1245f07a2d
新增功能: - 支持 Google Authenticator 等应用进行 TOTP 二次验证 - 用户可在个人设置中启用/禁用 2FA - 登录时支持 TOTP 验证流程 - 管理后台可全局开关 TOTP 功能 安全增强: - TOTP 密钥使用 AES-256-GCM 加密存储 - 添加 TOTP_ENCRYPTION_KEY 配置项,必须手动配置才能启用功能 - 防止服务重启导致加密密钥变更使用户无法登录 - 验证失败次数限制,防止暴力破解 配置说明: - Docker 部署:在 .env 中设置 TOTP_ENCRYPTION_KEY - 非 Docker 部署:在 config.yaml 中设置 totp.encryption_key - 生成密钥命令:openssl rand -hex 32
182 lines
4.8 KiB
Go
182 lines
4.8 KiB
Go
package handler
|
|
|
|
import (
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/response"
|
|
middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
|
|
"github.com/Wei-Shaw/sub2api/internal/service"
|
|
)
|
|
|
|
// TotpHandler handles TOTP-related requests
|
|
type TotpHandler struct {
|
|
totpService *service.TotpService
|
|
}
|
|
|
|
// NewTotpHandler creates a new TotpHandler
|
|
func NewTotpHandler(totpService *service.TotpService) *TotpHandler {
|
|
return &TotpHandler{
|
|
totpService: totpService,
|
|
}
|
|
}
|
|
|
|
// TotpStatusResponse represents the TOTP status response
|
|
type TotpStatusResponse struct {
|
|
Enabled bool `json:"enabled"`
|
|
EnabledAt *int64 `json:"enabled_at,omitempty"` // Unix timestamp
|
|
FeatureEnabled bool `json:"feature_enabled"`
|
|
}
|
|
|
|
// GetStatus returns the TOTP status for the current user
|
|
// GET /api/v1/user/totp/status
|
|
func (h *TotpHandler) GetStatus(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
status, err := h.totpService.GetStatus(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
resp := TotpStatusResponse{
|
|
Enabled: status.Enabled,
|
|
FeatureEnabled: status.FeatureEnabled,
|
|
}
|
|
|
|
if status.EnabledAt != nil {
|
|
ts := status.EnabledAt.Unix()
|
|
resp.EnabledAt = &ts
|
|
}
|
|
|
|
response.Success(c, resp)
|
|
}
|
|
|
|
// TotpSetupRequest represents the request to initiate TOTP setup
|
|
type TotpSetupRequest struct {
|
|
EmailCode string `json:"email_code"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// TotpSetupResponse represents the TOTP setup response
|
|
type TotpSetupResponse struct {
|
|
Secret string `json:"secret"`
|
|
QRCodeURL string `json:"qr_code_url"`
|
|
SetupToken string `json:"setup_token"`
|
|
Countdown int `json:"countdown"`
|
|
}
|
|
|
|
// InitiateSetup starts the TOTP setup process
|
|
// POST /api/v1/user/totp/setup
|
|
func (h *TotpHandler) InitiateSetup(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req TotpSetupRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
// Allow empty body (optional params)
|
|
req = TotpSetupRequest{}
|
|
}
|
|
|
|
result, err := h.totpService.InitiateSetup(c.Request.Context(), subject.UserID, req.EmailCode, req.Password)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, TotpSetupResponse{
|
|
Secret: result.Secret,
|
|
QRCodeURL: result.QRCodeURL,
|
|
SetupToken: result.SetupToken,
|
|
Countdown: result.Countdown,
|
|
})
|
|
}
|
|
|
|
// TotpEnableRequest represents the request to enable TOTP
|
|
type TotpEnableRequest struct {
|
|
TotpCode string `json:"totp_code" binding:"required,len=6"`
|
|
SetupToken string `json:"setup_token" binding:"required"`
|
|
}
|
|
|
|
// Enable completes the TOTP setup
|
|
// POST /api/v1/user/totp/enable
|
|
func (h *TotpHandler) Enable(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req TotpEnableRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
if err := h.totpService.CompleteSetup(c.Request.Context(), subject.UserID, req.TotpCode, req.SetupToken); err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"success": true})
|
|
}
|
|
|
|
// TotpDisableRequest represents the request to disable TOTP
|
|
type TotpDisableRequest struct {
|
|
EmailCode string `json:"email_code"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// Disable disables TOTP for the current user
|
|
// POST /api/v1/user/totp/disable
|
|
func (h *TotpHandler) Disable(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req TotpDisableRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
if err := h.totpService.Disable(c.Request.Context(), subject.UserID, req.EmailCode, req.Password); err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"success": true})
|
|
}
|
|
|
|
// GetVerificationMethod returns the verification method for TOTP operations
|
|
// GET /api/v1/user/totp/verification-method
|
|
func (h *TotpHandler) GetVerificationMethod(c *gin.Context) {
|
|
method := h.totpService.GetVerificationMethod(c.Request.Context())
|
|
response.Success(c, method)
|
|
}
|
|
|
|
// SendVerifyCode sends an email verification code for TOTP operations
|
|
// POST /api/v1/user/totp/send-code
|
|
func (h *TotpHandler) SendVerifyCode(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
if err := h.totpService.SendVerifyCode(c.Request.Context(), subject.UserID); err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"success": true})
|
|
}
|