Initial feature for totp

Author: flovilmart

package-lock.json

@@ -34,6 +34,7 @@
     "lru-cache": "5.1.1",
     "mime": "2.4.0",
     "mongodb": "3.2.0",
+    "otplib": "^10.0.1",
     "parse": "2.1.0",
     "pg-promise": "8.5.5",
     "redis": "2.8.0",

package.json

@@ -23,7 +23,8 @@
       "range": true,
       "jequal": true,
       "create": true,
-      "arrayContains": true
+      "arrayContains": true,
+      "expectAsync": true
     },
     "rules": {
       "no-console": [0],

spec/.eslintrc.json

@@ -12,6 +12,7 @@ const MongoStorageAdapter = require('../lib/Adapters/Storage/Mongo/MongoStorageA
 const request = require('../lib/request');
 const passwordCrypto = require('../lib/password');
 const Config = require('../lib/Config');
+const otplib = require('otplib');
 
 function verifyACL(user) {
   const ACL = user.getACL();
@@ -3754,3 +3755,45 @@ describe('Parse.User testing', () => {
     );
   });
 });
+
+function enable2FA(user) {
+  return request({
+    method: 'GET',
+    url: 'http://localhost:8378/1/users/me/enable2FA',
+    json: true,
+    headers: {
+      'X-Parse-Session-Token': user.getSessionToken(),
+      'X-Parse-Application-Id': Parse.applicationId,
+      'X-Parse-REST-API-Key': 'rest',
+    },
+  });
+}
+
+function validate2FA(user, token) {
+  return request({
+    method: 'POST',
+    url: 'http://localhost:8378/1/users/me/verify2FA',
+    body: {
+      token,
+    },
+    headers: {
+      'X-Parse-Session-Token': user.getSessionToken(),
+      'X-Parse-Application-Id': Parse.applicationId,
+      'X-Parse-REST-API-Key': 'rest',
+      'Content-Type': 'application/json',
+    },
+  });
+}
+
+describe('2FA', () => {
+  it('should enable 2FA tokens', async () => {
+    const user = await Parse.User.signUp('username', 'password');
+    const {
+      data: { secret },
+    } = await enable2FA(user);
+    const token = otplib.authenticator.generate(secret);
+    await validate2FA(user, token);
+    // await Parse.User.logOut();
+    await expectAsync(Parse.User.logIn('username', 'password')).toBeRejected();
+  });
+});

spec/ParseUser.spec.js

@@ -18,6 +18,8 @@ const transformKey = (className, fieldName, schema) => {
       return '_last_used';
     case 'timesUsed':
       return 'times_used';
+    case 'mfa':
+      return '_mfa';
   }
 
   if (
@@ -106,6 +108,9 @@ const transformKeyValueForUpdate = (
       key = 'times_used';
       timeField = true;
       break;
+    case 'mfa':
+      key = '_mfa';
+      break;
   }
 
   if (
@@ -286,6 +291,7 @@ function transformQueryKeyValue(className, key, value, schema) {
     case '_wperm':
     case '_perishable_token':
     case '_email_verify_token':
+    case '_mfa':
       return { key, value };
     case '$or':
     case '$and':
@@ -1349,6 +1355,9 @@ const mongoObjectToParseObject = (className, mongoObject, schema) => {
             break;
           case '_acl':
             break;
+          case '_mfa':
+            restObject._mfa = mongoObject[key];
+            break;
           case '_email_verify_token':
           case '_perishable_token':
           case '_perishable_token_expires_at':

src/Adapters/Storage/Mongo/MongoTransform.js

@@ -951,6 +951,7 @@ export class PostgresStorageAdapter implements StorageAdapter {
       fields._perishable_token_expires_at = { type: 'Date' };
       fields._password_changed_at = { type: 'Date' };
       fields._password_history = { type: 'Array' };
+      fields._mfa = { type: 'String' };
     }
     let index = 2;
     const relations = [];
@@ -1458,6 +1459,10 @@ export class PostgresStorageAdapter implements StorageAdapter {
         update['authData'] = update['authData'] || {};
         update['authData'][provider] = value;
       }
+      if (fieldName === 'mfa') {
+        update['_mfa'] = update['mfa'];
+        delete update.mfa;
+      }
     }
 
     for (const fieldName in update) {

src/Adapters/Storage/Postgres/PostgresStorageAdapter.js

@@ -63,6 +63,7 @@ const specialQuerykeys = [
   '_email_verify_token_expires_at',
   '_account_lockout_expires_at',
   '_failed_login_count',
+  '_mfa',
 ];
 
 const isSpecialQueryKey = key => {
@@ -184,6 +185,7 @@ const filterSensitiveData = (isMaster, aclGroup, className, object) => {
   delete object._account_lockout_expires_at;
   delete object._password_changed_at;
   delete object._password_history;
+  delete object._mfa;
 
   if (aclGroup.indexOf(object.objectId) > -1) {
     return object;
@@ -212,6 +214,7 @@ const specialKeysForUpdate = [
   '_perishable_token_expires_at',
   '_password_changed_at',
   '_password_history',
+  '_mfa',
 ];
 
 const isSpecialUpdateKey = key => {

src/Controllers/DatabaseController.js

@@ -7,6 +7,7 @@ import ClassesRouter from './ClassesRouter';
 import rest from '../rest';
 import Auth from '../Auth';
 import passwordCrypto from '../password';
+import * as otplib from 'otplib';
 
 export class UsersRouter extends ClassesRouter {
   className() {
@@ -44,7 +45,7 @@ export class UsersRouter extends ClassesRouter {
       ) {
         payload = req.query;
       }
-      const { username, email, password } = payload;
+      const { username, email, password, token } = payload;
 
       // TODO: use the right error codes / descriptions.
       if (!username && !email) {
@@ -153,7 +154,12 @@ export class UsersRouter extends ClassesRouter {
               delete user.authData;
             }
           }
-
+          if (user._mfa) {
+            if (!otplib.authenticator.verify({ token, secret: user._mfa })) {
+              throw new Parse.Error(-1, 'Invalid 2FA token');
+            }
+          }
+          delete user._mfa;
           return resolve(user);
         })
         .catch(error => {
@@ -189,16 +195,15 @@ export class UsersRouter extends ClassesRouter {
             Parse.Error.INVALID_SESSION_TOKEN,
             'Invalid session token'
           );
-        } else {
-          const user = response.results[0].user;
-          // Send token back on the login, because SDKs expect that.
-          user.sessionToken = sessionToken;
+        }
+        const user = response.results[0].user;
+        // Send token back on the login, because SDKs expect that.
+        user.sessionToken = sessionToken;
 
-          // Remove hidden properties.
-          UsersRouter.removeHiddenProperties(user);
+        // Remove hidden properties.
+        UsersRouter.removeHiddenProperties(user);
 
-          return { response: user };
-        }
+        return { response: user };
       });
   }
 
@@ -310,6 +315,60 @@ export class UsersRouter extends ClassesRouter {
     return Promise.resolve(success);
   }
 
+  async enable2FA(req) {
+    const { user } = req.auth;
+    const secret = otplib.authenticator.generateSecret();
+    const otpauth = otplib.authenticator.keyuri(
+      user.username,
+      'service',
+      secret
+    );
+    await rest.update(
+      req.config,
+      req.auth,
+      '_User',
+      {
+        objectId: user.id,
+      },
+      {
+        mfa: `pending:${secret}`,
+      }
+    );
+    return { response: { qrcodeURL: otpauth, secret } };
+  }
+
+  async verify2FA(req) {
+    const { token } = req.body;
+    // Fetch the user directly from the DB as we need the _mfa
+    const [user] = await req.config.database.find('_User', {
+      objectId: req.auth.user.id,
+    });
+    const mfa = user._mfa;
+    if (!mfa) {
+      throw new Parse.Error(-1, 'MFA is not enabled on this account');
+    }
+    if (mfa.indexOf('pending:') !== 0) {
+      throw new Parse.Error(-1, 'MFA is already active');
+    }
+    const secret = mfa.slice('pending:'.length);
+    const result = otplib.authenticator.verify({ token, secret });
+    if (!result) {
+      throw new Parse.Error(-1, 'Invalid token');
+    }
+    await rest.update(
+      req.config,
+      req.auth,
+      '_User',
+      {
+        objectId: req.auth.user.id,
+      },
+      {
+        mfa: `${secret}`,
+      }
+    );
+    return { response: {} };
+  }
+
   _throwOnBadEmailConfig(req) {
     try {
       Config.validateEmailConfiguration({
@@ -441,6 +500,8 @@ export class UsersRouter extends ClassesRouter {
     this.route('POST', '/logout', req => {
       return this.handleLogOut(req);
     });
+    this.route('GET', '/users/me/enable2FA', req => this.enable2FA(req));
+    this.route('POST', '/users/me/verify2FA', req => this.verify2FA(req));
     this.route('POST', '/requestPasswordReset', req => {
       return this.handleResetRequest(req);
     });