feat: remove 2FA password requirement (#1053)

packages/lib/server-only/2fa/disable-2fa.ts

@@ -1,40 +1,30 @@
-import { compare } from '@node-rs/bcrypt';
-
 import { prisma } from '@documenso/prisma';
 import type { User } from '@documenso/prisma/client';
 import { UserSecurityAuditLogType } from '@documenso/prisma/client';
 
-import { ErrorCode } from '../../next-auth/error-codes';
+import { AppError } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { validateTwoFactorAuthentication } from './validate-2fa';
 
 type DisableTwoFactorAuthenticationOptions = {
   user: User;
-  backupCode: string;
-  password: string;
+  token: string;
   requestMetadata?: RequestMetadata;
 };
 
 export const disableTwoFactorAuthentication = async ({
-  backupCode,
+  token,
   user,
-  password,
   requestMetadata,
 }: DisableTwoFactorAuthenticationOptions) => {
-  if (!user.password) {
-    throw new Error(ErrorCode.USER_MISSING_PASSWORD);
-  }
-
-  const isCorrectPassword = await compare(password, user.password);
-
-  if (!isCorrectPassword) {
-    throw new Error(ErrorCode.INCORRECT_PASSWORD);
-  }
-
-  const isValid = await validateTwoFactorAuthentication({ backupCode, user });
+  let isValid = await validateTwoFactorAuthentication({ totpCode: token, user });
 
   if (!isValid) {
-    throw new Error(ErrorCode.INCORRECT_TWO_FACTOR_BACKUP_CODE);
+    isValid = await validateTwoFactorAuthentication({ backupCode: token, user });
+  }
+
+  if (!isValid) {
+    throw new AppError('INCORRECT_TWO_FACTOR_CODE');
   }
 
   await prisma.$transaction(async (tx) => {

packages/lib/server-only/2fa/enable-2fa.ts

@@ -1,7 +1,7 @@
-import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
 import { prisma } from '@documenso/prisma';
 import { type User, UserSecurityAuditLogType } from '@documenso/prisma/client';
 
+import { AppError } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getBackupCodes } from './get-backup-code';
 import { verifyTwoFactorAuthenticationToken } from './verify-2fa-token';
@@ -17,25 +17,38 @@ export const enableTwoFactorAuthentication = async ({
   code,
   requestMetadata,
 }: EnableTwoFactorAuthenticationOptions) => {
-  if (user.identityProvider !== 'DOCUMENSO') {
-    throw new Error(ErrorCode.INCORRECT_IDENTITY_PROVIDER);
-  }
-
   if (user.twoFactorEnabled) {
-    throw new Error(ErrorCode.TWO_FACTOR_ALREADY_ENABLED);
+    throw new AppError('TWO_FACTOR_ALREADY_ENABLED');
   }
 
   if (!user.twoFactorSecret) {
-    throw new Error(ErrorCode.TWO_FACTOR_SETUP_REQUIRED);
+    throw new AppError('TWO_FACTOR_SETUP_REQUIRED');
   }
 
   const isValidToken = await verifyTwoFactorAuthenticationToken({ user, totpCode: code });
 
   if (!isValidToken) {
-    throw new Error(ErrorCode.INCORRECT_TWO_FACTOR_CODE);
+    throw new AppError('INCORRECT_TWO_FACTOR_CODE');
   }
 
-  const updatedUser = await prisma.$transaction(async (tx) => {
+  let recoveryCodes: string[] = [];
+
+  await prisma.$transaction(async (tx) => {
+    const updatedUser = await tx.user.update({
+      where: {
+        id: user.id,
+      },
+      data: {
+        twoFactorEnabled: true,
+      },
+    });
+
+    recoveryCodes = getBackupCodes({ user: updatedUser }) ?? [];
+
+    if (recoveryCodes.length === 0) {
+      throw new AppError('MISSING_BACKUP_CODE');
+    }
+
     await tx.userSecurityAuditLog.create({
       data: {
         userId: user.id,
@@ -44,18 +57,7 @@ export const enableTwoFactorAuthentication = async ({
         ipAddress: requestMetadata?.ipAddress,
       },
     });
-
-    return await tx.user.update({
-      where: {
-        id: user.id,
-      },
-      data: {
-        twoFactorEnabled: true,
-      },
-    });
   });
 
-  const recoveryCodes = getBackupCodes({ user: updatedUser });
-
   return { recoveryCodes };
 };

packages/lib/server-only/2fa/setup-2fa.ts

@@ -1,4 +1,3 @@
-import { compare } from '@node-rs/bcrypt';
 import { base32 } from '@scure/base';
 import crypto from 'crypto';
 import { createTOTPKeyURI } from 'oslo/otp';
@@ -12,14 +11,12 @@ import { symmetricEncrypt } from '../../universal/crypto';
 
 type SetupTwoFactorAuthenticationOptions = {
   user: User;
-  password: string;
 };
 
 const ISSUER = 'Documenso';
 
 export const setupTwoFactorAuthentication = async ({
   user,
-  password,
 }: SetupTwoFactorAuthenticationOptions) => {
   const key = DOCUMENSO_ENCRYPTION_KEY;
 
@@ -27,20 +24,6 @@ export const setupTwoFactorAuthentication = async ({
     throw new Error(ErrorCode.MISSING_ENCRYPTION_KEY);
   }
 
-  if (user.identityProvider !== 'DOCUMENSO') {
-    throw new Error(ErrorCode.INCORRECT_IDENTITY_PROVIDER);
-  }
-
-  if (!user.password) {
-    throw new Error(ErrorCode.USER_MISSING_PASSWORD);
-  }
-
-  const isCorrectPassword = await compare(password, user.password);
-
-  if (!isCorrectPassword) {
-    throw new Error(ErrorCode.INCORRECT_PASSWORD);
-  }
-
   const secret = crypto.randomBytes(10);
 
   const backupCodes = Array.from({ length: 10 })

packages/lib/server-only/2fa/view-backup-codes.ts

@@ -0,0 +1,30 @@
+import type { User } from '@documenso/prisma/client';
+
+import { AppError } from '../../errors/app-error';
+import { getBackupCodes } from './get-backup-code';
+import { validateTwoFactorAuthentication } from './validate-2fa';
+
+type ViewBackupCodesOptions = {
+  user: User;
+  token: string;
+};
+
+export const viewBackupCodes = async ({ token, user }: ViewBackupCodesOptions) => {
+  let isValid = await validateTwoFactorAuthentication({ totpCode: token, user });
+
+  if (!isValid) {
+    isValid = await validateTwoFactorAuthentication({ backupCode: token, user });
+  }
+
+  if (!isValid) {
+    throw new AppError('INCORRECT_TWO_FACTOR_CODE');
+  }
+
+  const backupCodes = getBackupCodes({ user });
+
+  if (!backupCodes) {
+    throw new AppError('MISSING_BACKUP_CODE');
+  }
+
+  return backupCodes;
+};

packages/trpc/server/two-factor-authentication-router/router.ts

@@ -1,34 +1,34 @@
 import { TRPCError } from '@trpc/server';
 
-import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
+import { AppError } from '@documenso/lib/errors/app-error';
 import { disableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/disable-2fa';
 import { enableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/enable-2fa';
-import { getBackupCodes } from '@documenso/lib/server-only/2fa/get-backup-code';
 import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
-import { compareSync } from '@documenso/lib/server-only/auth/hash';
+import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
 import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { authenticatedProcedure, router } from '../trpc';
 import {
   ZDisableTwoFactorAuthenticationMutationSchema,
   ZEnableTwoFactorAuthenticationMutationSchema,
-  ZSetupTwoFactorAuthenticationMutationSchema,
   ZViewRecoveryCodesMutationSchema,
 } from './schema';
 
 export const twoFactorAuthenticationRouter = router({
-  setup: authenticatedProcedure
-    .input(ZSetupTwoFactorAuthenticationMutationSchema)
-    .mutation(async ({ ctx, input }) => {
-      const user = ctx.user;
-
-      const { password } = input;
-
+  setup: authenticatedProcedure.mutation(async ({ ctx }) => {
+    try {
       return await setupTwoFactorAuthentication({
-        user,
-        password,
+        user: ctx.user,
       });
-    }),
+    } catch (err) {
+      console.error(err);
+
+      throw new TRPCError({
+        code: 'BAD_REQUEST',
+        message: 'We were unable to setup two-factor authentication. Please try again later.',
+      });
+    }
+  }),
 
   enable: authenticatedProcedure
     .input(ZEnableTwoFactorAuthenticationMutationSchema)
@@ -44,7 +44,11 @@ export const twoFactorAuthenticationRouter = router({
           requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
-        console.error(err);
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }
 
         throw new TRPCError({
           code: 'BAD_REQUEST',
@@ -59,16 +63,17 @@ export const twoFactorAuthenticationRouter = router({
       try {
         const user = ctx.user;
 
-        const { password, backupCode } = input;
-
         return await disableTwoFactorAuthentication({
           user,
-          password,
-          backupCode,
+          token: input.token,
           requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
-        console.error(err);
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }
 
         throw new TRPCError({
           code: 'BAD_REQUEST',
@@ -81,38 +86,18 @@ export const twoFactorAuthenticationRouter = router({
     .input(ZViewRecoveryCodesMutationSchema)
     .mutation(async ({ ctx, input }) => {
       try {
-        const user = ctx.user;
-
-        const { password } = input;
-
-        if (!user.twoFactorEnabled) {
-          throw new TRPCError({
-            code: 'BAD_REQUEST',
-            message: ErrorCode.TWO_FACTOR_SETUP_REQUIRED,
-          });
-        }
-
-        if (!user.password || !compareSync(password, user.password)) {
-          throw new TRPCError({
-            code: 'UNAUTHORIZED',
-            message: ErrorCode.INCORRECT_PASSWORD,
-          });
-        }
-
-        const recoveryCodes = await getBackupCodes({ user });
-
-        return { recoveryCodes };
-      } catch (err) {
-        console.error(err);
-
-        if (err instanceof TRPCError) {
-          throw err;
-        }
-
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message: 'We were unable to view your recovery codes. Please try again later.',
+        return await viewBackupCodes({
+          user: ctx.user,
+          token: input.token,
         });
+      } catch (err) {
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }
+
+        throw AppError.parseErrorToTRPCError(err);
       }
     }),
 });

packages/trpc/server/two-factor-authentication-router/schema.ts

@@ -1,13 +1,5 @@
 import { z } from 'zod';
 
-export const ZSetupTwoFactorAuthenticationMutationSchema = z.object({
-  password: z.string().min(1),
-});
-
-export type TSetupTwoFactorAuthenticationMutationSchema = z.infer<
-  typeof ZSetupTwoFactorAuthenticationMutationSchema
->;
-
 export const ZEnableTwoFactorAuthenticationMutationSchema = z.object({
   code: z.string().min(6).max(6),
 });
@@ -17,8 +9,7 @@ export type TEnableTwoFactorAuthenticationMutationSchema = z.infer<
 >;
 
 export const ZDisableTwoFactorAuthenticationMutationSchema = z.object({
-  password: z.string().min(6).max(72),
-  backupCode: z.string().trim(),
+  token: z.string().trim().min(1),
 });
 
 export type TDisableTwoFactorAuthenticationMutationSchema = z.infer<
@@ -26,7 +17,7 @@ export type TDisableTwoFactorAuthenticationMutationSchema = z.infer<
 >;
 
 export const ZViewRecoveryCodesMutationSchema = z.object({
-  password: z.string().min(6).max(72),
+  token: z.string().trim().min(1),
 });
 
 export type TViewRecoveryCodesMutationSchema = z.infer<typeof ZViewRecoveryCodesMutationSchema>;