t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add: user totp 2fa

Browse source
This commit is contained in:
trisua 2025-04-04 21:42:08 -04:00
parent 20aae5570b
commit 205fcbdcc1
29 changed files with 699 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

1
crates/app/src/langs/en-US.toml
View file

@ -89,6 +89,7 @@ version = "1.0.0"
"settings:label.new_password" = "New password"
"settings:label.change_username" = "Change username"
"settings:label.new_username" = "New username"
"settings:label.two_factor_authentication" = "Two-factor authentication"
"settings:label.change_avatar" = "Change avatar"
"settings:label.change_banner" = "Change banner"

73
crates/app/src/public/html/auth/login.html
View file

@ -2,34 +2,68 @@
<title>Login</title>
{% endblock %} {% block title %}Login{% endblock %} {% block content %}
<form class="w-full flex flex-col gap-4" onsubmit="login(event)">
<div class="flex flex-col gap-1">
<label for="username"><b>Username</b></label>
<input
type="text"
placeholder="username"
required
name="username"
id="username"
/>
<div id="flow_1" style="display: contents">
<div class="flex flex-col gap-1">
<label for="username"><b>Username</b></label>
<input
type="text"
placeholder="username"
required
name="username"
id="username"
/>
</div>
<div class="flex flex-col gap-1">
<label for="username"><b>Password</b></label>
<input
type="password"
placeholder="password"
required
name="password"
id="password"
/>
</div>
</div>
<div class="flex flex-col gap-1">
<label for="username"><b>Password</b></label>
<input
type="password"
placeholder="password"
required
name="password"
id="password"
/>
<div id="flow_2" style="display: none">
<div class="flex flex-col gap-1">
<label for="totp"><b>TOTP code</b></label>
<input type="text" placeholder="totp code" name="totp" id="totp" />
</div>
</div>
<button>Submit</button>
</form>
<script>
function login(e) {
let flow_page = 1;
function next_page() {
document.getElementById(`flow_${flow_page}`).style.display = "none";
flow_page += 1;
document.getElementById(`flow_${flow_page}`).style.display = "contents";
}
async function login(e) {
e.preventDefault();
if (flow_page === 1) {
// check if we need TOTP
const res = await (
await fetch(
`/api/v1/auth/user/${e.target.username.value}/totp/check`,
)
).json();
trigger("atto::toast", [res.ok ? "success" : "error", res.message]);
if (res.ok && res.payload) {
// user exists AND totp is required
return next_page();
}
}
fetch("/api/v1/auth/login", {
method: "POST",
headers: {
@ -38,6 +72,7 @@
body: JSON.stringify({
username: e.target.username.value,
password: e.target.password.value,
totp: e.target.totp.value,
}),
})
.then((res) => res.json())

2
crates/app/src/public/html/communities/settings.html
View file

@ -416,7 +416,7 @@
// ...
element.innerHTML = `<div class="flex gap-2 flex-wrap" ui_ident="actions">
<a target="_blank" class="button" href="/api/v1/auth/profile/find/${e.target.uid.value}">Open user profile</a>
<a target="_blank" class="button" href="/api/v1/auth/user/find/${e.target.uid.value}">Open user profile</a>
${res.payload.role !== 33 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 33)">Ban</button>` : `<button class="quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Unban</button>`}
${res.payload.role !== 65 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 65)">Send to review</button>` : `<button class="green quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Accept join request</button>`}
<button class="red quaternary" onclick="kick_user('${e.target.uid.value}')">Kick</button>

4
crates/app/src/public/html/components.html
View file

@ -1,7 +1,7 @@
{% macro avatar(username, size="24px", selector_type="username") -%}
<img
title="{{ username }}'s avatar"
src="/api/v1/auth/profile/{{ username }}/avatar?selector_type={{ selector_type }}"
src="/api/v1/auth/user/{{ username }}/avatar?selector_type={{ selector_type }}"
alt="@{{ username }}"
class="avatar shadow"
loading="lazy"
@ -28,7 +28,7 @@
border_radius="var(--radius)") -%}
<img
title="{{ username }}'s banner"
src="/api/v1/auth/profile/{{ username }}/banner"
src="/api/v1/auth/user/{{ username }}/banner"
alt="@{{ username }}'s banner"
class="banner shadow"
loading="lazy"

2
crates/app/src/public/html/mod/audit_log.html
View file

@ -14,7 +14,7 @@
<div class="card-nest">
<a
class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.moderator }}"
href="/api/v1/auth/user/find/{{ item.moderator }}"
>
<!-- prettier-ignore -->
{{ components::avatar(username=item.moderator, selector_type="id") }}

2
crates/app/src/public/html/mod/ip_bans.html
View file

@ -14,7 +14,7 @@
<div class="card-nest">
<a
class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.moderator }}"
href="/api/v1/auth/user/find/{{ item.moderator }}"
>
<!-- prettier-ignore -->
{{ components::avatar(username=item.moderator, selector_type="id") }}

2
crates/app/src/public/html/mod/reports.html
View file

@ -14,7 +14,7 @@
<div class="card-nest">
<a
class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.owner }}"
href="/api/v1/auth/user/find/{{ item.owner }}"
>
<!-- prettier-ignore -->
{{ components::avatar(username=item.owner, selector_type="id") }}

10
crates/app/src/public/html/profile/base.html
View file

@ -131,7 +131,7 @@
<script>
globalThis.toggle_follow_user = () => {
fetch(
"/api/v1/auth/profile/{{ profile.id }}/follow",
"/api/v1/auth/user/{{ profile.id }}/follow",
{
method: "POST",
},
@ -155,7 +155,7 @@
}
fetch(
"/api/v1/auth/profile/{{ profile.id }}/block",
"/api/v1/auth/user/{{ profile.id }}/block",
{
method: "POST",
},
@ -264,7 +264,7 @@
}
fetch(
`/api/v1/auth/profile/{{ profile.id }}/${path}`,
`/api/v1/auth/user/{{ profile.id }}/${path}`,
{
method: "POST",
headers: {
@ -295,7 +295,7 @@
}
fetch(
"/api/v1/auth/profile/{{ profile.id }}",
"/api/v1/auth/user/{{ profile.id }}",
{
method: "DELETE",
headers: {
@ -328,7 +328,7 @@
}
fetch(
`/api/v1/auth/profile/{{ profile.id }}/role`,
`/api/v1/auth/user/{{ profile.id }}/role`,
{
method: "POST",
headers: {

179
crates/app/src/public/html/profile/settings.html
View file

@ -100,6 +100,60 @@
</button>
</form>
</div>
<div class="card-nest" ui_ident="two_factor_authentication">
<div class="card small">
<b>{{ text "settings:label.two_factor_authentication" }}</b>
</div>
<div class="card flex flex-col gap-2">
{% if profile.totp|length == 0 %}
<div id="totp_stuff" style="display: none">
<span
>Scan this QR code in a TOTP authenticator app (like
Google Authenticator):
</span>
<img id="totp_qr" style="max-width: 250px" />
<span>TOTP secret (do NOT share):</span>
<pre id="totp_secret"></pre>
<span
>Recovery codes (STORE SAFELY, these can only be
viewed once):</span
>
<pre id="totp_recovery_codes"></pre>
</div>
<button
class="quaternary green"
onclick="enable_totp(event)"
>
Enable TOTP 2FA
</button>
{% else %}
<pre id="totp_recovery_codes" style="display: none"></pre>
<div class="flex gap-2 flex-wrap">
<button
class="quaternary red"
onclick="refresh_totp_codes(event)"
>
Refresh recovery codes
</button>
<button
class="quaternary red"
onclick="disable_totp(event)"
>
Disable TOTP 2FA
</button>
</div>
{% endif %}
</div>
</div>
</div>
<div class="card-nest" ui_ident="change_password">
@ -244,8 +298,7 @@
{% if is_helper %}
<span class="flex gap-2 items-center">
<span class="fade"
><a
href="/api/v1/auth/profile/find_by_ip/{{ token[0] }}"
><a href="/api/v1/auth/user/find_by_ip/{{ token[0] }}"
><code>{{ token[0] }}</code></a
></span
>
@ -296,7 +349,7 @@
tokens = new_tokens;
// send request to save
fetch("/api/v1/auth/profile/{{ profile.id }}/tokens", {
fetch("/api/v1/auth/user/{{ profile.id }}/tokens", {
method: "POST",
headers: {
"Content-Type": "application/json",
@ -313,7 +366,7 @@
};
globalThis.save_settings = () => {
fetch("/api/v1/auth/profile/{{ profile.id }}/settings", {
fetch("/api/v1/auth/user/{{ profile.id }}/settings", {
method: "POST",
headers: {
"Content-Type": "application/json",
@ -331,7 +384,7 @@
globalThis.change_password = (e) => {
e.preventDefault();
fetch("/api/v1/auth/profile/{{ profile.id }}/password", {
fetch("/api/v1/auth/user/{{ profile.id }}/password", {
method: "POST",
headers: {
"Content-Type": "application/json",
@ -361,7 +414,7 @@
return;
}
fetch("/api/v1/auth/profile/{{ profile.id }}/username", {
fetch("/api/v1/auth/user/{{ profile.id }}/username", {
method: "POST",
headers: {
"Content-Type": "application/json",
@ -390,7 +443,7 @@
return;
}
fetch("/api/v1/auth/profile/{{ profile.id }}", {
fetch("/api/v1/auth/user/{{ profile.id }}", {
method: "DELETE",
headers: {
"Content-Type": "application/json",
@ -454,6 +507,117 @@
alert("Banner upload in progress. Please wait!");
};
globalThis.enable_totp = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this? You must have access to your TOTP codes to disable TOTP.",
]))
) {
return;
}
fetch("/api/v1/auth/user/{{ user.id }}/totp", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
const [secret, qr, recovery_codes] = res.payload;
document.getElementById("totp_secret").innerText =
secret;
document.getElementById("totp_qr").src =
`data:image/png;base64,${qr}`;
document.getElementById(
"totp_recovery_codes",
).innerText = recovery_codes.join("\n");
document.getElementById("totp_stuff").style.display =
"contents";
event.target.remove();
});
};
globalThis.disable_totp = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this?",
]))
) {
return;
}
const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
if (!totp_code) {
return;
}
fetch("/api/v1/auth/user/{{ profile.id }}/totp", {
method: "DELETE",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ totp: totp_code }),
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
event.target.remove();
});
};
globalThis.refresh_totp_codes = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this? The old codes will no longer work.",
]))
) {
return;
}
const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
if (!totp_code) {
return;
}
fetch("/api/v1/auth/user/{{ profile.id }}/totp/codes", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ totp: totp_code }),
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
document.getElementById(
"totp_recovery_codes",
).innerText = res.payload.join("\n");
document.getElementById(
"totp_recovery_codes",
).style.display = "block";
event.target.remove();
});
};
const account_settings =
document.getElementById("account_settings");
const profile_settings =
@ -462,6 +626,7 @@
ui.refresh_container(account_settings, [
"change_password",
"change_username",
"two_factor_authentication",
]);
ui.refresh_container(profile_settings, [
"theme_preference",

6
crates/app/src/public/js/atto.js
View file

@ -415,9 +415,7 @@ media_theme_pref();
try {
const href = new URL(anchor.href);
if (
href.pathname.startsWith("/api/v1/auth/profile/find_by_ip/")
) {
if (href.pathname.startsWith("/api/v1/auth/user/find_by_ip/")) {
const ban_button = document.createElement("button");
ban_button.innerText = "Ban IP";
ban_button.className = "quaternary red small";
@ -428,7 +426,7 @@ media_theme_pref();
$.ban_ip(
href.pathname.replace(
"/api/v1/auth/profile/find_by_ip/",
"/api/v1/auth/user/find_by_ip/",
"",
),
);

4
crates/app/src/public/js/me.js
View file

@ -156,7 +156,7 @@
});
self.define("seen", () => {
fetch("/api/v1/auth/profile/me/seen", {
fetch("/api/v1/auth/user/me/seen", {
method: "POST",
})
.then((res) => res.json())
@ -196,7 +196,7 @@
element.innerHTML += `<button class="quaternary w-full justify-start" onclick="trigger('me::login', ['${token[0]}'])">
<img
title="${token[0]}'s avatar"
src="/api/v1/auth/profile/${token[0]}/avatar?selector_type=username"
src="/api/v1/auth/user/${token[0]}/avatar?selector_type=username"
alt="Avatar image"
class="avatar"
style="--size: 24px"

4
crates/app/src/routes/api/v1/auth/images.rs
View file

@ -43,7 +43,7 @@ pub struct AvatarSelectorQuery {
}
/// Get a profile's avatar image
/// `/api/v1/auth/profile/{id}/avatar`
/// `/api/v1/auth/user/{id}/avatar`
pub async fn avatar_request(
Path(selector): Path<String>,
Extension(data): Extension<State>,
@ -94,7 +94,7 @@ pub async fn avatar_request(
}
/// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner`
/// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request(
Path(username): Path<String>,
Extension(data): Extension<State>,

5
crates/app/src/routes/api/v1/auth/mod.rs
View file

@ -140,6 +140,11 @@ pub async fn login_request(
return (None, Json(Error::IncorrectPassword.into()));
}
// verify totp code
if !data.check_totp(&user, &props.totp) {
return (None, Json(Error::NotAllowed.into()));
}
// update tokens
let mut new_tokens = user.tokens.clone();
let (unhashed_token_id, token) = User::create_token(&real_ip);

132
crates/app/src/routes/api/v1/auth/profile.rs
View file

@ -1,9 +1,11 @@
use crate::{
State, get_user_from_token,
get_user_from_token,
model::{ApiReturn, Error},
routes::api::v1::{
DeleteUser, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole, UpdateUserUsername,
DeleteUser, DisableTotp, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole,
UpdateUserUsername,
},
State,
};
use axum::{
Extension, Json,
@ -11,9 +13,12 @@ use axum::{
response::{IntoResponse, Redirect},
};
use axum_extra::extract::CookieJar;
use tetratto_core::model::{
auth::{Token, UserSettings},
permissions::FinePermission,
use tetratto_core::{
model::{
auth::{Token, UserSettings},
permissions::FinePermission,
},
DataManager,
};
pub async fn redirect_from_id(
@ -264,3 +269,120 @@ pub async fn delete_user_request(
Err(e) => Json(e.into()),
}
}
/// Enable TOTP for a user.
pub async fn enable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
match data.enable_totp(id, user).await {
Ok(x) => Json(ApiReturn {
ok: true,
message: "TOTP enabled".to_string(),
payload: Some(x),
}),
Err(e) => Json(e.into()),
}
}
/// Disable TOTP for a user.
pub async fn disable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
match data.update_user_totp(id, &String::new(), &Vec::new()).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "TOTP disabled".to_string(),
payload: (),
}),
Err(e) => Json(e.into()),
}
}
/// Refresh TOTP recovery codes for a user.
pub async fn refresh_totp_codes_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
let recovery_codes = DataManager::generate_totp_recovery_codes();
match data.update_user_totp(id, &user.totp, &recovery_codes).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "Recovery codes refreshed".to_string(),
payload: Some(recovery_codes),
}),
Err(e) => Json(e.into()),
}
}
/// Check if the given user has TOTP enabled.
pub async fn has_totp_enabled_request(
Path(username): Path<String>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match data.get_user_by_username(&username).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
Json(ApiReturn {
ok: true,
message: "User exists".to_string(),
payload: Some(!user.totp.is_empty()),
})
}

2
crates/app/src/routes/api/v1/auth/social.rs
View file

@ -36,7 +36,7 @@ pub async fn follow_request(
.create_notification(Notification::new(
"Somebody has followed you!".to_string(),
format!(
"You have been followed by [@{}](/api/v1/auth/profile/find/{}).",
"You have been followed by [@{}](/api/v1/auth/user/find/{}).",
user.username, user.id
),
id,

14
crates/app/src/routes/api/v1/communities/images.rs
View file

@ -57,7 +57,7 @@ pub async fn avatar_request(
}
/// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner`
/// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request(
Path(id): Path<usize>,
Extension(data): Extension<State>,
@ -120,9 +120,11 @@ pub async fn upload_avatar_request(
Err(e) => return Json(e.into()),
};
if auth_user.id != community.owner && !auth_user
if auth_user.id != community.owner
&& !auth_user
.permissions
.check(FinePermission::MANAGE_COMMUNITIES) {
.check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into());
}
@ -173,9 +175,11 @@ pub async fn upload_banner_request(
Err(e) => return Json(e.into()),
};
if auth_user.id != community.owner && !auth_user
if auth_user.id != community.owner
&& !auth_user
.permissions
.check(FinePermission::MANAGE_COMMUNITIES) {
.check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into());
}

62
crates/app/src/routes/api/v1/mod.rs
View file

@ -104,57 +104,58 @@ pub fn routes() -> Router {
post(auth::images::upload_banner_request),
)
// profile
.route("/auth/user/{id}/avatar", get(auth::images::avatar_request))
.route("/auth/user/{id}/banner", get(auth::images::banner_request))
.route("/auth/user/{id}/follow", post(auth::social::follow_request))
.route("/auth/user/{id}/block", post(auth::social::block_request))
.route(
"/auth/profile/{id}/avatar",
get(auth::images::avatar_request),
)
.route(
"/auth/profile/{id}/banner",
get(auth::images::banner_request),
)
.route(
"/auth/profile/{id}/follow",
post(auth::social::follow_request),
)
.route(
"/auth/profile/{id}/block",
post(auth::social::block_request),
)
.route(
"/auth/profile/{id}/settings",
"/auth/user/{id}/settings",
post(auth::profile::update_user_settings_request),
)
.route(
"/auth/profile/{id}/role",
"/auth/user/{id}/role",
post(auth::profile::update_user_role_request),
)
.route(
"/auth/profile/{id}",
"/auth/user/{id}",
delete(auth::profile::delete_user_request),
)
.route(
"/auth/profile/{id}/password",
"/auth/user/{id}/password",
post(auth::profile::update_user_password_request),
)
.route(
"/auth/profile/{id}/username",
"/auth/user/{id}/username",
post(auth::profile::update_user_username_request),
)
.route(
"/auth/profile/{id}/tokens",
"/auth/user/{id}/tokens",
post(auth::profile::update_user_tokens_request),
)
.route(
"/auth/profile/{id}/verified",
"/auth/user/{id}/verified",
post(auth::profile::update_user_is_verified_request),
)
.route("/auth/profile/me/seen", post(auth::profile::seen_request))
.route(
"/auth/profile/find/{id}",
get(auth::profile::redirect_from_id),
"/auth/user/{id}/totp",
post(auth::profile::enable_totp_request),
)
.route(
"/auth/profile/find_by_ip/{ip}",
"/auth/user/{id}/totp",
delete(auth::profile::disable_totp_request),
)
.route(
"/auth/user/{id}/totp/codes",
post(auth::profile::refresh_totp_codes_request),
)
.route(
"/auth/user/{username}/totp/check",
get(auth::profile::has_totp_enabled_request),
)
.route("/auth/user/me/seen", post(auth::profile::seen_request))
.route("/auth/user/find/{id}", get(auth::profile::redirect_from_id))
.route(
"/auth/user/find_by_ip/{ip}",
get(auth::profile::redirect_from_ip),
)
// notifications
@ -196,6 +197,8 @@ pub fn routes() -> Router {
pub struct LoginProps {
pub username: String,
pub password: String,
#[serde(default)]
pub totp: String,
}
#[derive(Deserialize)]
@ -308,3 +311,8 @@ pub struct DeleteUser {
pub struct CreateIpBan {
pub reason: String,
}
#[derive(Deserialize)]
pub struct DisableTotp {
pub totp: String,
}