added change password endpoint

2026-02-24 05:46:39 +00:00 · 2024-10-05 15:11:51 -04:00
parent 86fb43d570
commit e7080c4aa8
9 changed files with 207 additions and 71 deletions
--- a/server/routers/auth/disable2fa.ts
+++ b/server/routers/auth/disable2fa.ts
@@ -4,13 +4,12 @@ import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
 import { unauthorized } from "@server/auth";
 import { z } from "zod";
-import { verify } from "@node-rs/argon2";
 import { db } from "@server/db";
 import { User, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
 import { response } from "@server/utils";
-import { decodeHex } from "oslo/encoding";
-import { TOTPController } from "oslo/otp";
+import { verifyPassword } from "./password";
+import { verifyTotpCode } from "./verifyTotpCode";

 export const disable2faBody = z.object({
    password: z.string(),
@@ -43,14 +42,8 @@ export async function disable2fa(
    const user = req.user as User;

    try {
-        const validPassword = await verify(user.passwordHash, password, {
-            memoryCost: 19456,
-            timeCost: 2,
-            outputLen: 32,
-            parallelism: 1,
-        });
+        const validPassword = await verifyPassword(password, user.passwordHash);
        if (!validPassword) {
-            await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
            return next(unauthorized());
        }

@@ -73,22 +66,9 @@ export async function disable2fa(
            }
        }

-        if (!user.twoFactorSecret) {
-            return next(
-                createHttpError(
-                    HttpCode.INTERNAL_SERVER_ERROR,
-                    "Failed to authenticate user",
-                ),
-            );
-        }
-
-        const validOTP = await new TOTPController().verify(
-            code,
-            decodeHex(user.twoFactorSecret),
-        );
+        const validOTP = await verifyTotpCode(code, user.twoFactorSecret!);

        if (!validOTP) {
-            await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,