Support two factor authentication in backend

2025-02-25 18:55:32 -06:00 · 2022-10-05 15:37:15 +02:00
parent 7dd7ff4ceb
commit 56f4783075
27 changed files with 1016 additions and 92 deletions
--- a/shared/models/users/index.ts
+++ b/shared/models/users/index.ts
@@ -1,3 +1,4 @@
+export * from './two-factor-enable-result.model'
 export * from './user-create-result.model'
 export * from './user-create.model'
 export * from './user-flag.model'
--- a/shared/models/users/two-factor-enable-result.model.ts
+++ b/shared/models/users/two-factor-enable-result.model.ts
@@ -0,0 +1,7 @@
+export interface TwoFactorEnableResult {
+  otpRequest: {
+    requestToken: string
+    secret: string
+    uri: string
+  }
+}
--- a/shared/models/users/user.model.ts
+++ b/shared/models/users/user.model.ts
@@ -62,6 +62,8 @@ export interface User {
  pluginAuth: string | null

  lastLoginDate: Date | null
+
+  twoFactorEnabled: boolean
 }

 export interface MyUserSpecialPlaylist {
--- a/shared/server-commands/server/server.ts
+++ b/shared/server-commands/server/server.ts
@@ -13,7 +13,15 @@ import { AbusesCommand } from '../moderation'
 import { OverviewsCommand } from '../overviews'
 import { SearchCommand } from '../search'
 import { SocketIOCommand } from '../socket'
-import { AccountsCommand, BlocklistCommand, LoginCommand, NotificationsCommand, SubscriptionsCommand, UsersCommand } from '../users'
+import {
+  AccountsCommand,
+  BlocklistCommand,
+  LoginCommand,
+  NotificationsCommand,
+  SubscriptionsCommand,
+  TwoFactorCommand,
+  UsersCommand
+} from '../users'
 import {
  BlacklistCommand,
  CaptionsCommand,
@@ -136,6 +144,7 @@ export class PeerTubeServer {
  videos?: VideosCommand
  videoStats?: VideoStatsCommand
  views?: ViewsCommand
+  twoFactor?: TwoFactorCommand

  constructor (options: { serverNumber: number } | { url: string }) {
    if ((options as any).url) {
@@ -417,5 +426,6 @@ export class PeerTubeServer {
    this.videoStudio = new VideoStudioCommand(this)
    this.videoStats = new VideoStatsCommand(this)
    this.views = new ViewsCommand(this)
+    this.twoFactor = new TwoFactorCommand(this)
  }
 }
--- a/shared/server-commands/users/index.ts
+++ b/shared/server-commands/users/index.ts
@@ -5,4 +5,5 @@ export * from './login'
 export * from './login-command'
 export * from './notifications-command'
 export * from './subscriptions-command'
+export * from './two-factor-command'
 export * from './users-command'
--- a/shared/server-commands/users/login-command.ts
+++ b/shared/server-commands/users/login-command.ts
@@ -2,34 +2,27 @@ import { HttpStatusCode, PeerTubeProblemDocument } from '@shared/models'
 import { unwrapBody } from '../requests'
 import { AbstractCommand, OverrideCommandOptions } from '../shared'

+type LoginOptions = OverrideCommandOptions & {
+  client?: { id?: string, secret?: string }
+  user?: { username: string, password?: string }
+  otpToken?: string
+}
+
 export class LoginCommand extends AbstractCommand {

-  login (options: OverrideCommandOptions & {
-    client?: { id?: string, secret?: string }
-    user?: { username: string, password?: string }
-  } = {}) {
-    const { client = this.server.store.client, user = this.server.store.user } = options
-    const path = '/api/v1/users/token'
+  async login (options: LoginOptions = {}) {
+    const res = await this._login(options)

-    const body = {
-      client_id: client.id,
-      client_secret: client.secret,
-      username: user.username,
-      password: user.password ?? 'password',
-      response_type: 'code',
-      grant_type: 'password',
-      scope: 'upload'
+    return this.unwrapLoginBody(res.body)
+  }
+
+  async loginAndGetResponse (options: LoginOptions = {}) {
+    const res = await this._login(options)
+
+    return {
+      res,
+      body: this.unwrapLoginBody(res.body)
    }
-
-    return unwrapBody<{ access_token: string, refresh_token: string } & PeerTubeProblemDocument>(this.postBodyRequest({
-      ...options,
-
-      path,
-      requestType: 'form',
-      fields: body,
-      implicitToken: false,
-      defaultExpectedStatus: HttpStatusCode.OK_200
-    }))
  }

  getAccessToken (arg1?: { username: string, password?: string }): Promise<string>
@@ -129,4 +122,38 @@ export class LoginCommand extends AbstractCommand {
      defaultExpectedStatus: HttpStatusCode.OK_200
    })
  }
+
+  private _login (options: LoginOptions) {
+    const { client = this.server.store.client, user = this.server.store.user, otpToken } = options
+    const path = '/api/v1/users/token'
+
+    const body = {
+      client_id: client.id,
+      client_secret: client.secret,
+      username: user.username,
+      password: user.password ?? 'password',
+      response_type: 'code',
+      grant_type: 'password',
+      scope: 'upload'
+    }
+
+    const headers = otpToken
+      ? { 'x-peertube-otp': otpToken }
+      : {}
+
+    return this.postBodyRequest({
+      ...options,
+
+      path,
+      headers,
+      requestType: 'form',
+      fields: body,
+      implicitToken: false,
+      defaultExpectedStatus: HttpStatusCode.OK_200
+    })
+  }
+
+  private unwrapLoginBody (body: any) {
+    return body as { access_token: string, refresh_token: string } & PeerTubeProblemDocument
+  }
 }
--- a/shared/server-commands/users/two-factor-command.ts
+++ b/shared/server-commands/users/two-factor-command.ts
@@ -0,0 +1,75 @@
+import { TOTP } from 'otpauth'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+import { unwrapBody } from '../requests'
+import { AbstractCommand, OverrideCommandOptions } from '../shared'
+
+export class TwoFactorCommand extends AbstractCommand {
+
+  static buildOTP (options: {
+    secret: string
+  }) {
+    const { secret } = options
+
+    return new TOTP({
+      issuer: 'PeerTube',
+      algorithm: 'SHA1',
+      digits: 6,
+      period: 30,
+      secret
+    })
+  }
+
+  request (options: OverrideCommandOptions & {
+    userId: number
+    currentPassword: string
+  }) {
+    const { currentPassword, userId } = options
+
+    const path = '/api/v1/users/' + userId + '/two-factor/request'
+
+    return unwrapBody<TwoFactorEnableResult>(this.postBodyRequest({
+      ...options,
+
+      path,
+      fields: { currentPassword },
+      implicitToken: true,
+      defaultExpectedStatus: HttpStatusCode.OK_200
+    }))
+  }
+
+  confirmRequest (options: OverrideCommandOptions & {
+    userId: number
+    requestToken: string
+    otpToken: string
+  }) {
+    const { userId, requestToken, otpToken } = options
+
+    const path = '/api/v1/users/' + userId + '/two-factor/confirm-request'
+
+    return this.postBodyRequest({
+      ...options,
+
+      path,
+      fields: { requestToken, otpToken },
+      implicitToken: true,
+      defaultExpectedStatus: HttpStatusCode.NO_CONTENT_204
+    })
+  }
+
+  disable (options: OverrideCommandOptions & {
+    userId: number
+    currentPassword: string
+  }) {
+    const { userId, currentPassword } = options
+    const path = '/api/v1/users/' + userId + '/two-factor/disable'
+
+    return this.postBodyRequest({
+      ...options,
+
+      path,
+      fields: { currentPassword },
+      implicitToken: true,
+      defaultExpectedStatus: HttpStatusCode.NO_CONTENT_204
+    })
+  }
+}
--- a/shared/server-commands/users/users-command.ts
+++ b/shared/server-commands/users/users-command.ts
@@ -202,7 +202,8 @@ export class UsersCommand extends AbstractCommand {
      token,
      userId: user.id,
      userChannelId: me.videoChannels[0].id,
-      userChannelName: me.videoChannels[0].name
+      userChannelName: me.videoChannels[0].name,
+      password
    }
  }