* Rework the way 2FA is enabled/disabled (fixes #3309) * postgres format * change algo to sha1 for better compat * review comments * review * clippy --------- Co-authored-by: Dessalines <dessalines@users.noreply.github.com>remove-explicit-auth
parent
77b2d236b9
commit
22608ae983
@ -0,0 +1,47 @@
|
||||
use crate::{build_totp_2fa, generate_totp_2fa_secret};
|
||||
use activitypub_federation::config::Data;
|
||||
use actix_web::web::Json;
|
||||
use lemmy_api_common::{
|
||||
context::LemmyContext,
|
||||
person::GenerateTotpSecretResponse,
|
||||
sensitive::Sensitive,
|
||||
};
|
||||
use lemmy_db_schema::{
|
||||
source::local_user::{LocalUser, LocalUserUpdateForm},
|
||||
traits::Crud,
|
||||
};
|
||||
use lemmy_db_views::structs::{LocalUserView, SiteView};
|
||||
use lemmy_utils::error::{LemmyError, LemmyErrorType};
|
||||
|
||||
/// Generate a new secret for two-factor-authentication. Afterwards you need to call [toggle_totp]
|
||||
/// to enable it. This can only be called if 2FA is currently disabled.
|
||||
#[tracing::instrument(skip(context))]
|
||||
pub async fn generate_totp_secret(
|
||||
local_user_view: LocalUserView,
|
||||
context: Data<LemmyContext>,
|
||||
) -> Result<Json<GenerateTotpSecretResponse>, LemmyError> {
|
||||
let site_view = SiteView::read_local(&mut context.pool()).await?;
|
||||
|
||||
if local_user_view.local_user.totp_2fa_enabled {
|
||||
return Err(LemmyErrorType::TotpAlreadyEnabled)?;
|
||||
}
|
||||
|
||||
let secret = generate_totp_2fa_secret();
|
||||
let secret_url =
|
||||
build_totp_2fa(&site_view.site.name, &local_user_view.person.name, &secret)?.get_url();
|
||||
|
||||
let local_user_form = LocalUserUpdateForm {
|
||||
totp_2fa_secret: Some(Some(secret)),
|
||||
..Default::default()
|
||||
};
|
||||
LocalUser::update(
|
||||
&mut context.pool(),
|
||||
local_user_view.local_user.id,
|
||||
&local_user_form,
|
||||
)
|
||||
.await?;
|
||||
|
||||
Ok(Json(GenerateTotpSecretResponse {
|
||||
totp_secret_url: Sensitive::new(secret_url),
|
||||
}))
|
||||
}
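Review bot: The doc comment at the top of this hunk links to `[toggle_totp]`, but the endpoint that consumes the generated secret is named `update_totp` in the sibling file of this commit, so the intra-doc link is stale and rustdoc will not resolve it; it should read `/// Generate a new secret for two-factor-authentication. Afterwards you need to call [update_totp]`. The only precondition enforced is `totp_2fa_enabled == false`, so a repeat call silently overwrites any previously generated but not yet confirmed secret; that is harmless because nothing is validated against the pending secret until `update_totp` runs, but a why-comment above the `LocalUserUpdateForm` would spare the next reader from treating this as an accidental reset path, e.g. `// A pending, unconfirmed secret is simply replaced; it only takes effect once update_totp validates a token against it.` The otpauth URL embeds the raw secret, so returning it wrapped in `Sensitive` is the right choice and should be preserved if the response type is ever reshaped.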
|
@ -0,0 +1,54 @@
|
||||
use crate::check_totp_2fa_valid;
|
||||
use actix_web::web::{Data, Json};
|
||||
use lemmy_api_common::{
|
||||
context::LemmyContext,
|
||||
person::{UpdateTotp, UpdateTotpResponse},
|
||||
};
|
||||
use lemmy_db_schema::{
|
||||
source::local_user::{LocalUser, LocalUserUpdateForm},
|
||||
traits::Crud,
|
||||
};
|
||||
use lemmy_db_views::structs::{LocalUserView, SiteView};
|
||||
use lemmy_utils::error::LemmyError;
|
||||
|
||||
/// Enable or disable two-factor-authentication. The current setting is determined from
|
||||
/// [LocalUser.totp_2fa_enabled].
|
||||
///
|
||||
/// To enable, you need to first call [generate_totp_secret] and then pass a valid token to this
|
||||
/// function.
|
||||
///
|
||||
/// Disabling is only possible if 2FA was previously enabled. Again it is necessary to pass a valid
|
||||
/// token.
|
||||
#[tracing::instrument(skip(context))]
|
||||
pub async fn update_totp(
|
||||
data: Json<UpdateTotp>,
|
||||
local_user_view: LocalUserView,
|
||||
context: Data<LemmyContext>,
|
||||
) -> Result<Json<UpdateTotpResponse>, LemmyError> {
|
||||
let site_view = SiteView::read_local(&mut context.pool()).await?;
|
||||
|
||||
check_totp_2fa_valid(
|
||||
&local_user_view,
|
||||
&Some(data.totp_token.clone()),
|
||||
&site_view.site.name,
|
||||
)?;
|
||||
|
||||
// toggle the 2fa setting
|
||||
let local_user_form = LocalUserUpdateForm {
|
||||
totp_2fa_enabled: Some(data.enabled),
|
||||
// if totp is enabled, leave unchanged. otherwise clear secret
|
||||
totp_2fa_secret: if data.enabled { None } else { Some(None) },
|
||||
..Default::default()
|
||||
};
|
||||
|
||||
LocalUser::update(
|
||||
&mut context.pool(),
|
||||
local_user_view.local_user.id,
|
||||
&local_user_form,
|
||||
)
|
||||
.await?;
|
||||
|
||||
Ok(Json(UpdateTotpResponse {
|
||||
enabled: data.enabled,
|
||||
}))
|
||||
}
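Review bot: The requested state is written unconditionally via `totp_2fa_enabled: Some(data.enabled)`, so the doc comment's claim that disabling is only possible when 2FA was previously enabled is not enforced anywhere in this hunk: an enable when already enabled, or a disable when already disabled, succeeds as long as `check_totp_2fa_valid` accepts the token. A guard before the update would make the documented contract real, e.g. `if data.enabled == local_user_view.local_user.totp_2fa_enabled { return Err(LemmyErrorType::TotpAlreadyEnabled)?; }` for the enable side (that variant is already used by `generate_totp_secret`; the disable side needs a matching variant, and `LemmyErrorType` is not yet imported in this file). Whether `check_totp_2fa_valid` rejects a token while `totp_2fa_secret` is still NULL cannot be seen from this hunk; if it does not, an enable request issued without a prior `generate_totp_secret` would set the flag with no secret behind it, so asserting a secret is present on the enable path here rather than relying on the helper is worth considering. Clearing the secret on disable with `Some(None)` is correct and should stay.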
|
@ -0,0 +1,6 @@
|
||||
ALTER TABLE local_user
|
||||
ADD COLUMN totp_2fa_url text;
|
||||
|
||||
ALTER TABLE local_user
|
||||
DROP COLUMN totp_2fa_enabled;
|
||||
|
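Review bot: Assuming this is the down migration paired with the one that introduces `totp_2fa_enabled`, a rollback recreates `totp_2fa_url` as NULL for every row, so any user who enabled 2FA under the new scheme ends up with it silently off after the rollback, and nothing in the file flags that. The old URL cannot be reconstructed here, so at minimum a header comment should make the operator aware of the downgrade, e.g. `-- NOTE: totp_2fa_url cannot be restored; 2FA is effectively disabled for all users after this rollback.`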
@ -0,0 +1,6 @@
|
||||
ALTER TABLE local_user
|
||||
DROP COLUMN totp_2fa_url;
|
||||
|
||||
ALTER TABLE local_user
|
||||
ADD COLUMN totp_2fa_enabled boolean NOT NULL DEFAULT FALSE;
|
||||
|
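Review bot: Dropping `totp_2fa_url` and adding `totp_2fa_enabled boolean NOT NULL DEFAULT FALSE` silently disables 2FA for every user who had it configured before this change, because no row is migrated from the old column to the new flag before the drop. Since the Rust side of this commit updates an existing `totp_2fa_secret` column that this migration does not add, it is plausible that the secret survives and only the enabled state is lost; if so, adding the column first and running `UPDATE local_user SET totp_2fa_enabled = TRUE WHERE totp_2fa_url IS NOT NULL;` before the `DROP COLUMN` would preserve those users' security posture (assuming the stored secret matches the one embedded in the old URL, which cannot be confirmed from this hunk). If the mass disable is intentional, it is a security-relevant downgrade that should be stated in a comment in this file and in the release notes so operators can tell affected users to re-enroll.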