Added OTP error reporting, #3831

This commit is contained in:
Ylian Saint-Hilaire 2022-04-09 15:46:13 -07:00
parent ee2e1057d2
commit 1947dccf9b
3 changed files with 31 additions and 21 deletions

View File

@ -3191,18 +3191,18 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
case 'otpauth-request': case 'otpauth-request':
{ {
// Do not allow this command if 2FA's are locked // Do not allow this command if 2FA's are locked
if ((domain.passwordrequirements) && (domain.passwordrequirements.lock2factor == true)) return; if ((domain.passwordrequirements) && (domain.passwordrequirements.lock2factor == true)) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 1 })); return; }
// Do not allow this command if backup codes are not allowed // Do not allow this command if backup codes are not allowed
if ((domain.passwordrequirements) && (domain.passwordrequirements.backupcode2factor == false)) return; if ((domain.passwordrequirements) && (domain.passwordrequirements.backupcode2factor == false)) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 2 })); return; }
// Do not allow this command when logged in using a login token // Do not allow this command when logged in using a login token
if (req.session.loginToken != null) break; if (req.session.loginToken != null) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 3 })); return; }
// Check of OTP 2FA is allowed // Check of OTP 2FA is allowed
if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break; if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 4 })); return; }
if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here. if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 5 })); return; } // If this account is settings locked, return here.
// Check if 2-step login is supported // Check if 2-step login is supported
const twoStepLoginSupported = ((parent.parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (parent.parent.certificates.CommonName.indexOf('.') != -1) && (args.nousers !== true)); const twoStepLoginSupported = ((parent.parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (parent.parent.certificates.CommonName.indexOf('.') != -1) && (args.nousers !== true));
@ -3210,7 +3210,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Request a one time password to be setup // Request a one time password to be setup
var otplib = null; var otplib = null;
try { otplib = require('otplib'); } catch (ex) { } try { otplib = require('otplib'); } catch (ex) { }
if (otplib == null) { break; } if (otplib == null) { ws.send(JSON.stringify({ action: 'otpauth-request', err: 6 })); return; }
const secret = otplib.authenticator.generateSecret(); // TODO: Check the random source of this value. const secret = otplib.authenticator.generateSecret(); // TODO: Check the random source of this value.
var domainName = parent.certificates.CommonName; var domainName = parent.certificates.CommonName;

View File

@ -1604,6 +1604,10 @@
} }
case 'otpauth-request': { case 'otpauth-request': {
if ((xxdialogMode == 2) && (xxdialogTag == 'otpauth-request')) { if ((xxdialogMode == 2) && (xxdialogTag == 'otpauth-request')) {
if (message.err != null) {
var otpauthErrors = ['', "2FA is locked", "Backup codes are locked", "Login token in use", "OTP 2FA not allowed", "Account is locked", "Unable to load OTPLIB"];
if ((message.err > 0) && (message.err < otpauthErrors.length)) { QH('d2optinfo', otpauthErrors[message.err]); } else { QH('d2optinfo', format("Error #{0}", message.err)); }
} else {
var secret = message.secret; var secret = message.secret;
if (secret.length == 52) { secret = secret.split(/(.............)/).filter(Boolean).join(' '); } if (secret.length == 52) { secret = secret.split(/(.............)/).filter(Boolean).join(' '); }
else if (secret.length == 32) { secret = secret.split(/(....)/).filter(Boolean).join(' '); secret = secret.substring(0, 20) + '<br/>' + secret.substring(20) } else if (secret.length == 32) { secret = secret.split(/(....)/).filter(Boolean).join(' '); secret = secret.substring(0, 20) + '<br/>' + secret.substring(20) }
@ -1612,6 +1616,7 @@
QE('idx_dlgOkButton', false); QE('idx_dlgOkButton', false);
Q('d2otpauthinput').focus(); Q('d2otpauthinput').focus();
} }
}
break; break;
} }
case 'otpauth-setup': { case 'otpauth-setup': {

View File

@ -2704,6 +2704,10 @@
} }
case 'otpauth-request': { case 'otpauth-request': {
if ((xxdialogMode == 2) && (xxdialogTag == 'otpauth-request')) { if ((xxdialogMode == 2) && (xxdialogTag == 'otpauth-request')) {
if (message.err != null) {
var otpauthErrors = [ '', "2FA is locked", "Backup codes are locked", "Login token in use", "OTP 2FA not allowed", "Account is locked", "Unable to load OTPLIB" ];
if ((message.err > 0) && (message.err < otpauthErrors.length)) { QH('d2optinfo', otpauthErrors[message.err]); } else { QH('d2optinfo', format("Error #{0}", message.err)); }
} else {
var secret = message.secret; var secret = message.secret;
if (secret.length == 52) { secret = secret.split(/(.............)/).filter(Boolean).join(' '); } if (secret.length == 52) { secret = secret.split(/(.............)/).filter(Boolean).join(' '); }
else if (secret.length == 32) { secret = secret.split(/(....)/).filter(Boolean).join(' '); secret = secret.substring(0, 20) + '<br/>' + secret.substring(20) } else if (secret.length == 32) { secret = secret.split(/(....)/).filter(Boolean).join(' '); secret = secret.substring(0, 20) + '<br/>' + secret.substring(20) }
@ -2713,6 +2717,7 @@
QE('idx_dlgOkButton', false); QE('idx_dlgOkButton', false);
Q('d2otpauthinput').focus(); Q('d2otpauthinput').focus();
} }
}
break; break;
} }
case 'otpauth-setup': { case 'otpauth-setup': {