Merge remote-tracking branch 'origin/main' into main

2026-04-11 10:27:01 +02:00 · 2022-12-21 18:01:06 +01:00
parent 1a034a1966 16480f6e95
commit af71317ec4
27 changed files with 946 additions and 127 deletions
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@@ -14,8 +14,11 @@ import { AuthService } from "./auth.service";
 import { GetUser } from "./decorator/getUser.decorator";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";
+import { EnableTotpDTO } from "./dto/enableTotp.dto";
 import { RefreshAccessTokenDTO } from "./dto/refreshAccessToken.dto";
 import { UpdatePasswordDTO } from "./dto/updatePassword.dto";
+import { VerifyTotpDTO } from "./dto/verifyTotp.dto";
 import { JwtGuard } from "./guard/jwt.guard";

@Controller("auth")
@@ -40,6 +43,13 @@ export class AuthController {
    return this.authService.signIn(dto);
  }

+  @Throttle(10, 5 * 60)
+  @Post("signIn/totp")
+  @HttpCode(200)
+  signInTotp(@Body() dto: AuthSignInTotpDTO) {
+    return this.authService.signInTotp(dto);
+  }
+
  @Patch("password")
  @UseGuards(JwtGuard)
  async updatePassword(@GetUser() user: User, @Body() dto: UpdatePasswordDTO) {
@@ -54,4 +64,24 @@ export class AuthController {
    );
    return { accessToken };
  }
+
+  // TODO: Implement recovery codes to disable 2FA just in case someone gets locked out
+  @Post("totp/enable")
+  @UseGuards(JwtGuard)
+  async enableTotp(@GetUser() user: User, @Body() body: EnableTotpDTO) {
+    return this.authService.enableTotp(user, body.password);
+  }
+
+  @Post("totp/verify")
+  @UseGuards(JwtGuard)
+  async verifyTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    return this.authService.verifyTotp(user, body.password, body.code);
+  }
+
+  @Post("totp/disable")
+  @UseGuards(JwtGuard)
+  async disableTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    // Note: We use VerifyTotpDTO here because it has both fields we need: password and totp code
+    return this.authService.disableTotp(user, body.password, body.code);
+  }
 }
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -13,6 +13,10 @@ import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
+import { authenticator, totp } from "otplib";
+import * as qrcode from "qrcode-svg";
+import * as crypto from "crypto";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";

@Injectable()
 export class AuthService {
@@ -63,6 +67,69 @@ export class AuthService {
    if (!user || !(await argon.verify(user.password, dto.password)))
      throw new UnauthorizedException("Wrong email or password");

+    // TODO: Make all old loginTokens invalid when a new one is created
+    // Check if the user has TOTP enabled
+    if (user.totpVerified) {
+      const loginToken = await this.createLoginToken(user.id);
+
+      return { loginToken };
+    }
+
+    const accessToken = await this.createAccessToken(user);
+    const refreshToken = await this.createRefreshToken(user.id);
+
+    return { accessToken, refreshToken };
+  }
+
+  async signInTotp(dto: AuthSignInTotpDTO) {
+    if (!dto.email && !dto.username)
+      throw new BadRequestException("Email or username is required");
+
+    const user = await this.prisma.user.findFirst({
+      where: {
+        OR: [{ email: dto.email }, { username: dto.username }],
+      },
+    });
+
+    if (!user || !(await argon.verify(user.password, dto.password)))
+      throw new UnauthorizedException("Wrong email or password");
+
+    const token = await this.prisma.loginToken.findFirst({
+      where: {
+        token: dto.loginToken,
+      },
+    });
+
+    if (!token || token.userId != user.id || token.used)
+      throw new UnauthorizedException("Invalid login token");
+
+    if (token.expiresAt < new Date())
+      throw new UnauthorizedException("Login token expired");
+
+    // Check the TOTP code
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    const decryptedSecret = this.decryptTotpSecret(totpSecret, dto.password);
+
+    const expected = authenticator.generate(decryptedSecret);
+
+    if (dto.totp !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    // Set the login token to used
+    await this.prisma.loginToken.update({
+      where: { token: token.token },
+      data: { used: true },
+    });
+
    const accessToken = await this.createAccessToken(user);
    const refreshToken = await this.createRefreshToken(user.id);

@@ -70,7 +137,7 @@ export class AuthService {
  }

  async updatePassword(user: User, oldPassword: string, newPassword: string) {
-    if (argon.verify(user.password, oldPassword))
+    if (!(await argon.verify(user.password, oldPassword)))
      throw new ForbiddenException("Invalid password");

    const hash = await argon.hash(newPassword);
@@ -115,4 +182,161 @@ export class AuthService {

    return refreshToken;
  }
+
+  async createLoginToken(userId: string) {
+    const loginToken = (
+      await this.prisma.loginToken.create({
+        data: { userId, expiresAt: moment().add(5, "minutes").toDate() },
+      })
+    ).token;
+
+    return loginToken;
+  }
+
+  encryptTotpSecret(totpSecret: string, password: string) {
+    let iv = this.config.get("TOTP_SECRET");
+    iv = Buffer.from(iv, "base64");
+    const key = crypto
+      .createHash("sha256")
+      .update(String(password))
+      .digest("base64")
+      .substr(0, 32);
+
+    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+
+    let encrypted = cipher.update(totpSecret);
+
+    encrypted = Buffer.concat([encrypted, cipher.final()]);
+
+    return encrypted.toString("base64");
+  }
+
+  decryptTotpSecret(encryptedTotpSecret: string, password: string) {
+    let iv = this.config.get("TOTP_SECRET");
+    iv = Buffer.from(iv, "base64");
+    const key = crypto
+      .createHash("sha256")
+      .update(String(password))
+      .digest("base64")
+      .substr(0, 32);
+
+    const encryptedText = Buffer.from(encryptedTotpSecret, "base64");
+    const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+    let decrypted = decipher.update(encryptedText);
+    decrypted = Buffer.concat([decrypted, decipher.final()]);
+
+    return decrypted.toString();
+  }
+
+  async enableTotp(user: User, password: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    // Check if we have a secret already
+    const { totpVerified } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpVerified: true },
+    });
+
+    if (totpVerified) {
+      throw new BadRequestException("TOTP is already enabled");
+    }
+
+    // TODO: Maybe make the issuer configurable with env vars?
+    const secret = authenticator.generateSecret();
+    const encryptedSecret = this.encryptTotpSecret(secret, password);
+
+    const otpURL = totp.keyuri(
+      user.username || user.email,
+      "pingvin-share",
+      secret
+    );
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpEnabled: true,
+        totpSecret: encryptedSecret,
+      },
+    });
+
+    // TODO: Maybe we should generate the QR code on the client rather than the server?
+    const qrCode = new qrcode({
+      content: otpURL,
+      container: "svg-viewbox",
+      join: true,
+    }).svg();
+
+    return {
+      totpAuthUrl: otpURL,
+      totpSecret: secret,
+      qrCode:
+        "data:image/svg+xml;base64," + Buffer.from(qrCode).toString("base64"),
+    };
+  }
+
+  // TODO: Maybe require a token to verify that the user who started enabling totp is the one who is verifying it?
+  async verifyTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not in progress");
+    }
+
+    const decryptedSecret = this.decryptTotpSecret(totpSecret, password);
+
+    const expected = authenticator.generate(decryptedSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: true,
+      },
+    });
+
+    return true;
+  }
+
+  async disableTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    const decryptedSecret = this.decryptTotpSecret(totpSecret, password);
+
+    const expected = authenticator.generate(decryptedSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: false,
+        totpEnabled: false,
+        totpSecret: null,
+      },
+    });
+
+    return true;
+  }
 }
--- a/backend/src/auth/dto/authSignInTotp.dto.ts
+++ b/backend/src/auth/dto/authSignInTotp.dto.ts
@@ -0,0 +1,21 @@
+import { PickType } from "@nestjs/mapped-types";
+import { IsEmail, IsOptional, IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class AuthSignInTotpDTO extends PickType(UserDTO, [
+  "password",
+] as const) {
+  @IsEmail()
+  @IsOptional()
+  email: string;
+
+  @IsString()
+  @IsOptional()
+  username: string;
+
+  @IsString()
+  totp: string;
+
+  @IsString()
+  loginToken: string;
+}
--- a/backend/src/auth/dto/enableTotp.dto.ts
+++ b/backend/src/auth/dto/enableTotp.dto.ts
@@ -0,0 +1,5 @@
+import { PickType } from "@nestjs/mapped-types";
+import { IsEmail, IsOptional, IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class EnableTotpDTO extends PickType(UserDTO, ["password"] as const) {}
--- a/backend/src/auth/dto/verifyTotp.dto.ts
+++ b/backend/src/auth/dto/verifyTotp.dto.ts
@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/mapped-types";
+import { IsEmail, IsOptional, IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class VerifyTotpDTO extends PickType(UserDTO, ["password"] as const) {
+  @IsString()
+  code: string;
+}
--- a/backend/src/user/dto/user.dto.ts
+++ b/backend/src/user/dto/user.dto.ts
@@ -22,6 +22,9 @@ export class UserDTO {
  @Expose()
  isAdmin: boolean;

+  @Expose()
+  totpVerified: boolean;
+
  from(partial: Partial<UserDTO>) {
    return plainToClass(UserDTO, partial, { excludeExtraneousValues: true });
  }