Prevent enable of 2FA without configure

2024-11-14 22:06:00 +00:00 · 2024-05-14 17:33:14 -04:00 · 2024-05-14 17:33:14 -04:00 · 923d5878c3
commit 923d5878c3
parent 9c5849fbce
2 changed files with 10 additions and 0 deletions
--- a/packages/backend/src/api/APIError.js
+++ b/packages/backend/src/api/APIError.js
@ -339,6 +339,10 @@ module.exports = class APIError {
            status: 409,
            message: '2FA is already enabled.',
        },
+        '2fa_not_configured': {
+            status: 409,
+            message: '2FA is not configured.',
+        },

        // protected endpoints
        'too_many_requests': {
--- a/packages/backend/src/routers/auth/configure-2fa.js
+++ b/packages/backend/src/routers/auth/configure-2fa.js
@ -88,10 +88,16 @@ module.exports = eggspress('/auth/configure-2fa/:action', {

        const user = await get_user({ id: req.user.id, force: true });

+        // Verify that 2FA isn't already enabled
        if ( user.otp_enabled ) {
            throw APIError.create('2fa_already_enabled');
        }

+        // Verify that TOTP secret was set (configuration step not skipped)
+        if ( ! user.otp_secret ) {
+            throw APIError.create('2fa_not_configured');
+        }
+
        await db.write(
            `UPDATE user SET otp_enabled = 1 WHERE uuid = ?`,
            [user.uuid]