added twoFactorEnabled to authdata, added error when a user tries to …

…turn on 2fa when its already enabled

package.json

@@ -1,7 +1,7 @@
 {
     "name": "lbx-jwt",
     "description": "Provides JWT authentication for loopback applications. Includes storing roles inside tokens and handling refreshing. Built-in reuse detection.",
-    "version": "1.0.8",
+    "version": "1.0.9",
     "keywords": [
         "lb4",
         "LoopBack",
@@ -24,7 +24,8 @@
     "main": "dist/index.js",
     "author": "Tim Fabian",
     "scripts": {
-        "build": "lb-tsc && npm run copy:readme && npm run copy:license && npm run copy:contributing && npm run copy:mailTemplates",
+        "build": "lb-tsc && npm run copy:mailTemplates",
+        "build:prod": "lb-tsc && npm run copy:readme && npm run copy:license && npm run copy:contributing && npm run copy:mailTemplates",
         "build:watch": "npm run build --watch",
         "lint": "eslint --report-unused-disable-directives . --max-warnings 0",
         "lint:fix": "eslint --report-unused-disable-directives . --fix",

src/controllers/auth/auth-data.model.ts

@@ -60,6 +60,14 @@ export class AuthData<RoleType extends string> extends Model {
         // json schema restricting to certain roles is set in constructor.
     })
     roles: RoleType[];
+    /**
+     * Whether or not two factor authentication is enabled.
+     */
+    @property({
+        type: 'boolean',
+        required: true
+    })
+    twoFactorEnabled: boolean;
     /**
      * The id of the currently logged in user.
      */

src/controllers/auth/auth.controller.ts

@@ -108,6 +108,7 @@ export class LbxJwtAuthController<RoleType extends string> {
                 expirationDate: new Date(Date.now() + this.refreshTokenExpiresInMs)
             },
             roles: user.roles,
+            twoFactorEnabled: user.twoFactorEnabled ?? false,
             userId: user.id
         };
     }
@@ -146,6 +147,7 @@ export class LbxJwtAuthController<RoleType extends string> {
     ): Promise<Omit<AuthData<RoleType>, DefaultEntityOmitKeys>> {
         const refreshTokenObject: TokenObject = await this.refreshTokenService.refreshToken(refreshGrant.refreshToken);
         const encodedJwt: EncodedJwt<RoleType> = await JwtUtilities.verifyAsync(refreshTokenObject.accessToken, this.accessTokenSecret);
+        const user: BaseUser<string> = await this.baseUserRepository.findById(encodedJwt.payload.id);
         return {
             accessToken: {
                 value: refreshTokenObject.accessToken,
@@ -156,6 +158,7 @@ export class LbxJwtAuthController<RoleType extends string> {
                 expirationDate: new Date(Date.now() + this.refreshTokenExpiresInMs)
             },
             roles: encodedJwt.payload.roles,
+            twoFactorEnabled: user.twoFactorEnabled ?? false,
             userId: encodedJwt.payload.id
         };
     }

src/services/two-factor.service.ts

@@ -5,7 +5,7 @@ import crypto from 'crypto';
 import { encode } from 'hi-base32';
 import { TOTP } from 'otpauth';
 import { LbxJwtBindings } from '../keys';
-import { Credentials } from '../models';
+import { BaseUser, Credentials } from '../models';
 import { BaseUserRepository } from '../repositories';
 
 /**
@@ -32,6 +32,11 @@ export class TwoFactorService<RoleType extends string> {
      * @returns The qr code url.
      */
     async turnOn2FA(userId: string, options?: Options): Promise<string> {
+        const user: BaseUser<string> = await this.baseUserRepository.findById(userId);
+        if (user.twoFactorEnabled === true) {
+            throw new HttpErrors.BadRequest('The requesting user has already configured two factor authentication.');
+        }
+
         const secret: string = this.generateSecret();
         const totp: TOTP = new TOTP({ label: this.twoFactorLabel, secret: secret });