t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add: user totp 2fa

Browse source
This commit is contained in:
trisua 2025-04-04 21:42:08 -04:00
parent 20aae5570b
commit 205fcbdcc1
29 changed files with 699 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

87
Cargo.lock generated
View file

@ -204,9 +204,9 @@ dependencies = [
[[package]] [[package]]
name = "axum" name = "axum"
version = "0.8.1" version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d6fd624c75e18b3b4c6b9caf42b1afe24437daaee904069137d8bab077be8b8" checksum = "de45108900e1f9b9242f7f2e254aa3e2c029c921c258fe9e6b4217eeebd54288"
dependencies = [ dependencies = [
"axum-core", "axum-core",
"axum-macros", "axum-macros",
@ -239,12 +239,12 @@ dependencies = [
[[package]] [[package]]
name = "axum-core" name = "axum-core"
version = "0.5.0" version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df1362f362fd16024ae199c1970ce98f9661bf5ef94b9808fee734bc3698b733" checksum = "68464cd0412f486726fb3373129ef5d2993f90c34bc2bc1c1e9943b2f4fc7ca6"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-util", "futures-core",
"http", "http",
"http-body", "http-body",
"http-body-util", "http-body-util",
@ -259,9 +259,9 @@ dependencies = [
[[package]] [[package]]
name = "axum-extra" name = "axum-extra"
version = "0.10.0" version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "460fc6f625a1f7705c6cf62d0d070794e94668988b1c38111baeec177c715f7b" checksum = "45bf463831f5131b7d3c756525b305d40f1185b688565648a92e1392ca35713d"
dependencies = [ dependencies = [
"axum", "axum",
"axum-core", "axum-core",
@ -275,6 +275,7 @@ dependencies = [
"mime", "mime",
"multer", "multer",
"pin-project-lite", "pin-project-lite",
"rustversion",
"serde", "serde",
"tower", "tower",
"tower-layer", "tower-layer",
@ -307,6 +308,12 @@ dependencies = [
"windows-targets 0.52.6", "windows-targets 0.52.6",
] ]
[[package]]
name = "base32"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23ce669cd6c8588f79e15cf450314f9638f967fc5770ff1c7c1deb0925ea7cfa"
[[package]] [[package]]
name = "base64" name = "base64"
version = "0.22.1" version = "0.22.1"
@ -616,9 +623,9 @@ dependencies = [
[[package]] [[package]]
name = "comrak" name = "comrak"
version = "0.36.0" version = "0.37.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5afa2702ef2fecc5bd7ca605f37e875a6be3fc8138c4633e711a945b70351550" checksum = "2a4f05e73ca9a30af27bebc13600f91fd1651b2ec7d139ca82a89df7ca583af1"
dependencies = [ dependencies = [
"bon", "bon",
"caseless", "caseless",
@ -633,6 +640,12 @@ dependencies = [
"xdg", "xdg",
] ]
[[package]]
name = "constant_time_eq"
version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "21a53c0a4d288377e7415b53dcfc3c04da5cdc2cc95c8d5ac178b58f0b861ad6"
[[package]] [[package]]
name = "cookie" name = "cookie"
version = "0.18.1" version = "0.18.1"
@ -1490,9 +1503,9 @@ dependencies = [
[[package]] [[package]]
name = "image" name = "image"
version = "0.25.5" version = "0.25.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd6f44aed642f18953a158afeb30206f4d50da59fbc66ecb53c66488de73563b" checksum = "db35664ce6b9810857a38a906215e75a9c879f0696556a39f59c62829710251a"
dependencies = [ dependencies = [
"bytemuck", "bytemuck",
"byteorder-lite", "byteorder-lite",
@ -2283,6 +2296,23 @@ dependencies = [
"bytemuck", "bytemuck",
] ]
[[package]]
name = "qrcodegen"
version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4339fc7a1021c9c1621d87f5e3505f2805c8c105420ba2f2a4df86814590c142"
[[package]]
name = "qrcodegen-image"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "221b7eace1aef8c95d65dbe09fb7a1a43d006045394a89afba6997721fcb7708"
dependencies = [
"base64",
"image",
"qrcodegen",
]
[[package]] [[package]]
name = "quick-error" name = "quick-error"
version = "2.0.1" version = "2.0.1"
@ -2808,6 +2838,17 @@ dependencies = [
"serde", "serde",
] ]
[[package]]
name = "sha1"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]] [[package]]
name = "sha1_smol" name = "sha1_smol"
version = "1.0.1" version = "1.0.1"
@ -3152,6 +3193,7 @@ dependencies = [
"tetratto-shared", "tetratto-shared",
"tokio-postgres", "tokio-postgres",
"toml", "toml",
"totp-rs",
] ]
[[package]] [[package]]
@ -3416,6 +3458,23 @@ dependencies = [
"winnow", "winnow",
] ]
[[package]]
name = "totp-rs"
version = "5.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17b2f27dad992486c26b4e7455f38aa487e838d6d61b57e72906ee2b8c287a90"
dependencies = [
"base32",
"constant_time_eq",
"hmac",
"qrcodegen-image",
"rand 0.8.5",
"sha1",
"sha2",
"url",
"urlencoding",
]
[[package]] [[package]]
name = "tower" name = "tower"
version = "0.5.2" version = "0.5.2"
@ -3661,6 +3720,12 @@ dependencies = [
"percent-encoding", "percent-encoding",
] ]
[[package]]
name = "urlencoding"
version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
[[package]] [[package]]
name = "utf-8" name = "utf-8"
version = "0.7.6" version = "0.7.6"

6
crates/app/Cargo.toml
View file

@ -16,16 +16,16 @@ tera = "1.20.0"
tracing = "0.1.41" tracing = "0.1.41"
tracing-subscriber = { version = "0.3.19", features = ["env-filter"] } tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
tower-http = { version = "0.6.2", features = ["trace", "fs"] } tower-http = { version = "0.6.2", features = ["trace", "fs"] }
axum = { version = "0.8.1", features = ["macros"] } axum = { version = "0.8.3", features = ["macros"] }
tokio = { version = "1.44.1", features = ["macros", "rt-multi-thread"] } tokio = { version = "1.44.1", features = ["macros", "rt-multi-thread"] }
axum-extra = { version = "0.10.0", features = ["cookie", "multipart"] } axum-extra = { version = "0.10.1", features = ["cookie", "multipart"] }
tetratto-shared = { path = "../shared" } tetratto-shared = { path = "../shared" }
tetratto-core = { path = "../core", features = [ tetratto-core = { path = "../core", features = [
"redis", "redis",
], default-features = false } ], default-features = false }
tetratto-l10n = { path = "../l10n" } tetratto-l10n = { path = "../l10n" }
image = "0.25.5" image = "0.25.6"
reqwest = { version = "0.12.15", features = ["json", "stream"] } reqwest = { version = "0.12.15", features = ["json", "stream"] }
regex = "1.11.1" regex = "1.11.1"
serde_json = "1.0.140" serde_json = "1.0.140"

1
crates/app/src/langs/en-US.toml
View file

@ -89,6 +89,7 @@ version = "1.0.0"
"settings:label.new_password" = "New password" "settings:label.new_password" = "New password"
"settings:label.change_username" = "Change username" "settings:label.change_username" = "Change username"
"settings:label.new_username" = "New username" "settings:label.new_username" = "New username"
"settings:label.two_factor_authentication" = "Two-factor authentication"
"settings:label.change_avatar" = "Change avatar" "settings:label.change_avatar" = "Change avatar"
"settings:label.change_banner" = "Change banner" "settings:label.change_banner" = "Change banner"

73
crates/app/src/public/html/auth/login.html
View file

@ -2,34 +2,68 @@
<title>Login</title> <title>Login</title>
{% endblock %} {% block title %}Login{% endblock %} {% block content %} {% endblock %} {% block title %}Login{% endblock %} {% block content %}
<form class="w-full flex flex-col gap-4" onsubmit="login(event)"> <form class="w-full flex flex-col gap-4" onsubmit="login(event)">
<div class="flex flex-col gap-1"> <div id="flow_1" style="display: contents">
<label for="username"><b>Username</b></label> <div class="flex flex-col gap-1">
<input <label for="username"><b>Username</b></label>
type="text" <input
placeholder="username" type="text"
required placeholder="username"
name="username" required
id="username" name="username"
/> id="username"
/>
</div>
<div class="flex flex-col gap-1">
<label for="username"><b>Password</b></label>
<input
type="password"
placeholder="password"
required
name="password"
id="password"
/>
</div>
</div> </div>
<div class="flex flex-col gap-1"> <div id="flow_2" style="display: none">
<label for="username"><b>Password</b></label> <div class="flex flex-col gap-1">
<input <label for="totp"><b>TOTP code</b></label>
type="password" <input type="text" placeholder="totp code" name="totp" id="totp" />
placeholder="password" </div>
required
name="password"
id="password"
/>
</div> </div>
<button>Submit</button> <button>Submit</button>
</form> </form>
<script> <script>
function login(e) { let flow_page = 1;
function next_page() {
document.getElementById(`flow_${flow_page}`).style.display = "none";
flow_page += 1;
document.getElementById(`flow_${flow_page}`).style.display = "contents";
}
async function login(e) {
e.preventDefault(); e.preventDefault();
if (flow_page === 1) {
// check if we need TOTP
const res = await (
await fetch(
`/api/v1/auth/user/${e.target.username.value}/totp/check`,
)
).json();
trigger("atto::toast", [res.ok ? "success" : "error", res.message]);
if (res.ok && res.payload) {
// user exists AND totp is required
return next_page();
}
}
fetch("/api/v1/auth/login", { fetch("/api/v1/auth/login", {
method: "POST", method: "POST",
headers: { headers: {
@ -38,6 +72,7 @@
body: JSON.stringify({ body: JSON.stringify({
username: e.target.username.value, username: e.target.username.value,
password: e.target.password.value, password: e.target.password.value,
totp: e.target.totp.value,
}), }),
}) })
.then((res) => res.json()) .then((res) => res.json())

2
crates/app/src/public/html/communities/settings.html
View file

@ -416,7 +416,7 @@
// ... // ...
element.innerHTML = `<div class="flex gap-2 flex-wrap" ui_ident="actions"> element.innerHTML = `<div class="flex gap-2 flex-wrap" ui_ident="actions">
<a target="_blank" class="button" href="/api/v1/auth/profile/find/${e.target.uid.value}">Open user profile</a> <a target="_blank" class="button" href="/api/v1/auth/user/find/${e.target.uid.value}">Open user profile</a>
${res.payload.role !== 33 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 33)">Ban</button>` : `<button class="quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Unban</button>`} ${res.payload.role !== 33 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 33)">Ban</button>` : `<button class="quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Unban</button>`}
${res.payload.role !== 65 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 65)">Send to review</button>` : `<button class="green quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Accept join request</button>`} ${res.payload.role !== 65 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 65)">Send to review</button>` : `<button class="green quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Accept join request</button>`}
<button class="red quaternary" onclick="kick_user('${e.target.uid.value}')">Kick</button> <button class="red quaternary" onclick="kick_user('${e.target.uid.value}')">Kick</button>

4
crates/app/src/public/html/components.html
View file

@ -1,7 +1,7 @@
{% macro avatar(username, size="24px", selector_type="username") -%} {% macro avatar(username, size="24px", selector_type="username") -%}
<img <img
title="{{ username }}'s avatar" title="{{ username }}'s avatar"
src="/api/v1/auth/profile/{{ username }}/avatar?selector_type={{ selector_type }}" src="/api/v1/auth/user/{{ username }}/avatar?selector_type={{ selector_type }}"
alt="@{{ username }}" alt="@{{ username }}"
class="avatar shadow" class="avatar shadow"
loading="lazy" loading="lazy"
@ -28,7 +28,7 @@
border_radius="var(--radius)") -%} border_radius="var(--radius)") -%}
<img <img
title="{{ username }}'s banner" title="{{ username }}'s banner"
src="/api/v1/auth/profile/{{ username }}/banner" src="/api/v1/auth/user/{{ username }}/banner"
alt="@{{ username }}'s banner" alt="@{{ username }}'s banner"
class="banner shadow" class="banner shadow"
loading="lazy" loading="lazy"

2
crates/app/src/public/html/mod/audit_log.html
View file

@ -14,7 +14,7 @@
<div class="card-nest"> <div class="card-nest">
<a <a
class="card small flex items-center gap-2 flush" class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.moderator }}" href="/api/v1/auth/user/find/{{ item.moderator }}"
> >
<!-- prettier-ignore --> <!-- prettier-ignore -->
{{ components::avatar(username=item.moderator, selector_type="id") }} {{ components::avatar(username=item.moderator, selector_type="id") }}

2
crates/app/src/public/html/mod/ip_bans.html
View file

@ -14,7 +14,7 @@
<div class="card-nest"> <div class="card-nest">
<a <a
class="card small flex items-center gap-2 flush" class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.moderator }}" href="/api/v1/auth/user/find/{{ item.moderator }}"
> >
<!-- prettier-ignore --> <!-- prettier-ignore -->
{{ components::avatar(username=item.moderator, selector_type="id") }} {{ components::avatar(username=item.moderator, selector_type="id") }}

2
crates/app/src/public/html/mod/reports.html
View file

@ -14,7 +14,7 @@
<div class="card-nest"> <div class="card-nest">
<a <a
class="card small flex items-center gap-2 flush" class="card small flex items-center gap-2 flush"
href="/api/v1/auth/profile/find/{{ item.owner }}" href="/api/v1/auth/user/find/{{ item.owner }}"
> >
<!-- prettier-ignore --> <!-- prettier-ignore -->
{{ components::avatar(username=item.owner, selector_type="id") }} {{ components::avatar(username=item.owner, selector_type="id") }}

10
crates/app/src/public/html/profile/base.html
View file

@ -131,7 +131,7 @@
<script> <script>
globalThis.toggle_follow_user = () => { globalThis.toggle_follow_user = () => {
fetch( fetch(
"/api/v1/auth/profile/{{ profile.id }}/follow", "/api/v1/auth/user/{{ profile.id }}/follow",
{ {
method: "POST", method: "POST",
}, },
@ -155,7 +155,7 @@
} }
fetch( fetch(
"/api/v1/auth/profile/{{ profile.id }}/block", "/api/v1/auth/user/{{ profile.id }}/block",
{ {
method: "POST", method: "POST",
}, },
@ -264,7 +264,7 @@
} }
fetch( fetch(
`/api/v1/auth/profile/{{ profile.id }}/${path}`, `/api/v1/auth/user/{{ profile.id }}/${path}`,
{ {
method: "POST", method: "POST",
headers: { headers: {
@ -295,7 +295,7 @@
} }
fetch( fetch(
"/api/v1/auth/profile/{{ profile.id }}", "/api/v1/auth/user/{{ profile.id }}",
{ {
method: "DELETE", method: "DELETE",
headers: { headers: {
@ -328,7 +328,7 @@
} }
fetch( fetch(
`/api/v1/auth/profile/{{ profile.id }}/role`, `/api/v1/auth/user/{{ profile.id }}/role`,
{ {
method: "POST", method: "POST",
headers: { headers: {

179
crates/app/src/public/html/profile/settings.html
View file

@ -100,6 +100,60 @@
</button> </button>
</form> </form>
</div> </div>
<div class="card-nest" ui_ident="two_factor_authentication">
<div class="card small">
<b>{{ text "settings:label.two_factor_authentication" }}</b>
</div>
<div class="card flex flex-col gap-2">
{% if profile.totp|length == 0 %}
<div id="totp_stuff" style="display: none">
<span
>Scan this QR code in a TOTP authenticator app (like
Google Authenticator):
</span>
<img id="totp_qr" style="max-width: 250px" />
<span>TOTP secret (do NOT share):</span>
<pre id="totp_secret"></pre>
<span
>Recovery codes (STORE SAFELY, these can only be
viewed once):</span
>
<pre id="totp_recovery_codes"></pre>
</div>
<button
class="quaternary green"
onclick="enable_totp(event)"
>
Enable TOTP 2FA
</button>
{% else %}
<pre id="totp_recovery_codes" style="display: none"></pre>
<div class="flex gap-2 flex-wrap">
<button
class="quaternary red"
onclick="refresh_totp_codes(event)"
>
Refresh recovery codes
</button>
<button
class="quaternary red"
onclick="disable_totp(event)"
>
Disable TOTP 2FA
</button>
</div>
{% endif %}
</div>
</div>
</div> </div>
<div class="card-nest" ui_ident="change_password"> <div class="card-nest" ui_ident="change_password">
@ -244,8 +298,7 @@
{% if is_helper %} {% if is_helper %}
<span class="flex gap-2 items-center"> <span class="flex gap-2 items-center">
<span class="fade" <span class="fade"
><a ><a href="/api/v1/auth/user/find_by_ip/{{ token[0] }}"
href="/api/v1/auth/profile/find_by_ip/{{ token[0] }}"
><code>{{ token[0] }}</code></a ><code>{{ token[0] }}</code></a
></span ></span
> >
@ -296,7 +349,7 @@
tokens = new_tokens; tokens = new_tokens;
// send request to save // send request to save
fetch("/api/v1/auth/profile/{{ profile.id }}/tokens", { fetch("/api/v1/auth/user/{{ profile.id }}/tokens", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
@ -313,7 +366,7 @@
}; };
globalThis.save_settings = () => { globalThis.save_settings = () => {
fetch("/api/v1/auth/profile/{{ profile.id }}/settings", { fetch("/api/v1/auth/user/{{ profile.id }}/settings", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
@ -331,7 +384,7 @@
globalThis.change_password = (e) => { globalThis.change_password = (e) => {
e.preventDefault(); e.preventDefault();
fetch("/api/v1/auth/profile/{{ profile.id }}/password", { fetch("/api/v1/auth/user/{{ profile.id }}/password", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
@ -361,7 +414,7 @@
return; return;
} }
fetch("/api/v1/auth/profile/{{ profile.id }}/username", { fetch("/api/v1/auth/user/{{ profile.id }}/username", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
@ -390,7 +443,7 @@
return; return;
} }
fetch("/api/v1/auth/profile/{{ profile.id }}", { fetch("/api/v1/auth/user/{{ profile.id }}", {
method: "DELETE", method: "DELETE",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
@ -454,6 +507,117 @@
alert("Banner upload in progress. Please wait!"); alert("Banner upload in progress. Please wait!");
}; };
globalThis.enable_totp = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this? You must have access to your TOTP codes to disable TOTP.",
]))
) {
return;
}
fetch("/api/v1/auth/user/{{ user.id }}/totp", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
const [secret, qr, recovery_codes] = res.payload;
document.getElementById("totp_secret").innerText =
secret;
document.getElementById("totp_qr").src =
`data:image/png;base64,${qr}`;
document.getElementById(
"totp_recovery_codes",
).innerText = recovery_codes.join("\n");
document.getElementById("totp_stuff").style.display =
"contents";
event.target.remove();
});
};
globalThis.disable_totp = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this?",
]))
) {
return;
}
const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
if (!totp_code) {
return;
}
fetch("/api/v1/auth/user/{{ profile.id }}/totp", {
method: "DELETE",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ totp: totp_code }),
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
event.target.remove();
});
};
globalThis.refresh_totp_codes = async (event) => {
if (
!(await trigger("atto::confirm", [
"Are you sure you want to do this? The old codes will no longer work.",
]))
) {
return;
}
const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
if (!totp_code) {
return;
}
fetch("/api/v1/auth/user/{{ profile.id }}/totp/codes", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ totp: totp_code }),
})
.then((res) => res.json())
.then((res) => {
trigger("atto::toast", [
res.ok ? "success" : "error",
res.message,
]);
document.getElementById(
"totp_recovery_codes",
).innerText = res.payload.join("\n");
document.getElementById(
"totp_recovery_codes",
).style.display = "block";
event.target.remove();
});
};
const account_settings = const account_settings =
document.getElementById("account_settings"); document.getElementById("account_settings");
const profile_settings = const profile_settings =
@ -462,6 +626,7 @@
ui.refresh_container(account_settings, [ ui.refresh_container(account_settings, [
"change_password", "change_password",
"change_username", "change_username",
"two_factor_authentication",
]); ]);
ui.refresh_container(profile_settings, [ ui.refresh_container(profile_settings, [
"theme_preference", "theme_preference",

6
crates/app/src/public/js/atto.js
View file

@ -415,9 +415,7 @@ media_theme_pref();
try { try {
const href = new URL(anchor.href); const href = new URL(anchor.href);
if ( if (href.pathname.startsWith("/api/v1/auth/user/find_by_ip/")) {
href.pathname.startsWith("/api/v1/auth/profile/find_by_ip/")
) {
const ban_button = document.createElement("button"); const ban_button = document.createElement("button");
ban_button.innerText = "Ban IP"; ban_button.innerText = "Ban IP";
ban_button.className = "quaternary red small"; ban_button.className = "quaternary red small";
@ -428,7 +426,7 @@ media_theme_pref();
$.ban_ip( $.ban_ip(
href.pathname.replace( href.pathname.replace(
"/api/v1/auth/profile/find_by_ip/", "/api/v1/auth/user/find_by_ip/",
"", "",
), ),
); );

4
crates/app/src/public/js/me.js
View file

@ -156,7 +156,7 @@
}); });
self.define("seen", () => { self.define("seen", () => {
fetch("/api/v1/auth/profile/me/seen", { fetch("/api/v1/auth/user/me/seen", {
method: "POST", method: "POST",
}) })
.then((res) => res.json()) .then((res) => res.json())
@ -196,7 +196,7 @@
element.innerHTML += `<button class="quaternary w-full justify-start" onclick="trigger('me::login', ['${token[0]}'])"> element.innerHTML += `<button class="quaternary w-full justify-start" onclick="trigger('me::login', ['${token[0]}'])">
<img <img
title="${token[0]}'s avatar" title="${token[0]}'s avatar"
src="/api/v1/auth/profile/${token[0]}/avatar?selector_type=username" src="/api/v1/auth/user/${token[0]}/avatar?selector_type=username"
alt="Avatar image" alt="Avatar image"
class="avatar" class="avatar"
style="--size: 24px" style="--size: 24px"

4
crates/app/src/routes/api/v1/auth/images.rs
View file

@ -43,7 +43,7 @@ pub struct AvatarSelectorQuery {
} }
/// Get a profile's avatar image /// Get a profile's avatar image
/// `/api/v1/auth/profile/{id}/avatar` /// `/api/v1/auth/user/{id}/avatar`
pub async fn avatar_request( pub async fn avatar_request(
Path(selector): Path<String>, Path(selector): Path<String>,
Extension(data): Extension<State>, Extension(data): Extension<State>,
@ -94,7 +94,7 @@ pub async fn avatar_request(
} }
/// Get a profile's banner image /// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner` /// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request( pub async fn banner_request(
Path(username): Path<String>, Path(username): Path<String>,
Extension(data): Extension<State>, Extension(data): Extension<State>,

5
crates/app/src/routes/api/v1/auth/mod.rs
View file

@ -140,6 +140,11 @@ pub async fn login_request(
return (None, Json(Error::IncorrectPassword.into())); return (None, Json(Error::IncorrectPassword.into()));
} }
// verify totp code
if !data.check_totp(&user, &props.totp) {
return (None, Json(Error::NotAllowed.into()));
}
// update tokens // update tokens
let mut new_tokens = user.tokens.clone(); let mut new_tokens = user.tokens.clone();
let (unhashed_token_id, token) = User::create_token(&real_ip); let (unhashed_token_id, token) = User::create_token(&real_ip);

132
crates/app/src/routes/api/v1/auth/profile.rs
View file

@ -1,9 +1,11 @@
use crate::{ use crate::{
State, get_user_from_token, get_user_from_token,
model::{ApiReturn, Error}, model::{ApiReturn, Error},
routes::api::v1::{ routes::api::v1::{
DeleteUser, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole, UpdateUserUsername, DeleteUser, DisableTotp, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole,
UpdateUserUsername,
}, },
State,
}; };
use axum::{ use axum::{
Extension, Json, Extension, Json,
@ -11,9 +13,12 @@ use axum::{
response::{IntoResponse, Redirect}, response::{IntoResponse, Redirect},
}; };
use axum_extra::extract::CookieJar; use axum_extra::extract::CookieJar;
use tetratto_core::model::{ use tetratto_core::{
auth::{Token, UserSettings}, model::{
permissions::FinePermission, auth::{Token, UserSettings},
permissions::FinePermission,
},
DataManager,
}; };
pub async fn redirect_from_id( pub async fn redirect_from_id(
@ -264,3 +269,120 @@ pub async fn delete_user_request(
Err(e) => Json(e.into()), Err(e) => Json(e.into()),
} }
} }
/// Enable TOTP for a user.
pub async fn enable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
match data.enable_totp(id, user).await {
Ok(x) => Json(ApiReturn {
ok: true,
message: "TOTP enabled".to_string(),
payload: Some(x),
}),
Err(e) => Json(e.into()),
}
}
/// Disable TOTP for a user.
pub async fn disable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
match data.update_user_totp(id, &String::new(), &Vec::new()).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "TOTP disabled".to_string(),
payload: (),
}),
Err(e) => Json(e.into()),
}
}
/// Refresh TOTP recovery codes for a user.
pub async fn refresh_totp_codes_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
let recovery_codes = DataManager::generate_totp_recovery_codes();
match data.update_user_totp(id, &user.totp, &recovery_codes).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "Recovery codes refreshed".to_string(),
payload: Some(recovery_codes),
}),
Err(e) => Json(e.into()),
}
}
/// Check if the given user has TOTP enabled.
pub async fn has_totp_enabled_request(
Path(username): Path<String>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match data.get_user_by_username(&username).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
Json(ApiReturn {
ok: true,
message: "User exists".to_string(),
payload: Some(!user.totp.is_empty()),
})
}

2
crates/app/src/routes/api/v1/auth/social.rs
View file

@ -36,7 +36,7 @@ pub async fn follow_request(
.create_notification(Notification::new( .create_notification(Notification::new(
"Somebody has followed you!".to_string(), "Somebody has followed you!".to_string(),
format!( format!(
"You have been followed by [@{}](/api/v1/auth/profile/find/{}).", "You have been followed by [@{}](/api/v1/auth/user/find/{}).",
user.username, user.id user.username, user.id
), ),
id, id,

14
crates/app/src/routes/api/v1/communities/images.rs
View file

@ -57,7 +57,7 @@ pub async fn avatar_request(
} }
/// Get a profile's banner image /// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner` /// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request( pub async fn banner_request(
Path(id): Path<usize>, Path(id): Path<usize>,
Extension(data): Extension<State>, Extension(data): Extension<State>,
@ -120,9 +120,11 @@ pub async fn upload_avatar_request(
Err(e) => return Json(e.into()), Err(e) => return Json(e.into()),
}; };
if auth_user.id != community.owner && !auth_user if auth_user.id != community.owner
&& !auth_user
.permissions .permissions
.check(FinePermission::MANAGE_COMMUNITIES) { .check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into()); return Json(Error::NotAllowed.into());
} }
@ -173,9 +175,11 @@ pub async fn upload_banner_request(
Err(e) => return Json(e.into()), Err(e) => return Json(e.into()),
}; };
if auth_user.id != community.owner && !auth_user if auth_user.id != community.owner
&& !auth_user
.permissions .permissions
.check(FinePermission::MANAGE_COMMUNITIES) { .check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into()); return Json(Error::NotAllowed.into());
} }

62
crates/app/src/routes/api/v1/mod.rs
View file

@ -104,57 +104,58 @@ pub fn routes() -> Router {
post(auth::images::upload_banner_request), post(auth::images::upload_banner_request),
) )
// profile // profile
.route("/auth/user/{id}/avatar", get(auth::images::avatar_request))
.route("/auth/user/{id}/banner", get(auth::images::banner_request))
.route("/auth/user/{id}/follow", post(auth::social::follow_request))
.route("/auth/user/{id}/block", post(auth::social::block_request))
.route( .route(
"/auth/profile/{id}/avatar", "/auth/user/{id}/settings",
get(auth::images::avatar_request),
)
.route(
"/auth/profile/{id}/banner",
get(auth::images::banner_request),
)
.route(
"/auth/profile/{id}/follow",
post(auth::social::follow_request),
)
.route(
"/auth/profile/{id}/block",
post(auth::social::block_request),
)
.route(
"/auth/profile/{id}/settings",
post(auth::profile::update_user_settings_request), post(auth::profile::update_user_settings_request),
) )
.route( .route(
"/auth/profile/{id}/role", "/auth/user/{id}/role",
post(auth::profile::update_user_role_request), post(auth::profile::update_user_role_request),
) )
.route( .route(
"/auth/profile/{id}", "/auth/user/{id}",
delete(auth::profile::delete_user_request), delete(auth::profile::delete_user_request),
) )
.route( .route(
"/auth/profile/{id}/password", "/auth/user/{id}/password",
post(auth::profile::update_user_password_request), post(auth::profile::update_user_password_request),
) )
.route( .route(
"/auth/profile/{id}/username", "/auth/user/{id}/username",
post(auth::profile::update_user_username_request), post(auth::profile::update_user_username_request),
) )
.route( .route(
"/auth/profile/{id}/tokens", "/auth/user/{id}/tokens",
post(auth::profile::update_user_tokens_request), post(auth::profile::update_user_tokens_request),
) )
.route( .route(
"/auth/profile/{id}/verified", "/auth/user/{id}/verified",
post(auth::profile::update_user_is_verified_request), post(auth::profile::update_user_is_verified_request),
) )
.route("/auth/profile/me/seen", post(auth::profile::seen_request))
.route( .route(
"/auth/profile/find/{id}", "/auth/user/{id}/totp",
get(auth::profile::redirect_from_id), post(auth::profile::enable_totp_request),
) )
.route( .route(
"/auth/profile/find_by_ip/{ip}", "/auth/user/{id}/totp",
delete(auth::profile::disable_totp_request),
)
.route(
"/auth/user/{id}/totp/codes",
post(auth::profile::refresh_totp_codes_request),
)
.route(
"/auth/user/{username}/totp/check",
get(auth::profile::has_totp_enabled_request),
)
.route("/auth/user/me/seen", post(auth::profile::seen_request))
.route("/auth/user/find/{id}", get(auth::profile::redirect_from_id))
.route(
"/auth/user/find_by_ip/{ip}",
get(auth::profile::redirect_from_ip), get(auth::profile::redirect_from_ip),
) )
// notifications // notifications
@ -196,6 +197,8 @@ pub fn routes() -> Router {
pub struct LoginProps { pub struct LoginProps {
pub username: String, pub username: String,
pub password: String, pub password: String,
#[serde(default)]
pub totp: String,
} }
#[derive(Deserialize)] #[derive(Deserialize)]
@ -308,3 +311,8 @@ pub struct DeleteUser {
pub struct CreateIpBan { pub struct CreateIpBan {
pub reason: String, pub reason: String,
} }
#[derive(Deserialize)]
pub struct DisableTotp {
pub totp: String,
}

1
crates/core/Cargo.toml
View file

@ -16,6 +16,7 @@ toml = "0.8.20"
tetratto-shared = { path = "../shared" } tetratto-shared = { path = "../shared" }
tetratto-l10n = { path = "../l10n" } tetratto-l10n = { path = "../l10n" }
serde_json = "1.0.140" serde_json = "1.0.140"
totp-rs = { version = "5.6.0", features = ["qr", "gen_secret"] }
redis = { version = "0.29.2", optional = true } redis = { version = "0.29.2", optional = true }

139
crates/core/src/database/auth.rs
View file

@ -9,6 +9,7 @@ use crate::model::{
use crate::{auto_method, execute, get, query_row, params}; use crate::{auto_method, execute, get, query_row, params};
use pathbufd::PathBufD; use pathbufd::PathBufD;
use std::fs::{exists, remove_file}; use std::fs::{exists, remove_file};
use std::usize;
use tetratto_shared::hash::{hash_salted, salt}; use tetratto_shared::hash::{hash_salted, salt};
use tetratto_shared::unix_epoch_timestamp; use tetratto_shared::unix_epoch_timestamp;
@ -42,6 +43,8 @@ impl DataManager {
follower_count: get!(x->10(i32)) as usize, follower_count: get!(x->10(i32)) as usize,
following_count: get!(x->11(i32)) as usize, following_count: get!(x->11(i32)) as usize,
last_seen: get!(x->12(i64)) as usize, last_seen: get!(x->12(i64)) as usize,
totp: get!(x->13(String)),
recovery_codes: serde_json::from_str(&get!(x->14(String)).to_string()).unwrap(),
} }
} }
@ -111,7 +114,7 @@ impl DataManager {
let res = execute!( let res = execute!(
&conn, &conn,
"INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)", "INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)",
params![ params![
&(data.id as i64), &(data.id as i64),
&(data.created as i64), &(data.created as i64),
@ -126,6 +129,8 @@ impl DataManager {
&(0 as i32), &(0 as i32),
&(0 as i32), &(0 as i32),
&(data.last_seen as i64), &(data.last_seen as i64),
&String::new(),
&"[]"
] ]
); );
@ -414,6 +419,138 @@ impl DataManager {
Ok(()) Ok(())
} }
/// Validate a given TOTP code for the given profile.
pub fn check_totp(&self, ua: &User, code: &str) -> bool {
let totp = ua.totp(Some(
self.0
.banned_hosts
.get(0)
.unwrap_or(&"https://tetratto.com".to_string())
.replace("http://", "")
.replace("https://", "")
.replace(":", "_"),
));
if let Some(totp) = totp {
return !code.is_empty()
&& (totp.check_current(code).unwrap()
| ua.recovery_codes.contains(&code.to_string()));
}
true
}
/// Generate 8 random recovery codes for TOTP.
pub fn generate_totp_recovery_codes() -> Vec<String> {
let mut out: Vec<String> = Vec::new();
for _ in 0..9 {
out.push(salt())
}
out
}
/// Update the profile's TOTP secret.
///
/// # Arguments
/// * `id` - the ID of the user
/// * `secret` - the TOTP secret
/// * `recovery` - the TOTP recovery codes
pub async fn update_user_totp(
&self,
id: usize,
secret: &str,
recovery: &Vec<String>,
) -> Result<()> {
let user = self.get_user_by_id(id).await?;
// update
let conn = match self.connect().await {
Ok(c) => c,
Err(e) => return Err(Error::DatabaseConnection(e.to_string())),
};
let res = execute!(
&conn,
"UPDATE users SET totp = $1, recovery_codes = $2 WHERE id = $3",
params![
&secret,
&serde_json::to_string(recovery).unwrap(),
&(id as i64)
]
);
if let Err(e) = res {
return Err(Error::DatabaseError(e.to_string()));
}
self.cache_clear_user(&user).await;
Ok(())
}
/// Enable TOTP for a profile.
///
/// # Arguments
/// * `id` - the ID of the user to enable TOTP for
/// * `user` - the user doing this
///
/// # Returns
/// `Result<(secret, qr base64)>`
pub async fn enable_totp(
&self,
id: usize,
user: User,
) -> Result<(String, String, Vec<String>)> {
let other_user = self.get_user_by_id(id).await?;
if other_user.id != user.id {
if other_user.permissions.check(FinePermission::MANAGE_USERS) {
// create audit log entry
self.create_audit_log_entry(AuditLogEntry::new(
user.id,
format!("invoked `enable_totp` with x value `{}`", other_user.id,),
))
.await?;
} else {
return Err(Error::NotAllowed);
}
}
let secret = totp_rs::Secret::default().to_string();
let recovery = Self::generate_totp_recovery_codes();
self.update_user_totp(id, &secret, &recovery).await?;
// fetch profile again (with totp information)
let other_user = self.get_user_by_id(id).await?;
// get totp
let totp = other_user.totp(Some(
self.0
.banned_hosts
.get(0)
.unwrap_or(&"https://tetratto.com".to_string())
.replace("http://", "")
.replace("https://", "")
.replace(":", "_"),
));
if totp.is_none() {
return Err(Error::MiscError("Failed to get TOTP code".to_string()));
}
let totp = totp.unwrap();
// generate qr
let qr = match totp.get_qr_base64() {
Ok(q) => q,
Err(e) => return Err(Error::MiscError(e.to_string())),
};
// return
Ok((secret, qr, recovery))
}
pub async fn cache_clear_user(&self, user: &User) { pub async fn cache_clear_user(&self, user: &User) {
self.2.remove(format!("atto.user:{}", user.id)).await; self.2.remove(format!("atto.user:{}", user.id)).await;
self.2.remove(format!("atto.user:{}", user.username)).await; self.2.remove(format!("atto.user:{}", user.username)).await;

29
crates/core/src/database/communities.rs
View file

@ -168,20 +168,27 @@ impl DataManager {
} }
// check number of communities // check number of communities
let memberships = self.get_memberships_by_owner(data.owner).await?; let owner = self.get_user_by_id(data.owner).await?;
let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
for membership in memberships { if !owner
if membership.role.check(CommunityPermission::ADMINISTRATOR) { .permissions
admin_count += 1; .check(FinePermission::INFINITE_COMMUNITIES)
{
let memberships = self.get_memberships_by_owner(data.owner).await?;
let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
for membership in memberships {
if membership.role.check(CommunityPermission::ADMINISTRATOR) {
admin_count += 1;
}
} }
}
if admin_count >= 5 { if admin_count >= 5 {
return Err(Error::MiscError( return Err(Error::MiscError(
"You are already owner/co-owner of too many communities to create another" "You are already owner/co-owner of too many communities to create another"
.to_string(), .to_string(),
)); ));
}
} }
// make sure community doesn't already exist with title // make sure community doesn't already exist with title

2
crates/core/src/database/memberships.rs
View file

@ -163,7 +163,7 @@ impl DataManager {
self.create_notification(Notification::new( self.create_notification(Notification::new(
"You've received a community join request!".to_string(), "You've received a community join request!".to_string(),
format!( format!(
"[Somebody](/api/v1/auth/profile/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).", "[Somebody](/api/v1/auth/user/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).",
data.owner, data.community, data.community, data.owner data.owner, data.community, data.community, data.owner
), ),
community.owner, community.owner,

6
crates/core/src/database/posts.rs
View file

@ -367,7 +367,7 @@ impl DataManager {
self.create_notification(Notification::new( self.create_notification(Notification::new(
"You've been mentioned in a post!".to_string(), "You've been mentioned in a post!".to_string(),
format!( format!(
"[Somebody](/api/v1/auth/profile/find/{}) mentioned you in their [post](/post/{}).", "[Somebody](/api/v1/auth/user/find/{}) mentioned you in their [post](/post/{}).",
data.owner, data.id data.owner, data.id
), ),
user.id, user.id,
@ -380,7 +380,7 @@ impl DataManager {
data.content = data.content.replace( data.content = data.content.replace(
&format!("@{username}"), &format!("@{username}"),
&format!("[@{username}](/api/v1/auth/profile/find/{})", user.id), &format!("[@{username}](/api/v1/auth/user/find/{})", user.id),
); );
} }
@ -427,7 +427,7 @@ impl DataManager {
self.create_notification(Notification::new( self.create_notification(Notification::new(
"Your post has received a new comment!".to_string(), "Your post has received a new comment!".to_string(),
format!( format!(
"[@{}](/api/v1/auth/profile/find/{}) has commented on your [post](/post/{}).", "[@{}](/api/v1/auth/user/find/{}) has commented on your [post](/post/{}).",
owner.username, owner.id, rt.id owner.username, owner.id, rt.id
), ),
rt.owner, rt.owner,

4
crates/core/src/database/reactions.rs
View file

@ -107,7 +107,7 @@ impl DataManager {
.create_notification(Notification::new( .create_notification(Notification::new(
"Your community has received a like!".to_string(), "Your community has received a like!".to_string(),
format!( format!(
"[@{}](/api/v1/auth/profile/find/{}) has liked your [community](/api/v1/communities/find/{})!", "[@{}](/api/v1/auth/user/find/{}) has liked your [community](/api/v1/communities/find/{})!",
user.username, user.id, community.id user.username, user.id, community.id
), ),
community.owner, community.owner,
@ -136,7 +136,7 @@ impl DataManager {
.create_notification(Notification::new( .create_notification(Notification::new(
"Your post has received a like!".to_string(), "Your post has received a like!".to_string(),
format!( format!(
"[@{}](/api/v1/auth/profile/find/{}) has liked your post!", "[@{}](/api/v1/auth/user/find/{}) has liked your post!",
user.username, user.id user.username, user.id
), ),
post.owner, post.owner,

29
crates/core/src/model/auth.rs
View file

@ -1,5 +1,6 @@
use super::permissions::FinePermission; use super::permissions::FinePermission;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use totp_rs::TOTP;
use tetratto_shared::{ use tetratto_shared::{
hash::{hash_salted, salt}, hash::{hash_salted, salt},
snow::AlmostSnowflake, snow::AlmostSnowflake,
@ -24,6 +25,12 @@ pub struct User {
pub follower_count: usize, pub follower_count: usize,
pub following_count: usize, pub following_count: usize,
pub last_seen: usize, pub last_seen: usize,
/// The TOTP secret for this profile. An empty value means the user has TOTP disabled.
#[serde(default)]
pub totp: String,
/// The TOTP recovery codes for this profile.
#[serde(default)]
pub recovery_codes: Vec<String>,
} }
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
@ -100,6 +107,8 @@ impl User {
follower_count: 0, follower_count: 0,
following_count: 0, following_count: 0,
last_seen: unix_epoch_timestamp() as usize, last_seen: unix_epoch_timestamp() as usize,
totp: String::new(),
recovery_codes: Vec::new(),
} }
} }
@ -184,6 +193,26 @@ impl User {
// return // return
out out
} }
/// Get a [`TOTP`] from the profile's `totp` secret value.
pub fn totp(&self, issuer: Option<String>) -> Option<TOTP> {
if self.totp.is_empty() {
return None;
}
match TOTP::new(
totp_rs::Algorithm::SHA1,
6,
1,
30,
self.totp.as_bytes().to_owned(),
Some(issuer.unwrap_or("tetratto!".to_string())),
self.username.clone(),
) {
Ok(t) => Some(t),
Err(_) => None,
}
}
} }
#[derive(Debug, Serialize, Deserialize)] #[derive(Debug, Serialize, Deserialize)]

1
crates/core/src/model/permissions.rs
View file

@ -26,6 +26,7 @@ bitflags! {
const MANAGE_AUDITLOG = 1 << 15; const MANAGE_AUDITLOG = 1 << 15;
const MANAGE_REPORTS = 1 << 16; const MANAGE_REPORTS = 1 << 16;
const BANNED = 1 << 17; const BANNED = 1 << 17;
const INFINITE_COMMUNITIES = 1 << 18;
const _ = !0; const _ = !0;
} }

2
crates/shared/Cargo.toml
View file

@ -9,7 +9,7 @@ license.workspace = true
[dependencies] [dependencies]
ammonia = "4.0.0" ammonia = "4.0.0"
chrono = "0.4.40" chrono = "0.4.40"
comrak = "0.36.0" comrak = "0.37.0"
hex_fmt = "0.3.0" hex_fmt = "0.3.0"
num-bigint = "0.4.6" num-bigint = "0.4.6"
rand = "0.9.0" rand = "0.9.0"

5
sql_upgrades/totp.sql Normal file
View file

@ -0,0 +1,5 @@
ALTER TABLE users
ADD COLUMN totp TEXT DEFAULT '';
ALTER TABLE users
ADD COLUMN recovery_codes TEXT DEFAULT '[]';