diff options
| author | syuilo <syuilotan@yahoo.co.jp> | 2017-12-08 22:57:58 +0900 |
|---|---|---|
| committer | syuilo <syuilotan@yahoo.co.jp> | 2017-12-08 22:57:58 +0900 |
| commit | 6bc499f6579a9a248430748f9a69f3e5873a5ed3 (patch) | |
| tree | 23c28e990b526c456a194ac938165e307c8bcaae /src/api | |
| parent | v3278 (diff) | |
| download | sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.tar.gz sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.tar.bz2 sharkey-6bc499f6579a9a248430748f9a69f3e5873a5ed3.zip | |
#967
Diffstat (limited to 'src/api')
| -rw-r--r-- | src/api/endpoints.ts | 8 | ||||
| -rw-r--r-- | src/api/endpoints/i/2fa/done.ts | 37 | ||||
| -rw-r--r-- | src/api/endpoints/i/2fa/register.ts | 48 | ||||
| -rw-r--r-- | src/api/models/user.ts | 2 | ||||
| -rw-r--r-- | src/api/private/signin.ts | 25 | ||||
| -rw-r--r-- | src/api/serializers/user.ts | 6 |
6 files changed, 125 insertions, 1 deletions
diff --git a/src/api/endpoints.ts b/src/api/endpoints.ts index 06fb9a64ae..49871c0ce3 100644 --- a/src/api/endpoints.ts +++ b/src/api/endpoints.ts @@ -156,6 +156,14 @@ const endpoints: Endpoint[] = [ withCredential: true }, { + name: 'i/2fa/register', + withCredential: true + }, + { + name: 'i/2fa/done', + withCredential: true + }, + { name: 'i/update', withCredential: true, limit: { diff --git a/src/api/endpoints/i/2fa/done.ts b/src/api/endpoints/i/2fa/done.ts new file mode 100644 index 0000000000..0b36033bb6 --- /dev/null +++ b/src/api/endpoints/i/2fa/done.ts @@ -0,0 +1,37 @@ +/** + * Module dependencies + */ +import $ from 'cafy'; +import * as speakeasy from 'speakeasy'; +import User from '../../../models/user'; + +module.exports = async (params, user) => new Promise(async (res, rej) => { + // Get 'token' parameter + const [token, tokenErr] = $(params.token).string().$; + if (tokenErr) return rej('invalid token param'); + + const _token = token.replace(/\s/g, ''); + + if (user.two_factor_temp_secret == null) { + return rej('二段階認証の設定が開始されていません'); + } + + const verified = (speakeasy as any).totp.verify({ + secret: user.two_factor_temp_secret, + encoding: 'base32', + token: _token + }); + + if (!verified) { + return rej('not verified'); + } + + await User.update(user._id, { + $set: { + two_factor_secret: user.two_factor_temp_secret, + two_factor_enabled: true + } + }); + + res(); +}); diff --git a/src/api/endpoints/i/2fa/register.ts b/src/api/endpoints/i/2fa/register.ts new file mode 100644 index 0000000000..c2b5037a29 --- /dev/null +++ b/src/api/endpoints/i/2fa/register.ts @@ -0,0 +1,48 @@ +/** + * Module dependencies + */ +import $ from 'cafy'; +import * as bcrypt from 'bcryptjs'; +import * as speakeasy from 'speakeasy'; +import * as QRCode from 'qrcode'; +import User from '../../../models/user'; +import config from '../../../../conf'; + +module.exports = async (params, user) => new Promise(async (res, rej) => { + // Get 'password' parameter + const [password, passwordErr] = $(params.password).string().$; + if (passwordErr) return rej('invalid password param'); + + // Compare password + const same = await bcrypt.compare(password, user.password); + + if (!same) { + return rej('incorrect password'); + } + + // Generate user's secret key + const secret = speakeasy.generateSecret({ + length: 32 + }); + + await User.update(user._id, { + $set: { + two_factor_temp_secret: secret.base32 + } + }); + + // Get the data URL of the authenticator URL + QRCode.toDataURL(speakeasy.otpauthURL({ + secret: secret.base32, + encoding: 'base32', + label: user.username, + issuer: config.host + }), (err, data_url) => { + res({ + qr: data_url, + secret: secret.base32, + label: user.username, + issuer: config.host + }); + }); +}); diff --git a/src/api/models/user.ts b/src/api/models/user.ts index b2f3af09fa..018979158f 100644 --- a/src/api/models/user.ts +++ b/src/api/models/user.ts @@ -72,6 +72,8 @@ export type IUser = { is_pro: boolean; is_suspended: boolean; keywords: string[]; + two_factor_secret: string; + two_factor_enabled: boolean; }; export function init(user): IUser { diff --git a/src/api/private/signin.ts b/src/api/private/signin.ts index 0ebf8d6aa1..7376921e28 100644 --- a/src/api/private/signin.ts +++ b/src/api/private/signin.ts @@ -1,5 +1,6 @@ import * as express from 'express'; import * as bcrypt from 'bcryptjs'; +import * as speakeasy from 'speakeasy'; import { default as User, IUser } from '../models/user'; import Signin from '../models/signin'; import serialize from '../serializers/signin'; @@ -11,6 +12,7 @@ export default async (req: express.Request, res: express.Response) => { const username = req.body['username']; const password = req.body['password']; + const token = req.body['token']; if (typeof username != 'string') { res.sendStatus(400); @@ -22,6 +24,11 @@ export default async (req: express.Request, res: express.Response) => { return; } + if (token != null && typeof token != 'string') { + res.sendStatus(400); + return; + } + // Fetch user const user: IUser = await User.findOne({ username_lower: username.toLowerCase() @@ -43,7 +50,23 @@ export default async (req: express.Request, res: express.Response) => { const same = await bcrypt.compare(password, user.password); if (same) { - signin(res, user, false); + if (user.two_factor_enabled) { + const verified = (speakeasy as any).totp.verify({ + secret: user.two_factor_secret, + encoding: 'base32', + token: token + }); + + if (verified) { + signin(res, user, false); + } else { + res.status(400).send({ + error: 'invalid token' + }); + } + } else { + signin(res, user, false); + } } else { res.status(400).send({ error: 'incorrect password' diff --git a/src/api/serializers/user.ts b/src/api/serializers/user.ts index 3d84156606..fe924911c1 100644 --- a/src/api/serializers/user.ts +++ b/src/api/serializers/user.ts @@ -78,6 +78,8 @@ export default ( // Remove private properties delete _user.password; delete _user.token; + delete _user.two_factor_temp_secret; + delete _user.two_factor_secret; delete _user.username_lower; if (_user.twitter) { delete _user.twitter.access_token; @@ -91,6 +93,10 @@ export default ( delete _user.client_settings; } + if (!opts.detail) { + delete _user.two_factor_enabled; + } + _user.avatar_url = _user.avatar_id != null ? `${config.drive_url}/${_user.avatar_id}` : `${config.drive_url}/default-avatar.jpg`; |