From c8f05f2475a5a54550cf64ef57c8b612580273be Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Sat, 23 Nov 2024 18:55:47 +0100
Subject: [PATCH] fix: totp can't be enabled if user is a ldap user
---
 backend/src/auth/auth.service.ts | 8 ++++++++
 backend/src/auth/authTotp.service.ts | 8 +++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/backend/src/auth/auth.service.ts b/backend/src/auth/auth.service.ts
index c9e987d..cc899b5 100644
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -368,4 +368,12 @@ export class AuthService {
 return null;
 }
 }
+
+ async verifyPassword(user: User, password: string) {
+ if (!user.password && this.config.get("ldap.enabled")) {
+ return !!this.ldapService.authenticateUser(user.username, password);
+ }
+
+ return argon.verify(user.password, password);
+ }
 }
diff --git a/backend/src/auth/authTotp.service.ts b/backend/src/auth/authTotp.service.ts
index faa67c6..e832f20 100644
--- a/backend/src/auth/authTotp.service.ts
+++ b/backend/src/auth/authTotp.service.ts
@@ -5,7 +5,6 @@ import {
 UnauthorizedException,
 } from "@nestjs/common";
 import { User } from "@prisma/client";
-import * as argon from "argon2";
 import { authenticator, totp } from "otplib";
 import * as qrcode from "qrcode-svg";
 import { ConfigService } from "src/config/config.service";
@@ -65,7 +64,7 @@ export class AuthTotpService {
 }
 async enableTotp(user: User, password: string) {
- if (!(await argon.verify(user.password, password)))
+ if (!this.authService.verifyPassword(user, password))
 throw new ForbiddenException("Invalid password");
 // Check if we have a secret already
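Review bot: In the added `verifyPassword`, a user with no stored password while `ldap.enabled` is false falls through to `argon.verify(user.password, password)` with a null hash, which rejects (argon2 cannot parse a missing hash) instead of resolving false, so the TOTP callers surface a 500 rather than their intended ForbiddenException. The LDAP branch also wraps `this.ldapService.authenticateUser(...)` in `!!` without awaiting; if that method returns a Promise (its signature is not in this patch), the result is always true and any password would be accepted for an LDAP user. Give the method an explicit `Promise<boolean>` return type so the contract is visible at its call sites, return false early when there is no local hash and LDAP is disabled, and await the LDAP result. The rewritten method is below; the enclosing class continues outside the hunk.
```typescript
async verifyPassword(user: User, password: string): Promise<boolean> {
  if (!user.password) {
    // No local hash stored: only an LDAP bind can vouch for this user.
    if (!this.config.get("ldap.enabled")) return false;
    return !!(await this.ldapService.authenticateUser(user.username, password));
  }
  return argon.verify(user.password, password);
}
```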
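Review bot: `this.authService.verifyPassword(user, password)` is declared `async` in the first hunk but is not awaited here, so the `if` negates a Promise, which is always truthy; the password check can never fail and `enableTotp` proceeds regardless of the password supplied. The same missing `await` appears in the `verifyTotp` and `disableTotp` hunks of this file. Each call site should read `if (!(await this.authService.verifyPassword(user, password)))`, matching the shape of the line it replaces. Turning on `@typescript-eslint/no-misused-promises` would catch a Promise used in a boolean condition at lint time. The enclosing method continues past the end of the hunk.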
@@ -106,9 +105,8 @@ export class AuthTotpService {
 };
 }
- // TODO: Maybe require a token to verify that the user who started enabling totp is the one who is verifying it?
 async verifyTotp(user: User, password: string, code: string) {
- if (!(await argon.verify(user.password, password)))
+ if (!this.authService.verifyPassword(user, password))
 throw new ForbiddenException("Invalid password");
 const { totpSecret } = await this.prisma.user.findUnique({
@@ -137,7 +135,7 @@ export class AuthTotpService {
 }
 async disableTotp(user: User, password: string, code: string) {
- if (!(await argon.verify(user.password, password)))
+ if (!this.authService.verifyPassword(user, password))
 throw new ForbiddenException("Invalid password");
 const { totpSecret } = await this.prisma.user.findUnique({