Need to perform 2FA before modifying factors

src/controllers/login_controller.rs

@@ -14,7 +14,7 @@ use crate::controllers::base_controller::{
 };
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::force_2fa_auth::Force2FAAuth;
-use crate::data::login_redirect::LoginRedirect;
+use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
 use crate::data::provider::{Provider, ProvidersManager};
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
 use crate::data::user::User;
@@ -129,10 +129,7 @@ pub async fn login_route(
     }
     // Check if the user has to validate a second factor
     else if SessionIdentity(id.as_ref()).need_2fa_auth() {
-        return redirect_user(&format!(
-            "/2fa_auth?redirect={}",
-            query.redirect.get_encoded()
-        ));
+        return redirect_user(&get_2fa_url(&query.redirect, false));
     }
     // Check if given login is not acceptable
     else if req

src/controllers/two_factor_api.rs

@@ -7,6 +7,7 @@ use crate::actors::users_actor;
 use crate::actors::users_actor::UsersActor;
 use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
@@ -29,6 +30,7 @@ pub struct AddTOTPRequest {
 }
 
 pub async fn save_totp_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<AddTOTPRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -77,6 +79,7 @@ pub struct AddWebauthnRequest {
 }
 
 pub async fn save_webauthn_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<AddWebauthnRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -121,6 +124,7 @@ pub struct DeleteFactorRequest {
 }
 
 pub async fn delete_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<DeleteFactorRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -145,6 +149,7 @@ pub async fn delete_factor(
 }
 
 pub async fn clear_login_history(
+    _critical: CriticalRoute,
     user: CurrentUser,
     users: web::Data<Addr<UsersActor>>,
     logger: ActionLogger,

src/controllers/two_factors_controller.rs

@@ -9,6 +9,7 @@ use qrcode_generator::QrCodeEcc;
 use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
 use crate::controllers::settings_controller::BaseSettingsPage;
 use crate::data::app_config::AppConfig;
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::User;
@@ -43,7 +44,7 @@ struct AddWebauhtnPage<'a> {
 }
 
 /// Manage two factors authentication methods route
-pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
+pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
     HttpResponse::Ok().body(
         TwoFactorsPage {
             p: BaseSettingsPage::get("Two factor auth", &user, None, None),
@@ -56,7 +57,7 @@ pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
 }
 
 /// Configure a new TOTP authentication factor
-pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
+pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
     let key = TotpKey::new_random();
 
     let qr_code = qrcode_generator::to_png_to_vec(
@@ -87,6 +88,7 @@ pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
 
 /// Configure a new security key factor
 pub async fn add_webauthn_factor_route(
+    _critical: CriticalRoute,
     user: CurrentUser,
     manager: WebAuthManagerReq,
 ) -> impl Responder {