#84: POST /user/disable_totp

This commit is contained in:
jendib 2016-03-23 22:03:45 +01:00
parent fb0bb62eaf
commit b33b7115ef
2 changed files with 72 additions and 2 deletions

View File

@ -488,7 +488,8 @@ public class UserResource extends BaseResource {
response.add("username", user.getUsername())
.add("email", user.getEmail())
.add("storage_quota", user.getStorageQuota())
.add("storage_current", user.getStorageCurrent());
.add("storage_current", user.getStorageCurrent())
.add("totp_enabled", user.getTotpKey() != null);
// Base functions
JsonArrayBuilder baseFunctions = Json.createArrayBuilder();
@ -657,6 +658,11 @@ public class UserResource extends BaseResource {
return Response.ok().entity(response.build()).build();
}
/**
* Enable time-based one-time password.
*
* @return Response
*/
@POST
@Path("enable_totp")
public Response enableTotp() {
@ -679,6 +685,39 @@ public class UserResource extends BaseResource {
return Response.ok().entity(response.build()).build();
}
/**
* Disable time-based one-time password.
*
* @param password Password
* @return Response
*/
@POST
@Path("disable_totp")
public Response disableTotp(@FormParam("password") String password) {
if (!authenticate()) {
throw new ForbiddenClientException();
}
// Validate the input data
password = ValidationUtil.validateLength(password, "password", 1, 100, false);
// Check the password and get the user
UserDao userDao = new UserDao();
User user = userDao.authenticate(principal.getName(), password);
if (user == null) {
throw new ForbiddenClientException();
}
// Remove the TOTP key
user.setTotpKey(null);
userDao.update(user, principal.getId());
// Always return OK
JsonObjectBuilder response = Json.createObjectBuilder()
.add("status", "ok");
return Response.ok().entity(response.build()).build();
}
/**
* Returns the authentication token value.
*

View File

@ -295,8 +295,14 @@ public class TestUserResource extends BaseJerseyTest {
clientUtil.createUser("totp1");
String totp1Token = clientUtil.login("totp1");
// Check TOTP enablement
JsonObject json = target().path("/user").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.get(JsonObject.class);
Assert.assertFalse(json.getBoolean("totp_enabled"));
// Enable TOTP for totp1
JsonObject json = target().path("/user/enable_totp").request()
json = target().path("/user/enable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.post(Entity.form(new Form()), JsonObject.class);
String secret = json.getString("secret");
@ -323,5 +329,30 @@ public class TestUserResource extends BaseJerseyTest {
.param("password", "12345678")
.param("code", Integer.toString(validationCode))
.param("remember", "false")), JsonObject.class);
// Check TOTP enablement
json = target().path("/user").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.get(JsonObject.class);
Assert.assertTrue(json.getBoolean("totp_enabled"));
// Disable TOTP for totp1
json = target().path("/user/disable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.post(Entity.form(new Form()
.param("password", "12345678")), JsonObject.class);
// Login with totp1 without a validation code
json = target().path("/user/login").request()
.post(Entity.form(new Form()
.param("username", "totp1")
.param("password", "12345678")
.param("remember", "false")), JsonObject.class);
// Check TOTP enablement
json = target().path("/user").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.get(JsonObject.class);
Assert.assertFalse(json.getBoolean("totp_enabled"));
}
}