1f349/tulip
4
0
Fork 0
mirror of https://github.com/1f349/tulip.git synced 2024-11-09 22:42:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Convert edit OTP to all post requests

Browse Source
This commit is contained in:
Melon 2023-10-16 18:20:31 +01:00
parent 6dca637a16
commit 4bc46c5874
Signed by: melon
GPG Key ID: 6C9D970C50D26A25
3 changed files with 53 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pages/index.go.html
View File

@ -35,7 +35,7 @@
</form> </form>
</div> </div>
<div> <div>
<form method="GET" action="/edit/otp"> <form method="POST" action="/edit/otp">
<label><input type="radio" name="digits" value="6"/> 6 digits</label> <label><input type="radio" name="digits" value="6"/> 6 digits</label>
<label><input type="radio" name="digits" value="7"/> 7 digits</label> <label><input type="radio" name="digits" value="7"/> 7 digits</label>
<label><input type="radio" name="digits" value="8"/> 8 digits</label> <label><input type="radio" name="digits" value="8"/> 8 digits</label>

36
server/otp.go
View File

@ -75,7 +75,7 @@ func (h *HttpServer) fetchAndValidateOtp(rw http.ResponseWriter, sub uuid.UUID,
return false return false
} }
func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) { func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
var digits int var digits int
switch req.URL.Query().Get("digits") { switch req.URL.Query().Get("digits") {
case "6": case "6":
@ -89,6 +89,13 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
return return
} }
secret := req.FormValue("secret")
if !gotp.IsSecretValid(secret) {
http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)
return
}
if secret == "" {
// get user email // get user email
var email string var email string
if h.DbTx(rw, func(tx *database.Tx) error { if h.DbTx(rw, func(tx *database.Tx) error {
@ -99,7 +106,7 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
return return
} }
secret := gotp.RandomSecret(64) secret = gotp.RandomSecret(64)
if secret == "" { if secret == "" {
http.Error(rw, "500 Internal Server Error: failed to generate OTP secret", http.StatusInternalServerError) http.Error(rw, "500 Internal Server Error: failed to generate OTP secret", http.StatusInternalServerError)
return return
@ -130,25 +137,6 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
"OtpSecret": secret, "OtpSecret": secret,
"OtpDigits": digits, "OtpDigits": digits,
}) })
}
func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
var digits int
switch req.FormValue("digits") {
case "6":
digits = 6
case "7":
digits = 7
case "8":
digits = 8
default:
http.Error(rw, "400 Bad Request: Invalid number of digits for OTP code", http.StatusBadRequest)
return
}
secret := req.FormValue("secret")
if !gotp.IsSecretValid(secret) {
http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)
return return
} }
@ -159,6 +147,12 @@ func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ ht
return return
} }
if h.DbTx(rw, func(tx *database.Tx) error {
return tx.SetTwoFactor(auth.Data.ID, secret, digits)
}) {
return
}
http.Redirect(rw, req, "/", http.StatusFound) http.Redirect(rw, req, "/", http.StatusFound)
} }

1
server/server.go
View File

@ -168,7 +168,6 @@ func NewHttpServer(conf Conf, db *database.DB, privKey []byte) *http.Server {
// edit profile pages // edit profile pages
r.GET("/edit", RequireAuthentication(hs.EditGet)) r.GET("/edit", RequireAuthentication(hs.EditGet))
r.POST("/edit", RequireAuthentication(hs.EditPost)) r.POST("/edit", RequireAuthentication(hs.EditPost))
r.GET("/edit/otp", RequireAuthentication(hs.EditOtpGet))
r.POST("/edit/otp", RequireAuthentication(hs.EditOtpPost)) r.POST("/edit/otp", RequireAuthentication(hs.EditOtpPost))
// management pages // management pages