1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController do
6 @moduledoc "The module represents actions to manage MFA"
7 use Pleroma.Web, :controller
9 import Pleroma.Web.ControllerHelper, only: [json_response: 3]
12 alias Pleroma.MFA.TOTP
13 alias Pleroma.Plugs.OAuthScopesPlug
14 alias Pleroma.Web.CommonAPI.Utils
# Scope gate: reading MFA state needs `read:security`; every state-changing action
# (setup, confirm, disable, backup-code generation) needs `write:security`.
plug(OAuthScopesPlug, %{scopes: ["read:security"]} when action in [:settings])
%{scopes: ["write:security"]} when action in [:setup, :confirm, :disable, :backup_codes]
Returns the authenticated user's multi-factor authentication settings (requires the `read:security` scope).
27 GET /api/pleroma/accounts/mfa
# GET /api/pleroma/accounts/mfa — reports the caller's MFA state (read:security).
# NOTE(review): MFA.mfa_settings/1 is not visible here; make sure what it returns is
# limited to status/enabled methods and never includes the TOTP secret or backup
# codes — this endpoint is reachable with a read-only scope.
def settings(%{assigns: %{user: user}} = conn, _params) do
  json(conn, %{settings: MFA.mfa_settings(user)})
Starts setup of an MFA method: generates a pending TOTP secret and returns it together with its provisioning URI (requires the `write:security` scope; no password confirmation at this step).
38 GET /api/pleroma/accounts/mfa/setup/[:method]
# GET /api/pleroma/accounts/mfa/setup/totp — creates a pending TOTP secret and hands it
# back both as a provisioning URI (QR enrolment) and as the raw key (manual entry).
# Requires write:security but, unlike confirm/2 and disable/2, no password check.
# NOTE(review): MFA.setup_totp/1 is not visible here; confirm that re-running setup
# while TOTP is already confirmed cannot silently replace the active secret without
# the password re-confirmation that confirm/2 enforces.
def setup(%{assigns: %{user: user}} = conn, %{"method" => "totp"} = _params) do
  with {:ok, user} <- MFA.setup_totp(user),
       # the freshly generated secret is read back from the updated user struct
       %{secret: secret} = _ <- user.multi_factor_authentication_settings.totp do
    # label the account by e-mail; interpolation renders a nil e-mail as ""
    provisioning_uri = TOTP.provisioning_uri(secret, "#{user.email}")
    # the raw secret is disclosed here on purpose (one-time enrolment); this response
    # must not end up in logs or caches
    json(conn, %{provisioning_uri: provisioning_uri, key: secret})
  # failure path: the failing step's error message is surfaced as a 422
  json_response(conn, :unprocessable_entity, %{error: message})
# Any `method` other than "totp" (including a missing one) is rejected with 400.
def setup(conn, _params), do: json_response(conn, :bad_request, %{error: "undefined method"})
Confirms the pending setup and enables the MFA method; requires the current password and a valid confirmation `code` (requires the `write:security` scope).
61 POST /api/pleroma/accounts/mfa/confirm/:method
64 `code` - confirmation code
65 `password` - current password
# The head demands both `password` and `code`; a request missing either falls
# through to the catch-all confirm/2 clause and gets a 400.
%{assigns: %{user: user}} = conn,
%{"method" => "totp", "password" => _, "code" => _} = params
# Re-authenticate with the current password first; only then is the code handed to
# MFA.confirm_totp/2, which presumably verifies it against the pending secret.
# NOTE(review): no throttling of wrong codes is visible in this controller — confirm
# it exists in MFA.confirm_totp/2 or a rate limiter, since a short numeric TOTP code
# is brute-forceable by a caller that already holds the password.
with {:ok, _user} <- Utils.confirm_current_password(user, params["password"]),
     {:ok, _user} <- MFA.confirm_totp(user, params) do
# failure path: the failing step's error message is surfaced as a 422
json_response(conn, :unprocessable_entity, %{error: message})
# Reached when `method` is not "totp" or when `password`/`code` is absent: plain 400.
def confirm(conn, _), do: json_response(conn, :bad_request, %{error: "undefined mfa method"})
Disables a single MFA method (`method` = `totp`) — presumably switching MFA off as a whole if no method remains — or MFA entirely (`method` = `mfa`). Both require the current password (`write:security` scope).
# Disables TOTP for the caller after re-confirming the password.
# NOTE(review): the password is the only gate here — no TOTP or backup code is
# demanded — so a stolen session token plus the password suffices to strip the
# second factor; consider also requiring a current code or backup code.
# NOTE(review): unlike confirm/2 this head does not match `"password" => _`, so a
# request without a password reaches confirm_current_password/2 with nil instead of
# being rejected up front; matching it here (with a dedicated 400 clause so the
# "undefined mfa method" message is not reused) would make the two consistent.
def disable(%{assigns: %{user: user}} = conn, %{"method" => "totp"} = params) do
  with {:ok, user} <- Utils.confirm_current_password(user, params["password"]),
       {:ok, _user} <- MFA.disable_totp(user) do
  # failure path: the failing step's error message is surfaced as a 422
  json_response(conn, :unprocessable_entity, %{error: message})
# Switches MFA off entirely (MFA.disable/1) after re-confirming the password.
# NOTE(review): same caveats as the "totp" clause — password-only gate, and no
# `"password" => _` in the head, so a missing password is not rejected up front.
def disable(%{assigns: %{user: user}} = conn, %{"method" => "mfa"} = params) do
  with {:ok, user} <- Utils.confirm_current_password(user, params["password"]),
       {:ok, _user} <- MFA.disable(user) do
  # failure path: the failing step's error message is surfaced as a 422
  json_response(conn, :unprocessable_entity, %{error: message})
# Fallback for any `method` other than "totp"/"mfa": reject with 400.
def disable(conn, _), do: json_response(conn, :bad_request, %{error: "undefined mfa method"})
Generates a fresh set of backup codes and returns them in the response (they are shown once, so the client must store them); requires the `write:security` scope and does not re-confirm the password.
115 GET /api/pleroma/accounts/mfa/backup_codes
122 `{error: [error_message]}`
# GET /api/pleroma/accounts/mfa/backup_codes — mints a new set of backup codes and
# returns them to the caller, who must display them once and store them safely.
# NOTE(review): this is a state-changing GET with no password re-confirmation, while
# confirm/2 and disable/2 both demand one. Presumably generating a new set
# invalidates the previous one, so any holder of a write:security token can rotate —
# and learn — the codes; consider a POST that re-confirms the password.
def backup_codes(%{assigns: %{user: user}} = conn, _params) do
  with {:ok, codes} <- MFA.generate_backup_codes(user) do
    json(conn, %{codes: codes})
  # failure path: the generator's error message is surfaced as a 422
  json_response(conn, :unprocessable_entity, %{error: message})