From eca8c7a52f9d190a89b380290b5b50d0cb96c750 Mon Sep 17 00:00:00 2001 From: syuilo Date: Fri, 22 Sep 2023 10:01:34 +0900 Subject: [PATCH 01/62] tweak ui --- packages/frontend/src/store.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/frontend/src/store.ts b/packages/frontend/src/store.ts index b4713a323e..8a43ba892d 100644 --- a/packages/frontend/src/store.ts +++ b/packages/frontend/src/store.ts @@ -118,7 +118,7 @@ export const defaultStore = markRaw(new Storage('base', { where: 'deviceAccount', default: [ 'notifications', - 'favorites', + 'clips', 'drive', 'followRequests', '-', From c836157edb869e80b15f51bb8f48725e3b898b9a Mon Sep 17 00:00:00 2001 From: syuilo Date: Fri, 22 Sep 2023 14:12:33 +0900 Subject: [PATCH 02/62] =?UTF-8?q?enhance:=20=E4=BA=8C=E8=A6=81=E7=B4=A0?= =?UTF-8?q?=E8=AA=8D=E8=A8=BC=E8=A8=AD=E5=AE=9A=E6=99=82=E3=81=AE=E3=82=BB?= =?UTF-8?q?=E3=82=AD=E3=83=A5=E3=83=AA=E3=83=86=E3=82=A3=E3=82=92=E5=BC=B7?= =?UTF-8?q?=E5=8C=96=20(#11863)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * enhance: 二要素認証設定時のセキュリティを強化 パスワード入力が必要な操作を行う際、二要素認証が有効であれば確認コードの入力も必要にする * Update CoreModule.ts * Update 2fa.ts * wip * wip * Update 2fa.ts * tweak --- CHANGELOG.md | 9 +-- locales/index.d.ts | 3 +- locales/ja-JP.yml | 3 +- packages/backend/src/core/CoreModule.ts | 6 ++ packages/backend/src/core/UserAuthService.ts | 45 ++++++++++++ .../src/server/api/SigninApiService.ts | 28 +++----- .../src/server/api/endpoints/i/2fa/done.ts | 2 +- .../server/api/endpoints/i/2fa/key-done.ts | 20 +++++- .../api/endpoints/i/2fa/register-key.ts | 20 +++++- .../server/api/endpoints/i/2fa/register.ts | 21 +++++- .../server/api/endpoints/i/2fa/remove-key.ts | 20 +++++- .../server/api/endpoints/i/2fa/unregister.ts | 20 +++++- .../server/api/endpoints/i/change-password.ts | 22 +++++- .../server/api/endpoints/i/delete-account.ts | 23 ++++-- .../server/api/endpoints/i/update-email.ts | 20 +++++- packages/backend/test/e2e/2fa.ts | 49 +++++++++++++ packages/frontend/src/components/MkInput.vue | 4 ++ .../src/components/MkPasswordDialog.vue | 70 +++++++++++++++++++ packages/frontend/src/os.ts | 13 ++++ packages/frontend/src/pages/settings/2fa.vue | 65 ++++++++--------- .../frontend/src/pages/settings/email.vue | 20 +++--- .../frontend/src/pages/settings/other.vue | 10 ++- .../frontend/src/pages/settings/security.vue | 29 ++++---- 23 files changed, 400 insertions(+), 122 deletions(-) create mode 100644 packages/backend/src/core/UserAuthService.ts create mode 100644 packages/frontend/src/components/MkPasswordDialog.vue diff --git a/CHANGELOG.md b/CHANGELOG.md index 082b448c2b..92bb2c8161 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,8 @@ - Feat: プロフィールでのリンク検証 - Feat: 通知をテストできるようになりました - Feat: PWAのアイコンが設定できるようになりました +- Enhance: 二要素認証設定時のセキュリティを強化 + - パスワード入力が必要な操作を行う際、二要素認証が有効であれば確認コードの入力も必要になりました - Enhance: manifest.jsonをオーバーライド可能に - Enhance: 依存関係の更新 - Enhance: ローカリゼーションの更新 @@ -40,10 +42,8 @@ - Feat: Playで直接投稿フォームを埋め込めるように(`Ui:C:postForm`) - Feat: クライアントを起動している間、デバイスの画面が自動でオフになるのを防ぐオプションを追加 - Feat: 新しい実績を追加 -- Enhance: ノート詳細ページを改修 - - 読み込み時のパフォーマンスが向上しました - - リノート一覧、リアクション一覧がタブとして追加されました - - ノートのメニューからは当該項目は消えました +- Enhance: ノート詳細ページでリノート一覧、リアクション一覧タブを追加 + - ノートのメニューからは当該項目は消えました - Enhance: プロフィールにその人が作ったPlayの一覧出せるように - Enhance: メニューのスイッチの動作を改善 - Enhance: 絵文字ピッカーの検索の表示件数を100件に増加 @@ -62,6 +62,7 @@ - Enhance: AiScriptで`LOCALE`として現在の設定言語を取得できるように - Enhance: Mk:apiが失敗した時にエラー型の値(AiScript 0.16.0で追加)を返すように - Enhance: ScratchpadでAsync:系関数やボタンのコールバックなどのエラーにもダイアログを出すように(試験的なためPlayなどには未実装) +- Enhance: ノート詳細ページ読み込み時のパフォーマンスが向上しました - Enhance: タイムラインでリスト/アンテナ選択時のパフォーマンスを改善 - Enhance: 「Moderation note」、「Add moderation note」をローカライズできるように - Enhance: 細かなデザインの調整 diff --git a/locales/index.d.ts b/locales/index.d.ts index 784f53355a..f7bc350e2b 100644 --- a/locales/index.d.ts +++ b/locales/index.d.ts @@ -1119,6 +1119,8 @@ export interface Locale { "verifiedLink": string; "notifyNotes": string; "unnotifyNotes": string; + "authentication": string; + "authenticationRequiredToContinue": string; "_announcement": { "forExistingUsers": string; "forExistingUsersDescription": string; @@ -1833,7 +1835,6 @@ export interface Locale { "_2fa": { "alreadyRegistered": string; "registerTOTP": string; - "passwordToTOTP": string; "step1": string; "step2": string; "step2Click": string; diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml index a7a6200472..5436cf0494 100644 --- a/locales/ja-JP.yml +++ b/locales/ja-JP.yml @@ -1116,6 +1116,8 @@ keepScreenOn: "デバイスの画面を常にオンにする" verifiedLink: "このリンク先の所有者であることが確認されました" notifyNotes: "投稿を通知" unnotifyNotes: "投稿の通知を解除" +authentication: "認証" +authenticationRequiredToContinue: "続けるには認証を行ってください" _announcement: forExistingUsers: "既存ユーザーのみ" @@ -1750,7 +1752,6 @@ _timelineTutorial: _2fa: alreadyRegistered: "既に設定は完了しています。" registerTOTP: "認証アプリの設定を開始" - passwordToTOTP: "パスワードを入力してください" step1: "まず、{a}や{b}などの認証アプリをお使いのデバイスにインストールします。" step2: "次に、表示されているQRコードをアプリでスキャンします。" step2Click: "QRコードをクリックすると、お使いの端末にインストールされている認証アプリやキーリングに登録できます。" diff --git a/packages/backend/src/core/CoreModule.ts b/packages/backend/src/core/CoreModule.ts index 18271ee346..78333e70a5 100644 --- a/packages/backend/src/core/CoreModule.ts +++ b/packages/backend/src/core/CoreModule.ts @@ -51,6 +51,7 @@ import { UserKeypairService } from './UserKeypairService.js'; import { UserListService } from './UserListService.js'; import { UserMutingService } from './UserMutingService.js'; import { UserSuspendService } from './UserSuspendService.js'; +import { UserAuthService } from './UserAuthService.js'; import { VideoProcessingService } from './VideoProcessingService.js'; import { WebhookService } from './WebhookService.js'; import { ProxyAccountService } from './ProxyAccountService.js'; @@ -177,6 +178,7 @@ const $UserKeypairService: Provider = { provide: 'UserKeypairService', useExisti const $UserListService: Provider = { provide: 'UserListService', useExisting: UserListService }; const $UserMutingService: Provider = { provide: 'UserMutingService', useExisting: UserMutingService }; const $UserSuspendService: Provider = { provide: 'UserSuspendService', useExisting: UserSuspendService }; +const $UserAuthService: Provider = { provide: 'UserAuthService', useExisting: UserAuthService }; const $VideoProcessingService: Provider = { provide: 'VideoProcessingService', useExisting: VideoProcessingService }; const $WebhookService: Provider = { provide: 'WebhookService', useExisting: WebhookService }; const $UtilityService: Provider = { provide: 'UtilityService', useExisting: UtilityService }; @@ -306,6 +308,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting UserListService, UserMutingService, UserSuspendService, + UserAuthService, VideoProcessingService, WebhookService, UtilityService, @@ -428,6 +431,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting $UserListService, $UserMutingService, $UserSuspendService, + $UserAuthService, $VideoProcessingService, $WebhookService, $UtilityService, @@ -551,6 +555,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting UserListService, UserMutingService, UserSuspendService, + UserAuthService, VideoProcessingService, WebhookService, UtilityService, @@ -672,6 +677,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting $UserListService, $UserMutingService, $UserSuspendService, + $UserAuthService, $VideoProcessingService, $WebhookService, $UtilityService, diff --git a/packages/backend/src/core/UserAuthService.ts b/packages/backend/src/core/UserAuthService.ts new file mode 100644 index 0000000000..ccf4dfc6bd --- /dev/null +++ b/packages/backend/src/core/UserAuthService.ts @@ -0,0 +1,45 @@ +/* + * SPDX-FileCopyrightText: syuilo and other misskey contributors + * SPDX-License-Identifier: AGPL-3.0-only + */ + +import { Inject, Injectable } from '@nestjs/common'; +import { QueryFailedError } from 'typeorm'; +import * as OTPAuth from 'otpauth'; +import { DI } from '@/di-symbols.js'; +import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/models/_.js'; +import { bindThis } from '@/decorators.js'; +import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js'; +import type { MiLocalUser } from '@/models/User.js'; + +@Injectable() +export class UserAuthService { + constructor( + @Inject(DI.usersRepository) + private usersRepository: UsersRepository, + + @Inject(DI.userProfilesRepository) + private userProfilesRepository: UserProfilesRepository, + ) { + } + + @bindThis + public async twoFactorAuthenticate(profile: MiUserProfile, token: string): Promise { + if (profile.twoFactorBackupSecret?.includes(token)) { + await this.userProfilesRepository.update({ userId: profile.userId }, { + twoFactorBackupSecret: profile.twoFactorBackupSecret.filter((secret) => secret !== token), + }); + } else { + const delta = OTPAuth.TOTP.validate({ + secret: OTPAuth.Secret.fromBase32(profile.twoFactorSecret!), + digits: 6, + token, + window: 5, + }); + + if (delta === null) { + throw new Error('authentication failed'); + } + } + } +} diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts index 48d74e2b02..150f3f24d4 100644 --- a/packages/backend/src/server/api/SigninApiService.ts +++ b/packages/backend/src/server/api/SigninApiService.ts @@ -19,6 +19,7 @@ import type { MiLocalUser } from '@/models/User.js'; import { IdService } from '@/core/IdService.js'; import { bindThis } from '@/decorators.js'; import { WebAuthnService } from '@/core/WebAuthnService.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; import { RateLimiterService } from './RateLimiterService.js'; import { SigninService } from './SigninService.js'; import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types'; @@ -42,6 +43,7 @@ export class SigninApiService { private idService: IdService, private rateLimiterService: RateLimiterService, private signinService: SigninService, + private userAuthService: UserAuthService, private webAuthnService: WebAuthnService, ) { } @@ -124,7 +126,7 @@ export class SigninApiService { const same = await bcrypt.compare(password, profile.password!); const fail = async (status?: number, failure?: { id: string }) => { - // Append signin history + // Append signin history await this.signinsRepository.insert({ id: this.idService.genId(), createdAt: new Date(), @@ -154,27 +156,15 @@ export class SigninApiService { }); } - if (profile.twoFactorBackupSecret?.includes(token)) { - await this.userProfilesRepository.update({ userId: profile.userId }, { - twoFactorBackupSecret: profile.twoFactorBackupSecret.filter((secret) => secret !== token), - }); - return this.signinService.signin(request, reply, user); - } - - const delta = OTPAuth.TOTP.validate({ - secret: OTPAuth.Secret.fromBase32(profile.twoFactorSecret!), - digits: 6, - token, - window: 1, - }); - - if (delta === null) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { return await fail(403, { id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f', }); - } else { - return this.signinService.signin(request, reply, user); } + + return this.signinService.signin(request, reply, user); } else if (body.credential) { if (!same && !profile.usePasswordLessLogin) { return await fail(403, { @@ -203,6 +193,6 @@ export class SigninApiService { reply.code(200); return authRequest; } - // never get here + // never get here } } diff --git a/packages/backend/src/server/api/endpoints/i/2fa/done.ts b/packages/backend/src/server/api/endpoints/i/2fa/done.ts index c6a193fbb5..9f8e2894b8 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/done.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/done.ts @@ -47,7 +47,7 @@ export default class extends Endpoint { // eslint- secret: OTPAuth.Secret.fromBase32(profile.twoFactorTempSecret), digits: 6, token, - window: 1, + window: 5, }); if (delta === null) { diff --git a/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts b/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts index 4b0e761bb2..6d530aba3b 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts @@ -12,6 +12,7 @@ import { GlobalEventService } from '@/core/GlobalEventService.js'; import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/models/_.js'; import { WebAuthnService } from '@/core/WebAuthnService.js'; import { ApiError } from '@/server/api/error.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -37,6 +38,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, name: { type: 'string', minLength: 1, maxLength: 30 }, credential: { type: 'object' }, }, @@ -54,16 +56,28 @@ export default class extends Endpoint { private userSecurityKeysRepository: UserSecurityKeysRepository, private webAuthnService: WebAuthnService, + private userAuthService: UserAuthService, private userEntityService: UserEntityService, private globalEventService: GlobalEventService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.password, profile.password ?? ''); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? ''); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/src/server/api/endpoints/i/2fa/register-key.ts b/packages/backend/src/server/api/endpoints/i/2fa/register-key.ts index b4d5237941..c39005f2dd 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/register-key.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/register-key.ts @@ -10,6 +10,7 @@ import type { UserProfilesRepository } from '@/models/_.js'; import { DI } from '@/di-symbols.js'; import { WebAuthnService } from '@/core/WebAuthnService.js'; import { ApiError } from '@/server/api/error.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -41,6 +42,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, }, required: ['password'], } as const; @@ -53,8 +55,10 @@ export default class extends Endpoint { private userProfilesRepository: UserProfilesRepository, private webAuthnService: WebAuthnService, + private userAuthService: UserAuthService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOne({ where: { userId: me.id, @@ -66,10 +70,20 @@ export default class extends Endpoint { throw new ApiError(meta.errors.userNotFound); } - // Compare password - const same = await bcrypt.compare(ps.password, profile.password ?? ''); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? ''); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/src/server/api/endpoints/i/2fa/register.ts b/packages/backend/src/server/api/endpoints/i/2fa/register.ts index 9d027b25bb..b358c812ee 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/register.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/register.ts @@ -12,6 +12,7 @@ import { Endpoint } from '@/server/api/endpoint-base.js'; import { DI } from '@/di-symbols.js'; import type { Config } from '@/config.js'; import { ApiError } from '@/server/api/error.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -31,6 +32,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, }, required: ['password'], } as const; @@ -43,14 +45,27 @@ export default class extends Endpoint { // eslint- @Inject(DI.userProfilesRepository) private userProfilesRepository: UserProfilesRepository, + + private userAuthService: UserAuthService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.password, profile.password ?? ''); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? ''); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts b/packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts index ad2cb8c20b..da8ac98556 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts @@ -11,6 +11,7 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; import { DI } from '@/di-symbols.js'; import { ApiError } from '@/server/api/error.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -30,6 +31,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, credentialId: { type: 'string' }, }, required: ['password', 'credentialId'], @@ -45,15 +47,27 @@ export default class extends Endpoint { // eslint- private userProfilesRepository: UserProfilesRepository, private userEntityService: UserEntityService, + private userAuthService: UserAuthService, private globalEventService: GlobalEventService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.password, profile.password ?? ''); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? ''); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/src/server/api/endpoints/i/2fa/unregister.ts b/packages/backend/src/server/api/endpoints/i/2fa/unregister.ts index b834dfff4c..338f12c5cd 100644 --- a/packages/backend/src/server/api/endpoints/i/2fa/unregister.ts +++ b/packages/backend/src/server/api/endpoints/i/2fa/unregister.ts @@ -11,6 +11,7 @@ import type { UserProfilesRepository } from '@/models/_.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; import { DI } from '@/di-symbols.js'; import { ApiError } from '@/server/api/error.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -30,6 +31,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, }, required: ['password'], } as const; @@ -41,15 +43,27 @@ export default class extends Endpoint { // eslint- private userProfilesRepository: UserProfilesRepository, private userEntityService: UserEntityService, + private userAuthService: UserAuthService, private globalEventService: GlobalEventService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.password, profile.password ?? ''); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? ''); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/src/server/api/endpoints/i/change-password.ts b/packages/backend/src/server/api/endpoints/i/change-password.ts index 868cff8ad7..a3c37ffdb7 100644 --- a/packages/backend/src/server/api/endpoints/i/change-password.ts +++ b/packages/backend/src/server/api/endpoints/i/change-password.ts @@ -8,6 +8,7 @@ import { Inject, Injectable } from '@nestjs/common'; import { Endpoint } from '@/server/api/endpoint-base.js'; import type { UserProfilesRepository } from '@/models/_.js'; import { DI } from '@/di-symbols.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -20,6 +21,7 @@ export const paramDef = { properties: { currentPassword: { type: 'string' }, newPassword: { type: 'string', minLength: 1 }, + token: { type: 'string', nullable: true }, }, required: ['currentPassword', 'newPassword'], } as const; @@ -29,14 +31,28 @@ export default class extends Endpoint { // eslint- constructor( @Inject(DI.userProfilesRepository) private userProfilesRepository: UserProfilesRepository, + + private userAuthService: UserAuthService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.currentPassword, profile.password!); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.currentPassword, profile.password!); + + if (!passwordMatched) { throw new Error('incorrect password'); } diff --git a/packages/backend/src/server/api/endpoints/i/delete-account.ts b/packages/backend/src/server/api/endpoints/i/delete-account.ts index f318d9cda9..fbac845fda 100644 --- a/packages/backend/src/server/api/endpoints/i/delete-account.ts +++ b/packages/backend/src/server/api/endpoints/i/delete-account.ts @@ -9,6 +9,7 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { DeleteAccountService } from '@/core/DeleteAccountService.js'; import { DI } from '@/di-symbols.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; export const meta = { requireCredential: true, @@ -20,6 +21,7 @@ export const paramDef = { type: 'object', properties: { password: { type: 'string' }, + token: { type: 'string', nullable: true }, }, required: ['password'], } as const; @@ -33,19 +35,32 @@ export default class extends Endpoint { // eslint- @Inject(DI.userProfilesRepository) private userProfilesRepository: UserProfilesRepository, + private userAuthService: UserAuthService, private deleteAccountService: DeleteAccountService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); + + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } + + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + const userDetailed = await this.usersRepository.findOneByOrFail({ id: me.id }); if (userDetailed.isDeleted) { return; } - // Compare password - const same = await bcrypt.compare(ps.password, profile.password!); - - if (!same) { + const passwordMatched = await bcrypt.compare(ps.password, profile.password!); + if (!passwordMatched) { throw new Error('incorrect password'); } diff --git a/packages/backend/src/server/api/endpoints/i/update-email.ts b/packages/backend/src/server/api/endpoints/i/update-email.ts index 77135bf855..a36b3a732b 100644 --- a/packages/backend/src/server/api/endpoints/i/update-email.ts +++ b/packages/backend/src/server/api/endpoints/i/update-email.ts @@ -14,6 +14,7 @@ import type { Config } from '@/config.js'; import { DI } from '@/di-symbols.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js'; +import { UserAuthService } from '@/core/UserAuthService.js'; import { ApiError } from '../../error.js'; export const meta = { @@ -46,6 +47,7 @@ export const paramDef = { properties: { password: { type: 'string' }, email: { type: 'string', nullable: true }, + token: { type: 'string', nullable: true }, }, required: ['password'], } as const; @@ -61,15 +63,27 @@ export default class extends Endpoint { // eslint- private userEntityService: UserEntityService, private emailService: EmailService, + private userAuthService: UserAuthService, private globalEventService: GlobalEventService, ) { super(meta, paramDef, async (ps, me) => { + const token = ps.token; const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id }); - // Compare password - const same = await bcrypt.compare(ps.password, profile.password!); + if (profile.twoFactorEnabled) { + if (token == null) { + throw new Error('authentication failed'); + } - if (!same) { + try { + await this.userAuthService.twoFactorAuthenticate(profile, token); + } catch (e) { + throw new Error('authentication failed'); + } + } + + const passwordMatched = await bcrypt.compare(ps.password, profile.password!); + if (!passwordMatched) { throw new ApiError(meta.errors.incorrectPassword); } diff --git a/packages/backend/test/e2e/2fa.ts b/packages/backend/test/e2e/2fa.ts index 80d2e9d353..ed967d2620 100644 --- a/packages/backend/test/e2e/2fa.ts +++ b/packages/backend/test/e2e/2fa.ts @@ -60,10 +60,12 @@ describe('2要素認証', () => { }; const keyDoneParam = (param: { + token: string, keyName: string, credentialId: Buffer, creationOptions: PublicKeyCredentialCreationOptionsJSON, }): { + token: string, password: string, name: string, credential: RegistrationResponseJSON, @@ -94,6 +96,7 @@ describe('2要素認証', () => { return { password, + token: param.token, name: param.keyName, credential: { id: param.credentialId.toString('base64url'), @@ -218,6 +221,12 @@ describe('2要素認証', () => { }); assert.strictEqual(signinResponse.status, 200); assert.notEqual(signinResponse.body.i, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); test('が設定でき、セキュリティキーでログインできる。', async () => { @@ -233,6 +242,7 @@ describe('2要素認証', () => { const registerKeyResponse = await api('/i/2fa/register-key', { password, + token: otpToken(registerResponse.body.secret), }, alice); assert.strictEqual(registerKeyResponse.status, 200); assert.notEqual(registerKeyResponse.body.rp, undefined); @@ -241,6 +251,7 @@ describe('2要素認証', () => { const keyName = 'example-key'; const credentialId = crypto.randomBytes(0x41); const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({ + token: otpToken(registerResponse.body.secret), keyName, credentialId, creationOptions: registerKeyResponse.body, @@ -271,6 +282,12 @@ describe('2要素認証', () => { })); assert.strictEqual(signinResponse2.status, 200); assert.notEqual(signinResponse2.body.i, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); test('が設定でき、セキュリティキーでパスワードレスログインできる。', async () => { @@ -285,6 +302,7 @@ describe('2要素認証', () => { assert.strictEqual(doneResponse.status, 200); const registerKeyResponse = await api('/i/2fa/register-key', { + token: otpToken(registerResponse.body.secret), password, }, alice); assert.strictEqual(registerKeyResponse.status, 200); @@ -292,6 +310,7 @@ describe('2要素認証', () => { const keyName = 'example-key'; const credentialId = crypto.randomBytes(0x41); const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({ + token: otpToken(registerResponse.body.secret), keyName, credentialId, creationOptions: registerKeyResponse.body, @@ -326,6 +345,12 @@ describe('2要素認証', () => { }); assert.strictEqual(signinResponse2.status, 200); assert.notEqual(signinResponse2.body.i, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); test('が設定でき、設定したセキュリティキーの名前を変更できる。', async () => { @@ -340,6 +365,7 @@ describe('2要素認証', () => { assert.strictEqual(doneResponse.status, 200); const registerKeyResponse = await api('/i/2fa/register-key', { + token: otpToken(registerResponse.body.secret), password, }, alice); assert.strictEqual(registerKeyResponse.status, 200); @@ -347,6 +373,7 @@ describe('2要素認証', () => { const keyName = 'example-key'; const credentialId = crypto.randomBytes(0x41); const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({ + token: otpToken(registerResponse.body.secret), keyName, credentialId, creationOptions: registerKeyResponse.body, @@ -367,6 +394,12 @@ describe('2要素認証', () => { assert.strictEqual(securityKeys.length, 1); assert.strictEqual(securityKeys[0].name, renamedKey); assert.notEqual(securityKeys[0].lastUsed, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); test('が設定でき、設定したセキュリティキーを削除できる。', async () => { @@ -381,6 +414,7 @@ describe('2要素認証', () => { assert.strictEqual(doneResponse.status, 200); const registerKeyResponse = await api('/i/2fa/register-key', { + token: otpToken(registerResponse.body.secret), password, }, alice); assert.strictEqual(registerKeyResponse.status, 200); @@ -388,6 +422,7 @@ describe('2要素認証', () => { const keyName = 'example-key'; const credentialId = crypto.randomBytes(0x41); const keyDoneResponse = await api('/i/2fa/key-done', keyDoneParam({ + token: otpToken(registerResponse.body.secret), keyName, credentialId, creationOptions: registerKeyResponse.body, @@ -400,6 +435,7 @@ describe('2要素認証', () => { assert.strictEqual(iResponse.status, 200); for (const key of iResponse.body.securityKeysList) { const removeKeyResponse = await api('/i/2fa/remove-key', { + token: otpToken(registerResponse.body.secret), password, credentialId: key.id, }, alice); @@ -418,6 +454,12 @@ describe('2要素認証', () => { }); assert.strictEqual(signinResponse.status, 200); assert.notEqual(signinResponse.body.i, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); test('が設定でき、設定解除できる。(パスワードのみでログインできる。)', async () => { @@ -438,6 +480,7 @@ describe('2要素認証', () => { assert.strictEqual(usersShowResponse.body.twoFactorEnabled, true); const unregisterResponse = await api('/i/2fa/unregister', { + token: otpToken(registerResponse.body.secret), password, }, alice); assert.strictEqual(unregisterResponse.status, 204); @@ -447,5 +490,11 @@ describe('2要素認証', () => { }); assert.strictEqual(signinResponse.status, 200); assert.notEqual(signinResponse.body.i, undefined); + + // 後片付け + await api('/i/2fa/unregister', { + password, + token: otpToken(registerResponse.body.secret), + }, alice); }); }); diff --git a/packages/frontend/src/components/MkInput.vue b/packages/frontend/src/components/MkInput.vue index e9397ce86f..315ce958c5 100644 --- a/packages/frontend/src/components/MkInput.vue +++ b/packages/frontend/src/components/MkInput.vue @@ -155,6 +155,10 @@ onMounted(() => { } }); }); + +defineExpose({ + focus, +}); From 1924bd20bb294bf2fdec6df922b3ec663102ae7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=8B=E3=81=A3=E3=81=93=E3=81=8B=E3=82=8A?= <67428053+kakkokari-gtyih@users.noreply.github.com> Date: Sat, 23 Sep 2023 09:08:14 +0900 Subject: [PATCH 11/62] =?UTF-8?q?enhance(frontend):=20=E3=83=97=E3=83=A9?= =?UTF-8?q?=E3=82=B0=E3=82=A4=E3=83=B3=E3=81=AE=E3=82=BD=E3=83=BC=E3=82=B9?= =?UTF-8?q?=E3=82=B3=E3=83=BC=E3=83=89=E3=82=92=E7=A2=BA=E8=AA=8D=E3=83=BB?= =?UTF-8?q?=E3=82=B3=E3=83=94=E3=83=BC=E3=81=A7=E3=81=8D=E3=82=8B=E3=82=88?= =?UTF-8?q?=E3=81=86=E3=81=AB=20(#11873)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * (add) plugin: view and copy source code * (fix) plugin permission ui * Update Changelog --- CHANGELOG.md | 2 + locales/index.d.ts | 1 + locales/ja-JP.yml | 1 + .../frontend/src/pages/settings/plugin.vue | 61 ++++++++++++++----- packages/frontend/src/store.ts | 3 + 5 files changed, 52 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6c66f0859..7c4134bdef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ - Enhance: ノート詳細ページ読み込み時のパフォーマンスが向上しました - Enhance: タイムラインでリスト/アンテナ選択時のパフォーマンスを改善 - Enhance: 「Moderation note」、「Add moderation note」をローカライズできるように +- Enhance: プラグインのソースコードを確認・コピーできるように - Enhance: 細かなデザインの調整 - Fix: サーバー情報画面(`/instance-info/{domain}`)でブロックができないのを修正 - Fix: 未読のお知らせの「わかった」をクリック・タップしてもその場で「わかった」が消えない問題を修正 @@ -76,6 +77,7 @@ - Fix: Misskeyプラグインをインストールする際のAiScriptバージョンのチェックが0.14.0以降に対応していない問題を修正 - Fix: 他のサーバーのユーザーへ「メッセージを送信」した時の初期テキストのメンションが間違っている問題を修正 - Fix: 環境によってはMisskey Webが開けない問題を修正 +- Fix: プラグインの権限リストが見れない問題を修正 ### Server - Change: cacheRemoteFilesの初期値はfalseになりました diff --git a/locales/index.d.ts b/locales/index.d.ts index f6b6daae89..256f178124 100644 --- a/locales/index.d.ts +++ b/locales/index.d.ts @@ -1632,6 +1632,7 @@ export interface Locale { "install": string; "installWarn": string; "manage": string; + "viewSource": string; }; "_preferencesBackups": { "list": string; diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml index 82ced0aa3b..90d025d80f 100644 --- a/locales/ja-JP.yml +++ b/locales/ja-JP.yml @@ -1549,6 +1549,7 @@ _plugin: install: "プラグインのインストール" installWarn: "信頼できないプラグインはインストールしないでください。" manage: "プラグインの管理" + viewSource: "ソースを表示" _preferencesBackups: list: "作成したバックアップ" diff --git a/packages/frontend/src/pages/settings/plugin.vue b/packages/frontend/src/pages/settings/plugin.vue index e9bc8573b3..4a2d8d600e 100644 --- a/packages/frontend/src/pages/settings/plugin.vue +++ b/packages/frontend/src/pages/settings/plugin.vue @@ -10,28 +10,49 @@ SPDX-License-Identifier: AGPL-3.0-only
-
- {{ plugin.name }}v{{ plugin.version }} +
+
+ {{ plugin.name }}v{{ plugin.version }} + {{ i18n.ts.makeActive }} +
- {{ i18n.ts.makeActive }} - - - - - - - - - - - - - +
+ + + + + + + + + + + + +
{{ i18n.ts.settings }} {{ i18n.ts.uninstall }}
+ + + + + +
+
+ {{ i18n.ts.copy }} +
+ + +
+
@@ -44,8 +65,11 @@ import FormLink from '@/components/form/link.vue'; import MkSwitch from '@/components/MkSwitch.vue'; import FormSection from '@/components/form/section.vue'; import MkButton from '@/components/MkButton.vue'; +import MkCode from '@/components/MkCode.vue'; +import MkFolder from '@/components/MkFolder.vue'; import MkKeyValue from '@/components/MkKeyValue.vue'; import * as os from '@/os.js'; +import copyToClipboard from '@/scripts/copy-to-clipboard.js'; import { ColdDeviceStorage } from '@/store.js'; import { unisonReload } from '@/scripts/unison-reload.js'; import { i18n } from '@/i18n.js'; @@ -61,6 +85,11 @@ function uninstall(plugin) { }); } +function copy(plugin) { + copyToClipboard(plugin.src ?? ''); + os.success(); +} + // TODO: この処理をstore側にactionとして移動し、設定画面を開くAiScriptAPIを実装できるようにする async function config(plugin) { const config = plugin.config; diff --git a/packages/frontend/src/store.ts b/packages/frontend/src/store.ts index 16483f0cf7..8a7ee62eff 100644 --- a/packages/frontend/src/store.ts +++ b/packages/frontend/src/store.ts @@ -381,6 +381,9 @@ export type Plugin = { src: string | null; version: string; ast: any[]; + author?: string; + description?: string; + permissions?: string[]; }; interface Watcher { From 98209be01ae4ec408e84df41c8c6f9d270792b68 Mon Sep 17 00:00:00 2001 From: syuilo Date: Sat, 23 Sep 2023 09:37:26 +0900 Subject: [PATCH 12/62] Update ja-JP.yml Fix #11870 --- locales/ja-JP.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml index 82ced0aa3b..287895959c 100644 --- a/locales/ja-JP.yml +++ b/locales/ja-JP.yml @@ -2080,6 +2080,7 @@ _notification: _types: all: "すべて" + note: "ユーザーの新規投稿" follow: "フォロー" mention: "メンション" reply: "リプライ" From e8a098af62c7bd2f9953a814f7c43a64e6602343 Mon Sep 17 00:00:00 2001 From: syuilo Date: Sat, 23 Sep 2023 09:59:45 +0900 Subject: [PATCH 13/62] Update index.d.ts --- locales/index.d.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/locales/index.d.ts b/locales/index.d.ts index 256f178124..dbd485379f 100644 --- a/locales/index.d.ts +++ b/locales/index.d.ts @@ -2166,6 +2166,7 @@ export interface Locale { "notificationWillBeDisplayedLikeThis": string; "_types": { "all": string; + "note": string; "follow": string; "mention": string; "reply": string; From ad8ddbf12f9750446bb46cdb9a671f069f5bfd9f Mon Sep 17 00:00:00 2001 From: syuilo Date: Sat, 23 Sep 2023 09:59:50 +0900 Subject: [PATCH 14/62] :art: --- packages/frontend/src/components/MkNoteDetailed.vue | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/frontend/src/components/MkNoteDetailed.vue b/packages/frontend/src/components/MkNoteDetailed.vue index 94c6833b14..2b61240b96 100644 --- a/packages/frontend/src/components/MkNoteDetailed.vue +++ b/packages/frontend/src/components/MkNoteDetailed.vue @@ -143,7 +143,7 @@ SPDX-License-Identifier: AGPL-3.0-only
- +