🔏 fix: Enhance Two-Factor Authentication (#6247)

* 🌟 feat: Implement Two-Factor Authentication (2FA) functionality * fix: Two-Factor Authentication Logic and State Management * 🌟 feat: Add LICENSE file and update package version to 0.0.2 with MIT license
2025-12-17 00:40:14 +01:00 · 2025-03-08 21:28:27 +01:00 · 2025-03-08 21:28:27 +01:00 · 3e3dfe5bad
commit 3e3dfe5bad
parent cc661c95ee
15 changed files with 179 additions and 29 deletions
--- a/api/server/controllers/TwoFactorController.js
+++ b/api/server/controllers/TwoFactorController.js
@ -11,17 +11,19 @@ const { encryptV2 } = require('~/server/utils/crypto');

 const enable2FAController = async (req, res) => {
  const safeAppTitle = (process.env.APP_TITLE || 'LibreChat').replace(/\s+/g, '');
-
  try {
    const userId = req.user.id;
    const secret = generateTOTPSecret();
    const { plainCodes, codeObjects } = await generateBackupCodes();
-
    const encryptedSecret = await encryptV2(secret);
-    const user = await updateUser(userId, { totpSecret: encryptedSecret, backupCodes: codeObjects });
+    // Set twoFactorEnabled to false until the user confirms 2FA.
+    const user = await updateUser(userId, {
+      totpSecret: encryptedSecret,
+      backupCodes: codeObjects,
+      twoFactorEnabled: false,
+    });

    const otpauthUrl = `otpauth://totp/${safeAppTitle}:${user.email}?secret=${secret}&issuer=${safeAppTitle}`;
-
    res.status(200).json({
      otpauthUrl,
      backupCodes: plainCodes,
@ -37,6 +39,7 @@ const verify2FAController = async (req, res) => {
    const userId = req.user.id;
    const { token, backupCode } = req.body;
    const user = await getUserById(userId);
+    // Ensure that 2FA is enabled for this user.
    if (!user || !user.totpSecret) {
      return res.status(400).json({ message: '2FA not initiated' });
    }
@ -52,7 +55,6 @@ const verify2FAController = async (req, res) => {
        return res.status(200).json();
      }
    }
-
    return res.status(400).json({ message: 'Invalid token.' });
  } catch (err) {
    logger.error('[verify2FAController]', err);
@ -74,6 +76,8 @@ const confirm2FAController = async (req, res) => {
    const secret = await getTOTPSecret(user.totpSecret);

    if (await verifyTOTP(secret, token)) {
+      // Upon successful verification, enable 2FA.
+      await updateUser(userId, { twoFactorEnabled: true });
      return res.status(200).json();
    }

@ -87,7 +91,7 @@ const confirm2FAController = async (req, res) => {
 const disable2FAController = async (req, res) => {
  try {
    const userId = req.user.id;
-    await updateUser(userId, { totpSecret: null, backupCodes: [] });
+    await updateUser(userId, { totpSecret: null, backupCodes: [], twoFactorEnabled: false });
    res.status(200).json();
  } catch (err) {
    logger.error('[disable2FAController]', err);
--- a/api/server/controllers/auth/LoginController.js
+++ b/api/server/controllers/auth/LoginController.js
@ -8,7 +8,7 @@ const loginController = async (req, res) => {
      return res.status(400).json({ message: 'Invalid credentials' });
    }

-    if (req.user.backupCodes != null && req.user.backupCodes.length > 0) {
+    if (req.user.twoFactorEnabled) {
      const tempToken = generate2FATempToken(req.user._id);
      return res.status(200).json({ twoFAPending: true, tempToken });
    }
--- a/api/server/controllers/auth/TwoFactorAuthController.js
+++ b/api/server/controllers/auth/TwoFactorAuthController.js
@ -1,5 +1,9 @@
 const jwt = require('jsonwebtoken');
-const { verifyTOTP, verifyBackupCode, getTOTPSecret } = require('~/server/services/twoFactorService');
+const {
+  verifyTOTP,
+  verifyBackupCode,
+  getTOTPSecret,
+} = require('~/server/services/twoFactorService');
 const { setAuthTokens } = require('~/server/services/AuthService');
 const { getUserById } = require('~/models/userMethods');
 const { logger } = require('~/config');
@ -19,12 +23,12 @@ const verify2FA = async (req, res) => {
    }

    const user = await getUserById(payload.userId);
-    // Ensure that the user exists and has backup codes (i.e. 2FA enabled)
-    if (!user || !(user.backupCodes && user.backupCodes.length > 0)) {
+    // Ensure that the user exists and has 2FA enabled
+    if (!user || !user.twoFactorEnabled) {
      return res.status(400).json({ message: '2FA is not enabled for this user' });
    }

-    // Use the new getTOTPSecret function to retrieve (and decrypt if necessary) the TOTP secret.
+    // Retrieve (and decrypt if necessary) the TOTP secret.
    const secret = await getTOTPSecret(user.totpSecret);

    let verified = false;
@ -39,9 +43,7 @@ const verify2FA = async (req, res) => {
    }

    // Prepare user data for response.
-    // If the user is a plain object (from lean queries), we create a shallow copy.
    const userData = user.toObject ? user.toObject() : { ...user };
-    // Remove sensitive fields.
    delete userData.password;
    delete userData.__v;
    delete userData.totpSecret;