MiauRizius/MiauInv
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

add rate limiting and 2fa hardening

Browse Source
This commit is contained in:
miaurizius
2026-06-10 01:35:36 +02:00
parent ae41b96fa4
commit 58f098d4ca
11 changed files with 410 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
handlers/account.go
View File

@@ -20,6 +20,8 @@ import (
"github.com/pquerna/otp/totp"
)
const recoveryCodeWarningThreshold = 3
func APIRegister(w http.ResponseWriter, r *http.Request) {
var user models.User
if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
@@ -59,6 +61,7 @@ func APIRegister(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusCreated)
log.Println("POST [api/register] " + r.RemoteAddr + ": Successfully created user")
}
func APILogin(w http.ResponseWriter, r *http.Request) {
var creds struct {
Username string `json:"username"`
@@ -91,7 +94,7 @@ func APILogin(w http.ResponseWriter, r *http.Request) {
}
if user.TwoFactorEnabled {
twoFactorToken, err := auth.GeneratePurposeJWT(user.ID, "2fa_login", secret, 5*time.Minute)
twoFactorToken, err := auth.GeneratePurposeJWT(user.ID, auth.PurposeTwoFactorLogin, secret, 5*time.Minute)
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate 2FA challenge", http.StatusInternalServerError)
@@ -109,6 +112,7 @@ func APILogin(w http.ResponseWriter, r *http.Request) {
issueLoginSession(w, r, user)
log.Println("POST [api/login] " + r.RemoteAddr + ": Successfully logged in")
}
func APILoginTwoFactor(w http.ResponseWriter, r *http.Request) {
var req struct {
TwoFactorToken string `json:"two_factor_token"`
@@ -121,7 +125,7 @@ func APILoginTwoFactor(w http.ResponseWriter, r *http.Request) {
}
secret := []byte(os.Getenv("JWT_SECRET"))
claims, err := auth.ValidatePurposeJWT(req.TwoFactorToken, "2fa_login", secret)
claims, err := auth.ValidatePurposeJWT(req.TwoFactorToken, auth.PurposeTwoFactorLogin, secret)
if err != nil {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid or expired 2FA challenge", http.StatusUnauthorized)
@@ -209,6 +213,7 @@ func AccountUpdateUsername(w http.ResponseWriter, r *http.Request) {
})
log.Println("POST [api/account/username] " + r.RemoteAddr + ": Updated username")
}
func AccountUpdatePassword(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -274,6 +279,7 @@ func AccountUpdatePassword(w http.ResponseWriter, r *http.Request) {
issueLoginSession(w, r, user)
log.Println("POST [api/account/password] " + r.RemoteAddr + ": Updated password")
}
func TwoFactorSetup(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -304,9 +310,17 @@ func TwoFactorSetup(w http.ResponseWriter, r *http.Request) {
return
}
if err := storage.SetUserTwoFactorSecret(user.ID, key.Secret()); err != nil {
secret := []byte(os.Getenv("JWT_SECRET"))
if len(secret) == 0 {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": Server misconfiguration")
http.Error(w, "Server misconfiguration", http.StatusInternalServerError)
return
}
setupToken, err := auth.GenerateTwoFactorSetupJWT(user.ID, key.Secret(), secret, 10*time.Minute)
if err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not save 2FA secret", http.StatusInternalServerError)
http.Error(w, "Could not create 2FA setup challenge", http.StatusInternalServerError)
return
}
@@ -326,11 +340,13 @@ func TwoFactorSetup(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, map[string]interface{}{
"secret": key.Secret(),
"setup_token": setupToken,
"otpauth_url": key.URL(),
"qr_code": "data:image/png;base64," + base64.StdEncoding.EncodeToString(qr.Bytes()),
})
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": Created 2FA setup challenge")
}
func TwoFactorEnable(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -338,7 +354,8 @@ func TwoFactorEnable(w http.ResponseWriter, r *http.Request) {
}
var req struct {
Code string `json:"code"`
Code string `json:"code"`
SetupToken string `json:"setup_token"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
@@ -354,12 +371,31 @@ func TwoFactorEnable(w http.ResponseWriter, r *http.Request) {
return
}
if user.TwoFactorSecret == "" {
setupSecret := ""
secret := []byte(os.Getenv("JWT_SECRET"))
if req.SetupToken != "" {
setupClaims, err := auth.ValidateTwoFactorSetupJWT(req.SetupToken, secret)
if err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid or expired 2FA setup challenge", http.StatusUnauthorized)
return
}
if setupClaims.UserID != user.ID {
http.Error(w, "Invalid 2FA setup challenge", http.StatusUnauthorized)
return
}
setupSecret = setupClaims.Secret
} else if !user.TwoFactorEnabled && user.TwoFactorSecret != "" {
// Compatibility for accounts that started setup before temporary setup tokens existed.
setupSecret = user.TwoFactorSecret
}
if setupSecret == "" {
http.Error(w, "2FA setup has not been started", http.StatusBadRequest)
return
}
if !totp.Validate(strings.TrimSpace(req.Code), user.TwoFactorSecret) {
if !totp.Validate(strings.TrimSpace(req.Code), setupSecret) {
http.Error(w, "Invalid 2FA code", http.StatusUnauthorized)
return
}
@@ -371,18 +407,30 @@ func TwoFactorEnable(w http.ResponseWriter, r *http.Request) {
return
}
if err := storage.EnableUserTwoFactorWithRecoveryCodes(user.ID, recoveryCodeHashes); err != nil {
if err := storage.EnableUserTwoFactorWithSecretAndRecoveryCodes(user.ID, setupSecret, recoveryCodeHashes); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not enable 2FA", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"two_factor_enabled": true,
"recovery_codes": recoveryCodes,
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
user.TwoFactorEnabled = true
user.TwoFactorSecret = setupSecret
issueLoginSessionWithExtra(w, r, user, map[string]interface{}{
"two_factor_enabled": true,
"recovery_codes": recoveryCodes,
"recovery_codes_remaining": len(recoveryCodes),
"recovery_codes_warning": false,
"recovery_codes_warning_at": recoveryCodeWarningThreshold,
})
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": Enabled 2FA and generated recovery codes")
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": Enabled 2FA, replaced recovery codes, and revoked old sessions")
}
func TwoFactorDisable(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -433,6 +481,7 @@ func TwoFactorDisable(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, map[string]interface{}{"two_factor_enabled": false})
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": Disabled 2FA")
}
func TwoFactorRegenerateRecoveryCodes(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -502,6 +551,7 @@ func Logout(w http.ResponseWriter, r *http.Request) {
clearAuthCookies(w)
w.WriteHeader(http.StatusNoContent)
}
func TestHandler(w http.ResponseWriter, r *http.Request) {
claims, _ := utils.IsLoggedIn(w, r)
@@ -517,6 +567,7 @@ func TestHandler(w http.ResponseWriter, r *http.Request) {
}
log.Println("GET [api/ping] " + r.RemoteAddr + ": Successfully tested connection")
}
func RefreshToken(w http.ResponseWriter, r *http.Request) {
var req struct {
RefreshToken string `json:"refresh_token"`
@@ -560,6 +611,7 @@ func RefreshToken(w http.ResponseWriter, r *http.Request) {
issueLoginSession(w, r, user)
log.Println("POST [api/refresh] " + r.RemoteAddr + ": Successfully refreshed token")
}
func UserInfo(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Method " + r.Method + " not allowed")
@@ -613,14 +665,24 @@ func UserInfo(w http.ResponseWriter, r *http.Request) {
recoveryCodesRemaining = count
}
}
twoFactorStatus := "disabled"
if user.TwoFactorEnabled {
twoFactorStatus = "enabled"
} else if user.TwoFactorSecret != "" {
twoFactorStatus = "setup_pending"
}
recoveryCodesWarning := user.TwoFactorEnabled && recoveryCodesRemaining <= recoveryCodeWarningThreshold
w.Header().Set("Content-Type", "application/json")
err = json.NewEncoder(w).Encode(map[string]interface{}{
"id": user.ID,
"username": user.Username,
"avatar_url": "",
"two_factor_enabled": user.TwoFactorEnabled,
"recovery_codes_remaining": recoveryCodesRemaining,
"id": user.ID,
"username": user.Username,
"avatar_url": "",
"two_factor_enabled": user.TwoFactorEnabled,
"two_factor_status": twoFactorStatus,
"recovery_codes_remaining": recoveryCodesRemaining,
"recovery_codes_warning": recoveryCodesWarning,
"recovery_codes_warning_at": recoveryCodeWarningThreshold,
})
if err != nil {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": " + err.Error())
@@ -628,7 +690,12 @@ func UserInfo(w http.ResponseWriter, r *http.Request) {
}
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Successfully retrieved user info of " + user.Username + " (" + user.ID + ")")
}
func issueLoginSession(w http.ResponseWriter, r *http.Request, user models.User) {
issueLoginSessionWithExtra(w, r, user, nil)
}
func issueLoginSessionWithExtra(w http.ResponseWriter, r *http.Request, user models.User, extra map[string]interface{}) {
secret := []byte(os.Getenv("JWT_SECRET"))
if len(secret) == 0 {
log.Println("AUTH " + r.RemoteAddr + ": Server misconfiguration")
@@ -666,7 +733,7 @@ func issueLoginSession(w http.ResponseWriter, r *http.Request, user models.User)
}
setAuthCookies(w, accessToken, refreshTokenPlain)
writeJSON(w, http.StatusOK, map[string]interface{}{
response := map[string]interface{}{
"access_token": accessToken,
"refresh_token": refreshTokenPlain,
"user": map[string]interface{}{
@@ -675,7 +742,11 @@ func issueLoginSession(w http.ResponseWriter, r *http.Request, user models.User)
"role": user.Role,
"two_factor_enabled": user.TwoFactorEnabled,
},
})
}
for key, value := range extra {
response[key] = value
}
writeJSON(w, http.StatusOK, response)
}
func generateRecoveryCodes(count int) ([]string, []string, error) {
@@ -701,6 +772,7 @@ func generateRecoveryCodes(count int) ([]string, []string, error) {
return codes, hashes, nil
}
func generateRecoveryCode() (string, error) {
bytes := make([]byte, 10)
if _, err := rand.Read(bytes); err != nil {
@@ -710,6 +782,7 @@ func generateRecoveryCode() (string, error) {
raw := hex.EncodeToString(bytes)
return raw[0:5] + "-" + raw[5:10] + "-" + raw[10:15] + "-" + raw[15:20], nil
}
func normalizeRecoveryCode(code string) string {
code = strings.TrimSpace(code)
code = strings.ReplaceAll(code, "-", "")
@@ -737,6 +810,7 @@ func setAuthCookies(w http.ResponseWriter, accessToken, refreshToken string) {
SameSite: http.SameSiteLaxMode,
})
}
func clearAuthCookies(w http.ResponseWriter) {
for _, name := range []string{"access_token", "refresh_token"} {
http.SetCookie(w, &http.Cookie{