#268: endpoint to test TOTP code

This commit is contained in:
Benjamin Gamard 2019-02-01 14:47:18 +01:00
parent 0d50676586
commit c6eb1c813c
2 changed files with 51 additions and 1 deletions

View File

@ -920,6 +920,47 @@ public class UserResource extends BaseResource {
return Response.ok().entity(response.build()).build();
}
/**
* Test time-based one-time password.
*
* @api {post} /user/test_totp Test TOTP authentication
* @apiDescription Test a TOTP validation code.
* @apiName PostUserTestTotp
* @apiParam {String} code TOTP validation code
* @apiGroup User
* @apiSuccess {String} status Status OK
* @apiError (client) ForbiddenError The validation code is not valid or access denied
* @apiPermission user
* @apiVersion 1.6.0
*
* @return Response
*/
@POST
@Path("test_totp")
public Response testTotp(@FormParam("code") String validationCodeStr) {
if (!authenticate() || principal.isGuest()) {
throw new ForbiddenClientException();
}
// Get the user
UserDao userDao = new UserDao();
User user = userDao.getActiveByUsername(principal.getName());
// Test the validation code
if (user.getTotpKey() != null) {
int validationCode = ValidationUtil.validateInteger(validationCodeStr, "code");
GoogleAuthenticator googleAuthenticator = new GoogleAuthenticator();
if (!googleAuthenticator.authorize(user.getTotpKey(), validationCode)) {
throw new ForbiddenClientException();
}
}
// Always return OK
JsonObjectBuilder response = Json.createObjectBuilder()
.add("status", "ok");
return Response.ok().entity(response.build()).build();
}
/**
* Disable time-based one-time password for the current user.
*

View File

@ -371,6 +371,15 @@ public class TestUserResource extends BaseJerseyTest {
.get(JsonObject.class);
Assert.assertTrue(json.getBoolean("totp_enabled"));
// Generate a OTP
validationCode = googleAuthenticator.calculateCode(secret, new Date().getTime() / 30000);
// Test a validation code
target().path("/user/test_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.post(Entity.form(new Form()
.param("code", Integer.toString(validationCode))), JsonObject.class);
// Disable TOTP for totp1
target().path("/user/disable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)