feat(core): Add MFA

package.json

@@ -34,7 +34,7 @@
     "test:e2e:all": "cross-env E2E_TESTS=true start-server-and-test start http://localhost:5678/favicon.ico 'cypress run --headless'"
   },
   "dependencies": {
-    "n8n": "*"
+    "n8n": "^0.210.1"
   },
   "devDependencies": {
     "@n8n_io/eslint-config": "*",

packages/cli/package.json

@@ -118,6 +118,7 @@
     "@rudderstack/rudder-sdk-node": "1.0.6",
     "@sentry/integrations": "^7.28.1",
     "@sentry/node": "^7.28.1",
+    "@types/speakeasy": "^2.0.7",
     "axios": "^0.21.1",
     "basic-auth": "^2.0.1",
     "bcryptjs": "^2.4.3",
@@ -190,6 +191,7 @@
     "shelljs": "^0.8.5",
     "source-map-support": "^0.5.21",
     "sqlite3": "^5.1.4",
+    "speakeasy": "^2.0.0",
     "sse-channel": "^4.0.0",
     "swagger-ui-express": "^4.3.0",
     "syslog-client": "^1.1.1",

packages/cli/src/Mfa/MfaController.ts

@@ -0,0 +1,73 @@
+/* eslint-disable import/no-cycle */
+import express from 'express';
+import * as speakeasy from 'speakeasy';
+import { Db } from '..';
+import type { AuthenticatedRequest } from '../requests';
+import type { MFA } from './types';
+import { v4 as uuid } from 'uuid';
+
+export const mfaController = express.Router();
+
+/**
+ * GET /mfa/qr
+ */
+mfaController.get('/qr', async (req: AuthenticatedRequest, res: express.Response) => {
+	const secret = speakeasy.generateSecret({
+		issuer: 'n8n',
+		name: req.user.email,
+		otpauth_url: true,
+	});
+
+	const codes = Array.from(Array(5)).map(() => uuid());
+
+	await Db.collections.User.update(req.user.id, {
+		mfaSecret: secret.base32,
+		mfaRecoveryCodes: codes.join('|'),
+	});
+
+	return res
+		.status(200)
+		.json({ data: { secret: secret.base32, qrCode: secret.otpauth_url, recoveryCodes: codes } });
+});
+
+/**
+ * POST /mfa/enable
+ */
+mfaController.post('/enable', async (req: MFA.activate, res: express.Response) => {
+	const { id } = req.user;
+
+	await Db.collections.User.update(id, { mfaEnabled: true });
+
+	return res.status(200).json();
+});
+
+/**
+ * POST /mfa/disable
+ */
+mfaController.delete('/disable', async (req: AuthenticatedRequest, res: express.Response) => {
+	await Db.collections.User.update(req.user.id, { mfaEnabled: false, mfaSecret: '' });
+
+	return res.status(200).json();
+});
+
+/**
+ * POST /mfa/verify
+ */
+mfaController.post('/verify', async (req: MFA.verify, res: express.Response) => {
+	const { mfaSecret: secret, id } = req.user;
+	const { token } = req.body;
+
+	const user = await Db.collections.User.findOneBy({ id });
+
+	if (!user) return res.status(400).json();
+
+	const verified = speakeasy.totp.verify({
+		secret: secret ?? '',
+		encoding: 'base32',
+		token,
+	});
+
+	if (!verified) return res.status(400).json();
+
+	return res.status(200).json();
+});

packages/cli/src/Mfa/helpers.ts

@@ -0,0 +1,20 @@
+import type { User } from '@/databases/entities/User';
+import * as speakeasy from 'speakeasy';
+
+export const validateMfaToken = (user: User, mfaToken: string) => {
+	return speakeasy.totp.verify({
+		secret: user.mfaSecret ?? '',
+		encoding: 'base32',
+		token: mfaToken,
+	});
+};
+
+export const validateMfaRecoveryCode = (user: User, mfaRecoveryCode: string) => {
+	if (user?.mfaRecoveryCodes) {
+		const recoveryCodes = user.mfaRecoveryCodes.split('|');
+		if (recoveryCodes.includes(mfaRecoveryCode)) {
+			return true;
+		}
+	}
+	return false;
+};

packages/cli/src/Mfa/types.d.ts

@@ -0,0 +1,24 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+import type express from 'express';
+import type { User } from '../databases/entities/User';
+
+export type AuthenticatedRequest<
+	RouteParams = {},
+	ResponseBody = {},
+	RequestBody = {},
+	RequestQuery = {},
+> = express.Request<RouteParams, ResponseBody, RequestBody, RequestQuery> & {
+	user: User;
+};
+
+export declare namespace MFA {
+	type verify = AuthenticatedRequest<{}, {}, { token: string }, {}>;
+	type activate = AuthenticatedRequest<{}, {}, { token: string }, {}>;
+	type config = AuthenticatedRequest<{}, {}, { login: { enabled: boolean } }, {}>;
+	type validateRecoveryCode = AuthenticatedRequest<
+		{},
+		{},
+		{ recoveryCode: { enabled: boolean } },
+		{}
+	>;
+}

packages/cli/src/ResponseHelper.ts

@@ -46,8 +46,8 @@ export class BadRequestError extends ResponseError {
 }
 
 export class AuthError extends ResponseError {
-	constructor(message: string) {
-		super(message, 401);
+	constructor(message: string, errorCode?: number) {
+		super(message, 401, errorCode);
 	}
 }
 

packages/cli/src/Server.ts

@@ -145,6 +145,7 @@ import { AbstractServer } from './AbstractServer';
 import { configureMetrics } from './metrics';
 import { setupBasicAuth } from './middlewares/basicAuth';
 import { setupExternalJWTAuth } from './middlewares/externalJWTAuth';
+import { mfaController } from './Mfa/MfaController';
 
 const exec = promisify(callbackExec);
 
@@ -448,6 +449,12 @@ class Server extends AbstractServer {
 			this.app.use(`/${this.restEndpoint}/nodes`, nodesController);
 		}
 
+		// ----------------------------------------
+		// MFA
+		// ----------------------------------------
+
+		this.app.use(`/${this.restEndpoint}/mfa`, mfaController);
+
 		// ----------------------------------------
 		// Workflow
 		// ----------------------------------------

packages/cli/src/controllers/auth.controller.ts

@@ -1,6 +1,6 @@
 import validator from 'validator';
 import { Get, Post, RestController } from '@/decorators';
-import { AuthError, BadRequestError, InternalServerError } from '@/ResponseHelper';
+import { BadRequestError, InternalServerError, AuthError } from '@/ResponseHelper';
 import { sanitizeUser } from '@/UserManagement/UserManagementHelper';
 import { issueCookie, resolveJwt } from '@/auth/jwt';
 import { AUTH_COOKIE_NAME } from '@/constants';
@@ -13,6 +13,7 @@ import { In } from 'typeorm';
 import type { Config } from '@/config';
 import type { PublicUser, IDatabaseCollections, IInternalHooksClass } from '@/Interfaces';
 import { handleEmailLogin, handleLdapLogin } from '@/auth';
+import { validateMfaRecoveryCode, validateMfaToken } from '@/Mfa/helpers';
 
 @RestController()
 export class AuthController {
@@ -47,14 +48,24 @@ export class AuthController {
 	 */
 	@Post('/login')
 	async login(req: LoginRequest, res: Response): Promise<PublicUser> {
-		const { email, password } = req.body;
+		const { email, password, mfaToken = '', mfaRecoveryCode = '' } = req.body;
 		if (!email) throw new Error('Email is required to log in');
 		if (!password) throw new Error('Password is required to log in');
 
 		const user =
 			(await handleLdapLogin(email, password)) ?? (await handleEmailLogin(email, password));
 
 		if (user) {
+			console.log(user);
+			console.log(mfaToken);
+			console.log('valid mFA TOKEN', validateMfaToken(user, mfaToken));
+			if (
+				user.mfaEnabled &&
+				!(validateMfaToken(user, mfaToken) || validateMfaRecoveryCode(user, mfaRecoveryCode))
+			) {
+				throw new AuthError('MFA Error', 998);
+			}
+
 			await issueCookie(res, user);
 			return sanitizeUser(user);
 		}

packages/cli/src/databases/entities/User.ts

@@ -103,6 +103,15 @@ export class User extends AbstractEntity implements IUser {
 	@Index({ unique: true })
 	apiKey?: string | null;
 
+	@Column({ type: String, nullable: true })
+	mfaSecret?: string | null;
+
+	@Column({ type: Boolean, default: false })
+	mfaEnabled?: boolean;
+
+	@Column({ type: String, nullable: true })
+	mfaRecoveryCodes?: string | null;
+
 	/**
 	 * Whether the user is pending setup completion.
 	 */

packages/cli/src/databases/migrations/sqlite/1669730543736-addMfaColumns.ts

@@ -0,0 +1,76 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import { getTablePrefix, logMigrationEnd, logMigrationStart } from '@db/utils/migrationHelpers';
+export class AddMfaColumns1669730543736 implements MigrationInterface {
+	name = 'AddMfaColumns1669730543736';
+
+	async up(queryRunner: QueryRunner): Promise<void> {
+		logMigrationStart(this.name);
+
+		const tablePrefix = getTablePrefix();
+
+		await queryRunner.query('PRAGMA foreign_keys=OFF');
+
+		await queryRunner.query(
+			`CREATE TABLE "temporary_user" (
+				"id" varchar PRIMARY KEY NOT NULL,
+				"email" varchar(255),
+				"firstName" varchar(32),
+				"lastName" varchar(32),
+				"password" varchar,
+				"resetPasswordToken" varchar,
+				"resetPasswordTokenExpiration" integer DEFAULT NULL,
+				"mfaEnabled" boolean DEFAULT false,
+				"mfaSecret" varchar DEFAULT NULL,
+				"mfaRecoveryCodes" varchar DEFAULT NULL,
+				"personalizationAnswers" text,
+				"createdAt" datetime(3) NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')),
+				"updatedAt" datetime(3) NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')),
+				"globalRoleId" integer NOT NULL,
+				"settings" text,
+				"apiKey" varchar DEFAULT NULL,
+				CONSTRAINT "FK_${tablePrefix}f0609be844f9200ff4365b1bb3d" FOREIGN KEY ("globalRoleId") REFERENCES "${tablePrefix}role" ("id") ON DELETE NO ACTION ON UPDATE NO ACTION)`,
+		);
+
+		await queryRunner.query(
+			`INSERT INTO "temporary_user"(
+				"id",
+				"email",
+				"firstName",
+				"lastName",
+				"password",
+				"resetPasswordToken",
+				"resetPasswordTokenExpiration",
+				"personalizationAnswers",
+				"createdAt",
+				"updatedAt",
+				"globalRoleId",
+				"settings",
+				"apiKey"
+				) SELECT
+				"id",
+				"email",
+				"firstName",
+				"lastName",
+				"password",
+				"resetPasswordToken",
+				"resetPasswordTokenExpiration",
+				"personalizationAnswers",
+				"createdAt",
+				"updatedAt",
+				"globalRoleId",
+				"settings",
+				"apiKey"
+				FROM "${tablePrefix}user"`,
+		);
+
+		await queryRunner.query(`DROP TABLE "${tablePrefix}user"`);
+
+		await queryRunner.query(`ALTER TABLE "temporary_user" RENAME TO "${tablePrefix}user"`);
+
+		await queryRunner.query('PRAGMA foreign_keys=ON');
+
+		logMigrationEnd(this.name);
+	}
+
+	async down(queryRunner: QueryRunner): Promise<void> {}
+}

packages/cli/src/databases/migrations/sqlite/index.ts

@@ -28,6 +28,7 @@ import { MessageEventBusDestinations1671535397530 } from './1671535397530-Messag
 import { DeleteExecutionsWithWorkflows1673268682475 } from './1673268682475-DeleteExecutionsWithWorkflows';
 import { CreateLdapEntities1674509946020 } from './1674509946020-CreateLdapEntities';
 import { PurgeInvalidWorkflowConnections1675940580449 } from './1675940580449-PurgeInvalidWorkflowConnections';
+import { AddMfaColumns1669730543736 } from './1669730543736-addMfaColumns';
 
 const sqliteMigrations = [
 	InitialMigration1588102412422,
@@ -60,6 +61,7 @@ const sqliteMigrations = [
 	DeleteExecutionsWithWorkflows1673268682475,
 	CreateLdapEntities1674509946020,
 	PurgeInvalidWorkflowConnections1675940580449,
+	AddMfaColumns1669730543736,
 ];
 
 export { sqliteMigrations };

packages/cli/src/requests.ts

@@ -250,6 +250,8 @@ export type LoginRequest = AuthlessRequest<
 	{
 		email: string;
 		password: string;
+		mfaToken?: string;
+		mfaRecoveryCode?: string;
 	}
 >;
 

packages/editor-ui/package.json

@@ -70,6 +70,7 @@
     "prettier": "^2.8.3",
     "prismjs": "^1.17.1",
     "stream-browserify": "^3.0.0",
+    "qrcode.vue": "^1.7.0",
     "timeago.js": "^4.0.2",
     "uuid": "^8.3.2",
     "v-click-outside": "^3.1.2",

packages/editor-ui/src/Interface.ts

@@ -543,6 +543,7 @@ export interface IUser extends IUserResponse {
 	inviteAcceptUrl?: string;
 	fullName?: string;
 	createdAt?: Date;
+	mfaEnabled: boolean;
 }
 
 export interface IVersionNotificationSettings {

packages/editor-ui/src/api/mfa.ts

@@ -0,0 +1,20 @@
+import { IRestApiContext } from '@/Interface';
+import { makeRestApiRequest } from '@/utils';
+
+export function getMfaQr(
+	context: IRestApiContext,
+): Promise<{ qrCode: string; secret: string; recoveryCodes: string[] }> {
+	return makeRestApiRequest(context, 'GET', '/mfa/qr');
+}
+
+export function enableMfa(context: IRestApiContext): Promise<void> {
+	return makeRestApiRequest(context, 'POST', '/mfa/enable');
+}
+
+export function verifyMfaToken(context: IRestApiContext, data: { token: string }): Promise<void> {
+	return makeRestApiRequest(context, 'POST', '/mfa/verify', data);
+}
+
+export function disableMfa(context: IRestApiContext): Promise<void> {
+	return makeRestApiRequest(context, 'DELETE', '/mfa/disable');
+}

packages/editor-ui/src/api/users.ts

@@ -17,7 +17,7 @@ export function getCurrentUser(context: IRestApiContext): Promise<IUserResponse
 
 export function login(
 	context: IRestApiContext,
-	params: { email: string; password: string },
+	params: { email: string; password: string; mfaToken?: string; mfaRecoveryToken?: string },
 ): Promise<IUserResponse> {
 	return makeRestApiRequest(context, 'POST', '/login', params);
 }