sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
77ae8171b8177b74ef5708e799f361572d27c63e
dashcaddy/dashcaddy-api/routes/auth/totp.js
Krystie df3e8efdd0 Refactor auth routes: explicit dependency injection 
- Updated all auth route modules to use destructured dependencies
- Added JSDoc comments for factory functions
- Replaced ctx. references with direct parameter access
- Updated auth/index.js to extract and pass explicit dependencies
- sso-gate.js maintains session helper exports from session-handlers
- All files pass syntax validation

Files refactored:
- routes/auth/keys.js
- routes/auth/session-handlers.js
- routes/auth/sso-gate.js
- routes/auth/totp.js
- routes/auth/index.js (orchestrator)
2026-03-29 21:42:30 -07:00

204 lines
7.7 KiB
JavaScript
Raw Blame History

const express = require('express');
const { renewCSRFToken } = require('../../csrf-protection');
const { ValidationError, AuthenticationError } = require('../../errors');
module.exports = function({ authManager, asyncHandler, errorResponse, log }) {
const router = express.Router();
/**
* Auth TOTP routes factory
* @param {Object} deps - Explicit dependencies
* @param {Object} deps.authManager - Auth manager
* @param {Function} deps.asyncHandler - Async route handler wrapper
* @param {Function} deps.errorResponse - Error response helper
* @param {Object} deps.log - Logger instance
* @returns {express.Router}
*/
// Get current TOTP config (public route)
router.get('/totp/config', asyncHandler(async (req, res) => {
res.json({
success: true,
config: {
enabled: ctx.totpConfig.enabled,
sessionDuration: ctx.totpConfig.sessionDuration,
isSetUp: ctx.totpConfig.isSetUp
}
});
}, 'totp-config-get'));
// Generate new TOTP secret + QR code
router.post('/totp/setup', asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const QRCode = require('qrcode');
// Accept user-provided secret or generate a new one
let secret;
if (req.body && req.body.secret) {
secret = req.body.secret.replace(/\s/g, '').toUpperCase();
// Normalize common Base32 confusions: 0→O, 1→L, 8→B
secret = secret.replace(/0/g, 'O').replace(/1/g, 'L').replace(/8/g, 'B');
if (!/^[A-Z2-7]{16,}$/.test(secret)) {
throw new ValidationError('Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).', 'secret');
}
} else {
secret = authenticator.generateSecret();
}
await ctx.credentialManager.store('totp.pending_secret', secret);
const otpauth = authenticator.keyuri('user', 'DashCaddy', secret);
const qrDataUrl = await QRCode.toDataURL(otpauth, {
width: 256, margin: 2,
color: { dark: '#ffffff', light: '#00000000' }
});
res.json({ success: true, qrCode: qrDataUrl, manualKey: secret, issuer: 'DashCaddy', imported: !!req.body?.secret });
}, 'totp-setup'));
// Verify first code to confirm setup, then activate TOTP
router.post('/totp/verify-setup', asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const { code } = req.body;
if (!code || !/^\d{6}$/.test(code)) {
throw new ValidationError('Invalid code format', 'code');
}
const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
if (!pendingSecret) {
throw new ValidationError('No pending TOTP setup. Call /api/totp/setup first.');
}
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret: pendingSecret })) {
throw new AuthenticationError('[DC-111] Invalid code. Please try again.');
}
// Promote pending secret to active
await ctx.credentialManager.store('totp.secret', pendingSecret);
await ctx.credentialManager.delete('totp.pending_secret');
ctx.totpConfig.isSetUp = true;
ctx.totpConfig.enabled = true;
if (ctx.totpConfig.sessionDuration === 'never') {
ctx.totpConfig.sessionDuration = '24h';
}
await ctx.saveTotpConfig();
// Set session so user doesn't get locked out immediately
ctx.session.create(req, ctx.totpConfig.sessionDuration);
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
res.json({ success: true, message: 'TOTP enabled successfully', sessionDuration: ctx.totpConfig.sessionDuration });
}, 'totp-verify-setup'));
// Login: verify TOTP code and set session cookie
router.post('/totp/verify', asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const { code } = req.body;
if (!code || !/^\d{6}$/.test(code)) {
throw new ValidationError('Invalid code format', 'code');
}
if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
throw new ValidationError('TOTP is not enabled');
}
const secret = await ctx.credentialManager.retrieve('totp.secret');
if (!secret) {
throw new Error('TOTP secret not found');
}
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret })) {
throw new AuthenticationError('[DC-111] Invalid code');
}
log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
ctx.session.create(req, ctx.totpConfig.sessionDuration);
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
// Rotate CSRF token for the new session
const newCsrfToken = renewCSRFToken(res, req.secure || req.protocol === 'https');
log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration, csrfToken: newCsrfToken });
}, 'totp-verify'));
// Check session validity (used by Caddy forward_auth)
router.get('/totp/check-session', asyncHandler(async (req, res) => {
// Never cache session checks — stale cached 200s cause auth loops
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
res.setHeader('Pragma', 'no-cache');
if (!ctx.totpConfig.enabled || ctx.totpConfig.sessionDuration === 'never') {
return res.status(200).json({ authenticated: true });
}
const valid = ctx.session.isValid(req);
log.debug('auth', 'Session check', { ip: ctx.session.getClientIP(req), valid, sessions: ctx.session.ipSessions.size });
if (valid) {
return res.status(200).json({ authenticated: true });
}
throw new AuthenticationError('Session expired or invalid');
}, 'totp-check-session'));
// Disable TOTP
router.post('/totp/disable', asyncHandler(async (req, res) => {
const { code } = req.body;
// Always require a valid TOTP code when TOTP is active
if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
if (!code || !/^\d{6}$/.test(code)) {
throw new ValidationError('A valid TOTP code is required to disable TOTP', 'code');
}
const { authenticator } = require('otplib');
const secret = await ctx.credentialManager.retrieve('totp.secret');
if (secret) {
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret })) {
throw new AuthenticationError('[DC-111] Invalid code');
}
}
}
await ctx.credentialManager.delete('totp.secret');
await ctx.credentialManager.delete('totp.pending_secret');
ctx.totpConfig.enabled = false;
ctx.totpConfig.isSetUp = false;
ctx.totpConfig.sessionDuration = 'never';
delete ctx.totpConfig.secret; // Remove backup
await ctx.saveTotpConfig();
ctx.session.clear(req);
ctx.session.clearCookie(res);
res.json({ success: true, message: 'TOTP disabled' });
}, 'totp-disable'));
// Update TOTP settings (session duration)
router.post('/totp/config', asyncHandler(async (req, res) => {
const { sessionDuration } = req.body;
if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
throw new ValidationError(`Invalid session duration. Valid options: ${Object.keys(ctx.session.durations).join(', ')}`, 'sessionDuration');
}
if (sessionDuration) {
ctx.totpConfig.sessionDuration = sessionDuration;
if (sessionDuration === 'never') {
ctx.totpConfig.enabled = false;
}
}
await ctx.saveTotpConfig();
res.json({
success: true,
config: { enabled: ctx.totpConfig.enabled, sessionDuration: ctx.totpConfig.sessionDuration, isSetUp: ctx.totpConfig.isSetUp }
});
}, 'totp-config'));
return router;
};
Reference in New Issue View Git Blame Copy Permalink