[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions

internal/api/auth/oob.go

@@ -18,97 +18,56 @@
 package auth
 
 import (
-	"context"
 	"errors"
-	"fmt"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
-	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
-	"github.com/superseriousbusiness/gotosocial/internal/db"
-	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
-func (m *Module) OobHandler(c *gin.Context) {
+// OOBTokenGETHandler parses the OAuth code from the query
+// params and serves a nice little HTML page showing the code.
+func (m *Module) OOBTokenGETHandler(c *gin.Context) {
+	s := sessions.Default(c)
+
+	oobToken := c.Query("code")
+	if oobToken == "" {
+		const errText = "no 'code' query value provided in callback redirect"
+		m.clearSessionWithBadRequest(c, s, errors.New(errText), errText)
+		return
+	}
+
+	user := m.mustUserFromSession(c, s)
+	if user == nil {
+		// Error already
+		// written.
+		return
+	}
+
+	scope := m.mustStringFromSession(c, s, sessionScope)
+	if scope == "" {
+		// Error already
+		// written.
+		return
+	}
+
+	// We're done with
+	// the session now.
+	m.mustClearSession(s)
+
 	instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())
 	if errWithCode != nil {
 		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}
 
-	instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) {
-		return instance, nil
-	}
-
-	oobToken := c.Query("code")
-	if oobToken == "" {
-		err := errors.New("no 'code' query value provided in callback redirect")
-		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error(), oauth.HelpfulAdvice), instanceGet)
-		return
-	}
-
-	s := sessions.Default(c)
-
-	errs := []string{}
-
-	scope, ok := s.Get(sessionScope).(string)
-	if !ok {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionScope))
-	}
-
-	userID, ok := s.Get(sessionUserID).(string)
-	if !ok {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionUserID))
-	}
-
-	if len(errs) != 0 {
-		errs = append(errs, oauth.HelpfulAdvice)
-		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(errors.New("one or more missing keys on session during OobHandler"), errs...), m.processor.InstanceGetV1)
-		return
-	}
-
-	user, err := m.db.GetUserByID(c.Request.Context(), userID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("user with id %s could not be retrieved", userID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		apiutil.ErrorHandler(c, errWithCode, instanceGet)
-		return
-	}
-
-	acct, err := m.db.GetAccountByID(c.Request.Context(), user.AccountID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("account with id %s could not be retrieved", user.AccountID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		apiutil.ErrorHandler(c, errWithCode, instanceGet)
-		return
-	}
-
-	// we're done with the session now, so just clear it out
-	m.clearSession(s)
-
-	page := apiutil.WebPage{
+	apiutil.TemplateWebPage(c, apiutil.WebPage{
 		Template: "oob.tmpl",
 		Instance: instance,
 		Extra: map[string]any{
-			"user":     acct.Username,
+			"user":     user.Account.Username,
 			"oobToken": oobToken,
 			"scope":    scope,
 		},
-	}
-
-	apiutil.TemplateWebPage(c, page)
+	})
 }