From 2928e3e80e6bffb6317af9db28ea4e902e7bf1e5 Mon Sep 17 00:00:00 2001
From: syeopite
Date: Fri, 16 Jul 2021 13:34:53 -0700
Subject: [PATCH] Update 2fa routes to be in the form of /2fa/
---
 src/invidious/helpers/utils.cr | 2 +-
 src/invidious/routes/account.cr | 12 ++++++------
 src/invidious/routes/login.cr | 4 ++--
 src/invidious/routing.cr | 10 +++++-----
 src/invidious/views/user/preferences.ecr | 2 +-
 src/invidious/views/user/remove_2fa.ecr | 2 +-
 src/invidious/views/user/setup_2fa.ecr | 2 +-
 src/invidious/views/user/validate_2fa.ecr | 2 +-
 8 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/invidious/helpers/utils.cr b/src/invidious/helpers/utils.cr
index 17d8098f..53ae35f1 100644
--- a/src/invidious/helpers/utils.cr
+++ b/src/invidious/helpers/utils.cr
@@ -449,7 +449,7 @@ end
 def call_totp_validator(env, user, sid, locale)
 referer = URI.decode_www_form(env.get?("current_page").to_s)
- csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY)
+ csrf_token = generate_response(sid, {":2fa/validate"}, HMAC_KEY)
 email, password = {user.email, nil}
 return templated "user/validate_2fa"
 end
diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index 0f751694..1abf240f 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -384,7 +384,7 @@ module Invidious::Routes::Account
 user = user.as(User)
 sid = sid.as(String)
- csrf_token = generate_response(sid, {":setup_2fa"}, HMAC_KEY)
+ csrf_token = generate_response(sid, {":2fa/setup"}, HMAC_KEY)
 db_secret = Random::Secure.random_bytes(16).hexstring
 totp = CrOTP::TOTP.new(db_secret)
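Review bot: The CSRF scope on the changed line, `{":2fa/validate"}`, is now a free-standing copy of the route path registered in routing.cr, and the same pattern repeats for `":2fa/setup"` in the account.cr hunk at line 384 and `":2fa/remove"` in the hunk at line 515; the scope presumably has to match whatever the corresponding POST handler verifies, so a typo in one copy would make every submission of that form fail with nothing pointing at the cause. A one-line comment on this line stating the coupling — `# scope string must match the check in the Routes::Account POST handler for this route` — or a shared constant used by both routing.cr and these handlers would keep the copies from drifting. I cannot see the consuming check from this patch, so treat the exact pairing as something to confirm.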
@@ -472,10 +472,10 @@ module Invidious::Routes::Account
 if CONFIG.domain
 env.response.cookies["SID"] = HTTP::Cookie.new(name: "SID", domain: "#{CONFIG.domain}", value: sid, expires: Time.utc + 2.years,
- secure: secure, http_only: true)
+ secure: secure, http_only: true, path: "/")
 else
 env.response.cookies["SID"] = HTTP::Cookie.new(name: "SID", value: sid, expires: Time.utc + 2.years,
- secure: secure, http_only: true)
+ secure: secure, http_only: true, path: "/")
 end
 else
 return error_template(401, "Wrong username or password")
@@ -499,9 +499,9 @@ module Invidious::Routes::Account
 end
 if CONFIG.domain
- env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", domain: "#{CONFIG.domain}", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true)
+ env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", domain: "#{CONFIG.domain}", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true, path: "/")
 else
- env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true)
+ env.response.cookies["2faVerified"] = HTTP::Cookie.new(name: "2faVerified", value: "1", expires: Time.utc + 1.hours, secure: secure, http_only: true, path: "/")
 end
 end
@@ -515,7 +515,7 @@ module Invidious::Routes::Account
 user = env.get("user").as(User)
 sid = env.get("sid").as(String)
- csrf_token = generate_response(sid, {":remove_2fa"}, HMAC_KEY)
+ csrf_token = generate_response(sid, {":2fa/remove"}, HMAC_KEY)
 return templated "user/remove_2fa"
 end
diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr
index ed2185b8..f50823a0 100644
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
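Review bot: The two `HTTP::Cookie.new` calls for `SID` differ only in the `domain:` argument, so the `path: "/"` fix had to be applied twice here and twice again for `2faVerified` in the hunk at line 499; building the cookie once with `domain: CONFIG.domain` would remove that duplication, provided `CONFIG.domain` is a `String?` rather than something that needs the `"#{...}"` conversion. Neither call sets `samesite:`, which `HTTP::Cookie.new` accepts; since the session cookie is issued from a form POST under `/2fa/`, `samesite: HTTP::Cookie::SameSite::Lax` would complement the CSRF token against cross-site reuse of the session. The explicit path is presumably needed because a cookie set from `/2fa/validate` without one would default to the `/2fa` path and be invisible to the rest of the site; a comment on the changed lines such as `# path: "/" so the cookie is not scoped to /2fa/, the default path of this POST` records that for the next reader. The enclosing handler starts and ends outside the hunk.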
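Review bot: The `2faVerified` cookie on both changed lines carries the constant value `"1"`, so the server has no way to tell a cookie it issued from one the client set on its own; if any handler treats its presence as proof that the TOTP step completed, that check is bypassable. I cannot see the reader from this patch, so confirm: if the cookie is only a UI hint this is fine, otherwise bind it to the session, e.g. `value: generate_response(sid, {":2fa/verified"}, HMAC_KEY)` (scope name illustrative), and verify that value wherever the cookie is consulted. Either way a one-line comment stating what the cookie is for — `# 2faVerified: <hint only | must be verified against sid on read>` — would stop the next maintainer from guessing. The enclosing handler starts outside the hunk.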
@@ -56,8 +56,8 @@ module Invidious::Routes::Login
 user = Invidious::Database::Users.select(email: email)
 if user
- if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) \
- # If the password is correct then we'll go ahead and begin 2fa if applicable
+ if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
+ # If the password is correct then we'll go ahead and begin 2fa if applicable
 if user.totp_secret
 csrf_token = nil # setting this to false for compatibility reasons.
 return templated "user/validate_2fa"
diff --git a/src/invidious/routing.cr b/src/invidious/routing.cr
index 27c08f3d..01d1d79a 100644
--- a/src/invidious/routing.cr
+++ b/src/invidious/routing.cr
@@ -80,11 +80,11 @@ module Invidious::Routing
 get "/subscription_manager", Routes::Subscriptions, :subscription_manager
 # 2fa routes
- Invidious::Routing.get "/setup_2fa", Routes::Account, :setup_2fa_page
- Invidious::Routing.post "/setup_2fa", Routes::Account, :setup_2fa
- Invidious::Routing.post "/validate_2fa", Routes::Account, :validate_2fa
- Invidious::Routing.get "/remove_2fa", Routes::Account, :remove_2fa_page
- Invidious::Routing.post "/remove_2fa", Routes::Account, :remove_2fa
+ Invidious::Routing.get "/2fa/setup", Routes::Account, :setup_2fa_page
+ Invidious::Routing.post "/2fa/setup", Routes::Account, :setup_2fa
+ Invidious::Routing.get "/2fa/remove", Routes::Account, :remove_2fa_page
+ Invidious::Routing.post "/2fa/remove", Routes::Account, :remove_2fa
+ Invidious::Routing.post "/2fa/validate", Routes::Account, :validate_2fa
 end
 def register_iv_playlist_routes
diff --git a/src/invidious/views/user/preferences.ecr b/src/invidious/views/user/preferences.ecr
index 3ad38f0e..d6a220c4 100644
--- a/src/invidious/views/user/preferences.ecr
+++ b/src/invidious/views/user/preferences.ecr
@@ -346,7 +346,7 @@
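Review bot: The comment on the context line `csrf_token = nil # setting this to false for compatibility reasons.` no longer matches the code, which assigns nil rather than false; if the validate_2fa template only tests the variable for truthiness, say so: `csrf_token = nil # falsey: render validate_2fa without a CSRF token (compatibility with the login form)`. Dropping the trailing backslash is the right fix, since the continuation would otherwise have run the `if` condition onto the comment line. The `if user` block continues past the end of the hunk.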
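Review bot: The five new registrations use the fully qualified `Invidious::Routing.get`/`.post` while the context line directly above, `get "/subscription_manager", Routes::Subscriptions, :subscription_manager`, uses the bare form inside the same `module Invidious::Routing`; the 2fa block should follow the surrounding style, e.g. `get "/2fa/setup", Routes::Account, :setup_2fa_page`. The old `/setup_2fa`, `/validate_2fa` and `/remove_2fa` paths are removed with no redirect, so a user whose setup or validation form was rendered before a deploy will post to a route that no longer exists; if that matters, keep the old POST paths as aliases for one release or add redirects. The `register_*` method containing this block starts outside the hunk.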
diff --git a/src/invidious/views/user/remove_2fa.ecr b/src/invidious/views/user/remove_2fa.ecr
index 540b99d2..000a197c 100644
--- a/src/invidious/views/user/remove_2fa.ecr
+++ b/src/invidious/views/user/remove_2fa.ecr
@@ -3,7 +3,7 @@ <% end %>
-
+ <%= translate(locale, "remove_totp_confirm_message") %>
diff --git a/src/invidious/views/user/setup_2fa.ecr b/src/invidious/views/user/setup_2fa.ecr
index deafe7ca..2594ea72 100644
--- a/src/invidious/views/user/setup_2fa.ecr
+++ b/src/invidious/views/user/setup_2fa.ecr
@@ -6,7 +6,7 @@
- + <%= translate(locale, "setup_totp_form_header") %>
diff --git a/src/invidious/views/user/validate_2fa.ecr b/src/invidious/views/user/validate_2fa.ecr
index 9d2b5d0b..5732e104 100644
--- a/src/invidious/views/user/validate_2fa.ecr
+++ b/src/invidious/views/user/validate_2fa.ecr
@@ -6,7 +6,7 @@
- + <%= translate(locale, "general_totp_enter_code_header") %>