[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions
2025-10-31 02:22:26 -05:00 · 2025-04-07 16:14:41 +02:00 · 2025-04-07 16:14:41 +02:00 · 365b575341
commit 365b575341
parent 6f24205a26
78 changed files with 5593 additions and 825 deletions
--- a/web/source/settings/lib/query/user/index.ts
+++ b/web/source/settings/lib/query/user/index.ts
@ -58,7 +58,8 @@ const extended = gtsApi.injectEndpoints({
 		}),
 		
 		user: build.query<User, void>({
-			query: () => ({url: `/api/v1/user`})
+			query: () => ({url: `/api/v1/user`}),
+			providesTags: ["User"],
 		}),
 		
 		passwordChange: build.mutation({
--- a/web/source/settings/lib/query/user/twofactor.ts
+++ b/web/source/settings/lib/query/user/twofactor.ts
@ -0,0 +1,82 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import { gtsApi } from "../gts-api";
+import { FetchBaseQueryError } from "@reduxjs/toolkit/query";
+
+const extended = gtsApi.injectEndpoints({
+	endpoints: (build) => ({
+		twoFactorQRCodeURI: build.mutation<string, void>({
+			query: () => ({
+				url: `/api/v1/user/2fa/qruri`,
+				acceptContentType: "text/plain",
+			})
+		}),
+
+		twoFactorQRCodePng: build.mutation<string, void>({
+			async queryFn(_arg, _api, _extraOpts, fetchWithBQ) {
+				const blobRes = await fetchWithBQ({
+					url: `/api/v1/user/2fa/qr.png`,
+					acceptContentType: "image/png",
+				});
+				if (blobRes.error) {
+					return { error: blobRes.error as FetchBaseQueryError };
+				}
+
+				if (blobRes.meta?.response?.status !== 200) {
+					return { error: blobRes.data };
+				}
+
+				const blob = blobRes.data as Blob;
+				const url = URL.createObjectURL(blob);
+
+				return { data: url };
+			},
+		}),
+
+		twoFactorEnable: build.mutation<string[], { password: string }>({
+			query: (formData) => ({
+				method: "POST",
+				url: `/api/v1/user/2fa/enable`,
+				asForm: true,
+				body: formData,
+				discardEmpty: true
+			})
+		}),
+
+		twoFactorDisable: build.mutation<void, { password: string }>({
+			query: (formData) => ({
+				method: "POST",
+				url: `/api/v1/user/2fa/disable`,
+				asForm: true,
+				body: formData,
+				discardEmpty: true,
+				acceptContentType: "*/*",
+			}),
+			invalidatesTags: ["User"]
+		}),
+	})
+});
+
+export const {
+	useTwoFactorQRCodeURIMutation,
+	useTwoFactorQRCodePngMutation,
+	useTwoFactorEnableMutation,
+	useTwoFactorDisableMutation,
+} = extended;