.type-contentWidget .note-detail {
height: 100%;
}
-
+
.note-detail-content-widget {
height: 100%;
}
-
+
.note-detail-content-widget-content {
padding: 15px;
height: 100%;
@@ -82,6 +83,7 @@ const CONTENT_WIDGETS = {
_optionsImages: [ ImageOptions ],
_optionsSpellcheck: [ SpellcheckOptions ],
_optionsPassword: [ PasswordOptions ],
+ _optionsMFA: [ MultiFactorAuthenticationOptions ],
_optionsEtapi: [ EtapiOptions ],
_optionsBackup: [ BackupOptions ],
_optionsSync: [ SyncOptions ],
diff --git a/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js b/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
new file mode 100644
index 000000000..f4f5ee365
--- /dev/null
+++ b/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
@@ -0,0 +1,220 @@
+import server from "../../../services/server.js";
+import toastService from "../../../services/toast.js";
+import OptionsWidget from "./options_widget.js";
+
+const TPL = `
+
+
What is Multi-Factor Authentication?
+
+ Multi-Factor Authentication (MFA) adds an extra layer of security to your account. Instead
+ of just entering a password to log in, MFA requires you to provide one or more additional
+ pieces of evidence to verify your identity. This way, even if someone gets hold of your
+ password, they still ca TOTP_ENABLED is not set in environment variable. Requires restart.n't access your account without the second piece of information.
+ It's like adding an extra lock to your door, making it much harder for anyone else to
+ break in.
+
+
+
+
OAuth/OpenID
+
OpenID is a standardized way to let you log into websites using an account from another service, like Google, to verify your identity.
+
+
+ OAuth/OpenID Enabled
+
+
+
+
+ User Account: Not logged in!
+ User Email: Not logged in!
+
+
+
+
+
Time-based One-Time Password
+
+
+ TOTP Enabled
+
+
+
+
+ TOTP (Time-Based One-Time Password) is a security feature that generates a unique, temporary
+ code which changes every 30 seconds. You use this code, along with your password to log into your
+ account, making it much harder for anyone else to access it.
+
+
+
+
Generate TOTP Secret
+ TOTP Secret Key
+ Generate TOTP Secret
+
+
+
+
Single Sign-on Recovery Keys
+
Single sign-on recovery keys are used to login in the event you cannot access your Authenticator codes. Keep them somewhere safe and secure.
+
+
After a recovery key is used it cannot be used again.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Generate Recovery Keys
+
+`;
+
+export default class MultiFactorAuthenticationOptions extends OptionsWidget {
+ doRender() {
+ this.$widget = $(TPL);
+
+ this.$regenerateTotpButton = this.$widget.find(".regenerate-totp");
+ this.$totpEnabled = this.$widget.find(".totp-enabled");
+ this.$totpSecret = this.$widget.find(".totp-secret");
+ this.$totpSecretInput = this.$widget.find(".totp-secret-input");
+ this.$authenticatorCode = this.$widget.find(".authenticator-code");
+ this.$generateRecoveryCodeButton = this.$widget.find(
+ ".generate-recovery-code"
+ );
+ this.$oAuthEnabledCheckbox = this.$widget.find(".oauth-enabled-checkbox");
+ this.$oauthLoginButton = this.$widget.find(".oauth-login-button");
+ this.$UserAccountName = this.$widget.find(".user-account-name");
+ this.$UserAccountEmail = this.$widget.find(".user-account-email");
+ this.$envEnabledTOTP = this.$widget.find(".env-totp-enabled");
+ this.$envEnabledOAuth = this.$widget.find(".env-oauth-enabled");
+
+
+ this.$recoveryKeys = [];
+
+ for (let i = 0; i < 8; i++)
+ {
+ this.$recoveryKeys.push(this.$widget.find(".key_" + i));
+ }
+
+ this.$generateRecoveryCodeButton.on("click", async () => {
+ this.setRecoveryKeys();
+ });
+
+ this.$regenerateTotpButton.on("click", async () => {
+ this.generateKey();
+ });
+
+ this.$protectedSessionTimeout = this.$widget.find(
+ ".protected-session-timeout-in-seconds"
+ );
+ this.$protectedSessionTimeout.on("change", () =>
+ this.updateOption(
+ "protectedSessionTimeout",
+ this.$protectedSessionTimeout.val()
+ )
+ );
+
+ this.displayRecoveryKeys();
+ }
+
+ async setRecoveryKeys() {
+ server.get("totp_recovery/generate").then((result) => {
+ if (!result.success) {
+ toastService.showError("Error in revevery code generation!");
+ return;
+ }
+ this.keyFiller(result.recoveryCodes);
+ server.post("totp_recovery/set", {
+ recoveryCodes: result.recoveryCodes,
+ });
+ });
+ }
+
+ async keyFiller(values) {
+ // Forces values to be a string so it doesn't error out when I split.
+ // Will be a non-issue when I update everything to typescript.
+ const keys = (values + "").split(",");
+ for (let i = 0; i < keys.length; i++) this.$recoveryKeys[i].text(keys[i]);
+ }
+
+ async generateKey() {
+ server.get("totp/generate").then((result) => {
+ if (result.success) {
+ this.$totpSecret.text(result.message);
+ } else {
+ toastService.showError(result.message);
+ }
+ });
+ }
+
+ optionsLoaded(options) {
+ server.get("oauth/status").then((result) => {
+ if (result.enabled) {
+ this.$oAuthEnabledCheckbox.prop("checked", result.enabled);
+ this.$UserAccountName.text(result.name);
+ this.$UserAccountEmail.text(result.email);
+ }else
+ this.$envEnabledOAuth.text(
+ "set SSO_ENABLED as environment variable to 'true' to enable (Requires restart)"
+ );
+ });
+
+ server.get("totp/status").then((result) => {
+ if (result.enabled){
+ this.$totpEnabled.prop("checked", result.message);
+ this.$authenticatorCode.prop("disabled", !result.message);
+ this.$generateRecoveryCodeButton.prop("disabled", !result.message);
+ }
+ else {
+ this.$totpEnabled.prop("checked", false);
+ this.$totpEnabled.prop("disabled", true);
+ this.$authenticatorCode.prop("disabled", true);
+ this.$generateRecoveryCodeButton.prop("disabled", true);
+
+ this.$envEnabledTOTP.text(
+ "Set TOTP_ENABLED as environment variable to 'true' to enable (Requires restart)"
+ );
+ }
+ });
+ this.$protectedSessionTimeout.val(options.protectedSessionTimeout);
+ }
+
+ displayRecoveryKeys() {
+ server.get("totp_recovery/enabled").then((result) => {
+ if (!result.success) {
+ this.keyFiller(Array(8).fill("Error generating recovery keys!"));
+ return;
+ }
+
+ if (!result.keysExist) {
+ this.keyFiller(Array(8).fill("No key set"));
+ this.$generateRecoveryCodeButton.text("Generate Recovery Codes");
+ return;
+ }
+ });
+ server.get("totp_recovery/used").then((result) => {
+ this.keyFiller((result.usedRecoveryCodes + "").split(","));
+ this.$generateRecoveryCodeButton.text("Regenerate Recovery Codes");
+ });
+ }
+}
diff --git a/src/routes/api/recovery_codes.ts b/src/routes/api/recovery_codes.ts
new file mode 100644
index 000000000..057914388
--- /dev/null
+++ b/src/routes/api/recovery_codes.ts
@@ -0,0 +1,51 @@
+import recovery_codes from'../../services/encryption/recovery_codes.js';
+import {Request} from 'express';
+import {randomBytes} from 'crypto';
+
+function setRecoveryCodes(req: Request) {
+ const success = recovery_codes.setRecoveryCodes(req.body.recoveryCodes);
+ return {success: success, message: 'Recovery codes set!'};
+}
+
+function veryifyRecoveryCode(req: Request) {
+ const success = recovery_codes.verifyRecoveryCode(req.body.recovery_code_guess);
+
+ return {success: success};
+}
+
+function checkForRecoveryKeys() {
+ return {success
+: true, keysExist: recovery_codes.isRecoveryCodeSet()};
+}
+
+function generateRecoveryCodes() {
+ const recoveryKeys = [
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64')
+ ];
+
+ recovery_codes.setRecoveryCodes(recoveryKeys.toString());
+
+ return {success: true, recoveryCodes: recoveryKeys.toString()};
+}
+
+function getUsedRecoveryCodes() {
+ return {
+ success: true,
+ usedRecoveryCodes: recovery_codes.getUsedRecoveryCodes().toString()
+ };
+}
+
+export default {
+ setRecoveryCodes,
+ generateRecoveryCodes,
+ veryifyRecoveryCode,
+ checkForRecoveryKeys,
+ getUsedRecoveryCodes
+};
\ No newline at end of file
diff --git a/src/routes/api/totp.ts b/src/routes/api/totp.ts
new file mode 100644
index 000000000..6435b796b
--- /dev/null
+++ b/src/routes/api/totp.ts
@@ -0,0 +1,31 @@
+import {generateSecret} from 'time2fa';
+
+function generateTOTPSecret() {
+ return {success: 'true', message: generateSecret()};
+}
+
+function getTotpEnabled() {
+ if (process.env.TOTP_ENABLED === undefined) {
+ return false;
+ }
+ if (process.env.TOTP_ENABLED.toLocaleLowerCase() !== 'true') {
+ return false;
+ }
+
+ return true;
+}
+
+function getTOTPStatus() {
+ const totpEnabled = getTotpEnabled();
+ return {success: true, message: totpEnabled, enabled: getTotpEnabled()};
+}
+
+function getSecret() {
+ return process.env.TOTP_SECRET;
+}
+
+export default {
+ generateSecret: generateTOTPSecret,
+ getTOTPStatus,
+ getSecret
+};
\ No newline at end of file
diff --git a/src/routes/login.ts b/src/routes/login.ts
index 4af0abda3..94c13e028 100644
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -9,16 +9,26 @@ import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import ValidationError from "../errors/validation_error.js";
import { Request, Response } from 'express';
+import recoveryCodeService from '../services/encryption/recovery_codes.js';
+import openIDService from '../services/open_id.js';
+import openIDEncryption from '../services/encryption/open_id_encryption.js';
+import totp from '../services/totp.js';
+import open_id from '../services/open_id.js';
function loginPage(req: Request, res: Response) {
- res.render('login', {
+ if (open_id.isOpenIDEnabled()) {
+ res.redirect('/authenticate');
+ } else {
+ res.render('login', {
failedAuth: false,
+ totpEnabled: totp.isTotpEnabled(),
assetPath: assetPath,
- appPath: appPath
- });
-}
+ appPath: appPath,
+ });
+ }
+ }
-function setPasswordPage(req: Request, res: Response) {
+ function setPasswordPage(req: Request, res: Response) {
res.render('set_password', {
error: false,
assetPath: assetPath,
@@ -58,8 +68,16 @@ function setPassword(req: Request, res: Response) {
function login(req: Request, res: Response) {
const guessedPassword = req.body.password;
+ const guessedTotp = req.body.token;
if (verifyPassword(guessedPassword)) {
+ if (totp.isTotpEnabled()){
+ if (!verifyTOTP(guessedTotp)) {
+ sendLoginError(req, res);
+ return;
+ }
+ }
+
const rememberMe = req.body.rememberMe;
req.session.regenerate(() => {
@@ -74,16 +92,18 @@ function login(req: Request, res: Response) {
});
}
else {
- // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
- log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
-
- res.status(401).render('login', {
- failedAuth: true,
- assetPath: assetPath
- });
+ sendLoginError(req, res);
}
}
+function verifyTOTP(guessedToken: string) {
+ if (totp.validateTOTP(guessedToken)) return true;
+
+ const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(guessedToken);
+
+ return recoveryCodeValidates;
+}
+
function verifyPassword(guessedPassword: string) {
const hashed_password = utils.fromBase64(optionService.getOption('passwordVerificationHash'));
@@ -92,11 +112,27 @@ function verifyPassword(guessedPassword: string) {
return guess_hashed.equals(hashed_password);
}
+function sendLoginError(req: Request, res: Response) {
+ // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
+ if ( totp.isTotpEnabled( )){
+ log.info(`WARNING: Wrong password or TOTP from ${req.ip}, rejecting.`);
+ }else{
+ log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
+ }
+
+ res.status(401).render('login', {
+ failedAuth: true,
+ totpEnabled: optionService.getOption('totpEnabled') && totp.checkForTotSecret(),
+ assetPath: assetPath,
+ });
+}
+
function logout(req: Request, res: Response) {
req.session.regenerate(() => {
req.session.loggedIn = false;
-
- res.redirect('login');
+ if (openIDService.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {
+ res.oidc.logout({ returnTo: '/authenticate' });
+ } else res.redirect('login');
});
}
diff --git a/src/routes/routes.ts b/src/routes/routes.ts
index ac26999f6..7c07708c5 100644
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@@ -6,6 +6,9 @@ import log from "../services/log.js";
import express from "express";
const router = express.Router();
import auth from "../services/auth.js";
+import openID from '../services/open_id.js';
+import totp from './api/totp.js';
+import recoveryCodes from './api/recovery_codes.js';
import cls from "../services/cls.js";
import sql from "../services/sql.js";
import entityChangesService from "../services/entity_changes.js";
@@ -71,6 +74,7 @@ import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";
+
const csrfMiddleware = csurf({
cookie: {
path: "" // empty, so cookie is valid only for the current path
@@ -117,6 +121,20 @@ function register(app: express.Application) {
route(PST, '/set-password', [auth.checkAppInitialized, auth.checkPasswordNotSet], loginRoute.setPassword);
route(GET, '/setup', [], setupRoute.setupPage);
+
+ apiRoute(GET, '/api/totp/generate', totp.generateSecret);
+ apiRoute(GET, '/api/totp/status', totp.getTOTPStatus);
+ apiRoute(GET, '/api/totp/get', totp.getSecret);
+
+ apiRoute(GET, '/api/oauth/status', openID.getOAuthStatus);
+ apiRoute(GET, '/api/oauth/validate', openID.isTokenValid);
+
+ apiRoute(PST, '/api/totp_recovery/set', recoveryCodes.setRecoveryCodes);
+ apiRoute(PST, '/api/totp_recovery/verify', recoveryCodes.veryifyRecoveryCode);
+ apiRoute(GET, '/api/totp_recovery/generate', recoveryCodes.generateRecoveryCodes);
+ apiRoute(GET, '/api/totp_recovery/enabled', recoveryCodes.checkForRecoveryKeys);
+ apiRoute(GET, '/api/totp_recovery/used', recoveryCodes.getUsedRecoveryCodes);
+
apiRoute(GET, '/api/tree', treeApiRoute.getTree);
apiRoute(PST, '/api/tree/load', treeApiRoute.load);
diff --git a/src/services/auth.ts b/src/services/auth.ts
index b7f183fc4..ba416902b 100644
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -8,17 +8,32 @@ import passwordEncryptionService from "./encryption/password_encryption.js";
import config from "./config.js";
import passwordService from "./encryption/password.js";
import type { NextFunction, Request, Response } from 'express';
+import openID from './open_id.js';
+import open_id_encryption from './encryption/open_id_encryption.js';
const noAuthentication = config.General && config.General.noAuthentication === true;
function checkAuth(req: Request, res: Response, next: NextFunction) {
if (!sqlInit.isDbInitialized()) {
- res.redirect("setup");
- }
- else if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {
- res.redirect("login");
- }
- else {
+ res.redirect('setup');
+ } else if (openID.checkOpenIDRequirements()) {
+ if (
+ req.oidc.isAuthenticated() &&
+ open_id_encryption.verifyOpenIDSubjectIdentifier(req.oidc.user?.sub)
+ ) {
+ req.session.loggedIn = true;
+ next();
+ } else {
+ req.session.loggedIn = false;
+ res.oidc.login({});
+ }
+ } else if (
+ !req.session.loggedIn &&
+ !utils.isElectron() &&
+ !noAuthentication
+ ) {
+ res.redirect('login');
+ } else {
next();
}
}
diff --git a/src/services/encryption/my_scrypt.ts b/src/services/encryption/my_scrypt.ts
index 658f4f230..589da6eed 100644
--- a/src/services/encryption/my_scrypt.ts
+++ b/src/services/encryption/my_scrypt.ts
@@ -2,6 +2,7 @@
import optionService from "../options.js";
import crypto from "crypto";
+import sql from "../sql.js";
function getVerificationHash(password: crypto.BinaryLike) {
const salt = optionService.getOption('passwordVerificationSalt');
@@ -22,7 +23,45 @@ function getScryptHash(password: crypto.BinaryLike, salt: crypto.BinaryLike) {
return hashed;
}
+function getSubjectIdentifierVerificationHash(
+ guessedUserId: string | crypto.BinaryLike,
+ salt?: string
+) {
+ if (salt != null) return getScryptHash(guessedUserId, salt);
+
+ const savedSalt = sql.getValue("SELECT salt FROM user_data;");
+ if (savedSalt === undefined || savedSalt === null) {
+ console.log("User salt undefined!");
+ return undefined;
+ }
+ return getScryptHash(guessedUserId, savedSalt.toString());
+}
+
+function getSubjectIdentifierDerivedKey(
+ subjectIdentifer: crypto.BinaryLike,
+ givenSalt?: string
+) {
+ if (givenSalt !== undefined) {
+ return getScryptHash(subjectIdentifer, givenSalt.toString());
+ }
+
+ const salt = sql.getValue("SELECT salt FROM user_data;");
+ if (salt === undefined || salt === null) return undefined;
+
+ return getScryptHash(subjectIdentifer, salt.toString());
+}
+
+function createSubjectIdentifierDerivedKey(
+ subjectIdentifer: string | crypto.BinaryLike,
+ salt: string | crypto.BinaryLike
+) {
+ return getScryptHash(subjectIdentifer, salt);
+}
+
export default {
getVerificationHash,
- getPasswordDerivedKey
+ getPasswordDerivedKey,
+ getSubjectIdentifierVerificationHash,
+ getSubjectIdentifierDerivedKey,
+ createSubjectIdentifierDerivedKey
};
diff --git a/src/services/encryption/open_id_encryption.ts b/src/services/encryption/open_id_encryption.ts
new file mode 100644
index 000000000..76b1812b7
--- /dev/null
+++ b/src/services/encryption/open_id_encryption.ts
@@ -0,0 +1,145 @@
+import myScryptService from "./my_scrypt.js";
+import utils from "../utils.js";
+import dataEncryptionService from "./data_encryption.js";
+import sql from "../sql.js";
+import sqlInit from "../sql_init.js";
+import OpenIDError from "../../errors/open_id_error.js";
+
+function saveUser(subjectIdentifier: string, name: string, email: string) {
+ if (isUserSaved()) return false;
+
+ const verificationSalt = utils.randomSecureToken(32);
+ const derivedKeySalt = utils.randomSecureToken(32);
+
+ const verificationHash = myScryptService.getSubjectIdentifierVerificationHash(
+ subjectIdentifier,
+ verificationSalt
+ );
+ if (verificationHash === undefined) {
+ throw new OpenIDError("Verification hash undefined!")
+ }
+
+ const userIDEncryptedDataKey = setDataKey(
+ subjectIdentifier,
+ utils.randomSecureToken(16),
+ verificationSalt
+ );
+
+ if (userIDEncryptedDataKey === undefined || userIDEncryptedDataKey === null) {
+ console.log("USERID ENCRYPTED DATA KEY NULL");
+ return undefined;
+ }
+
+ const data = {
+ tmpID: 0,
+ userIDVerificationHash: utils.toBase64(verificationHash),
+ salt: verificationSalt,
+ derivedKey: derivedKeySalt,
+ userIDEcnryptedDataKey: userIDEncryptedDataKey,
+ isSetup: "true",
+ username: name,
+ email: email
+ };
+
+ sql.upsert("user_data", "tmpID", data);
+ return true;
+}
+
+function isSubjectIdentifierSaved() {
+ const value = sql.getValue("SELECT userIDEcnryptedDataKey FROM user_data;");
+ if (value === undefined || value === null || value === "") return false;
+ return true;
+}
+
+function isUserSaved() {
+ const isSaved = sql.getValue
("SELECT isSetup FROM user_data;");
+ return isSaved === "true" ? true : false;
+}
+
+function verifyOpenIDSubjectIdentifier(subjectIdentifier: string) {
+ if (!sqlInit.isDbInitialized()) {
+ throw new OpenIDError("Database not initialized!");
+ }
+
+ if (isUserSaved()) {
+ return false;
+ }
+
+ const salt = sql.getValue("SELECT salt FROM user_data;");
+ if (salt == undefined) {
+ console.log("Salt undefined");
+ return undefined;
+ }
+
+ const givenHash = myScryptService
+ .getSubjectIdentifierVerificationHash(subjectIdentifier)
+ ?.toString("base64");
+ if (givenHash === undefined) {
+ console.log("Sub id hash undefined!");
+ return undefined;
+ }
+
+ const savedHash = sql.getValue(
+ "SELECT userIDVerificationHash FROM user_data"
+ );
+ if (savedHash === undefined) {
+ console.log("verification hash undefined");
+ return undefined;
+ }
+
+ console.log("Matches: " + givenHash === savedHash);
+ return givenHash === savedHash;
+}
+
+function setDataKey(
+ subjectIdentifier: string,
+ plainTextDataKey: string | Buffer,
+ salt: string
+) {
+ const subjectIdentifierDerivedKey =
+ myScryptService.getSubjectIdentifierDerivedKey(subjectIdentifier, salt);
+
+ if (subjectIdentifierDerivedKey === undefined) {
+ console.log("SOMETHING WENT WRONG SAVING USER ID DERIVED KEY");
+ return undefined;
+ }
+ const newEncryptedDataKey = dataEncryptionService.encrypt(
+ subjectIdentifierDerivedKey,
+ plainTextDataKey
+ );
+
+ return newEncryptedDataKey;
+}
+
+function getDataKey(subjectIdentifier: string) {
+ const subjectIdentifierDerivedKey =
+ myScryptService.getSubjectIdentifierDerivedKey(subjectIdentifier);
+
+ const encryptedDataKey = sql.getValue(
+ "SELECT userIDEcnryptedDataKey FROM user_data"
+ );
+
+ if (encryptedDataKey === undefined || encryptedDataKey === null) {
+ console.log("Encrypted data key empty!");
+ return undefined;
+ }
+
+ if (subjectIdentifierDerivedKey === undefined) {
+ console.log("SOMETHING WENT WRONG SAVING USER ID DERIVED KEY");
+ return undefined;
+ }
+ const decryptedDataKey = dataEncryptionService.decrypt(
+ subjectIdentifierDerivedKey,
+ encryptedDataKey.toString()
+ );
+
+ return decryptedDataKey;
+}
+
+export default {
+ verifyOpenIDSubjectIdentifier,
+ getDataKey,
+ setDataKey,
+ saveUser,
+ isSubjectIdentifierSaved,
+};
\ No newline at end of file
diff --git a/src/services/encryption/recovery_codes.ts b/src/services/encryption/recovery_codes.ts
new file mode 100644
index 000000000..c03256a83
--- /dev/null
+++ b/src/services/encryption/recovery_codes.ts
@@ -0,0 +1,90 @@
+'use strict';
+
+import sql from '../sql.js';
+import optionService from '../options.js';
+import crypto from 'crypto';
+
+function isRecoveryCodeSet() {
+ return optionService.getOptionBool('encryptedRecoveryCodes');
+}
+
+function setRecoveryCodes(recoveryCodes: string) {
+ const iv = crypto.randomBytes(16);
+ const securityKey = crypto.randomBytes(32);
+ const cipher = crypto.createCipheriv('aes-256-cbc', securityKey, iv);
+ let encryptedRecoveryCodes = cipher.update(recoveryCodes, 'utf-8', 'hex');
+
+ sql.transactional(() => {
+ optionService.setOption('recoveryCodeInitialVector', iv.toString('hex'));
+ optionService.setOption('recoveryCodeSecurityKey', securityKey.toString('hex'));
+ optionService.setOption('recoveryCodesEncrypted', encryptedRecoveryCodes + cipher.final('hex'));
+ optionService.setOption('encryptedRecoveryCodes', 'true');
+ return true;
+ });
+ return false;
+}
+function getRecoveryCodes() {
+ if (!isRecoveryCodeSet()) {
+ return Array(8).fill("Keys not set")
+ }
+
+ return sql.transactional(() => {
+ const iv = Buffer.from(optionService.getOption('recoveryCodeInitialVector'), 'hex');
+ const securityKey = Buffer.from(optionService.getOption('recoveryCodeSecurityKey'), 'hex');
+ const encryptedRecoveryCodes = optionService.getOption('recoveryCodesEncrypted');
+
+ const decipher = crypto.createDecipheriv('aes-256-cbc', securityKey, iv);
+ const decryptedData = decipher.update(encryptedRecoveryCodes, 'hex', 'utf-8');
+
+ const decryptedString = decryptedData + decipher.final('utf-8');
+ return decryptedString.split(',');
+ });
+}
+
+function removeRecoveryCode(usedCode: string) {
+ const oldCodes: string[] = getRecoveryCodes();
+ const today = new Date();
+ oldCodes[oldCodes.indexOf(usedCode)] = today.toJSON().replace(/-/g, '/');
+ setRecoveryCodes(oldCodes.toString());
+}
+
+function verifyRecoveryCode(recoveryCodeGuess: string) {
+ const recoveryCodeRegex = RegExp(/^.{22}==$/gm);
+ if (!recoveryCodeRegex.test(recoveryCodeGuess)) {
+ return false;
+ }
+
+ const recoveryCodes = getRecoveryCodes();
+ var loginSuccess = false;
+ recoveryCodes.forEach((recoveryCode: string) => {
+ if (recoveryCodeGuess === recoveryCode) {
+ removeRecoveryCode(recoveryCode);
+ loginSuccess = true;
+ return;
+ }
+ });
+ return loginSuccess;
+}
+
+function getUsedRecoveryCodes() {
+ if (!isRecoveryCodeSet()){
+ return Array(8).fill("Recovery code not set")
+ }
+
+ const dateRegex = RegExp(/^\d{4}\/\d{2}\/\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/gm);
+ const recoveryCodes = getRecoveryCodes();
+ const usedStatus: string[] = [];
+
+ recoveryCodes.forEach((recoveryKey: string) => {
+ if (dateRegex.test(recoveryKey)) usedStatus.push('Used: ' + recoveryKey);
+ else usedStatus.push('Recovery code ' + recoveryCodes.indexOf(recoveryKey) + ' is unused');
+ });
+ return usedStatus;
+}
+
+export default {
+ setRecoveryCodes,
+ verifyRecoveryCode,
+ getUsedRecoveryCodes,
+ isRecoveryCodeSet
+};
\ No newline at end of file
diff --git a/src/services/hidden_subtree.ts b/src/services/hidden_subtree.ts
index 9e29375fd..69db1e615 100644
--- a/src/services/hidden_subtree.ts
+++ b/src/services/hidden_subtree.ts
@@ -266,6 +266,7 @@ function buildHiddenSubtreeDefinition(): Item {
{ id: '_optionsImages', title: t("hidden-subtree.images-title"), type: 'contentWidget', icon: 'bx-image' },
{ id: '_optionsSpellcheck', title: t("hidden-subtree.spellcheck-title"), type: 'contentWidget', icon: 'bx-check-double' },
{ id: '_optionsPassword', title: t("hidden-subtree.password-title"), type: 'contentWidget', icon: 'bx-lock' },
+ { id: '_optionsMFA', title: 'MFA', type: 'contentWidget', icon: 'bx-lock '},
{ id: '_optionsEtapi', title: t("hidden-subtree.etapi-title"), type: 'contentWidget', icon: 'bx-extension' },
{ id: '_optionsBackup', title: t("hidden-subtree.backup-title"), type: 'contentWidget', icon: 'bx-data' },
{ id: '_optionsSync', title: t("hidden-subtree.sync-title"), type: 'contentWidget', icon: 'bx-wifi' },
diff --git a/src/services/open_id.ts b/src/services/open_id.ts
new file mode 100644
index 000000000..27e879452
--- /dev/null
+++ b/src/services/open_id.ts
@@ -0,0 +1,154 @@
+import OpenIDError from "../errors/open_id_error.js";
+import { NextFunction, Request, Response } from "express";
+import openIDEncryption from "./encryption/open_id_encryption.js";
+import sqlInit from "./sql_init.js";
+import options from "./options.js";
+import { Session, auth } from "express-openid-connect";
+import sql from "./sql.js";
+
+function isOpenIDEnabled() {
+ return checkOpenIDRequirements();
+}
+
+function isUserSaved() {
+ const data = sql.getValue("SELECT isSetup FROM user_data;");
+ return data === "true" ? true : false;
+}
+
+function getUsername() {
+ const username = sql.getValue("SELECT username FROM user_data;");
+ return username;
+}
+
+function getUserEmail() {
+ const email = sql.getValue("SELECT email FROM user_data;");
+ return email;
+}
+
+function clearSavedUser() {
+ sql.execute("DELETE FROM user_data");
+ options.setOption("isUserSaved", false);
+ return {
+ success: true,
+ message: "Account data removed."
+ };
+}
+
+function checkOpenIDRequirements() {
+ if (process.env.SSO_ENABLED === undefined) {
+ return false;
+ }
+ if (process.env.SSO_ENABLED.toLocaleLowerCase() !== "true") {
+ return false;
+ }
+
+ if (process.env.TOTP_ENABLED?.toLocaleLowerCase() === "true"){
+ throw new OpenIDError("Cannot enable both OpenID and TOTP!");
+ }
+
+ if (process.env.BASE_URL === undefined) {
+ throw new OpenIDError("BASE_URL is undefined in .env!");
+ }
+ if (process.env.CLIENT_ID === undefined) {
+ throw new OpenIDError("CLIENT_ID is undefined in .env!");
+ }
+ if (process.env.SECRET === undefined) {
+ throw new OpenIDError("SECRET is undefined in .env!");
+ }
+
+ return true;
+}
+
+function getOAuthStatus() {
+ return {
+ success: true,
+ name: getUsername(),
+ email: getUserEmail(),
+ enabled: isOpenIDEnabled(),
+ };
+}
+
+function isTokenValid(req: Request, res: Response, next: NextFunction) {
+ const userStatus = openIDEncryption.isSubjectIdentifierSaved();
+
+ if (req.oidc !== undefined) {
+ const result = req.oidc
+ .fetchUserInfo()
+ .then((result) => {
+ return {
+ success: true,
+ message: "Token is valid",
+ user: userStatus,
+ };
+ })
+ .catch((result) => {
+ return {
+ success: false,
+ message: "Token is not valid",
+ user: userStatus,
+ };
+ });
+ return result;
+ } else {
+ return {
+ success: false,
+ message: "Token not set up",
+ user: userStatus,
+ };
+ }
+}
+
+function generateOAuthConfig() {
+ const authRoutes = {
+ callback: "/callback",
+ login: "/authenticate",
+ postLogoutRedirect: "/login",
+ logout: "/logout",
+ };
+
+ const logoutParams = {
+ };
+
+ const authConfig = {
+ authRequired: true,
+ auth0Logout: false,
+ baseURL: process.env.BASE_URL,
+ clientID: process.env.CLIENT_ID,
+ issuerBaseURL: "https://accounts.google.com/.well-known/openid-configuration",
+ secret: process.env.SECRET,
+ clientSecret: process.env.SECRET,
+ authorizationParams: {
+ response_type: "code",
+ scope: "openid profile email",
+ },
+ routes: authRoutes,
+ idpLogout: false,
+ logoutParams: logoutParams,
+ afterCallback: async (req: Request, res: Response, session: Session) => {
+ if (!sqlInit.isDbInitialized()) return session;
+
+ if (isUserSaved()) return session;
+
+ if (req.oidc.user === undefined) {
+ console.log("user invalid!");
+ }else {
+ openIDEncryption.saveUser(
+ req.oidc.user.sub.toString(),
+ req.oidc.user.name.toString(),
+ req.oidc.user.email.toString());
+ }
+ return session;
+ },
+ };
+ return authConfig;
+}
+
+export default {
+ generateOAuthConfig,
+ getOAuthStatus,
+ isOpenIDEnabled,
+ clearSavedUser,
+ checkOpenIDRequirements,
+ isTokenValid,
+ isUserSaved,
+};
\ No newline at end of file
diff --git a/src/services/options_init.ts b/src/services/options_init.ts
index a48de12e3..43dd700a6 100644
--- a/src/services/options_init.ts
+++ b/src/services/options_init.ts
@@ -117,6 +117,10 @@ const defaultOptions: DefaultOption[] = [
{ name: 'customSearchEngineUrl', value: 'https://duckduckgo.com/?q={keyword}', isSynced: true },
{ name: 'promotedAttributesOpenInRibbon', value: 'true', isSynced: true },
{ name: 'editedNotesOpenInRibbon', value: 'true', isSynced: true },
+ { name: 'totpEnabled', value: 'false', isSynced: true},
+ { name: 'encryptedRecoveryCodes', value: 'false', isSynced: true},
+ { name: 'userSubjectIdentifierSaved', value: 'false', isSynced: true},
+ { name: 'oAuthEnabled', value: 'false', isSynced: true},
// Internationalization
{ name: 'locale', value: 'en', isSynced: true },
diff --git a/src/services/sql_init.ts b/src/services/sql_init.ts
index 0bcf77002..095e38220 100644
--- a/src/services/sql_init.ts
+++ b/src/services/sql_init.ts
@@ -47,6 +47,21 @@ async function initDbConnection() {
sql.execute('CREATE TEMP TABLE "param_list" (`paramId` TEXT NOT NULL PRIMARY KEY)');
+ sql.execute(`
+ CREATE TABLE IF NOT EXISTS "user_data"
+ (
+ tmpID INT,
+ username TEXT,
+ email TEXT,
+ userIDEcnryptedDataKey TEXT,
+ userIDVerificationHash TEXT,
+ salt TEXT,
+ derivedKey TEXT,
+ isSetup TEXT DEFAULT "false",
+ UNIQUE (tmpID),
+ PRIMARY KEY (tmpID)
+ );`)
+
dbReady.resolve();
}
diff --git a/src/services/totp.ts b/src/services/totp.ts
new file mode 100644
index 000000000..71580fb92
--- /dev/null
+++ b/src/services/totp.ts
@@ -0,0 +1,47 @@
+'use strict';
+
+import {Totp} from 'time2fa';
+
+function isTotpEnabled() {
+ if (process.env.TOTP_ENABLED === undefined) {
+ return false;
+ }
+ if (process.env.TOTP_SECRET === undefined) {
+ return false;
+ }
+ if (process.env.TOTP_ENABLED.toLocaleLowerCase() !== 'true') {
+ return false;
+ }
+
+ return true;
+}
+
+function getTotpSecret() {
+ return process.env.TOTP_SECRET;
+}
+
+function checkForTotSecret() {
+ if (process.env.TOTP_SECRET !== undefined) return true;
+ else return false;
+}
+
+function validateTOTP(guessedPasscode: string) {
+ if (process.env.TOTP_SECRET === undefined) return false;
+
+ try {
+ const valid = Totp.validate({
+ passcode: guessedPasscode,
+ secret: process.env.TOTP_SECRET.trim()
+ });
+ return valid;
+ } catch (e) {
+ return false;
+ }
+}
+
+export default {
+ isTotpEnabled,
+ getTotpSecret,
+ checkForTotSecret,
+ validateTOTP
+};
\ No newline at end of file
diff --git a/src/views/login.ejs b/src/views/login.ejs
index a17a58909..54b38e0b8 100644
--- a/src/views/login.ejs
+++ b/src/views/login.ejs
@@ -13,10 +13,17 @@
<%= t("login.heading") %>
<% if (failedAuth) { %>
-
- <%= t("login.incorrect-password") %>
-
+ <% if( totpEnabled ) { %>
+
+ Password or TOTP is incorrect. Please try again.
+
+ <% }else{ %>
+
+ Password is incorrect. Please try again.
+
+ <% } %>
<% } %>
+