

Unify 2FA code verification logic

futurGH 327dacf2 f6e88b02

+47 -39
+2 -19
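--- a/pegasus/lib/api/account_/login.ml
+++ b/pegasus/lib/api/account_/login.ml
@@ -79,26 +79,9 @@
           ; pending_2fa_token= None
           ; two_fa_methods= None }
       | Some pending -> (
-          (* try TOTP, then backup code, then email *)
           let%lwt result =
-            let%lwt totp_result =
-              Two_factor.verify_totp_code ~session_token:token ~code
-                ctx.db
-            in
-            match totp_result with
-            | Ok did ->
-                Lwt.return_ok did
-            | Error _ -> (
-                let%lwt backup_result =
-                  Two_factor.verify_backup_code ~session_token:token ~code
-                    ctx.db
-                in
-                match backup_result with
-                | Ok did ->
-                    Lwt.return_ok did
-                | Error _ ->
-                    Two_factor.verify_email_code_by_token
-                      ~session_token:token ~code ctx.db )
+            Two_factor.verify_code_with_pending_session ~pending ~code
+              ctx.db
           in
           match result with
           | Ok did ->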
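Review bot: The deleted comment was the only place this branch said which factors a submitted `code` is checked against, and the replacement call accepts a wider set than the old chain did (it also runs the security-key check, per the new `Two_factor.verify_code_with_pending_session`), so a reader now has to open `Two_factor` to know what this input can be. A one-line comment above the `let%lwt result =`, `(* any configured factor: security key, TOTP, backup code (consumed on match), then email; see Two_factor.verify_code_with_pending_session *)`, keeps that visible at the call site. The enclosing `match` on the pending session starts and ends outside this hunk.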
+1 -20
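--- a/pegasus/lib/api/server/createSession.ml
+++ b/pegasus/lib/api/server/createSession.ml
@@ -25,25 +25,6 @@
     ; status
     ; did_doc= None }
 
-let verify_2fa_code ~(actor : Data_store.Types.actor) ~code db =
-  let did = actor.did in
-  let%lwt sk_valid = Security_key.verify_login ~did ~code db in
-  if sk_valid then Lwt.return_ok ()
-  else
-    let%lwt totp_valid = Totp.verify_login_code ~did ~code db in
-    if totp_valid then Lwt.return_ok ()
-    else
-      let%lwt backup_valid =
-        Totp.Backup_codes.verify_and_consume ~did ~code db
-      in
-      if backup_valid then Lwt.return_ok ()
-      else
-        match%lwt Two_factor.verify_email_code_by_did ~did ~code db with
-        | Ok _ ->
-            Lwt.return_ok ()
-        | Error e ->
-            Lwt.return_error e
-
 let handler =
   Xrpc.handler (fun {req; db; _} ->
       let%lwt {identifier; password; auth_factor_token; _} =
@@ -71,7 +52,7 @@
           else
             match auth_factor_token with
             | Some token when token <> "" -> (
-                match%lwt verify_2fa_code ~actor ~code:token db with
+                match%lwt Two_factor.verify_code ~did:actor.did ~code:token db with
                 | Ok () ->
                     complete_login actor
                 | Error msg ->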
+44
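--- a/pegasus/lib/two_factor.ml
+++ b/pegasus/lib/two_factor.ml
@@ -242,3 +242,47 @@
       Lwt.return_true
   | _ ->
       Lwt.return_false
+
+let verify_code ~did ~code db =
+  let%lwt sk_valid = Security_key.verify_login ~did ~code db in
+  if sk_valid then Lwt.return_ok ()
+  else
+    let%lwt totp_valid = Totp.verify_login_code ~did ~code db in
+    if totp_valid then Lwt.return_ok ()
+    else
+      let%lwt backup_valid =
+        Totp.Backup_codes.verify_and_consume ~did ~code db
+      in
+      if backup_valid then Lwt.return_ok ()
+      else
+        match%lwt verify_email_code_by_did ~did ~code db with
+        | Ok _ ->
+            Lwt.return_ok ()
+        | Error e ->
+            Lwt.return_error e
+
+let verify_code_with_pending_session ~(pending : Types.pending_2fa) ~code db =
+  let did = pending.did in
+  let%lwt sk_valid = Security_key.verify_login ~did ~code db in
+  if sk_valid then Lwt.return_ok did
+  else
+    let%lwt totp_valid = Totp.verify_login_code ~did ~code db in
+    if totp_valid then Lwt.return_ok did
+    else
+      let%lwt backup_valid =
+        Totp.Backup_codes.verify_and_consume ~did ~code db
+      in
+      if backup_valid then Lwt.return_ok did
+      else
+        match%lwt _verify_email_code ~code ~session:pending with
+        | Ok did ->
+            Lwt.return_ok did
+        | Error e ->
+            Lwt.return_error e
+
+let verify_code_by_session_token ~session_token ~code db =
+  match%lwt get_pending_session ~session_token db with
+  | None ->
+      Lwt.return_error "Invalid or expired session"
+  | Some pending ->
+      verify_code_with_pending_session ~pending ~code db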
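Review bot: `verify_code` and `verify_code_with_pending_session` repeat the security-key → TOTP → backup-code chain line for line, differing only in the email step and the payload of `Ok`, so the unification this commit sets out to do stops one step short; a private helper that runs the three local factors and returns a bool, named like the existing `_verify_email_code`, would leave each public function with just its email branch. Because every non-matching code falls through to the email verifier, the `Error e` a caller receives always comes from the email path even when the user submitted a TOTP or backup code — the message text is not visible here, so whether that misleads clients is worth confirming. Neither function carries a doc comment; I would add one stating the precedence and the consumption side effect, e.g. `(** [verify_code ~did ~code db] accepts a security-key, TOTP, backup (consumed on a match) or email code for [did], tried in that order; on failure the error is the email verifier's. *)`, and the analogous comment on `verify_code_with_pending_session` noting that it trusts the caller's [pending] record.
```ocaml
(* Runs the factors that need only [did]: security key, TOTP, then backup
   code (consumed on a match). True as soon as one accepts [code]. *)
let _verify_local_factors ~did ~code db =
  let%lwt sk_valid = Security_key.verify_login ~did ~code db in
  if sk_valid then Lwt.return_true
  else
    let%lwt totp_valid = Totp.verify_login_code ~did ~code db in
    if totp_valid then Lwt.return_true
    else Totp.Backup_codes.verify_and_consume ~did ~code db

let verify_code ~did ~code db =
  let%lwt local_ok = _verify_local_factors ~did ~code db in
  if local_ok then Lwt.return_ok ()
  else
    match%lwt verify_email_code_by_did ~did ~code db with
    | Ok _ ->
        Lwt.return_ok ()
    | Error e ->
        Lwt.return_error e

let verify_code_with_pending_session ~(pending : Types.pending_2fa) ~code db =
  let did = pending.did in
  let%lwt local_ok = _verify_local_factors ~did ~code db in
  if local_ok then Lwt.return_ok did
  else
    match%lwt _verify_email_code ~code ~session:pending with
    | Ok did ->
        Lwt.return_ok did
    | Error e ->
        Lwt.return_error e

(* … unchanged: verify_code_by_session_token … *)
```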