feat(auth) email verification

Author: fiftin

api/auth.go

@@ -160,7 +160,7 @@ func verifySession(w http.ResponseWriter, r *http.Request) {
 
 	switch session.VerificationMethod {
 	case db.SessionVerificationEmail:
-		verifySessionByEmail(w, r)
+		verifySessionByEmail(session, w, r)
 		return
 
 	case db.SessionVerificationTotp:
@@ -235,7 +235,14 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) (ok bool, req
 		}
 
 		if !session.IsVerified() {
-			helpers.WriteErrorStatus(w, "TOTP_REQUIRED", http.StatusUnauthorized)
+			switch session.VerificationMethod {
+			case db.SessionVerificationEmail:
+				helpers.WriteErrorStatus(w, "EMAIL_OTP_REQUIRED", http.StatusUnauthorized)
+			case db.SessionVerificationTotp:
+				helpers.WriteErrorStatus(w, "TOTP_REQUIRED", http.StatusUnauthorized)
+			default:
+				helpers.WriteErrorStatus(w, "SESSION_NOT_VERIFIED", http.StatusUnauthorized)
+			}
 			return
 		}
 

api/auth_verify.go

@@ -1,17 +1,127 @@
-//go:build !pro
-
 package api
 
 import (
+	"bytes"
+	"embed"
 	"net/http"
+	"text/template"
+
+	"github.com/semaphoreui/semaphore/api/helpers"
+	"github.com/semaphoreui/semaphore/db"
+	"github.com/semaphoreui/semaphore/util"
+	"github.com/semaphoreui/semaphore/util/mailer"
 )
 
-func verifySessionByEmail(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusBadRequest)
-	return
+//go:embed templates/*.tmpl
+var templates embed.FS
+
+type emailOtpRequestBody struct {
+	Passcode string `json:"passcode"`
+}
+
+func verifySessionByEmail(session *db.Session, w http.ResponseWriter, r *http.Request) {
+	if !util.Config.Auth.Email.Enabled {
+		helpers.WriteErrorStatus(w, "EMAIL_OTP_DISABLED", http.StatusForbidden)
+		return
+	}
+
+	var body emailOtpRequestBody
+	if !helpers.Bind(w, r, &body) {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	user, err := helpers.Store(r).GetUser(session.UserID)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if user.EmailOtp == nil {
+		helpers.WriteErrorStatus(w, "Cannot retrieve verification code from the server.", http.StatusInternalServerError)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if user.EmailOtp.Code != body.Passcode {
+		helpers.WriteErrorStatus(w, "Invalid verification code.", http.StatusUnauthorized)
+		return
+	}
+
+	if user.EmailOtp.IsExpired() {
+		helpers.WriteErrorStatus(w, "The verification code has expired.", http.StatusUnauthorized)
+		return
+	}
+
+	err = helpers.Store(r).VerifySession(session.UserID, session.ID)
+	if err != nil {
+		helpers.WriteError(w, err)
+		return
+	}
+}
+
+func sendEmailVerificationCode(code string, email string) error {
+	body := bytes.NewBufferString("")
+	var alert struct {
+		Code string
+	}
+
+	alert.Code = code
+
+	tpl, err := template.ParseFS(templates, "templates/email_otp_code.tmpl")
+
+	if err != nil {
+		return err
+	}
+
+	err = tpl.Execute(body, alert)
+
+	if err != nil {
+		return err
+	}
+
+	err = mailer.Send(
+		util.Config.EmailSecure,
+		util.Config.EmailTls,
+		util.Config.EmailHost,
+		util.Config.EmailPort,
+		util.Config.EmailUsername,
+		util.Config.EmailPassword,
+		util.Config.EmailSender,
+		email,
+		"Email Verification Code",
+		body.String(),
+	)
+
+	return err
 }
 
 func startEmailVerification(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusBadRequest)
-	return
+	if !util.Config.Auth.Email.Enabled {
+		helpers.WriteErrorStatus(w, "EMAIL_VERIFICATION_DISABLED", http.StatusForbidden)
+		return
+	}
+
+	session, ok := getSession(r)
+
+	if !ok {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	store := helpers.Store(r)
+
+	user, err := store.GetUser(session.UserID)
+	if err != nil {
+		helpers.WriteError(w, err)
+		return
+	}
+
+	code := util.RandString(16)
+
+	err = sendEmailVerificationCode(code, user.Email)
+	if err != nil {
+		helpers.WriteError(w, err)
+		return
+	}
 }

api/router.go

@@ -4,16 +4,17 @@ import (
 	"bytes"
 	"embed"
 	"fmt"
-	proApi "github.com/semaphoreui/semaphore/pro/api"
-	proFeatures "github.com/semaphoreui/semaphore/pro/pkg/features"
-	"github.com/semaphoreui/semaphore/services/server"
-	task2 "github.com/semaphoreui/semaphore/services/tasks"
 	"net/http"
 	"os"
 	"path"
 	"strings"
 	"time"
 
+	proApi "github.com/semaphoreui/semaphore/pro/api"
+	proFeatures "github.com/semaphoreui/semaphore/pro/pkg/features"
+	"github.com/semaphoreui/semaphore/services/server"
+	task2 "github.com/semaphoreui/semaphore/services/tasks"
+
 	"github.com/semaphoreui/semaphore/api/debug"
 	"github.com/semaphoreui/semaphore/pkg/tz"
 	proSubscriptions "github.com/semaphoreui/semaphore/pro/api/subscriptions"

api/templates/email_otp_code.tmpl

@@ -1,6 +1,7 @@
 package db
 
 import (
+	"github.com/semaphoreui/semaphore/pkg/tz"
 	"time"
 )
 
@@ -17,7 +18,8 @@ type User struct {
 	Alert    bool      `db:"alert" json:"alert"`
 	Pro      bool      `db:"pro" json:"pro"`
 
-	Totp *UserTotp `db:"-" json:"totp,omitempty"`
+	Totp     *UserTotp     `db:"-" json:"totp,omitempty"`
+	EmailOtp *UserEmailOtp `db:"-" json:"email_otp,omitempty"`
 }
 
 type UserTotp struct {
@@ -59,3 +61,8 @@ func ValidateUser(user User) error {
 	}
 	return nil
 }
+
+func (o *UserEmailOtp) IsExpired() bool {
+	// Email OTP is valid for 10 minutes
+	return tz.Now().Sub(o.Created) > 10*time.Minute
+}