This commit is contained in:
2021-03-12 01:12:03 +00:00
parent df2491f95f
commit ce4a33ce3c
5 changed files with 50 additions and 8 deletions


@@ -452,9 +452,9 @@ namespace AyaNova.Api.Controllers
//if user already has a secret set then this is not valid, must be re-requested first
//this is to stop someone from messing up someone's login accidentally or maliciously by simply hitting the route logged in as them
if(!string.IsNullOrWhiteSpace(u.TotpSecret) || u.TwoFactorEnabled)
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "2fa already enabled"));
if (!string.IsNullOrWhiteSpace(u.TotpSecret) || u.TwoFactorEnabled)
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "2fa already enabled"));
var tfa = new TwoFactorAuth("AyaNova");
u.TotpSecret = tfa.CreateSecret(160);
@@ -509,7 +509,13 @@ namespace AyaNova.Api.Controllers
//ok, something to validate, let's validate it
var tfa = new TwoFactorAuth("AyaNova");
var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin, 8);
var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin.Replace(" ", "").Trim());
if (ret == true)
{
//enable 2fa on user account
u.TwoFactorEnabled = true;
await ct.SaveChangesAsync();
}
return Ok(ApiOkResponse.Response(new
{
@@ -517,6 +523,34 @@ namespace AyaNova.Api.Controllers
}));
}
/// <summary>
/// Disable (turn off) 2fa for current user account
///
/// </summary>
/// <param name="apiVersion">From route path</param>
/// <returns>OK on success</returns>
[HttpPost("totp-disable")]
public async Task<IActionResult> DisableTOTP(ApiVersion apiVersion)
{
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
//get user
var UserId = UserIdFromContext.Id(HttpContext.Items);
var u = await ct.User.FirstOrDefaultAsync(z => z.Id == UserId);
if (u == null)//should never happen but ?
return StatusCode(403, new ApiNotAuthorizedResponse());
u.TotpSecret = null;
u.TwoFactorEnabled = false;
await ct.SaveChangesAsync();
return NoContent();
}
//------------------------------------------------------
public class CredentialsParam
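Review bot: DisableTOTP (L40–L56) clears `u.TotpSecret` and sets `TwoFactorEnabled = false` for whichever account the request context resolves to, with no re-verification of the current TOTP code or password, so a hijacked session alone is enough to remove the second factor, whereas the enable path in the second hunk only flips the flag after `tfa.VerifyCode` succeeds. Consider taking the same pin parameter as the verify route and rejecting the request unless `tfa.VerifyCode(u.TotpSecret, pin.Pin.Replace(" ", "").Trim())` returns true (or at minimum a password re-check), and log the change since disabling 2FA is a security-relevant account event. Separately, `pin.Pin.Replace(" ", "").Trim()` on L22 will throw if `Pin` arrives null unless model validation already rejects it, so a `string.IsNullOrWhiteSpace(pin?.Pin)` guard returning BadRequest would be cheaper than a 500. The `<summary>` on L35 should also state what confirmation the route requires so callers know the contract. The closing context of the third hunk may continue past the last visible line.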