mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-16 04:36:34 +01:00
🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223)
* fix: require OTP verification for 2FA re-enrollment and backup code regeneration * fix: require OTP verification for account deletion when 2FA is enabled * refactor: Improve code formatting and readability in TwoFactorController and UserController - Reformatted code in TwoFactorController and UserController for better readability by aligning parameters and breaking long lines. - Updated test cases in deleteUser.spec.js and TwoFactorController.spec.js to enhance clarity by formatting object parameters consistently. * refactor: Consolidate OTP and backup code verification logic in TwoFactorController and UserController - Introduced a new `verifyOTPOrBackupCode` function to streamline the verification process for TOTP tokens and backup codes across multiple controllers. - Updated the `enable2FA`, `disable2FA`, and `deleteUserController` methods to utilize the new verification function, enhancing code reusability and readability. - Adjusted related tests to reflect the changes in verification logic, ensuring consistent behavior across different scenarios. - Improved error handling and response messages for verification failures, providing clearer feedback to users. * chore: linting * refactor: Update BackupCodesItem component to enhance OTP verification logic - Consolidated OTP input handling by moving the 2FA verification UI logic to a more consistent location within the component. - Improved the state management for OTP readiness, ensuring the regenerate button is only enabled when the OTP is ready. - Cleaned up imports by removing redundant type imports, enhancing code clarity and maintainability. * chore: lint * fix: stage 2FA re-enrollment in pending fields to prevent disarmament window enable2FA now writes to pendingTotpSecret/pendingBackupCodes instead of overwriting the live fields. confirm2FA performs the atomic swap only after the new TOTP code is verified. If the user abandons mid-flow, their existing 2FA remains active and intact.
This commit is contained in:
Danny Avila
GitHub
parent
189cdf581d
commit
71a3b48504
14 changed files with 927 additions and 104 deletions
|
|
@ -1,5 +1,6 @@
|
|||
const { encryptV3, logger } = require('@librechat/data-schemas');
|
||||
const {
|
||||
verifyOTPOrBackupCode,
|
||||
generateBackupCodes,
|
||||
generateTOTPSecret,
|
||||
verifyBackupCode,
|
||||
|
|
@ -13,24 +14,42 @@ const safeAppTitle = (process.env.APP_TITLE || 'LibreChat').replace(/\s+/g, '');
|
|||
/**
|
||||
* Enable 2FA for the user by generating a new TOTP secret and backup codes.
|
||||
* The secret is encrypted and stored, and 2FA is marked as disabled until confirmed.
|
||||
* If 2FA is already enabled, requires OTP or backup code verification to re-enroll.
|
||||
*/
|
||||
const enable2FA = async (req, res) => {
|
||||
try {
|
||||
const userId = req.user.id;
|
||||
const existingUser = await getUserById(
|
||||
userId,
|
||||
'+totpSecret +backupCodes _id twoFactorEnabled email',
|
||||
);
|
||||
|
||||
if (existingUser && existingUser.twoFactorEnabled) {
|
||||
const { token, backupCode } = req.body;
|
||||
const result = await verifyOTPOrBackupCode({
|
||||
user: existingUser,
|
||||
token,
|
||||
backupCode,
|
||||
persistBackupUse: false,
|
||||
});
|
||||
|
||||
if (!result.verified) {
|
||||
const msg = result.message ?? 'TOTP token or backup code is required to re-enroll 2FA';
|
||||
return res.status(result.status ?? 400).json({ message: msg });
|
||||
}
|
||||
}
|
||||
|
||||
const secret = generateTOTPSecret();
|
||||
const { plainCodes, codeObjects } = await generateBackupCodes();
|
||||
|
||||
// Encrypt the secret with v3 encryption before saving.
|
||||
const encryptedSecret = encryptV3(secret);
|
||||
|
||||
// Update the user record: store the secret & backup codes and set twoFactorEnabled to false.
|
||||
const user = await updateUser(userId, {
|
||||
totpSecret: encryptedSecret,
|
||||
backupCodes: codeObjects,
|
||||
twoFactorEnabled: false,
|
||||
pendingTotpSecret: encryptedSecret,
|
||||
pendingBackupCodes: codeObjects,
|
||||
});
|
||||
|
||||
const otpauthUrl = `otpauth://totp/${safeAppTitle}:${user.email}?secret=${secret}&issuer=${safeAppTitle}`;
|
||||
const email = user.email || (existingUser && existingUser.email) || '';
|
||||
const otpauthUrl = `otpauth://totp/${safeAppTitle}:${email}?secret=${secret}&issuer=${safeAppTitle}`;
|
||||
|
||||
return res.status(200).json({ otpauthUrl, backupCodes: plainCodes });
|
||||
} catch (err) {
|
||||
|
|
@ -46,13 +65,14 @@ const verify2FA = async (req, res) => {
|
|||
try {
|
||||
const userId = req.user.id;
|
||||
const { token, backupCode } = req.body;
|
||||
const user = await getUserById(userId, '_id totpSecret backupCodes');
|
||||
const user = await getUserById(userId, '+totpSecret +pendingTotpSecret +backupCodes _id');
|
||||
const secretSource = user?.pendingTotpSecret ?? user?.totpSecret;
|
||||
|
||||
if (!user || !user.totpSecret) {
|
||||
if (!user || !secretSource) {
|
||||
return res.status(400).json({ message: '2FA not initiated' });
|
||||
}
|
||||
|
||||
const secret = await getTOTPSecret(user.totpSecret);
|
||||
const secret = await getTOTPSecret(secretSource);
|
||||
let isVerified = false;
|
||||
|
||||
if (token) {
|
||||
|
|
@ -78,15 +98,28 @@ const confirm2FA = async (req, res) => {
|
|||
try {
|
||||
const userId = req.user.id;
|
||||
const { token } = req.body;
|
||||
const user = await getUserById(userId, '_id totpSecret');
|
||||
const user = await getUserById(
|
||||
userId,
|
||||
'+totpSecret +pendingTotpSecret +pendingBackupCodes _id',
|
||||
);
|
||||
const secretSource = user?.pendingTotpSecret ?? user?.totpSecret;
|
||||
|
||||
if (!user || !user.totpSecret) {
|
||||
if (!user || !secretSource) {
|
||||
return res.status(400).json({ message: '2FA not initiated' });
|
||||
}
|
||||
|
||||
const secret = await getTOTPSecret(user.totpSecret);
|
||||
const secret = await getTOTPSecret(secretSource);
|
||||
if (await verifyTOTP(secret, token)) {
|
||||
await updateUser(userId, { twoFactorEnabled: true });
|
||||
const update = {
|
||||
totpSecret: user.pendingTotpSecret ?? user.totpSecret,
|
||||
twoFactorEnabled: true,
|
||||
pendingTotpSecret: null,
|
||||
pendingBackupCodes: [],
|
||||
};
|
||||
if (user.pendingBackupCodes?.length) {
|
||||
update.backupCodes = user.pendingBackupCodes;
|
||||
}
|
||||
await updateUser(userId, update);
|
||||
return res.status(200).json();
|
||||
}
|
||||
return res.status(400).json({ message: 'Invalid token.' });
|
||||
|
|
@ -104,31 +137,27 @@ const disable2FA = async (req, res) => {
|
|||
try {
|
||||
const userId = req.user.id;
|
||||
const { token, backupCode } = req.body;
|
||||
const user = await getUserById(userId, '_id totpSecret backupCodes');
|
||||
const user = await getUserById(userId, '+totpSecret +backupCodes _id twoFactorEnabled');
|
||||
|
||||
if (!user || !user.totpSecret) {
|
||||
return res.status(400).json({ message: '2FA is not setup for this user' });
|
||||
}
|
||||
|
||||
if (user.twoFactorEnabled) {
|
||||
const secret = await getTOTPSecret(user.totpSecret);
|
||||
let isVerified = false;
|
||||
const result = await verifyOTPOrBackupCode({ user, token, backupCode });
|
||||
|
||||
if (token) {
|
||||
isVerified = await verifyTOTP(secret, token);
|
||||
} else if (backupCode) {
|
||||
isVerified = await verifyBackupCode({ user, backupCode });
|
||||
} else {
|
||||
return res
|
||||
.status(400)
|
||||
.json({ message: 'Either token or backup code is required to disable 2FA' });
|
||||
}
|
||||
|
||||
if (!isVerified) {
|
||||
return res.status(401).json({ message: 'Invalid token or backup code' });
|
||||
if (!result.verified) {
|
||||
const msg = result.message ?? 'Either token or backup code is required to disable 2FA';
|
||||
return res.status(result.status ?? 400).json({ message: msg });
|
||||
}
|
||||
}
|
||||
await updateUser(userId, { totpSecret: null, backupCodes: [], twoFactorEnabled: false });
|
||||
await updateUser(userId, {
|
||||
totpSecret: null,
|
||||
backupCodes: [],
|
||||
twoFactorEnabled: false,
|
||||
pendingTotpSecret: null,
|
||||
pendingBackupCodes: [],
|
||||
});
|
||||
return res.status(200).json();
|
||||
} catch (err) {
|
||||
logger.error('[disable2FA]', err);
|
||||
|
|
@ -138,10 +167,28 @@ const disable2FA = async (req, res) => {
|
|||
|
||||
/**
|
||||
* Regenerate backup codes for the user.
|
||||
* Requires OTP or backup code verification if 2FA is already enabled.
|
||||
*/
|
||||
const regenerateBackupCodes = async (req, res) => {
|
||||
try {
|
||||
const userId = req.user.id;
|
||||
const user = await getUserById(userId, '+totpSecret +backupCodes _id twoFactorEnabled');
|
||||
|
||||
if (!user) {
|
||||
return res.status(404).json({ message: 'User not found' });
|
||||
}
|
||||
|
||||
if (user.twoFactorEnabled) {
|
||||
const { token, backupCode } = req.body;
|
||||
const result = await verifyOTPOrBackupCode({ user, token, backupCode });
|
||||
|
||||
if (!result.verified) {
|
||||
const msg =
|
||||
result.message ?? 'TOTP token or backup code is required to regenerate backup codes';
|
||||
return res.status(result.status ?? 400).json({ message: msg });
|
||||
}
|
||||
}
|
||||
|
||||
const { plainCodes, codeObjects } = await generateBackupCodes();
|
||||
await updateUser(userId, { backupCodes: codeObjects });
|
||||
return res.status(200).json({
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue