t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add: user totp 2fa

Browse source
This commit is contained in:
trisua 2025-04-04 21:42:08 -04:00
parent 20aae5570b
commit 205fcbdcc1
29 changed files with 699 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

139
crates/core/src/database/auth.rs
View file

@ -9,6 +9,7 @@ use crate::model::{
use crate::{auto_method, execute, get, query_row, params};
use pathbufd::PathBufD;
use std::fs::{exists, remove_file};
use std::usize;
use tetratto_shared::hash::{hash_salted, salt};
use tetratto_shared::unix_epoch_timestamp;
@ -42,6 +43,8 @@ impl DataManager {
follower_count: get!(x->10(i32)) as usize,
following_count: get!(x->11(i32)) as usize,
last_seen: get!(x->12(i64)) as usize,
totp: get!(x->13(String)),
recovery_codes: serde_json::from_str(&get!(x->14(String)).to_string()).unwrap(),
}
}
@ -111,7 +114,7 @@ impl DataManager {
let res = execute!(
&conn,
"INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)",
"INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)",
params![
&(data.id as i64),
&(data.created as i64),
@ -126,6 +129,8 @@ impl DataManager {
&(0 as i32),
&(0 as i32),
&(data.last_seen as i64),
&String::new(),
&"[]"
]
);
@ -414,6 +419,138 @@ impl DataManager {
Ok(())
}
/// Validate a given TOTP code for the given profile.
pub fn check_totp(&self, ua: &User, code: &str) -> bool {
let totp = ua.totp(Some(
self.0
.banned_hosts
.get(0)
.unwrap_or(&"https://tetratto.com".to_string())
.replace("http://", "")
.replace("https://", "")
.replace(":", "_"),
));
if let Some(totp) = totp {
return !code.is_empty()
&& (totp.check_current(code).unwrap()
| ua.recovery_codes.contains(&code.to_string()));
}
true
}
/// Generate 8 random recovery codes for TOTP.
pub fn generate_totp_recovery_codes() -> Vec<String> {
let mut out: Vec<String> = Vec::new();
for _ in 0..9 {
out.push(salt())
}
out
}
/// Update the profile's TOTP secret.
///
/// # Arguments
/// * `id` - the ID of the user
/// * `secret` - the TOTP secret
/// * `recovery` - the TOTP recovery codes
pub async fn update_user_totp(
&self,
id: usize,
secret: &str,
recovery: &Vec<String>,
) -> Result<()> {
let user = self.get_user_by_id(id).await?;
// update
let conn = match self.connect().await {
Ok(c) => c,
Err(e) => return Err(Error::DatabaseConnection(e.to_string())),
};
let res = execute!(
&conn,
"UPDATE users SET totp = $1, recovery_codes = $2 WHERE id = $3",
params![
&secret,
&serde_json::to_string(recovery).unwrap(),
&(id as i64)
]
);
if let Err(e) = res {
return Err(Error::DatabaseError(e.to_string()));
}
self.cache_clear_user(&user).await;
Ok(())
}
/// Enable TOTP for a profile.
///
/// # Arguments
/// * `id` - the ID of the user to enable TOTP for
/// * `user` - the user doing this
///
/// # Returns
/// `Result<(secret, qr base64)>`
pub async fn enable_totp(
&self,
id: usize,
user: User,
) -> Result<(String, String, Vec<String>)> {
let other_user = self.get_user_by_id(id).await?;
if other_user.id != user.id {
if other_user.permissions.check(FinePermission::MANAGE_USERS) {
// create audit log entry
self.create_audit_log_entry(AuditLogEntry::new(
user.id,
format!("invoked `enable_totp` with x value `{}`", other_user.id,),
))
.await?;
} else {
return Err(Error::NotAllowed);
}
}
let secret = totp_rs::Secret::default().to_string();
let recovery = Self::generate_totp_recovery_codes();
self.update_user_totp(id, &secret, &recovery).await?;
// fetch profile again (with totp information)
let other_user = self.get_user_by_id(id).await?;
// get totp
let totp = other_user.totp(Some(
self.0
.banned_hosts
.get(0)
.unwrap_or(&"https://tetratto.com".to_string())
.replace("http://", "")
.replace("https://", "")
.replace(":", "_"),
));
if totp.is_none() {
return Err(Error::MiscError("Failed to get TOTP code".to_string()));
}
let totp = totp.unwrap();
// generate qr
let qr = match totp.get_qr_base64() {
Ok(q) => q,
Err(e) => return Err(Error::MiscError(e.to_string())),
};
// return
Ok((secret, qr, recovery))
}
pub async fn cache_clear_user(&self, user: &User) {
self.2.remove(format!("atto.user:{}", user.id)).await;
self.2.remove(format!("atto.user:{}", user.username)).await;

29
crates/core/src/database/communities.rs
View file

@ -168,20 +168,27 @@ impl DataManager {
}
// check number of communities
let memberships = self.get_memberships_by_owner(data.owner).await?;
let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
let owner = self.get_user_by_id(data.owner).await?;
for membership in memberships {
if membership.role.check(CommunityPermission::ADMINISTRATOR) {
admin_count += 1;
if !owner
.permissions
.check(FinePermission::INFINITE_COMMUNITIES)
{
let memberships = self.get_memberships_by_owner(data.owner).await?;
let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
for membership in memberships {
if membership.role.check(CommunityPermission::ADMINISTRATOR) {
admin_count += 1;
}
}
}
if admin_count >= 5 {
return Err(Error::MiscError(
"You are already owner/co-owner of too many communities to create another"
.to_string(),
));
if admin_count >= 5 {
return Err(Error::MiscError(
"You are already owner/co-owner of too many communities to create another"
.to_string(),
));
}
}
// make sure community doesn't already exist with title

2
crates/core/src/database/memberships.rs
View file

@ -163,7 +163,7 @@ impl DataManager {
self.create_notification(Notification::new(
"You've received a community join request!".to_string(),
format!(
"[Somebody](/api/v1/auth/profile/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).",
"[Somebody](/api/v1/auth/user/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).",
data.owner, data.community, data.community, data.owner
),
community.owner,

6
crates/core/src/database/posts.rs
View file

@ -367,7 +367,7 @@ impl DataManager {
self.create_notification(Notification::new(
"You've been mentioned in a post!".to_string(),
format!(
"[Somebody](/api/v1/auth/profile/find/{}) mentioned you in their [post](/post/{}).",
"[Somebody](/api/v1/auth/user/find/{}) mentioned you in their [post](/post/{}).",
data.owner, data.id
),
user.id,
@ -380,7 +380,7 @@ impl DataManager {
data.content = data.content.replace(
&format!("@{username}"),
&format!("[@{username}](/api/v1/auth/profile/find/{})", user.id),
&format!("[@{username}](/api/v1/auth/user/find/{})", user.id),
);
}
@ -427,7 +427,7 @@ impl DataManager {
self.create_notification(Notification::new(
"Your post has received a new comment!".to_string(),
format!(
"[@{}](/api/v1/auth/profile/find/{}) has commented on your [post](/post/{}).",
"[@{}](/api/v1/auth/user/find/{}) has commented on your [post](/post/{}).",
owner.username, owner.id, rt.id
),
rt.owner,

4
crates/core/src/database/reactions.rs
View file

@ -107,7 +107,7 @@ impl DataManager {
.create_notification(Notification::new(
"Your community has received a like!".to_string(),
format!(
"[@{}](/api/v1/auth/profile/find/{}) has liked your [community](/api/v1/communities/find/{})!",
"[@{}](/api/v1/auth/user/find/{}) has liked your [community](/api/v1/communities/find/{})!",
user.username, user.id, community.id
),
community.owner,
@ -136,7 +136,7 @@ impl DataManager {
.create_notification(Notification::new(
"Your post has received a like!".to_string(),
format!(
"[@{}](/api/v1/auth/profile/find/{}) has liked your post!",
"[@{}](/api/v1/auth/user/find/{}) has liked your post!",
user.username, user.id
),
post.owner,

29
crates/core/src/model/auth.rs
View file

@ -1,5 +1,6 @@
use super::permissions::FinePermission;
use serde::{Deserialize, Serialize};
use totp_rs::TOTP;
use tetratto_shared::{
hash::{hash_salted, salt},
snow::AlmostSnowflake,
@ -24,6 +25,12 @@ pub struct User {
pub follower_count: usize,
pub following_count: usize,
pub last_seen: usize,
/// The TOTP secret for this profile. An empty value means the user has TOTP disabled.
#[serde(default)]
pub totp: String,
/// The TOTP recovery codes for this profile.
#[serde(default)]
pub recovery_codes: Vec<String>,
}
#[derive(Clone, Debug, Serialize, Deserialize)]
@ -100,6 +107,8 @@ impl User {
follower_count: 0,
following_count: 0,
last_seen: unix_epoch_timestamp() as usize,
totp: String::new(),
recovery_codes: Vec::new(),
}
}
@ -184,6 +193,26 @@ impl User {
// return
out
}
/// Get a [`TOTP`] from the profile's `totp` secret value.
pub fn totp(&self, issuer: Option<String>) -> Option<TOTP> {
if self.totp.is_empty() {
return None;
}
match TOTP::new(
totp_rs::Algorithm::SHA1,
6,
1,
30,
self.totp.as_bytes().to_owned(),
Some(issuer.unwrap_or("tetratto!".to_string())),
self.username.clone(),
) {
Ok(t) => Some(t),
Err(_) => None,
}
}
}
#[derive(Debug, Serialize, Deserialize)]

1
crates/core/src/model/permissions.rs
View file

@ -26,6 +26,7 @@ bitflags! {
const MANAGE_AUDITLOG = 1 << 15;
const MANAGE_REPORTS = 1 << 16;
const BANNED = 1 << 17;
const INFINITE_COMMUNITIES = 1 << 18;
const _ = !0;
}