Need to perform 2FA before modifying factors

src/data/critical_route.rs

@@ -0,0 +1,32 @@
+use crate::data::current_user::CurrentUser;
+use crate::data::from_request_redirect::FromRequestRedirect;
+use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
+use actix_web::dev::Payload;
+use actix_web::{FromRequest, HttpRequest};
+use std::future::Future;
+use std::pin::Pin;
+
+pub struct CriticalRoute;
+
+impl FromRequest for CriticalRoute {
+    type Error = FromRequestRedirect;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
+        let req = req.clone();
+
+        Box::pin(async move {
+            let current_user = CurrentUser::from_request(&req, &mut Payload::None)
+                .await
+                .expect("Failed to extract user identity!");
+
+            if current_user.should_request_2fa_for_critical_function() {
+                let url = get_2fa_url(&LoginRedirect::from_req(&req), true);
+
+                return Err(FromRequestRedirect::new(url));
+            }
+
+            Ok(Self)
+        })
+    }
+}

src/data/current_user.rs

@@ -10,8 +10,10 @@ use actix_web::{web, Error, FromRequest, HttpRequest};
 
 use crate::actors::users_actor;
 use crate::actors::users_actor::UsersActor;
+use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
+use crate::utils::time::time;
 
 pub struct CurrentUser {
     user: User,
@@ -19,6 +21,16 @@ pub struct CurrentUser {
     pub last_2fa_auth: Option<u64>,
 }
 
+impl CurrentUser {
+    pub fn should_request_2fa_for_critical_function(&self) -> bool {
+        self.user.has_two_factor()
+            && self
+                .last_2fa_auth
+                .map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
+                .unwrap_or(true)
+    }
+}
+
 impl From<CurrentUser> for User {
     fn from(user: CurrentUser) -> Self {
         user.user

src/data/from_request_redirect.rs

@@ -0,0 +1,32 @@
+use actix_web::body::BoxBody;
+use actix_web::http::StatusCode;
+use actix_web::{HttpResponse, ResponseError};
+use std::fmt::{Debug, Display, Formatter};
+
+#[derive(Debug)]
+pub struct FromRequestRedirect {
+    url: String,
+}
+
+impl FromRequestRedirect {
+    pub fn new(url: String) -> Self {
+        Self { url }
+    }
+}
+
+impl Display for FromRequestRedirect {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Redirect to {}", self.url)
+    }
+}
+
+impl ResponseError for FromRequestRedirect {
+    fn status_code(&self) -> StatusCode {
+        StatusCode::FOUND
+    }
+    fn error_response(&self) -> HttpResponse<BoxBody> {
+        HttpResponse::Found()
+            .insert_header(("Location", self.url.as_str()))
+            .body("Redirecting...")
+    }
+}

src/data/login_redirect.rs

@@ -1,7 +1,13 @@
+use actix_web::HttpRequest;
+
 #[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
 pub struct LoginRedirect(String);
 
 impl LoginRedirect {
+    pub fn from_req(req: &HttpRequest) -> Self {
+        Self(req.uri().to_string())
+    }
+
     pub fn get(&self) -> &str {
         match self.0.starts_with('/') && !self.0.starts_with("//") {
             true => self.0.as_str(),
@@ -19,3 +25,11 @@ impl Default for LoginRedirect {
         Self("/".to_string())
     }
 }
+
+/// Get the URL for 2FA authentication
+pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
+    format!(
+        "/2fa_auth?redirect={}&force_2fa={force_2fa}",
+        redir.get_encoded()
+    )
+}

src/data/mod.rs

@@ -3,9 +3,11 @@ pub mod action_logger;
 pub mod app_config;
 pub mod client;
 pub mod code_challenge;
+pub mod critical_route;
 pub mod current_user;
 pub mod entity_manager;
 pub mod force_2fa_auth;
+pub mod from_request_redirect;
 pub mod id_token;
 pub mod jwt_signer;
 pub mod login_redirect;