midou/invidious
1
0
Fork 1
mirror of https://github.com/iv-org/invidious.git synced 2025-01-11 09:12:22 +05:30
Code Issues Packages Projects Releases Wiki Activity

Add endpoint to disable 2fa

Browse Source
This commit is contained in:
syeopite 2021-07-15 02:42:44 -07:00
parent 9a615ac1af
commit f32f0b6e16
No known key found for this signature in database
GPG Key ID: A73C186DA3955A1A
5 changed files with 70 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
locales/en-US.json
View File

@ -494,5 +494,7 @@
"general-totp-invalid-code": "The TOTP code entered is invalid",
"general-totp-enter-code-field": "6 digit number",
"general-totp-enter-code-header": "Two-factor authentication",
"general-totp-verify-button": "Verifiy"
"general-totp-verify-button": "Verify",
"remove-totp-header": "Remove two-factor authentication",
"remove-totp-confirm-message": "Are you sure you would like to remove two-factor-authentication?"
}

2
src/invidious/helpers/utils.cr
View File

@ -462,7 +462,7 @@ def totp_validator(env)
# Verify if possible
if token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
validate_request(token, sid, env.request, HMAC_KEY, locale)
rescue ex
return error_template(400, ex)
end

42
src/invidious/routes/account.cr
View File

@ -208,6 +208,9 @@ module Invidious::Routes::Account
user = env.get? "user"
sid = env.get? "sid"
user = user.as(User)
sid = sid.as(String)
if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1" || nil
return call_totp_validator(env, user, sid, locale)
end
@ -218,8 +221,6 @@ module Invidious::Routes::Account
return env.redirect "/login?referer=#{URI.encode_path_segment(env.request.resource)}"
end
user = user.as(User)
sid = sid.as(String)
csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY)
scopes = env.params.query["scopes"]?.try &.split(",")
@ -503,4 +504,41 @@ module Invidious::Routes::Account
env.redirect referer
end
# Endpoint to remove 2fa
def remove_2fa_page(env)
locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env)
user = env.get("user").as(User)
sid = env.get("sid").as(String)
csrf_token = generate_response(sid, {":remove_2fa"}, HMAC_KEY)
return templated "user/remove_2fa"
end
# Remove 2fa post request.
def remove_2fa(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
sid = env.get? "sid"
referer = get_referer(env, unroll: false)
if !user
return env.redirect referer
end
user = user.as(User)
sid = sid.as(String)
token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, locale)
rescue ex
return error_template(400, ex)
end
PG_DB.exec("UPDATE users SET totp_secret = $1 WHERE email = $2", nil, user.email)
end
end

2
src/invidious/routing.cr
View File

@ -83,6 +83,8 @@ module Invidious::Routing
Invidious::Routing.get "/setup_2fa", Routes::Account, :setup_2fa_page
Invidious::Routing.post "/setup_2fa", Routes::Account, :setup_2fa
Invidious::Routing.post "/validate_2fa", Routes::Account, :validate_2fa
Invidious::Routing.get "/remove_2fa", Routes::Account, :remove_2fa_page
Invidious::Routing.post "/remove_2fa", Routes::Account, :remove_2fa
end
def register_iv_playlist_routes

24
src/invidious/views/user/remove_2fa.ecr Normal file
View File

@ -0,0 +1,24 @@
<% content_for "header" do %>
<title><%= translate(locale, "remove-totp-header") %> - Invidious</title>
<% end %>
<div class="h-box">
<form class="pure-form pure-form-aligned" action="/remove_2fa?referer=<%= URI.encode_www_form(referer) %>" method="post">
<legend><%= translate(locale, "remove-totp-confirm-message") %></legend>
<div class="pure-g">
<div class="pure-u-1-2">
<button type="submit" name="submit" value="remove_2fa" class="pure-button pure-button-primary">
<%= translate(locale, "Yes") %>
</button>
</div>
<div class="pure-u-1-2">
<a class="pure-button" href="<%= URI.encode_www_form(referer) %>">
<%= translate(locale, "No") %>
</a>
</div>
</div>
<input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(csrf_token) %>">
</form>
</div>