| author | syuilo <syuilotan@yahoo.co.jp> | 2017-12-08 22:57:58 +0900 |
|---|---|---|
| committer | syuilo <syuilotan@yahoo.co.jp> | 2017-12-08 22:57:58 +0900 |
| commit | 6bc499f6579a9a248430748f9a69f3e5873a5ed3 (patch) | |
| tree | 23c28e990b526c456a194ac938165e307c8bcaae /src/api/private | |
| parent | v3278 (diff) | |
| download | sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.tar.gz sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.tar.bz2 sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.zip | |
#967
Diffstat (limited to 'src/api/private')
| -rw-r--r-- | src/api/private/signin.ts | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/src/api/private/signin.ts b/src/api/private/signin.ts
index 0ebf8d6aa1..7376921e28 100644
--- a/src/api/private/signin.ts
+++ b/src/api/private/signin.ts
@@ -1,5 +1,6 @@
 import * as express from 'express';
 import * as bcrypt from 'bcryptjs';
+import * as speakeasy from 'speakeasy';
 import { default as User, IUser } from '../models/user';
 import Signin from '../models/signin';
 import serialize from '../serializers/signin';
@@ -11,6 +12,7 @@ export default async (req: express.Request, res: express.Response) => {
 	const username = req.body['username'];
 	const password = req.body['password'];
+	const token = req.body['token'];
 	if (typeof username != 'string') {
 		res.sendStatus(400);
@@ -22,6 +24,11 @@ export default async (req: express.Request, res: express.Response) => {
 		return;
 	}
+	if (token != null && typeof token != 'string') {
+		res.sendStatus(400);
+		return;
+	}
 	// Fetch user
 	const user: IUser = await User.findOne({
 		username_lower: username.toLowerCase()
@@ -43,7 +50,23 @@ export default async (req: express.Request, res: express.Response) => {
 	const same = await bcrypt.compare(password, user.password);
 	if (same) {
-		signin(res, user, false);
+		if (user.two_factor_enabled) {
+			const verified = (speakeasy as any).totp.verify({
+				secret: user.two_factor_secret,
+				encoding: 'base32',
+				token: token
+			});
+			if (verified) {
+				signin(res, user, false);
+			} else {
+				res.status(400).send({
+					error: 'invalid token'
+				});
+			}
+		} else {
+			signin(res, user, false);
+		}
 	} else {
 		res.status(400).send({
 			error: 'incorrect password'
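Review bot: The new two-factor branch passes `token` to `speakeasy.totp.verify` even when it is absent, because the earlier guard (`token != null && typeof token != 'string'`) deliberately admits a missing token; speakeasy appears to reject a missing token by throwing rather than returning false (confirm against the installed version), and since this is an `async` Express handler that rejection is unhandled, so a 2FA-enabled user who omits the token never receives the intended 400. Add an explicit check at the top of the branch, before the verify call: `if (token == null) { res.status(400).send({ error: 'invalid token' }); return; }`. Separately, the distinct messages `'incorrect password'` and `'invalid token'` let a caller learn that a guessed password was correct before the second factor is satisfied, which weakens the protection 2FA adds against credential guessing; returning one generic failure message for both paths removes that oracle. The `(speakeasy as any)` cast discards the library's types for the entire call; a minimal module declaration or a typed local for `verify` keeps the checker on. The enclosing handler starts and ends outside this hunk.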