From 403202d4d424c2fb6c8d3441a11478e82ae0b65e Mon Sep 17 00:00:00 2001 From: Ponkhy Date: Thu, 9 Sep 2021 21:10:31 +0200 Subject: [PATCH 01/19] Added simple TOTP Two Factor Authentication --- db/patch12.sql | 10 ++ package.json | 4 + server/server.js | 168 +++++++++++++++++++++++++++++-- server/util-server.js | 10 ++ src/components/Login.vue | 25 ++++- src/components/TwoFADialog.vue | 178 +++++++++++++++++++++++++++++++++ src/languages/de-DE.js | 13 +++ src/languages/en.js | 15 ++- src/mixins/socket.js | 26 ++++- src/pages/Settings.vue | 11 ++ src/pages/Setup.vue | 2 +- 11 files changed, 447 insertions(+), 15 deletions(-) create mode 100644 db/patch12.sql create mode 100644 src/components/TwoFADialog.vue diff --git a/db/patch12.sql b/db/patch12.sql new file mode 100644 index 00000000..754ffdf7 --- /dev/null +++ b/db/patch12.sql @@ -0,0 +1,10 @@ +-- You should not modify if this have pushed to Github, unless it does serious wrong with the db. +BEGIN TRANSACTION; + +ALTER TABLE user + ADD twofa_secret VARCHAR(64); + +ALTER TABLE user + ADD twofa_status BOOLEAN default 0; + +COMMIT; diff --git a/package.json b/package.json index c04be03f..e43e0094 100644 --- a/package.json +++ b/package.json @@ -56,20 +56,24 @@ "http-graceful-shutdown": "^3.1.4", "jsonwebtoken": "^8.5.1", "nodemailer": "^6.6.3", + "notp": "^2.0.3", "password-hash": "^1.2.2", "prom-client": "^13.2.0", "prometheus-api-metrics": "^3.2.0", + "qrcode": "^1.4.4", "redbean-node": "0.1.2", "socket.io": "^4.2.0", "socket.io-client": "^4.2.0", "sqlite3": "github:mapbox/node-sqlite3#593c9d", "tcp-ping": "^0.1.1", + "thirty-two": "^1.0.2", "v-pagination-3": "^0.1.6", "vue": "^3.2.8", "vue-chart-3": "^0.5.7", "vue-confirm-dialog": "^1.0.2", "vue-i18n": "^9.1.7", "vue-multiselect": "^3.0.0-alpha.2", + "vue-qrcode": "^1.0.0", "vue-router": "^4.0.11", "vue-toastification": "^2.0.0-rc.1" }, diff --git a/server/server.js b/server/server.js index 2949c4be..9319fa91 100644 --- a/server/server.js +++ b/server/server.js 
@@ -22,11 +22,15 @@ const gracefulShutdown = require("http-graceful-shutdown"); debug("Importing prometheus-api-metrics"); const prometheusAPIMetrics = require("prometheus-api-metrics"); +debug("2FA Modules"); +const notp = require("notp"); +const base32 = require("thirty-two"); + console.log("Importing this project modules"); debug("Importing Monitor"); const Monitor = require("./model/monitor"); debug("Importing Settings"); -const { getSettings, setSettings, setting, initJWTSecret } = require("./util-server"); +const { getSettings, setSettings, setting, initJWTSecret, genSecret } = require("./util-server"); debug("Importing Notification"); const { Notification } = require("./notification"); @@ -219,12 +223,38 @@ let indexHTML = fs.readFileSync("./dist/index.html").toString(); if (user) { afterLogin(socket, user) - callback({ - ok: true, - token: jwt.sign({ - username: data.username, - }, jwtSecret), - }) + if (user.twofaStatus == 0) { + callback({ + ok: true, + token: jwt.sign({ + username: data.username, + }, jwtSecret), + }) + } + + if (user.twofaStatus == 1 && !data.token) { + callback({ + tokenRequired: true, + }) + } + + if (data.token) { + let verify = notp.totp.verify(data.token, user.twofa_secret); + + if (verify && verify.delta == 0) { + callback({ + ok: true, + token: jwt.sign({ + username: data.username, + }, jwtSecret), + }) + } else { + callback({ + ok: false, + msg: "Token Invalid!", + }) + } + } } else { callback({ ok: false, 
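Review bot: `afterLogin(socket, user)` still runs before any of the new branches, so the socket is treated as logged in (if that is what afterLogin does, as the `checkLogin(socket)` calls elsewhere suggest) as soon as the password matches, even when `twofaStatus` is 1 and no valid token was supplied — the JWT is withheld, but the live socket is not. Move `afterLogin(socket, user)` into the two branches that answer `ok: true`, or call it only after the `verify.delta == 0` check when 2FA is on. The branches also read `user.twofaStatus` while the same object is read as `user.twofa_secret` a few lines later and as `user.twofa_status` in the other new handlers; if the property is really `twofa_status`, both the `== 0` and `== 1` tests are false and a login without a token never receives a callback. The `if (data.token)` branch is not gated on 2FA being enabled either, so a request with `twofaStatus == 0` and a token field set answers the callback twice; `else if (data.token)` (or gating on `twofa_status == 1`) fixes that. The login handler and its enclosing connection callback start and end outside the hunk.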
@@ -240,6 +270,130 @@ let indexHTML = fs.readFileSync("./dist/index.html").toString(); callback(); }); + socket.on("prepare2FA", async (callback) => { + try { + checkLogin(socket) + + let user = await R.findOne("user", " id = ? AND active = 1 ", [ + socket.userID, + ]) + + if (user.twofa_status == 0) { + let newSecret = await genSecret() + let encodedSecret = base32.encode(newSecret); + let uri = `otpauth://totp/UptimeKuma:${user.username}?secret=${encodedSecret}`; + + await R.exec("UPDATE `user` SET twofa_secret = ? WHERE id = ? ", [ + newSecret, + socket.userID, + ]); + + callback({ + ok: true, + uri: uri, + }) + } else { + callback({ + ok: false, + msg: "2FA is already enabled.", + }) + } + } catch (error) { + callback({ + ok: false, + msg: "Error while trying to prepare 2FA.", + }) + } + }); + + socket.on("save2FA", async (callback) => { + try { + checkLogin(socket) + + await R.exec("UPDATE `user` SET twofa_status = 1 WHERE id = ? ", [ + socket.userID, + ]); + + callback({ + ok: true, + msg: "2FA Enabled.", + }) + } catch (error) { + callback({ + ok: false, + msg: "Error while trying to change 2FA.", + }) + } + }); + + socket.on("disable2FA", async (callback) => { + try { + checkLogin(socket) + + await R.exec("UPDATE `user` SET twofa_status = 0 WHERE id = ? ", [ + socket.userID, + ]); + + callback({ + ok: true, + msg: "2FA Disabled.", + }) + } catch (error) { + callback({ + ok: false, + msg: "Error while trying to change 2FA.", + }) + } + }); + + socket.on("verifyToken", async (token, callback) => { + let user = await R.findOne("user", " id = ? AND active = 1 ", [ + socket.userID, + ]) + + let verify = notp.totp.verify(token, user.twofa_secret); + + if (verify && verify.delta == 0) { + callback({ + ok: true, + valid: true, + }) + } else { + callback({ + ok: false, + msg: "Token Invalid.", + valid: false, + }) + } + }); + + socket.on("twoFAStatus", async (callback) => { + checkLogin(socket) + + try { + let user = await R.findOne("user", " id = ? 
AND active = 1 ", [ + socket.userID, + ]) + + if (user.twofa_status == 1) { + callback({ + ok: true, + status: true, + }) + } else { + callback({ + ok: true, + status: false, + }) + } + } catch (error) { + callback({ + ok: false, + msg: "Error while trying to get 2FA status.", + }) + } + }); + socket.on("needSetup", async (callback) => { callback(needSetup); }); diff --git a/server/util-server.js b/server/util-server.js index a2fef065..079bd82f 100644 --- a/server/util-server.js +++ b/server/util-server.js @@ -271,3 +271,13 @@ exports.getTotalClientInRoom = (io, roomName) => { return 0; } } + +exports.genSecret = () => { + let secret = ""; + let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + let charsLength = chars.length; + for ( let i = 0; i < 64; i++ ) { + secret += chars.charAt(Math.floor(Math.random() * charsLength)); + } + return secret; +} diff --git a/src/components/Login.vue b/src/components/Login.vue index bd51759c..ca36fdb9 100644 --- a/src/components/Login.vue +++ b/src/components/Login.vue @@ -4,16 +4,23 @@
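Review bot: The `verifyToken` handler is the only one of the five new handlers that neither calls `checkLogin(socket)` nor wraps its body in try/catch; on an unauthenticated socket `socket.userID` is unset, `R.findOne` returns nothing and `user.twofa_secret` throws inside the async listener, so the client never gets a callback. Add the login check and an error branch in the same shape as the other handlers (below). `save2FA` also flips `twofa_status` to 1 without re-verifying a token on the server — the client's `verifyToken` round-trip is the only guard — so consider having `save2FA` take the token and accept only when `notp.totp.verify` succeeds against the stored secret; otherwise an account can end up locked behind a secret that was never confirmed. `twoFAStatus` calls `checkLogin(socket)` outside its try, unlike the others, so a failure there is unhandled as well. All of these listeners sit inside the connection callback that starts and ends outside the hunk.
```javascript
    socket.on("verifyToken", async (token, callback) => {
        try {
            checkLogin(socket)

            // … unchanged: user lookup, notp.totp.verify() and its two callback() branches …
        } catch (error) {
            callback({
                ok: false,
                msg: "Error while trying to verify the token.",
                valid: false,
            })
        }
    });
```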
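Review bot: `genSecret` derives the TOTP shared secret from `Math.random()`, which is not a cryptographically secure generator; this secret is the whole second factor and should come from `crypto`. Keep the alphabet and length but pick each index with `secret += chars.charAt(crypto.randomInt(charsLength));` after adding `const crypto = require("crypto");` at the top of util-server.js (outside the hunk), or simply `return crypto.randomBytes(32).toString("hex");` if the alphabet does not matter. The function is synchronous, yet server.js calls it as `await genSecret()`; harmless, but either drop the `await` or say so in a header comment such as `/** Returns a random 64-character alphanumeric TOTP secret (synchronous). */`.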

-
+
-
+
+
+
+ + +
+
+
@@ -42,16 +49,24 @@ export default { processing: false, username: "", password: "", - + token: "", res: null, + tokenRequired: false, } }, methods: { submit() { this.processing = true; - this.$root.login(this.username, this.password, (res) => { + + this.$root.login(this.username, this.password, this.token, (res) => { this.processing = false; - this.res = res; + console.log(res) + + if (res.tokenRequired) { + this.tokenRequired = true; + } else { + this.res = res; + } }) }, }, diff --git a/src/components/TwoFADialog.vue b/src/components/TwoFADialog.vue new file mode 100644 index 00000000..371462b9 --- /dev/null +++ b/src/components/TwoFADialog.vue @@ -0,0 +1,178 @@ + + + + + diff --git a/src/languages/de-DE.js b/src/languages/de-DE.js index cfadf170..b6bc676c 100644 --- a/src/languages/de-DE.js +++ b/src/languages/de-DE.js @@ -128,4 +128,17 @@ export default { backupDescription3: "Sensible Daten wie Benachrichtigungstoken sind in der Exportdatei enthalten, bitte bewahre sie sorgfältig auf.", alertNoFile: "Bitte wähle eine Datei zum importieren aus.", alertWrongFileType: "Bitte wähle eine JSON Datei aus.", + twoFAVerifyLabel: "Bitte trage deinen Token ein um zu verifizieren das 2FA funktioniert", + "Verify Token": "Token verifizieren", + "Setup 2FA": "2FA Einrichten", + "Enable 2FA": "2FA Aktivieren", + "Disable 2FA": "2FA deaktivieren", + "2FA Settings": "2FA Einstellungen", + confirmEnableTwoFAMsg: "Bist du sicher das du 2FA aktivieren möchtest?", + confirmDisableTwoFAMsg: "Bist du sicher das du 2FA deaktivieren möchtest?", + tokenValidSettingsMsg: "Token gültig! Du kannst jetzt die 2FA Einstellungen speichern.", + "Two Factor Authentication": "Zwei Faktor Authentifizierung", + Active: "Aktiv", + Inactive: "Inaktiv", + Token: "Token", } diff --git a/src/languages/en.js b/src/languages/en.js index 1272bf3e..c7facb2a 100644 --- a/src/languages/en.js +++ b/src/languages/en.js 
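Review bot: The new `console.log(res)` in `submit()` prints the whole login response to the browser console, and on a successful login that response carries the JWT in `res.token`; remove the line before merging. In the shown code the `token` field is never cleared after a failed attempt, so a stale TOTP code is resent with the next submit; resetting it in the failure branch (`this.token = "";`) is cheap. `submit()` is shown in full, but the component's `data()` it reads starts outside the hunk.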
@@ -20,6 +20,10 @@ export default { clearEventsMsg: "Are you sure want to delete all events for this monitor?", clearHeartbeatsMsg: "Are you sure want to delete all heartbeats for this monitor?", confirmClearStatisticsMsg: "Are you sure want to delete ALL statistics?", + twoFAVerifyLabel: "Please type in your token to verify that 2FA is working", + tokenValidSettingsMsg: "Token valid! You can now save the 2FA settings.", + confirmEnableTwoFAMsg: "Are you sure you want to enable 2FA?", + confirmDisableTwoFAMsg: "Are you sure you want to disable 2FA?", Settings: "Settings", Dashboard: "Dashboard", "New Update": "New Update", @@ -127,5 +131,14 @@ export default { backupDescription2: "PS: History and event data is not included.", backupDescription3: "Sensitive data such as notification tokens is included in the export file, please keep it carefully.", alertNoFile: "Please select a file to import.", - alertWrongFileType: "Please select a JSON file." + alertWrongFileType: "Please select a JSON file.", + "Verify Token": "Verify Token", + "Setup 2FA": "Setup 2FA", + "Enable 2FA": "Enable 2FA", + "Disable 2FA": "Disable 2FA", + "2FA Settings": "2FA Settings", + "Two Factor Authentication": "Two Factor Authentication", + Active: "Active", + Inactive: "Inactive", + Token: "Token", } diff --git a/src/mixins/socket.js b/src/mixins/socket.js index 22cc25bf..0cffbdc5 100644 --- a/src/mixins/socket.js +++ b/src/mixins/socket.js @@ -201,11 +201,15 @@ export default { } }, - login(username, password, callback) { + login(username, password, token, callback) { socket.emit("login", { username, password, + token, }, (res) => { + if (res.tokenRequired) { + callback(res) + } if (res.ok) { this.storage().token = res.token; 
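Review bot: In `login()`, the new `if (res.tokenRequired) { callback(res) }` does not return, so control falls through to the `if (res.ok)` test and, presumably, to the failure branch that follows it outside the hunk, which would invoke `callback` a second time for the same response. Make it `if (res.tokenRequired) { callback(res); return; }`. The rest of `login()`, including that else branch, ends outside the hunk.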
@@ -240,6 +244,26 @@ export default { this.clearData() }, + prepare2FA(callback) { + socket.emit("prepare2FA", callback) + }, + + save2FA(secret, callback) { + socket.emit("save2FA", callback) + }, + + disable2FA(callback) { + socket.emit("disable2FA", callback) + }, + + verifyToken(token, callback) { + socket.emit("verifyToken", token, callback) + }, + + twoFAStatus(callback) { + socket.emit("twoFAStatus", callback) + }, + add(monitor, callback) { socket.emit("add", monitor, callback) }, diff --git a/src/pages/Settings.vue b/src/pages/Settings.vue index 17c2630a..33992a43 100644 --- a/src/pages/Settings.vue +++ b/src/pages/Settings.vue @@ -120,6 +120,14 @@ +
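Review bot: `save2FA(secret, callback)` declares a `secret` parameter that is never used — the emit sends only the callback, matching the server's `socket.on("save2FA", async (callback) => …)` — so either drop it (`save2FA(callback) { socket.emit("save2FA", callback) }`) or, if the server is meant to verify a token before enabling, send that token along. As written a caller passing `(secret, callback)` works, but the signature misleads the next reader. The mixin's `methods` object starts and ends outside the hunk.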

+ {{ $t("Two Factor Authentication") }} +

+ +
+ +
+

{{ $t("Import/Export Backup") }}

@@ -186,6 +194,7 @@ +

@@ -446,10 +446,6 @@ export default { color: #fff; } -.me-1 { - margin-bottom: .25rem; -} - .dark { .list-group-item { background-color: $dark-bg2;