Finish MFA implementation

backend/routes/main.js

@@ -27,6 +27,7 @@ router.get('/', (req, res/*, next*/) => {
 
 router.use('/schema', require('./schema'));
 router.use('/tokens', require('./tokens'));
+router.use('/mfa', require('./mfa'));
 router.use('/users', require('./users'));
 router.use('/audit-log', require('./audit-log'));
 router.use('/reports', require('./reports'));

backend/routes/mfa.js

@@ -0,0 +1,89 @@
+const express       = require('express');
+const jwtdecode     = require('../lib/express/jwt-decode');
+const apiValidator  = require('../lib/validator/api');
+const internalToken = require('../internal/token');
+const schema        = require('../schema');
+const internalMfa   = require('../internal/mfa');
+const qrcode        = require('qrcode');
+const speakeasy     = require('speakeasy');
+const userModel     = require('../models/user');
+
+let router = express.Router({
+	caseSensitive: true,
+	strict:        true,
+	mergeParams:   true
+});
+
+router
+	.route('/')
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+
+	.get(async (req, res, next) => {
+		internalToken.getFreshToken(res.locals.access, {
+			expiry: (typeof req.query.expiry !== 'undefined' ? req.query.expiry : null),
+			scope:  (typeof req.query.scope !== 'undefined' ? req.query.scope : null)
+		})
+			.then((data) => {
+				res.status(200)
+					.send(data);
+			})
+			.catch(next);
+	});
+
+router
+	.route('/create')
+	.post(jwtdecode(), (req, res, next) => {
+		if (!res.locals.access) {
+			return next(new Error('Invalid token'));
+		}
+		const userId = res.locals.access.token.getUserId();
+		internalMfa.createMfaSecretForUser(userId)
+			.then((secret) => {
+				return userModel.query()
+					.where('id', '=', userId)
+					.first()
+					.then((user) => {
+						if (!user) {
+							return next(new Error('User not found'));
+						}
+						return { secret, user };
+					});
+			})
+			.then(({ secret, user }) => {
+				const otpAuthUrl = speakeasy.otpauthURL({
+					secret: secret.ascii,
+					label:  user.email,
+					issuer: 'Nginx Proxy Manager'
+				});
+				qrcode.toDataURL(otpAuthUrl, (err, dataUrl) => {
+					if (err) {
+						console.error('Error generating QR code:', err);
+						return next(err);
+					}
+					res.status(200).send({ qrCode: dataUrl });
+				});
+			})
+			.catch(next);
+	});
+
+router
+	.route('/enable')
+	.post(jwtdecode(), (req, res, next) => {
+		apiValidator(schema.getValidationSchema('/mfa', 'post'), req.body).then((params) => {
+			internalMfa.enableMfaForUser(res.locals.access.token.getUserId(), params.token)
+				.then(() => res.status(200).send({ success: true }))
+				.catch(next);
+		}
+		);});
+
+router
+	.route('/check')
+	.get(jwtdecode(), (req, res, next) => {
+		internalMfa.isMfaEnabledForUser(res.locals.access.token.getUserId())
+			.then((active) => res.status(200).send({ active }))
+			.catch(next);
+	});
+
+module.exports = router;