[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions
2025-10-29 18:52:24 -05:00 · 2025-04-07 16:14:41 +02:00 · 2025-04-07 16:14:41 +02:00 · 365b575341
commit 365b575341
parent 6f24205a26
78 changed files with 5593 additions and 825 deletions
--- a/internal/processing/user/password.go
+++ b/internal/processing/user/password.go
@ -20,6 +20,7 @@ package user
 import (
 	"context"

+	"codeberg.org/gruf/go-byteutil"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/validate"
@ -29,7 +30,10 @@ import (
 // PasswordChange processes a password change request for the given user.
 func (p *Processor) PasswordChange(ctx context.Context, user *gtsmodel.User, oldPassword string, newPassword string) gtserror.WithCode {
 	// Ensure provided oldPassword is the correct current password.
-	if err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte(oldPassword)); err != nil {
+	if err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B(oldPassword),
+	); err != nil {
 		err := gtserror.Newf("%w", err)
 		return gtserror.NewErrorUnauthorized(err, "old password was incorrect")
 	}
@ -48,7 +52,7 @@ func (p *Processor) PasswordChange(ctx context.Context, user *gtsmodel.User, old

 	// Hash the new password.
 	encryptedPassword, err := bcrypt.GenerateFromPassword(
-		[]byte(newPassword),
+		byteutil.S2B(newPassword),
 		bcrypt.DefaultCost,
 	)
 	if err != nil {