[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions
2025-10-31 12:42:25 -05:00 · 2025-04-07 16:14:41 +02:00 · 2025-04-07 16:14:41 +02:00 · 365b575341
commit 365b575341
parent 6f24205a26
78 changed files with 5593 additions and 825 deletions
--- a/internal/processing/user/password_test.go
+++ b/internal/processing/user/password_test.go
@ -22,6 +22,7 @@ import (
 	"net/http"
 	"testing"

+	"codeberg.org/gruf/go-byteutil"
 	"github.com/stretchr/testify/suite"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"golang.org/x/crypto/bcrypt"
@ -37,7 +38,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordOK() {
 	errWithCode := suite.user.PasswordChange(context.Background(), user, "password", "verygoodnewpassword")
 	suite.NoError(errWithCode)

-	err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte("verygoodnewpassword"))
+	err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B("verygoodnewpassword"),
+	)
 	suite.NoError(err)

 	// get user from the db again
@ -46,7 +50,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordOK() {
 	suite.NoError(err)

 	// check the password has changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("verygoodnewpassword"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("verygoodnewpassword"),
+	)
 	suite.NoError(err)
 }

@ -64,7 +71,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordIncorrectOld() {
 	suite.NoError(err)

 	// check the password has not changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("password"),
+	)
 	suite.NoError(err)
 }

@ -82,7 +92,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordWeakNew() {
 	suite.NoError(err)

 	// check the password has not changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("password"),
+	)
 	suite.NoError(err)
 }