From 379cad6bcd1d0b267c457d0ca64ea17612535e9e Mon Sep 17 00:00:00 2001
From: syeopite
Date: Thu, 15 Jul 2021 02:53:35 -0700
Subject: [PATCH] Change 2fa on login to be after pass verification
---
 src/invidious/routes/account.cr | 8 +++++---
 src/invidious/routes/login.cr | 12 ++++++------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index b5cbd188..0f751694 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -373,6 +373,8 @@ module Invidious::Routes::Account
 # -------------------
 # 2fa through OTP handling
 # -------------------
+
+ # Setup 2fa page
 def setup_2fa_page(env)
 locale = env.get("preferences").as(Preferences).locale
@@ -391,7 +393,7 @@ module Invidious::Routes::Account
 return templated "user/setup_2fa"
 end
- # Setup TOTP (post) request.
+ # Setup 2fa post request.
 def setup_2fa(env)
 locale = env.get("preferences").as(Preferences).locale
@@ -463,7 +465,7 @@ module Invidious::Routes::Account
 # https://stackoverflow.com/a/574698
 if email && password
- # The rest of the login code.
+ # Verify the password again for extra security
 if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
@@ -506,7 +508,7 @@ module Invidious::Routes::Account
 env.redirect referer
 end
- # Endpoint to remove 2fa
+ # Remove 2fa page
 def remove_2fa_page(env)
 locale = env.get("preferences").as(Preferences).locale
 referer = get_referer(env)
diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr
index 44aea163..ed2185b8 100644
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
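Review bot: The new comment `# Verify the password again for extra security` in the `@@ -463,7 +465,7 @@` hunk of account.cr says what the bcrypt line does but not why it is needed, and the why is the security-relevant part: this branch only runs when `email && password` arrive with the request, so the credentials are evidently re-submitted with the 2fa form and must be re-checked here, otherwise a request sent straight to this endpoint would skip the password check that the login.cr hunk now performs before rendering `user/validate_2fa`. Suggested wording: `# The 2fa form re-submits the credentials; re-verify the password here so this endpoint cannot bypass the check done at login`. The TOTP code verification itself is not visible in this hunk and the enclosing method starts outside it; if the code is validated before this `if`, the comment should say so, otherwise that ordering should be confirmed. Separately, this hunk creates the session with a raw `PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)` while the login.cr hunk uses `Invidious::Database::SessionIDs.insert(sid, email)` for what appears to be the same row; both login paths should go through the helper so session-creation logic lives in one place.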
@@ -56,13 +56,13 @@ module Invidious::Routes::Login
 user = Invidious::Database::Users.select(email: email)
 if user
- # If user has setup TOTP
- if user.totp_secret
- csrf_token = nil # setting this to false for compatibility reasons.
- return templated "user/validate_2fa"
- end
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
+ # If the password is correct then we'll go ahead and begin 2fa if applicable
+ if user.totp_secret
+ csrf_token = nil # setting this to false for compatibility reasons.
+ return templated "user/validate_2fa"
+ end
- if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 Invidious::Database::SessionIDs.insert(sid, email)