63ac2b8ffc
* feat: nginx + torrential basics & services system * fix: lint + i18n * fix: update torrential to remove openssl * feat: add torrential to Docker build * feat: move to self hosted runner * fix: move off self-hosted runner * fix: update nginx.conf * feat: torrential cache invalidation * fix: update torrential for cache invalidation * feat: integrity check task * fix: lint * feat: move to version ids * fix: client fixes and client-side checks * feat: new depot apis and version id fixes * feat: update torrential * feat: droplet bump and remove unsafe update functions * fix: lint * feat: v4 featureset: emulators, multi-launch commands * fix: lint * fix: mobile ui for game editor * feat: launch options * fix: lint * fix: remove axios, use $fetch * feat: metadata and task api improvements * feat: task actions * fix: slight styling issue * feat: fix style and lints * feat: totp backend routes * feat: oidc groups * fix: update drop-base * feat: creation of passkeys & totp * feat: totp signin * feat: webauthn mfa/signin * feat: launch selecting ui * fix: manually running tasks * feat: update add company game modal to use new SelectorGame * feat: executor selector * fix(docker): update rust to rust nightly for torrential build (#305) * feat: new version ui * feat: move package lookup to build time to allow for deno dev * fix: lint * feat: localisation cleanup * feat: apply localisation cleanup * feat: potential i18n refactor logic * feat: remove args from commands * fix: lint * fix: lockfile --------- Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
62 lines
1.8 KiB
TypeScript
62 lines
1.8 KiB
TypeScript
import aclManager from "~/server/internal/acls";
|
|
import { totp, SecretKey } from "otp-io";
|
|
import { hmac } from "otp-io/crypto";
|
|
import prisma from "~/server/internal/db/database";
|
|
import { MFAMec } from "~/prisma/client/client";
|
|
import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
|
|
import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
|
|
import { createError } from "h3";
|
|
import { type } from "arktype";
|
|
import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
|
|
|
|
const TOTPEnableBody = type({
|
|
code: "string",
|
|
}).configure(throwingArktype);
|
|
|
|
export default defineEventHandler(async (h3) => {
|
|
const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
|
|
if (!userId)
|
|
throw createError({
|
|
statusCode: 403,
|
|
message: "Not signed in or superlevelled.",
|
|
});
|
|
|
|
const body = await readDropValidatedBody(h3, TOTPEnableBody);
|
|
|
|
const existing = await prisma.linkedMFAMec.findUnique({
|
|
where: {
|
|
userId_mec: {
|
|
userId,
|
|
mec: MFAMec.TOTP,
|
|
},
|
|
enabled: false,
|
|
},
|
|
});
|
|
if (!existing)
|
|
throw createError({ statusCode: 400, message: "TOTP not started" });
|
|
|
|
const secret = (existing.credentials as unknown as TOTPv1Credentials).secret;
|
|
const secretKeyBuffer = dropDecodeArrayBase64(secret);
|
|
const secretKey = new SecretKey(secretKeyBuffer);
|
|
|
|
const code = await totp(hmac, { secret: secretKey });
|
|
if (body.code !== code)
|
|
throw createError({ statusCode: 400, message: "Invalid TOTP code." });
|
|
|
|
// Safe because we're updating something we just queried
|
|
// eslint-disable-next-line drop/no-prisma-delete
|
|
await prisma.linkedMFAMec.update({
|
|
where: {
|
|
userId_mec: {
|
|
userId,
|
|
mec: MFAMec.TOTP,
|
|
},
|
|
},
|
|
data: {
|
|
enabled: true,
|
|
},
|
|
});
|
|
|
|
return;
|
|
});
|