[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions

internal/api/auth/auth.go

@@ -20,11 +20,10 @@ package auth
 import (
 	"net/http"
 
-	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
-	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/oidc"
 	"github.com/superseriousbusiness/gotosocial/internal/processing"
+	"github.com/superseriousbusiness/gotosocial/internal/state"
 )
 
 const (
@@ -32,61 +31,58 @@ const (
 		paths prefixed with 'auth'
 	*/
 
-	// AuthSignInPath is the API path for users to sign in through
-	AuthSignInPath = "/sign_in"
-	// AuthCheckYourEmailPath users land here after registering a new account, instructs them to confirm their email
-	AuthCheckYourEmailPath = "/check_your_email"
-	// AuthWaitForApprovalPath users land here after confirming their email
-	// but before an admin approves their account (if such is required)
+	AuthSignInPath          = "/sign_in"
+	Auth2FAPath             = "/2fa"
+	AuthCheckYourEmailPath  = "/check_your_email"
 	AuthWaitForApprovalPath = "/wait_for_approval"
-	// AuthAccountDisabledPath users land here when their account is suspended by an admin
 	AuthAccountDisabledPath = "/account_disabled"
-	// AuthCallbackPath is the API path for receiving callback tokens from external OIDC providers
-	AuthCallbackPath = "/callback"
+	AuthCallbackPath        = "/callback"
 
 	/*
 		paths prefixed with 'oauth'
 	*/
 
-	// OauthTokenPath is the API path to use for granting token requests to users with valid credentials
-	OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning
-	// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
 	OauthAuthorizePath = "/authorize"
-	// OauthFinalizePath is the API path for completing user registration with additional user details
-	OauthFinalizePath = "/finalize"
-	// OauthOobTokenPath is the path for serving an html representation of an oob token page.
-	OauthOobTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning
+	OauthFinalizePath  = "/finalize"
+	OauthOOBTokenPath  = "/oob"   // #nosec G101 else we get a hardcoded credentials warning
+	OauthTokenPath     = "/token" // #nosec G101 else we get a hardcoded credentials warning
 
 	/*
 		params / session keys
 	*/
 
-	callbackStateParam   = "state"
-	callbackCodeParam    = "code"
-	sessionUserID        = "userid"
-	sessionClientID      = "client_id"
-	sessionRedirectURI   = "redirect_uri"
-	sessionForceLogin    = "force_login"
-	sessionResponseType  = "response_type"
-	sessionScope         = "scope"
-	sessionInternalState = "internal_state"
-	sessionClientState   = "client_state"
-	sessionClaims        = "claims"
-	sessionAppID         = "app_id"
+	callbackStateParam       = "state"
+	callbackCodeParam        = "code"
+	sessionUserID            = "userid"
+	sessionUserIDAwaiting2FA = "userid_awaiting_2fa"
+	sessionClientID          = "client_id"
+	sessionRedirectURI       = "redirect_uri"
+	sessionForceLogin        = "force_login"
+	sessionResponseType      = "response_type"
+	sessionScope             = "scope"
+	sessionInternalState     = "internal_state"
+	sessionClientState       = "client_state"
+	sessionClaims            = "claims"
+	sessionAppID             = "app_id"
 )
 
 type Module struct {
-	db        db.DB
+	state     *state.State
 	processor *processing.Processor
 	idp       oidc.IDP
 }
 
-// New returns an Auth module which provides both 'oauth' and 'auth' endpoints.
+// New returns an Auth module which provides
+// both 'oauth' and 'auth' endpoints.
 //
 // It is safe to pass a nil idp if oidc is disabled.
-func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module {
+func New(
+	state *state.State,
+	processor *processing.Processor,
+	idp oidc.IDP,
+) *Module {
 	return &Module{
-		db:        db,
+		state:     state,
 		processor: processor,
 		idp:       idp,
 	}
@@ -96,21 +92,16 @@ func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module {
 func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
 	attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler)
 	attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler)
+	attachHandler(http.MethodGet, Auth2FAPath, m.TwoFactorCodeGETHandler)
+	attachHandler(http.MethodPost, Auth2FAPath, m.TwoFactorCodePOSTHandler)
 	attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler)
 }
 
-// RouteOauth routes all paths that should have an 'oauth' prefix
-func (m *Module) RouteOauth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
+// RouteOAuth routes all paths that should have an 'oauth' prefix
+func (m *Module) RouteOAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
 	attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler)
 	attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
 	attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)
 	attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler)
-	attachHandler(http.MethodGet, OauthOobTokenPath, m.OobHandler)
-}
-
-func (m *Module) clearSession(s sessions.Session) {
-	s.Clear()
-	if err := s.Save(); err != nil {
-		panic(err)
-	}
+	attachHandler(http.MethodGet, OauthOOBTokenPath, m.OOBTokenGETHandler)
 }