diff --git a/src/invidious.cr b/src/invidious.cr
index 5edec97b..ac6ed563 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -345,11 +345,11 @@ Invidious::Routing.get "/preferences", Invidious::Routes::PreferencesRoute, :sho
 Invidious::Routing.post "/preferences", Invidious::Routes::PreferencesRoute, :update
 Invidious::Routing.get "/toggle_theme", Invidious::Routes::PreferencesRoute, :toggle_theme
 
-Invidious::Routing.get "/setup_2fa", Invidious::Routes::Accounts, :setup_2fa_page
-Invidious::Routing.post "/setup_2fa", Invidious::Routes::Accounts, :setup_2fa
-Invidious::Routing.get "/remove_2fa", Invidious::Routes::Accounts, :remove_2fa_page
-Invidious::Routing.post "/remove_2fa", Invidious::Routes::Accounts, :remove_2fa
-Invidious::Routing.post "/validate_2fa", Invidious::Routes::Accounts, :validate_2fa
+Invidious::Routing.get "/2fa/setup", Invidious::Routes::Accounts, :setup_2fa_page
+Invidious::Routing.post "/2fa/setup", Invidious::Routes::Accounts, :setup_2fa
+Invidious::Routing.get "/2fa/remove", Invidious::Routes::Accounts, :remove_2fa_page
+Invidious::Routing.post "/2fa/remove", Invidious::Routes::Accounts, :remove_2fa
+Invidious::Routing.post "/2fa/validate", Invidious::Routes::Accounts, :validate_2fa
 
 # Users
diff --git a/src/invidious/helpers/utils.cr b/src/invidious/helpers/utils.cr
index 3e6a6094..5210cf73 100644
--- a/src/invidious/helpers/utils.cr
+++ b/src/invidious/helpers/utils.cr
@@ -474,7 +474,7 @@ end
 def call_totp_validator(env, user, sid, locale)
   referer = URI.decode_www_form(env.get?("current_page").to_s)
-  csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY, PG_DB)
+  csrf_token = generate_response(sid, {":2fa/validate"}, HMAC_KEY, PG_DB)
   email, password = {user.email, nil}
   return templated "account/validate_2fa"
 end
diff --git a/src/invidious/routes/accounts.cr b/src/invidious/routes/accounts.cr
index e86e33e3..55c2fc4c 100644
--- a/src/invidious/routes/accounts.cr
+++ b/src/invidious/routes/accounts.cr
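Review bot: `call_totp_validator` now hand-codes the CSRF scope `":2fa/validate"`, while the same path is written independently in the route table (`/2fa/validate`) and, presumably, compared against the request path on the validating side; nothing ties the three literals together, so a later edit to one of them silently yields tokens the validator rejects, or a scope that no longer matches the request it is meant to protect. A single constant such as `TWO_FA_VALIDATE_PATH = "/2fa/validate"`, used both for the route registration and to build the scope, would keep them in lock-step, and the same applies to the `":2fa/setup"` and `":2fa/remove"` scopes in accounts.cr. Whether the scope check on the validating side is path-based is not visible in this diff and is worth confirming before relying on the rename.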
@@ -13,7 +13,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
     user = user.as(User)
     sid = sid.as(String)
 
-    csrf_token = generate_response(sid, {":setup_2fa"}, HMAC_KEY, PG_DB)
+    csrf_token = generate_response(sid, {":2fa/setup"}, HMAC_KEY, PG_DB)
     db_secret = Random::Secure.random_bytes(16).hexstring
     totp = CrOTP::TOTP.new(db_secret)
 
@@ -29,7 +29,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
     user = env.get("user").as(User)
     sid = env.get("sid").as(String)
 
-    csrf_token = generate_response(sid, {":remove_2fa"}, HMAC_KEY, PG_DB)
+    csrf_token = generate_response(sid, {":2fa/remove"}, HMAC_KEY, PG_DB)
     return templated "account/remove_2fa"
   end
 
@@ -139,10 +139,10 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
         if CONFIG.domain
           env.response.cookies["SID"] = HTTP::Cookie.new(name: "SID", domain: "#{CONFIG.domain}", value: sid, expires: Time.utc + 2.years,
-            secure: secure, http_only: true)
+            secure: secure, http_only: true, path: "/")
         else
           env.response.cookies["SID"] = HTTP::Cookie.new(name: "SID", value: sid, expires: Time.utc + 2.years,
-            secure: secure, http_only: true)
+            secure: secure, http_only: true, path: "/")
         end
       else
         return error_template(401, "Wrong username or password")
@@ -154,7 +154,6 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
         cookie.expires = Time.utc(1990, 1, 1)
         env.response.cookies << cookie
       end
-      env.redirect referer
     else
       token = env.params.body["csrf_token"]
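Review bot: The two `HTTP::Cookie.new` calls in the -139 hunk give the SID session cookie `path: "/"` but still set no SameSite attribute, so the browser keeps attaching it to cross-site requests; adding `samesite: HTTP::Cookie::SameSite::Lax` next to `http_only: true` makes the browser withhold it on cross-site POSTs, a second layer under the csrf_token checks. The same applies to the two 2faVerified cookies in the -166 hunk. The explicit `path: "/"` looks necessary rather than cosmetic: the cookie is now set from a `/2fa/...` request, and without it the default path would presumably be scoped to `/2fa` — a one-line comment saying so, e.g. `# path must be "/" — set from /2fa/validate, default path would be /2fa`, would stop someone removing it later. The two branches differ only in `domain:`; if `CONFIG.domain` is a `String?`, a single call with `domain: CONFIG.domain` replaces the `if/else`, and the `"#{CONFIG.domain}"` interpolation is redundant in a branch where it is already known to be set. The enclosing method starts and ends outside the hunk.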
@@ -166,9 +165,9 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
       end
 
       if CONFIG.domain
-        env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", domain: "#{CONFIG.domain}", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true)
+        env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", domain: "#{CONFIG.domain}", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true, path: "/")
       else
-        env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true)
+        env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true, path: "/")
       end
     end
diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr
index cf97c485..90a74790 100644
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
@@ -326,8 +326,8 @@ class Invidious::Routes::Login < Invidious::Routes::BaseRoute
       return error_template(400, "Please sign in using 'Log in with Google'")
     end
 
-    if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
-      # If the password is correct then we'll go ahead and begin 2fa if applicable
+    if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
+      # If the password is correct then we'll go ahead and begin 2fa if applicable
       if user.totp_secret
         csrf_token = nil # setting this to false for compatibility reasons.
         return templated "account/validate_2fa"
diff --git a/src/invidious/views/account/remove_2fa.ecr b/src/invidious/views/account/remove_2fa.ecr
index 540b99d2..000a197c 100644
--- a/src/invidious/views/account/remove_2fa.ecr
+++ b/src/invidious/views/account/remove_2fa.ecr
@@ -3,7 +3,7 @@
 <% end %>
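Review bot: The `2faVerified` cookie written in both branches of the -166 hunk carries the constant value `"1"` with no binding to `sid`, so its mere presence proves nothing about this session: any party able to set a cookie for the host — a sibling subdomain when `CONFIG.domain` is set, or anything on a plaintext connection when `secure` is false — can present an identical cookie without having passed TOTP. If that presence is what later gates the 2FA-protected actions (the consumer is not visible here), record the verification server-side against the session instead, or make the value an HMAC under HMAC_KEY over `sid` plus the expiry and verify it on read, so the cookie is evidence rather than an assertion. A short comment above the `if CONFIG.domain` stating what this cookie authorises and for how long (`# marks this session as TOTP-verified for 1 hour`) would also help the next reader. The enclosing method starts outside the hunk.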