lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: temporary store of two factor secret to check against

Browse source
This commit is contained in:
Sérgio Salgado 2021-04-19 16:15:44 +01:00 committed by Josh Harvey
parent 91fa16254c
commit 928caaf167
2 changed files with 23 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

13
lib/new-admin/graphql/modules/authentication.js
View file

@ -61,9 +61,13 @@ const getUserData = context => {
} }
const get2FASecret = (username, password) => { const get2FASecret = (username, password) => {
return authenticateUser(username, password).then(user => { return authenticateUser(username, password)
.then(user => {
const secret = otplib.authenticator.generateSecret() const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret) const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), secret, otpauth])
})
.then(([_, secret, otpauth]) => {
return { secret, otpauth } return { secret, otpauth }
}) })
} }
@ -112,6 +116,9 @@ const validateReset2FALink = token => {
.then(user => { .then(user => {
const secret = otplib.authenticator.generateSecret() const secret = otplib.authenticator.generateSecret()
const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret) const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
return Promise.all([users.saveTemp2FASecret(user.id, secret), user, secret, otpauth])
})
.then(([_, user, secret, otpauth]) => {
return { user_id: user.id, secret, otpauth } return { user_id: user.id, secret, otpauth }
}) })
.catch(err => console.error(err)) .catch(err => console.error(err))
@ -149,6 +156,10 @@ const setup2FA = (username, password, rememberMe, secret, codeConfirmation, cont
return authenticateUser(username, password) return authenticateUser(username, password)
.then(user => { .then(user => {
if (user.temp_twofa_code !== secret) {
throw new authErrors.InvalidTwoFactorError()
}
initializeSession(context, user, rememberMe) initializeSession(context, user, rememberMe)
return users.save2FASecret(user.id, secret) return users.save2FASecret(user.id, secret)
}) })

8
lib/users.js
View file

@ -64,9 +64,14 @@ function verifyAndUpdateUser (id, ua, ip) {
.then(user => user) .then(user => user)
} }
function saveTemp2FASecret (id, secret) {
const sql = 'UPDATE users SET temp_twofa_code=$1 WHERE id=$2'
return db.none(sql, [secret, id])
}
function save2FASecret (id, secret) { function save2FASecret (id, secret) {
return db.tx(t => { return db.tx(t => {
const q1 = t.none('UPDATE users SET twofa_code=$1 WHERE id=$2', [secret, id]) const q1 = t.none('UPDATE users SET twofa_code=$1, temp_twofa_code=NULL WHERE id=$2', [secret, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id]) const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
return t.batch([q1, q2]) return t.batch([q1, q2])
}) })
@ -167,6 +172,7 @@ module.exports = {
getUserByUsername, getUserByUsername,
verifyAndUpdateUser, verifyAndUpdateUser,
updatePassword, updatePassword,
saveTemp2FASecret,
save2FASecret, save2FASecret,
reset2FASecret, reset2FASecret,
validateAuthToken, validateAuthToken,