lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: temporary store of two factor secret to check against

Browse source
This commit is contained in:
Sérgio Salgado 2021-04-19 16:15:44 +01:00 committed by Josh Harvey
parent 91fa16254c
commit 928caaf167
2 changed files with 23 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

21
lib/new-admin/graphql/modules/authentication.js
View file

@ -61,11 +61,15 @@ const getUserData = context => {
}
const get2FASecret = (username, password) => {
return authenticateUser(username, password).then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return { secret, otpauth }
})
return authenticateUser(username, password)
.then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), secret, otpauth])
})
.then(([_, secret, otpauth]) => {
return { secret, otpauth }
})
}
const confirm2FA = (token, context) => {
@ -112,6 +116,9 @@ const validateReset2FALink = token => {
.then(user => {
const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), user, secret, otpauth])
})
.then(([_, user, secret, otpauth]) => {
return { user_id: user.id, secret, otpauth }
})
.catch(err => console.error(err))
@ -149,6 +156,10 @@ const setup2FA = (username, password, rememberMe, secret, codeConfirmation, cont
return authenticateUser(username, password)
.then(user => {
if (user.temp_twofa_code !== secret) {
throw new authErrors.InvalidTwoFactorError()
}
initializeSession(context, user, rememberMe)
return users.save2FASecret(user.id, secret)
})