feat: add TOTP 2FA, API key switcher, login progress bar, and alpha hardening plan
- TOTP 2FA: full setup/confirm/disable/login flow with Argon2id + ChaCha20-Poly1305 encrypted secret storage, QR code generation, and bcrypt-hashed backup codes - API key switcher: OAuth vs personal API key toggle in AIUI chat settings with status indicator, key validation, and help text - Login progress bar: server startup detection with health check polling, form disabled until server is ready - AI quarantine docs: comprehensive HTML page documenting all 6 security layers - Settings: AI Data Access permission toggles with per-category control - Alpha hardening plan: 28-task overnight automation plan across 7 phases (onboarding, login, app install, AIUI, UI polish, security, ISO build) - Backlog: node discovery spatial map feature for alpha demo Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@ mod lnd;
|
||||
mod node;
|
||||
mod package;
|
||||
mod peers;
|
||||
mod totp;
|
||||
|
||||
use crate::auth::AuthManager;
|
||||
use crate::config::Config;
|
||||
@@ -44,6 +45,8 @@ pub(crate) const DEV_DEFAULT_PASSWORD: &str = "password123";
|
||||
/// Methods that do not require a valid session cookie.
|
||||
const UNAUTHENTICATED_METHODS: &[&str] = &[
|
||||
"auth.login",
|
||||
"auth.login.totp",
|
||||
"auth.login.backup",
|
||||
"auth.isOnboardingComplete",
|
||||
"health",
|
||||
];
|
||||
@@ -150,54 +153,70 @@ impl RpcHandler {
|
||||
}
|
||||
}
|
||||
|
||||
// Extract params; clone for post-routing use (login 2FA check needs password)
|
||||
let params = rpc_req.params;
|
||||
let login_params: Option<serde_json::Value> = if rpc_req.method == "auth.login" {
|
||||
params.clone()
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
// Route to handler
|
||||
let result = match rpc_req.method.as_str() {
|
||||
"echo" => self.handle_echo(rpc_req.params).await,
|
||||
"server.echo" => self.handle_echo(rpc_req.params).await,
|
||||
"auth.login" => self.handle_auth_login(rpc_req.params).await,
|
||||
"echo" => self.handle_echo(params).await,
|
||||
"server.echo" => self.handle_echo(params).await,
|
||||
"auth.login" => self.handle_auth_login(params).await,
|
||||
"auth.logout" => self.handle_auth_logout().await,
|
||||
"auth.changePassword" => self.handle_auth_change_password(rpc_req.params).await,
|
||||
"auth.changePassword" => self.handle_auth_change_password(params).await,
|
||||
"auth.onboardingComplete" => self.handle_auth_onboarding_complete().await,
|
||||
"auth.isOnboardingComplete" => self.handle_auth_is_onboarding_complete().await,
|
||||
"auth.resetOnboarding" => self.handle_auth_reset_onboarding().await,
|
||||
|
||||
// Container orchestration (for Archipelago-managed containers)
|
||||
"container-install" => self.handle_container_install(rpc_req.params).await,
|
||||
"container-start" => self.handle_container_start(rpc_req.params).await,
|
||||
"container-stop" => self.handle_container_stop(rpc_req.params).await,
|
||||
"container-remove" => self.handle_container_remove(rpc_req.params).await,
|
||||
"container-install" => self.handle_container_install(params).await,
|
||||
"container-start" => self.handle_container_start(params).await,
|
||||
"container-stop" => self.handle_container_stop(params).await,
|
||||
"container-remove" => self.handle_container_remove(params).await,
|
||||
"container-list" => self.handle_container_list().await,
|
||||
"container-status" => self.handle_container_status(rpc_req.params).await,
|
||||
"container-logs" => self.handle_container_logs(rpc_req.params).await,
|
||||
"container-health" => self.handle_container_health(rpc_req.params).await,
|
||||
"container-status" => self.handle_container_status(params).await,
|
||||
"container-logs" => self.handle_container_logs(params).await,
|
||||
"container-health" => self.handle_container_health(params).await,
|
||||
|
||||
// Package management (for docker-compose apps)
|
||||
"package.install" => self.handle_package_install(rpc_req.params).await,
|
||||
"package.start" => self.handle_package_start(rpc_req.params).await,
|
||||
"package.stop" => self.handle_package_stop(rpc_req.params).await,
|
||||
"package.restart" => self.handle_package_restart(rpc_req.params).await,
|
||||
"package.uninstall" => self.handle_package_uninstall(rpc_req.params).await,
|
||||
"package.install" => self.handle_package_install(params).await,
|
||||
"package.start" => self.handle_package_start(params).await,
|
||||
"package.stop" => self.handle_package_stop(params).await,
|
||||
"package.restart" => self.handle_package_restart(params).await,
|
||||
"package.uninstall" => self.handle_package_uninstall(params).await,
|
||||
|
||||
// Bundled app management (for pre-loaded container images)
|
||||
"bundled-app-start" => self.handle_bundled_app_start(rpc_req.params).await,
|
||||
"bundled-app-stop" => self.handle_bundled_app_stop(rpc_req.params).await,
|
||||
"bundled-app-start" => self.handle_bundled_app_start(params).await,
|
||||
"bundled-app-stop" => self.handle_bundled_app_stop(params).await,
|
||||
|
||||
// Node identity and P2P peers
|
||||
"node-add-peer" => self.handle_node_add_peer(rpc_req.params).await,
|
||||
"node-add-peer" => self.handle_node_add_peer(params).await,
|
||||
"node-list-peers" => self.handle_node_list_peers().await,
|
||||
"node-remove-peer" => self.handle_node_remove_peer(rpc_req.params).await,
|
||||
"node-send-message" => self.handle_node_send_message(rpc_req.params).await,
|
||||
"node-check-peer" => self.handle_node_check_peer(rpc_req.params).await,
|
||||
"node-remove-peer" => self.handle_node_remove_peer(params).await,
|
||||
"node-send-message" => self.handle_node_send_message(params).await,
|
||||
"node-check-peer" => self.handle_node_check_peer(params).await,
|
||||
"node-messages-received" => self.handle_node_messages_received().await,
|
||||
"node-nostr-discover" => self.handle_node_nostr_discover().await,
|
||||
"node.did" => self.handle_node_did().await,
|
||||
"node.signChallenge" => self.handle_node_sign_challenge(rpc_req.params).await,
|
||||
"node.createBackup" => self.handle_node_create_backup(rpc_req.params).await,
|
||||
"node.signChallenge" => self.handle_node_sign_challenge(params).await,
|
||||
"node.createBackup" => self.handle_node_create_backup(params).await,
|
||||
"node.tor-address" => self.handle_node_tor_address().await,
|
||||
"node.nostr-publish" => self.handle_node_nostr_publish().await,
|
||||
"node.nostr-pubkey" => self.handle_node_nostr_pubkey().await,
|
||||
"node-nostr-verify-revoked" => self.handle_node_nostr_verify_revoked().await,
|
||||
|
||||
// TOTP 2FA
|
||||
"auth.totp.setup.begin" => self.handle_totp_setup_begin(params).await,
|
||||
"auth.totp.setup.confirm" => self.handle_totp_setup_confirm(params).await,
|
||||
"auth.totp.disable" => self.handle_totp_disable(params).await,
|
||||
"auth.totp.status" => self.handle_totp_status().await,
|
||||
"auth.login.totp" => self.handle_login_totp(params, &session_token).await,
|
||||
"auth.login.backup" => self.handle_login_backup(params, &session_token).await,
|
||||
|
||||
// Bitcoin & Lightning deep data
|
||||
"bitcoin.getinfo" => self.handle_bitcoin_getinfo().await,
|
||||
"lnd.getinfo" => self.handle_lnd_getinfo().await,
|
||||
@@ -241,17 +260,51 @@ impl RpcHandler {
|
||||
self.login_rate_limiter.record_failure(client_ip).await;
|
||||
}
|
||||
|
||||
// On successful login, create a session and set the cookie
|
||||
// On successful login, check if 2FA is required
|
||||
if rpc_req.method == "auth.login" && rpc_resp.error.is_none() {
|
||||
let token = self.session_store.create().await;
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
|
||||
.parse()
|
||||
.unwrap(),
|
||||
);
|
||||
let totp_enabled = self.auth_manager.is_totp_enabled().await.unwrap_or(false);
|
||||
if totp_enabled {
|
||||
// 2FA enabled: create a pending session with cached TOTP secret
|
||||
// We need the password to decrypt the TOTP secret for step 2
|
||||
let password = login_params
|
||||
.as_ref()
|
||||
.and_then(|p| p.get("password"))
|
||||
.and_then(|v| v.as_str())
|
||||
.unwrap_or("");
|
||||
if let Ok(Some(totp_data)) = self.auth_manager.get_totp_data().await {
|
||||
if let Ok(secret) = crate::totp::decrypt_secret(&totp_data, password) {
|
||||
let token = self.session_store.create_pending(secret).await;
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
|
||||
.parse()
|
||||
.unwrap(),
|
||||
);
|
||||
// Override the response body to indicate TOTP is required
|
||||
let totp_body = serde_json::json!({
|
||||
"result": { "requires_totp": true },
|
||||
"error": null
|
||||
});
|
||||
*response.body_mut() = hyper::Body::from(
|
||||
serde_json::to_vec(&totp_body).unwrap_or_default(),
|
||||
);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// No 2FA: create a full session immediately
|
||||
let token = self.session_store.create().await;
|
||||
response.headers_mut().insert(
|
||||
"Set-Cookie",
|
||||
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
|
||||
.parse()
|
||||
.unwrap(),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// On successful TOTP verification, the session is already upgraded to full
|
||||
// (handled inside handle_login_totp/handle_login_backup)
|
||||
|
||||
// On logout, invalidate session and expire the cookie
|
||||
if rpc_req.method == "auth.logout" {
|
||||
if let Some(token) = &session_token {
|
||||
|
||||
257
core/archipelago/src/api/rpc/totp.rs
Normal file
257
core/archipelago/src/api/rpc/totp.rs
Normal file
@@ -0,0 +1,257 @@
|
||||
use super::RpcHandler;
|
||||
use anyhow::Result;
|
||||
|
||||
impl RpcHandler {
|
||||
/// Begin 2FA setup: generate TOTP secret, return QR code + base32 secret.
|
||||
/// The secret is cached in a pending setup session (in memory only).
|
||||
pub(super) async fn handle_totp_setup_begin(
|
||||
&self,
|
||||
params: Option<serde_json::Value>,
|
||||
) -> Result<serde_json::Value> {
|
||||
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
|
||||
let password = params
|
||||
.get("password")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
|
||||
|
||||
// Re-verify password before setup
|
||||
if !self.auth_manager.verify_password(password).await? {
|
||||
anyhow::bail!("Password Incorrect");
|
||||
}
|
||||
|
||||
// Check 2FA isn't already enabled
|
||||
if self.auth_manager.is_totp_enabled().await? {
|
||||
anyhow::bail!("2FA is already enabled. Disable it first.");
|
||||
}
|
||||
|
||||
let setup = crate::totp::setup(password)?;
|
||||
|
||||
// Cache the setup result in a pending session so confirm can use it
|
||||
// We store the encrypted TotpData and backup codes temporarily
|
||||
let setup_json = serde_json::json!({
|
||||
"totp_data": setup.totp_data,
|
||||
"backup_codes": setup.backup_codes,
|
||||
});
|
||||
let setup_bytes = serde_json::to_vec(&setup_json)?;
|
||||
let pending_token = self.session_store.create_pending(setup_bytes).await;
|
||||
|
||||
// Return QR + secret for display (the pending token is set as a cookie by mod.rs)
|
||||
Ok(serde_json::json!({
|
||||
"qr_svg": setup.qr_svg,
|
||||
"secret_base32": setup.secret_base32,
|
||||
"pending_token": pending_token,
|
||||
}))
|
||||
}
|
||||
|
||||
/// Confirm 2FA setup: verify the user's first TOTP code, enable 2FA, return backup codes.
|
||||
pub(super) async fn handle_totp_setup_confirm(
|
||||
&self,
|
||||
params: Option<serde_json::Value>,
|
||||
) -> Result<serde_json::Value> {
|
||||
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
|
||||
let code = params
|
||||
.get("code")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
|
||||
let pending_token = params
|
||||
.get("pendingToken")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing pendingToken"))?;
|
||||
let password = params
|
||||
.get("password")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
|
||||
|
||||
// Re-verify password
|
||||
if !self.auth_manager.verify_password(password).await? {
|
||||
anyhow::bail!("Password Incorrect");
|
||||
}
|
||||
|
||||
// Retrieve the pending setup data
|
||||
let setup_bytes = self
|
||||
.session_store
|
||||
.get_pending_secret(pending_token)
|
||||
.await
|
||||
.ok_or_else(|| anyhow::anyhow!("Setup session expired or invalid. Please start again."))?;
|
||||
|
||||
let setup_json: serde_json::Value = serde_json::from_slice(&setup_bytes)?;
|
||||
let totp_data: crate::totp::TotpData =
|
||||
serde_json::from_value(setup_json["totp_data"].clone())?;
|
||||
let backup_codes: Vec<String> =
|
||||
serde_json::from_value(setup_json["backup_codes"].clone())?;
|
||||
|
||||
// Decrypt and verify the TOTP code
|
||||
let secret = crate::totp::decrypt_secret(&totp_data, password)?;
|
||||
let step = crate::totp::verify_code(&secret, code, &[])?;
|
||||
if step.is_none() {
|
||||
anyhow::bail!("Invalid code. Please check your authenticator app and try again.");
|
||||
}
|
||||
|
||||
// Persist TOTP data
|
||||
self.auth_manager.save_totp(totp_data).await?;
|
||||
|
||||
// Clean up the pending session
|
||||
self.session_store.remove(pending_token).await;
|
||||
|
||||
tracing::info!("2FA enabled successfully");
|
||||
|
||||
Ok(serde_json::json!({
|
||||
"enabled": true,
|
||||
"backup_codes": backup_codes,
|
||||
}))
|
||||
}
|
||||
|
||||
/// Disable 2FA. Requires password + current TOTP code.
|
||||
pub(super) async fn handle_totp_disable(
|
||||
&self,
|
||||
params: Option<serde_json::Value>,
|
||||
) -> Result<serde_json::Value> {
|
||||
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
|
||||
let password = params
|
||||
.get("password")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
|
||||
let code = params
|
||||
.get("code")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
|
||||
|
||||
// Verify password
|
||||
if !self.auth_manager.verify_password(password).await? {
|
||||
anyhow::bail!("Password Incorrect");
|
||||
}
|
||||
|
||||
// Get and verify TOTP
|
||||
let totp_data = self
|
||||
.auth_manager
|
||||
.get_totp_data()
|
||||
.await?
|
||||
.ok_or_else(|| anyhow::anyhow!("2FA is not enabled"))?;
|
||||
let secret = crate::totp::decrypt_secret(&totp_data, password)?;
|
||||
let step = crate::totp::verify_code(&secret, code, &totp_data.used_steps)?;
|
||||
if step.is_none() {
|
||||
anyhow::bail!("Invalid TOTP code");
|
||||
}
|
||||
|
||||
self.auth_manager.remove_totp().await?;
|
||||
tracing::info!("2FA disabled successfully");
|
||||
|
||||
Ok(serde_json::json!({ "disabled": true }))
|
||||
}
|
||||
|
||||
/// Get 2FA status.
|
||||
pub(super) async fn handle_totp_status(&self) -> Result<serde_json::Value> {
|
||||
let enabled = self.auth_manager.is_totp_enabled().await?;
|
||||
Ok(serde_json::json!({ "enabled": enabled }))
|
||||
}
|
||||
|
||||
/// Step 2 of login: verify TOTP code using the cached secret from the pending session.
|
||||
pub(super) async fn handle_login_totp(
|
||||
&self,
|
||||
params: Option<serde_json::Value>,
|
||||
session_token: &Option<String>,
|
||||
) -> Result<serde_json::Value> {
|
||||
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
|
||||
let code = params
|
||||
.get("code")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
|
||||
|
||||
let token = session_token
|
||||
.as_ref()
|
||||
.ok_or_else(|| anyhow::anyhow!("No pending session"))?;
|
||||
|
||||
let secret = self
|
||||
.session_store
|
||||
.get_pending_secret(token)
|
||||
.await
|
||||
.ok_or_else(|| {
|
||||
anyhow::anyhow!("Session expired or too many attempts. Please log in again.")
|
||||
})?;
|
||||
|
||||
// Get used steps from stored data for replay protection
|
||||
let totp_data = self.auth_manager.get_totp_data().await?;
|
||||
let used_steps = totp_data
|
||||
.as_ref()
|
||||
.map(|d| d.used_steps.clone())
|
||||
.unwrap_or_default();
|
||||
|
||||
let step = crate::totp::verify_code(&secret, code, &used_steps)?;
|
||||
match step {
|
||||
Some(used_step) => {
|
||||
// Record the used step for replay protection
|
||||
if let Some(mut data) = totp_data {
|
||||
data.used_steps.push(used_step);
|
||||
// Prune old steps (keep only last 5 minutes worth)
|
||||
let now = std::time::SystemTime::now()
|
||||
.duration_since(std::time::UNIX_EPOCH)
|
||||
.unwrap()
|
||||
.as_secs() as i64;
|
||||
let cutoff = (now / 30) - 10; // ~5 minutes
|
||||
data.used_steps.retain(|s| *s > cutoff);
|
||||
let _ = self.auth_manager.update_totp(data).await;
|
||||
}
|
||||
|
||||
// Upgrade pending session to full
|
||||
self.session_store.upgrade_to_full(token).await;
|
||||
|
||||
Ok(serde_json::json!({ "success": true }))
|
||||
}
|
||||
None => {
|
||||
anyhow::bail!("Invalid code. Please try again.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Step 2 of login (alternative): verify backup code.
|
||||
pub(super) async fn handle_login_backup(
|
||||
&self,
|
||||
params: Option<serde_json::Value>,
|
||||
session_token: &Option<String>,
|
||||
) -> Result<serde_json::Value> {
|
||||
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
|
||||
let code = params
|
||||
.get("code")
|
||||
.and_then(|v| v.as_str())
|
||||
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
|
||||
|
||||
let token = session_token
|
||||
.as_ref()
|
||||
.ok_or_else(|| anyhow::anyhow!("No pending session"))?;
|
||||
|
||||
// Verify the pending session is valid (increments attempts)
|
||||
let _secret = self
|
||||
.session_store
|
||||
.get_pending_secret(token)
|
||||
.await
|
||||
.ok_or_else(|| {
|
||||
anyhow::anyhow!("Session expired or too many attempts. Please log in again.")
|
||||
})?;
|
||||
|
||||
// Verify backup code against stored hashes
|
||||
let mut totp_data = self
|
||||
.auth_manager
|
||||
.get_totp_data()
|
||||
.await?
|
||||
.ok_or_else(|| anyhow::anyhow!("2FA is not enabled"))?;
|
||||
|
||||
match crate::totp::verify_backup_code(&totp_data.backup_codes, code)? {
|
||||
Some(idx) => {
|
||||
// Remove the used backup code (one-time use)
|
||||
totp_data.backup_codes.remove(idx);
|
||||
self.auth_manager.update_totp(totp_data).await?;
|
||||
|
||||
// Upgrade pending session to full
|
||||
self.session_store.upgrade_to_full(token).await;
|
||||
|
||||
tracing::info!("Login via backup code (codes remaining: {})",
|
||||
self.auth_manager.get_totp_data().await?.map(|d| d.backup_codes.len()).unwrap_or(0));
|
||||
|
||||
Ok(serde_json::json!({ "success": true }))
|
||||
}
|
||||
None => {
|
||||
anyhow::bail!("Invalid backup code");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user