Fixes + add 2FA check to password change and account delete

syeopite 2021-07-15 01:27:27 -07:00
parent 755b847ad5
commit 7cfee1dc94
No known key found for this signature in database
GPG key ID: 6FA616E5A5294A82
3 changed files with 20 additions and 4 deletions


@ -858,9 +858,8 @@ get "/change_password" do |env|
user = user.as(User) user = user.as(User)
sid = sid.as(String) sid = sid.as(String)
if user.totp_secret && env.response.cookies["2faVerified"]?.try &.value != "1" || nil if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1" || nil
csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY, PG_DB) next call_totp_validator(env, user, sid, locale)
next templated "account/validate_2fa?referer=#{env.get?("current_page")}"
end end
csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB) csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
@ -937,6 +936,11 @@ get "/delete_account" do |env|
user = user.as(User) user = user.as(User)
sid = sid.as(String) sid = sid.as(String)
if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1" || nil
next call_totp_validator(env, user, sid, locale)
end
csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB) csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB)
templated "account/delete_account" templated "account/delete_account"
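Review bot: The gate added to both routes, `if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1"`, trusts a plain cookie whose value is the constant "1" (validate_2fa in the third file sets it exactly that way, unsigned and unbound to the session), so anyone holding a stolen session cookie can add `2faVerified=1` themselves and skip the TOTP step, which is precisely the attacker a second factor on these actions is meant to stop. The verified flag should be server-side state keyed by `sid`, or at minimum a value the handler can verify such as an HMAC over sid and expiry computed with the existing HMAC_KEY, never a client-settable constant. The trailing `|| nil` on both conditions is a no-op and can be dropped. Both `get` blocks begin before the hunk; they only render the forms, and the corresponding POST handlers are not shown, so the check is only effective if those handlers apply it too, since the form can be submitted without ever loading the page.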


@ -546,3 +546,10 @@ def totp_validator(env)
end end
end end
end end
def call_totp_validator(env, user, sid, locale)
referer = URI.decode_www_form(env.get?("current_page").to_s)
csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY, PG_DB)
email, password = {user.email, nil}
return templated "account/validate_2fa"
end
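Review bot: `referer`, `csrf_token`, `email` and `password` are assigned but never read in this body; they exist only for the `templated` macro to capture, and without a comment the next cleanup pass will delete them as dead locals. I would add above the def: `# Renders the TOTP prompt for an already-authenticated user. The locals below are not dead:` / `# templated captures them for account/validate_2fa; password is nil because the` / `# session is already established and only the TOTP code is being checked.` Note also that `referer` here is taken straight from `current_page` after decoding; it is presumably funnelled back through get_referer before any redirect happens, but that is not visible from this hunk and is worth confirming, since an unchecked value here is an open-redirect input.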


@ -29,6 +29,8 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env, unroll: false) referer = get_referer(env, unroll: false)
puts referer
if !user if !user
return env.redirect referer return env.redirect referer
end end
@ -60,11 +62,12 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
# Validate 2fa code endpoint # Validate 2fa code endpoint
def validate_2fa(env) def validate_2fa(env)
locale = LOCALES[env.get("preferences").as(Preferences).locale]? locale = LOCALES[env.get("preferences").as(Preferences).locale]?
referer = get_referer(env) referer = get_referer(env, unroll: false)
email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254) email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254)
password = env.params.body["password"]? password = env.params.body["password"]?
totp_code = env.params.body["totp_code"]? totp_code = env.params.body["totp_code"]?
# This endpoint is only called when the user has a totp_secret. # This endpoint is only called when the user has a totp_secret.
user = PG_DB.query_one?("SELECT * FROM users WHERE email = $1", email, as: User).not_nil! user = PG_DB.query_one?("SELECT * FROM users WHERE email = $1", email, as: User).not_nil!
@ -131,5 +134,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true) env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true)
end end
end end
env.redirect referer
end end
end end
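Review bot: `puts referer` in the login handler is a leftover debug print that writes a caller-controlled URL to stdout on every request and should be removed. In validate_2fa the `2faVerified` cookie is issued with the constant value "1" and no binding to `sid` or the user, so its mere presence proves nothing to the routes that now check it; a server-side flag keyed by sid, or a value the server can verify such as an HMAC over sid and expiry, is needed for the new gates to mean anything. The user row is also selected from the untrusted body `email` and unwrapped with `.not_nil!`, so a submitted address with no account becomes an unhandled exception rather than a controlled 4xx; handle the nil case explicitly. The switch to `get_referer(env, unroll: false)` and the new `env.redirect referer` rely on get_referer to keep the target on-site, which this hunk does not show.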