From 0149fde4874ea7d05ad970099fb0c91515bd9927 Mon Sep 17 00:00:00 2001
From: Jesusaves
Date: Sun, 9 May 2021 20:29:13 -0300
Subject: [PATCH 1/4] Add a TOTP field to store a 16-chars TOTP secret for 2FA applications. It's currently unused. ...Honestly, 2FA+Email would be pointless, so the idea would be 2FA+Password.
---
 src/routers/vault/models/vault/identity.js | 4 ++++
 src/routers/vault/types/Identity.js | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/src/routers/vault/models/vault/identity.js b/src/routers/vault/models/vault/identity.js
index d2b57fa..5162b14 100644
--- a/src/routers/vault/models/vault/identity.js
+++ b/src/routers/vault/models/vault/identity.js
@@ -16,6 +16,10 @@ module.exports = {
 type: Sequelize.STRING(320),
 allowNull: false,
 },
+ totp: {
+ type: Sequelize.STRING(16),
+ allowNull: true,
+ },
 addedDate: {
 type: Sequelize.DATE,
 allowNull: false,
diff --git a/src/routers/vault/types/Identity.js b/src/routers/vault/types/Identity.js
index fb5171f..9a83ffe 100644
--- a/src/routers/vault/types/Identity.js
+++ b/src/routers/vault/types/Identity.js
@@ -22,6 +22,11 @@ class Identity extends Model {
 * the Vault user id
 * @type {number}
 */
+ //totp;
+ /**
+ * TOTP 16-chars base64 secret
+ * @type {string}
+ */
 //userId;
 /**
From 126cd33af0fca8051eb9ecc357adcd2f11b7eed8 Mon Sep 17 00:00:00 2001
From: Jesusaves
Date: Sun, 9 May 2021 20:32:04 -0300
Subject: [PATCH 2/4] Add an (unused) password field to store PBKDF2 hashes to go along TOTP
---
 src/routers/vault/models/vault/identity.js | 4 ++++
 src/routers/vault/types/Identity.js | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/routers/vault/models/vault/identity.js b/src/routers/vault/models/vault/identity.js
index 5162b14..aeac081 100644
--- a/src/routers/vault/models/vault/identity.js
+++ b/src/routers/vault/models/vault/identity.js
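Review bot: The new `totp` column holds the shared TOTP seed as a plain VARCHAR on the identity row, and nothing in this series encrypts it or keeps it out of model serialization. Unlike the password verifier added in PATCH 2/4, a TOTP seed cannot be hashed — the server needs the raw value to compute codes — so it is as sensitive as a cleartext password, and a database compromise discloses a working second factor. Before the field is used it should be stored encrypted with a key held outside the database, and whatever serializes Identity for the API must never emit `totp` or `pass`. Pinning that expectation at the column, `// shared TOTP seed: encrypt at rest, never serialize to clients`, would stop the first implementation from treating it like any other string; the enclosing `module.exports` object starts and ends outside the hunk.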
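Review bot: The added `//totp;` sits between the `*/` that closes the "the Vault user id" block and `//userId;`, so if this file documents each field with the JSDoc block directly above it — which the `@type {number}` block ending right before `//userId;` on the old side suggests — the TOTP block now annotates `userId` as a `{string}` and the user-id block annotates `totp`. Move the four new lines so the description precedes its field: `/** ... TOTP secret ... @type {string} */` then `//totp;`, placed ahead of the user-id block. The same ordering carries into the PATCH 2/4 Identity.js hunk, where `//pass;` ends up sitting under the TOTP block. The `Identity` class body continues outside the hunk.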
@@ -20,6 +20,10 @@ module.exports = {
 type: Sequelize.STRING(16),
 allowNull: true,
 },
+ pass: {
+ type: Sequelize.STRING(128),
+ allowNull: true,
+ },
 addedDate: {
 type: Sequelize.DATE,
 allowNull: false,
diff --git a/src/routers/vault/types/Identity.js b/src/routers/vault/types/Identity.js
index 9a83ffe..2a836b2 100644
--- a/src/routers/vault/types/Identity.js
+++ b/src/routers/vault/types/Identity.js
@@ -24,7 +24,12 @@ class Identity extends Model {
 */
 //totp;
 /**
- * TOTP 16-chars base64 secret
+ * TOTP 16-chars base64 secret (optional)
+ * @type {string}
+ */
+ //pass;
+ /**
+ * Optional PBKDF2 cryptographic secret to use with 2FA.
 * @type {string}
 */
 //userId;
From e357c0caeaad6f4daabd3be49e222ef521b2707c Mon Sep 17 00:00:00 2001
From: Jesusaves
Date: Sun, 9 May 2021 20:36:38 -0300
Subject: [PATCH 3/4] (untested) extend login table to allow 2FA activation (method itself still unsupported)
---
 src/routers/vault/middlewares/account.js | 6 ++++++
 src/routers/vault/middlewares/session.js | 2 ++
 src/routers/vault/models/vault/login.js | 6 ++++++
 src/routers/vault/types/Session.js | 5 +++++
 4 files changed, 19 insertions(+)
diff --git a/src/routers/vault/middlewares/account.js b/src/routers/vault/middlewares/account.js
index 5a5fa85..93c6fc8 100644
--- a/src/routers/vault/middlewares/account.js
+++ b/src/routers/vault/middlewares/account.js
@@ -28,6 +28,7 @@ const update_account = async (req, res, next) => {
 primary: +validate.get_prop(req, "primary"),
 allow: validate.get_prop(req, "allow") === "true",
 strict: validate.get_prop(req, "strict") === "true",
+ 2fa: validate.get_prop(req, "2fa") === "true",
 };
 const update_fields = {};
@@ -62,6 +63,10 @@ const update_account = async (req, res, next) => {
 // update allow non-primary
 update_fields.strictIPCheck = data.strict;
 }
+ if (session.allow2FA !== data.2fa) {
+ // update allow 2FA auth
+ update_fields.allow2FA = data.2fa;
+ }
 // update SQL
 if (Object.keys(update_fields).length) {
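Review bot: `pass: { type: Sequelize.STRING(128) }` leaves room only for the derived key itself (a SHA-512 PBKDF2 output is already 128 hex characters) and nowhere to keep the per-user salt, iteration count and digest name that verifying the hash and later raising the work factor both require. Store a self-describing verifier string in one wider column — for example `pbkdf2-sha256$<iterations>$<salt>$<hash>` (constructed example) in `Sequelize.STRING(255)` or `Sequelize.TEXT` — or add explicit salt and parameter columns, otherwise the parameters are frozen at whatever the first implementation picks. `allowNull: true` is right while enrollment is optional, but a null here combined with the `allow2FA` flag from PATCH 3/4 must be treated as "not enrolled" by any login path that later consumes it. The enclosing `module.exports` object continues outside the hunk.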
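Review bot: `Optional PBKDF2 cryptographic secret to use with 2FA.` describes the `pass` field as a secret, while the PATCH 2/4 subject says it holds PBKDF2 hashes; a maintainer reading only this type file would assume a reusable key rather than a one-way verifier. Suggest `PBKDF2-derived password verifier (salt, parameters, hash); never the cleartext password` and, since both columns are nullable, `@type {string|null}` for `pass` and for the `(optional)` TOTP field above it.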
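Review bot: `2fa: validate.get_prop(req, "2fa") === "true",` is not valid JavaScript: an unquoted property name cannot begin with a digit, so the whole middleware module fails to parse and `update_account` (which continues outside the hunk) never loads; `data.2fa` in the second account.js hunk on the next line has the same problem. Either quote the key and index it, `"2fa": validate.get_prop(req, "2fa") === "true",` with `data["2fa"]`, or follow the `allow`/`strict` naming and use an identifier such as `twofa` internally while still reading the `"2fa"` request property. As with the neighbouring flags, anything other than the literal string `"true"` — including an absent property — silently becomes `false`, so a client that omits the field on an unrelated update would switch 2FA off; that is worth a comment at minimum.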
@@ -73,6 +78,7 @@ const update_account = async (req, res, next) => {
 // now update our cache
 session.allowNonPrimary = data.allow;
 session.strictIPCheck = data.strict;
+ session.allow2FA = data.allow2FA;
 for (const ident of session.identities) {
 if (ident.id === session.primaryIdentity.id) {
diff --git a/src/routers/vault/middlewares/session.js b/src/routers/vault/middlewares/session.js
index 71db21c..2c3b6b8 100644
--- a/src/routers/vault/middlewares/session.js
+++ b/src/routers/vault/middlewares/session.js
@@ -156,6 +156,7 @@ const auth_session = async (req, res) => {
 session.primaryIdentity = ident;
 session.allowNonPrimary = user.allowNonPrimary;
 session.strictIPCheck = user.strictIPCheck;
+ session.allow2FA = user.allow2FA;
 session.identities.push(ident);
 } else {
 if (session.identity !== session.primaryIdentity && !session.allowNonPrimary) {
@@ -351,6 +352,7 @@ const new_session = async (req, res, next) => {
 session.primaryIdentity = primary;
 session.allowNonPrimary = account.allowNonPrimary;
 session.strictIPCheck = account.strictIPCheck;
+ session.allow2FA = account.allow2FA;
 session.identity = identity;
 req.app.locals.session.set(uuid, session);
diff --git a/src/routers/vault/models/vault/login.js b/src/routers/vault/models/vault/login.js
index 2167376..32b6c42 100644
--- a/src/routers/vault/models/vault/login.js
+++ b/src/routers/vault/models/vault/login.js
@@ -23,6 +23,12 @@ module.exports = {
 defaultValue: false,
 allowNull: false,
 },
+ allow2FA: {
+ field: "allow_2fa_login",
+ type: Sequelize.BOOLEAN,
+ defaultValue: false,
+ allowNull: false,
+ },
 creationDate: {
 type: Sequelize.DATE,
 allowNull: false,
diff --git a/src/routers/vault/types/Session.js b/src/routers/vault/types/Session.js
index d1b3943..e7b44ca 100644
--- a/src/routers/vault/types/Session.js
+++ b/src/routers/vault/types/Session.js
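Review bot: `session.allow2FA = data.allow2FA;` reads a key that `data` does not have — the object built in the first account.js hunk only defines `primary`, `allow`, `strict` and the new 2FA flag — so the cached session is set to `undefined` on every update while the database row gets the real boolean, and the `session.allow2FA !== ...` comparison in the earlier hunk will then see a change on every request. It should assign the same value that was written to `update_fields.allow2FA`, i.e. `session.allow2FA = data["2fa"];` once that key is made a valid property name. Separately, nothing here checks that the identity actually has `totp` and `pass` populated before `allow2FA` is persisted; if the flag later gates a password+TOTP login path, that check belongs here or the login path must treat null credentials as not enrolled. `update_account` begins and ends outside the hunk.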
@@ -75,6 +75,10 @@ module.exports = class Session {
 * refuse to authenticate a session with a different IP
 */
 strictIPCheck = true;
+ /**
+ * allow to authenticate a session with 2FA + PBKDF2 password
+ */
+ allow2FA = false;
 constructor (ip, email) {
 this.ip = ip;
@@ -109,6 +113,7 @@ module.exports = class Session {
 primaryIdentity: this.primaryIdentity.id,
 allowNonPrimary: this.allowNonPrimary,
 strictIPCheck: this.strictIPCheck,
+ allow2FA: this.allow2FA,
 vaultId: this.vault,
 };
 }
From a8aef9daf726a106f5f91d9b6bb33752342d56e0 Mon Sep 17 00:00:00 2001
From: Jesusaves
Date: Mon, 10 May 2021 00:10:50 -0300
Subject: [PATCH 4/4] Ooops, my bad, it is actually 32 bytes
---
 src/routers/vault/models/vault/identity.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/routers/vault/models/vault/identity.js b/src/routers/vault/models/vault/identity.js
index aeac081..1496ae2 100644
--- a/src/routers/vault/models/vault/identity.js
+++ b/src/routers/vault/models/vault/identity.js
@@ -17,7 +17,7 @@ module.exports = {
 allowNull: false,
 },
 totp: {
- type: Sequelize.STRING(16),
+ type: Sequelize.STRING(32),
 allowNull: true,
 },
 pass: {
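Review bot: Widening `totp` to `Sequelize.STRING(32)` leaves the description added earlier in this series in `types/Identity.js` (`TOTP 16-chars base64 secret (optional)`) stating the old length, and the subject says 32 bytes while the column now holds 32 characters. If the value is the seed shown to authenticator apps it is base32-encoded, not base64 (a 20-byte seed is exactly 32 base32 characters), so the field comment should be corrected to something like `TOTP shared secret, 32-char base32 (20 bytes decoded); null until enrolled` with `@type {string|null}`. The `totp` definition and the enclosing `module.exports` object continue outside the hunk.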