feat(totp): allow reliers to request totp on login

mozilla · Sep 11, 2018 · 6e18646 · 6e18646
1 parent d13b455
commit 6e18646
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 1 deletion.
diff --git a/docs/api.md b/docs/api.md
@@ -291,6 +291,8 @@ for `code` and `errno` are:
   Recovery key not found.
 * `code: 400, errno: 159`:
   Recovery key is not valid.
+* `code: 400, errno: 160`:
+  This request requires two step authentication enabled on your account.
 * `code: 503, errno: 201`:
   Service unavailable
 * `code: 503, errno: 202`:
@@ -708,6 +710,9 @@ by the following errors
 * `code: 400, errno: 149`:
   This email can not currently be used to login
 
+* `code: 400, errno: 160`:
+  This request requires two step authentication enabled on your account.
+
 
 #### GET /account/status
 
@@ -2621,6 +2626,9 @@ by the following errors
 * `code: 400, errno: 149`:
   This email can not currently be used to login
 
+* `code: 400, errno: 160`:
+  This request requires two step authentication enabled on your account.
+
 
 #### GET /session/status
 

diff --git a/lib/error.js b/lib/error.js
@@ -72,6 +72,7 @@ var ERRNO = {
 
   RECOVERY_KEY_NOT_FOUND: 158,
   RECOVERY_KEY_INVALID: 159,
+  TOTP_REQUIRED: 160,
 
   SERVER_BUSY: 201,
   FEATURE_NOT_ENABLED: 202,
@@ -819,6 +820,15 @@ AppError.recoveryKeyInvalid = () => {
   })
 }
 
+AppError.totpRequired = (service, operation) => {
+  return new AppError({
+    code: 400,
+    error: 'Bad Request',
+    errno: ERRNO.TOTP_REQUIRED,
+    message: 'This request requires two step authentication enabled on your account.'
+  })
+}
+
 AppError.backendServiceFailure = (service, operation) => {
   return new AppError({
     code: 500,

diff --git a/lib/routes/account.js b/lib/routes/account.js
@@ -520,6 +520,13 @@ module.exports = (log, db, mailer, Password, config, customs, signinUtils, push)
               if (result) {
                 verificationMethod = 'totp-2fa'
               }
+
+              // This request is asking to be verified with TOTP but does not have
+              // a TOTP token setup. Lets error out and defer to content-server
+              // for helping the user set it up.
+              if (! result && verificationMethod === 'totp-2fa') {
+                throw error.totpRequired()
+              }
             })
         }
 

diff --git a/lib/routes/session.js b/lib/routes/session.js
@@ -142,6 +142,13 @@ module.exports = function (log, db, Password, config, signinUtils) {
               if (result) {
                 verificationMethod = 'totp-2fa'
               }
+
+              // This request is asking to be verified with TOTP but does not have
+              // a TOTP token setup. Lets error out and defer to content-server
+              // for helping the user set it up.
+              if (! result && verificationMethod === 'totp-2fa') {
+                throw error.totpRequired()
+              }
             })
         }
 

diff --git a/lib/routes/validators.js b/lib/routes/validators.js
@@ -201,7 +201,7 @@ function isValidUrl(url, hostnameRegex) {
   return parsed.href
 }
 
-module.exports.verificationMethod = isA.string().valid(['email', 'email-2fa', 'email-captcha'])
+module.exports.verificationMethod = isA.string().valid(['email', 'email-2fa', 'email-captcha', 'totp-2fa'])
 
 module.exports.authPW = isA.string().length(64).regex(HEX_STRING).required()
 module.exports.wrapKb = isA.string().length(64).regex(HEX_STRING)