From 40db978c7d83c4db38effedb52522a5414400528 Mon Sep 17 00:00:00 2001
From: Puyodead1 <puyodead@proton.me>
Date: Sat, 16 Dec 2023 18:17:36 -0500
Subject: [PATCH] update mfa and login to reflect latest discord

---
 assets/schemas.json                           | Bin 18300690 -> 18366994 bytes
 src/api/routes/auth/login.ts                  |  23 +++++++-----
 src/api/routes/auth/mfa/totp.ts               |   5 ++-
 src/api/routes/auth/mfa/webauthn.ts           |   5 ++-
 src/api/routes/users/@me/mfa/totp/enable.ts   |  10 +++++-
 .../@me/mfa/webauthn/credentials/index.ts     |  34 +++++++++++++++++-
 .../subconfigurations/security/TwoFactor.ts   |   2 ++
 src/util/entities/User.ts                     |   9 +++++
 src/util/util/WebAuthn.ts                     |   9 +++++
 9 files changed, 85 insertions(+), 12 deletions(-)

diff --git a/assets/schemas.json b/assets/schemas.json
index a0ab1697c99e4bad5533af3b5d5feaa87e003ecc..91e23f1aaad92775c9ca0efa8fe5bd03d280e366 100644
GIT binary patch
delta 17384
zcmd6v|4-C)9LM)L?(hzd@0>6|<cp+$B(hW-h=&vzF@~9t1(Pr0KogEH=Ku?EQb_KQ
zFL7@Y>_CB-8V~}nkkMUaA-WW#7B!TMsgTBCjG(Nb4-i}Z1<(8WKA-Ke=kxh`y}#b4
zd|^afUih=P^`q}tZBT?znv|NAk{F+rmT@R6hn-S6x>OX1BrI-0cF0tjmAv{Zt2<rh
zSk4JqT)@Qx8s91j*S-9@+3EvJuPfNTFe8V~O4o(}Y4Cqv9_%uTWO@~sd`_Vda9V}J
zhzpTZ;66b@D;gp=Pk0s%k#@!SP77KI{SRVx4Gh6}h&ALYHjP4i@-N9YvnseTG4U4t
zaEO~KD~9%j1l>08!<FzJmt~?Mn0)cPh%M;O8dJE9ebHy=vR%TVlfe$H1|bX$9e1+p
zGzd+~Yn`jxz$7$q*F|{)4KZQqUWd*pZQkuM0JlSvx{=_m^p9%K6KFda4<RMzTi)Sl
zIhbXv-x{)=_mRUJ*fPn2n{QeVx?*_}A2@_w{Q`WnrMceiucISMlT-dh=yZ~uQ@}|$
z#J0V=UPiA}XnpqX^Jpa)4`D_r^}%nWNho_DWFB53)(bEF23O*;*WTJLbnl*w3rj~U
z!FUKUNmSt}XcCfjMYzHteta0&35W2r+FuK=Q)SSB=io{N9gQw*N7rdm^}!DKf~4ox
zTN~hZ6wbwdiC&P<#D=)XD;wLueev|zgw1d}<i&?`(Q_=uLx?D$>&OT?7%L=?$CIbw
zBYTeXv7P92u&8neZz>2o-iIX#m22|jrJRUnPNaDl2ukn8^lU6jq@14I$;`(>yeKEL
zKb0j|h!8o`7rrBAsrQ637T2iW!3wPQyH&UdWUO>tWXW2NMXw?K#_R@kr=v}8<jUaF
zGF~euv|*%a&8vk&jExjD!tL-jIb9E*8)oc$ZynqYzoeowXo%$_H%cfgo<)1ILc$;Z
zIT(f}x?ferpMw`tD+i*t`^(H}(Y2IA*Y1i%O%dg8hG9`g?uQ0K64<B~7=k<IG<C14
z8SM`72j}p$-bz?)y)S%V5LHZ}ahikZh|nHYT|68j^!lYX^gRZuo@{7GufJ)=v8f0>
z?vm51mlbd&w&YxW9^JM&8=C9ULZ};>MHD{NI)UE9<w3+WD!kUz44wm#mv2WUIvSJ^
zL+)^hO=r6Pf<yGRcV~PJ&IC(!cqC!b?w(c})B7UMj+GvknUei{k1sr}PhE921eS-q
zqI&DmN-&pzpM<15bpzi)bXUK*f|i5Khi^VX2csfiVoHtD+nH!JmO=V<e5*u*&}hQl
zY&gU-)!?Uah_J4qOK^zNhu=5AA%-o6@eq9bY=bMIJTg+)fga6jsvf}YSUPbL(!^K#
z3usRmUm_y%nHu{TO+x%E%npCX6gEEFhmNSW<QEOv4rX$6)`U#2KdnZS&?}E7KY>G3
zSWe>`=tRIwK6+1q_+a3t7jIV1<)F778Gk2COnJS(kHMGGMpMruU!dDoi|5~oa8Gy$
zGwO|6+=8u>)mt~(nnI4t!sg@t6gU~$=@Ai^j&9*vp;*l2Vy)mW+jLer+p~fg@@Jzy
z5(oZ60zT{k+1RTia;(_2fU{=nD=eIu<sOf<OrB-DPNUdv!hcerbWm*j|3}oWzH2M=
zyPVm;uvnxiNR)E@OqU~+P|4Pgtyrx?<=UkyXHM7><hADiMJUpSoHOTML))(P@3!RN
b_qny)xHSjAzNFPz%eZ!|BY|>($-DmmY*d<W

delta 4506
zcmai1ZBUd|6rOiyS(e?|SOP)`1^JLf`OF}&aQP4@H3%@rBtUUOBZoB%5CaxWSNU>>
zC9guvLK!9@0s?0da4{od8jUdq7(xNd9i|-EDH%12y1T1C@7bR_&vTyhoco@8?%C>3
zXNA?vQ^K}$qokqeP%klLR0qS|0~y(ylq&UBP^q^?$;kFnzBTE;Wp58DNxZl=HWMhb
z9K%c61-CA<<4Jgg#2Wsa7OJk`BoRbDFHXWTQ6&wM2~K3&4rBP^dOL#Yzk1XD1QwsU
z<d}otMAuhuMT#OT1W>hZg|Zzf*T{q$yPVrB$-$bFE>7K+l=OY8>pIvZ@R@h}_&WrT
z3-oA2>_YV(uMtdNto8=vV2NR_SwK{Ot`|Vwx9dJYGMSh_nTd!Tl&|rNMGg**#s}o~
zBjwhX2l-;Sd}t%~ouOheI2rSI$}?1n`RhsCbQHtyC|-}nE{k+FLIRT=n=3I9N;-n!
zLAKG4up(}U$1Gy;@`G^=J*-3CDkG)w0SRO}+ct&-?C%R#OYPn<{;~o?)0<(fthmkv
z77{Ikc`n|K>4@T5|F^p^+$l9lgH%imh3S0AsNCVs6rpp|NFt&q4iebhyECVgW%nr)
z(&l%yBR9vKv)?s^UDz|FvhAt;$jt$2OyA441I60C8<4^vS--CUX*$STkvWUy=iWH5
z$n1wG8E8tfLXrGrOqj7=J!2Q54$pN}E3ABpTj-pXdcfI{G^9ve)KZb1Cf!%e3CKth
z-+>ZV8(WH!#YDlkevTNvuXog>QG)fE_r*4_`=Tn4*=12OP3pT6P6(cNv%L^cPg#G9
zKg!2gg^hep0xyLfE=E|8us`=ShMzo>AB(gT<PR4(BHatYk3Vt2^q0Jf8!$XNxuglv
zCo`SLt)ceVv3jJPfs$4sNeFEMA++98Dln4iah#HtJw!5@-ddn<t+Pd?7<ttxE&F1a
zl?pGYY_aN1p2Ehe(b-@kiTIycCQSwso~3kTp{mXX)amD1EtW``-Utb(vC|fgKn%Qx
z8g%<wcK>1z=9%I`kS3mQ#?}=RDNEVZf{l^^_*#j4d!Xxt9E-PEdC8A?99v{W=)U7c
zB9~W%kderWS4hLl9#Z0ZoVU_Ac0d<<d5~G=78&^Gwg17qrxYJ-zS7E^JoJ@XHPKbW
zG)M8>0xi3LDDJ)S>Jl@aJ{B_34I%M6>nMSly?yTuvKt@tP1inTI;9hP>F0sZ0g0!X
z&SUYFA%iU#esAB<HwbQi8^fxH^@s^#SiC8Q(I0-yL6m@!6bNn>@$?uuh>##G;r1mA
zR~3$aiQ!YtV_#vo&%^|Z=Ue^Kfy5g>JRin`?kKw0->f@x8qM)m&1@r*1I}Lm6|M2N
z`TI`D5@BjiXmOi+FvRu<5t+Yh5EG<%+oA~6H4o|#5{zG;zkuLoC;khDW`qQ#E`Jqc
zgN8c6TB5t)(Glh-dA8TBz4%0r-DlHQ+B3dnb&Y*w=BtwBu$*Qo9ib$fUPTn=kJM$}
zdvxhJJnk@JO=nzuYB9pVPXg``a=^ODe}r5Crtq(inA0Lf>5Pk<D^iPYZJ8~%6G>tE
h%c<L-wd1fIT(@}Np2PMl-BtS+xK3uC*JM0V;s1Qt_oe^<

diff --git a/src/api/routes/auth/login.ts b/src/api/routes/auth/login.ts
index a2100333e..d23843379 100644
--- a/src/api/routes/auth/login.ts
+++ b/src/api/routes/auth/login.ts
@@ -139,7 +139,9 @@ router.post(
 				ticket: ticket,
 				mfa: true,
 				sms: false, // TODO
-				token: null,
+				totp: true,
+				backup: true,
+				user_id: user.id,
 			});
 		}
 
@@ -172,7 +174,9 @@ router.post(
 				ticket: ticket,
 				mfa: true,
 				sms: false, // TODO
-				token: null,
+				totp: true,
+				backup: true,
+				user_id: user.id,
 				webauthn: challenge,
 			});
 		}
@@ -202,7 +206,13 @@ router.post(
 		// Discord header is just the user id as string, which is not possible with npm-jsonwebtoken package
 		// https://user-images.githubusercontent.com/6506416/81051916-dd8c9900-8ec2-11ea-8794-daf12d6f31f0.png
 
-		res.json({ token, settings: { ...user.settings, index: undefined } });
+		res.json({
+			token,
+			settings: {
+				locale: user.settings.locale,
+				theme: user.settings.theme,
+			},
+		});
 	},
 );
 
@@ -211,15 +221,12 @@ router.post(
  * @argument { login: "email@gmail.com", password: "cleartextpassword", undelete: false, captcha_key: null, login_source: null, gift_code_sku_id: null, }
 
  * MFA required:
- * @returns {"token": null, "mfa": true, "sms": true, "ticket": "SOME TICKET JWT TOKEN"}
-
- * WebAuthn MFA required:
- * @returns {"token": null, "mfa": true, "webauthn": true, "sms": true, "ticket": "SOME TICKET JWT TOKEN"}
+ * @returns {"mfa": true, "sms": boolean, "totp": boolean, "backup": true, "ticket": "SOME TICKET JWT TOKEN", "user_id": "USER ID", "webauthn": "WEBAUTHN DATA or null"}
 
  * Captcha required:
  * @returns {"captcha_key": ["captcha-required"], "captcha_sitekey": null, "captcha_service": "recaptcha"}
 
  * Sucess:
- * @returns {"token": "USERTOKEN", "settings": {"locale": "en", "theme": "dark"}}
+ * @returns {"token": "USERTOKEN", "user_id": "USER ID", "settings": {"locale": "en-US", "theme": "dark"}}
 
  */
diff --git a/src/api/routes/auth/mfa/totp.ts b/src/api/routes/auth/mfa/totp.ts
index 4df408f9c..20ecd7a1c 100644
--- a/src/api/routes/auth/mfa/totp.ts
+++ b/src/api/routes/auth/mfa/totp.ts
@@ -73,7 +73,10 @@ router.post(
 
 		return res.json({
 			token: await generateToken(user.id),
-			settings: { ...user.settings, index: undefined },
+			settings: {
+				locale: user.settings.locale,
+				theme: user.settings.theme,
+			},
 		});
 	},
 );
diff --git a/src/api/routes/auth/mfa/webauthn.ts b/src/api/routes/auth/mfa/webauthn.ts
index b58d29443..687fdcd82 100644
--- a/src/api/routes/auth/mfa/webauthn.ts
+++ b/src/api/routes/auth/mfa/webauthn.ts
@@ -114,7 +114,10 @@ router.post(
 
 		return res.json({
 			token: await generateToken(user.id),
-			user_settings: user.settings,
+			user_settings: {
+				locale: user.settings.locale,
+				theme: user.settings.theme,
+			},
 		});
 	},
 );
diff --git a/src/api/routes/users/@me/mfa/totp/enable.ts b/src/api/routes/users/@me/mfa/totp/enable.ts
index 19836e4d7..5471e0b5d 100644
--- a/src/api/routes/users/@me/mfa/totp/enable.ts
+++ b/src/api/routes/users/@me/mfa/totp/enable.ts
@@ -18,6 +18,7 @@
 
 import { route } from "@spacebar/api";
 import {
+	AuthenticatorType,
 	TotpEnableSchema,
 	User,
 	generateMfaBackupCodes,
@@ -74,7 +75,14 @@ router.post(
 		await Promise.all(backup_codes.map((x) => x.save()));
 		await User.update(
 			{ id: req.user_id },
-			{ mfa_enabled: true, totp_secret: body.secret },
+			{
+				mfa_enabled: true,
+				totp_secret: body.secret,
+				authenticator_types: [
+					...user.authenticator_types,
+					AuthenticatorType.TOTP,
+				],
+			},
 		);
 
 		res.send({
diff --git a/src/api/routes/users/@me/mfa/webauthn/credentials/index.ts b/src/api/routes/users/@me/mfa/webauthn/credentials/index.ts
index f383ffb78..c8e5b67a1 100644
--- a/src/api/routes/users/@me/mfa/webauthn/credentials/index.ts
+++ b/src/api/routes/users/@me/mfa/webauthn/credentials/index.ts
@@ -18,9 +18,12 @@
 
 import { route } from "@spacebar/api";
 import {
+	AuthenticatorType,
+	BackupCode,
 	CreateWebAuthnCredentialSchema,
 	DiscordApiErrors,
 	FieldErrors,
+	generateMfaBackupCodes,
 	GenerateWebAuthnCredentialsSchema,
 	generateWebAuthnTicket,
 	SecurityKey,
@@ -193,12 +196,41 @@ router.post(
 
 			await Promise.all([
 				securityKey.save(),
-				User.update({ id: req.user_id }, { webauthn_enabled: true }),
+				User.update(
+					{ id: req.user_id },
+					{
+						webauthn_enabled: true,
+						authenticator_types: [
+							...user.authenticator_types,
+							AuthenticatorType.WEBAUTHN,
+						],
+					},
+				),
 			]);
 
+			// try and get the users existing backup codes
+			let backup_codes = await BackupCode.find({
+				where: {
+					user: {
+						id: req.user_id,
+					},
+				},
+			});
+
+			// if there arent any, create them
+			if (!backup_codes.length) {
+				backup_codes = generateMfaBackupCodes(req.user_id);
+				await Promise.all(backup_codes.map((x) => x.save()));
+			}
+
 			return res.json({
 				name,
 				id: securityKey.id,
+				type: AuthenticatorType.WEBAUTHN, // I think thats what this is?
+				backup_codes: backup_codes.map((x) => ({
+					...x,
+					expired: undefined,
+				})),
 			});
 		} else {
 			throw DiscordApiErrors.INVALID_AUTHENTICATION_TOKEN;
diff --git a/src/util/config/types/subconfigurations/security/TwoFactor.ts b/src/util/config/types/subconfigurations/security/TwoFactor.ts
index 757571244..dfa493a75 100644
--- a/src/util/config/types/subconfigurations/security/TwoFactor.ts
+++ b/src/util/config/types/subconfigurations/security/TwoFactor.ts
@@ -18,4 +18,6 @@
 
 export class TwoFactorConfiguration {
 	generateBackupCodes: boolean = true;
+	webauthnAttestation: "none" | "indirect" | "direct" = "none";
+	webauthnTimeout: number = 60000;
 }
diff --git a/src/util/entities/User.ts b/src/util/entities/User.ts
index c6582b00a..255867930 100644
--- a/src/util/entities/User.ts
+++ b/src/util/entities/User.ts
@@ -85,6 +85,12 @@ export interface UserPrivate extends Pick<User, PrivateUserKeys> {
 	locale: string;
 }
 
+export enum AuthenticatorType {
+	WEBAUTHN = 1,
+	TOTP = 2,
+	SMS = 3,
+}
+
 @Entity("users")
 export class User extends BaseClass {
 	@Column()
@@ -231,6 +237,9 @@ export class User extends BaseClass {
 	@OneToMany(() => SecurityKey, (key: SecurityKey) => key.user)
 	security_keys: SecurityKey[];
 
+	@Column({ type: "simple-array", select: false })
+	authenticator_types: AuthenticatorType[] = [];
+
 	// TODO: I don't like this method?
 	validate() {
 		if (this.discriminator) {
diff --git a/src/util/util/WebAuthn.ts b/src/util/util/WebAuthn.ts
index b0027b13c..599efe332 100644
--- a/src/util/util/WebAuthn.ts
+++ b/src/util/util/WebAuthn.ts
@@ -33,6 +33,15 @@ export const WebAuthn: {
 	init: function () {
 		this.fido2 = new Fido2Lib({
 			challengeSize: 128,
+			rpName: Config.get().general.instanceName,
+			rpId:
+				Config.get().general.frontPage ??
+				Config.get().general.instanceName.toLowerCase(),
+			attestation: Config.get().security.twoFactor.webauthnAttestation,
+			// rpIcon:
+			timeout: Config.get().security.twoFactor.webauthnTimeout,
+			authenticatorRequireResidentKey: false,
+			authenticatorUserVerification: "preferred",
 		});
 	},
 };