From df2491f95f4f2eeac963c80ae362120085abddb7 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Fri, 12 Mar 2021 00:48:37 +0000
Subject: [PATCH]
---
 .vscode/launch.json | 2 +-
 server/AyaNova/Controllers/AuthController.cs | 22 ++++++++++----------
 server/AyaNova/resource/de.json | 4 +++-
 server/AyaNova/resource/en.json | 4 +++-
 server/AyaNova/resource/es.json | 4 +++-
 server/AyaNova/resource/fr.json | 4 +++-
 6 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 0e2049e9..8fd97968 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -53,7 +53,7 @@
 "AYANOVA_FOLDER_USER_FILES": "c:\\temp\\RavenTestData\\userfiles",
 "AYANOVA_FOLDER_BACKUP_FILES": "c:\\temp\\RavenTestData\\backupfiles",
 "AYANOVA_FOLDER_TEMPORARY_SERVER_FILES": "c:\\temp\\RavenTestData\\tempfiles",
- "AYANOVA_SERVER_TEST_MODE": "false",
+ "AYANOVA_SERVER_TEST_MODE": "true",
 "AYANOVA_SERVER_TEST_MODE_SEEDLEVEL": "small",
 "AYANOVA_SERVER_TEST_MODE_TZ_OFFSET": "-7",
 "AYANOVA_BACKUP_PG_DUMP_PATH": "C:\\data\\code\\postgres_13\\bin\\"
diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index a0062011..1efce9ac 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
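Review bot: Flipping `AYANOVA_SERVER_TEST_MODE` from `"false"` to `"true"` in the shared `.vscode/launch.json` has nothing to do with the 2FA work in the rest of the patch and reads like a local debugging setting that was committed by accident. Anyone who pulls this launch configuration will now start the server in test mode with the `small` seed level, so either revert the line to `"AYANOVA_SERVER_TEST_MODE": "false",` or state in the commit message why test mode is meant to be the shared debugging default.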
@@ -450,20 +450,20 @@ namespace AyaNova.Api.Controllers
 if (u == null)//should never happen but ?
 return StatusCode(403, new ApiNotAuthorizedResponse());
+ //if user already has a secret set then this is not valid, must be re-requested first
+ //this is to stop someone from messing up someone's login accidentally or maliciously by simply hitting the route logged in as them
+ if(!string.IsNullOrWhiteSpace(u.TotpSecret) || u.TwoFactorEnabled)
+ return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "2fa already enabled"));
+
+
 var tfa = new TwoFactorAuth("AyaNova");
 u.TotpSecret = tfa.CreateSecret(160);
 await ct.SaveChangesAsync();
 //https://github.com/google/google-authenticator/wiki/Key-Uri-Format
-
- QRCoder.PayloadGenerator.OneTimePassword generator = new QRCoder.PayloadGenerator.OneTimePassword()
- {
- Secret = u.TotpSecret,
- Issuer = "AyaNova",
- Label = $"AyaNova.acct.{u.Name}",
- Type = QRCoder.PayloadGenerator.OneTimePassword.OneTimePasswordAuthType.TOTP
- };
- string payload = generator.ToString();
+ //otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
+ //this format tested and works with Google, Microsoft Authy, Duo authenticators
+ string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";
 QRCodeGenerator qrGenerator = new QRCodeGenerator();
 QRCodeData qrCodeData = qrGenerator.CreateQrCode(payload, QRCodeGenerator.ECCLevel.Q);
@@ -509,11 +509,11 @@ namespace AyaNova.Api.Controllers
 //ok, something to validate, let's validate it
 var tfa = new TwoFactorAuth("AyaNova");
- tfa.VerifyCode(u.TotpSecret, pin.Pin);
+ var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin, 8);
 return Ok(ApiOkResponse.Response(new
 {
- ok = tfa.VerifyCode(u.TotpSecret, pin.Pin)
+ ok = ret
 }));
 }
diff --git a/server/AyaNova/resource/de.json b/server/AyaNova/resource/de.json
index 5dfbb317..15877d13 100644
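Review bot: The new `string payload = $"otpauth://totp/AyaNova:{u.Name}?secret=...` line interpolates `u.Name` into the URI without encoding it, so an account name containing a space, `/`, `?`, `&`, `#` or a non-ASCII character yields a label that authenticator apps truncate, or a query string with stray parameters; the removed `QRCoder.PayloadGenerator.OneTimePassword` path presumably took care of that. Escape the label component: `string payload = $"otpauth://totp/AyaNova:{Uri.EscapeDataString(u.Name)}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";` — the sample URI quoted in the comment above it already shows the issuer percent-encoded (`ACME%20Co`), which is the treatment the account part needs too. The guard added at the top of the hunk is worth keeping exactly as written: the secret is persisted by `SaveChangesAsync` before the user has proved possession of it, so refusing to overwrite an existing secret from this route is what stops a logged-in session from silently rotating someone's enrolment. The enclosing action method starts and ends outside the hunk.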
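Review bot: `var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin, 8);` loosens verification considerably if the third argument is the library's discrepancy (the number of 30-second periods tolerated on either side of now): 8 accepts any of 17 distinct codes spanning about four minutes each way, which raises a guesser's per-attempt odds against a 6-digit code by the same factor and hides device clock drift that the user should fix instead. A discrepancy of 1 or 2 is the conventional choice, e.g. `var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin, 1);`; if 8 was chosen to cope with a test-environment clock, keep that out of the production path. Nothing in the hunk remembers which time slice a successful code came from, so the same code can be replayed within the window; if the `TwoFactorAuth` library version in use exposes the `VerifyCode` overload with an `out long timeSlice` parameter, store the accepted slice on the user and reject any code from a slice not greater than it. Whether this route is throttled is not visible here, and the enclosing method starts outside the hunk.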
--- a/server/AyaNova/resource/de.json
+++ b/server/AyaNova/resource/de.json
@@ -2169,5 +2169,7 @@
 "AuthConnectAppTitle": "Verbinden Sie Ihre App",
 "AuthConnectAppSubTitle": "Scannen Sie den QR-Code mit einer Authentifizierungs-App wie Google Authenticator, Duo, Microsoft Authenticator oder Authy. Es wird ein 6-stelliger Passcode angezeigt, den Sie unten eingeben müssen.",
 "AuthConnectAppManualEntry":"Haben Sie Probleme beim Scannen des Codes? Geben Sie Folgendes manuell in Ihre Authentifizierungs-App ein:",
- "AuthEnterPin":"Geben Sie den 6-stelligen Passcode ein"
+ "AuthEnterPin":"Geben Sie den 6-stelligen Passcode ein",
+ "AuthPinInvalid":"Passcode ungültig",
+ "AuthConnectCompleted":"Die Zwei-Faktor-Authentifizierung ist jetzt aktiviert"
 }
\ No newline at end of file
diff --git a/server/AyaNova/resource/en.json b/server/AyaNova/resource/en.json
index 94932186..63de2ecb 100644
--- a/server/AyaNova/resource/en.json
+++ b/server/AyaNova/resource/en.json
@@ -2169,5 +2169,7 @@
 "AuthConnectAppTitle": "Connect your app",
 "AuthConnectAppSubTitle": "Using an authenticator app such as Google Authenticator, Duo, Microsoft Authenticator, Authy etc, scan the QR code. It will display a 6 digit pass code which you need to enter below.",
 "AuthConnectAppManualEntry":"Having trouble scanning the code? Enter the following manually into your authenticator app:",
- "AuthEnterPin":"Enter 6 digit pass code"
+ "AuthEnterPin":"Enter 6 digit pass code",
+ "AuthPinInvalid":"Pass code not valid",
+ "AuthConnectCompleted":"Two factor authentication is now enabled"
 }
\ No newline at end of file
diff --git a/server/AyaNova/resource/es.json b/server/AyaNova/resource/es.json
index ff2aeba1..88822132 100644
--- a/server/AyaNova/resource/es.json
+++ b/server/AyaNova/resource/es.json
@@ -2169,5 +2169,7 @@
 "AuthConnectAppTitle": "Conecta tu aplicación",
 "AuthConnectAppSubTitle": "Con una aplicación de autenticación como Google Authenticator, Duo, Microsoft Authenticator o Authy, escanee el código QR. Aparecerá un código de acceso de 6 dígitos que debe ingresar a continuación.",
 "AuthConnectAppManualEntry":"¿Tiene problemas para escanear el código? Ingrese lo siguiente manualmente en su aplicación de autenticación:",
- "AuthEnterPin":"Ingrese un código de acceso de 6 dígitos"
+ "AuthEnterPin":"Ingrese un código de acceso de 6 dígitos",
+ "AuthPinInvalid":"Código de acceso no válido",
+ "AuthConnectCompleted":"La autenticación de dos factores ahora está habilitada"
 }
\ No newline at end of file
diff --git a/server/AyaNova/resource/fr.json b/server/AyaNova/resource/fr.json
index 96932d5e..5b0ee950 100644
--- a/server/AyaNova/resource/fr.json
+++ b/server/AyaNova/resource/fr.json
@@ -2169,5 +2169,7 @@
 "AuthConnectAppTitle": "Connectez votre application",
 "AuthConnectAppSubTitle": "À l'aide d'une application d'authentification telle que Google Authenticator, Duo, Microsoft Authenticator ou Authy, scannez le code QR. Il affichera un code d'accès à 6 chiffres que vous devez saisir ci-dessous.",
 "AuthConnectAppManualEntry":"Vous rencontrez des difficultés pour scanner le code? Saisissez les informations suivantes manuellement dans votre application d'authentification:",
- "AuthEnterPin":"Entrez le code d'accès à 6 chiffres"
+ "AuthEnterPin":"Entrez le code d'accès à 6 chiffres",
+ "AuthPinInvalid":"Code d'accès non valide",
+ "AuthConnectCompleted":"L'authentification à deux facteurs est maintenant activée"
 }
\ No newline at end of file