feat: remove 2FA password requirement (#1053)

2025-11-12 15:53:02 +10:00 · 2024-03-25 11:34:50 +08:00
parent 715c14a6ae
commit 43400c07de
12 changed files with 432 additions and 658 deletions
--- a/packages/trpc/server/two-factor-authentication-router/router.ts
+++ b/packages/trpc/server/two-factor-authentication-router/router.ts
@ -1,34 +1,34 @@
 import { TRPCError } from '@trpc/server';

-import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
+import { AppError } from '@documenso/lib/errors/app-error';
 import { disableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/disable-2fa';
 import { enableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/enable-2fa';
-import { getBackupCodes } from '@documenso/lib/server-only/2fa/get-backup-code';
 import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
-import { compareSync } from '@documenso/lib/server-only/auth/hash';
+import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
 import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';

 import { authenticatedProcedure, router } from '../trpc';
 import {
  ZDisableTwoFactorAuthenticationMutationSchema,
  ZEnableTwoFactorAuthenticationMutationSchema,
-  ZSetupTwoFactorAuthenticationMutationSchema,
  ZViewRecoveryCodesMutationSchema,
 } from './schema';

 export const twoFactorAuthenticationRouter = router({
-  setup: authenticatedProcedure
-    .input(ZSetupTwoFactorAuthenticationMutationSchema)
-    .mutation(async ({ ctx, input }) => {
-      const user = ctx.user;
-
-      const { password } = input;
-
+  setup: authenticatedProcedure.mutation(async ({ ctx }) => {
+    try {
      return await setupTwoFactorAuthentication({
-        user,
-        password,
+        user: ctx.user,
      });
-    }),
+    } catch (err) {
+      console.error(err);
+
+      throw new TRPCError({
+        code: 'BAD_REQUEST',
+        message: 'We were unable to setup two-factor authentication. Please try again later.',
+      });
+    }
+  }),

  enable: authenticatedProcedure
    .input(ZEnableTwoFactorAuthenticationMutationSchema)
@ -44,7 +44,11 @@ export const twoFactorAuthenticationRouter = router({
          requestMetadata: extractNextApiRequestMetadata(ctx.req),
        });
      } catch (err) {
-        console.error(err);
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }

        throw new TRPCError({
          code: 'BAD_REQUEST',
@ -59,16 +63,17 @@ export const twoFactorAuthenticationRouter = router({
      try {
        const user = ctx.user;

-        const { password, backupCode } = input;
-
        return await disableTwoFactorAuthentication({
          user,
-          password,
-          backupCode,
+          token: input.token,
          requestMetadata: extractNextApiRequestMetadata(ctx.req),
        });
      } catch (err) {
-        console.error(err);
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }

        throw new TRPCError({
          code: 'BAD_REQUEST',
@ -81,38 +86,18 @@ export const twoFactorAuthenticationRouter = router({
    .input(ZViewRecoveryCodesMutationSchema)
    .mutation(async ({ ctx, input }) => {
      try {
-        const user = ctx.user;
-
-        const { password } = input;
-
-        if (!user.twoFactorEnabled) {
-          throw new TRPCError({
-            code: 'BAD_REQUEST',
-            message: ErrorCode.TWO_FACTOR_SETUP_REQUIRED,
-          });
-        }
-
-        if (!user.password || !compareSync(password, user.password)) {
-          throw new TRPCError({
-            code: 'UNAUTHORIZED',
-            message: ErrorCode.INCORRECT_PASSWORD,
-          });
-        }
-
-        const recoveryCodes = await getBackupCodes({ user });
-
-        return { recoveryCodes };
-      } catch (err) {
-        console.error(err);
-
-        if (err instanceof TRPCError) {
-          throw err;
-        }
-
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message: 'We were unable to view your recovery codes. Please try again later.',
+        return await viewBackupCodes({
+          user: ctx.user,
+          token: input.token,
        });
+      } catch (err) {
+        const error = AppError.parseError(err);
+
+        if (error.code !== 'INCORRECT_TWO_FACTOR_CODE') {
+          console.error(err);
+        }
+
+        throw AppError.parseErrorToTRPCError(err);
      }
    }),
 });
--- a/packages/trpc/server/two-factor-authentication-router/schema.ts
+++ b/packages/trpc/server/two-factor-authentication-router/schema.ts
@ -1,13 +1,5 @@
 import { z } from 'zod';

-export const ZSetupTwoFactorAuthenticationMutationSchema = z.object({
-  password: z.string().min(1),
-});
-
-export type TSetupTwoFactorAuthenticationMutationSchema = z.infer<
-  typeof ZSetupTwoFactorAuthenticationMutationSchema
->;
-
 export const ZEnableTwoFactorAuthenticationMutationSchema = z.object({
  code: z.string().min(6).max(6),
 });
@ -17,8 +9,7 @@ export type TEnableTwoFactorAuthenticationMutationSchema = z.infer<
 >;

 export const ZDisableTwoFactorAuthenticationMutationSchema = z.object({
-  password: z.string().min(6).max(72),
-  backupCode: z.string().trim(),
+  token: z.string().trim().min(1),
 });

 export type TDisableTwoFactorAuthenticationMutationSchema = z.infer<
@ -26,7 +17,7 @@ export type TDisableTwoFactorAuthenticationMutationSchema = z.infer<
 >;

 export const ZViewRecoveryCodesMutationSchema = z.object({
-  password: z.string().min(6).max(72),
+  token: z.string().trim().min(1),
 });

 export type TViewRecoveryCodesMutationSchema = z.infer<typeof ZViewRecoveryCodesMutationSchema>;