[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions
2025-06-05 21:59:39 +02:00 · 2025-04-07 16:14:41 +02:00
parent 6f24205a26
commit 365b575341
78 changed files with 5593 additions and 825 deletions
--- a/internal/db/bundb/migrations/20250324173534_2fa.go
+++ b/internal/db/bundb/migrations/20250324173534_2fa.go
@@ -0,0 +1,70 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package migrations
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	newmodel "github.com/superseriousbusiness/gotosocial/internal/db/bundb/migrations/20250324173534_2fa"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	up := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+			log.Info(ctx, "adding new 2fa columns to user table...")
+
+			var newUser *newmodel.User
+			newUserType := reflect.TypeOf(newUser)
+
+			for _, column := range []string{
+				"TwoFactorSecret",
+				"TwoFactorBackups",
+				"TwoFactorEnabledAt",
+			} {
+				// Generate new column definition from bun.
+				colDef, err := getBunColumnDef(tx, newUserType, column)
+				if err != nil {
+					return fmt.Errorf("error making column def: %w", err)
+				}
+
+				_, err = tx.
+					NewAddColumn().
+					Model(newUser).
+					ColumnExpr(colDef).
+					Exec(ctx)
+				if err != nil {
+					return fmt.Errorf("error adding column: %w", err)
+				}
+			}
+
+			return nil
+		})
+	}
+
+	down := func(ctx context.Context, db *bun.DB) error {
+		return nil
+	}
+
+	if err := Migrations.Register(up, down); err != nil {
+		panic(err)
+	}
+}
--- a/internal/db/bundb/migrations/20250324173534_2fa/user.go
+++ b/internal/db/bundb/migrations/20250324173534_2fa/user.go
@@ -0,0 +1,52 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package gtsmodel
+
+import (
+	"net"
+	"time"
+)
+
+type User struct {
+	ID                     string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"`
+	CreatedAt              time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"`
+	UpdatedAt              time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"`
+	Email                  string    `bun:",nullzero,unique"`
+	AccountID              string    `bun:"type:CHAR(26),nullzero,notnull,unique"`
+	EncryptedPassword      string    `bun:",nullzero,notnull"`
+	TwoFactorSecret        string    `bun:",nullzero"`
+	TwoFactorBackups       []string  `bun:",nullzero,array"`
+	TwoFactorEnabledAt     time.Time `bun:"type:timestamptz,nullzero"`
+	SignUpIP               net.IP    `bun:",nullzero"`
+	InviteID               string    `bun:"type:CHAR(26),nullzero"`
+	Reason                 string    `bun:",nullzero"`
+	Locale                 string    `bun:",nullzero"`
+	CreatedByApplicationID string    `bun:"type:CHAR(26),nullzero"`
+	LastEmailedAt          time.Time `bun:"type:timestamptz,nullzero"`
+	ConfirmationToken      string    `bun:",nullzero"`
+	ConfirmationSentAt     time.Time `bun:"type:timestamptz,nullzero"`
+	ConfirmedAt            time.Time `bun:"type:timestamptz,nullzero"`
+	UnconfirmedEmail       string    `bun:",nullzero"`
+	Moderator              *bool     `bun:",nullzero,notnull,default:false"`
+	Admin                  *bool     `bun:",nullzero,notnull,default:false"`
+	Disabled               *bool     `bun:",nullzero,notnull,default:false"`
+	Approved               *bool     `bun:",nullzero,notnull,default:false"`
+	ResetPasswordToken     string    `bun:",nullzero"`
+	ResetPasswordSentAt    time.Time `bun:"type:timestamptz,nullzero"`
+	ExternalID             string    `bun:",nullzero,unique"`
+}