Change 2fa on login to be after pass verification

syeopite 2021-07-15 02:53:35 -07:00
parent 7ae327966c
commit 63162986a1
No known key found for this signature in database
GPG key ID: 6FA616E5A5294A82
2 changed files with 11 additions and 7 deletions


@ -3,6 +3,7 @@ require "./base_route"
# Different routes relating to existing accounts and the control of their data. # Different routes relating to existing accounts and the control of their data.
class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
# Setup 2fa page
def setup_2fa_page(env) def setup_2fa_page(env)
locale = LOCALES[env.get("preferences").as(Preferences).locale]? locale = LOCALES[env.get("preferences").as(Preferences).locale]?
@ -21,7 +22,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
return templated "account/setup_2fa" return templated "account/setup_2fa"
end end
# Endpoint to remove 2fa # Remove 2fa page
def remove_2fa_page(env) def remove_2fa_page(env)
locale = LOCALES[env.get("preferences").as(Preferences).locale]? locale = LOCALES[env.get("preferences").as(Preferences).locale]?
referer = get_referer(env) referer = get_referer(env)
@ -58,7 +59,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
PG_DB.exec("UPDATE users SET totp_secret = $1 WHERE email = $2", nil, user.email) PG_DB.exec("UPDATE users SET totp_secret = $1 WHERE email = $2", nil, user.email)
end end
# Setup TOTP (post) request. # Setup 2fa post request.
def setup_2fa(env) def setup_2fa(env)
locale = LOCALES[env.get("preferences").as(Preferences).locale]? locale = LOCALES[env.get("preferences").as(Preferences).locale]?
@ -131,7 +132,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
# https://stackoverflow.com/a/574698 # https://stackoverflow.com/a/574698
if email && password if email && password
# The rest of the login code. # Verify the password again for extra security
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc) PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
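Review bot: The re-verification added here calls `user.password.not_nil!`, but nothing in the hunk guards accounts that have no local password, whereas the login route rejects those with `if !user.password` before it verifies; unless such a check sits above this hunk, a Google-login account reaching this endpoint raises on `not_nil!` instead of getting an error page. Add `return error_template(400, "Please sign in using 'Log in with Google'") unless user.password` ahead of the verify call, matching the login route. Re-verifying the password at the 2FA step also implies the validate_2fa form round-trips the submitted password; if that is a hidden field, say so in the comment, e.g. `# The 2FA form re-submits the password; verify it again so a forged TOTP post alone cannot mint a session`, or consider a short-lived server-side pre-auth token instead of carrying the plaintext credential through a second response. The enclosing function starts before this hunk.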


@ -324,12 +324,15 @@ class Invidious::Routes::Login < Invidious::Routes::BaseRoute
if user if user
if !user.password if !user.password
return error_template(400, "Please sign in using 'Log in with Google'") return error_template(400, "Please sign in using 'Log in with Google'")
elsif user.totp_secret
csrf_token = nil # setting this to false for compatibility reasons.
return templated "account/validate_2fa"
end end
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
# If the password is correct then we'll go ahead and begin 2fa if applicable
if user.totp_secret
csrf_token = nil # setting this to false for compatibility reasons.
return templated "account/validate_2fa"
end
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc) PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
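Review bot: The 2FA prompt is rendered with `csrf_token = nil` (the line under `if user.totp_secret`), so the validate_2fa form that a password-verified user is now sent to is emitted without an anti-CSRF token, and the trailing comment says "false" while the code assigns nil. Since that form is the step which completes login, it should carry the same token the login form uses if one is obtainable in this handler, or the comment should state exactly which compatibility constraint prevents it. The backslash ending the `if Crypto::Bcrypt::Password ... verify(...)` line appears to do nothing useful because the following line is a comment; dropping it, `if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))`, reads cleaner and avoids joining the comment onto the condition. The enclosing block continues past the hunk, so what happens on a wrong password for a 2FA-enabled account is not visible here.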