feat(api/v2): add totp qr code endpoint
Port GET /user/settings/totp/qrcode to v2 as an image/jpeg blob, modeled in the OpenAPI spec. Extract the qr-to-jpeg encoding into user.GetTOTPQrCodeAsJpegForUser so v1 and v2 share it; refactor v1 onto it. The handler reuses the existing local-account guard, rejecting non-local users with 412.
This commit is contained in:
parent
ca4e747bed
commit
ac5e94252b
|
|
@ -17,10 +17,8 @@
|
||||||
package v1
|
package v1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"image/jpeg"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"code.vikunja.io/api/pkg/db"
|
"code.vikunja.io/api/pkg/db"
|
||||||
|
|
@ -202,14 +200,7 @@ func UserTOTPQrCode(c *echo.Context) error {
|
||||||
}
|
}
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
qrcode, err := user.GetTOTPQrCodeForUser(s, u)
|
qrcode, err := user.GetTOTPQrCodeAsJpegForUser(s, u)
|
||||||
if err != nil {
|
|
||||||
_ = s.Rollback()
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
buff := &bytes.Buffer{}
|
|
||||||
err = jpeg.Encode(buff, qrcode, nil)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
_ = s.Rollback()
|
_ = s.Rollback()
|
||||||
return err
|
return err
|
||||||
|
|
@ -220,7 +211,7 @@ func UserTOTPQrCode(c *echo.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.Blob(http.StatusOK, "image/jpeg", buff.Bytes())
|
return c.Blob(http.StatusOK, "image/jpeg", qrcode)
|
||||||
}
|
}
|
||||||
|
|
||||||
// UserTOTP returns the current totp implementation if any is enabled.
|
// UserTOTP returns the current totp implementation if any is enabled.
|
||||||
|
|
|
||||||
|
|
@ -49,10 +49,16 @@ type totpMessageBody struct {
|
||||||
Body models.Message
|
Body models.Message
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// totpQrCodeResponse carries the qr code jpeg bytes plus a fixed Content-Type.
|
||||||
|
// Huma writes the []byte Body straight to the wire; the header field overrides
|
||||||
|
// content negotiation so image/jpeg reaches the client (matching v1).
|
||||||
|
type totpQrCodeResponse struct {
|
||||||
|
ContentType string `header:"Content-Type"`
|
||||||
|
Body []byte
|
||||||
|
}
|
||||||
|
|
||||||
// RegisterTOTPRoutes wires the current-user totp (2FA) operations onto the Huma
|
// RegisterTOTPRoutes wires the current-user totp (2FA) operations onto the Huma
|
||||||
// API. Totp is a local-account feature; every handler rejects OIDC/LDAP users.
|
// API. Totp is a local-account feature; every handler rejects OIDC/LDAP users.
|
||||||
// The QR-code blob endpoint is intentionally not ported here (binary streaming,
|
|
||||||
// handled in a later wave).
|
|
||||||
func RegisterTOTPRoutes(api huma.API) {
|
func RegisterTOTPRoutes(api huma.API) {
|
||||||
if !config.ServiceEnableTotp.GetBool() {
|
if !config.ServiceEnableTotp.GetBool() {
|
||||||
return
|
return
|
||||||
|
|
@ -100,6 +106,27 @@ func RegisterTOTPRoutes(api huma.API) {
|
||||||
DefaultStatus: http.StatusOK,
|
DefaultStatus: http.StatusOK,
|
||||||
Tags: tags,
|
Tags: tags,
|
||||||
}, totpDisable)
|
}, totpDisable)
|
||||||
|
|
||||||
|
Register(api, huma.Operation{
|
||||||
|
OperationID: "totp-qrcode",
|
||||||
|
Summary: "Get the totp enrollment qr code",
|
||||||
|
Description: "Returns the qr code for the authenticated user's enrolled totp setting as a jpeg image, for scanning into an authenticator app. Requires a prior enrollment. Local accounts only.",
|
||||||
|
Method: http.MethodGet,
|
||||||
|
Path: "/user/settings/totp/qrcode",
|
||||||
|
Tags: tags,
|
||||||
|
// Spell out the binary response; a bare []byte Body would otherwise be
|
||||||
|
// modeled as a base64 JSON string instead of binary image data.
|
||||||
|
Responses: map[string]*huma.Response{
|
||||||
|
"200": {
|
||||||
|
Description: "The qr code as a jpeg image.",
|
||||||
|
Content: map[string]*huma.MediaType{
|
||||||
|
"image/jpeg": {
|
||||||
|
Schema: &huma.Schema{Type: huma.TypeString, Format: "binary"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, totpQrCode)
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() { AddRouteRegistrar(RegisterTOTPRoutes) }
|
func init() { AddRouteRegistrar(RegisterTOTPRoutes) }
|
||||||
|
|
@ -208,3 +235,21 @@ func totpDisable(ctx context.Context, in *totpDisableBody) (*totpMessageBody, er
|
||||||
}
|
}
|
||||||
return &totpMessageBody{Body: models.Message{Message: "TOTP was disabled successfully."}}, nil
|
return &totpMessageBody{Body: models.Message{Message: "TOTP was disabled successfully."}}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func totpQrCode(ctx context.Context, _ *struct{}) (*totpQrCodeResponse, error) {
|
||||||
|
u, s, err := localUserFromCtx(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer s.Close()
|
||||||
|
|
||||||
|
qrcode, err := user.GetTOTPQrCodeAsJpegForUser(s, u)
|
||||||
|
if err != nil {
|
||||||
|
_ = s.Rollback()
|
||||||
|
return nil, translateDomainError(err)
|
||||||
|
}
|
||||||
|
if err := s.Commit(); err != nil {
|
||||||
|
return nil, translateDomainError(err)
|
||||||
|
}
|
||||||
|
return &totpQrCodeResponse{ContentType: "image/jpeg", Body: qrcode}, nil
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -17,8 +17,10 @@
|
||||||
package user
|
package user
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"image"
|
"image"
|
||||||
|
"image/jpeg"
|
||||||
"strconv"
|
"strconv"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
|
@ -198,6 +200,21 @@ func GetTOTPQrCodeForUser(s *xorm.Session, user *User) (qrcode image.Image, err
|
||||||
return key.Image(300, 300)
|
return key.Image(300, 300)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetTOTPQrCodeAsJpegForUser renders the user's totp qr code to jpeg bytes, the
|
||||||
|
// wire format both API versions serve.
|
||||||
|
func GetTOTPQrCodeAsJpegForUser(s *xorm.Session, user *User) ([]byte, error) {
|
||||||
|
qrcode, err := GetTOTPQrCodeForUser(s, user)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
buff := &bytes.Buffer{}
|
||||||
|
if err := jpeg.Encode(buff, qrcode, nil); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return buff.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
// HandleFailedTOTPAuth records a failed TOTP attempt and locks the account
|
// HandleFailedTOTPAuth records a failed TOTP attempt and locks the account
|
||||||
// after 10 consecutive failures.
|
// after 10 consecutive failures.
|
||||||
//
|
//
|
||||||
|
|
|
||||||
|
|
@ -34,8 +34,7 @@ import (
|
||||||
var testuser14 = user.User{ID: 14, Username: "user14", Issuer: "https://some.service.com"}
|
var testuser14 = user.User{ID: 14, Username: "user14", Issuer: "https://some.service.com"}
|
||||||
|
|
||||||
// TestHumaTOTP mirrors v1's TestUserTOTPLocalUser and adds the enable/disable
|
// TestHumaTOTP mirrors v1's TestUserTOTPLocalUser and adds the enable/disable
|
||||||
// flows plus the local-account-only guard. The QR-code endpoint is not ported
|
// flows, the qr-code blob endpoint, and the local-account-only guard.
|
||||||
// to v2 (binary streaming, later wave), so there is no test for it here.
|
|
||||||
//
|
//
|
||||||
// Fixture topology (pkg/db/fixtures/totp.yml + users.yml):
|
// Fixture topology (pkg/db/fixtures/totp.yml + users.yml):
|
||||||
// - user1: totp enrolled, not enabled (secret HXDMVJEC…).
|
// - user1: totp enrolled, not enabled (secret HXDMVJEC…).
|
||||||
|
|
@ -59,6 +58,15 @@ func TestHumaTOTP(t *testing.T) {
|
||||||
require.Equal(t, http.StatusPreconditionFailed, rec.Code, "body: %s", rec.Body.String())
|
require.Equal(t, http.StatusPreconditionFailed, rec.Code, "body: %s", rec.Body.String())
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("Get qr code for enrolled user", func(t *testing.T) {
|
||||||
|
e, err := setupTestEnv()
|
||||||
|
require.NoError(t, err)
|
||||||
|
rec := humaRequest(t, e, http.MethodGet, "/api/v2/user/settings/totp/qrcode", "", humaTokenFor(t, &testuser1), "")
|
||||||
|
require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String())
|
||||||
|
assert.Equal(t, "image/jpeg", rec.Header().Get("Content-Type"))
|
||||||
|
assert.NotEmpty(t, rec.Body.Bytes(), "the qr code jpeg must have bytes")
|
||||||
|
})
|
||||||
|
|
||||||
t.Run("Enroll a fresh user", func(t *testing.T) {
|
t.Run("Enroll a fresh user", func(t *testing.T) {
|
||||||
e, err := setupTestEnv()
|
e, err := setupTestEnv()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
@ -123,6 +131,7 @@ func TestHumaTOTP(t *testing.T) {
|
||||||
method, path, body string
|
method, path, body string
|
||||||
}{
|
}{
|
||||||
{http.MethodGet, "/api/v2/user/settings/totp", ""},
|
{http.MethodGet, "/api/v2/user/settings/totp", ""},
|
||||||
|
{http.MethodGet, "/api/v2/user/settings/totp/qrcode", ""},
|
||||||
{http.MethodPost, "/api/v2/user/settings/totp/enroll", ""},
|
{http.MethodPost, "/api/v2/user/settings/totp/enroll", ""},
|
||||||
{http.MethodPost, "/api/v2/user/settings/totp/enable", `{"passcode":"000000"}`},
|
{http.MethodPost, "/api/v2/user/settings/totp/enable", `{"passcode":"000000"}`},
|
||||||
{http.MethodPost, "/api/v2/user/settings/totp/disable", `{"password":"12345678"}`},
|
{http.MethodPost, "/api/v2/user/settings/totp/disable", `{"password":"12345678"}`},
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue