generate 2fa backup codes

2026-02-20 20:06:39 +00:00 · 2024-10-05 15:31:28 -04:00
parent e7080c4aa8
commit 4a5e0e1c57
4 changed files with 40 additions and 5 deletions
--- a/server/routers/auth/disable2fa.ts
+++ b/server/routers/auth/disable2fa.ts
@@ -5,7 +5,7 @@ import { fromError } from "zod-validation-error";
 import { unauthorized } from "@server/auth";
 import { z } from "zod";
 import { db } from "@server/db";
-import { User, users } from "@server/db/schema";
+import { twoFactorBackupCodes, User, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
 import { response } from "@server/utils";
 import { verifyPassword } from "./password";
@@ -82,6 +82,10 @@ export async function disable2fa(
            .set({ twoFactorEnabled: false })
            .where(eq(users.id, user.id));

+        await db
+            .delete(twoFactorBackupCodes)
+            .where(eq(twoFactorBackupCodes.userId, user.id));
+
        return response<null>(res, {
            data: null,
            success: true,
--- a/server/routers/auth/verifyTotp.ts
+++ b/server/routers/auth/verifyTotp.ts
@@ -7,8 +7,10 @@ import { TOTPController } from "oslo/otp";
 import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/utils";
 import { db } from "@server/db";
-import { User, users } from "@server/db/schema";
+import { twoFactorBackupCodes, User, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
+import { alphabet, generateRandomString } from "oslo/crypto";
+import { hashPassword } from "./password";

 export const verifyTotpBody = z.object({
    code: z.string(),
@@ -18,6 +20,7 @@ export type VerifyTotpBody = z.infer<typeof verifyTotpBody>;

 export type VerifyTotpResponse = {
    valid: boolean;
+    backupCodes: string[];
 };

 export async function verifyTotp(
@@ -65,6 +68,16 @@ export async function verifyTotp(
            decodeHex(user.twoFactorSecret),
        );

+        const backupCodes = await generateBackupCodes();
+        for (const code of backupCodes) {
+            const hash = await hashPassword(code);
+
+            await db.insert(twoFactorBackupCodes).values({
+                userId: user.id,
+                codeHash: hash,
+            });
+        }
+
        if (valid) {
            // if valid, enable two-factor authentication; the totp secret is no longer temporary
            await db
@@ -73,8 +86,8 @@ export async function verifyTotp(
                .where(eq(users.id, user.id));
        }

-        return response<{ valid: boolean }>(res, {
-            data: { valid },
+        return response<VerifyTotpResponse>(res, {
+            data: { valid, backupCodes },
            success: true,
            error: false,
            message: valid
@@ -91,3 +104,12 @@ export async function verifyTotp(
        );
    }
 }
+
+async function generateBackupCodes(): Promise<string[]> {
+    const codes = [];
+    for (let i = 0; i < 10; i++) {
+        const code = generateRandomString(8, alphabet("0-9", "A-Z", "a-z"));
+        codes.push(code);
+    }
+    return codes;
+}