external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Added support for 2FA messaging (#4650)

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2022-10-22 12:59:12 -07:00
parent c62bc9c962
commit e2cf723c6a
8 changed files with 139 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

92
webserver.js
View file

@ -892,8 +892,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// See if SMS 2FA is available
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
// See if Messenger 2FA is available
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
// Check if a 2nd factor is present
return ((parent.config.settings.no2factorauth !== true) && (sms2fa || (user.otpsecret != null) || ((user.email != null) && (user.emailVerified == true) && (domain.mailserver != null) && (user.otpekey != null)) || ((user.otphkeys != null) && (user.otphkeys.length > 0))));
return ((parent.config.settings.no2factorauth !== true) && (msg2fa || sms2fa || (user.otpsecret != null) || ((user.email != null) && (user.emailVerified == true) && (domain.mailserver != null) && (user.otpekey != null)) || ((user.otphkeys != null) && (user.otphkeys.length > 0))));
}
// Check the 2-step auth token
@ -907,6 +910,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.email2factor == false)) { otpemail = false; }
var otpsms = (parent.smsserver != null);
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.sms2factor == false)) { otpsms = false; }
var otpmsg = ((parent.msgserver != null) && (parent.msgserver.providers != 0));
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.msg2factor == false)) { otpmsg = false; }
// Check 2FA login cookie
if ((token != null) && (token.startsWith('cookie='))) {
@ -926,7 +931,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}
}
// Check sms key
// Check SMS key
if ((otpsms) && (user.phone != null) && (user.otpsms != null) && (user.otpsms.d != null) && (user.otpsms.k === token)) {
var deltaTime = (Date.now() - user.otpsms.d);
if ((deltaTime > 0) && (deltaTime < 300000)) { // Allow 5 minutes to use the SMS token (10000 * 60 * 5).
@ -938,6 +943,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}
}
// Check messenger key
if ((otpmsg) && (user.msghandle != null) && (user.otpmsg != null) && (user.otpmsg.d != null) && (user.otpmsg.k === token)) {
var deltaTime = (Date.now() - user.otpmsg.d);
if ((deltaTime > 0) && (deltaTime < 300000)) { // Allow 5 minutes to use the Messenger token (10000 * 60 * 5).
delete user.otpmsg;
obj.db.SetUser(user);
parent.debug('web', 'checkUserOneTimePassword: success (Messenger).');
func(true, { twoFactorType: 'messenger' });
return;
}
}
// Check hardware key
if (user.otphkeys && (user.otphkeys.length > 0) && (typeof (hwtoken) == 'string') && (hwtoken.length > 0)) {
var authResponse = null;
@ -1121,6 +1138,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.email != null) && (user.emailVerified == true) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
var push2fa = ((parent.firebase != null) && (user.otpdev != null));
// Check if two factor can be skipped
@ -1158,6 +1176,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
return;
}
if ((req.body.hwtoken == '**msg**') && msg2fa) {
// Cause a token to be sent to the user's messenger account
user.otpmsg = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA message to: ' + user.msghandle);
parent.msgserver.sendToken(domain, user.msghandle, user.otpmsg.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm message was sent
req.session.messageid = 6; // "Message sent" message
req.session.loginmode = 4;
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
return;
}
// Handle device push notification 2FA request
// We create a browser cookie, send it back and when the browser connects it's web socket, it will trigger the push notification.
if ((req.body.hwtoken == '**push**') && push2fa && ((domain.passwordrequirements == null) || (domain.passwordrequirements.push2factor != false))) {
@ -1219,6 +1250,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
req.session.loginmode = 4;
if ((user.email != null) && (user.emailVerified == true) && (domain.mailserver != null) && (user.otpekey != null)) { req.session.temail = 1; }
if ((user.phone != null) && (parent.smsserver != null)) { req.session.tsms = 1; }
if ((user.msghandle != null) && (parent.msgserver != null) && (parent.msgserver.providers != 0)) { req.session.tmsg = 1; }
if ((user.otpdev != null) && (parent.firebase != null)) { req.session.tpush = 1; }
req.session.e = parent.encryptSessionData({ tuserid: userid, tuser: xusername, tpass: xpassword });
if (direct === true) { handleRootRequestEx(req, res, domain); } else { res.redirect(domain.url + getQueryPortion(req)); }
@ -1358,6 +1390,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
delete req.session.tpass;
delete req.session.temail;
delete req.session.tsms;
delete req.session.tmsg;
delete req.session.tpush;
delete req.session.messageid;
delete req.session.passhint;
@ -1591,6 +1624,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
delete req.session.tpass;
delete req.session.temail;
delete req.session.tsms;
delete req.session.tmsg;
delete req.session.tpush;
delete req.session.messageid;
delete req.session.passhint;
@ -1673,6 +1707,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
delete req.session.tpass;
delete req.session.temail;
delete req.session.tsms;
delete req.session.tmsg;
delete req.session.tpush;
delete req.session.messageid;
delete req.session.passhint;
@ -1751,6 +1786,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'handleResetAccountRequest: Invalid 2FA token, try again');
if ((req.body.token != null) || (req.body.hwtoken != null)) {
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
if ((req.body.hwtoken == '**sms**') && sms2fa) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
@ -1758,6 +1794,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Sending 2FA SMS for password recovery to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
req.session.messageid = 4; // SMS sent.
} else if ((req.body.hwtoken == '**msg**') && msg2fa) {
// Cause a token to be sent to the user's messager account
user.otpmsg = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA message for password recovery to: ' + user.msghandle);
parent.msgserver.sendToken(domain, user.msghandle, user.otpmsg.k, obj.getLanguageCodes(req));
req.session.messageid = 6; // Message sent.
} else {
req.session.messageid = 108; // Invalid token, try again.
const ua = obj.getUserAgentInfo(req);
@ -3204,6 +3247,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.email2factor == false)) { otpemail = false; }
var otpsms = (parent.smsserver != null) && (req.session != null) && (req.session.tsms === 1);
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.sms2factor == false)) { otpsms = false; }
var otpmsg = (parent.msgserver != null) && (req.session != null) && (req.session.tmsg === 1);
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.msg2factor == false)) { otpmsg = false; }
var otppush = (parent.firebase != null) && (req.session != null) && (req.session.tpush === 1);
if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.push2factor == false)) { otppush = false; }
const autofido = ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.autofido2fa == true)); // See if FIDO should be automatically prompted if user account has it.
@ -3270,6 +3315,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
hwstate: hwstate,
otpemail: otpemail,
otpsms: otpsms,
otpmsg: otpmsg,
otppush: otppush,
autofido: autofido,
twoFactorCookieDays: twoFactorCookieDays,
@ -7250,6 +7296,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Figure out if email 2FA is allowed
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
//var push2fa = ((parent.firebase != null) && (user.otpdev != null));
if ((typeof command.token != 'string') || (command.token == '**email**') || (command.token == '**sms**')/* || (command.token == '**push**')*/) {
if ((command.token == '**email**') && (email2fa == true)) {
@ -7259,7 +7306,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Sending 2FA email to: ' + user.email);
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
// Ask for a login token & confirm email was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((command.token == '**sms**') && (sms2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
@ -7267,7 +7314,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((command.token == '**msg**') && (msg2fa == true)) {
// Cause a token to be sent to the user's messenger account
user.otpmsg = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA message to: ' + user.phone);
parent.msgserver.sendToken(domain, user.msghandle, user.otpmsg.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, msg2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
/*
} else if ((command.token == '**push**') && (push2fa == true)) {
// Cause push notification to device
@ -7311,7 +7366,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Invalid login, asking for email validation');
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, email2fasent: true })); ws.close(); } catch (e) { }
} else {
// We are authenticated
ws._socket.pause();
@ -7396,6 +7452,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Figure out if email 2FA is allowed
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
//var push2fa = ((parent.firebase != null) && (user.otpdev != null));
if ((typeof req.query.token != 'string') || (req.query.token == '**email**') || (req.query.token == '**sms**')/* || (req.query.token == '**push**')*/) {
if ((req.query.token == '**email**') && (email2fa == true)) {
@ -7405,7 +7462,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Sending 2FA email to: ' + user.email);
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
// Ask for a login token & confirm email was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((req.query.token == '**sms**') && (sms2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
@ -7413,7 +7470,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Sending 2FA SMS to: ' + user.phone);
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((req.query.token == '**msg**') && (msg2fa == true)) {
// Cause a token to be sent to the user's messenger account
user.otpmsg = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA message to: ' + user.msghandle);
parent.msgserver.sendToken(domain, user.msghandle, user.otpmsg.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm message was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, msg2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
/*
} else if ((command.token == '**push**') && (push2fa == true)) {
// Cause push notification to device
@ -7454,7 +7519,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'Invalid login, asking for email validation');
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true })); ws.close(); } catch (e) { }
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
try { ws.send(JSON.stringify({ action: 'close', cause: 'emailvalidation', msg: 'emailvalidationrequired', email2fa: email2fa, sms2fa: sms2fa, msg2fa: msg2fa, email2fasent: true })); ws.close(); } catch (e) { }
} else {
// We are authenticated
func(ws, req, domain, user);
@ -7533,6 +7599,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Figure out if email 2FA is allowed
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
var msg2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.msg2factor != false)) && (parent.msgserver != null) && (parent.msgserver.providers != 0) && (user.msghandle != null));
if (s.length != 3) {
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else {
@ -7554,6 +7621,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.smsserver.sendToken(domain, user.phone, user.otpsms.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', sms2fa: sms2fa, sms2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else if ((s[2] == '**msg**') && (msg2fa == true)) {
// Cause a token to be sent to the user's phone number
user.otpmsg = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
obj.db.SetUser(user);
parent.debug('web', 'Sending 2FA message to: ' + user.msghandle);
parent.msgserver.sendToken(domain, user.msghandle, user.otpmsg.k, obj.getLanguageCodes(req));
// Ask for a login token & confirm sms was sent
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', msg2fa: msg2fa, msg2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
} else {
// Ask for a login token
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
@ -8173,6 +8248,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
delete user2.subscriptions;
delete user2.passtype;
delete user2.otpsms;
delete user2.otpmsg;
if ((typeof user2.otpekey == 'object') && (user2.otpekey != null)) { user2.otpekey = 1; } // Indicates that email 2FA is enabled.
if ((typeof user2.otpsecret == 'string') && (user2.otpsecret != null)) { user2.otpsecret = 1; } // Indicates a time secret is present.
if ((typeof user2.otpkeys == 'object') && (user2.otpkeys != null)) { user2.otpkeys = 0; if (user.otpkeys != null) { for (var i = 0; i < user.otpkeys.keys.length; i++) { if (user.otpkeys.keys[i].u == true) { user2.otpkeys = 1; } } } } // Indicates the number of one time backup codes that are active.