finished totp endpoints

server/routers/auth/index.ts

@@ -1,3 +1,5 @@
 export * from "./login";
 export * from "./signup";
 export * from "./logout";
+export * from "./verifyTotp";
+export * from "./requestTotpSecret";

server/routers/auth/login.ts

@@ -1,5 +1,5 @@
 import { verify } from "@node-rs/argon2";
-import lucia from "@server/auth";
+import lucia, { verifySession } from "@server/auth";
 import db from "@server/db";
 import { users } from "@server/db/schema";
 import HttpCode from "@server/types/HttpCode";
@@ -42,8 +42,7 @@ export async function login(
 
     const { email, password, code } = parsedBody.data;
 
-    const sessionId = req.cookies[lucia.sessionCookieName];
-    const { session: existingSession } = await lucia.validateSession(sessionId);
+    const { session: existingSession } = await verifySession(req);
     if (existingSession) {
         return response<null>(res, {
             data: null,
@@ -62,7 +61,7 @@ export async function login(
         return next(
             createHttpError(
                 HttpCode.BAD_REQUEST,
-                "A user with that email address does not exist",
+                "Username or password is incorrect",
             ),
         );
     }
@@ -80,7 +79,7 @@ export async function login(
         return next(
             createHttpError(
                 HttpCode.BAD_REQUEST,
-                "The password you entered is incorrect",
+                "Username or password is incorrect",
             ),
         );
     }

server/routers/auth/requestTotpSecret.ts

@@ -0,0 +1,99 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import { encodeHex } from "oslo/encoding";
+import HttpCode from "@server/types/HttpCode";
+import { verifySession, unauthorized } from "@server/auth";
+import { response } from "@server/utils";
+import { db } from "@server/db";
+import { users } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import { verify } from "@node-rs/argon2";
+import { createTOTPKeyURI } from "oslo/otp";
+
+export const requestTotpSecretBody = z.object({
+    password: z.string(),
+});
+
+export type RequestTotpSecretBody = z.infer<typeof requestTotpSecretBody>;
+
+export type RequestTotpSecretResponse = {
+    secret: string;
+};
+
+export async function requestTotpSecret(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedBody = requestTotpSecretBody.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString(),
+            ),
+        );
+    }
+
+    const { password } = parsedBody.data;
+
+    const { session, user } = await verifySession(req);
+    if (!session) {
+        return next(unauthorized());
+    }
+
+    const existingUser = await db
+        .select()
+        .from(users)
+        .where(eq(users.id, user.id));
+
+    if (!existingUser || !existingUser[0]) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "User does not exist"),
+        );
+    }
+
+    const validPassword = await verify(existingUser[0].passwordHash, password, {
+        memoryCost: 19456,
+        timeCost: 2,
+        outputLen: 32,
+        parallelism: 1,
+    });
+    if (!validPassword) {
+        await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
+        return next(unauthorized());
+    }
+
+    if (user.twoFactorEnabled) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "User has already enabled two-factor authentication",
+            ),
+        );
+    }
+
+    const hex = crypto.getRandomValues(new Uint8Array(20));
+    const secret = encodeHex(hex);
+    const uri = createTOTPKeyURI("pangolin", user.email, hex);
+
+    await db
+        .update(users)
+        .set({
+            twoFactorSecret: secret,
+        })
+        .where(eq(users.id, user.id));
+
+    return response<RequestTotpSecretResponse>(res, {
+        data: {
+            secret: uri,
+        },
+        success: true,
+        error: false,
+        message: "TOTP secret generated successfully",
+        status: HttpCode.OK,
+    });
+}

server/routers/auth/verifyTotp.ts

@@ -41,20 +41,31 @@ export async function verifyTotp(
 
     const { session, user } = await verifySession(req);
     if (!session) {
-        return unauthorized();
+        return next(unauthorized());
+    }
+
+    if (user.twoFactorEnabled) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "Two-factor authentication is already enabled",
+            ),
+        );
     }
 
     if (!user.twoFactorSecret) {
-        return createHttpError(
-            HttpCode.BAD_REQUEST,
-            "User has not requested two-factor authentication",
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "User has not requested two-factor authentication",
+            ),
         );
     }
 
     const totpController = new TOTPController();
     const valid = await totpController.verify(
-        user.twoFactorSecret,
-        decodeHex(code),
+        code,
+        decodeHex(user.twoFactorSecret),
     );
 
     if (valid) {

server/routers/external.ts

@@ -47,4 +47,5 @@ unauthenticated.use("/auth", authRouter);
 authRouter.put("/signup", auth.signup);
 authRouter.post("/login", auth.login);
 authRouter.post("/logout", auth.logout);
-authRouter.post("/verify-totp", auth.logout);
+authRouter.post("/verify-totp", auth.verifyTotp);
+authRouter.post("/request-totp-secret", auth.requestTotpSecret);