Convert edit OTP to all post requests

2024-12-22 16:24:10 +00:00 · 2023-10-16 18:20:31 +01:00 · 2023-10-16 18:20:31 +01:00 · 4bc46c5874
commit 4bc46c5874
parent 6dca637a16
3 changed files with 53 additions and 60 deletions
--- a/pages/index.go.html
+++ b/pages/index.go.html
@ -35,7 +35,7 @@
        </form>
    </div>
    <div>
-        <form method="GET" action="/edit/otp">
+        <form method="POST" action="/edit/otp">
            <label><input type="radio" name="digits" value="6"/> 6 digits</label>
            <label><input type="radio" name="digits" value="7"/> 7 digits</label>
            <label><input type="radio" name="digits" value="8"/> 8 digits</label>
--- a/server/otp.go
+++ b/server/otp.go
@ -75,7 +75,7 @@ func (h *HttpServer) fetchAndValidateOtp(rw http.ResponseWriter, sub uuid.UUID,
 	return false
 }

-func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
+func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
 	var digits int
 	switch req.URL.Query().Get("digits") {
 	case "6":
@ -89,6 +89,13 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
 		return
 	}

+	secret := req.FormValue("secret")
+	if !gotp.IsSecretValid(secret) {
+		http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)
+		return
+	}
+
+	if secret == "" {
 		// get user email
 		var email string
 		if h.DbTx(rw, func(tx *database.Tx) error {
@ -99,7 +106,7 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
 			return
 		}

-	secret := gotp.RandomSecret(64)
+		secret = gotp.RandomSecret(64)
 		if secret == "" {
 			http.Error(rw, "500 Internal Server Error: failed to generate OTP secret", http.StatusInternalServerError)
 			return
@ -130,25 +137,6 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
 			"OtpSecret":   secret,
 			"OtpDigits":   digits,
 		})
-}
-
-func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
-	var digits int
-	switch req.FormValue("digits") {
-	case "6":
-		digits = 6
-	case "7":
-		digits = 7
-	case "8":
-		digits = 8
-	default:
-		http.Error(rw, "400 Bad Request: Invalid number of digits for OTP code", http.StatusBadRequest)
-		return
-	}
-
-	secret := req.FormValue("secret")
-	if !gotp.IsSecretValid(secret) {
-		http.Error(rw, "400 Bad Request: Invalid secret", http.StatusBadRequest)
 		return
 	}

@ -159,6 +147,12 @@ func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ ht
 		return
 	}

+	if h.DbTx(rw, func(tx *database.Tx) error {
+		return tx.SetTwoFactor(auth.Data.ID, secret, digits)
+	}) {
+		return
+	}
+
 	http.Redirect(rw, req, "/", http.StatusFound)
 }

--- a/server/server.go
+++ b/server/server.go
@ -168,7 +168,6 @@ func NewHttpServer(conf Conf, db *database.DB, privKey []byte) *http.Server {
 	// edit profile pages
 	r.GET("/edit", RequireAuthentication(hs.EditGet))
 	r.POST("/edit", RequireAuthentication(hs.EditPost))
-	r.GET("/edit/otp", RequireAuthentication(hs.EditOtpGet))
 	r.POST("/edit/otp", RequireAuthentication(hs.EditOtpPost))

 	// management pages