authorJesusaves <cpntb1@ymail.com>2021-05-09 20:36:38 -0300
committerJesusaves <cpntb1@ymail.com>2021-05-09 20:36:38 -0300
commite357c0caeaad6f4daabd3be49e222ef521b2707c (patch)
tree224ae976331e1fc2450c68a93470e430059b5627
parent126cd33af0fca8051eb9ecc357adcd2f11b7eed8 (diff)
(untested) extend login table to allow 2FA activation (method itself still unsupported)
-rw-r--r--src/routers/vault/middlewares/account.js6
-rw-r--r--src/routers/vault/middlewares/session.js2
-rw-r--r--src/routers/vault/models/vault/login.js6
-rw-r--r--src/routers/vault/types/Session.js5
4 files changed, 19 insertions, 0 deletions
diff --git a/src/routers/vault/middlewares/account.js b/src/routers/vault/middlewares/account.js
index 5a5fa85..93c6fc8 100644
--- a/src/routers/vault/middlewares/account.js
+++ b/src/routers/vault/middlewares/account.js
@@ -28,6 +28,7 @@ const update_account = async (req, res, next) => {
primary: +validate.get_prop(req, "primary"),
allow: validate.get_prop(req, "allow") === "true",
strict: validate.get_prop(req, "strict") === "true",
+ 2fa: validate.get_prop(req, "2fa") === "true",
};
const update_fields = {};
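Review bot: The new key `2fa:` in the `data` literal is not valid JavaScript, because a bare property name cannot start with a digit, so account.js should fail to parse. The same holds for `data.2fa` in the second hunk (the `session.allow2FA !== data.2fa` check and the assignment under it). Keep the wire name but use a legal property name, e.g. `allow2FA: validate.get_prop(req, "2fa") === "true",`, and compare against `data.allow2FA`. Separately, a request that omits `2fa` is read as `false`, so a client that does not send the field would switch the flag off; consider leaving the stored value untouched when the parameter is absent. update_account's body continues outside the hunk.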
@@ -62,6 +63,10 @@ const update_account = async (req, res, next) => {
// update allow non-primary
update_fields.strictIPCheck = data.strict;
}
+ if (session.allow2FA !== data.2fa) {
+ // update allow 2FA auth
+ update_fields.allow2FA = data.2fa;
+ }
// update SQL
if (Object.keys(update_fields).length) {
@@ -73,6 +78,7 @@ const update_account = async (req, res, next) => {
// now update our cache
session.allowNonPrimary = data.allow;
session.strictIPCheck = data.strict;
+ session.allow2FA = data.allow2FA;
for (const ident of session.identities) {
if (ident.id === session.primaryIdentity.id) {
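Review bot: `session.allow2FA = data.allow2FA;` reads a property the `data` object never defines, since the first hunk stores the value under the key `2fa`, so the cached flag becomes `undefined` after every update regardless of what was written to the database. For a security setting the cached session and the stored row should not drift apart. Read the same key the object literal populates, e.g. `session.allow2FA = data["2fa"];` if the key is quoted there. The function starts and ends outside the hunk, so whether this line runs only after a successful SQL update cannot be confirmed from here.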
diff --git a/src/routers/vault/middlewares/session.js b/src/routers/vault/middlewares/session.js
index 71db21c..2c3b6b8 100644
--- a/src/routers/vault/middlewares/session.js
+++ b/src/routers/vault/middlewares/session.js
@@ -156,6 +156,7 @@ const auth_session = async (req, res) => {
session.primaryIdentity = ident;
session.allowNonPrimary = user.allowNonPrimary;
session.strictIPCheck = user.strictIPCheck;
+ session.allow2FA = user.allow2FA;
session.identities.push(ident);
} else {
if (session.identity !== session.primaryIdentity && !session.allowNonPrimary) {
@@ -351,6 +352,7 @@ const new_session = async (req, res, next) => {
session.primaryIdentity = primary;
session.allowNonPrimary = account.allowNonPrimary;
session.strictIPCheck = account.strictIPCheck;
+ session.allow2FA = account.allow2FA;
session.identity = identity;
req.app.locals.session.set(uuid, session);
diff --git a/src/routers/vault/models/vault/login.js b/src/routers/vault/models/vault/login.js
index 2167376..32b6c42 100644
--- a/src/routers/vault/models/vault/login.js
+++ b/src/routers/vault/models/vault/login.js
@@ -23,6 +23,12 @@ module.exports = {
defaultValue: false,
allowNull: false,
},
+ allow2FA: {
+ field: "allow_2fa_login",
+ type: Sequelize.BOOLEAN,
+ defaultValue: false,
+ allowNull: false,
+ },
creationDate: {
type: Sequelize.DATE,
allowNull: false,
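Review bot: The `allow2FA` attribute maps to a new `allow_2fa_login` column with `allowNull: false`, but none of the four files in this commit adds that column to the existing login table. Unless the schema is synced or migrated elsewhere, queries on this model would presumably reference a column that does not exist, which would break login itself rather than just the new setting. Ship the migration with this change, or record where it lives in a comment such as `// column added by migration <MIGRATION_NAME>`.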
diff --git a/src/routers/vault/types/Session.js b/src/routers/vault/types/Session.js
index d1b3943..e7b44ca 100644
--- a/src/routers/vault/types/Session.js
+++ b/src/routers/vault/types/Session.js
@@ -75,6 +75,10 @@ module.exports = class Session {
* refuse to authenticate a session with a different IP
*/
strictIPCheck = true;
+ /**
+ * allow to authenticate a session with 2FA + PBKDF2 password
+ */
+ allow2FA = false;
constructor (ip, email) {
this.ip = ip;
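Review bot: The doc comment on `allow2FA` reads as if the flag already governs authentication, while the commit message says the 2FA method is still unsupported and no hunk here checks the flag during login. State that in the comment so nobody takes `allow2FA = true` as a sign that a second factor is enforced, e.g. `* opt-in flag for 2FA + PBKDF2 password login; stored only, not yet checked by any auth path`. The class body continues outside the hunk.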
@@ -109,6 +113,7 @@ module.exports = class Session {
primaryIdentity: this.primaryIdentity.id,
allowNonPrimary: this.allowNonPrimary,
strictIPCheck: this.strictIPCheck,
+ allow2FA: this.allow2FA,
vaultId: this.vault,
};
}