init

Author: pilcrowonpaper

.env.example

@@ -0,0 +1 @@
+ENCRYPTION_KEY=""

.eslintrc.json

@@ -1,3 +1,3 @@
 {
-  "extends": ["next/core-web-vitals", "next/typescript"]
+	"extends": ["next/core-web-vitals", "next/typescript", "prettier"]
 }

.gitignore

@@ -34,3 +34,6 @@ yarn-error.log*
 # typescript
 *.tsbuildinfo
 next-env.d.ts
+
+.env
+sqlite.db

.prettierrc

@@ -0,0 +1,5 @@
+{
+	"useTabs": true,
+	"trailingComma": "none",
+	"printWidth": 120
+}

README.md

@@ -1,36 +1,47 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
+# Email and password example with 2FA in Next.js
 
-## Getting Started
+Built with SQLite.
 
-First, run the development server:
+- Password check with HaveIBeenPwned
+- Email verification
+- 2FA with TOTP
+- 2FA recovery codes
+- Password reset
+- Login throttling and rate limiting
 
-```bash
-npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
-```
+Emails are just logged to the console. Rate limiting is implemented using JavaScript `Map`.
 
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+## Initialize project
 
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+Create `sqlite.db` and run `setup.sql`.
 
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
+```
+sqlite3 sqlite.db
+```
 
-## Learn More
+Create a .env file. Generate a 128 bit (16 byte) string, base64 encode it, and set it as `ENCRYPTION_KEY`.
 
-To learn more about Next.js, take a look at the following resources:
+```bash
+ENCRYPTION_KEY="L9pmqRJnO1ZJSQ2svbHuBA=="
+```
 
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+> You can use OpenSSL to quickly generate a secure key.
+>
+> ```bash
+> openssl rand --base64 16
+> ```
 
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
+Run the application:
 
-## Deploy on Vercel
+```
+pnpm dev
+```
 
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+## Notes
 
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
+- We do not consider user enumeration to be a real vulnerability so please don't open issues on it. If you really need to prevent it, just don't use emails.
+- This example does not handle unexpected errors gracefully.
+- There are some major code duplications (specifically for 2FA) to keep the codebase simple.
+- TODO: You may need to rewrite some queries and use transactions to avoid race conditions when using MySQL, Postgres, etc.
+- TODO: This project relies on the `X-Forwarded-For` header for getting the client's IP address.
+- TODO: Logging should be implemented.

actions/2fa.ts

@@ -0,0 +1,187 @@
+"use server";
+
+import { recoveryCodeBucket, resetUser2FAWithRecoveryCode, totpBucket } from "@/lib/server/2fa";
+import { RefillingTokenBucket } from "@/lib/server/rate-limit";
+import { getCurrentSession, setSessionAs2FAVerified } from "@/lib/server/session";
+import { getUserTOTPKey, updateUserTOTPKey } from "@/lib/server/user";
+import { decodeBase64 } from "@oslojs/encoding";
+import { verifyTOTP } from "@oslojs/otp";
+import { redirect } from "next/navigation";
+
+export async function verify2FAAction(_prev: ActionResult, formData: FormData): Promise<ActionResult> {
+	const { session, user } = getCurrentSession();
+	if (session === null) {
+		return {
+			message: "Not authenticated"
+		};
+	}
+	if (!user.emailVerified) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!user.registered2FA) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!totpBucket.check(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+
+	const code = formData.get("code");
+	if (typeof code !== "string") {
+		return {
+			message: "Invalid or missing fields"
+		};
+	}
+	if (code === "") {
+		return {
+			message: "Enter your code"
+		};
+	}
+	if (!totpBucket.consume(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+	const totpKey = getUserTOTPKey(user.id);
+	if (totpKey === null) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!verifyTOTP(totpKey, 30, 6, code)) {
+		return {
+			message: "Invalid code"
+		};
+	}
+	totpBucket.reset(user.id);
+	setSessionAs2FAVerified(session.id);
+	return redirect("/");
+}
+
+const totpUpdateBucket = new RefillingTokenBucket<number>(3, 60 * 10);
+
+export async function setup2FAAction(_prev: ActionResult, formData: FormData): Promise<ActionResult> {
+	const { session, user } = getCurrentSession();
+	if (session === null) {
+		return {
+			message: "Not authenticated"
+		};
+	}
+	if (!user.emailVerified) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (user.registered2FA && !session.twoFactorVerified) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!totpUpdateBucket.check(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+
+	const encodedKey = formData.get("key");
+	const code = formData.get("code");
+	if (typeof encodedKey !== "string" || typeof code !== "string") {
+		return {
+			message: "Invalid or missing fields"
+		};
+	}
+	if (code === "") {
+		return {
+			message: "Please enter your code"
+		};
+	}
+	if (encodedKey.length !== 28) {
+		return {
+			message: "Please enter your code"
+		};
+	}
+	let key: Uint8Array;
+	try {
+		key = decodeBase64(encodedKey);
+	} catch {
+		return {
+			message: "Invalid key"
+		};
+	}
+	if (key.byteLength !== 20) {
+		return {
+			message: "Invalid key"
+		};
+	}
+	if (!totpUpdateBucket.consume(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+	if (!verifyTOTP(key, 30, 6, code)) {
+		return {
+			message: "Invalid code"
+		};
+	}
+	updateUserTOTPKey(session.userId, key);
+	setSessionAs2FAVerified(session.id);
+	return redirect("/recovery-code");
+}
+
+export async function reset2FAAction(_prev: ActionResult, formData: FormData): Promise<ActionResult> {
+	const { session, user } = getCurrentSession();
+	if (session === null) {
+		return {
+			message: "Not authenticated"
+		};
+	}
+	if (!user.emailVerified) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!user.registered2FA) {
+		return {
+			message: "Forbidden"
+		};
+	}
+	if (!recoveryCodeBucket.check(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+
+	const code = formData.get("code");
+	if (typeof code !== "string") {
+		return {
+			message: "Invalid or missing fields"
+		};
+	}
+	if (code === "") {
+		return {
+			message: "Please enter your code"
+		};
+	}
+	if (!recoveryCodeBucket.consume(user.id, 1)) {
+		return {
+			message: "Too many requests"
+		};
+	}
+	const valid = resetUser2FAWithRecoveryCode(user.id, code);
+	if (!valid) {
+		return {
+			message: "Invalid recovery code"
+		};
+	}
+	recoveryCodeBucket.reset(user.id);
+	return redirect("/2fa/setup");
+}
+
+interface ActionResult {
+	message: string;
+}