Merge remote-tracking branch 'origin/main'

xamtodd · xamtodd · commit 344612119c5b · 2023-10-29T01:49:38.000+02:00
# Conflicts:
#	app.js
diff --git a/app.js b/app.js
@@ -12,6 +12,8 @@ const dbAdapter = require('./services/dbAdapter');
 const auth = require('./routes/auth');
 const users = require('./routes/users');
 const ban = require('./routes/ban');
+const verification = require('./routes/verification');
+const otp = require('./routes/otp');
 
 const app = express();
 
@@ -25,6 +27,8 @@ app.use(cors());
 app.use('/api/auth', auth);
 app.use('/api/users', users);
 app.use('/api/ban', ban);
+app.use('/api/verification', verification);
+app.use('/api/otp', otp);
 
 //read config
 debugStartup('Application Name: '+config.get('name'));
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -27,6 +27,7 @@
     "morgan": "^1.10.0",
     "nodemailer": "^6.9.7",
     "pg": "^8.11.3",
+    "speakeasy": "^2.0.0",
     "utf8": "^3.0.0"
   }
 }
diff --git a/routes/auth.js b/routes/auth.js
@@ -18,6 +18,11 @@ router.post('/', async (req, res) => {
 
     let user = await dbAdapter.getUserByEmail(req.body.email);
 
+    if (!user) {
+        debugRoute("POST /api/auth - 400 - User not found");
+        return res.status(400).send('Invalid email or password.');
+    }
+
     const validPassword = await bcrypt.compare(req.body.password, user.password);
     if (!validPassword) {
         debugRoute("POST /api/auth - 400 - Invalid password");
@@ -31,7 +36,7 @@ router.post('/', async (req, res) => {
 
     debugRoute("POST /api/auth - 200 - User logged in");
 
-    res.status(200).send({token:generateAuthToken(user.id,user.admin,false,(user.totp_secret != null && user.totp_confirmed))});
+    res.status(200).send({token:generateAuthToken(user.id,user.admin,false,(user.totp_secret !== undefined && user.totp_confirmed))});
 })
 
 function validate(req) {
diff --git a/routes/otp.js b/routes/otp.js
@@ -0,0 +1,106 @@
+const express = require('express');
+const router = express.Router();
+const debugRoute = require('debug')('app:route');
+const speakeasy = require('speakeasy');
+//Models
+const {generateAuthToken} = require('../models/User');
+//Middleware
+const auth = require('../middleware/auth');
+
+router.get('/generate', auth, async (req, res) => {
+    //TODO get user from database
+    let user = {};
+
+    if (!user) {
+        debugRoute("GET /api/otp/generate - 404 - User not found");
+        return res.status(404).send('User not found.');
+    }
+
+    if (user.otp_enabled && user.otp_verified) {
+        debugRoute("GET /api/otp/generate - 400 - OTP already enabled");
+        return res.status(400).send('OTP already enabled.');
+    }
+
+    user.totp_confirmed = false;
+    let secret = speakeasy.generateSecret().base32;
+    user.totp_secret = secret;
+
+    //TODO save user
+
+    debugRoute("GET /api/otp/generate - 200 - OTP generated");
+
+    res.send(secret);
+});
+
+router.post('/verify', auth, async (req, res) => {
+    if (!req.body.token) {
+        debugRoute("POST /api/otp/verify - 400 - Token required");
+        return res.status(400).send("Token required");
+    }
+
+    //TODO get user from database and change me
+    let user = {totp_secret: "someting"};
+
+    if (!user) {
+        debugRoute("POST /api/otp/verify - 404 - User not found");
+        return res.status(404).send('User not found.');
+    }
+
+    if (user.totp_secret === undefined) {
+        debugRoute("POST /api/otp/verify - 400 - OTP not enabled");
+        return res.status(400).send('OTP not enabled.');
+    }
+
+    let verified = speakeasy.totp.verify({
+        secret: user.otp_secret,
+        encoding: 'base32',
+        token: req.body.token,
+        window: 1
+    });
+    //TODO change me
+    verified = true;
+
+    if (!verified) {
+        debugRoute("POST /api/otp/verify - 400 - Invalid token");
+        return res.status(400).send('Invalid token.');
+    }
+
+    if (!user.totp_confirmed) {
+        user.totp_confirmed = true;
+        user.lastSecurityUpdate = Date.now();
+        //TODO save User
+    }
+
+    debugRoute("POST /api/otp/verify - 200 - OTP verified");
+
+    res.send(generateAuthToken(user.id, user.admin,true,true));
+});
+
+router.post('/disable', auth, async (req, res) => {
+    //TODO get user from database
+
+    let user = {};
+    if (!user) {
+        debugRoute("POST /api/otp/disable - 404 - User not found");
+        return res.status(404).send('User not found.');
+    }
+
+    //TODO change me
+    user.totp_confirmed = true;
+    if (!user.totp_confirmed) {
+        debugRoute("POST /api/otp/disable - 400 - OTP not enabled");
+        return res.status(400).send('OTP not enabled.');
+    }
+
+    user.totp_secret = undefined;
+    user.totp_confirmed = false;
+    user.lastSecurityUpdate = Date.now();
+
+    //save user
+
+    debugRoute("POST /api/otp/disable - 200 - OTP disabled");
+
+    res.send(generateAuthToken(false,false));
+});
+
+module.exports = router;
diff --git a/routes/verification.js b/routes/verification.js
@@ -4,7 +4,7 @@ const debugRoute = require('debug')('app:route');
 const {sendVerificationEmail} = require("../services/mailer");
 const Joi = require("joi");
 //Models
-const {generateVerificationCode} = require('../models/user');
+const {generateVerificationCode} = require('../models/User');
 
 router.post('/resend/:email', async (req, res) => {
     if (Joi.string().email().validate(req.params.email).error) {
@@ -20,12 +20,12 @@ router.post('/resend/:email', async (req, res) => {
         return res.status(404).send('User not found.');
     }
 
-    if (user.verificationCodeSent > Date.now() - 300000) {
+    if (user.last_email_send > Date.now() - 300000) {
         debugRoute("POST /api/verification/resend/:email - 400 - Verification code already sent");
         return res.status(400).send('Verification code already sent.');
     }
 
-    if (user.active) {
+    if (user.email_confirmed) {
         debugRoute("POST /api/verification/verify/:code - 400 - User already verified");
         return res.status(400).send('User already verified.');
     }
@@ -42,11 +42,6 @@ router.post('/resend/:email', async (req, res) => {
 });
 
 router.post('/verify/:code', async (req, res) => {
-    if (!global.connected) {
-        debugRoute("POST /api/verification/verify/:code - 500 - DB not connected");
-        return res.status(500).send("Database not connected");
-    }
-
     if (!req.params.code) {
         debugRoute("POST /api/verification/verify/:code - 400 - Code required");
         return res.status(400).send("Code required");
@@ -57,11 +52,8 @@ router.post('/verify/:code', async (req, res) => {
         return res.status(400).send("Invalid code");
     }
 
-    let user = await User.findOne({verificationCode: req.params.code});
-    if (!user) {
-        debugRoute("POST /api/verification/verify/:code - 400 - Invalid code");
-        return res.status(400).send("Invalid code");
-    }
+    //TODO find user in database
+    let user = {}
 
     if (user.verificationCodeSent < Date.now() - 259200000) {
         debugRoute("POST /api/verification/verify/:code - 400 - Verification code expired");
@@ -71,7 +63,8 @@ router.post('/verify/:code', async (req, res) => {
     user.active = true;
     user.verificationCode = undefined;
     user.verificationCodeSent = undefined;
-    user.save();
+
+    //TODO save user
 
     debugRoute("POST /api/verification/verify/:code - 200 - User verified");
 

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@`
`27`	`27`	`"morgan": "^1.10.0",`
`28`	`28`	`"nodemailer": "^6.9.7",`
`29`	`29`	`"pg": "^8.11.3",`
	`30`	`+ "speakeasy": "^2.0.0",`
`30`	`31`	`"utf8": "^3.0.0"`
`31`	`32`	`}`
`32`	`33`	`}`