From 9f448dedc3510ce2cab5a8f8758f45f078be4f84 Mon Sep 17 00:00:00 2001 From: denihs Date: Mon, 14 Feb 2022 15:18:13 -0400 Subject: [PATCH 1/8] - validate if user is logged when calling has2faEnabled - now, first validate if user has successfully logged in, then check if 2fa code is valid --- packages/accounts-2fa/2fa-server.js | 3 ++ packages/accounts-password/password_server.js | 40 ++++++++------- .../passwordless_server.js | 50 ++++++++++++------- 3 files changed, 58 insertions(+), 35 deletions(-) diff --git a/packages/accounts-2fa/2fa-server.js b/packages/accounts-2fa/2fa-server.js index fe84475fa5..ff40304dd6 100644 --- a/packages/accounts-2fa/2fa-server.js +++ b/packages/accounts-2fa/2fa-server.js @@ -124,6 +124,9 @@ Meteor.methods({ ); }, has2faEnabled(selector) { + if (!Meteor.user()) { + throw new Meteor.Error(400, 'No user logged in.'); + } return Accounts._is2faEnabledForUser(selector); }, }); diff --git a/packages/accounts-password/password_server.js b/packages/accounts-password/password_server.js index f0835991b8..01e750a040 100644 --- a/packages/accounts-password/password_server.js +++ b/packages/accounts-password/password_server.js @@ -182,30 +182,34 @@ Accounts.registerLoginHandler("password", options => { Accounts._handleError("User not found"); } - // This method is added by the package accounts-2fa - if ( - Accounts._is2faEnabledForUser && - Accounts._is2faEnabledForUser(options.user) - ) { - if (!options.code) { - Accounts._handleError('2FA code must be informed.'); - } - if ( - !Accounts._isTokenValid(user.services.twoFactorAuthentication.secret, options.code) - ) { - Accounts._handleError('Invalid 2FA code.'); - } - } if (!user.services || !user.services.password || !user.services.password.bcrypt) { Accounts._handleError("User has no password set"); } - return checkPassword( - user, - options.password - ); + const result = checkPassword(user, options.password); + // This method is added by the package accounts-2fa + // First the login is validated, then the code situation is checked + if ( + !result.error && + Accounts._is2faEnabledForUser && + Accounts._is2faEnabledForUser(options.user) + ) { + if (!options.code) { + Accounts._handleError('2FA code must be informed'); + } + if ( + !Accounts._isTokenValid( + user.services.twoFactorAuthentication.secret, + options.code + ) + ) { + Accounts._handleError('Invalid 2FA code'); + } + } + + return result; }); /// diff --git a/packages/accounts-passwordless/passwordless_server.js b/packages/accounts-passwordless/passwordless_server.js index 66b7b3ef90..afe3bb2df4 100644 --- a/packages/accounts-passwordless/passwordless_server.js +++ b/packages/accounts-passwordless/passwordless_server.js @@ -80,21 +80,6 @@ Accounts.registerLoginHandler('passwordless', options => { Accounts._handleError('User has no token set'); } - // This method is added by the package accounts-2fa - if ( - Accounts._is2faEnabledForUser && - Accounts._is2faEnabledForUser(user) - ) { - if (!options.code) { - Accounts._handleError('2FA code must be informed.'); - } - if ( - !Accounts._isTokenValid(user.services.twoFactorAuthentication.secret, options.code) - ) { - Accounts._handleError('Invalid 2FA code.'); - } - } - const result = checkToken({ user, selector, @@ -102,16 +87,47 @@ Accounts.registerLoginHandler('passwordless', options => { }); const { verifiedEmail, error } = result; - if (!error && verifiedEmail) { + + const is2faEnabled = + Accounts._is2faEnabledForUser && + Accounts._is2faEnabledForUser({ _id: user._id }); + + const removeTokenFromUser = () => { Meteor.users.update( { _id: user._id, 'emails.address': verifiedEmail }, { $set: { - 'emails.$.verified': true, + 'emails.$.verified': verifiedEmail, }, $unset: { 'services.passwordless': 1 }, } ); + }; + + // It's necessary to make sure we don't remove the token if the user has 2fa enabled + // otherwise, it would be necessary to generate a new one if this method is called without + // a 2fa code + if (!error && !is2faEnabled) { + removeTokenFromUser(); + } + + // This method is added by the package accounts-2fa + // First the login is validated, then the code situation is checked + if (!error && is2faEnabled) { + if (!options.code) { + Accounts._handleError('2FA code must be informed'); + return; + } + if ( + !Accounts._isTokenValid( + user.services.twoFactorAuthentication.secret, + options.code + ) + ) { + Accounts._handleError('Invalid 2FA code'); + return; + } + removeTokenFromUser(); } return result; From 4601a583bf38509415541882f4f141cf48646968 Mon Sep 17 00:00:00 2001 From: denihs Date: Mon, 14 Feb 2022 16:00:51 -0400 Subject: [PATCH 2/8] - updating docs --- docs/source/packages/accounts-2fa.md | 105 ++++++++++----------------- 1 file changed, 39 insertions(+), 66 deletions(-) diff --git a/docs/source/packages/accounts-2fa.md b/docs/source/packages/accounts-2fa.md index 94c4530216..7561b9a021 100644 --- a/docs/source/packages/accounts-2fa.md +++ b/docs/source/packages/accounts-2fa.md @@ -77,6 +77,12 @@ services: { } ``` +To verify whether or not a user has 2FA enabled, you can call the function `Accounts.has2faEnabled`: + +{% apibox "Accounts.has2faEnabled" "module":"accounts-base" %} + +This function must be called when the user is logged in. +

Disabling 2FA

To disable 2FA for a user use this method: @@ -89,39 +95,27 @@ To call this function the user must be already logged in. Now that you have a way to allow your users to enable 2FA on their accounts, you can create a login flow based on that. -To verify whether or not a user has 2FA enabled, you can call the function `Accounts.has2faEnabled`: - -{% apibox "Accounts.has2faEnabled" "module":"accounts-base" %} - As said at the beginning of this guide, this package is currently working with two other packages: `accounts-password` and `accounts-passwordless`. Below there is an explanation on how to use this package with them.

Working with accounts-password

-With the function `Accounts.has2faEnabled`, you can check whether or not the user has 2FA enabled, and based on this information, you can directly call `Meteor.loginWithPassword` if the 2FA is not enabled, or redirect the user to a place where they can provide a code, in case they do have 2FA enabled. +When calling the function `Meteor.loginWithPassword`, if the 2FA is enabled for the user, an error will be return to the callback, so you can redirect the user to a place where they can provide a code. -A way of using it would be: +As an example: ```js ``` -If the user has 2FA enabled, and you try to use the function `Meteor.loginWithPassword`, the login will fail, as the user should provide a code to access the app. +If the 2FA is not enabled, the user will be logged in normally. The function you will need to call now to allow the user to login is `Meteor.loginWithPasswordAnd2faCode`: @@ -141,7 +135,7 @@ So the call of this function should look something like this: ```js ; ``` +Now you can call the function `Meteor.passwordlessLoginWithTokenAnd2faCode` that will allow you to provide a selector, token, and 2FA code: + +{% apibox "Meteor.passwordlessLoginWithTokenAnd2faCode" %} +

How to integrate an Authentication Package with accounts-2fa

To integrate this package with any other existing Login method, it's necessary following two steps: @@ -217,12 +188,14 @@ To integrate this package with any other existing Login method, it's necessary f 2 - For the server, inside the function that will log the user in, you verify if the function `Accounts._is2faEnabledForUser` exists, and if yes, you call it providing the user you want to check if the 2FA is enabled, and if either of these statements are false, you proceed with the login flow. This function exists only when the package `accounts-2fa` is added to the project. -If both statements are true, now you verify if a code was provided, if not throw an error, if it was provided, verify if the code is valid by calling the function `Accounts._isTokenValid`, if not, throw an error. +If both statements are true, and the login validation was a success, now you verify if a code was provided, if not throw an error, if it was provided, verify if the code is valid by calling the function `Accounts._isTokenValid`, if not, throw an error. Here it's an example: ```js -if ( + const result = validateLogin(); + if ( + !result.error && Accounts._is2faEnabledForUser && Accounts._is2faEnabledForUser(user) ) { @@ -236,6 +209,6 @@ if ( } } - // continue the login flow + return result; ``` From e1a04902e8d9c7da09ddea699d9f40e5eecfa470 Mon Sep 17 00:00:00 2001 From: denihs Date: Mon, 14 Feb 2022 16:08:29 -0400 Subject: [PATCH 3/8] - fixing tests --- packages/accounts-base/accounts_client_tests.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/accounts-base/accounts_client_tests.js b/packages/accounts-base/accounts_client_tests.js index 5f72c5dd02..a94c18cea7 100644 --- a/packages/accounts-base/accounts_client_tests.js +++ b/packages/accounts-base/accounts_client_tests.js @@ -206,7 +206,7 @@ Tinytest.addAsync( forceEnableUser2fa(() => { Meteor.loginWithPasswordAnd2faCode(username, password, 'ABC', e => { test.isFalse(Meteor.user()); - test.equal(e.reason, 'Invalid 2FA code.'); + test.equal(e.reason, 'Invalid 2FA code'); removeTestUser(done); }); }); From a47a237a15b0984a9bd0031dbbcfda4ce992ead9 Mon Sep 17 00:00:00 2001 From: Denilson Date: Tue, 15 Feb 2022 09:08:29 -0400 Subject: [PATCH 4/8] Update docs/source/packages/accounts-2fa.md Co-authored-by: Renan Castro --- docs/source/packages/accounts-2fa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/packages/accounts-2fa.md b/docs/source/packages/accounts-2fa.md index 7561b9a021..b859c23f36 100644 --- a/docs/source/packages/accounts-2fa.md +++ b/docs/source/packages/accounts-2fa.md @@ -99,7 +99,7 @@ As said at the beginning of this guide, this package is currently working with t

Working with accounts-password

-When calling the function `Meteor.loginWithPassword`, if the 2FA is enabled for the user, an error will be return to the callback, so you can redirect the user to a place where they can provide a code. +When calling the function `Meteor.loginWithPassword`, if the 2FA is enabled for the user, an error will be returned to the callback, so you can redirect the user to a place where they can provide a code. As an example: From a22833427b2d42de18d86cc42344c0ecc3e3834e Mon Sep 17 00:00:00 2001 From: Denilson Date: Tue, 15 Feb 2022 09:08:39 -0400 Subject: [PATCH 5/8] Update docs/source/packages/accounts-2fa.md Co-authored-by: Renan Castro --- docs/source/packages/accounts-2fa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/packages/accounts-2fa.md b/docs/source/packages/accounts-2fa.md index b859c23f36..d213155470 100644 --- a/docs/source/packages/accounts-2fa.md +++ b/docs/source/packages/accounts-2fa.md @@ -149,7 +149,7 @@ So the call of this function should look something like this: Following the same logic from the previous package, if the 2FA is enabled, an error will be returned to the callback of the function [`Meteor.passwordlessLoginWithToken`](https://docs.meteor.com/packages/accounts-passwordless.html#Meteor-passwordlessLoginWithToken), then you can redirect the user to a place where they can provide a code. -Here it's an example: +Here is an example: ```js