Change 2fa on login to be after pass verification

2024-08-15 00:53:38 +00:00 · 2021-07-15 02:53:35 -07:00 · 2021-07-15 02:53:35 -07:00 · 63162986a1
commit 63162986a1
parent 7ae327966c
2 changed files with 11 additions and 7 deletions
--- a/src/invidious/routes/accounts.cr
+++ b/src/invidious/routes/accounts.cr
@ -3,6 +3,7 @@ require "./base_route"

 # Different routes relating to existing accounts and the control of their data.
 class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
+  # Setup 2fa page
  def setup_2fa_page(env)
    locale = LOCALES[env.get("preferences").as(Preferences).locale]?

@ -21,7 +22,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
    return templated "account/setup_2fa"
  end

-  # Endpoint to remove 2fa
+  # Remove 2fa page
  def remove_2fa_page(env)
    locale = LOCALES[env.get("preferences").as(Preferences).locale]?
    referer = get_referer(env)
@ -58,7 +59,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
    PG_DB.exec("UPDATE users SET totp_secret = $1 WHERE email = $2", nil, user.email)
  end

-  # Setup TOTP (post) request.
+  # Setup 2fa post request.
  def setup_2fa(env)
    locale = LOCALES[env.get("preferences").as(Preferences).locale]?

@ -131,7 +132,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute

    # https://stackoverflow.com/a/574698
    if email && password
-      # The rest of the login code.
+      # Verify the password again for extra security
      if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
        sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
        PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
@ -324,12 +324,15 @@ class Invidious::Routes::Login < Invidious::Routes::BaseRoute
      if user
        if !user.password
          return error_template(400, "Please sign in using 'Log in with Google'")
-        elsif user.totp_secret
+        end
+
+        if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
+                      # If the password is correct then we'll go ahead and begin 2fa if applicable
+          if user.totp_secret
            csrf_token = nil # setting this to false for compatibility reasons.
            return templated "account/validate_2fa"
          end

-        if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
          sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
          PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)