Merge branch 'dev' into clients-pops-dev

2026-03-06 10:46:38 +00:00 · 2025-07-14 16:59:00 -07:00
parent 83b00c1cfa d6fdb38c22
commit 3dc79da2fa
55 changed files with 5261 additions and 4194 deletions
--- a/server/routers/auth/requestTotpSecret.ts
+++ b/server/routers/auth/requestTotpSecret.ts
@@ -7,17 +7,19 @@ import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/lib";
 import { db } from "@server/db";
 import { User, users } from "@server/db";
-import { eq } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import { createTOTPKeyURI } from "oslo/otp";
 import logger from "@server/logger";
 import { verifyPassword } from "@server/auth/password";
 import { unauthorized } from "@server/auth/unauthorizedResponse";
-import config from "@server/lib/config";
 import { UserType } from "@server/types/UserTypes";
+import { verifySession } from "@server/auth/sessions/verifySession";
+import config from "@server/lib/config";

 export const requestTotpSecretBody = z
    .object({
-        password: z.string()
+        password: z.string(),
+        email: z.string().email().optional()
    })
    .strict();

@@ -44,9 +46,42 @@ export async function requestTotpSecret(
        );
    }

-    const { password } = parsedBody.data;
+    const { password, email } = parsedBody.data;

-    const user = req.user as User;
+    const { user: sessionUser, session: existingSession } = await verifySession(req);
+
+    let user: User | null = sessionUser;
+    if (!existingSession) {
+        if (!email) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Email is required for two-factor authentication setup"
+                )
+            );
+        }
+        const [res] = await db
+            .select()
+            .from(users)
+            .where(
+                and(eq(users.type, UserType.Internal), eq(users.email, email))
+            );
+        user = res;
+    }
+
+    if (!user) {
+        if (config.getRawConfig().app.log_failed_attempts) {
+            logger.info(
+                `Username or password incorrect. Email: ${email}. IP: ${req.ip}.`
+            );
+        }
+        return next(
+            createHttpError(
+                HttpCode.UNAUTHORIZED,
+                "Username or password is incorrect"
+            )
+        );
+    }

    if (user.type !== UserType.Internal) {
        return next(
@@ -58,7 +93,10 @@ export async function requestTotpSecret(
    }

    try {
-        const validPassword = await verifyPassword(password, user.passwordHash!);
+        const validPassword = await verifyPassword(
+            password,
+            user.passwordHash!
+        );
        if (!validPassword) {
            return next(unauthorized());
        }