Files
stoatchat/crates/delta/src/routes/mfa/create_ticket.rs
Zomatree d27917b824 chore: migrate authifier into codebase (#658)
Co-authored-by: izzy <me@insrt.uk>
Signed-off-by: Zomatree <me@zomatree.live>
Signed-off-by: izzy <me@insrt.uk>
2026-06-21 00:50:06 +01:00

158 lines
4.7 KiB
Rust

//! Create a new MFA ticket or validate an existing one.
//! PUT /mfa/ticket
use revolt_result::{Result, create_error};
use revolt_database::{Account, Database, MFATicket, UnvalidatedTicket};
use revolt_models::v0;
use rocket::serde::json::Json;
use rocket::State;
/// # Create MFA ticket
///
/// Create a new MFA ticket or validate an existing one.
#[openapi(tag = "MFA")]
#[put("/ticket", data = "<data>")]
pub async fn create_ticket(
db: &State<Database>,
account: Option<Account>,
existing_ticket: Option<UnvalidatedTicket>,
data: Json<v0::MFAResponse>,
) -> Result<Json<v0::MFATicket>> {
// Find the relevant account
let mut account = match (account, existing_ticket) {
(Some(_), Some(_)) => return Err(create_error!(OperationFailed)),
(Some(account), _) => account,
(_, Some(ticket)) => {
db.delete_ticket(&ticket.id).await?;
db.fetch_account(&ticket.account_id).await?
}
_ => return Err(create_error!(InvalidToken)),
};
// Validate the MFA response
account
.consume_mfa_response(db, data.into_inner(), None)
.await?;
// Create a new ticket for this account
let ticket = MFATicket::new(account.id, true);
ticket.save(db).await?;
Ok(Json(ticket.into()))
}
#[cfg(test)]
mod tests {
use crate::{rocket, util::test::TestHarness};
use revolt_database::Totp;
use rocket::http::{Header, Status};
use revolt_models::v0;
use revolt_result::{Error, ErrorType};
#[rocket::async_test]
async fn success() {
let harness = TestHarness::new().await;
let (_, session, _) = harness.new_user().await;
let res = harness.client
.put("/auth/mfa/ticket")
.header(Header::new("X-Session-Token", session.token.clone()))
.body(
json!({
"password": "password_insecure"
})
.to_string(),
)
.dispatch()
.await;
assert_eq!(res.status(), Status::Ok);
assert!(res.into_json::<v0::MFATicket>().await.unwrap().validated);
}
#[rocket::async_test]
async fn success_totp() {
let harness = TestHarness::new().await;
let (mut account, session, _) = harness.new_user().await;
account.mfa.totp_token = Totp::Enabled {
secret: "secret".to_string(),
};
account.save(&harness.db).await.unwrap();
let res = harness.client
.put("/auth/mfa/ticket")
.header(Header::new("X-Session-Token", session.token.clone()))
.body(
json!({
"totp_code": Totp::Enabled {
secret: "secret".to_string(),
}.generate_code().unwrap()
})
.to_string(),
)
.dispatch()
.await;
assert_eq!(res.status(), Status::Ok);
assert!(res.into_json::<v0::MFATicket>().await.is_some());
}
#[rocket::async_test]
async fn failure_totp() {
let harness = TestHarness::new().await;
let (mut account, session, _) = harness.new_user().await;
account.mfa.totp_token = Totp::Enabled {
secret: "secret".to_string(),
};
account.save(&harness.db).await.unwrap();
let res = harness.client
.put("/auth/mfa/ticket")
.header(Header::new("X-Session-Token", session.token.clone()))
.body(
json!({
"totp_code": "000000"
})
.to_string(),
)
.dispatch()
.await;
assert_eq!(res.status(), Status::Unauthorized);
assert!(matches!(
res.into_json::<Error>().await.unwrap().error_type,
ErrorType::InvalidToken,
));
}
#[rocket::async_test]
async fn failure_no_totp() {
let harness = TestHarness::new().await;
let (mut account, session, _) = harness.new_user().await;
account.mfa.totp_token = Totp::Enabled {
secret: "secret".to_string(),
};
account.save(&harness.db).await.unwrap();
let res = harness.client
.put("/auth/mfa/ticket")
.header(Header::new("X-Session-Token", session.token.clone()))
.body(
json!({
"password": "this is the wrong mfa method"
})
.to_string(),
)
.dispatch()
.await;
assert_eq!(res.status(), Status::BadRequest);
assert!(matches!(
res.into_json::<Error>().await.unwrap().error_type,
ErrorType::DisallowedMFAMethod,
));
}
}