Improved two factor auth

2025-09-13 03:55:58 +03:00 · 2018-06-01 15:08:03 +02:00
parent dc188211d8
commit b0ee5f6570
8 changed files with 251 additions and 107 deletions
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -19,6 +19,8 @@ pub struct Device {
    pub push_token: Option<String>,

    pub refresh_token: String,
+
+    pub twofactor_remember: Option<String>,
 }

 /// Local methods
@@ -37,9 +39,22 @@ impl Device {

            push_token: None,
            refresh_token: String::new(),
+            twofactor_remember: None,
        }
    }

+    pub fn refresh_twofactor_remember(&mut self) {
+        use data_encoding::BASE64;
+        use crypto;
+
+        self.twofactor_remember = Some(BASE64.encode(&crypto::get_random(vec![0u8; 180])));
+    }
+
+    pub fn delete_twofactor_remember(&mut self) {
+        self.twofactor_remember = None;
+    }
+
+
    pub fn refresh_tokens(&mut self, user: &super::User, orgs: Vec<super::UserOrganization>) -> (String, i64) {
        // If there is no refresh token, we create one
        if self.refresh_token.is_empty() {
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -26,8 +26,10 @@ pub struct User {
    pub key: String,
    pub private_key: Option<String>,
    pub public_key: Option<String>,
+    
    pub totp_secret: Option<String>,
    pub totp_recover: Option<String>,
+
    pub security_stamp: String,

    pub equivalent_domains: String,
@@ -61,6 +63,7 @@ impl User {
            password_hint: None,
            private_key: None,
            public_key: None,
+            
            totp_secret: None,
            totp_recover: None,

@@ -95,23 +98,23 @@ impl User {
        self.security_stamp = Uuid::new_v4().to_string();
    }

-    pub fn check_totp_code(&self, totp_code: Option<u64>) -> bool {
+    pub fn requires_twofactor(&self) -> bool {
+        self.totp_secret.is_some()
+    }
+
+    pub fn check_totp_code(&self, totp_code: u64) -> bool {
        if let Some(ref totp_secret) = self.totp_secret {
-            if let Some(code) = totp_code {
-                // Validate totp
-                use data_encoding::BASE32;
-                use oath::{totp_raw_now, HashType};
+            // Validate totp
+            use data_encoding::BASE32;
+            use oath::{totp_raw_now, HashType};

-                let decoded_secret = match BASE32.decode(totp_secret.as_bytes()) {
-                    Ok(s) => s,
-                    Err(_) => return false
-                };
+            let decoded_secret = match BASE32.decode(totp_secret.as_bytes()) {
+                Ok(s) => s,
+                Err(_) => return false
+            };

-                let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
-                generated == code
-            } else {
-                false
-            }
+            let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
+            generated == totp_code
        } else {
            true
        }