feat: save settings required 2fa if enabled otp

2025-05-11 02:15:48 +02:00 · 2024-07-26 17:56:45 +08:00 · 2024-07-26 17:56:45 +08:00 · 11c733547f
commit 11c733547f
parent d0af8bd427
5 changed files with 218 additions and 190 deletions
--- a/api/settings/router.go
+++ b/api/settings/router.go
@ -1,13 +1,14 @@
 package settings

 import (
+	"github.com/0xJacky/Nginx-UI/internal/middleware"
 	"github.com/gin-gonic/gin"
 )

 func InitRouter(r *gin.RouterGroup) {
 	r.GET("settings/server/name", GetServerName)
 	r.GET("settings", GetSettings)
-	r.POST("settings", SaveSettings)
+	r.POST("settings", middleware.RequireSecureSession(), SaveSettings)

 	r.GET("settings/auth/banned_ips", GetBanLoginIP)
 	r.DELETE("settings/auth/banned_ip", RemoveBannedIP)
--- a/api/user/otp.go
+++ b/api/user/otp.go
@ -171,10 +171,33 @@ func OTPStatus(c *gin.Context) {
 }

 func SecureSessionStatus(c *gin.Context) {
-	// if you can visit this endpoint, you are already in a secure session
+    cUser := api.CurrentUser(c)
+    if !cUser.EnabledOTP() {
+        c.JSON(http.StatusOK, gin.H{
+            "status": false,
+        })
+        return
+    }
+    ssid := c.GetHeader("X-Secure-Session-ID")
+    if ssid == "" {
+        ssid = c.Query("X-Secure-Session-ID")
+    }
+    if ssid == "" {
+        c.JSON(http.StatusOK, gin.H{
+            "status": false,
+        })
+        return
+    }
+
+    if user.VerifySecureSessionID(ssid, cUser.ID) {
        c.JSON(http.StatusOK, gin.H{
            "status": true,
        })
+        return
+    }
+    c.JSON(http.StatusOK, gin.H{
+        "status": false,
+    })
 }

 func StartSecure2FASession(c *gin.Context) {
--- a/api/user/router.go
+++ b/api/user/router.go
@ -1,7 +1,6 @@
 package user

 import (
-    "github.com/0xJacky/Nginx-UI/internal/middleware"
    "github.com/gin-gonic/gin"
 )

@ -27,7 +26,6 @@ func InitUserRouter(r *gin.RouterGroup) {
 	r.POST("/otp_enroll", EnrollTOTP)
 	r.POST("/otp_reset", ResetOTP)

-    r.GET("/otp_secure_session_status",
-        middleware.RequireSecureSession(), SecureSessionStatus)
+    r.GET("/otp_secure_session_status", SecureSessionStatus)
 	r.POST("/otp_secure_session", StartSecure2FASession)
 }
--- a/app/src/components/OTP/useOTPModal.ts
+++ b/app/src/components/OTP/useOTPModal.ts
@ -23,6 +23,7 @@ const useOTPModal = () => {

  const open = async (): Promise<string> => {
    const { status } = await otp.status()
+    const { status: secureSessionStatus } = await otp.secure_session_status()

    return new Promise((resolve, reject) => {
      if (!status) {
@ -33,13 +34,12 @@ const useOTPModal = () => {

      const cookies = useCookies(['nginx-ui-2fa'])
      const ssid = cookies.get('secure_session_id')
-      if (ssid) {
+      if (ssid && secureSessionStatus) {
        resolve(ssid)
        secureSessionId.value = ssid

        return
      }
-
      injectStyles()
      let container: HTMLDivElement | null = document.createElement('div')
      document.body.appendChild(container)
@ -51,11 +51,11 @@ const useOTPModal = () => {
      }

      const verify = (passcode: string, recovery: string) => {
-        otp.start_secure_session(passcode, recovery).then(r => {
+        otp.start_secure_session(passcode, recovery).then(async r => {
          cookies.set('secure_session_id', r.session_id, { maxAge: 60 * 3 })
-          resolve(r.session_id)
          close()
          secureSessionId.value = r.session_id
+          resolve(r.session_id)
        }).catch(async () => {
          refOTPAuthorization.value?.clearInput()
          await message.error($gettext('Invalid passcode or recovery code'))
--- a/app/src/views/preference/Preference.vue
+++ b/app/src/views/preference/Preference.vue
@ -11,6 +11,7 @@ import type { Settings } from '@/views/preference/typedef'
 import LogrotateSettings from '@/views/preference/LogrotateSettings.vue'
 import { useSettingsStore } from '@/pinia'
 import AuthSettings from '@/views/preference/AuthSettings.vue'
+import useOTPModal from '@/components/OTP/useOTPModal'

 const data = ref<Settings>({
  server: {
@ -66,6 +67,10 @@ const refAuthSettings = ref()
 async function save() {
  // fix type
  data.value.server.http_challenge_port = data.value.server.http_challenge_port.toString()
+
+  const otpModal = useOTPModal()
+
+  otpModal.open().then(() => {
    settings.save(data.value).then(r => {
      if (!settingsStore.is_remote)
        server_name.value = r?.server?.name ?? ''
@ -77,6 +82,7 @@ async function save() {
      errors.value = e.errors
      message.error(e?.message ?? $gettext('Server error'))
    })
+  })
 }

 provide('data', data)