feat: 2fa by email and TOTP (sahat#1545)

Author: YasharF

README.md

@@ -77,6 +77,7 @@ I also tried to make it as **generic** and **reusable** as possible to cover mos
   - Profile Details
   - Password management (Change, Reset, Forgot)
   - Verify Email
+  - **Two-Factor Authentication (2FA)** Email codes and Authenticator apps
   - Link multiple OAuth provider accounts to one account
   - Delete Account
 - Contact Form (powered by SMTP via Mailgun, AWS SES, etc.)
@@ -635,6 +636,7 @@ Required to run the project before your modifications
 | multer                        | Node.js middleware for handling `multipart/form-data`.                |
 | nodemailer                    | Node.js library for sending emails.                                   |
 | oauth                         | OAuth API library without middleware constraints.                     |
+| otpauth                       | One-Time Password (TOTP/HOTP) library for 2FA authenticator apps.     |
 | passport                      | Simple and elegant authentication library for node.js.                |
 | passport-facebook             | Sign-in with Facebook plugin.                                         |
 | passport-github2              | Sign-in with GitHub plugin.                                           |

app.js

@@ -41,7 +41,7 @@ const limiter = rateLimit({
   standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
   legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 });
-// Strict Auth Rate Limiter Config for signup, password recover, account verification, login by email
+// Strict Auth Rate Limiter Config for signup, password recover, account verification, login by email, send 2FA email
 const strictLimiter = rateLimit({
   windowMs: 60 * 60 * 1000, // 1 hour
   max: RATE_LIMIT_STRICT, // attempts per hour
@@ -56,6 +56,15 @@ const loginLimiter = rateLimit({
   standardHeaders: true,
   legacyHeaders: false,
 });
+// Login 2FA Rate Limiter Config - allow more requests for 2FA pages per login to avoid UX issues.
+// This is after a valid username/password submission, so the attack surface is smaller
+// and we want to avoid locking out legitimate users who mistype their 2FA code.
+const login2FALimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: RATE_LIMIT_LOGIN * 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+});
 
 // This logic for numberOfProxies works for local testing, ngrok use, single host deployments
 // behind cloudflare, etc. You may need to change it for more complex network settings.
@@ -205,6 +214,11 @@ app.get('/', homeController.index);
 app.get('/login', userController.getLogin);
 app.post('/login', loginLimiter, userController.postLogin);
 app.get('/login/verify/:token', loginLimiter, userController.getLoginByEmail);
+app.get('/login/2fa', login2FALimiter, userController.getTwoFactor);
+app.post('/login/2fa', login2FALimiter, userController.postTwoFactor);
+app.post('/login/2fa/resend', strictLimiter, userController.resendTwoFactorCode);
+app.get('/login/2fa/totp', login2FALimiter, userController.getTotpVerify);
+app.post('/login/2fa/totp', login2FALimiter, userController.postTotpVerify);
 app.post('/login/webauthn-start', loginLimiter, webauthnController.postLoginStart);
 app.get('/login/webauthn-start', (req, res) => res.redirect('/login')); // webauthn-start requires a POST
 app.post('/login/webauthn-verify', loginLimiter, webauthnController.postLoginVerify);
@@ -222,6 +236,11 @@ app.get('/account/verify/:token', passportConfig.isAuthenticated, userController
 app.get('/account', passportConfig.isAuthenticated, userController.getAccount);
 app.post('/account/profile', passportConfig.isAuthenticated, userController.postUpdateProfile);
 app.post('/account/password', passportConfig.isAuthenticated, userController.postUpdatePassword);
+app.post('/account/2fa/email/enable', passportConfig.isAuthenticated, userController.postEnable2FA);
+app.post('/account/2fa/email/remove', passportConfig.isAuthenticated, userController.postRemoveEmail2FA);
+app.get('/account/2fa/totp/setup', passportConfig.isAuthenticated, userController.getTotpSetup);
+app.post('/account/2fa/totp/setup', passportConfig.isAuthenticated, userController.postTotpSetup);
+app.post('/account/2fa/totp/remove', passportConfig.isAuthenticated, userController.postRemoveTotp);
 app.post('/account/delete', passportConfig.isAuthenticated, userController.postDeleteAccount);
 app.post('/account/logout-everywhere', passportConfig.isAuthenticated, userController.postLogoutEverywhere);
 app.get('/account/unlink/:provider', passportConfig.isAuthenticated, userController.getOauthUnlink);