Feat: 2fa (#1783)

* preplan otp, better qrcode library * add 2fa as feature * add totp generation * working totp lifecycle * don't allow disabled user to log in not a security issue as permission handler would fail anyway * require 2fa on login if enabled * update packages * fix typo * remove console.logs
2025-04-01 14:43:48 +02:00
parent 1c7f64ebd5
commit 32b73b850a
24 changed files with 804 additions and 438 deletions
@@ -1,29 +1,42 @@
 import { UserLoginSchema } from '#db/repositories/user/types';

 export default defineEventHandler(async (event) => {
-  const { username, password, remember } = await readValidatedBody(
+  const { username, password, remember, totpCode } = await readValidatedBody(
    event,
    validateZod(UserLoginSchema, event)
  );

-  // TODO: timing can be used to enumerate usernames
+  const result = await Database.users.login(username, password, totpCode);

-  const user = await Database.users.getByUsername(username);
-  if (!user)
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Incorrect credentials',
-    });
+  // TODO: add localization support

-  const userHashPassword = user.password;
-  const passwordValid = await isPasswordValid(password, userHashPassword);
-  if (!passwordValid) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Incorrect credentials',
-    });
+  if (!result.success) {
+    switch (result.error) {
+      case 'INCORRECT_CREDENTIALS':
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Invalid username or password',
+        });
+      case 'TOTP_REQUIRED':
+        return { status: 'TOTP_REQUIRED' };
+      case 'INVALID_TOTP_CODE':
+        return { status: 'INVALID_TOTP_CODE' };
+      case 'USER_DISABLED':
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'User disabled',
+        });
+      case 'UNEXPECTED_ERROR':
+        throw createError({
+          statusCode: 500,
+          statusMessage: 'Unexpected error',
+        });
+    }
+    assertUnreachable(result.error);
  }

+  const user = result.user;
+
  const session = await useWGSession(event, remember);

  const data = await session.update({
@@ -34,5 +47,5 @@ export default defineEventHandler(async (event) => {

  SERVER_DEBUG(`New Session: ${data.id} for ${user.id} (${user.username})`);

-  return { success: true };
+  return { status: 'success' };
 });