diff --git a/config/migrate-scripts/migrate-db-63162986.sh b/config/migrate-scripts/migrate-db-63162986.sh
deleted file mode 100644
index 757d5994..00000000
--- a/config/migrate-scripts/migrate-db-63162986.sh
+++ /dev/null
@@ -1 +0,0 @@
-psql invidious kemal -c "ALTER TABLE users ADD COLUMN totp_secret VARCHAR(128)"
\ No newline at end of file
diff --git a/src/invidious/database/migrations/0011_add_totp_secret_to_users_table.cr b/src/invidious/database/migrations/0011_add_totp_secret_to_users_table.cr
new file mode 100644
index 00000000..2501123d
--- /dev/null
+++ b/src/invidious/database/migrations/0011_add_totp_secret_to_users_table.cr
@@ -0,0 +1,11 @@
+module Invidious::Database::Migrations
+class AddTotpSecretToUsersTable < Migration
+version 11
+
+def up(conn : DB::Connection)
+conn.exec <<-SQL
+ALTER TABLE users ADD COLUMN totp_secret VARCHAR(128)
+SQL
+end
+end
+end
diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index fb37c993..c61767fb 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -24,7 +24,7 @@ module Invidious::Routes::Account
 user = user.as(User)
 sid = sid.as(String)
 
-if user.totp_secret && env.response.cookies["2faVerified"]?.try &.value != "1" || nil
+if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1" || nil
 return call_totp_validator(env, user, sid, locale)
 end
 
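Review bot: The new migration issues the same `ALTER TABLE users ADD COLUMN totp_secret VARCHAR(128)` that the deleted config/migrate-scripts/migrate-db-63162986.sh already applied, so on a database where that script was run this statement fails with a duplicate-column error unless the migration runner already records version 11 as applied. Writing the statement as `ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_secret VARCHAR(128)` keeps the migration safe on both fresh and previously-patched databases. The class also defines only `up`; if `Migration` declares `down` as abstract this will not compile, and in any case a reversal such as `def down(conn : DB::Connection)` / `conn.exec "ALTER TABLE users DROP COLUMN IF EXISTS totp_secret"` / `end` keeps the schema change reversible. Because this column stores a raw shared secret, a one-line comment on the class saying so (and that it must stay out of exports and logs) would help later maintainers.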
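Review bot: The corrected condition still treats a plain cookie value as proof that the TOTP step was completed: `env.request.cookies["2faVerified"]?.try &.value != "1"`. How that cookie is issued is not visible in this hunk; unless its value is signed and bound to the session, or the check is made against server-side state on the session row, the server cannot distinguish the value it set from one the client supplied, so please confirm the issuing side. The `.try &.value != "1"` form is also easy to misread, since whether `!= "1"` applies inside the `try` block or to its result decides what a missing cookie yields; `env.request.cookies["2faVerified"]?.try(&.value) != "1"` makes the missing-cookie case (nil, therefore the validator is called) explicit. The trailing `|| nil` does not change the truthiness of the condition and reads like a leftover. The enclosing handler starts before and ends after this hunk.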
@@ -461,15 +461,14 @@ module Invidious::Routes::Account
 end
 
 # There are two routes we can go here.
-# 1. Where the user is already logged in and is
-# confirming an dangerous task.
+# 1. Where the user is already logged in and is confirming a dangerous task.
 # 2. The user is logging in.
 #
-# This can be detected by the hidden email and password parameter
+# The latter can be detected by the hidden email and password parameter
 
-# https://stackoverflow.com/a/574698
+# If we have the email and password variables set then that means we are currently logging in
 if email && password
-# Verify the password again for extra security
+# Verify the password
 if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
 sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
 PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
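Review bot: The two new comment lines above `if email && password` say the same thing twice — `# The latter can be detected by the hidden email and password parameter` and then `# If we have the email and password variables set then that means we are currently logging in` — and the second runs well past the usual line length; keep one, e.g. `# The latter is detected by the hidden email and password parameters being set.` The replacement `# Verify the password` also drops the reason the old comment gave, and since the bcrypt check on the next line gates creation of a new session id, `# Re-check the password before issuing a session id for this login` says why the check is here rather than restating the call. The enclosing method starts and ends outside the hunk, so it is not visible here whether this login path also requires a TOTP code for users with totp_secret set; that is worth confirming, because the cookie gate added at line 24 applies to requests that already carry a sid.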