enigma-bbs/core/user_2fa_otp.js

188 lines
5.4 KiB
JavaScript

/* jslint node: true */
'use strict';
// ENiGMA½
const UserProps = require('./user_property.js');
const {
Errors,
ErrorReasons,
} = require('./enig_error.js');
const User = require('./user.js');
const {
recordLogin,
transformLoginError,
} = require('./user_login.js');
const Config = require('./config.js').get;
// deps
const _ = require('lodash');
const crypto = require('crypto');
const qrGen = require('qrcode-generator');
exports.prepareOTP = prepareOTP;
exports.createBackupCodes = createBackupCodes;
exports.createQRCode = createQRCode;
exports.otpFromType = otpFromType;
exports.loginFactor2_OTP = loginFactor2_OTP;
const OTPTypes = exports.OTPTypes = {
RFC6238_TOTP : 'rfc6238_TOTP', // Time-Based, SHA-512
RFC4266_HOTP : 'rfc4266_HOTP', // HMAC-Based, SHA-512
GoogleAuthenticator : 'googleAuth', // Google Authenticator is basically TOTP + quirks
};
function otpFromType(otpType) {
try {
return {
[ OTPTypes.RFC6238_TOTP ] : () => {
const totp = require('otplib/totp');
totp.options = { crypto, algorithm : 'sha256' };
return totp;
},
[ OTPTypes.RFC4266_HOTP ] : () => {
const hotp = require('otplib/hotp');
hotp.options = { crypto, algorithm : 'sha256' };
return hotp;
},
[ OTPTypes.GoogleAuthenticator ] : () => {
const googleAuth = require('otplib/authenticator');
googleAuth.options = { crypto };
return googleAuth;
},
}[otpType]();
} catch(e) {
// nothing
}
}
function generateOTPBackupCode() {
const consonants = 'bdfghjklmnprstvz'.split('');
const vowels = 'aiou'.split('');
const bits = [];
const rng = crypto.randomBytes(4);
for(let i = 0; i < rng.length / 2; ++i) {
const n = rng.readUInt16BE(i * 2);
const c1 = n & 0x0f;
const v1 = (n >> 4) & 0x03;
const c2 = (n >> 6) & 0x0f;
const v2 = (n >> 10) & 0x03;
const c3 = (n >> 12) & 0x0f;
bits.push([
consonants[c1],
vowels[v1],
consonants[c2],
vowels[v2],
consonants[c3],
].join(''));
}
return bits.join('-');
}
function createBackupCodes() {
const codes = [...Array(6)].map(() => generateOTPBackupCode());
return codes;
}
function validateAndConsumeBackupCode(user, token, cb) {
try
{
let validCodes = JSON.parse(user.getProperty(UserProps.AuthFactor2OTPBackupCodes));
const matchingCode = validCodes.find(c => c === token);
if(!matchingCode) {
return cb(Errors.BadLogin('Invalid OTP value supplied', ErrorReasons.Invalid2FA));
}
// We're consuming a match - remove it from available backup codes
validCodes = validCodes.filter(c => c !== matchingCode);
validCodes = JSON.stringify(validCodes);
user.persistProperty(UserProps.AuthFactor2OTPBackupCodes, validCodes, err => {
return cb(err);
});
} catch(e) {
return cb(e);
}
}
function createQRCode(otp, options, secret) {
try {
const uri = otp.keyuri(options.username || 'user', Config().general.boardName, secret);
const qrCode = qrGen(0, 'L');
qrCode.addData(uri);
qrCode.make();
options.qrType = options.qrType || 'ascii';
return {
ascii : qrCode.createASCII,
data : qrCode.createDataURL,
img : qrCode.createImgTag,
svg : qrCode.createSvgTag,
}[options.qrType](options.cellSize);
} catch(e) {
return '';
}
}
function prepareOTP(otpType, options, cb) {
if(!_.isFunction(cb)) {
cb = options;
options = {};
}
const otp = otpFromType(otpType);
if(!otp) {
return cb(Errors.Invalid(`Unknown OTP type: ${otpType}`));
}
const secret = OTPTypes.GoogleAuthenticator === otpType ?
otp.generateSecret() :
crypto.randomBytes(64).toString('base64').substr(0, 32);
const qr = createQRCode(otp, options, secret);
return cb(null, { secret, qr } );
}
function loginFactor2_OTP(client, token, cb) {
if(client.user.authFactor < User.AuthFactors.Factor1) {
return cb(Errors.AccessDenied('OTP requires prior authentication factor 1'));
}
const otpType = client.user.getProperty(UserProps.AuthFactor2OTP);
const otp = otpFromType(otpType);
if(!otp) {
return cb(Errors.Invalid(`Unknown OTP type: ${otpType}`));
}
const secret = client.user.getProperty(UserProps.AuthFactor2OTPSecret);
if(!secret) {
return cb(Errors.Invalid('Missing OTP secret'));
}
const valid = otp.verify( { token, secret } );
const allowLogin = () => {
client.user.authFactor = User.AuthFactors.Factor2;
client.user.authenticated = true;
return recordLogin(client, cb);
};
if(valid) {
return allowLogin();
}
// maybe they punched in a backup code?
validateAndConsumeBackupCode(client.user, token, err => {
if(err) {
return cb(transformLoginError(err, client, client.user.username));
}
return allowLogin();
});
}