Login 2fa (totp)

api/resolvers/index.js

@@ -20,6 +20,7 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import verify2fa from './verify2fa'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +57,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault, verify2fa]

api/resolvers/user.js

@@ -2,7 +2,7 @@ import { readFile } from 'fs/promises'
 import { join, resolve } from 'path'
 import { decodeCursor, LIMIT, nextCursorEncoded } from '@/lib/cursor'
 import { msatsToSats } from '@/lib/format'
-import { bioSchema, emailSchema, settingsSchema, validateSchema, userSchema } from '@/lib/validate'
+import { bioSchema, emailSchema, settingsSchema, validateSchema, userSchema, totpSchema } from '@/lib/validate'
 import { getItem, updateItem, filterClause, createItem, whereClause, muteClause, activeOrMine } from './item'
 import { USER_ID, RESERVED_MAX_USER_ID, SN_NO_REWARDS_IDS, INVOICE_ACTION_NOTIFICATION_TYPES } from '@/lib/constants'
 import { viewGroup } from './growth'
@@ -11,6 +11,7 @@ import assertApiKeyNotPermitted from './apiKey'
 import { hashEmail } from '@/lib/crypto'
 import { isMuted } from '@/lib/user'
 import { GqlAuthenticationError, GqlAuthorizationError, GqlInputError } from '@/lib/error'
+import { validateTotp } from '@/lib/auth2fa'
 
 const contributors = new Set()
 
@@ -883,6 +884,33 @@ export default {
 
       await models.user.update({ where: { id: me.id }, data: { hideWelcomeBanner: true } })
       return true
+    },
+    setTotpSecret: async (parent, { secret, token }, { me, models }) => {
+      if (!me) throw new GqlAuthenticationError()
+      await validateSchema(totpSchema, { secret, token })
+      await validateTotp({ secret, token })
+      try {
+        await models.user.update({
+          where: {
+            id: me.id,
+            totpSecret: null
+          },
+          data: {
+            totpSecret: secret
+          }
+        })
+      } catch (error) {
+        if (error.code === 'P2025') {
+          throw new Error('could not set totp secret')
+        }
+        throw error
+      }
+      return true
+    },
+    unsetTotpSecret: async (parent, args, { me, models }) => {
+      if (!me) throw new GqlAuthenticationError()
+      await models.user.update({ where: { id: me.id }, data: { totpSecret: null } })
+      return true
     }
   },
 
@@ -1049,6 +1077,12 @@ export default {
         return false
       }
       return !!user.tipRandomMin && !!user.tipRandomMax
+    },
+    isTotpEnabled: async (user, args, { me }) => {
+      if (!me || me.id !== user.id) {
+        return false
+      }
+      return !!user.totpSecret
     }
   },
 

api/resolvers/verify2fa.js

@@ -0,0 +1,26 @@
+import * as Auth2fa from '@/lib/auth2fa'
+
+export default {
+  Mutation: {
+    verify2fa: async (parent, { method, callbackUrl, ...args }, { models, unverifiedSession }) => {
+      const session = unverifiedSession
+      if (!session) throw new Error('Not authenticated')
+
+      const userId = session.user.id
+      const user = await models.user.findUnique({ where: { id: userId } })
+      if (!user) throw new Error('User not found')
+
+      const valid = Auth2fa.validate2fa(method, args, { me: user })
+      if (!valid) throw new Error('Invalid 2FA token')
+
+      const token = await Auth2fa.getEncodedLogin2faToken({ result: valid, userId, jti2fa: session.jti2fa, callbackUrl })
+      return {
+        result: valid,
+        tokens: [
+          token
+        ],
+        callbackUrl
+      }
+    }
+  }
+}

api/ssrApollo.js

@@ -13,11 +13,17 @@ import { BLOCK_HEIGHT } from '@/fragments/blockHeight'
 import { CHAIN_FEE } from '@/fragments/chainFee'
 import { getServerSession } from 'next-auth/next'
 import { getAuthOptions } from '@/pages/api/auth/[...nextauth]'
+import * as Auth2fa from '@/lib/auth2fa'
 import { NOFOLLOW_LIMIT } from '@/lib/constants'
 import { satsToMsats } from '@/lib/format'
 
 export default async function getSSRApolloClient ({ req, res, me = null }) {
-  const session = req && await getServerSession(req, res, getAuthOptions(req))
+  let session = req && await getServerSession(req, res, getAuthOptions(req))
+
+  // 2fa check
+  let unverifiedSession = null
+  ;({ session, unverifiedSession } = await Auth2fa.sessionGuard({ session, req }))
+
   const client = new ApolloClient({
     ssrMode: true,
     link: new SchemaLink({
@@ -31,7 +37,8 @@ export default async function getSSRApolloClient ({ req, res, me = null }) {
           ? session.user
           : me,
         lnd,
-        search
+        search,
+        unverifiedSession
       }
     }),
     cache: new InMemoryCache({

api/typeDefs/index.js

@@ -19,6 +19,7 @@ import blockHeight from './blockHeight'
 import chainFee from './chainFee'
 import paidAction from './paidAction'
 import vault from './vault'
+import verify2fa from './verify2fa'
 
 const common = gql`
   type Query {
@@ -39,4 +40,4 @@ const common = gql`
 `
 
 export default [common, user, item, itemForward, message, wallet, lnurl, notifications, invite,
-  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, paidAction, vault]
+  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, paidAction, vault, verify2fa]

api/typeDefs/user.js

@@ -44,6 +44,8 @@ export default gql`
     generateApiKey(id: ID!): String
     deleteApiKey(id: ID!): User
     disableFreebies: Boolean
+    setTotpSecret(secret: String!, token: String!): Boolean
+    unsetTotpSecret: Boolean
   }
 
   type User {
@@ -194,6 +196,7 @@ export default gql`
     walletsUpdatedAt: Date
     proxyReceive: Boolean
     directReceive: Boolean
+    isTotpEnabled: Boolean
   }
 
   type UserOptional {

api/typeDefs/verify2fa.js

@@ -0,0 +1,18 @@
+import { gql } from 'graphql-tag'
+
+export default gql`
+  type Tokens2fa {
+    key: String
+    value: String
+  }
+
+  type Verify2faResponse {
+    result: Boolean!
+    tokens: [Tokens2fa]
+    callbackUrl: String
+  }
+
+  extend type Mutation {
+    verify2fa(method: String!, token: String!, callbackUrl: String): Verify2faResponse
+  }
+`

components/account.js

@@ -14,7 +14,7 @@ const AccountContext = createContext()
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
 const b64Encode = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
 
-const maybeSecureCookie = cookie => {
+export const maybeSecureCookie = cookie => {
   return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
 }
 

components/nav/common.js

@@ -261,7 +261,7 @@ export default function LoginButton () {
   )
 }
 
-function LogoutObstacle ({ onClose }) {
+export function LogoutObstacle ({ onClose }) {
   const { registration: swRegistration, togglePushSubscription } = useServiceWorker()
   const { removeLocalWallets } = useWallets()
   const { multiAuthSignout } = useAccounts()

components/totp.js

@@ -0,0 +1,88 @@
+import { useCallback } from 'react'
+import { useShowModal } from '@/components/modal'
+import { validateTotp } from '@/lib/auth2fa'
+import { qrImageSettings } from '@/components/qr'
+import { QRCodeSVG } from 'qrcode.react'
+import BootstrapForm from 'react-bootstrap/Form'
+import { totpSchema, totpTokenSchema } from '@/lib/validate'
+import { Form, SubmitButton, PasswordInput } from '@/components/form'
+import { useToast } from '@/components/toast'
+import CancelButton from './cancel-button'
+
+export const useTOTPEnableDialog = () => {
+  const showModal = useShowModal()
+  const toaster = useToast()
+  const showTOTPDialog = useCallback(({ secret, otpUri }, onToken) => {
+    showModal((close) => {
+      return (
+        <Form
+          initial={{
+            secret: secret.base32,
+            token: ''
+          }}
+          schema={totpSchema}
+          onSubmit={async ({ token }) => {
+            try {
+              const verified = validateTotp({ secret: secret.base32, token })
+              if (!verified) {
+                toaster.danger('invalid code')
+                return
+              }
+              await onToken(token)
+              close()
+            } catch (err) {
+              console.error(err)
+              toaster.danger('failed to enable ' + err.message)
+            }
+          }}
+        >
+          <div className='mb-4 text-center'>
+            <BootstrapForm.Label>use a two-factor authenticator (TOTP) app to scan this qr code</BootstrapForm.Label>
+            <div className='d-block p-3 mb-2 mx-auto' style={{ background: 'white', maxWidth: '300px' }}>
+              <QRCodeSVG
+                className='h-auto mw-100' value={otpUri} size={300} imageSettings={qrImageSettings}
+              />
+            </div>
+            <PasswordInput name='secret' label='or use this setup key' as='textarea' readOnly copy />
+          </div>
+          <PasswordInput name='token' required label='input the one-time authentication code to confirm' />
+          <div className='d-flex'>
+            <CancelButton onClick={close} />
+            <SubmitButton variant='primary' className='ms-auto mt-1 px-4'>enable</SubmitButton>
+          </div>
+        </Form>
+      )
+    })
+  }, [])
+  return showTOTPDialog
+}
+
+export const TOTPInputForm = ({ onSubmit, onCancel }) => {
+  const toaster = useToast()
+  return (
+    <Form
+      initial={{
+        token: ''
+      }}
+      schema={totpTokenSchema}
+      onSubmit={async ({ token }) => {
+        try {
+          await onSubmit(token)
+        } catch (err) {
+          console.error(err)
+          toaster.danger(err.message)
+        }
+      }}
+    >
+      <h3>Two-factor Authentication</h3>
+      <PasswordInput name='token' required label='input the one-time authentication code to continue' />
+      <small className='text-muted'>
+        open your two-factor authenticator (TOTP) app or browser extension to view your authentication code
+      </small>
+      <div className='d-flex mt-4'>
+        <CancelButton onClick={onCancel} />
+        <SubmitButton variant='primary' className='ms-auto mt-1 px-4'>submit</SubmitButton>
+      </div>
+    </Form>
+  )
+}

fragments/users.js

@@ -53,6 +53,7 @@ ${STREAK_FIELDS}
       walletsUpdatedAt
       proxyReceive
       directReceive
+      isTotpEnabled
     }
     optional {
       isContributor