Implement 2FA backup codes

9b9df512 · Diego Sampaio · 590a66a2 · 9b9df512 · 9b9df512 · 9b9df512
Unverified Commit 9b9df512 authored 7 years ago by Diego Sampaio
--- a/.eslintrc
+++ b/.eslintrc
@@ -71,7 +71,7 @@
 		"curly": [2, "all"],
 		"eqeqeq": [2, "allow-null"],
 		"new-cap":  [2, {
-			"capIsNewExceptions": ["Match.Optional", "Match.Maybe", "Match.ObjectIncluding", "Push.Configure"]
+			"capIsNewExceptions": ["Match.Optional", "Match.Maybe", "Match.ObjectIncluding", "Push.Configure", "SHA256"]
 		}],
 		"use-isnan": 2,
 		"valid-typeof": 2,

--- a/packages/rocketchat-2fa/client/accountSecurity.js
+++ b/packages/rocketchat-2fa/client/accountSecurity.js
@@ -66,6 +66,11 @@ Template.accountSecurity.events({
 		Meteor.call('verifyTemp2FAToken', instance.find('#testCode').value, (error, result) => {
 			if (result) {
+				swal({
+					title: t('Backup_codes'),
+					text: t('Make_sure_you_have_a_copy_of_your_codes') + '\n' + result.codes.join('  ')
+				});
 				instance.find('#testCode').value = '';
 				instance.state.set();
 				toastr.success(t('Two-factor_authentication_enabled'));

--- a/packages/rocketchat-2fa/package.js
+++ b/packages/rocketchat-2fa/package.js
@@ -16,7 +16,9 @@ Package.onUse(function(api) {
 		'accounts-base',
 		'ecmascript',
 		'templating',
-		'rocketchat:lib'
+		'rocketchat:lib',
+		'sha',
+		'random'
 	]);
 	api.addFiles('client/accountSecurity.html', 'client');

--- a/packages/rocketchat-2fa/server/methods/verifyTemp2FAToken.js
+++ b/packages/rocketchat-2fa/server/methods/verifyTemp2FAToken.js
@@ -9,8 +9,7 @@ Meteor.methods({
 		const user = Meteor.user();
 		if (!user.services || !user.services.totp || !user.services.totp.tempSecret) {
-			console.error('errour');
+			throw new Meteor.Error('invalid-totp');
-			return false;
 		}
 		const verified = speakeasy.totp.verify({
@@ -20,8 +19,17 @@ Meteor.methods({
 		});
 		if (verified) {
-			RocketChat.models.Users.enable2FAAndSetSecretByUserId(Meteor.userId(), user.services.totp.tempSecret);
+			// generate 10 backup codes
+			const codes = [];
+			const hashedCodes = [];
+			for (let i = 0; i < 10; i++) {
+				const code = Random.id(8);
+				codes.push(code);
+				hashedCodes.push(SHA256(code));
+			}
+			RocketChat.models.Users.enable2FAAndSetSecretAndCodesByUserId(Meteor.userId(), user.services.totp.tempSecret, hashedCodes);
+			return { codes };
 		}
-		return verified;
 	}
 });
--- a/packages/rocketchat-2fa/server/models/users.js
+++ b/packages/rocketchat-2fa/server/models/users.js
@@ -11,13 +11,14 @@ RocketChat.models.Users.disable2FAAndSetTempSecretByUserId = function(userId, te
 	});
 };
-RocketChat.models.Users.enable2FAAndSetSecretByUserId = function(userId, secret) {
+RocketChat.models.Users.enable2FAAndSetSecretAndCodesByUserId = function(userId, secret, backupCodes) {
 	return this.update({
 		_id: userId
 	}, {
 		$set: {
 			'services.totp.enabled': true,
-			'services.totp.secret': secret
+			'services.totp.secret': secret,
+			'services.totp.hashedBackup': backupCodes
 		},
 		$unset: {
 			'services.totp.tempSecret': 1