github/directus
1
1
Fork 0
mirror of https://github.com/directus/directus.git synced 2026-04-25 03:00:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

Return secret on enabling 2fa

Browse Source
This commit is contained in:
rijkvanzanten
2020-08-25 13:59:43 -04:00
parent c653e3d8e5
commit 2958ae1584
2 changed files with 30 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/controllers/users.ts
View File

@@ -159,9 +159,9 @@ router.post('/me/tfa/enable/', asyncHandler(async (req, res) => {
}
const service = new UsersService({ accountability: req.accountability });
const url = await service.enableTFA(req.accountability.user);
const { url, secret } = await service.enableTFA(req.accountability.user);
return res.json({ data: { otpauth_url: url }});
return res.json({ data: { secret, otpauth_url: url }});
}));
router.post('/me/tfa/disable', asyncHandler(async (req, res) => {

30
api/src/services/users.ts
View File

@@ -5,7 +5,7 @@ import { sendInviteMail } from '../mail';
import database from '../database';
import argon2 from 'argon2';
import { InvalidPayloadException } from '../exceptions';
import { Accountability, Query, Item, AbstractServiceOptions } from '../types';
import { Accountability, PrimaryKey, Item, AbstractServiceOptions } from '../types';
import Knex from 'knex';
import env from '../env';
@@ -22,6 +22,29 @@ export default class UsersService extends ItemsService {
this.service = new ItemsService('directus_users', options);
}
update(data: Partial<Item>, keys: PrimaryKey[]): Promise<PrimaryKey[]>;
update(data: Partial<Item>, key: PrimaryKey): Promise<PrimaryKey>;
update(data: Partial<Item>[]): Promise<PrimaryKey[]>;
async update(
data: Partial<Item> | Partial<Item>[],
key?: PrimaryKey | PrimaryKey[]
): Promise<PrimaryKey | PrimaryKey[]> {
/**
* @NOTE
* This is just an extra bit of hardcoded security. We don't want anybody to be able to disable 2fa through
* the regular /users endpoint. Period. You should only be able to manage the 2fa status through the /tfa endpoint.
*/
const payloads = Array.isArray(data) ? data : [data];
for (const payload of payloads) {
if (payload.hasOwnProperty('tfa_secret')) {
throw new InvalidPayloadException(`You can't change the tfa_secret manually.`);
}
}
return this.service.update(data, key as any);
}
async inviteUser(email: string, role: string) {
await this.service.create({ email, role, status: 'invited' });
@@ -64,7 +87,10 @@ export default class UsersService extends ItemsService {
await this.knex('directus_users').update({ tfa_secret: secret }).where({ id: pk });
return await authService.generateOTPAuthURL(pk, secret);
return {
secret,
url: await authService.generateOTPAuthURL(pk, secret),
};
}
async disableTFA(pk: string) {