This commit is contained in:
@@ -194,6 +194,18 @@ namespace AyaNova.Api.Controllers
|
||||
}
|
||||
|
||||
|
||||
//TWO FACTOR ENABLED??
|
||||
//if 2fa enabled then need to validate it before sending token, so we're halfway there and need to send a 2fa prompt
|
||||
if (u.TwoFactorEnabled)
|
||||
{
|
||||
|
||||
return Ok(ApiOkResponse.Response(new
|
||||
{
|
||||
tfa = true
|
||||
}));
|
||||
}
|
||||
|
||||
|
||||
//build the key (JWT set in startup.cs)
|
||||
byte[] secretKey = System.Text.Encoding.ASCII.GetBytes(ServerBootConfig.AYANOVA_JWT_SECRET);
|
||||
|
||||
@@ -450,12 +462,10 @@ namespace AyaNova.Api.Controllers
|
||||
if (u == null)//should never happen but ?
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
|
||||
//if user already has a secret set then this is not valid, must be re-requested first
|
||||
//this is to stop someone from messing up someone's login accidentally or maliciously by simply hitting the route logged in as them
|
||||
if (!string.IsNullOrWhiteSpace(u.TotpSecret) || u.TwoFactorEnabled)
|
||||
if (u.TwoFactorEnabled)
|
||||
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "2fa already enabled"));
|
||||
|
||||
|
||||
var tfa = new TwoFactorAuth("AyaNova");
|
||||
u.TotpSecret = tfa.CreateSecret(160);
|
||||
await ct.SaveChangesAsync();
|
||||
|
||||
Reference in New Issue
Block a user