This commit is contained in:
2021-03-12 00:48:37 +00:00
parent ca98e859b1
commit df2491f95f
6 changed files with 24 additions and 16 deletions


@@ -450,20 +450,20 @@ namespace AyaNova.Api.Controllers
if (u == null)//should never happen but ?
return StatusCode(403, new ApiNotAuthorizedResponse());
//if user already has a secret set then this is not valid, must be re-requested first
//this is to stop someone from messing up someone's login accidentally or maliciously by simply hitting the route logged in as them
if(!string.IsNullOrWhiteSpace(u.TotpSecret) || u.TwoFactorEnabled)
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "2fa already enabled"));
var tfa = new TwoFactorAuth("AyaNova");
u.TotpSecret = tfa.CreateSecret(160);
await ct.SaveChangesAsync();
//https://github.com/google/google-authenticator/wiki/Key-Uri-Format
QRCoder.PayloadGenerator.OneTimePassword generator = new QRCoder.PayloadGenerator.OneTimePassword()
{
Secret = u.TotpSecret,
Issuer = "AyaNova",
Label = $"AyaNova.acct.{u.Name}",
Type = QRCoder.PayloadGenerator.OneTimePassword.OneTimePasswordAuthType.TOTP
};
string payload = generator.ToString();
//otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
//this format tested and works with Google, Microsoft Authy, Duo authenticators
string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";
QRCodeGenerator qrGenerator = new QRCodeGenerator();
QRCodeData qrCodeData = qrGenerator.CreateQrCode(payload, QRCodeGenerator.ECCLevel.Q);
@@ -509,11 +509,11 @@ namespace AyaNova.Api.Controllers
//ok, something to validate, let's validate it
var tfa = new TwoFactorAuth("AyaNova");
tfa.VerifyCode(u.TotpSecret, pin.Pin);
var ret = tfa.VerifyCode(u.TotpSecret, pin.Pin, 8);
return Ok(ApiOkResponse.Response(new
{
ok = tfa.VerifyCode(u.TotpSecret, pin.Pin)
ok = ret
}));
}