Initial commit: DashCaddy v1.0
Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.
This commit is contained in:
185
dashcaddy-api/routes/auth/totp.js
Normal file
185
dashcaddy-api/routes/auth/totp.js
Normal file
@@ -0,0 +1,185 @@
|
||||
const express = require('express');
|
||||
|
||||
module.exports = function(ctx) {
|
||||
const router = express.Router();
|
||||
|
||||
// Get current TOTP config (public route)
|
||||
router.get('/totp/config', ctx.asyncHandler(async (req, res) => {
|
||||
res.json({
|
||||
success: true,
|
||||
config: {
|
||||
enabled: ctx.totpConfig.enabled,
|
||||
sessionDuration: ctx.totpConfig.sessionDuration,
|
||||
isSetUp: ctx.totpConfig.isSetUp
|
||||
}
|
||||
});
|
||||
}, 'totp-config-get'));
|
||||
|
||||
// Generate new TOTP secret + QR code
|
||||
router.post('/totp/setup', ctx.asyncHandler(async (req, res) => {
|
||||
const { authenticator } = require('otplib');
|
||||
const QRCode = require('qrcode');
|
||||
|
||||
// Accept user-provided secret or generate a new one
|
||||
let secret;
|
||||
if (req.body && req.body.secret) {
|
||||
secret = req.body.secret.replace(/\s/g, '').toUpperCase();
|
||||
if (!/^[A-Z2-7]{16,}$/.test(secret)) {
|
||||
return ctx.errorResponse(res, 400, 'Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).');
|
||||
}
|
||||
} else {
|
||||
secret = authenticator.generateSecret();
|
||||
}
|
||||
await ctx.credentialManager.store('totp.pending_secret', secret);
|
||||
|
||||
const otpauth = authenticator.keyuri('user', 'DashCaddy', secret);
|
||||
const qrDataUrl = await QRCode.toDataURL(otpauth, {
|
||||
width: 256, margin: 2,
|
||||
color: { dark: '#ffffff', light: '#00000000' }
|
||||
});
|
||||
|
||||
res.json({ success: true, qrCode: qrDataUrl, manualKey: secret, issuer: 'DashCaddy', imported: !!req.body?.secret });
|
||||
}, 'totp-setup'));
|
||||
|
||||
// Verify first code to confirm setup, then activate TOTP
|
||||
router.post('/totp/verify-setup', ctx.asyncHandler(async (req, res) => {
|
||||
const { authenticator } = require('otplib');
|
||||
const { code } = req.body;
|
||||
|
||||
if (!code || !/^\d{6}$/.test(code)) {
|
||||
return ctx.errorResponse(res, 400, 'Invalid code format');
|
||||
}
|
||||
|
||||
const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
|
||||
if (!pendingSecret) {
|
||||
return ctx.errorResponse(res, 400, 'No pending TOTP setup. Call /api/totp/setup first.');
|
||||
}
|
||||
|
||||
authenticator.options = { window: 1 };
|
||||
if (!authenticator.verify({ token: code, secret: pendingSecret })) {
|
||||
return ctx.errorResponse(res, 401, '[DC-111] Invalid code. Please try again.');
|
||||
}
|
||||
|
||||
// Promote pending secret to active
|
||||
await ctx.credentialManager.store('totp.secret', pendingSecret);
|
||||
await ctx.credentialManager.delete('totp.pending_secret');
|
||||
|
||||
ctx.totpConfig.isSetUp = true;
|
||||
ctx.totpConfig.enabled = true;
|
||||
ctx.totpConfig.secret = pendingSecret; // Persist to file for auto-restore
|
||||
if (ctx.totpConfig.sessionDuration === 'never') {
|
||||
ctx.totpConfig.sessionDuration = '24h';
|
||||
}
|
||||
await ctx.saveTotpConfig();
|
||||
|
||||
// Set session so user doesn't get locked out immediately
|
||||
ctx.session.create(req, ctx.totpConfig.sessionDuration);
|
||||
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
|
||||
|
||||
res.json({ success: true, message: 'TOTP enabled successfully', sessionDuration: ctx.totpConfig.sessionDuration });
|
||||
}, 'totp-verify-setup'));
|
||||
|
||||
// Login: verify TOTP code and set session cookie
|
||||
router.post('/totp/verify', ctx.asyncHandler(async (req, res) => {
|
||||
const { authenticator } = require('otplib');
|
||||
const { code } = req.body;
|
||||
|
||||
if (!code || !/^\d{6}$/.test(code)) {
|
||||
return ctx.errorResponse(res, 400, 'Invalid code format');
|
||||
}
|
||||
|
||||
if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
|
||||
return ctx.errorResponse(res, 400, 'TOTP is not enabled');
|
||||
}
|
||||
|
||||
const secret = await ctx.credentialManager.retrieve('totp.secret');
|
||||
if (!secret) {
|
||||
return ctx.errorResponse(res, 500, 'TOTP secret not found');
|
||||
}
|
||||
|
||||
authenticator.options = { window: 1 };
|
||||
if (!authenticator.verify({ token: code, secret })) {
|
||||
return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
|
||||
}
|
||||
|
||||
ctx.log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
|
||||
ctx.session.create(req, ctx.totpConfig.sessionDuration);
|
||||
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
|
||||
ctx.log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
|
||||
res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration });
|
||||
}, 'totp-verify'));
|
||||
|
||||
// Check session validity (used by Caddy forward_auth)
|
||||
router.get('/totp/check-session', ctx.asyncHandler(async (req, res) => {
|
||||
// Never cache session checks — stale cached 200s cause auth loops
|
||||
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
|
||||
res.setHeader('Pragma', 'no-cache');
|
||||
|
||||
if (!ctx.totpConfig.enabled || ctx.totpConfig.sessionDuration === 'never') {
|
||||
return res.status(200).json({ authenticated: true });
|
||||
}
|
||||
|
||||
const valid = ctx.session.isValid(req);
|
||||
ctx.log.debug('auth', 'Session check', { ip: ctx.session.getClientIP(req), valid, sessions: ctx.session.ipSessions.size });
|
||||
if (valid) {
|
||||
return res.status(200).json({ authenticated: true });
|
||||
}
|
||||
|
||||
return ctx.errorResponse(res, 401, 'Session expired or invalid', { authenticated: false });
|
||||
}, 'totp-check-session'));
|
||||
|
||||
// Disable TOTP
|
||||
router.post('/totp/disable', ctx.asyncHandler(async (req, res) => {
|
||||
const { code } = req.body;
|
||||
|
||||
if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp && code) {
|
||||
const { authenticator } = require('otplib');
|
||||
const secret = await ctx.credentialManager.retrieve('totp.secret');
|
||||
if (secret) {
|
||||
authenticator.options = { window: 1 };
|
||||
if (!authenticator.verify({ token: code, secret })) {
|
||||
return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
await ctx.credentialManager.delete('totp.secret');
|
||||
await ctx.credentialManager.delete('totp.pending_secret');
|
||||
|
||||
ctx.totpConfig.enabled = false;
|
||||
ctx.totpConfig.isSetUp = false;
|
||||
ctx.totpConfig.sessionDuration = 'never';
|
||||
delete ctx.totpConfig.secret; // Remove backup
|
||||
await ctx.saveTotpConfig();
|
||||
|
||||
ctx.session.clear(req);
|
||||
ctx.session.clearCookie(res);
|
||||
res.json({ success: true, message: 'TOTP disabled' });
|
||||
}, 'totp-disable'));
|
||||
|
||||
// Update TOTP settings (session duration)
|
||||
router.post('/totp/config', ctx.asyncHandler(async (req, res) => {
|
||||
const { sessionDuration } = req.body;
|
||||
|
||||
if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
|
||||
return ctx.errorResponse(res, 400, 'Invalid session duration', {
|
||||
validOptions: Object.keys(ctx.session.durations)
|
||||
});
|
||||
}
|
||||
|
||||
if (sessionDuration) {
|
||||
ctx.totpConfig.sessionDuration = sessionDuration;
|
||||
if (sessionDuration === 'never') {
|
||||
ctx.totpConfig.enabled = false;
|
||||
}
|
||||
}
|
||||
|
||||
await ctx.saveTotpConfig();
|
||||
res.json({
|
||||
success: true,
|
||||
config: { enabled: ctx.totpConfig.enabled, sessionDuration: ctx.totpConfig.sessionDuration, isSetUp: ctx.totpConfig.isSetUp }
|
||||
});
|
||||
}, 'totp-config'));
|
||||
|
||||
return router;
|
||||
};
|
||||
Reference in New Issue
Block a user