From 1c2cddb7c4be9fa75eabf3ec9424afd6cb032a7c Mon Sep 17 00:00:00 2001 From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> Date: Wed, 20 Jul 2022 17:39:16 +1000 Subject: 2fa --- util/src/entities/BackupCodes.ts | 35 +++++++++++++++++++++++++++++++++++ util/src/entities/User.ts | 8 +++++++- util/src/entities/index.ts | 3 ++- 3 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 util/src/entities/BackupCodes.ts (limited to 'util/src') diff --git a/util/src/entities/BackupCodes.ts b/util/src/entities/BackupCodes.ts new file mode 100644 index 00000000..d532a39a --- /dev/null +++ b/util/src/entities/BackupCodes.ts @@ -0,0 +1,35 @@ +import { Column, Entity, JoinColumn, ManyToOne, RelationId } from "typeorm"; +import { BaseClass } from "./BaseClass"; +import { User } from "./User"; +import crypto from "crypto"; + +@Entity("backup_codes") +export class BackupCode extends BaseClass { + @JoinColumn({ name: "user_id" }) + @ManyToOne(() => User, { onDelete: "CASCADE" }) + user: User; + + @Column() + code: string; + + @Column() + consumed: boolean; + + @Column() + expired: boolean; +} + +export function generateMfaBackupCodes(user_id: string) { + let backup_codes: BackupCode[] = []; + for (let i = 0; i < 10; i++) { + const code = BackupCode.create({ + user: { id: user_id }, + code: crypto.randomBytes(4).toString("hex"), // 8 characters + consumed: false, + expired: false, + }); + backup_codes.push(code); + } + + return backup_codes; +} \ No newline at end of file diff --git a/util/src/entities/User.ts b/util/src/entities/User.ts index 9b1c494e..79d415ca 100644 --- a/util/src/entities/User.ts +++ b/util/src/entities/User.ts @@ -1,4 +1,4 @@ -import { Column, Entity, FindOneOptions, JoinColumn, ManyToMany, OneToMany, RelationId } from "typeorm"; +import { Column, Entity, FindOneOptions, JoinColumn, OneToMany } from "typeorm"; import { BaseClass } from "./BaseClass"; import { BitField } from "../util/BitField"; import { Relationship } from "./Relationship"; @@ -108,6 +108,12 @@ export class User extends BaseClass { @Column({ select: false }) mfa_enabled: boolean; // if multi factor authentication is enabled + @Column({ select: false, nullable: true }) + totp_secret?: string; + + @Column({ nullable: true, select: false }) + totp_last_ticket?: string; + @Column() created_at: Date; // registration date diff --git a/util/src/entities/index.ts b/util/src/entities/index.ts index f023d5a6..1b6259ae 100644 --- a/util/src/entities/index.ts +++ b/util/src/entities/index.ts @@ -27,4 +27,5 @@ export * from "./Template"; export * from "./User"; export * from "./VoiceState"; export * from "./Webhook"; -export * from "./ClientRelease"; \ No newline at end of file +export * from "./ClientRelease"; +export * from "./BackupCodes"; \ No newline at end of file -- cgit 1.5.1 From eb7f2c7b72f545b99949e4290bc38cb448903141 Mon Sep 17 00:00:00 2001 From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> Date: Wed, 20 Jul 2022 22:04:19 +1000 Subject: Add config `security_twoFactor_generateBackupCodes` to control backup code generation --- api/src/routes/users/@me/mfa/codes.ts | 4 ++-- api/src/routes/users/@me/mfa/totp/enable.ts | 11 +++++++---- util/src/entities/Config.ts | 6 ++++++ 3 files changed, 15 insertions(+), 6 deletions(-) (limited to 'util/src') diff --git a/api/src/routes/users/@me/mfa/codes.ts b/api/src/routes/users/@me/mfa/codes.ts index 2a1fb498..6ddf32f0 100644 --- a/api/src/routes/users/@me/mfa/codes.ts +++ b/api/src/routes/users/@me/mfa/codes.ts @@ -1,6 +1,6 @@ import { Router, Request, Response } from "express"; import { route } from "@fosscord/api"; -import { BackupCode, FieldErrors, generateMfaBackupCodes, User } from "@fosscord/util"; +import { BackupCode, Config, FieldErrors, generateMfaBackupCodes, User } from "@fosscord/util"; import bcrypt from "bcrypt"; const router = Router(); @@ -22,7 +22,7 @@ router.post("/", route({ body: "MfaCodesSchema" }), async (req: Request, res: Re } var codes: BackupCode[]; - if (regenerate) { + if (regenerate && Config.get().security.twoFactor.generateBackupCodes) { await BackupCode.update( { user: { id: req.user_id } }, { expired: true } diff --git a/api/src/routes/users/@me/mfa/totp/enable.ts b/api/src/routes/users/@me/mfa/totp/enable.ts index bc5f16ad..87f36d55 100644 --- a/api/src/routes/users/@me/mfa/totp/enable.ts +++ b/api/src/routes/users/@me/mfa/totp/enable.ts @@ -1,10 +1,9 @@ import { Router, Request, Response } from "express"; -import { User, generateToken, BackupCode, generateMfaBackupCodes } from "@fosscord/util"; +import { User, generateToken, BackupCode, generateMfaBackupCodes, Config } from "@fosscord/util"; import { route } from "@fosscord/api"; import bcrypt from "bcrypt"; import { HTTPError } from "lambert-server"; import { verifyToken } from 'node-2fa'; -import crypto from "crypto"; const router = Router(); @@ -35,8 +34,12 @@ router.post("/", route({ body: "TotpEnableSchema" }), async (req: Request, res: if (verifyToken(body.secret, body.code)?.delta != 0) throw new HTTPError(req.t("auth:login.INVALID_TOTP_CODE"), 60008); - let backup_codes = generateMfaBackupCodes(req.user_id); - await Promise.all(backup_codes.map(x => x.save())); + let backup_codes: BackupCode[] = []; + if (Config.get().security.twoFactor.generateBackupCodes) { + backup_codes = generateMfaBackupCodes(req.user_id); + await Promise.all(backup_codes.map(x => x.save())); + } + await User.update( { id: req.user_id }, { mfa_enabled: true, totp_secret: body.secret } diff --git a/util/src/entities/Config.ts b/util/src/entities/Config.ts index 3756d686..c84ea4aa 100644 --- a/util/src/entities/Config.ts +++ b/util/src/entities/Config.ts @@ -121,6 +121,9 @@ export interface ConfigValue { secret: string | null; }; ipdataApiKey: string | null; + twoFactor: { + generateBackupCodes: boolean; + }; }; login: { requireCaptcha: boolean; @@ -312,6 +315,9 @@ export const DefaultConfigOptions: ConfigValue = { secret: null, }, ipdataApiKey: "eca677b284b3bac29eb72f5e496aa9047f26543605efe99ff2ce35c9", + twoFactor: { + generateBackupCodes: true, + }, }, login: { requireCaptcha: false, -- cgit 1.5.1