Enable Email as a MFA method/option (#68)

This adds Email as a multi-factor authentication method/option. It reuses the `VerificationCode` for the code generation and validation.

It also refactors the email templating for easier repurposing.

Finally, it has a small Deno version bump.

Closes #25

routes/api/auth/multi-factor/disable.ts

@@ -4,10 +4,7 @@ import { FreshContextState } from '/lib/types.ts';
 import { PASSWORD_SALT } from '/lib/auth.ts';
 import { generateHash } from '/lib/utils/misc.ts';
 import { UserModel } from '/lib/models/user.ts';
-import {
-  getMultiFactorAuthMethodByIdFromUser,
-  getMultiFactorAuthMethodsFromUser,
-} from '/lib/utils/multi-factor-auth.ts';
+import { getMultiFactorAuthMethodByIdFromUser } from '/lib/utils/multi-factor-auth.ts';
 import { AppConfig } from '/lib/config.ts';
 import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
 
@@ -85,7 +82,6 @@ export const handler: Handlers<unknown, FreshContextState> = {
       return new Response(JSON.stringify(responseBody), { status: 400 });
     }
 
-    const methods = getMultiFactorAuthMethodsFromUser(user);
     const method = getMultiFactorAuthMethodByIdFromUser(user, methodId);
 
     if (!method) {

routes/api/auth/multi-factor/email/setup.ts

@@ -0,0 +1,58 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { FreshContextState } from '/lib/types.ts';
+import { UserModel } from '/lib/models/user.ts';
+import { AppConfig } from '/lib/config.ts';
+import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
+import { EmailModel } from '/lib/models/multi-factor-auth/email.ts';
+
+export interface RequestBody {}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+  data?: {
+    methodId: string;
+  };
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Multi-factor authentication is not enabled on this server',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const { user } = context.state;
+
+    const methodId = MultiFactorAuthModel.generateMethodId();
+    const setup = await EmailModel.createMethod(methodId, 'Email', user);
+
+    if (!user.extra.multi_factor_auth_methods) {
+      user.extra.multi_factor_auth_methods = [];
+    }
+
+    user.extra.multi_factor_auth_methods.push(setup.method);
+
+    await UserModel.update(user);
+
+    const responseData: ResponseBody = {
+      success: true,
+      data: {
+        methodId: setup.method.id,
+      },
+    };
+
+    return new Response(JSON.stringify(responseData));
+  },
+};

routes/api/auth/multi-factor/enable.ts

@@ -3,6 +3,7 @@ import { Handlers } from 'fresh/server.ts';
 import { FreshContextState } from '/lib/types.ts';
 import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
 import { TOTPModel } from '/lib/models/multi-factor-auth/totp.ts';
+import { EmailModel } from '/lib/models/multi-factor-auth/email.ts';
 import { getMultiFactorAuthMethodByIdFromUser } from '/lib/utils/multi-factor-auth.ts';
 import { UserModel } from '/lib/models/user.ts';
 import { AppConfig } from '/lib/config.ts';
@@ -115,6 +116,25 @@ export const handler: Handlers<unknown, FreshContextState> = {
 
         return new Response(JSON.stringify(responseBody), { status: 400 });
       }
+    } else if (method.type === 'email') {
+      try {
+        const isValid = await EmailModel.verifyCode(method.id, code, user);
+        if (!isValid) {
+          const responseBody: ResponseBody = {
+            success: false,
+            error: 'Invalid verification code',
+          };
+
+          return new Response(JSON.stringify(responseBody), { status: 400 });
+        }
+      } catch {
+        const responseBody: ResponseBody = {
+          success: false,
+          error: 'Failed to verify email verification code',
+        };
+
+        return new Response(JSON.stringify(responseBody), { status: 500 });
+      }
     }
 
     MultiFactorAuthModel.enableMethodForUser(user, methodId);

routes/mfa-verify.tsx

@@ -11,6 +11,7 @@ import {
   isMultiFactorAuthEnabledForUser,
 } from '/lib/utils/multi-factor-auth.ts';
 import { TOTPModel } from '/lib/models/multi-factor-auth/totp.ts';
+import { EmailModel } from '/lib/models/multi-factor-auth/email.ts';
 import MultiFactorAuthVerifyForm from '/components/auth/MultiFactorAuthVerifyForm.tsx';
 
 interface Data {
@@ -21,7 +22,6 @@ interface Data {
   email?: string;
   redirectUrl?: string;
   availableMethods?: MultiFactorAuthMethodType[];
-  hasPasskey?: boolean;
 }
 
 export const handler: Handlers<Data, FreshContextState> = {
@@ -49,13 +49,11 @@ export const handler: Handlers<Data, FreshContextState> = {
 
     const enabledMethods = getEnabledMultiFactorAuthMethodsFromUser(user);
     const availableMethods = enabledMethods.map((method) => method.type);
-    const hasPasskey = availableMethods.includes('passkey');
 
     return await context.render({
       email: user.email,
       redirectUrl,
       availableMethods,
-      hasPasskey,
     });
   },
   async POST(request, context) {
@@ -82,35 +80,49 @@ export const handler: Handlers<Data, FreshContextState> = {
 
     const enabledMethods = getEnabledMultiFactorAuthMethodsFromUser(user);
     const availableMethods = enabledMethods.map((method) => method.type);
-    const hasPasskey = availableMethods.includes('passkey');
 
     try {
       const formData = await request.formData();
+      const code = getFormDataField(formData, 'code');
       const token = getFormDataField(formData, 'token');
 
-      if (!token) {
-        throw new Error('Authentication token is required');
+      if (!code && !token) {
+        throw new Error('Authentication code/token is required');
       }
 
       let isValid = false;
       let updateUser = false;
 
-      // Passkey verification is handled in a separate process
       for (const method of enabledMethods) {
-        const verification = await TOTPModel.verifyMethodToken(method.metadata, token);
-        if (verification.isValid) {
-          isValid = true;
+        // Passkey verification is handled in a separate process
+        if (method.type === 'passkey') {
+          continue;
+        }
 
-          if (verification.remainingCodes && method.type === 'totp' && method.metadata.totp) {
-            method.metadata.totp.hashed_backup_codes = verification.remainingCodes;
-            updateUser = true;
+        if (method.type === 'totp') {
+          const verification = await TOTPModel.verifyMethodToken(method.metadata, token);
+          if (verification.isValid) {
+            isValid = true;
+
+            if (verification.remainingCodes && method.type === 'totp' && method.metadata.totp) {
+              method.metadata.totp.hashed_backup_codes = verification.remainingCodes;
+              updateUser = true;
+            }
+            break;
+          }
+        }
+
+        if (method.type === 'email') {
+          const verification = await EmailModel.verifyCode(method.id, code, user);
+          if (verification) {
+            isValid = true;
+            break;
           }
-          break;
         }
       }
 
       if (!isValid) {
-        throw new Error('Invalid authentication token or backup code');
+        throw new Error('Invalid authentication code/token or backup code');
       }
 
       if (updateUser) {
@@ -129,7 +141,6 @@ export const handler: Handlers<Data, FreshContextState> = {
         email: user.email,
         redirectUrl,
         availableMethods,
-        hasPasskey,
       });
     }
   },