2FA有効時、パスワードをチェックしてからトークンを確認するように
u1-liquid committed Oct 11, 2023
1 parent 511ff69 commit 70abe21
Showing 8 changed files with 55 additions and 60 deletions.
16 changes: 7 additions & 9 deletions packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
Expand Up @@ -61,10 +61,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private globalEventService: GlobalEventService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -74,14 +79,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
} catch (e) {
throw new Error('authentication failed');
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (!profile.twoFactorEnabled) {
} else {
throw new ApiError(meta.errors.twoFactorNotEnabled);
}

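Review bot: In the new order a wrong password ends in `throw new ApiError(meta.errors.incorrectPassword)` while a missing or rejected token still ends in `throw new Error('authentication failed')` (second hunk, the `catch (e)` branch), so one failure is a structured API error and the other an unstructured one that presumably surfaces as an internal error; I would throw an `ApiError` on the token path as well, e.g. `throw new ApiError(meta.errors.<TWO_FACTOR_FAILED_PLACEHOLDER>);` with a matching entry added to `meta.errors`. Because the password is now verified before the second factor and the two responses differ, a caller that already holds this account's session can learn whether a password is correct without presenting a token, which the old order did not allow; that is a defensible UX trade-off, but it rests on the endpoint's rate limit, which lives in `meta` outside the hunk and is worth confirming. The same two points apply to register-key.ts, register.ts, remove-key.ts, unregister.ts, change-password.ts, delete-account.ts and update-email.ts in this commit. The `super(...)` callback starts and ends outside both hunks.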
16 changes: 7 additions & 9 deletions packages/backend/src/server/api/endpoints/i/2fa/register-key.ts
Expand Up @@ -58,7 +58,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private userAuthService: UserAuthService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOne({
where: {
userId: me.id,
Expand All @@ -70,7 +69,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
throw new ApiError(meta.errors.userNotFound);
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -80,14 +85,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
} catch (e) {
throw new Error('authentication failed');
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (!profile.twoFactorEnabled) {
} else {
throw new ApiError(meta.errors.twoFactorNotEnabled);
}

12 changes: 6 additions & 6 deletions packages/backend/src/server/api/endpoints/i/2fa/register.ts
Expand Up @@ -49,10 +49,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private userAuthService: UserAuthService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -64,11 +69,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

// Generate user's secret key
const secret = new OTPAuth.Secret();

12 changes: 6 additions & 6 deletions packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts
Expand Up @@ -51,10 +51,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private globalEventService: GlobalEventService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -66,11 +71,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

// Make sure we only delete the user's own creds
await this.userSecurityKeysRepository.delete({
userId: me.id,
12 changes: 6 additions & 6 deletions packages/backend/src/server/api/endpoints/i/2fa/unregister.ts
Expand Up @@ -47,10 +47,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private globalEventService: GlobalEventService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -62,11 +67,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

await this.userProfilesRepository.update(me.id, {
twoFactorSecret: null,
twoFactorBackupSecret: null,
13 changes: 6 additions & 7 deletions packages/backend/src/server/api/endpoints/i/change-password.ts
Expand Up @@ -35,10 +35,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private userAuthService: UserAuthService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.currentPassword, profile.password!);
if (!passwordMatched) {
throw new Error('incorrect password');
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -50,12 +55,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const passwordMatched = await bcrypt.compare(ps.currentPassword, profile.password!);

if (!passwordMatched) {
throw new Error('incorrect password');
}

// Generate hash of password
const salt = await bcrypt.genSalt(8);
const hash = await bcrypt.hash(ps.newPassword, salt);
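Review bot: The moved line `const passwordMatched = await bcrypt.compare(ps.currentPassword, profile.password!);` keeps a non-null assertion on a field the same commit treats as nullable elsewhere (`profile.password ?? ''` in key-done.ts and register-key.ts); if `password` is null for an account, `bcrypt.compare` presumably rejects and the request fails with an unhandled error instead of the intended incorrect-password result. Since the line is being touched anyway, `profile.password ?? ''` would make the files behave the same; delete-account.ts and update-email.ts in this commit carry the same `profile.password!`. The `super(...)` callback starts and ends outside the hunks.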
22 changes: 11 additions & 11 deletions packages/backend/src/server/api/endpoints/i/delete-account.ts
Expand Up @@ -40,10 +40,20 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private deleteAccountService: DeleteAccountService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const userDetailed = await this.usersRepository.findOneByOrFail({ id: me.id });
if (userDetailed.isDeleted) {
return;
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
if (!passwordMatched) {
throw new Error('incorrect password');
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -55,16 +65,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const userDetailed = await this.usersRepository.findOneByOrFail({ id: me.id });
if (userDetailed.isDeleted) {
return;
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
if (!passwordMatched) {
throw new Error('incorrect password');
}

await this.deleteAccountService.deleteAccount(me);
});
}
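Review bot: `profile` is loaded on the first line of the callback but is first used in the `bcrypt.compare` call after the `userDetailed.isDeleted` early return, so a request for an already-deleted account performs a profile query whose result is discarded; moving `const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });` to just after that `if` block keeps the new check order and drops the unused query. The `super(...)` callback starts and ends outside the hunks.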
12 changes: 6 additions & 6 deletions packages/backend/src/server/api/endpoints/i/update-email.ts
Expand Up @@ -68,10 +68,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
private globalEventService: GlobalEventService,
) {
super(meta, paramDef, async (ps, me) => {
const token = ps.token;
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });

const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (profile.twoFactorEnabled) {
const token = ps.token;
if (token == null) {
throw new Error('authentication failed');
}
Expand All @@ -83,11 +88,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
}

const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
if (!passwordMatched) {
throw new ApiError(meta.errors.incorrectPassword);
}

if (ps.email != null) {
const res = await this.emailService.validateEmailForAccount(ps.email);
if (!res.available) {
