mirrors/nginx-ui
1
0
Fork 0
mirror of https://github.com/0xJacky/nginx-ui.git synced 2025-05-12 10:55:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

feat: validate new recovery code

Browse source
This commit is contained in:
Hintay 2025-02-10 14:44:01 +09:00
parent c7731667f4
commit 9184711d43
No known key found for this signature in database
GPG key ID: 120FC7FF121F2F2D
5 changed files with 69 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/src/api/2fa.ts
View file

@ -6,7 +6,7 @@ export interface TwoFAStatus {
otp_status: boolean otp_status: boolean
passkey_status: boolean passkey_status: boolean
recovery_codes_generated: boolean recovery_codes_generated: boolean
recovery_codes_viewed: boolean recovery_codes_viewed?: boolean
} }
const twoFA = { const twoFA = {

69
app/src/components/TwoFA/Authorization.vue
View file

@ -65,42 +65,30 @@ onMounted(() => {
<template> <template>
<div> <div>
<div v-if="twoFAStatus.otp_status"> <div
<div v-if="!useRecoveryCode"> v-if="useRecoveryCode"
<p>{{ $gettext('Please enter the OTP code:') }}</p> class="mt-2 mb-4"
<OTPInput >
ref="refOTP" <p>{{ $gettext('Input the recovery code:') }}</p>
v-model="passcode" <AInputGroup compact>
class="justify-center mb-6" <AInput v-model:value="recoveryCode" placeholder="xxxxx-xxxxx" />
@on-complete="onSubmit" <AButton
/> type="primary"
</div> @click="onSubmit"
<div >
v-else {{ $gettext('Recovery') }}
class="mt-2 mb-4" </AButton>
> </AInputGroup>
<p>{{ $gettext('Input the recovery code:') }}</p> </div>
<AInputGroup compact>
<AInput v-model:value="recoveryCode" />
<AButton
type="primary"
@click="onSubmit"
>
{{ $gettext('Recovery') }}
</AButton>
</AInputGroup>
</div>
<div class="flex justify-center"> <div v-if="twoFAStatus.otp_status && !useRecoveryCode">
<a <p>{{ $gettext('Please enter the OTP code:') }}</p>
v-if="!useRecoveryCode" <OTPInput
@click="clickUseRecoveryCode" ref="refOTP"
>{{ $gettext('Use recovery code') }}</a> v-model="passcode"
<a class="justify-center mb-6"
v-else @on-complete="onSubmit"
@click="clickUseOTP" />
>{{ $gettext('Use OTP') }}</a>
</div>
</div> </div>
<div <div
@ -121,6 +109,17 @@ onMounted(() => {
{{ $gettext('Authenticate with a passkey') }} {{ $gettext('Authenticate with a passkey') }}
</AButton> </AButton>
</div> </div>
<div v-if="twoFAStatus.otp_status || twoFAStatus.recovery_codes_generated" class="flex justify-center">
<a
v-if="!useRecoveryCode"
@click="clickUseRecoveryCode"
>{{ $gettext('Use recovery code') }}</a>
<a
v-else-if="twoFAStatus.otp_status"
@click="clickUseOTP"
>{{ $gettext('Use OTP') }}</a>
</div>
</div> </div>
</template> </template>

1
app/src/views/other/Login.vue
View file

@ -205,6 +205,7 @@ async function handlePasskeyLogin() {
enabled: true, enabled: true,
otp_status: true, otp_status: true,
passkey_status: false, passkey_status: false,
recovery_codes_generated: true,
}" }"
@submit-o-t-p="handleOTPSubmit" @submit-o-t-p="handleOTPSubmit"
/> />

1
internal/user/errors.go
View file

@ -8,6 +8,7 @@ var (
ErrUserBanned = e.New(40303, "user banned") ErrUserBanned = e.New(40303, "user banned")
ErrOTPCode = e.New(40304, "invalid otp code") ErrOTPCode = e.New(40304, "invalid otp code")
ErrRecoveryCode = e.New(40305, "invalid recovery code") ErrRecoveryCode = e.New(40305, "invalid recovery code")
ErrTOTPNotEnabled = e.New(40306, "legacy recovery code not allowed since totp is not enabled")
ErrWebAuthnNotConfigured = e.New(50000, "WebAuthn settings are not configured") ErrWebAuthnNotConfigured = e.New(50000, "WebAuthn settings are not configured")
ErrUserNotEnabledOTPAs2FA = e.New(50001, "user not enabled otp as 2fa") ErrUserNotEnabledOTPAs2FA = e.New(50001, "user not enabled otp as 2fa")
ErrOTPOrRecoveryCodeEmpty = e.New(50002, "otp or recovery code empty") ErrOTPOrRecoveryCodeEmpty = e.New(50002, "otp or recovery code empty")

37
internal/user/otp.go
View file

@ -5,12 +5,14 @@ import (
"crypto/sha1" "crypto/sha1"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"time"
"github.com/0xJacky/Nginx-UI/internal/cache" "github.com/0xJacky/Nginx-UI/internal/cache"
"github.com/0xJacky/Nginx-UI/internal/crypto" "github.com/0xJacky/Nginx-UI/internal/crypto"
"github.com/0xJacky/Nginx-UI/model" "github.com/0xJacky/Nginx-UI/model"
"github.com/0xJacky/Nginx-UI/query"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/pquerna/otp/totp" "github.com/pquerna/otp/totp"
"time"
) )
func VerifyOTP(user *model.User, otp, recoveryCode string) (err error) { func VerifyOTP(user *model.User, otp, recoveryCode string) (err error) {
@ -24,14 +26,39 @@ func VerifyOTP(user *model.User, otp, recoveryCode string) (err error) {
return ErrOTPCode return ErrOTPCode
} }
} else { } else {
recoverCode, err := hex.DecodeString(recoveryCode) // get user from db
u := query.User
user, err = u.Where(u.ID.Eq(user.ID)).First()
if err != nil { if err != nil {
return err return err
} }
k := sha1.Sum(user.OTPSecret)
if !bytes.Equal(k[:], recoverCode) { // legacy recovery code
return ErrRecoveryCode if !user.RecoveryCodeGenerated() {
if user.OTPSecret == nil {
return ErrTOTPNotEnabled
}
recoverCode, err := hex.DecodeString(recoveryCode)
if err != nil {
return err
}
k := sha1.Sum(user.OTPSecret)
if !bytes.Equal(k[:], recoverCode) {
return ErrRecoveryCode
}
} }
// check recovery code
for _, code := range user.RecoveryCodes.Codes {
if code.Code == recoveryCode && code.UsedTime == nil {
t := time.Now()
code.UsedTime = &t
_, err = u.Where(u.ID.Eq(user.ID)).Updates(user)
return
}
}
return ErrRecoveryCode
} }
return return
} }