Change 2fa on login to be after pass verification

This commit is contained in:
syeopite
2021-07-15 02:53:35 -07:00
parent 2bf8bfd5de
commit 379cad6bcd
2 changed files with 11 additions and 9 deletions


@@ -373,6 +373,8 @@ module Invidious::Routes::Account
# ------------------- # -------------------
# 2fa through OTP handling # 2fa through OTP handling
# ------------------- # -------------------
# Setup 2fa page
def setup_2fa_page(env) def setup_2fa_page(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
@@ -391,7 +393,7 @@ module Invidious::Routes::Account
return templated "user/setup_2fa" return templated "user/setup_2fa"
end end
# Setup TOTP (post) request. # Setup 2fa post request.
def setup_2fa(env) def setup_2fa(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
@@ -463,7 +465,7 @@ module Invidious::Routes::Account
# https://stackoverflow.com/a/574698 # https://stackoverflow.com/a/574698
if email && password if email && password
# The rest of the login code. # Verify the password again for extra security
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc) PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
@@ -506,7 +508,7 @@ module Invidious::Routes::Account
env.redirect referer env.redirect referer
end end
# Endpoint to remove 2fa # Remove 2fa page
def remove_2fa_page(env) def remove_2fa_page(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env) referer = get_referer(env)
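Review bot: The new comment `# Verify the password again for extra security` in the third hunk states what the bcrypt line does but not why a second verification belongs here; since this handler reads `email` and `password` from its own request and only issues `sid` after the check succeeds, a comment giving the reason reads better, e.g. `# The 2fa step is a separate request: authenticate the credentials it carries before issuing a session`. The `byte_slice(0, 55)` truncation on that line is explained only by the bare link above it; a one-phrase summary of what the linked answer establishes would save the next reader a lookup. The enclosing handler starts and ends outside this hunk.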


@@ -56,13 +56,13 @@ module Invidious::Routes::Login
user = Invidious::Database::Users.select(email: email) user = Invidious::Database::Users.select(email: email)
if user if user
# If user has setup TOTP if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
if user.totp_secret # If the password is correct then we'll go ahead and begin 2fa if applicable
csrf_token = nil # setting this to false for compatibility reasons. if user.totp_secret
return templated "user/validate_2fa" csrf_token = nil # setting this to false for compatibility reasons.
end return templated "user/validate_2fa"
end
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email) Invidious::Database::SessionIDs.insert(sid, email)
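Review bot: On the new side the condition `if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \` ends in a line continuation only so that a comment can sit between the condition and `if user.totp_secret`; placing `# If the password is correct then we'll go ahead and begin 2fa if applicable` above the `if` and dropping the trailing `\` reads more plainly. The retained line `csrf_token = nil # setting this to false for compatibility reasons.` describes a value of false while the code assigns nil; `# nil for compatibility reasons.` matches the code. Because the 2fa step in the account routes re-verifies email and password, the credentials appear to be carried through the `user/validate_2fa` form (presumably as form fields — to confirm), and a short-lived server-side pending-login token bound to the user would avoid re-submitting the password on the second request. Bcrypt also runs only when `user` is found, so response time differs for unknown emails; a dummy verification in the `else` path of `if user` would equalize it. The enclosing login handler and that `else` branch lie outside the visible hunk.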