请按照以下说明启用 MFA。如果您配置不正确,登录将仅使用密码。",
+ "mfa_enabled": "启用多因素认证",
+ "mfa_method": "MFA 方法",
+ "electron_disabled": "当前桌面版本不支持多因素认证。",
+ "totp_title": "基于时间的一次性密码(TOTP)",
+ "totp_description": "TOTP(基于时间的一次性密码)是一种安全功能,它会生成一个每30秒变化的唯一临时代码。您需要使用这个代码和您的密码一起登录账户,这使得他人更难访问您的账户。",
+ "totp_secret_title": "生成 TOTP 密钥",
+ "totp_secret_generate": "生成 TOTP 密钥",
+ "totp_secret_regenerate": "重新生成 TOTP 密钥",
+ "no_totp_secret_warning": "要启用 TOTP,您需要先生成一个 TOTP 密钥。",
+ "totp_secret_description_warning": "生成新的 TOTP 密钥后,您需要使用新的 TOTP 密钥重新登录。",
+ "totp_secret_generated": "TOTP 密钥已生成",
+ "totp_secret_warning": "请将生成的密钥保存在安全的地方。它将不会再次显示。",
+ "totp_secret_regenerate_confirm": "您确定要重新生成 TOTP 密钥吗?这将使之前的 TOTP 密钥失效,并使所有现有的恢复代码失效。请将生成的密钥保存在安全的地方。它将不会再次显示。",
+ "recovery_keys_title": "单点登录恢复密钥",
+ "recovery_keys_description": "单点登录恢复密钥用于在您无法访问您的认证器代码时登录。离开页面后,恢复密钥将不会再次显示。请将它们保存在安全的地方。",
+ "recovery_keys_description_warning": "离开页面后,恢复密钥将不会再次显示。请将它们保存在安全的地方。 一旦恢复密钥被使用,它将无法再次使用。",
+ "recovery_keys_error": "生成恢复代码时出错",
+ "recovery_keys_no_key_set": "未设置恢复代码",
+ "recovery_keys_generate": "生成恢复代码",
+ "recovery_keys_regenerate": "重新生成恢复代码",
+ "recovery_keys_used": "已使用: {{date}}",
+ "recovery_keys_unused": "恢复代码 {{index}} 未使用",
+ "oauth_title": "OAuth/OpenID 认证",
+ "oauth_description": "OpenID 是一种标准化方式,允许您使用其他服务(如 Google)的账户登录网站,以验证您的身份。请参阅这些 指南 通过 Google 设置 OpenID 服务。",
+ "oauth_description_warning": "要启用 OAuth/OpenID,您需要设置 config.ini 文件中的 OAuth/OpenID 基础 URL、客户端 ID 和客户端密钥,并重新启动应用程序。如果要从环境变量设置,请设置 TRILIUM_OAUTH_BASE_URL、TRILIUM_OAUTH_CLIENT_ID 和 TRILIUM_OAUTH_CLIENT_SECRET 环境变量。",
+ "oauth_missing_vars": "缺少以下设置项: {{missingVars}}",
+ "oauth_user_account": "用户账号:",
+ "oauth_user_email": "用户邮箱:",
+ "oauth_user_not_logged_in": "未登录!"
+ },
"shortcuts": {
"keyboard_shortcuts": "快捷键",
"multiple_shortcuts": "同一操作的多个快捷键可以用逗号分隔。",
diff --git a/src/public/translations/en/translation.json b/src/public/translations/en/translation.json
index 998d9f2dc6..13bb74dfd8 100644
--- a/src/public/translations/en/translation.json
+++ b/src/public/translations/en/translation.json
@@ -1310,6 +1310,39 @@
"password_mismatch": "New passwords are not the same.",
"password_changed_success": "Password has been changed. Trilium will be reloaded after you press OK."
},
+ "multi_factor_authentication": {
+ "title": "Multi-Factor Authentication",
+ "description": "Multi-Factor Authentication (MFA) adds an extra layer of security to your account. Instead of just entering a password to log in, MFA requires you to provide one or more additional pieces of evidence to verify your identity. This way, even if someone gets hold of your password, they still can't access your account without the second piece of information. It's like adding an extra lock to your door, making it much harder for anyone else to break in.
Please follow the instructions below to enable MFA. If you don't config correctly, login will fall back to password only.",
+ "mfa_enabled": "Enable Multi-Factor Authentication",
+ "mfa_method": "MFA Method",
+ "electron_disabled": "Multi-Factor Authentication is not supported in the desktop build currently.",
+ "totp_title": "Time-based One-Time Password (TOTP)",
+ "totp_description": "TOTP (Time-Based One-Time Password) is a security feature that generates a unique, temporary code which changes every 30 seconds. You use this code, along with your password to log into your account, making it much harder for anyone else to access it.",
+ "totp_secret_title": "Generate TOTP Secret",
+ "totp_secret_generate": "Generate TOTP Secret",
+ "totp_secret_regenerate": "Regenerate TOTP Secret",
+ "no_totp_secret_warning": "To enable TOTP, you need to generate a TOTP secret first.",
+ "totp_secret_description_warning": "After generating a new TOTP secret, you will be required to login again with the new TOTP secret.",
+ "totp_secret_generated": "TOTP Secret Generated",
+ "totp_secret_warning": "Please save the generated secret in a secure location. It will not be shown again.",
+ "totp_secret_regenerate_confirm": "Are you sure you want to regenerate the TOTP secret? This will invalidate previous TOTP secret and all existing recovery codes.",
+ "recovery_keys_title": "Single Sign-on Recovery Keys",
+ "recovery_keys_description": "Single sign-on recovery keys are used to login in the even you cannot access your Authenticator codes.",
+ "recovery_keys_description_warning": "Recovery keys won't be shown again after leaving the page, keep them somewhere safe and secure. After a recovery key is used it cannot be used again.",
+ "recovery_keys_error": "Error generating recovery codes",
+ "recovery_keys_no_key_set": "No recovery codes set",
+ "recovery_keys_generate": "Generate Recovery Codes",
+ "recovery_keys_regenerate": "Regenerate Recovery Codes",
+ "recovery_keys_used": "Used: {{date}}",
+ "recovery_keys_unused": "Recovery code {{index}} is unused",
+ "oauth_title": "OAuth/OpenID",
+ "oauth_description": "OpenID is a standardized way to let you log into websites using an account from another service, like Google, to verify your identity. Follow these instructions to setup an OpenID service through Google.",
+ "oauth_description_warning": "To enable OAuth/OpenID, you need to set the OAuth/OpenID base URL, client ID and client secret in the config.ini file and restart the application. If you want to set from environment variables, please set TRILIUM_OAUTH_BASE_URL, TRILIUM_OAUTH_CLIENT_ID and TRILIUM_OAUTH_CLIENT_SECRET.",
+ "oauth_missing_vars": "Missing settings: {{variables}}",
+ "oauth_user_account": "User Account: ",
+ "oauth_user_email": "User Email: ",
+ "oauth_user_not_logged_in": "Not logged in!"
+ },
"shortcuts": {
"keyboard_shortcuts": "Keyboard Shortcuts",
"multiple_shortcuts": "Multiple shortcuts for the same action can be separated by comma.",
@@ -1433,7 +1466,8 @@
"widget": "Widget",
"confirm-change": "It is not recommended to change note type when note content is not empty. Do you want to continue anyway?",
"geo-map": "Geo Map",
- "beta-feature": "Beta"
+ "beta-feature": "Beta",
+ "task-list": "Task List"
},
"protect_note": {
"toggle-on": "Protect the note",
diff --git a/src/routes/api/app_info.ts b/src/routes/api/app_info.ts
index fb2f84aec8..ece825a30b 100644
--- a/src/routes/api/app_info.ts
+++ b/src/routes/api/app_info.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import appInfo from "../../services/app_info.js";
/**
diff --git a/src/routes/api/options.ts b/src/routes/api/options.ts
index 1716d51268..140e2448e4 100644
--- a/src/routes/api/options.ts
+++ b/src/routes/api/options.ts
@@ -80,7 +80,9 @@ const ALLOWED_OPTIONS = new Set([
"allowedHtmlTags",
"redirectBareDomain",
"showLoginInShareTheme",
- "splitEditorOrientation"
+ "splitEditorOrientation",
+ "mfaEnabled",
+ "mfaMethod"
]);
function getOptions() {
diff --git a/src/routes/api/recovery_codes.ts b/src/routes/api/recovery_codes.ts
new file mode 100644
index 0000000000..a8487eab32
--- /dev/null
+++ b/src/routes/api/recovery_codes.ts
@@ -0,0 +1,65 @@
+import recovery_codes from '../../services/encryption/recovery_codes.js';
+import type { Request } from 'express';
+import { randomBytes } from 'crypto';
+
+function setRecoveryCodes(req: Request) {
+ const success = recovery_codes.setRecoveryCodes(req.body.recoveryCodes.join(','));
+ return { success: success, message: 'Recovery codes set!' };
+}
+
+function veryifyRecoveryCode(req: Request) {
+ const success = recovery_codes.verifyRecoveryCode(req.body.recovery_code_guess);
+
+ return { success: success };
+}
+
+function checkForRecoveryKeys() {
+ return {
+ success: true, keysExist: recovery_codes.isRecoveryCodeSet()
+ };
+}
+
+function generateRecoveryCodes() {
+ const recoveryKeys = [
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64'),
+ randomBytes(16).toString('base64')
+ ];
+
+ recovery_codes.setRecoveryCodes(recoveryKeys.join(','));
+
+ return { success: true, recoveryCodes: recoveryKeys };
+}
+
+function getUsedRecoveryCodes() {
+ if (!recovery_codes.isRecoveryCodeSet()) {
+ return []
+ }
+
+ const dateRegex = RegExp(/^\d{4}\/\d{2}\/\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/gm);
+ const recoveryCodes = recovery_codes.getRecoveryCodes();
+ const usedStatus: string[] = [];
+
+ recoveryCodes.forEach((recoveryKey: string) => {
+ if (dateRegex.test(recoveryKey)) usedStatus.push(recoveryKey);
+ else usedStatus.push(recoveryCodes.indexOf(recoveryKey));
+ });
+
+ return {
+ success: true,
+ usedRecoveryCodes: usedStatus
+ };
+}
+
+export default {
+ setRecoveryCodes,
+ generateRecoveryCodes,
+ veryifyRecoveryCode,
+ checkForRecoveryKeys,
+ getUsedRecoveryCodes
+};
\ No newline at end of file
diff --git a/src/routes/api/totp.ts b/src/routes/api/totp.ts
new file mode 100644
index 0000000000..ece982960d
--- /dev/null
+++ b/src/routes/api/totp.ts
@@ -0,0 +1,19 @@
+import totpService from '../../services/totp.js';
+
+function generateTOTPSecret() {
+ return totpService.createSecret();
+}
+
+function getTOTPStatus() {
+ return { success: true, message: totpService.isTotpEnabled(), set: totpService.checkForTotpSecret() };
+}
+
+function getSecret() {
+ return totpService.getTotpSecret();
+}
+
+export default {
+ generateSecret: generateTOTPSecret,
+ getTOTPStatus,
+ getSecret
+};
\ No newline at end of file
diff --git a/src/routes/login.ts b/src/routes/login.ts
index a739faa2e7..7b0ace3aa9 100644
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import utils from "../services/utils.js";
import optionService from "../services/options.js";
import myScryptService from "../services/encryption/my_scrypt.js";
@@ -8,13 +6,20 @@ import passwordService from "../services/encryption/password.js";
import assetPath from "../services/asset_path.js";
import appPath from "../services/app_path.js";
import ValidationError from "../errors/validation_error.js";
-import type { Request, Response } from "express";
+import type { Request, Response } from 'express';
+import totp from '../services/totp.js';
+import recoveryCodeService from '../services/encryption/recovery_codes.js';
+import openID from '../services/open_id.js';
+import openIDEncryption from '../services/encryption/open_id_encryption.js';
function loginPage(req: Request, res: Response) {
- res.render("login", {
- failedAuth: false,
- assetPath,
- appPath
+ res.render('login', {
+ wrongPassword: false,
+ wrongTotp: false,
+ totpEnabled: totp.isTotpEnabled(),
+ ssoEnabled: openID.isOpenIDEnabled(),
+ assetPath: assetPath,
+ appPath: appPath,
});
}
@@ -58,43 +63,95 @@ function setPassword(req: Request, res: Response) {
}
function login(req: Request, res: Response) {
- const { password, rememberMe } = req.body;
+ if (openID.isOpenIDEnabled()) {
+ res.oidc.login({
+ returnTo: '/',
+ authorizationParams: {
+ prompt: 'consent',
+ access_type: 'offline'
+ }
+ });
+ return;
+ }
- if (!verifyPassword(password)) {
- // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
- log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
+ const submittedPassword = req.body.password;
+ const submittedTotpToken = req.body.totpToken;
- return res.status(401).render("login", {
- failedAuth: true,
- assetPath,
- appPath
- });
+ if (!verifyPassword(submittedPassword)) {
+ sendLoginError(req, res, 'password');
+ return;
}
+ if (totp.isTotpEnabled()) {
+ if (!verifyTOTP(submittedTotpToken)) {
+ sendLoginError(req, res, 'totp');
+ return;
+ }
+ }
+
+ const rememberMe = req.body.rememberMe;
+
req.session.regenerate(() => {
- if (!rememberMe) {
+ if (rememberMe) {
+ req.session.cookie.maxAge = 21 * 24 * 3600000; // 3 weeks
+ } else {
// unset default maxAge set by sessionParser
// Cookie becomes non-persistent and expires after current browser session (e.g. when browser is closed)
req.session.cookie.maxAge = undefined;
}
- req.session.loggedIn = true;
+ req.session.lastAuthState = {
+ totpEnabled: totp.isTotpEnabled(),
+ ssoEnabled: openID.isOpenIDEnabled()
+ };
- res.redirect(".");
+ req.session.loggedIn = true;
+ res.redirect('.');
});
}
-function verifyPassword(guessedPassword: string) {
+function verifyTOTP(submittedTotpToken: string) {
+ if (totp.validateTOTP(submittedTotpToken)) return true;
+
+ const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(submittedTotpToken);
+
+ return recoveryCodeValidates;
+}
+
+function verifyPassword(submittedPassword: string) {
const hashed_password = utils.fromBase64(optionService.getOption("passwordVerificationHash"));
- const guess_hashed = myScryptService.getVerificationHash(guessedPassword);
+ const guess_hashed = myScryptService.getVerificationHash(submittedPassword);
return guess_hashed.equals(hashed_password);
}
+function sendLoginError(req: Request, res: Response, errorType: 'password' | 'totp' = 'password') {
+ // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
+ if (totp.isTotpEnabled()) {
+ log.info(`WARNING: Wrong ${errorType} from ${req.ip}, rejecting.`);
+ } else {
+ log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
+ }
+
+ res.render('login', {
+ wrongPassword: errorType === 'password',
+ wrongTotp: errorType === 'totp',
+ totpEnabled: totp.isTotpEnabled(),
+ ssoEnabled: openID.isOpenIDEnabled(),
+ assetPath: assetPath,
+ appPath: appPath,
+ });
+}
+
function logout(req: Request, res: Response) {
req.session.regenerate(() => {
req.session.loggedIn = false;
+
+ if (openID.isOpenIDEnabled() && openIDEncryption.isSubjectIdentifierSaved()) {
+ res.oidc.logout({ returnTo: '/' });
+ } else res.redirect('login');
+
res.sendStatus(200);
});
}
diff --git a/src/routes/routes.ts b/src/routes/routes.ts
index de2055d997..abae1acaa6 100644
--- a/src/routes/routes.ts
+++ b/src/routes/routes.ts
@@ -6,6 +6,9 @@ import log from "../services/log.js";
import express from "express";
const router = express.Router();
import auth from "../services/auth.js";
+import openID from '../services/open_id.js';
+import totp from './api/totp.js';
+import recoveryCodes from './api/recovery_codes.js';
import cls from "../services/cls.js";
import sql from "../services/sql.js";
import entityChangesService from "../services/entity_changes.js";
@@ -70,9 +73,9 @@ import etapiNoteRoutes from "../etapi/notes.js";
import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
import etapiSpecRoute from "../etapi/spec.js";
import etapiBackupRoute from "../etapi/backup.js";
-
import apiDocsRoute from "./api_docs.js";
+
const MAX_ALLOWED_FILE_SIZE_MB = 250;
const GET = "get",
PST = "post",
@@ -114,8 +117,22 @@ function register(app: express.Application) {
route(PST, "/set-password", [auth.checkAppInitialized, auth.checkPasswordNotSet], loginRoute.setPassword);
route(GET, "/setup", [], setupRoute.setupPage);
- apiRoute(GET, "/api/tree", treeApiRoute.getTree);
- apiRoute(PST, "/api/tree/load", treeApiRoute.load);
+
+ apiRoute(GET, '/api/totp/generate', totp.generateSecret);
+ apiRoute(GET, '/api/totp/status', totp.getTOTPStatus);
+ apiRoute(GET, '/api/totp/get', totp.getSecret);
+
+ apiRoute(GET, '/api/oauth/status', openID.getOAuthStatus);
+ apiRoute(GET, '/api/oauth/validate', openID.isTokenValid);
+
+ apiRoute(PST, '/api/totp_recovery/set', recoveryCodes.setRecoveryCodes);
+ apiRoute(PST, '/api/totp_recovery/verify', recoveryCodes.veryifyRecoveryCode);
+ apiRoute(GET, '/api/totp_recovery/generate', recoveryCodes.generateRecoveryCodes);
+ apiRoute(GET, '/api/totp_recovery/enabled', recoveryCodes.checkForRecoveryKeys);
+ apiRoute(GET, '/api/totp_recovery/used', recoveryCodes.getUsedRecoveryCodes);
+
+ apiRoute(GET, '/api/tree', treeApiRoute.getTree);
+ apiRoute(PST, '/api/tree/load', treeApiRoute.load);
apiRoute(GET, "/api/notes/:noteId", notesApiRoute.getNote);
apiRoute(GET, "/api/notes/:noteId/blob", notesApiRoute.getNoteBlob);
@@ -492,7 +509,7 @@ function handleException(e: unknown | Error, method: HttpMethod, path: string, r
log.error(`${method} ${path} threw exception: '${errMessage}', stack: ${errStack}`);
- const resStatusCode = (e instanceof ValidationError || e instanceof NotFoundError) ? e.statusCode : 500;
+ const resStatusCode = (e instanceof ValidationError || e instanceof NotFoundError) ? e.statusCode : 500;
res.status(resStatusCode).json({
message: errMessage
diff --git a/src/routes/session_parser.ts b/src/routes/session_parser.ts
index 89df0e037e..cc69cc6a22 100644
--- a/src/routes/session_parser.ts
+++ b/src/routes/session_parser.ts
@@ -3,6 +3,7 @@ import sessionFileStore from "session-file-store";
import sessionSecret from "../services/session_secret.js";
import dataDir from "../services/data_dir.js";
import config from "../services/config.js";
+
const FileStore = sessionFileStore(session);
const sessionParser = session({
diff --git a/src/services/app_info.ts b/src/services/app_info.ts
index 72b1f0fcad..bd1436912b 100644
--- a/src/services/app_info.ts
+++ b/src/services/app_info.ts
@@ -1,11 +1,9 @@
-"use strict";
-
import path from "path";
import build from "./build.js";
import packageJson from "../../package.json" with { type: "json" };
import dataDir from "./data_dir.js";
-const APP_DB_VERSION = 228;
+const APP_DB_VERSION = 229;
const SYNC_VERSION = 34;
const CLIPPER_PROTOCOL_VERSION = "1.0";
diff --git a/src/services/auth.ts b/src/services/auth.ts
index 03f40e6e7b..69bffa73be 100644
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import etapiTokenService from "./etapi_tokens.js";
import log from "./log.js";
import sqlInit from "./sql_init.js";
@@ -7,6 +5,8 @@ import { isElectron } from "./utils.js";
import passwordEncryptionService from "./encryption/password_encryption.js";
import config from "./config.js";
import passwordService from "./encryption/password.js";
+import totp from "./totp.js";
+import openID from "./open_id.js";
import options from "./options.js";
import attributes from "./attributes.js";
import type { NextFunction, Request, Response } from "express";
@@ -15,8 +15,30 @@ const noAuthentication = config.General && config.General.noAuthentication === t
function checkAuth(req: Request, res: Response, next: NextFunction) {
if (!sqlInit.isDbInitialized()) {
- res.redirect("setup");
- } else if (!req.session.loggedIn && !isElectron && !noAuthentication) {
+ res.redirect('setup');
+ }
+
+ const currentTotpStatus = totp.isTotpEnabled();
+ const currentSsoStatus = openID.isOpenIDEnabled();
+ const lastAuthState = req.session.lastAuthState || { totpEnabled: false, ssoEnabled: false };
+
+ if (isElectron) {
+ next();
+ return;
+ } else if (currentTotpStatus !== lastAuthState.totpEnabled || currentSsoStatus !== lastAuthState.ssoEnabled) {
+ req.session.destroy((err) => {
+ if (err) console.error('Error destroying session:', err);
+ res.redirect('/login');
+ });
+ return;
+ } else if (currentSsoStatus) {
+ if (req.oidc?.isAuthenticated() && req.session.loggedIn) {
+ next();
+ return;
+ }
+ res.redirect('/login');
+ return;
+ } else if (!req.session.loggedIn && !noAuthentication) {
const redirectToShare = options.getOptionBool("redirectBareDomain");
if (redirectToShare) {
// Check if any note has the #shareRoot label
diff --git a/src/services/config.ts b/src/services/config.ts
index f61eb19f5f..99704e0cf7 100644
--- a/src/services/config.ts
+++ b/src/services/config.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import ini from "ini";
import fs from "fs";
import dataDir from "./data_dir.js";
@@ -41,6 +39,11 @@ export interface TriliumConfig {
syncServerTimeout: string;
syncProxy: string;
};
+ MultiFactorAuthentication: {
+ oauthBaseUrl: string;
+ oauthClientId: string;
+ oauthClientSecret: string;
+ };
}
//prettier-ignore
@@ -50,13 +53,13 @@ const config: TriliumConfig = {
instanceName:
process.env.TRILIUM_GENERAL_INSTANCENAME || iniConfig.General.instanceName || "",
- noAuthentication:
+ noAuthentication:
envToBoolean(process.env.TRILIUM_GENERAL_NOAUTHENTICATION) || iniConfig.General.noAuthentication || false,
- noBackup:
+ noBackup:
envToBoolean(process.env.TRILIUM_GENERAL_NOBACKUP) || iniConfig.General.noBackup || false,
- noDesktopIcon:
+ noDesktopIcon:
envToBoolean(process.env.TRILIUM_GENERAL_NODESKTOPICON) || iniConfig.General.noDesktopIcon || false
},
@@ -67,14 +70,14 @@ const config: TriliumConfig = {
port:
process.env.TRILIUM_NETWORK_PORT || iniConfig.Network.port || "3000",
- https:
+ https:
envToBoolean(process.env.TRILIUM_NETWORK_HTTPS) || iniConfig.Network.https || false,
- certPath:
+ certPath:
process.env.TRILIUM_NETWORK_CERTPATH || iniConfig.Network.certPath || "",
- keyPath:
- process.env.TRILIUM_NETWORK_KEYPATH || iniConfig.Network.keyPath || "",
+ keyPath:
+ process.env.TRILIUM_NETWORK_KEYPATH || iniConfig.Network.keyPath || "",
trustedReverseProxy:
process.env.TRILIUM_NETWORK_TRUSTEDREVERSEPROXY || iniConfig.Network.trustedReverseProxy || false
@@ -98,8 +101,18 @@ const config: TriliumConfig = {
syncProxy:
// additionally checking in iniConfig for inconsistently named syncProxy for backwards compatibility
process.env.TRILIUM_SYNC_SERVER_PROXY || iniConfig?.Sync?.syncProxy || iniConfig?.Sync?.syncServerProxy || ""
- }
+ },
+ MultiFactorAuthentication: {
+ oauthBaseUrl:
+ process.env.TRILIUM_OAUTH_BASE_URL || iniConfig?.MultiFactorAuthentication?.oauthBaseUrl || "",
+
+ oauthClientId:
+ process.env.TRILIUM_OAUTH_CLIENT_ID || iniConfig?.MultiFactorAuthentication?.oauthClientId || "",
+
+ oauthClientSecret:
+ process.env.TRILIUM_OAUTH_CLIENT_SECRET || iniConfig?.MultiFactorAuthentication?.oauthClientSecret || ""
+ }
};
export default config;
diff --git a/src/services/encryption/data_encryption.ts b/src/services/encryption/data_encryption.ts
index 624a845ede..250db687b2 100644
--- a/src/services/encryption/data_encryption.ts
+++ b/src/services/encryption/data_encryption.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import crypto from "crypto";
import log from "../log.js";
diff --git a/src/services/encryption/my_scrypt.ts b/src/services/encryption/my_scrypt.ts
index ec8adc18cd..d1bd9a5361 100644
--- a/src/services/encryption/my_scrypt.ts
+++ b/src/services/encryption/my_scrypt.ts
@@ -1,7 +1,6 @@
-"use strict";
-
import optionService from "../options.js";
import crypto from "crypto";
+import sql from "../sql.js";
function getVerificationHash(password: crypto.BinaryLike) {
const salt = optionService.getOption("passwordVerificationSalt");
@@ -21,7 +20,45 @@ function getScryptHash(password: crypto.BinaryLike, salt: crypto.BinaryLike) {
return hashed;
}
+function getSubjectIdentifierVerificationHash(
+ guessedUserId: string | crypto.BinaryLike,
+ salt?: string
+) {
+ if (salt != null) return getScryptHash(guessedUserId, salt);
+
+ const savedSalt = sql.getValue("SELECT salt FROM user_data;");
+ if (!savedSalt) {
+ console.error("User salt undefined!");
+ return undefined;
+ }
+ return getScryptHash(guessedUserId, savedSalt.toString());
+}
+
+function getSubjectIdentifierDerivedKey(
+ subjectIdentifer: crypto.BinaryLike,
+ givenSalt?: string
+) {
+ if (givenSalt !== undefined) {
+ return getScryptHash(subjectIdentifer, givenSalt.toString());
+ }
+
+ const salt = sql.getValue("SELECT salt FROM user_data;");
+ if (!salt) return undefined;
+
+ return getScryptHash(subjectIdentifer, salt.toString());
+}
+
+function createSubjectIdentifierDerivedKey(
+ subjectIdentifer: string | crypto.BinaryLike,
+ salt: string | crypto.BinaryLike
+) {
+ return getScryptHash(subjectIdentifer, salt);
+}
+
export default {
getVerificationHash,
- getPasswordDerivedKey
+ getPasswordDerivedKey,
+ getSubjectIdentifierVerificationHash,
+ getSubjectIdentifierDerivedKey,
+ createSubjectIdentifierDerivedKey
};
diff --git a/src/services/encryption/open_id_encryption.ts b/src/services/encryption/open_id_encryption.ts
new file mode 100644
index 0000000000..5dad9c06ba
--- /dev/null
+++ b/src/services/encryption/open_id_encryption.ts
@@ -0,0 +1,145 @@
+import myScryptService from "./my_scrypt.js";
+import utils from "../utils.js";
+import dataEncryptionService from "./data_encryption.js";
+import sql from "../sql.js";
+import sqlInit from "../sql_init.js";
+import OpenIdError from "../../errors/open_id_error.js";
+
+function saveUser(subjectIdentifier: string, name: string, email: string) {
+ if (isUserSaved()) return false;
+
+ const verificationSalt = utils.randomSecureToken(32);
+ const derivedKeySalt = utils.randomSecureToken(32);
+
+ const verificationHash = myScryptService.getSubjectIdentifierVerificationHash(
+ subjectIdentifier,
+ verificationSalt
+ );
+ if (!verificationHash) {
+ throw new OpenIdError("Verification hash undefined!")
+ }
+
+ const userIDEncryptedDataKey = setDataKey(
+ subjectIdentifier,
+ utils.randomSecureToken(16),
+ verificationSalt
+ );
+
+ if (!userIDEncryptedDataKey) {
+ console.error("UserID encrypted data key null");
+ return undefined;
+ }
+
+ const data = {
+ tmpID: 0,
+ userIDVerificationHash: utils.toBase64(verificationHash),
+ salt: verificationSalt,
+ derivedKey: derivedKeySalt,
+ userIDEncryptedDataKey: userIDEncryptedDataKey,
+ isSetup: "true",
+ username: name,
+ email: email
+ };
+
+ sql.upsert("user_data", "tmpID", data);
+ return true;
+}
+
+function isSubjectIdentifierSaved() {
+ const value = sql.getValue("SELECT userIDEncryptedDataKey FROM user_data;");
+ if (value === undefined || value === null || value === "") return false;
+ return true;
+}
+
+function isUserSaved() {
+ const isSaved = sql.getValue("SELECT isSetup FROM user_data;");
+ return isSaved === "true" ? true : false;
+}
+
+function verifyOpenIDSubjectIdentifier(subjectIdentifier: string) {
+ if (!sqlInit.isDbInitialized()) {
+ throw new OpenIdError("Database not initialized!");
+ }
+
+ if (isUserSaved()) {
+ return false;
+ }
+
+ const salt = sql.getValue("SELECT salt FROM user_data;");
+ if (salt == undefined) {
+ console.log("Salt undefined");
+ return undefined;
+ }
+
+ const givenHash = myScryptService
+ .getSubjectIdentifierVerificationHash(subjectIdentifier)
+ ?.toString("base64");
+ if (givenHash === undefined) {
+ console.log("Sub id hash undefined!");
+ return undefined;
+ }
+
+ const savedHash = sql.getValue(
+ "SELECT userIDVerificationHash FROM user_data"
+ );
+ if (savedHash === undefined) {
+ console.log("verification hash undefined");
+ return undefined;
+ }
+
+ console.log("Matches: " + givenHash === savedHash);
+ return givenHash === savedHash;
+}
+
+function setDataKey(
+ subjectIdentifier: string,
+ plainTextDataKey: string | Buffer,
+ salt: string
+) {
+ const subjectIdentifierDerivedKey =
+ myScryptService.getSubjectIdentifierDerivedKey(subjectIdentifier, salt);
+
+ if (subjectIdentifierDerivedKey === undefined) {
+ console.error("SOMETHING WENT WRONG SAVING USER ID DERIVED KEY");
+ return undefined;
+ }
+ const newEncryptedDataKey = dataEncryptionService.encrypt(
+ subjectIdentifierDerivedKey,
+ plainTextDataKey
+ );
+
+ return newEncryptedDataKey;
+}
+
+function getDataKey(subjectIdentifier: string) {
+ const subjectIdentifierDerivedKey =
+ myScryptService.getSubjectIdentifierDerivedKey(subjectIdentifier);
+
+ const encryptedDataKey = sql.getValue(
+ "SELECT userIDEncryptedDataKey FROM user_data"
+ );
+
+ if (!encryptedDataKey) {
+ console.error("Encrypted data key empty!");
+ return undefined;
+ }
+
+ if (!subjectIdentifierDerivedKey) {
+ console.error("SOMETHING WENT WRONG SAVING USER ID DERIVED KEY");
+ return undefined;
+ }
+ const decryptedDataKey = dataEncryptionService.decrypt(
+ subjectIdentifierDerivedKey,
+ encryptedDataKey.toString()
+ );
+
+ return decryptedDataKey;
+}
+
+export default {
+ verifyOpenIDSubjectIdentifier,
+ getDataKey,
+ setDataKey,
+ saveUser,
+ isSubjectIdentifierSaved,
+};
diff --git a/src/services/encryption/password.ts b/src/services/encryption/password.ts
index bbfe9577b0..62046f47ac 100644
--- a/src/services/encryption/password.ts
+++ b/src/services/encryption/password.ts
@@ -1,5 +1,3 @@
-"use strict";
-
import sql from "../sql.js";
import optionService from "../options.js";
import myScryptService from "./my_scrypt.js";
diff --git a/src/services/encryption/recovery_codes.ts b/src/services/encryption/recovery_codes.ts
new file mode 100644
index 0000000000..72c0012a83
--- /dev/null
+++ b/src/services/encryption/recovery_codes.ts
@@ -0,0 +1,73 @@
+import sql from '../sql.js';
+import optionService from '../options.js';
+import crypto from 'crypto';
+
+function isRecoveryCodeSet() {
+ return optionService.getOptionBool('encryptedRecoveryCodes');
+}
+
+function setRecoveryCodes(recoveryCodes: string) {
+ const iv = crypto.randomBytes(16);
+ const securityKey = crypto.randomBytes(32);
+ const cipher = crypto.createCipheriv('aes-256-cbc', securityKey, iv);
+ let encryptedRecoveryCodes = cipher.update(recoveryCodes, 'utf-8', 'hex');
+
+ sql.transactional(() => {
+ optionService.setOption('recoveryCodeInitialVector', iv.toString('hex'));
+ optionService.setOption('recoveryCodeSecurityKey', securityKey.toString('hex'));
+ optionService.setOption('recoveryCodesEncrypted', encryptedRecoveryCodes + cipher.final('hex'));
+ optionService.setOption('encryptedRecoveryCodes', 'true');
+ return true;
+ });
+ return false;
+}
+
+function getRecoveryCodes() {
+ if (!isRecoveryCodeSet()) {
+ return []
+ }
+
+ return sql.transactional(() => {
+ const iv = Buffer.from(optionService.getOption('recoveryCodeInitialVector'), 'hex');
+ const securityKey = Buffer.from(optionService.getOption('recoveryCodeSecurityKey'), 'hex');
+ const encryptedRecoveryCodes = optionService.getOption('recoveryCodesEncrypted');
+
+ const decipher = crypto.createDecipheriv('aes-256-cbc', securityKey, iv);
+ const decryptedData = decipher.update(encryptedRecoveryCodes, 'hex', 'utf-8');
+
+ const decryptedString = decryptedData + decipher.final('utf-8');
+ return decryptedString.split(',');
+ });
+}
+
+function removeRecoveryCode(usedCode: string) {
+ const oldCodes: string[] = getRecoveryCodes();
+ const today = new Date();
+ oldCodes[oldCodes.indexOf(usedCode)] = today.toJSON().replace(/-/g, '/');
+ setRecoveryCodes(oldCodes.toString());
+}
+
+function verifyRecoveryCode(recoveryCodeGuess: string) {
+ const recoveryCodeRegex = RegExp(/^.{22}==$/gm);
+ if (!recoveryCodeRegex.test(recoveryCodeGuess)) {
+ return false;
+ }
+
+ const recoveryCodes = getRecoveryCodes();
+ var loginSuccess = false;
+ recoveryCodes.forEach((recoveryCode: string) => {
+ if (recoveryCodeGuess === recoveryCode) {
+ removeRecoveryCode(recoveryCode);
+ loginSuccess = true;
+ return;
+ }
+ });
+ return loginSuccess;
+}
+
+export default {
+ setRecoveryCodes,
+ getRecoveryCodes,
+ verifyRecoveryCode,
+ isRecoveryCodeSet
+};
\ No newline at end of file
diff --git a/src/services/encryption/totp_encryption.ts b/src/services/encryption/totp_encryption.ts
new file mode 100644
index 0000000000..bf079cc9d2
--- /dev/null
+++ b/src/services/encryption/totp_encryption.ts
@@ -0,0 +1,83 @@
+import optionService from "../options.js";
+import myScryptService from "./my_scrypt.js";
+import { randomSecureToken, toBase64 } from "../utils.js";
+import dataEncryptionService from "./data_encryption.js";
+import type { OptionNames } from "../options_interface.js";
+
+const TOTP_OPTIONS: Record = {
+ SALT: "totpEncryptionSalt",
+ ENCRYPTED_SECRET: "totpEncryptedSecret",
+ VERIFICATION_HASH: "totpVerificationHash"
+};
+
+function verifyTotpSecret(secret: string): boolean {
+ const givenSecretHash = toBase64(myScryptService.getVerificationHash(secret));
+ const dbSecretHash = optionService.getOptionOrNull(TOTP_OPTIONS.VERIFICATION_HASH);
+
+ if (!dbSecretHash) {
+ return false;
+ }
+
+ return givenSecretHash === dbSecretHash;
+}
+
+function setTotpSecret(secret: string) {
+ if (!secret) {
+ throw new Error("TOTP secret cannot be empty");
+ }
+
+ const encryptionSalt = randomSecureToken(32);
+ optionService.setOption(TOTP_OPTIONS.SALT, encryptionSalt);
+
+ const verificationHash = toBase64(myScryptService.getVerificationHash(secret));
+ optionService.setOption(TOTP_OPTIONS.VERIFICATION_HASH, verificationHash);
+
+ const encryptedSecret = dataEncryptionService.encrypt(
+ Buffer.from(encryptionSalt),
+ secret
+ );
+ optionService.setOption(TOTP_OPTIONS.ENCRYPTED_SECRET, encryptedSecret);
+}
+
+function getTotpSecret(): string | null {
+ const encryptionSalt = optionService.getOptionOrNull(TOTP_OPTIONS.SALT);
+ const encryptedSecret = optionService.getOptionOrNull(TOTP_OPTIONS.ENCRYPTED_SECRET);
+
+ if (!encryptionSalt || !encryptedSecret) {
+ return null;
+ }
+
+ try {
+ const decryptedSecret = dataEncryptionService.decrypt(
+ Buffer.from(encryptionSalt),
+ encryptedSecret
+ );
+
+ if (!decryptedSecret) {
+ return null;
+ }
+
+ return decryptedSecret.toString();
+ } catch (e) {
+ console.error("Failed to decrypt TOTP secret:", e);
+ return null;
+ }
+}
+
+function resetTotpSecret() {
+ optionService.setOption(TOTP_OPTIONS.SALT, "");
+ optionService.setOption(TOTP_OPTIONS.ENCRYPTED_SECRET, "");
+ optionService.setOption(TOTP_OPTIONS.VERIFICATION_HASH, "");
+}
+
+function isTotpSecretSet(): boolean {
+ return !!optionService.getOptionOrNull(TOTP_OPTIONS.VERIFICATION_HASH);
+}
+
+export default {
+ verifyTotpSecret,
+ setTotpSecret,
+ getTotpSecret,
+ resetTotpSecret,
+ isTotpSecretSet
+};
diff --git a/src/services/hidden_subtree.ts b/src/services/hidden_subtree.ts
index 79c80f29e0..369b23aeae 100644
--- a/src/services/hidden_subtree.ts
+++ b/src/services/hidden_subtree.ts
@@ -271,6 +271,7 @@ function buildHiddenSubtreeDefinition(helpSubtree: HiddenSubtreeItem[]): HiddenS
{ id: "_optionsImages", title: t("hidden-subtree.images-title"), type: "contentWidget", icon: "bx-image" },
{ id: "_optionsSpellcheck", title: t("hidden-subtree.spellcheck-title"), type: "contentWidget", icon: "bx-check-double" },
{ id: "_optionsPassword", title: t("hidden-subtree.password-title"), type: "contentWidget", icon: "bx-lock" },
+ { id: '_optionsMFA', title: t('hidden-subtree.multi-factor-authentication-title'), type: 'contentWidget', icon: 'bx-lock ' },
{ id: "_optionsEtapi", title: t("hidden-subtree.etapi-title"), type: "contentWidget", icon: "bx-extension" },
{ id: "_optionsBackup", title: t("hidden-subtree.backup-title"), type: "contentWidget", icon: "bx-data" },
{ id: "_optionsSync", title: t("hidden-subtree.sync-title"), type: "contentWidget", icon: "bx-wifi" },
diff --git a/src/services/open_id.ts b/src/services/open_id.ts
new file mode 100644
index 0000000000..e45ed65997
--- /dev/null
+++ b/src/services/open_id.ts
@@ -0,0 +1,154 @@
+import type { NextFunction, Request, Response } from "express";
+import openIDEncryption from "./encryption/open_id_encryption.js";
+import sqlInit from "./sql_init.js";
+import options from "./options.js";
+import type { Session } from "express-openid-connect";
+import sql from "./sql.js";
+import config from "./config.js";
+
+
+function checkOpenIDConfig() {
+ let missingVars: string[] = []
+ if (config.MultiFactorAuthentication.oauthBaseUrl === "") {
+ missingVars.push("oauthBaseUrl");
+ }
+ if (config.MultiFactorAuthentication.oauthClientId === "") {
+ missingVars.push("oauthClientId");
+ }
+ if (config.MultiFactorAuthentication.oauthClientSecret === "") {
+ missingVars.push("oauthClientSecret");
+ }
+ return missingVars;
+}
+
+function isOpenIDEnabled() {
+ return !(checkOpenIDConfig().length > 0) && options.getOptionOrNull('mfaMethod') === 'oauth';
+}
+
+function isUserSaved() {
+ const data = sql.getValue("SELECT isSetup FROM user_data;");
+ return data === "true" ? true : false;
+}
+
+function getUsername() {
+ const username = sql.getValue("SELECT username FROM user_data;");
+ return username;
+}
+
+function getUserEmail() {
+ const email = sql.getValue("SELECT email FROM user_data;");
+ return email;
+}
+
+function clearSavedUser() {
+ sql.execute("DELETE FROM user_data");
+ options.setOption("userSubjectIdentifierSaved", false);
+ return {
+ success: true,
+ message: "Account data removed."
+ };
+}
+
+function getOAuthStatus() {
+ return {
+ success: true,
+ name: getUsername(),
+ email: getUserEmail(),
+ enabled: isOpenIDEnabled(),
+ missingVars: checkOpenIDConfig()
+ };
+}
+
+function isTokenValid(req: Request, res: Response, next: NextFunction) {
+ const userStatus = openIDEncryption.isSubjectIdentifierSaved();
+
+ if (req.oidc !== undefined) {
+ const result = req.oidc
+ .fetchUserInfo()
+ .then((result) => {
+ return {
+ success: true,
+ message: "Token is valid",
+ user: userStatus,
+ };
+ })
+ .catch((result) => {
+ return {
+ success: false,
+ message: "Token is not valid",
+ user: userStatus,
+ };
+ });
+ return result;
+ } else {
+ return {
+ success: false,
+ message: "Token not set up",
+ user: userStatus,
+ };
+ }
+}
+
+function generateOAuthConfig() {
+ const authRoutes = {
+ callback: "/callback",
+ login: "/authenticate",
+ postLogoutRedirect: "/login",
+ logout: "/logout",
+ };
+
+ const logoutParams = {
+ };
+
+ const authConfig = {
+ authRequired: false,
+ auth0Logout: false,
+ baseURL: config.MultiFactorAuthentication.oauthBaseUrl,
+ clientID: config.MultiFactorAuthentication.oauthClientId,
+ issuerBaseURL: "https://accounts.google.com",
+ secret: config.MultiFactorAuthentication.oauthClientSecret,
+ clientSecret: config.MultiFactorAuthentication.oauthClientSecret,
+ authorizationParams: {
+ response_type: "code",
+ scope: "openid profile email",
+ access_type: "offline",
+ prompt: "consent",
+ state: "random_state_" + Math.random().toString(36).substring(2)
+ },
+ routes: authRoutes,
+ idpLogout: true,
+ logoutParams: logoutParams,
+ afterCallback: async (req: Request, res: Response, session: Session) => {
+ if (!sqlInit.isDbInitialized()) return session;
+
+ if (!req.oidc.user) {
+ console.log("user invalid!");
+ return session;
+ }
+
+ openIDEncryption.saveUser(
+ req.oidc.user.sub.toString(),
+ req.oidc.user.name.toString(),
+ req.oidc.user.email.toString()
+ );
+
+ req.session.loggedIn = true;
+ req.session.lastAuthState = {
+ totpEnabled: false,
+ ssoEnabled: true
+ };
+
+ return session;
+ },
+ };
+ return authConfig;
+}
+
+export default {
+ generateOAuthConfig,
+ getOAuthStatus,
+ isOpenIDEnabled,
+ clearSavedUser,
+ isTokenValid,
+ isUserSaved,
+};
diff --git a/src/services/options_init.ts b/src/services/options_init.ts
index 491edc65f9..14967a6d67 100644
--- a/src/services/options_init.ts
+++ b/src/services/options_init.ts
@@ -131,6 +131,10 @@ const defaultOptions: DefaultOption[] = [
{ name: "customSearchEngineUrl", value: "https://duckduckgo.com/?q={keyword}", isSynced: true },
{ name: "promotedAttributesOpenInRibbon", value: "true", isSynced: true },
{ name: "editedNotesOpenInRibbon", value: "true", isSynced: true },
+ { name: "mfaEnabled", value: "false", isSynced: false },
+ { name: "mfaMethod", value: "totp", isSynced: false },
+ { name: "encryptedRecoveryCodes", value: "false", isSynced: false },
+ { name: "userSubjectIdentifierSaved", value: "false", isSynced: false },
// Appearance
{ name: "splitEditorOrientation", value: "horizontal", isSynced: true },
diff --git a/src/services/options_interface.ts b/src/services/options_interface.ts
index 26c4f1b40f..cdd9184fb6 100644
--- a/src/services/options_interface.ts
+++ b/src/services/options_interface.ts
@@ -48,6 +48,18 @@ export interface OptionDefinitions extends KeyboardShortcutsOptions