Add Optional 2FA Support (#61)

* Add TOTP MFA Support * Add Passkey MFA Support It's not impossible I missed some minor cleanup, but most things make sense and there isn't a lot of obvious duplication anymore. --------- Co-authored-by: Bruno Bernardino <me@brunobernardino.com>
2025-05-29 12:30:28 -04:00
parent 2a77915630
commit 455a7201e9
28 changed files with 2361 additions and 40 deletions
--- a/routes/api/auth/multi-factor/disable.ts
+++ b/routes/api/auth/multi-factor/disable.ts
@@ -0,0 +1,119 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { FreshContextState } from '/lib/types.ts';
+import { PASSWORD_SALT } from '/lib/auth.ts';
+import { generateHash } from '/lib/utils/misc.ts';
+import { UserModel } from '/lib/models/user.ts';
+import {
+  getMultiFactorAuthMethodByIdFromUser,
+  getMultiFactorAuthMethodsFromUser,
+} from '/lib/utils/multi-factor-auth.ts';
+import { AppConfig } from '/lib/config.ts';
+import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
+
+export interface RequestBody {
+  methodId?: string;
+  password: string;
+  disableAll?: boolean;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Multi-factor authentication is not enabled on this server',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const { user } = context.state;
+
+    const body = await request.clone().json() as RequestBody;
+    const { methodId, password, disableAll } = body;
+
+    if (!password) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Password is required',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const hashedPassword = await generateHash(`${password}:${PASSWORD_SALT}`, 'SHA-256');
+
+    if (user.hashed_password !== hashedPassword) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Invalid password',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    if (disableAll) {
+      user.extra.multi_factor_auth_methods = [];
+
+      await UserModel.update(user);
+
+      const responseBody: ResponseBody = {
+        success: true,
+      };
+
+      return new Response(JSON.stringify(responseBody));
+    }
+
+    if (!methodId) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Method ID is required when not disabling all methods',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const methods = getMultiFactorAuthMethodsFromUser(user);
+    const method = getMultiFactorAuthMethodByIdFromUser(user, methodId);
+
+    if (!method) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Multi-factor authentication method not found',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 404 });
+    }
+
+    if (!method.enabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Multi-factor authentication method is not enabled',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    MultiFactorAuthModel.disableMethodFromUser(user, methodId);
+
+    await UserModel.update(user);
+
+    const responseBody: ResponseBody = {
+      success: true,
+    };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};