Bump glob from 10.4.5 to 10.5.0 in /test

Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/node-glob/compare/v10.4.5...v10.5.0)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.version

@@ -1 +1 @@
-2.13.6
+2.13.5

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.13.6-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.13.5-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>

backend/internal/2fa.js

@@ -1,9 +1,9 @@
-import crypto from "node:crypto";
 import bcrypt from "bcrypt";
+import crypto from "node:crypto";
 import { authenticator } from "otplib";
-import errs from "../lib/error.js";
 import authModel from "../models/auth.js";
-import internalUser from "./user.js";
+import userModel from "../models/user.js";
+import errs from "../lib/error.js";
 
 const APP_NAME = "Nginx Proxy Manager";
 const BACKUP_CODE_COUNT = 8;
@@ -26,7 +26,38 @@ const generateBackupCodes = async () => {
 	return { plain, hashed };
 };
 
-const internal2fa = {
+export default {
+	/**
+	 * Generate a new TOTP secret
+	 * @returns {string}
+	 */
+	generateSecret: () => {
+		return authenticator.generateSecret();
+	},
+
+	/**
+	 * Generate otpauth URL for QR code
+	 * @param {string} email
+	 * @param {string} secret
+	 * @returns {string}
+	 */
+	generateOTPAuthURL: (email, secret) => {
+		return authenticator.keyuri(email, APP_NAME, secret);
+	},
+
+	/**
+	 * Verify a TOTP code
+	 * @param {string} secret
+	 * @param {string} code
+	 * @returns {boolean}
+	 */
+	verifyCode: (secret, code) => {
+		try {
+			return authenticator.verify({ token: code, secret });
+		} catch {
+			return false;
+		}
+	},
 
 	/**
 	 * Check if user has 2FA enabled
@@ -34,85 +65,94 @@ const internal2fa = {
 	 * @returns {Promise<boolean>}
 	 */
 	isEnabled: async (userId) => {
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const auth = await authModel
-		return auth?.meta?.totp_enabled === true;
+			.query()
+			.where("user_id", userId)
+			.where("type", "password")
+			.first();
+
+		if (!auth || !auth.meta) {
+			return false;
+		}
+
+		return auth.meta.totp_enabled === true;
 	},
 
 	/**
 	 * Get 2FA status for user
-	 * @param   {Access}  access
 	 * @param {number} userId
-	 * @returns {Promise<{enabled: boolean, backup_codes_remaining: number}>}
+	 * @returns {Promise<{enabled: boolean, backupCodesRemaining: number}>}
 	 */
-	getStatus: async (access, userId) => {
+	getStatus: async (userId) => {
-		await access.can("users:password", userId);
+		const auth = await authModel
-		await internalUser.get(access, { id: userId });
+			.query()
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+			.where("user_id", userId)
-		const enabled = auth?.meta?.totp_enabled === true;
+			.where("type", "password")
-		let backup_codes_remaining = 0;
+			.first();
 
-		if (enabled) {
+		if (!auth || !auth.meta || !auth.meta.totp_enabled) {
-			const backupCodes = auth.meta.backup_codes || [];
+			return { enabled: false, backupCodesRemaining: 0 };
-			backup_codes_remaining = backupCodes.length;
 		}
 
+		const backupCodes = auth.meta.backup_codes || [];
 		return {
-			enabled,
+			enabled: true,
-			backup_codes_remaining,
+			backupCodesRemaining: backupCodes.length,
 		};
 	},
 
 	/**
 	 * Start 2FA setup - store pending secret
-	 *
-	 * @param   {Access}  access
 	 * @param {number} userId
-	 * @returns {Promise<{secret: string, otpauth_url: string}>}
+	 * @returns {Promise<{secret: string, otpauthUrl: string}>}
 	 */
-	startSetup: async (access, userId) => {
+	startSetup: async (userId) => {
-		await access.can("users:password", userId);
+		const user = await userModel.query().where("id", userId).first();
-		const user = await internalUser.get(access, { id: userId });
+		if (!user) {
-		const secret = authenticator.generateSecret();
+			throw new errs.ItemNotFoundError("User not found");
-		const otpauth_url = authenticator.keyuri(user.email, APP_NAME, secret);
+		}
-		const auth = await internal2fa.getUserPasswordAuth(userId);
 
-		// ensure user isn't already setup for 2fa
+		const secret = authenticator.generateSecret();
-		const enabled = auth?.meta?.totp_enabled === true;
+		const otpauthUrl = authenticator.keyuri(user.email, APP_NAME, secret);
-		if (enabled) {
+
-			throw new errs.ValidationError("2FA is already enabled");
+		const auth = await authModel
+			.query()
+			.where("user_id", userId)
+			.where("type", "password")
+			.first();
+
+		if (!auth) {
+			throw new errs.ItemNotFoundError("Auth record not found");
 		}
 
 		const meta = auth.meta || {};
 		meta.totp_pending_secret = secret;
 
-		await authModel.query()
+		await authModel.query().where("id", auth.id).patch({ meta });
-			.where("id", auth.id)
-			.andWhere("user_id", userId)
-			.andWhere("type", "password")
-			.patch({ meta });
 
-		return { secret, otpauth_url };
+		return { secret, otpauthUrl };
 	},
 
 	/**
 	 * Enable 2FA after verifying code
-	 *
-	 * @param   {Access}  access
 	 * @param {number} userId
 	 * @param {string} code
-	 * @returns {Promise<{backup_codes: string[]}>}
+	 * @returns {Promise<{backupCodes: string[]}>}
 	 */
-	enable: async (access, userId, code) => {
+	enable: async (userId, code) => {
-		await access.can("users:password", userId);
+		const auth = await authModel
-		await internalUser.get(access, { id: userId });
+			.query()
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+			.where("user_id", userId)
-		const secret = auth?.meta?.totp_pending_secret || false;
+			.where("type", "password")
+			.first();
 
-		if (!secret) {
+		if (!auth || !auth.meta || !auth.meta.totp_pending_secret) {
 			throw new errs.ValidationError("No pending 2FA setup found");
 		}
 
+		const secret = auth.meta.totp_pending_secret;
 		const valid = authenticator.verify({ token: code, secret });
+
 		if (!valid) {
 			throw new errs.ValidationError("Invalid verification code");
 		}
@@ -128,31 +168,25 @@ const internal2fa = {
 		};
 		delete meta.totp_pending_secret;
 
-		await authModel
+		await authModel.query().where("id", auth.id).patch({ meta });
-			.query()
-			.where("id", auth.id)
-			.andWhere("user_id", userId)
-			.andWhere("type", "password")
-			.patch({ meta });
 
-		return { backup_codes: plain };
+		return { backupCodes: plain };
 	},
 
 	/**
 	 * Disable 2FA
-	 *
-	 * @param   {Access}  access
 	 * @param {number} userId
 	 * @param {string} code
 	 * @returns {Promise<void>}
 	 */
-	disable: async (access, userId, code) => {
+	disable: async (userId, code) => {
-		await access.can("users:password", userId);
+		const auth = await authModel
-		await internalUser.get(access, { id: userId });
+			.query()
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+			.where("user_id", userId)
+			.where("type", "password")
+			.first();
 
-		const enabled = auth?.meta?.totp_enabled === true;
+		if (!auth || !auth.meta || !auth.meta.totp_enabled) {
-		if (!enabled) {
 			throw new errs.ValidationError("2FA is not enabled");
 		}
 
@@ -162,7 +196,7 @@ const internal2fa = {
 		});
 
 		if (!valid) {
-			throw new errs.AuthError("Invalid verification code");
+			throw new errs.ValidationError("Invalid verification code");
 		}
 
 		const meta = { ...auth.meta };
@@ -171,33 +205,30 @@ const internal2fa = {
 		delete meta.totp_enabled_at;
 		delete meta.backup_codes;
 
-		await authModel
+		await authModel.query().where("id", auth.id).patch({ meta });
-			.query()
-			.where("id", auth.id)
-			.andWhere("user_id", userId)
-			.andWhere("type", "password")
-			.patch({ meta });
 	},
 
 	/**
 	 * Verify 2FA code for login
-	 *
 	 * @param {number} userId
-	 * @param   {string} token
+	 * @param {string} code
 	 * @returns {Promise<boolean>}
 	 */
-	verifyForLogin: async (userId, token) => {
+	verifyForLogin: async (userId, code) => {
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const auth = await authModel
-		const secret = auth?.meta?.totp_secret || false;
+			.query()
+			.where("user_id", userId)
+			.where("type", "password")
+			.first();
 
-		if (!secret) {
+		if (!auth || !auth.meta || !auth.meta.totp_secret) {
 			return false;
 		}
 
 		// Try TOTP code first
 		const valid = authenticator.verify({
-			token,
+			token: code,
-			secret,
+			secret: auth.meta.totp_secret,
 		});
 
 		if (valid) {
@@ -205,7 +236,7 @@ const internal2fa = {
 		}
 
 		// Try backup codes
-		const backupCodes = auth?.meta?.backup_codes || [];
+		const backupCodes = auth.meta.backup_codes || [];
 		for (let i = 0; i < backupCodes.length; i++) {
 			const match = await bcrypt.compare(code.toUpperCase(), backupCodes[i]);
 			if (match) {
@@ -213,12 +244,7 @@ const internal2fa = {
 				const updatedCodes = [...backupCodes];
 				updatedCodes.splice(i, 1);
 				const meta = { ...auth.meta, backup_codes: updatedCodes };
-				await authModel
+				await authModel.query().where("id", auth.id).patch({ meta });
-					.query()
-					.where("id", auth.id)
-					.andWhere("user_id", userId)
-					.andWhere("type", "password")
-					.patch({ meta });
 				return true;
 			}
 		}
@@ -228,29 +254,24 @@ const internal2fa = {
 
 	/**
 	 * Regenerate backup codes
-	 *
-	 * @param   {Access}  access
 	 * @param {number} userId
-	 * @param   {string}  token
+	 * @param {string} code
-	 * @returns {Promise<{backup_codes: string[]}>}
+	 * @returns {Promise<{backupCodes: string[]}>}
 	 */
-	regenerateBackupCodes: async (access, userId, token) => {
+	regenerateBackupCodes: async (userId, code) => {
-		await access.can("users:password", userId);
+		const auth = await authModel
-		await internalUser.get(access, { id: userId });
+			.query()
-		const auth = await internal2fa.getUserPasswordAuth(userId);
+			.where("user_id", userId)
-		const enabled = auth?.meta?.totp_enabled === true;
+			.where("type", "password")
-		const secret = auth?.meta?.totp_secret || false;
+			.first();
 
-		if (!enabled) {
+		if (!auth || !auth.meta || !auth.meta.totp_enabled) {
 			throw new errs.ValidationError("2FA is not enabled");
 		}
-		if (!secret) {
-			throw new errs.ValidationError("No 2FA secret found");
-		}
 
 		const valid = authenticator.verify({
-			token,
+			token: code,
-			secret,
+			secret: auth.meta.totp_secret,
 		});
 
 		if (!valid) {
@@ -260,29 +281,8 @@ const internal2fa = {
 		const { plain, hashed } = await generateBackupCodes();
 
 		const meta = { ...auth.meta, backup_codes: hashed };
-		await authModel
+		await authModel.query().where("id", auth.id).patch({ meta });
-			.query()
-			.where("id", auth.id)
-			.andWhere("user_id", userId)
-			.andWhere("type", "password")
-			.patch({ meta });
 
-		return { backup_codes: plain };
+		return { backupCodes: plain };
-	},
-
-	getUserPasswordAuth: async (userId) => {
-		const auth = await authModel
-			.query()
-			.where("user_id", userId)
-			.andWhere("type", "password")
-			.first();
-
-		if (!auth) {
-			throw new errs.ItemNotFoundError("Auth not found");
-		}
-
-		return auth;
 	},
 };
-
-export default internal2fa;

backend/routes/tokens.js

@@ -66,7 +66,16 @@ router
 	 */
 	.post(async (req, res, next) => {
 		try {
-			const { challenge_token, code } = await apiValidator(getValidationSchema("/tokens/2fa", "post"), req.body);
+			const { challenge_token, code } = req.body;
+
+			if (!challenge_token || !code) {
+				return res.status(400).json({
+					error: {
+						message: "Missing challenge_token or code",
+					},
+				});
+			}
+
 			const result = await internalToken.verify2FA(challenge_token, code);
 			res.status(200).send(result);
 		} catch (err) {

backend/routes/users.js

@@ -339,21 +339,6 @@ router
 	.all(jwtdecode())
 	.all(userIdFromMe)
 
-	/**
-	 * POST /api/users/123/2fa
-	 *
-	 * Start 2FA setup, returns QR code URL
-	 */
-	.post(async (req, res, next) => {
-		try {
-			const result = await internal2FA.startSetup(res.locals.access, req.params.user_id);
-			res.status(200).send(result);
-		} catch (err) {
-			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
-			next(err);
-		}
-	})
-
 	/**
 	 * GET /api/users/123/2fa
 	 *
@@ -361,7 +346,15 @@ router
 	 */
 	.get(async (req, res, next) => {
 		try {
-			const status = await internal2FA.getStatus(res.locals.access, req.params.user_id);
+			const userId = Number.parseInt(req.params.user_id, 10);
+			const access = res.locals.access;
+
+			// Users can only view their own 2FA status
+			if (access.token.getUserId() !== userId && !access.token.hasScope("admin")) {
+				throw new errs.PermissionError("Cannot view 2FA status for other users");
+			}
+
+			const status = await internal2FA.getStatus(userId);
 			res.status(200).send(status);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
@@ -370,18 +363,63 @@ router
 	})
 
 	/**
-	 * DELETE /api/users/123/2fa?code=XXXXXX
+	 * DELETE /api/users/123/2fa
 	 *
 	 * Disable 2FA for a user
 	 */
 	.delete(async (req, res, next) => {
 		try {
-			const code = typeof req.query.code === "string" ? req.query.code : null;
+			const userId = Number.parseInt(req.params.user_id, 10);
-			if (!code) {
+			const access = res.locals.access;
-				throw new errs.ValidationError("Missing required parameter: code");
+
+			// Users can only disable their own 2FA
+			if (access.token.getUserId() !== userId && !access.token.hasScope("admin")) {
+				throw new errs.PermissionError("Cannot disable 2FA for other users");
 			}
-			await internal2FA.disable(res.locals.access, req.params.user_id, code);
+
-			res.status(200).send(true);
+			const { code } = req.body;
+			if (!code) {
+				throw new errs.ValidationError("Verification code is required");
+			}
+
+			await internal2FA.disable(userId, code);
+			res.status(200).send({ success: true });
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * User 2FA setup
+ *
+ * /api/users/123/2fa/setup
+ */
+router
+	.route("/:user_id/2fa/setup")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+	.all(userIdFromMe)
+
+	/**
+	 * POST /api/users/123/2fa/setup
+	 *
+	 * Start 2FA setup, returns QR code URL
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const userId = Number.parseInt(req.params.user_id, 10);
+			const access = res.locals.access;
+
+			// Users can only setup their own 2FA
+			if (access.token.getUserId() !== userId) {
+				throw new errs.PermissionError("Cannot setup 2FA for other users");
+			}
+
+			const result = await internal2FA.startSetup(userId);
+			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
@@ -402,17 +440,26 @@ router
 	.all(userIdFromMe)
 
 	/**
-	 * POST /api/users/123/2fa/enable
+	 * PUT /api/users/123/2fa/enable
 	 *
 	 * Verify code and enable 2FA
 	 */
-	.post(async (req, res, next) => {
+	.put(async (req, res, next) => {
 		try {
-			const { code } = await apiValidator(
+			const userId = Number.parseInt(req.params.user_id, 10);
-				getValidationSchema("/users/{userID}/2fa/enable", "post"),
+			const access = res.locals.access;
-				req.body,
+
-			);
+			// Users can only enable their own 2FA
-			const result = await internal2FA.enable(res.locals.access, req.params.user_id, code);
+			if (access.token.getUserId() !== userId) {
+				throw new errs.PermissionError("Cannot enable 2FA for other users");
+			}
+
+			const { code } = req.body;
+			if (!code) {
+				throw new errs.ValidationError("Verification code is required");
+			}
+
+			const result = await internal2FA.enable(userId, code);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
@@ -440,11 +487,20 @@ router
 	 */
 	.post(async (req, res, next) => {
 		try {
-			const { code } = await apiValidator(
+			const userId = Number.parseInt(req.params.user_id, 10);
-				getValidationSchema("/users/{userID}/2fa/backup-codes", "post"),
+			const access = res.locals.access;
-				req.body,
+
-			);
+			// Users can only regenerate their own backup codes
-			const result = await internal2FA.regenerateBackupCodes(res.locals.access, req.params.user_id, code);
+			if (access.token.getUserId() !== userId) {
+				throw new errs.PermissionError("Cannot regenerate backup codes for other users");
+			}
+
+			const { code } = req.body;
+			if (!code) {
+				throw new errs.ValidationError("Verification code is required");
+			}
+
+			const result = await internal2FA.regenerateBackupCodes(userId, code);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);

backend/schema/components/token-challenge.json

@@ -1,18 +0,0 @@
-{
-	"type": "object",
-	"description": "Token object",
-	"required": ["requires_2fa", "challenge_token"],
-	"additionalProperties": false,
-	"properties": {
-		"requires_2fa": {
-			"description": "Whether this token request requires two-factor authentication",
-			"example": true,
-			"type": "boolean"
-		},
-		"challenge_token": {
-			"description": "Challenge Token used in subsequent 2FA verification",
-			"example": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
-			"type": "string"
-		}
-	}
-}

backend/schema/paths/tokens/2fa/post.json

@@ -1,55 +0,0 @@
-{
-	"operationId": "loginWith2FA",
-	"summary": "Verify 2FA code and get full token",
-	"tags": ["tokens"],
-	"requestBody": {
-		"description": "2fa Challenge Payload",
-		"required": true,
-		"content": {
-			"application/json": {
-				"schema": {
-					"additionalProperties": false,
-					"properties": {
-						"challenge_token": {
-							"minLength": 1,
-							"type": "string",
-							"example": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4"
-						},
-						"code": {
-							"minLength": 6,
-							"maxLength": 6,
-							"type": "string",
-							"example": "012345"
-						}
-					},
-					"required": ["challenge_token", "code"],
-					"type": "object"
-				},
-				"example": {
-					"challenge_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
-					"code": "012345"
-				}
-			}
-		}
-	},
-	"responses": {
-		"200": {
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": {
-								"expires": "2025-02-04T20:40:46.340Z",
-								"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4"
-							}
-						}
-					},
-					"schema": {
-						"$ref": "../../../components/token-object.json"
-					}
-				}
-			},
-			"description": "200 response"
-		}
-	}
-}

backend/schema/paths/tokens/post.json

@@ -50,14 +50,7 @@
 						}
 					},
 					"schema": {
-						"oneOf": [
-							{
 						"$ref": "../../components/token-object.json"
-							},
-							{
-								"$ref": "../../components/token-challenge.json"
-							}
-						]
 					}
 				}
 			},

backend/schema/paths/users/userID/2fa/backup-codes/post.json

@@ -1,92 +0,0 @@
-{
-	"operationId": "regenUser2faCodes",
-	"summary": "Regenerate 2FA backup codes",
-	"tags": ["users"],
-	"parameters": [
-		{
-			"in": "path",
-			"name": "userID",
-			"schema": {
-				"type": "integer",
-				"minimum": 1
-			},
-			"required": true,
-			"description": "User ID",
-			"example": 2
-		}
-	],
-	"requestBody": {
-		"description": "Verififcation Payload",
-		"required": true,
-		"content": {
-			"application/json": {
-				"schema": {
-					"additionalProperties": false,
-					"properties": {
-						"code": {
-							"minLength": 6,
-							"maxLength": 6,
-							"type": "string",
-							"example": "123456"
-						}
-					},
-					"required": ["code"],
-					"type": "object"
-				},
-				"example": {
-					"code": "123456"
-				}
-			}
-		}
-	},
-	"responses": {
-		"200": {
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": {
-								"backup_codes": [
-									"6CD7CB06",
-									"495302F3",
-									"D8037852",
-									"A6FFC956",
-									"BC1A1851",
-									"A05E644F",
-									"A406D2E8",
-									"0AE3C522"
-								]
-							}
-						}
-					},
-					"schema": {
-						"type": "object",
-						"required": ["backup_codes"],
-						"additionalProperties": false,
-						"properties": {
-							"backup_codes": {
-								"description": "Backup codes",
-								"example": [
-									"6CD7CB06",
-									"495302F3",
-									"D8037852",
-									"A6FFC956",
-									"BC1A1851",
-									"A05E644F",
-									"A406D2E8",
-									"0AE3C522"
-								],
-								"type": "array",
-								"items": {
-									"type": "string",
-									"example": "6CD7CB06"
-								}
-							}
-						}
-					}
-				}
-			},
-			"description": "200 response"
-		}
-	}
-}

backend/schema/paths/users/userID/2fa/delete.json

@@ -1,48 +0,0 @@
-{
-	"operationId": "disableUser2fa",
-	"summary": "Disable 2fa for user",
-	"tags": ["users"],
-	"parameters": [
-		{
-			"in": "path",
-			"name": "userID",
-			"schema": {
-				"type": "integer",
-				"minimum": 1
-			},
-			"required": true,
-			"description": "User ID",
-			"example": 2
-		},
-		{
-			"in": "query",
-			"name": "code",
-			"schema": {
-				"type": "string",
-				"minLength": 6,
-				"maxLength": 6,
-				"example": "012345"
-			},
-			"required": true,
-			"description": "2fa Code",
-			"example": "012345"
-		}
-	],
-	"responses": {
-		"200": {
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": true
-						}
-					},
-					"schema": {
-						"type": "boolean"
-					}
-				}
-			},
-			"description": "200 response"
-		}
-	}
-}

backend/schema/paths/users/userID/2fa/enable/post.json

@@ -1,92 +0,0 @@
-{
-	"operationId": "enableUser2fa",
-	"summary": "Verify code and enable 2FA",
-	"tags": ["users"],
-	"parameters": [
-		{
-			"in": "path",
-			"name": "userID",
-			"schema": {
-				"type": "integer",
-				"minimum": 1
-			},
-			"required": true,
-			"description": "User ID",
-			"example": 2
-		}
-	],
-	"requestBody": {
-		"description": "Verififcation Payload",
-		"required": true,
-		"content": {
-			"application/json": {
-				"schema": {
-					"additionalProperties": false,
-					"properties": {
-						"code": {
-							"minLength": 6,
-							"maxLength": 6,
-							"type": "string",
-							"example": "123456"
-						}
-					},
-					"required": ["code"],
-					"type": "object"
-				},
-				"example": {
-					"code": "123456"
-				}
-			}
-		}
-	},
-	"responses": {
-		"200": {
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": {
-								"backup_codes": [
-									"6CD7CB06",
-									"495302F3",
-									"D8037852",
-									"A6FFC956",
-									"BC1A1851",
-									"A05E644F",
-									"A406D2E8",
-									"0AE3C522"
-								]
-							}
-						}
-					},
-					"schema": {
-						"type": "object",
-						"required": ["backup_codes"],
-						"additionalProperties": false,
-						"properties": {
-							"backup_codes": {
-								"description": "Backup codes",
-								"example": [
-									"6CD7CB06",
-									"495302F3",
-									"D8037852",
-									"A6FFC956",
-									"BC1A1851",
-									"A05E644F",
-									"A406D2E8",
-									"0AE3C522"
-								],
-								"type": "array",
-								"items": {
-									"type": "string",
-									"example": "6CD7CB06"
-								}
-							}
-						}
-					}
-				}
-			},
-			"description": "200 response"
-		}
-	}
-}

backend/schema/paths/users/userID/2fa/get.json

@@ -1,57 +0,0 @@
-{
-	"operationId": "getUser2faStatus",
-	"summary": "Get user 2fa Status",
-	"tags": ["users"],
-	"security": [
-		{
-			"bearerAuth": []
-		}
-	],
-	"parameters": [
-		{
-			"in": "path",
-			"name": "userID",
-			"schema": {
-				"type": "integer",
-				"minimum": 1
-			},
-			"required": true,
-			"description": "User ID",
-			"example": 2
-		}
-	],
-	"responses": {
-		"200": {
-			"description": "200 response",
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": {
-								"enabled": false,
-								"backup_codes_remaining": 0
-							}
-						}
-					},
-					"schema": {
-						"type": "object",
-						"additionalProperties": false,
-						"required": ["enabled", "backup_codes_remaining"],
-						"properties": {
-							"enabled": {
-								"type": "boolean",
-								"description": "Is 2FA enabled for this user",
-								"example": true
-							},
-							"backup_codes_remaining": {
-								"type": "integer",
-								"description": "Number of remaining backup codes for this user",
-								"example": 5
-							}
-						}
-					}
-				}
-			}
-		}
-	}
-}

backend/schema/paths/users/userID/2fa/post.json

@@ -1,52 +0,0 @@
-{
-	"operationId": "setupUser2fa",
-	"summary": "Start 2FA setup, returns QR code URL",
-	"tags": ["users"],
-	"parameters": [
-		{
-			"in": "path",
-			"name": "userID",
-			"schema": {
-				"type": "integer",
-				"minimum": 1
-			},
-			"required": true,
-			"description": "User ID",
-			"example": 2
-		}
-	],
-	"responses": {
-		"200": {
-			"content": {
-				"application/json": {
-					"examples": {
-						"default": {
-							"value": {
-								"secret": "JZYCEBIEEJYUGPQM",
-								"otpauth_url": "otpauth://totp/Nginx%20Proxy%20Manager:jc%40jc21.com?secret=JZYCEBIEEJYUGPQM&period=30&digits=6&algorithm=SHA1&issuer=Nginx%20Proxy%20Manager"
-							}
-						}
-					},
-					"schema": {
-						"type": "object",
-						"required": ["secret", "otpauth_url"],
-						"additionalProperties": false,
-						"properties": {
-							"secret": {
-								"description": "TOTP Secret",
-								"example": "JZYCEBIEEJYUGPQM",
-								"type": "string"
-							},
-							"otpauth_url": {
-								"description": "OTP Auth URL for QR Code generation",
-								"example": "otpauth://totp/Nginx%20Proxy%20Manager:jc%40jc21.com?secret=JZYCEBIEEJYUGPQM&period=30&digits=6&algorithm=SHA1&issuer=Nginx%20Proxy%20Manager",
-								"type": "string"
-							}
-						}
-					}
-				}
-			},
-			"description": "200 response"
-		}
-	}
-}

backend/schema/swagger.json

@@ -293,11 +293,6 @@
 				"$ref": "./paths/tokens/post.json"
 			}
 		},
-		"/tokens/2fa": {
-			"post": {
-				"$ref": "./paths/tokens/2fa/post.json"
-			}
-		},
 		"/version/check": {
 			"get": {
 				"$ref": "./paths/version/check/get.json"
@@ -322,27 +317,6 @@
 				"$ref": "./paths/users/userID/delete.json"
 			}
 		},
-		"/users/{userID}/2fa": {
-			"post": {
-				"$ref": "./paths/users/userID/2fa/post.json"
-			},
-			"get": {
-				"$ref": "./paths/users/userID/2fa/get.json"
-			},
-			"delete": {
-				"$ref": "./paths/users/userID/2fa/delete.json"
-			}
-		},
-		"/users/{userID}/2fa/enable": {
-			"post": {
-				"$ref": "./paths/users/userID/2fa/enable/post.json"
-			}
-		},
-		"/users/{userID}/2fa/backup-codes": {
-			"post": {
-				"$ref": "./paths/users/userID/2fa/backup-codes/post.json"
-			}
-		},
 		"/users/{userID}/auth": {
 			"put": {
 				"$ref": "./paths/users/userID/auth/put.json"

docs/src/2fa-implementation.md

@@ -0,0 +1,176 @@
+# Two-Factor Authentication Implementation
+
+> **Note:** This document should be deleted after PR approval. It serves as a reference for reviewers to understand the scope of the contribution.
+
+---
+
+**Acknowledgments**
+
+Thanks to all contributors and authors from the Inte.Team for the great work on Nginx Proxy Manager. It saves us time and effort, and we're happy to contribute back to the project.
+
+---
+
+## Overview
+
+Add TOTP-based two-factor authentication to the login flow. Users can enable 2FA from their profile settings, scan a QR code with any authenticator app (Google Authenticator, Authy, etc.), and will be required to enter a 6-digit code on login.
+
+## Current Authentication Flow
+
+```
+POST /tokens {identity, secret}
+  -> Validate user exists and is not disabled
+  -> Verify password against auth.secret
+  -> Return JWT token
+```
+
+## Proposed 2FA Flow
+
+```
+POST /tokens {identity, secret}
+  -> Validate user exists and is not disabled
+  -> Verify password against auth.secret
+  -> If 2FA enabled:
+       Return {requires_2fa: true, challenge_token: <short-lived JWT>}
+  -> Else:
+       Return {token: <JWT>, expires: <timestamp>}
+
+POST /tokens/2fa {challenge_token, code}
+  -> Validate challenge_token
+  -> Verify TOTP code against user's secret
+  -> Return {token: <JWT>, expires: <timestamp>}
+```
+
+## Database Changes
+
+Extend the existing `auth.meta` JSON column to store 2FA data:
+
+```json
+{
+  "totp_secret": "<encrypted-secret>",
+  "totp_enabled": true,
+  "totp_enabled_at": "<timestamp>",
+  "backup_codes": ["<hashed-code-1>", "<hashed-code-2>", ...]
+}
+```
+
+No new tables required. The `auth.meta` column is already designed for this purpose.
+
+## Backend Changes
+
+### New Files
+
+1. `backend/internal/2fa.js` - Core 2FA logic
+   - `generateSecret()` - Generate TOTP secret
+   - `generateQRCodeURL(user, secret)` - Generate otpauth URL
+   - `verifyCode(secret, code)` - Verify TOTP code
+   - `generateBackupCodes()` - Generate 8 backup codes
+   - `verifyBackupCode(user, code)` - Verify and consume backup code
+
+2. `backend/routes/2fa.js` - 2FA management endpoints
+   - `GET /users/:id/2fa` - Get 2FA status
+   - `POST /users/:id/2fa/setup` - Start 2FA setup, return QR code
+   - `PUT /users/:id/2fa/enable` - Verify code and enable 2FA
+   - `DELETE /users/:id/2fa` - Disable 2FA (requires code)
+   - `GET /users/:id/2fa/backup-codes` - View remaining backup codes count
+   - `POST /users/:id/2fa/backup-codes` - Regenerate backup codes
+
+### Modified Files
+
+1. `backend/internal/token.js`
+   - Update `getTokenFromEmail()` to check for 2FA
+   - Add `verifyTwoFactorChallenge()` function
+   - Add `createChallengeToken()` for short-lived 2FA tokens
+
+2. `backend/routes/tokens.js`
+   - Add `POST /tokens/2fa` endpoint
+
+3. `backend/index.js`
+   - Register new 2FA routes
+
+### Dependencies
+
+Add to `package.json`:
+```json
+"otplib": "^12.0.1"
+```
+
+## Frontend Changes
+
+### New Files
+
+1. `frontend/src/pages/Login2FA/index.tsx` - 2FA code entry page
+2. `frontend/src/modals/TwoFactorSetupModal.tsx` - Setup wizard modal
+3. `frontend/src/api/backend/twoFactor.ts` - 2FA API functions
+4. `frontend/src/api/backend/verify2FA.ts` - Token verification
+
+### Modified Files
+
+1. `frontend/src/api/backend/responseTypes.ts`
+   - Add `TwoFactorChallengeResponse` type
+   - Add `TwoFactorStatusResponse` type
+
+2. `frontend/src/context/AuthContext.tsx`
+   - Add `twoFactorRequired` state
+   - Add `challengeToken` state
+   - Update `login()` to handle 2FA response
+   - Add `verify2FA()` function
+
+3. `frontend/src/pages/Login/index.tsx`
+   - Handle 2FA challenge response
+   - Redirect to 2FA entry when required
+
+4. `frontend/src/pages/Settings/` (or user profile)
+   - Add 2FA enable/disable section
+
+### Dependencies
+
+Add to `package.json`:
+```json
+"qrcode.react": "^3.1.0"
+```
+
+## API Endpoints Summary
+
+| Method | Endpoint | Auth | Description |
+|--------|----------|------|-------------|
+| POST | /tokens | No | Login (returns challenge if 2FA) |
+| POST | /tokens/2fa | Challenge | Complete 2FA login |
+| GET | /users/:id/2fa | JWT | Get 2FA status |
+| POST | /users/:id/2fa/setup | JWT | Start setup, get QR code |
+| PUT | /users/:id/2fa/enable | JWT | Verify and enable |
+| DELETE | /users/:id/2fa | JWT | Disable (requires code) |
+| GET | /users/:id/2fa/backup-codes | JWT | Get backup codes count |
+| POST | /users/:id/2fa/backup-codes | JWT | Regenerate codes |
+
+## Security Considerations
+
+1. Challenge tokens expire in 5 minutes
+2. TOTP secrets encrypted at rest
+3. Backup codes hashed with bcrypt
+4. Rate limit on 2FA attempts (5 attempts, 15 min lockout)
+5. Backup codes single-use only
+6. 2FA disable requires valid TOTP code
+
+## Implementation Order
+
+1. Backend: Add `otplib` dependency
+2. Backend: Create `internal/2fa.js` module
+3. Backend: Update `internal/token.js` for challenge flow
+4. Backend: Add `POST /tokens/2fa` route
+5. Backend: Create `routes/2fa.js` for management
+6. Frontend: Add `qrcode.react` dependency
+7. Frontend: Update API types and functions
+8. Frontend: Update AuthContext for 2FA state
+9. Frontend: Create Login2FA page
+10. Frontend: Update Login to handle 2FA
+11. Frontend: Add 2FA settings UI
+
+## Testing
+
+1. Enable 2FA for user
+2. Login with password only - should get challenge
+3. Submit correct TOTP - should get token
+4. Submit wrong TOTP - should fail
+5. Use backup code - should work once
+6. Disable 2FA - should require valid code
+7. Login after disable - should work without 2FA

frontend/src/api/backend/base.ts

@@ -156,6 +156,7 @@ export async function del({ url, params }: DeleteArgs, abortController?: AbortCo
 	const method = "DELETE";
 	const headers = {
 		...buildAuthHeader(),
+		[contentTypeHeader]: "application/json",
 	};
 	const signal = abortController?.signal;
 	const response = await fetch(apiUrl, { method, headers, signal });

frontend/src/api/backend/twoFactor.ts

@@ -1,5 +1,11 @@
+import { camelizeKeys, decamelizeKeys } from "humps";
+import AuthStore from "src/modules/AuthStore";
+import type {
+	TwoFactorEnableResponse,
+	TwoFactorSetupResponse,
+	TwoFactorStatusResponse,
+} from "./responseTypes";
 import * as api from "./base";
-import type { TwoFactorEnableResponse, TwoFactorSetupResponse, TwoFactorStatusResponse } from "./responseTypes";
 
 export async function get2FAStatus(userId: number | "me"): Promise<TwoFactorStatusResponse> {
 	return await api.get({
@@ -9,27 +15,42 @@ export async function get2FAStatus(userId: number | "me"): Promise<TwoFactorStat
 
 export async function start2FASetup(userId: number | "me"): Promise<TwoFactorSetupResponse> {
 	return await api.post({
-		url: `/users/${userId}/2fa`,
+		url: `/users/${userId}/2fa/setup`,
 	});
 }
 
 export async function enable2FA(userId: number | "me", code: string): Promise<TwoFactorEnableResponse> {
-	return await api.post({
+	return await api.put({
 		url: `/users/${userId}/2fa/enable`,
 		data: { code },
 	});
 }
 
-export async function disable2FA(userId: number | "me", code: string): Promise<boolean> {
+export async function disable2FA(userId: number | "me", code: string): Promise<{ success: boolean }> {
-	return await api.del({
+	const headers: Record<string, string> = {
-		url: `/users/${userId}/2fa`,
+		"Content-Type": "application/json",
-		params: {
+	};
-			code,
+	if (AuthStore.token) {
-		},
+		headers.Authorization = `Bearer ${AuthStore.token.token}`;
-	});
 	}
 
-export async function regenerateBackupCodes(userId: number | "me", code: string): Promise<TwoFactorEnableResponse> {
+	const response = await fetch(`/api/users/${userId}/2fa`, {
+		method: "DELETE",
+		headers,
+		body: JSON.stringify(decamelizeKeys({ code })),
+	});
+
+	const payload = await response.json();
+	if (!response.ok) {
+		throw new Error(payload.error?.messageI18n || payload.error?.message || "Failed to disable 2FA");
+	}
+	return camelizeKeys(payload) as { success: boolean };
+}
+
+export async function regenerateBackupCodes(
+	userId: number | "me",
+	code: string,
+): Promise<TwoFactorEnableResponse> {
 	return await api.post({
 		url: `/users/${userId}/2fa/backup-codes`,
 		data: { code },

frontend/src/locale/src/pl.json

@@ -1,12 +1,12 @@
 {
 	"access-list": {
-		"defaultMessage": "wpis listy dostępu"
+		"defaultMessage": "Lista dostępu"
 	},
 	"access-list.access-count": {
 		"defaultMessage": "{count} {count, plural, one {Reguła} few {Reguły} other {Reguł}}"
 	},
 	"access-list.auth-count": {
-		"defaultMessage": "{count} {count, plural, one {Użytkownik} few {Użytkownicy} other {Użytkowników}}"
+		"defaultMessage": "{count} {count, plural, one {Użytkownik} few {Użytkowników} other {Użytkowników}}"
 	},
 	"access-list.help-rules-last": {
 		"defaultMessage": "Gdy istnieje co najmniej 1 reguła, ta reguła blokująca wszystko zostanie dodana na końcu"
@@ -38,18 +38,12 @@
 	"action.add-location": {
 		"defaultMessage": "Dodaj lokalizację"
 	},
-	"action.allow": {
-		"defaultMessage": "Zezwól"
-	},
 	"action.close": {
 		"defaultMessage": "Zamknij"
 	},
 	"action.delete": {
 		"defaultMessage": "Usuń"
 	},
-	"action.deny": {
-		"defaultMessage": "Odrzuć"
-	},
 	"action.disable": {
 		"defaultMessage": "Wyłącz"
 	},
@@ -72,13 +66,13 @@
 		"defaultMessage": "Pokaż szczegóły"
 	},
 	"auditlogs": {
-		"defaultMessage": "Logi"
+		"defaultMessage": "Logi audytu"
 	},
 	"cancel": {
 		"defaultMessage": "Anuluj"
 	},
 	"certificate": {
-		"defaultMessage": "certyfikat"
+		"defaultMessage": "Certyfikat"
 	},
 	"certificate.custom-certificate": {
 		"defaultMessage": "Certyfikat"
@@ -111,7 +105,7 @@
 		"defaultMessage": "Certyfikaty"
 	},
 	"certificates.custom": {
-		"defaultMessage": "Własny certyfikat"
+		"defaultMessage": "Certyfikat własny"
 	},
 	"certificates.custom.warning": {
 		"defaultMessage": "Pliki kluczy chronione hasłem nie są obsługiwane."
@@ -159,7 +153,7 @@
 		"defaultMessage": "Wyniki testu"
 	},
 	"certificates.http.warning": {
-		"defaultMessage": "Te domeny muszą być już skonfigurowane tak, aby wskazywały na ten serwer"
+		"defaultMessage": "Te domeny muszą być już skonfigurowane tak, aby wskazywały na ten serwer www"
 	},
 	"certificates.key-type": {
 		"defaultMessage": "Typ klucza"
@@ -177,7 +171,7 @@
 		"defaultMessage": "z Let's Encrypt"
 	},
 	"certificates.request.title": {
-		"defaultMessage": "Wygeneruj nowy certyfikat"
+		"defaultMessage": "Zamów nowy certyfikat"
 	},
 	"column.access": {
 		"defaultMessage": "Dostęp"
@@ -189,7 +183,7 @@
 		"defaultMessage": "Autoryzacje"
 	},
 	"column.custom-locations": {
-		"defaultMessage": "Własne ustawienia lokalizacji"
+		"defaultMessage": "Własne lokalizacje"
 	},
 	"column.destination": {
 		"defaultMessage": "Cel"
@@ -255,13 +249,13 @@
 		"defaultMessage": "Panel"
 	},
 	"dead-host": {
-		"defaultMessage": "host 404"
+		"defaultMessage": "Host 404"
 	},
 	"dead-hosts": {
-		"defaultMessage": "404"
+		"defaultMessage": "Hosty 404"
 	},
 	"dead-hosts.count": {
-		"defaultMessage": "{count} {count, plural, one {host 404} few {hosty 404} other {hostów 404}}"
+		"defaultMessage": "{count} {count, plural, one {Host 404} few {Hosty 404} other {Hostów 404}}"
 	},
 	"disabled": {
 		"defaultMessage": "Wyłączone"
@@ -285,7 +279,7 @@
 		"defaultMessage": "Wymuś SSL"
 	},
 	"domains.hsts-enabled": {
-		"defaultMessage": "Włącz HSTS "
+		"defaultMessage": "HSTS włączone"
 	},
 	"domains.hsts-subdomains": {
 		"defaultMessage": "HSTS dla subdomen"
@@ -354,7 +348,7 @@
 		"defaultMessage": "Blokuj typowe exploity"
 	},
 	"host.flags.cache-assets": {
-		"defaultMessage": "Buforuj zasoby statyczne (ang. cache)"
+		"defaultMessage": "Buforuj zasoby"
 	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Zachowaj ścieżkę"
@@ -366,7 +360,7 @@
 		"defaultMessage": "Obsługa WebSockets"
 	},
 	"host.forward-port": {
-		"defaultMessage": "Port docelowy"
+		"defaultMessage": "Port przekierowania"
 	},
 	"host.forward-scheme": {
 		"defaultMessage": "Schemat"
@@ -507,22 +501,22 @@
 		"defaultMessage": "Tylko utworzone elementy"
 	},
 	"proxy-host": {
-		"defaultMessage": "host proxy"
+		"defaultMessage": "Host proxy"
 	},
 	"proxy-host.forward-host": {
 		"defaultMessage": "Przekieruj na hostname / IP"
 	},
 	"proxy-hosts": {
-		"defaultMessage": "Proxy"
+		"defaultMessage": "Hosty proxy"
 	},
 	"proxy-hosts.count": {
-		"defaultMessage": "{count} {count, plural, one {host proxy} few {hosty proxy} many {hostów proxy} other {hostów proxy}}"
+		"defaultMessage": "{count} {count, plural, one {Host proxy} few {Hosty proxy} other {Hostów proxy}}"
 	},
 	"public": {
 		"defaultMessage": "Publiczne"
 	},
 	"redirection-host": {
-		"defaultMessage": "adres przekierowania"
+		"defaultMessage": "Host przekierowania"
 	},
 	"redirection-host.forward-domain": {
 		"defaultMessage": "Domena docelowa"
@@ -531,10 +525,10 @@
 		"defaultMessage": "Kod HTTP"
 	},
 	"redirection-hosts": {
-		"defaultMessage": "Przekierowania"
+		"defaultMessage": "Hosty przekierowań"
 	},
 	"redirection-hosts.count": {
-		"defaultMessage": "{count} {count, plural, one {przekierowanie} few {przekierowania} many {przekierowań} other {przekierowań}}"
+		"defaultMessage": "{count} {count, plural, one {Host przekierowania} few {Hosty przekierowań} other {Hostów przekierowań}}"
 	},
 	"role.admin": {
 		"defaultMessage": "Administrator"
@@ -588,7 +582,7 @@
 		"defaultMessage": "Certyfikat SSL"
 	},
 	"stream": {
-		"defaultMessage": "strumień"
+		"defaultMessage": "Strumień"
 	},
 	"stream.forward-host": {
 		"defaultMessage": "Host docelowy"
@@ -600,7 +594,7 @@
 		"defaultMessage": "Strumienie"
 	},
 	"streams.count": {
-		"defaultMessage": "{count} {count, plural, one {strumień} few {strumienie} many {strumieni} other {strumieni}}"
+		"defaultMessage": "{count} {count, plural, one {Strumień} few {Strumienie} other {Strumieni}}"
 	},
 	"streams.tcp": {
 		"defaultMessage": "TCP"
@@ -612,13 +606,13 @@
 		"defaultMessage": "Test"
 	},
 	"user": {
-		"defaultMessage": "użytkownik"
+		"defaultMessage": "Użytkownik"
 	},
 	"user.change-password": {
 		"defaultMessage": "Zmień hasło"
 	},
 	"user.confirm-password": {
-		"defaultMessage": "Potwierdź nowe hasło"
+		"defaultMessage": "Potwierdź hasło"
 	},
 	"user.current-password": {
 		"defaultMessage": "Aktualne hasło"
@@ -627,7 +621,7 @@
 		"defaultMessage": "Edytuj profil"
 	},
 	"user.full-name": {
-		"defaultMessage": "Imię / Nazwisko"
+		"defaultMessage": "Pełne imię i nazwisko"
 	},
 	"user.login-as": {
 		"defaultMessage": "Zaloguj jako {name}"

test/yarn.lock

@@ -1307,9 +1307,9 @@ glob-parent@^6.0.2:
     is-glob "^4.0.3"
 
 glob@^10.4.5:
-  version "10.4.5"
+  version "10.5.0"
-  resolved "https://registry.yarnpkg.com/glob/-/glob-10.4.5.tgz#f4d9f0b90ffdbab09c9d77f5f29b4262517b0956"
+  resolved "https://registry.yarnpkg.com/glob/-/glob-10.5.0.tgz#8ec0355919cd3338c28428a23d4f24ecc5fe738c"
-  integrity sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==
+  integrity sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==
   dependencies:
     foreground-child "^3.1.0"
     jackspeak "^3.1.2"