e115934061
Publish `@librechat/data-schemas` to NPM / pack (push) Failing after 8s
Publish `@librechat/client` to NPM / pack (push) Failing after 0s
GitNexus Index / index (push) Failing after 1s
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been skipped
Sync Helm Chart Tags / Sync chart tags (push) Failing after 2s
Publish `librechat-data-provider` to NPM / pack (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Failing after 0s
Sync Helm Chart Tags / Ignore non-main push (push) Has been skipped
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Failing after 1s
Publish `@librechat/client` to NPM / publish-npm (push) Has been cancelled
Publish `librechat-data-provider` to NPM / publish-npm (push) Has been cancelled
GitNexus Index / post-index (push) Has been cancelled
Publish `@librechat/data-schemas` to NPM / publish-npm (push) Has been cancelled
211 lines
6.4 KiB
JavaScript
211 lines
6.4 KiB
JavaScript
const { encryptV3, logger } = require('@librechat/data-schemas');
|
|
const {
|
|
verifyOTPOrBackupCode,
|
|
generateBackupCodes,
|
|
generateTOTPSecret,
|
|
verifyBackupCode,
|
|
getTOTPSecret,
|
|
verifyTOTP,
|
|
} = require('~/server/services/twoFactorService');
|
|
const { getUserById, updateUser } = require('~/models');
|
|
|
|
const safeAppTitle = (process.env.APP_TITLE || 'LibreChat').replace(/\s+/g, '');
|
|
|
|
/**
|
|
* Enable 2FA for the user by generating a new TOTP secret and backup codes.
|
|
* The secret is encrypted and stored, and 2FA is marked as disabled until confirmed.
|
|
* If 2FA is already enabled, requires OTP or backup code verification to re-enroll.
|
|
*/
|
|
const enable2FA = async (req, res) => {
|
|
try {
|
|
const userId = req.user.id;
|
|
const existingUser = await getUserById(
|
|
userId,
|
|
'+totpSecret +backupCodes _id twoFactorEnabled email',
|
|
);
|
|
|
|
if (existingUser && existingUser.twoFactorEnabled) {
|
|
const { token, backupCode } = req.body;
|
|
const result = await verifyOTPOrBackupCode({
|
|
user: existingUser,
|
|
token,
|
|
backupCode,
|
|
persistBackupUse: false,
|
|
});
|
|
|
|
if (!result.verified) {
|
|
const msg = result.message ?? 'TOTP token or backup code is required to re-enroll 2FA';
|
|
return res.status(result.status ?? 400).json({ message: msg });
|
|
}
|
|
}
|
|
|
|
const secret = generateTOTPSecret();
|
|
const { plainCodes, codeObjects } = await generateBackupCodes();
|
|
const encryptedSecret = encryptV3(secret);
|
|
|
|
const user = await updateUser(userId, {
|
|
pendingTotpSecret: encryptedSecret,
|
|
pendingBackupCodes: codeObjects,
|
|
});
|
|
|
|
const email = user.email || (existingUser && existingUser.email) || '';
|
|
const otpauthUrl = `otpauth://totp/${safeAppTitle}:${email}?secret=${secret}&issuer=${safeAppTitle}`;
|
|
|
|
return res.status(200).json({ otpauthUrl, backupCodes: plainCodes });
|
|
} catch (err) {
|
|
logger.error('[enable2FA]', err);
|
|
return res.status(500).json({ message: err.message });
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Verify a 2FA code (either TOTP or backup code) during setup.
|
|
*/
|
|
const verify2FA = async (req, res) => {
|
|
try {
|
|
const userId = req.user.id;
|
|
const { token, backupCode } = req.body;
|
|
const user = await getUserById(userId, '+totpSecret +pendingTotpSecret +backupCodes _id');
|
|
const secretSource = user?.pendingTotpSecret ?? user?.totpSecret;
|
|
|
|
if (!user || !secretSource) {
|
|
return res.status(400).json({ message: '2FA not initiated' });
|
|
}
|
|
|
|
const secret = await getTOTPSecret(secretSource);
|
|
let isVerified = false;
|
|
|
|
if (token) {
|
|
isVerified = await verifyTOTP(secret, token);
|
|
} else if (backupCode) {
|
|
isVerified = await verifyBackupCode({ user, backupCode });
|
|
}
|
|
|
|
if (isVerified) {
|
|
return res.status(200).json();
|
|
}
|
|
return res.status(400).json({ message: 'Invalid token or backup code.' });
|
|
} catch (err) {
|
|
logger.error('[verify2FA]', err);
|
|
return res.status(500).json({ message: err.message });
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Confirm and enable 2FA after a successful verification.
|
|
*/
|
|
const confirm2FA = async (req, res) => {
|
|
try {
|
|
const userId = req.user.id;
|
|
const { token } = req.body;
|
|
const user = await getUserById(
|
|
userId,
|
|
'+totpSecret +pendingTotpSecret +pendingBackupCodes _id',
|
|
);
|
|
const secretSource = user?.pendingTotpSecret ?? user?.totpSecret;
|
|
|
|
if (!user || !secretSource) {
|
|
return res.status(400).json({ message: '2FA not initiated' });
|
|
}
|
|
|
|
const secret = await getTOTPSecret(secretSource);
|
|
if (await verifyTOTP(secret, token)) {
|
|
const update = {
|
|
totpSecret: user.pendingTotpSecret ?? user.totpSecret,
|
|
twoFactorEnabled: true,
|
|
pendingTotpSecret: null,
|
|
pendingBackupCodes: [],
|
|
};
|
|
if (user.pendingBackupCodes?.length) {
|
|
update.backupCodes = user.pendingBackupCodes;
|
|
}
|
|
await updateUser(userId, update);
|
|
return res.status(200).json();
|
|
}
|
|
return res.status(400).json({ message: 'Invalid token.' });
|
|
} catch (err) {
|
|
logger.error('[confirm2FA]', err);
|
|
return res.status(500).json({ message: err.message });
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Disable 2FA by clearing the stored secret and backup codes.
|
|
* Requires verification with either TOTP token or backup code if 2FA is fully enabled.
|
|
*/
|
|
const disable2FA = async (req, res) => {
|
|
try {
|
|
const userId = req.user.id;
|
|
const { token, backupCode } = req.body;
|
|
const user = await getUserById(userId, '+totpSecret +backupCodes _id twoFactorEnabled');
|
|
|
|
if (!user || !user.totpSecret) {
|
|
return res.status(400).json({ message: '2FA is not setup for this user' });
|
|
}
|
|
|
|
if (user.twoFactorEnabled) {
|
|
const result = await verifyOTPOrBackupCode({ user, token, backupCode });
|
|
|
|
if (!result.verified) {
|
|
const msg = result.message ?? 'Either token or backup code is required to disable 2FA';
|
|
return res.status(result.status ?? 400).json({ message: msg });
|
|
}
|
|
}
|
|
await updateUser(userId, {
|
|
totpSecret: null,
|
|
backupCodes: [],
|
|
twoFactorEnabled: false,
|
|
pendingTotpSecret: null,
|
|
pendingBackupCodes: [],
|
|
});
|
|
return res.status(200).json();
|
|
} catch (err) {
|
|
logger.error('[disable2FA]', err);
|
|
return res.status(500).json({ message: err.message });
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Regenerate backup codes for the user.
|
|
* Requires OTP or backup code verification if 2FA is already enabled.
|
|
*/
|
|
const regenerateBackupCodes = async (req, res) => {
|
|
try {
|
|
const userId = req.user.id;
|
|
const user = await getUserById(userId, '+totpSecret +backupCodes _id twoFactorEnabled');
|
|
|
|
if (!user) {
|
|
return res.status(404).json({ message: 'User not found' });
|
|
}
|
|
|
|
if (user.twoFactorEnabled) {
|
|
const { token, backupCode } = req.body;
|
|
const result = await verifyOTPOrBackupCode({ user, token, backupCode });
|
|
|
|
if (!result.verified) {
|
|
const msg =
|
|
result.message ?? 'TOTP token or backup code is required to regenerate backup codes';
|
|
return res.status(result.status ?? 400).json({ message: msg });
|
|
}
|
|
}
|
|
|
|
const { plainCodes, codeObjects } = await generateBackupCodes();
|
|
await updateUser(userId, { backupCodes: codeObjects });
|
|
return res.status(200).json({
|
|
backupCodes: plainCodes,
|
|
backupCodesHash: codeObjects,
|
|
});
|
|
} catch (err) {
|
|
logger.error('[regenerateBackupCodes]', err);
|
|
return res.status(500).json({ message: err.message });
|
|
}
|
|
};
|
|
|
|
module.exports = {
|
|
enable2FA,
|
|
verify2FA,
|
|
confirm2FA,
|
|
disable2FA,
|
|
regenerateBackupCodes,
|
|
};
|