lqb
/
nginx-ui
espejo de https://github.com/0xJacky/nginx-ui.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238
							package user

import (
	"bytes"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"github.com/0xJacky/Nginx-UI/api"
	"github.com/0xJacky/Nginx-UI/internal/crypto"
	"github.com/0xJacky/Nginx-UI/internal/user"
	"github.com/0xJacky/Nginx-UI/query"
	"github.com/0xJacky/Nginx-UI/settings"
	"github.com/gin-gonic/gin"
	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"
	"image/jpeg"
	"net/http"
	"strings"
)

func GenerateTOTP(c *gin.Context) {
	u := api.CurrentUser(c)

	issuer := fmt.Sprintf("Nginx UI %s", settings.ServerSettings.Name)
	issuer = strings.TrimSpace(issuer)

	otpOpts := totp.GenerateOpts{
		Issuer:      issuer,
		AccountName: u.Name,
		Period:      30, // seconds
		Digits:      otp.DigitsSix,
		Algorithm:   otp.AlgorithmSHA1,
	}
	otpKey, err := totp.Generate(otpOpts)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}
	ciphertext, err := crypto.AesEncrypt([]byte(otpKey.Secret()))
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	qrCode, err := otpKey.Image(512, 512)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	// Encode the image to a buffer
	var buf []byte
	buffer := bytes.NewBuffer(buf)
	err = jpeg.Encode(buffer, qrCode, nil)
	if err != nil {
		fmt.Println("Error encoding image:", err)
		return
	}

	// Convert the buffer to a base64 string
	base64Str := "data:image/jpeg;base64," + base64.StdEncoding.EncodeToString(buffer.Bytes())

	c.JSON(http.StatusOK, gin.H{
		"secret":  base64.StdEncoding.EncodeToString(ciphertext),
		"qr_code": base64Str,
	})
}

func EnrollTOTP(c *gin.Context) {
	cUser := api.CurrentUser(c)
	if cUser.EnabledOTP() {
		c.JSON(http.StatusBadRequest, gin.H{
			"message": "User already enrolled",
		})
		return
	}

	if settings.ServerSettings.Demo {
		c.JSON(http.StatusBadRequest, gin.H{
			"message": "This feature is disabled in demo mode",
		})
		return
	}

	var json struct {
		Secret   string `json:"secret" binding:"required"`
		Passcode string `json:"passcode" binding:"required"`
	}
	if !api.BindAndValid(c, &json) {
		return
	}

	secret, err := base64.StdEncoding.DecodeString(json.Secret)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	decrypted, err := crypto.AesDecrypt(secret)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	if ok := totp.Validate(json.Passcode, string(decrypted)); !ok {
		c.JSON(http.StatusNotAcceptable, gin.H{
			"message": "Invalid passcode",
		})
		return
	}

	ciphertext, err := crypto.AesEncrypt(decrypted)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	u := query.Auth
	_, err = u.Where(u.ID.Eq(cUser.ID)).Update(u.OTPSecret, ciphertext)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	recoveryCode := sha1.Sum(ciphertext)

	c.JSON(http.StatusOK, gin.H{
		"message":       "ok",
		"recovery_code": hex.EncodeToString(recoveryCode[:]),
	})
}

func ResetOTP(c *gin.Context) {
	var json struct {
		RecoveryCode string `json:"recovery_code"`
	}
	if !api.BindAndValid(c, &json) {
		return
	}
	recoverCode, err := hex.DecodeString(json.RecoveryCode)
	if err != nil {
		api.ErrHandler(c, err)
		return
	}
	cUser := api.CurrentUser(c)
	k := sha1.Sum(cUser.OTPSecret)
	if !bytes.Equal(k[:], recoverCode) {
		c.JSON(http.StatusBadRequest, gin.H{
			"message": "Invalid recovery code",
		})
		return
	}

	u := query.Auth
	_, err = u.Where(u.ID.Eq(cUser.ID)).UpdateSimple(u.OTPSecret.Null())
	if err != nil {
		api.ErrHandler(c, err)
		return
	}

	c.JSON(http.StatusOK, gin.H{
		"message": "ok",
	})
}

func OTPStatus(c *gin.Context) {
	c.JSON(http.StatusOK, gin.H{
		"status": len(api.CurrentUser(c).OTPSecret) > 0,
	})
}

func SecureSessionStatus(c *gin.Context) {
	cUser := api.CurrentUser(c)
	if !cUser.EnabledOTP() {
		c.JSON(http.StatusOK, gin.H{
			"status": false,
		})
		return
	}
	ssid := c.GetHeader("X-Secure-Session-ID")
	if ssid == "" {
		ssid = c.Query("X-Secure-Session-ID")
	}
	if ssid == "" {
		c.JSON(http.StatusOK, gin.H{
			"status": false,
		})
		return
	}

	if user.VerifySecureSessionID(ssid, cUser.ID) {
		c.JSON(http.StatusOK, gin.H{
			"status": true,
		})
		return
	}
	c.JSON(http.StatusOK, gin.H{
		"status": false,
	})
}

func StartSecure2FASession(c *gin.Context) {
	var json struct {
		OTP          string `json:"otp"`
		RecoveryCode string `json:"recovery_code"`
	}
	if !api.BindAndValid(c, &json) {
		return
	}
	u := api.CurrentUser(c)
	if !u.EnabledOTP() {
		c.JSON(http.StatusBadRequest, gin.H{
			"message": "User not configured with 2FA",
		})
		return
	}

	if json.OTP == "" && json.RecoveryCode == "" {
		c.JSON(http.StatusBadRequest, LoginResponse{
			Message: "The user has enabled 2FA",
		})
		return
	}

	if err := user.VerifyOTP(u, json.OTP, json.RecoveryCode); err != nil {
		c.JSON(http.StatusBadRequest, LoginResponse{
			Message: "Invalid 2FA or recovery code",
		})
		return
	}

	sessionId := user.SetSecureSessionID(u.ID)

	c.JSON(http.StatusOK, gin.H{
		"session_id": sessionId,
	})
}