bewcloud/pages/api/auth/multi-factor/enable.ts
Bruno Bernardino c26cae625e
Remove fresh
This implements a huge change, where Fresh is removed as a framework and serving files, allowing more control over importing, bundling, and serving files and components.

The biggest challenge was to continue making sure that there weren't too many places to look into for import versions, and `PasswordlessPasskeyLogin.tsx` became a prototype in migrating a component to fully SSR, no need for frontend parsing (via Babel) or bundling (via a custom-script, downloading frontend dependencies from esm.sh). Still, there are too many components to migrate like that, and it's all working, so I likely won't even attempt it unless there's some bug, new feature, or security vulnerability to address that warrants a rewrite of those.

This also updates all dependencies (except `@libs/xml` because that still causes some breaking in DAV endpoints), including Deno!

All other advantages can be seen in the related issues, and the breaking change this (v4.0.0) introduces is related simply to `config.email.tlsMode` (which had a deprecation warning throughout v3), and because, while I tested many things exhaustively, it's not impossible something broke that I didn't see.

Closes #141
Closes #132
2026-02-20 10:54:31 +00:00

146 lines
4.2 KiB
TypeScript

import page, { RequestHandlerParams } from '/lib/page.ts';
import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
import { TOTPModel } from '/lib/models/multi-factor-auth/totp.ts';
import { EmailModel } from '/lib/models/multi-factor-auth/email.ts';
import { getMultiFactorAuthMethodByIdFromUser } from '/public/ts/utils/multi-factor-auth.ts';
import { UserModel } from '/lib/models/user.ts';
import { AppConfig } from '/lib/config.ts';
export interface RequestBody {
methodId: string;
code: string | 'passkey-verified';
}
export interface ResponseBody {
success: boolean;
error?: string;
}
async function post({ request, user }: RequestHandlerParams) {
const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
if (!isMultiFactorAuthEnabled) {
const responseBody: ResponseBody = {
success: false,
error: 'Multi-factor authentication is not enabled on this server',
};
return new Response(JSON.stringify(responseBody), { status: 403 });
}
const body = await request.clone().json() as RequestBody;
const { methodId, code } = body;
if (!methodId || !code) {
const responseBody: ResponseBody = {
success: false,
error: 'Method ID and verification code are required',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
const method = getMultiFactorAuthMethodByIdFromUser(user!, methodId);
if (!method) {
const responseBody: ResponseBody = {
success: false,
error: 'Multi-factor authentication method not found',
};
return new Response(JSON.stringify(responseBody), { status: 404 });
}
if (method.enabled) {
const responseBody: ResponseBody = {
success: false,
error: 'Multi-factor authentication method is already enabled',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
if (method.type === 'totp') {
const hashedSecret = method.metadata.totp?.hashed_secret;
if (!hashedSecret) {
const responseBody: ResponseBody = {
success: false,
error: 'TOTP secret not found',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
try {
const secret = await TOTPModel.decryptTOTPSecret(hashedSecret);
const isValid = TOTPModel.verifyTOTP(secret, code);
if (!isValid) {
const responseBody: ResponseBody = {
success: false,
error: 'Invalid verification code',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
} catch {
const responseBody: ResponseBody = {
success: false,
error: 'Failed to decrypt TOTP secret',
};
return new Response(JSON.stringify(responseBody), { status: 500 });
}
} else if (method.type === 'passkey') {
if (code !== 'passkey-verified') {
const responseBody: ResponseBody = {
success: false,
error: 'Passkey not properly verified',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
if (!method.metadata.passkey?.credential_id || !method.metadata.passkey?.public_key) {
const responseBody: ResponseBody = {
success: false,
error: 'Passkey credentials not found',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
} else if (method.type === 'email') {
try {
const isValid = await EmailModel.verifyCode(method.id, code, user!);
if (!isValid) {
const responseBody: ResponseBody = {
success: false,
error: 'Invalid verification code',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
} catch {
const responseBody: ResponseBody = {
success: false,
error: 'Failed to verify email verification code',
};
return new Response(JSON.stringify(responseBody), { status: 500 });
}
}
MultiFactorAuthModel.enableMethodForUser(user!, methodId);
await UserModel.update(user!);
const responseBody: ResponseBody = {
success: true,
};
return new Response(JSON.stringify(responseBody));
}
export default page({
post,
accessMode: 'user',
});