TOTP google authenticator implemented properly well

src/controllers/account.rs

@@ -363,6 +363,177 @@ async fn change_password(
     password_view(&v, &jar, &user, true, None)
 }
 
+// ---- Two-factor authentication (TOTP / Google Authenticator) -------------
+//
+// Entirely opt-in. The security page has three shapes, all rendered from
+// `security.html`:
+//   * disabled  -> an "enable" button,
+//   * enrolling -> the QR + a confirm-code field (secret staged, not yet on),
+//   * enabled   -> status, remaining backup codes, disable/regenerate forms.
+// Both turning 2FA off and regenerating backup codes require re-entering the
+// account password, so a walk-up attacker on an open session can't weaken it.
+
+#[derive(Debug, Deserialize)]
+struct ConfirmTotpForm {
+    code: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct PasswordConfirmForm {
+    current_password: String,
+}
+
+/// Render the security page. Exactly one of (`enrolling`, plain status) applies;
+/// `backup_codes` is non-empty only on the one render right after enabling or
+/// regenerating, where the plaintext codes are shown once.
+#[allow(clippy::too_many_arguments)]
+fn security_view(
+    v: &TeraView,
+    jar: &CookieJar,
+    user: &users::Model,
+    enrolling: bool,
+    qr: Option<&str>,
+    secret: Option<&str>,
+    backup_codes: &[String],
+    error: Option<&str>,
+) -> Result<Response> {
+    format::view(
+        v,
+        "account/security.html",
+        json!({
+            "logged_in_admin": false,
+            "logged_in_customer": true,
+            "account_nav": true,
+            "customer_name": user.name,
+            "customer_account_type": user.account_type,
+            "totp_enabled": user.totp_enabled(),
+            "enrolling": enrolling,
+            "qr": qr,
+            "secret": secret,
+            "backup_codes": backup_codes,
+            "backup_remaining": user.backup_codes_remaining(),
+            "error": error,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+/// Common guard for every security handler: a signed-in, non-admin customer.
+async fn require_customer(ctx: &AppContext, jar: &CookieJar) -> Result<users::Model> {
+    match guard::current_user(ctx, jar).await {
+        Some(user) if guard::is_admin(ctx, &user) => Err(Error::string("admin")),
+        Some(user) => Ok(user),
+        None => Err(Error::Unauthorized("login required".into())),
+    }
+}
+
+#[debug_handler]
+async fn security_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    let Some(user) = guard::current_user(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if guard::is_admin(&ctx, &user) {
+        return format::redirect("/admin/dashboard");
+    }
+    security_view(&v, &jar, &user, false, None, None, &[], None)
+}
+
+/// Stage a fresh secret and show the QR + confirm-code field.
+#[debug_handler]
+async fn enable_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    // Already on — nothing to enroll.
+    if user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    let user = user.into_active_model().begin_totp_enrollment(&ctx.db).await?;
+    let Some((qr, secret)) = user.totp_provisioning() else {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("enroll"));
+    };
+    security_view(&v, &jar, &user, true, Some(&qr), Some(&secret), &[], None)
+}
+
+/// Verify the first code against the staged secret; on success flip 2FA on and
+/// show the one-time backup codes. On a wrong code, re-show the QR to retry.
+#[debug_handler]
+async fn confirm_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<ConfirmTotpForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_totp_code(&form.code) {
+        let qr = user.totp_provisioning();
+        let (qr, secret) = match &qr {
+            Some((q, s)) => (Some(q.as_str()), Some(s.as_str())),
+            None => (None, None),
+        };
+        return security_view(&v, &jar, &user, true, qr, secret, &[], Some("code"));
+    }
+    let (user, backup_codes) = user.into_active_model().enable_totp(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &backup_codes, None)
+}
+
+/// Turn 2FA off — requires the account password as confirmation.
+#[debug_handler]
+async fn disable_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<PasswordConfirmForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if !user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_password(&form.current_password) {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("password"));
+    }
+    let user = user.into_active_model().disable_totp(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &[], None)
+}
+
+/// Issue a fresh set of backup codes (invalidating the old ones) — also gated by
+/// the account password.
+#[debug_handler]
+async fn regenerate_backup_codes(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<PasswordConfirmForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if !user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_password(&form.current_password) {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("password"));
+    }
+    let (user, backup_codes) =
+        user.into_active_model().regenerate_backup_codes(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &backup_codes, None)
+}
+
 pub fn routes() -> Routes {
     Routes::new()
         .add("/account/profile", get(profile_page))
@@ -371,4 +542,9 @@ pub fn routes() -> Routes {
         .add("/account/orders/{order_number}", get(order_detail_page))
         .add("/account/password", get(change_password_page))
         .add("/account/password", post(change_password))
+        .add("/account/security", get(security_page))
+        .add("/account/security/enable", post(enable_totp))
+        .add("/account/security/confirm", post(confirm_totp))
+        .add("/account/security/disable", post(disable_totp))
+        .add("/account/security/backup-codes", post(regenerate_backup_codes))
 }