sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5cd8678b05c76523089a644dd9defe009795abd
dashcaddy/dashcaddy-api/routes/auth/totp.js
Sami b4022288dc fix: service edit, CSRF token stability, and license restore (v1.1.1) 
- Fix service edit double-write bug (was creating duplicate entries)
- Add editable display name field to service edit modal
- Backend update endpoint now accepts name, logo, and recalculates url
- Fix CSRF token regeneration breaking all POST requests (nonce was
  being regenerated on every request, invalidating cached tokens)
- CSRF nonce now persists across requests, rotated only on TOTP login
- Frontend secureFetch auto-retries on CSRF failure with fresh token
- Restore lifetime license activation on DNS2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 13:39:05 -07:00

194 lines
7.2 KiB
JavaScript
Raw Blame History

const express = require('express');
const { renewCSRFToken } = require('../../csrf-protection');
module.exports = function(ctx) {
const router = express.Router();
// Get current TOTP config (public route)
router.get('/totp/config', ctx.asyncHandler(async (req, res) => {
res.json({
success: true,
config: {
enabled: ctx.totpConfig.enabled,
sessionDuration: ctx.totpConfig.sessionDuration,
isSetUp: ctx.totpConfig.isSetUp
}
});
}, 'totp-config-get'));
// Generate new TOTP secret + QR code
router.post('/totp/setup', ctx.asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const QRCode = require('qrcode');
// Accept user-provided secret or generate a new one
let secret;
if (req.body && req.body.secret) {
secret = req.body.secret.replace(/\s/g, '').toUpperCase();
if (!/^[A-Z2-7]{16,}$/.test(secret)) {
return ctx.errorResponse(res, 400, 'Invalid secret key format. Must be a Base32 string (letters A-Z and digits 2-7).');
}
} else {
secret = authenticator.generateSecret();
}
await ctx.credentialManager.store('totp.pending_secret', secret);
const otpauth = authenticator.keyuri('user', 'DashCaddy', secret);
const qrDataUrl = await QRCode.toDataURL(otpauth, {
width: 256, margin: 2,
color: { dark: '#ffffff', light: '#00000000' }
});
res.json({ success: true, qrCode: qrDataUrl, manualKey: secret, issuer: 'DashCaddy', imported: !!req.body?.secret });
}, 'totp-setup'));
// Verify first code to confirm setup, then activate TOTP
router.post('/totp/verify-setup', ctx.asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const { code } = req.body;
if (!code || !/^\d{6}$/.test(code)) {
return ctx.errorResponse(res, 400, 'Invalid code format');
}
const pendingSecret = await ctx.credentialManager.retrieve('totp.pending_secret');
if (!pendingSecret) {
return ctx.errorResponse(res, 400, 'No pending TOTP setup. Call /api/totp/setup first.');
}
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret: pendingSecret })) {
return ctx.errorResponse(res, 401, '[DC-111] Invalid code. Please try again.');
}
// Promote pending secret to active
await ctx.credentialManager.store('totp.secret', pendingSecret);
await ctx.credentialManager.delete('totp.pending_secret');
ctx.totpConfig.isSetUp = true;
ctx.totpConfig.enabled = true;
if (ctx.totpConfig.sessionDuration === 'never') {
ctx.totpConfig.sessionDuration = '24h';
}
await ctx.saveTotpConfig();
// Set session so user doesn't get locked out immediately
ctx.session.create(req, ctx.totpConfig.sessionDuration);
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
res.json({ success: true, message: 'TOTP enabled successfully', sessionDuration: ctx.totpConfig.sessionDuration });
}, 'totp-verify-setup'));
// Login: verify TOTP code and set session cookie
router.post('/totp/verify', ctx.asyncHandler(async (req, res) => {
const { authenticator } = require('otplib');
const { code } = req.body;
if (!code || !/^\d{6}$/.test(code)) {
return ctx.errorResponse(res, 400, 'Invalid code format');
}
if (!ctx.totpConfig.enabled || !ctx.totpConfig.isSetUp) {
return ctx.errorResponse(res, 400, 'TOTP is not enabled');
}
const secret = await ctx.credentialManager.retrieve('totp.secret');
if (!secret) {
return ctx.errorResponse(res, 500, 'TOTP secret not found');
}
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret })) {
return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
}
ctx.log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
ctx.session.create(req, ctx.totpConfig.sessionDuration);
ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
// Rotate CSRF token for the new session
const newCsrfToken = renewCSRFToken(res, req.secure || req.protocol === 'https');
ctx.log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration, csrfToken: newCsrfToken });
}, 'totp-verify'));
// Check session validity (used by Caddy forward_auth)
router.get('/totp/check-session', ctx.asyncHandler(async (req, res) => {
// Never cache session checks — stale cached 200s cause auth loops
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
res.setHeader('Pragma', 'no-cache');
if (!ctx.totpConfig.enabled || ctx.totpConfig.sessionDuration === 'never') {
return res.status(200).json({ authenticated: true });
}
const valid = ctx.session.isValid(req);
ctx.log.debug('auth', 'Session check', { ip: ctx.session.getClientIP(req), valid, sessions: ctx.session.ipSessions.size });
if (valid) {
return res.status(200).json({ authenticated: true });
}
return ctx.errorResponse(res, 401, 'Session expired or invalid', { authenticated: false });
}, 'totp-check-session'));
// Disable TOTP
router.post('/totp/disable', ctx.asyncHandler(async (req, res) => {
const { code } = req.body;
// Always require a valid TOTP code when TOTP is active
if (ctx.totpConfig.enabled && ctx.totpConfig.isSetUp) {
if (!code || !/^\d{6}$/.test(code)) {
return ctx.errorResponse(res, 400, 'A valid TOTP code is required to disable TOTP');
}
const { authenticator } = require('otplib');
const secret = await ctx.credentialManager.retrieve('totp.secret');
if (secret) {
authenticator.options = { window: 1 };
if (!authenticator.verify({ token: code, secret })) {
return ctx.errorResponse(res, 401, '[DC-111] Invalid code');
}
}
}
await ctx.credentialManager.delete('totp.secret');
await ctx.credentialManager.delete('totp.pending_secret');
ctx.totpConfig.enabled = false;
ctx.totpConfig.isSetUp = false;
ctx.totpConfig.sessionDuration = 'never';
delete ctx.totpConfig.secret; // Remove backup
await ctx.saveTotpConfig();
ctx.session.clear(req);
ctx.session.clearCookie(res);
res.json({ success: true, message: 'TOTP disabled' });
}, 'totp-disable'));
// Update TOTP settings (session duration)
router.post('/totp/config', ctx.asyncHandler(async (req, res) => {
const { sessionDuration } = req.body;
if (sessionDuration && !ctx.session.durations.hasOwnProperty(sessionDuration)) {
return ctx.errorResponse(res, 400, 'Invalid session duration', {
validOptions: Object.keys(ctx.session.durations)
});
}
if (sessionDuration) {
ctx.totpConfig.sessionDuration = sessionDuration;
if (sessionDuration === 'never') {
ctx.totpConfig.enabled = false;
}
}
await ctx.saveTotpConfig();
res.json({
success: true,
config: { enabled: ctx.totpConfig.enabled, sessionDuration: ctx.totpConfig.sessionDuration, isSetUp: ctx.totpConfig.isSetUp }
});
}, 'totp-config'));
return router;
};
Reference in New Issue View Git Blame Copy Permalink