2017-07-26 16:52:55 +08:00
|
|
|
'use strict';
|
|
|
|
|
|
|
|
|
|
const Joi = require('joi');
|
|
|
|
|
const ObjectID = require('mongodb').ObjectID;
|
|
|
|
|
|
|
|
|
|
module.exports = (db, server, userHandler) => {
|
2017-10-10 16:19:10 +08:00
|
|
|
// Create TOTP seed and request a QR code
|
|
|
|
|
server.post('/users/:user/2fa/totp/setup', (req, res, next) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
res.charSet('utf-8');
|
|
|
|
|
const schema = Joi.object().keys({
|
2017-10-10 16:19:10 +08:00
|
|
|
user: Joi.string()
|
|
|
|
|
.hex()
|
|
|
|
|
.lowercase()
|
|
|
|
|
.length(24)
|
|
|
|
|
.required(),
|
|
|
|
|
issuer: Joi.string()
|
|
|
|
|
.trim()
|
|
|
|
|
.max(255)
|
|
|
|
|
.required(),
|
|
|
|
|
fresh: Joi.boolean()
|
|
|
|
|
.truthy(['Y', 'true', 'yes', 1])
|
|
|
|
|
.default(false),
|
2017-10-30 19:41:53 +08:00
|
|
|
sess: Joi.string().max(255),
|
2017-07-26 16:52:55 +08:00
|
|
|
ip: Joi.string().ip({
|
|
|
|
|
version: ['ipv4', 'ipv6'],
|
|
|
|
|
cidr: 'forbidden'
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const result = Joi.validate(req.params, schema, {
|
|
|
|
|
abortEarly: false,
|
|
|
|
|
convert: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (result.error) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: result.error.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let user = new ObjectID(result.value.user);
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
userHandler.setupTotp(user, result.value, (err, result) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
if (err) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: err.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({
|
|
|
|
|
success: true,
|
|
|
|
|
qrcode: result
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
// Send token from QR code to enable TOTP auth for a client
|
|
|
|
|
server.post('/users/:user/2fa/totp/enable', (req, res, next) => {
|
|
|
|
|
res.charSet('utf-8');
|
|
|
|
|
|
|
|
|
|
const schema = Joi.object().keys({
|
|
|
|
|
user: Joi.string()
|
|
|
|
|
.hex()
|
|
|
|
|
.lowercase()
|
|
|
|
|
.length(24)
|
|
|
|
|
.required(),
|
|
|
|
|
token: Joi.string()
|
|
|
|
|
.length(6)
|
|
|
|
|
.required(),
|
2017-10-30 19:41:53 +08:00
|
|
|
sess: Joi.string().max(255),
|
2017-10-10 16:19:10 +08:00
|
|
|
ip: Joi.string().ip({
|
|
|
|
|
version: ['ipv4', 'ipv6'],
|
|
|
|
|
cidr: 'forbidden'
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const result = Joi.validate(req.params, schema, {
|
|
|
|
|
abortEarly: false,
|
|
|
|
|
convert: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (result.error) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: result.error.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let user = new ObjectID(result.value.user);
|
|
|
|
|
|
|
|
|
|
userHandler.enableTotp(user, result.value, (err, result) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: err.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!result) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: 'Invalid authentication token'
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({
|
|
|
|
|
success: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Disable TOTP auth for an user
|
|
|
|
|
server.del('/users/:user/2fa/totp', (req, res, next) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
res.charSet('utf-8');
|
|
|
|
|
|
|
|
|
|
const schema = Joi.object().keys({
|
2017-10-10 16:19:10 +08:00
|
|
|
user: Joi.string()
|
|
|
|
|
.hex()
|
|
|
|
|
.lowercase()
|
|
|
|
|
.length(24)
|
|
|
|
|
.required(),
|
2017-10-30 19:41:53 +08:00
|
|
|
sess: Joi.string().max(255),
|
2017-07-26 16:52:55 +08:00
|
|
|
ip: Joi.string().ip({
|
|
|
|
|
version: ['ipv4', 'ipv6'],
|
|
|
|
|
cidr: 'forbidden'
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
req.query.user = req.params.user;
|
|
|
|
|
|
|
|
|
|
const result = Joi.validate(req.query, schema, {
|
|
|
|
|
abortEarly: false,
|
|
|
|
|
convert: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (result.error) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: result.error.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let user = new ObjectID(result.value.user);
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
userHandler.disableTotp(user, result.value, (err, result) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
if (err) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: err.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!result) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: 'Invalid authentication token'
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({
|
|
|
|
|
success: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
// Send current TOTP code to authenticate an user
|
|
|
|
|
server.post('/users/:user/2fa/totp/check', (req, res, next) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
res.charSet('utf-8');
|
|
|
|
|
|
|
|
|
|
const schema = Joi.object().keys({
|
2017-10-10 16:19:10 +08:00
|
|
|
user: Joi.string()
|
|
|
|
|
.hex()
|
|
|
|
|
.lowercase()
|
|
|
|
|
.length(24)
|
|
|
|
|
.required(),
|
|
|
|
|
token: Joi.string()
|
|
|
|
|
.length(6)
|
|
|
|
|
.required(),
|
2017-10-30 19:41:53 +08:00
|
|
|
sess: Joi.string().max(255),
|
2017-07-26 16:52:55 +08:00
|
|
|
ip: Joi.string().ip({
|
|
|
|
|
version: ['ipv4', 'ipv6'],
|
|
|
|
|
cidr: 'forbidden'
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const result = Joi.validate(req.params, schema, {
|
|
|
|
|
abortEarly: false,
|
|
|
|
|
convert: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (result.error) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: result.error.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let user = new ObjectID(result.value.user);
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
userHandler.checkTotp(user, result.value, (err, result) => {
|
2017-07-26 16:52:55 +08:00
|
|
|
if (err) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: err.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!result) {
|
|
|
|
|
res.json({
|
2017-10-10 16:19:10 +08:00
|
|
|
error: 'Failed to validate TOTP'
|
2017-07-26 16:52:55 +08:00
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({
|
|
|
|
|
success: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2017-10-10 16:19:10 +08:00
|
|
|
// Disable 2FA auth for an user
|
2017-07-26 16:52:55 +08:00
|
|
|
server.del('/users/:user/2fa', (req, res, next) => {
|
|
|
|
|
res.charSet('utf-8');
|
|
|
|
|
|
|
|
|
|
const schema = Joi.object().keys({
|
2017-10-10 16:19:10 +08:00
|
|
|
user: Joi.string()
|
|
|
|
|
.hex()
|
|
|
|
|
.lowercase()
|
|
|
|
|
.length(24)
|
|
|
|
|
.required(),
|
2017-10-30 19:41:53 +08:00
|
|
|
sess: Joi.string().max(255),
|
2017-07-26 16:52:55 +08:00
|
|
|
ip: Joi.string().ip({
|
|
|
|
|
version: ['ipv4', 'ipv6'],
|
|
|
|
|
cidr: 'forbidden'
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
req.query.user = req.params.user;
|
|
|
|
|
|
|
|
|
|
const result = Joi.validate(req.query, schema, {
|
|
|
|
|
abortEarly: false,
|
|
|
|
|
convert: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (result.error) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: result.error.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let user = new ObjectID(result.value.user);
|
|
|
|
|
|
|
|
|
|
userHandler.disable2fa(user, result.value, (err, result) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
res.json({
|
|
|
|
|
error: err.message
|
|
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!result) {
|
|
|
|
|
res.json({
|
2017-10-10 16:19:10 +08:00
|
|
|
error: 'Failed to disable U2F'
|
2017-07-26 16:52:55 +08:00
|
|
|
});
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({
|
|
|
|
|
success: true
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return next();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
};
|
