#268: endpoint to test TOTP code

2024-11-22 05:57:57 +01:00 · 2019-02-01 14:47:18 +01:00 · 2019-02-01 14:47:18 +01:00 · c6eb1c813c
commit c6eb1c813c
parent 0d50676586
2 changed files with 51 additions and 1 deletions
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/UserResource.java
@ -919,6 +919,47 @@ public class UserResource extends BaseResource {
                .add("secret", key.getKey());
        return Response.ok().entity(response.build()).build();
    }
+
+    /**
+     * Test time-based one-time password.
+     *
+     * @api {post} /user/test_totp Test TOTP authentication
+     * @apiDescription Test a TOTP validation code.
+     * @apiName PostUserTestTotp
+     * @apiParam {String} code TOTP validation code
+     * @apiGroup User
+     * @apiSuccess {String} status Status OK
+     * @apiError (client) ForbiddenError The validation code is not valid or access denied
+     * @apiPermission user
+     * @apiVersion 1.6.0
+     *
+     * @return Response
+     */
+    @POST
+    @Path("test_totp")
+    public Response testTotp(@FormParam("code") String validationCodeStr) {
+        if (!authenticate() || principal.isGuest()) {
+            throw new ForbiddenClientException();
+        }
+
+        // Get the user
+        UserDao userDao = new UserDao();
+        User user = userDao.getActiveByUsername(principal.getName());
+
+        // Test the validation code
+        if (user.getTotpKey() != null) {
+            int validationCode = ValidationUtil.validateInteger(validationCodeStr, "code");
+            GoogleAuthenticator googleAuthenticator = new GoogleAuthenticator();
+            if (!googleAuthenticator.authorize(user.getTotpKey(), validationCode)) {
+                throw new ForbiddenClientException();
+            }
+        }
+
+        // Always return OK
+        JsonObjectBuilder response = Json.createObjectBuilder()
+                .add("status", "ok");
+        return Response.ok().entity(response.build()).build();
+    }
    
    /**
     * Disable time-based one-time password for the current user.
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestUserResource.java
@ -370,7 +370,16 @@ public class TestUserResource extends BaseJerseyTest {
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
                .get(JsonObject.class);
        Assert.assertTrue(json.getBoolean("totp_enabled"));
-        
+
+        // Generate a OTP
+        validationCode = googleAuthenticator.calculateCode(secret, new Date().getTime() / 30000);
+
+        // Test a validation code
+        target().path("/user/test_totp").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
+                .post(Entity.form(new Form()
+                        .param("code", Integer.toString(validationCode))), JsonObject.class);
+
        // Disable TOTP for totp1
        target().path("/user/disable_totp").request()
                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)