From e357c0caeaad6f4daabd3be49e222ef521b2707c Mon Sep 17 00:00:00 2001 From: Jesusaves Date: Sun, 9 May 2021 20:36:38 -0300 Subject: (untested) extend login table to allow 2FA activation (method itself still unsupported) --- src/routers/vault/middlewares/account.js | 6 ++++++ src/routers/vault/middlewares/session.js | 2 ++ src/routers/vault/models/vault/login.js | 6 ++++++ src/routers/vault/types/Session.js | 5 +++++ 4 files changed, 19 insertions(+) diff --git a/src/routers/vault/middlewares/account.js b/src/routers/vault/middlewares/account.js index 5a5fa85..93c6fc8 100644 --- a/src/routers/vault/middlewares/account.js +++ b/src/routers/vault/middlewares/account.js @@ -28,6 +28,7 @@ const update_account = async (req, res, next) => { primary: +validate.get_prop(req, "primary"), allow: validate.get_prop(req, "allow") === "true", strict: validate.get_prop(req, "strict") === "true", + 2fa: validate.get_prop(req, "2fa") === "true", }; const update_fields = {}; @@ -62,6 +63,10 @@ const update_account = async (req, res, next) => { // update allow non-primary update_fields.strictIPCheck = data.strict; } + if (session.allow2FA !== data.2fa) { + // update allow 2FA auth + update_fields.allow2FA = data.2fa; + } // update SQL if (Object.keys(update_fields).length) { @@ -73,6 +78,7 @@ const update_account = async (req, res, next) => { // now update our cache session.allowNonPrimary = data.allow; session.strictIPCheck = data.strict; + session.allow2FA = data.allow2FA; for (const ident of session.identities) { if (ident.id === session.primaryIdentity.id) { diff --git a/src/routers/vault/middlewares/session.js b/src/routers/vault/middlewares/session.js index 71db21c..2c3b6b8 100644 --- a/src/routers/vault/middlewares/session.js +++ b/src/routers/vault/middlewares/session.js @@ -156,6 +156,7 @@ const auth_session = async (req, res) => { session.primaryIdentity = ident; session.allowNonPrimary = user.allowNonPrimary; session.strictIPCheck = user.strictIPCheck; + session.allow2FA = user.allow2FA; session.identities.push(ident); } else { if (session.identity !== session.primaryIdentity && !session.allowNonPrimary) { @@ -351,6 +352,7 @@ const new_session = async (req, res, next) => { session.primaryIdentity = primary; session.allowNonPrimary = account.allowNonPrimary; session.strictIPCheck = account.strictIPCheck; + session.allow2FA = account.allow2FA; session.identity = identity; req.app.locals.session.set(uuid, session); diff --git a/src/routers/vault/models/vault/login.js b/src/routers/vault/models/vault/login.js index 2167376..32b6c42 100644 --- a/src/routers/vault/models/vault/login.js +++ b/src/routers/vault/models/vault/login.js @@ -23,6 +23,12 @@ module.exports = { defaultValue: false, allowNull: false, }, + allow2FA: { + field: "allow_2fa_login", + type: Sequelize.BOOLEAN, + defaultValue: false, + allowNull: false, + }, creationDate: { type: Sequelize.DATE, allowNull: false, diff --git a/src/routers/vault/types/Session.js b/src/routers/vault/types/Session.js index d1b3943..e7b44ca 100644 --- a/src/routers/vault/types/Session.js +++ b/src/routers/vault/types/Session.js @@ -75,6 +75,10 @@ module.exports = class Session { * refuse to authenticate a session with a different IP */ strictIPCheck = true; + /** + * allow to authenticate a session with 2FA + PBKDF2 password + */ + allow2FA = false; constructor (ip, email) { this.ip = ip; @@ -109,6 +113,7 @@ module.exports = class Session { primaryIdentity: this.primaryIdentity.id, allowNonPrimary: this.allowNonPrimary, strictIPCheck: this.strictIPCheck, + allow2FA: this.allow2FA, vaultId: this.vault, }; } -- cgit v1.2.3-60-g2f50