- added backup codes for 2 factor authentication

- npm updates
- coverage validation: elevation ust be positive, depth must be negative
- vinejs-provider.js: get enabled extensions from database, not via validOptions.extnames
- vue components for backup codes: e.g.: PersonalSettings.vue
- validate spaital coverage in leaflet map: draw.component.vue, map.component.vue
- add backup code authentication into Login.vue
- preset to use no preferred reviewer: Release.vue
- 2 new vinejs validation rules: file_scan.ts and file-length.ts

app/Controllers/Http/Auth/AuthController.ts

@@ -1,8 +1,10 @@
 import type { HttpContext } from '@adonisjs/core/http';
 import User from '#models/user';
+import BackupCode from '#models/backup_code';
 // import Hash from '@ioc:Adonis/Core/Hash';
 // import InvalidCredentialException from 'App/Exceptions/InvalidCredentialException';
 import { authValidator } from '#validators/auth';
+import hash from '@adonisjs/core/services/hash';
 
 import TwoFactorAuthProvider from '#app/services/TwoFactorAuthProvider';
 // import { Authenticator } from '@adonisjs/auth';
@@ -31,22 +33,22 @@ export default class AuthController {
             // await auth.use('web').attempt(email, plainPassword);
 
             // const user = await auth.use('web').verifyCredentials(email, password);
-            const user = await User.verifyCredentials(email, password)
-        
+            const user = await User.verifyCredentials(email, password);
+
             if (user.isTwoFactorEnabled) {
                 // session.put("login.id", user.id);
                 // return view.render("pages/two-factor-challenge");
 
                 session.flash('user_id', user.id);
                 return response.redirect().back();
-            
+
                 // let state = LoginState.STATE_VALIDATED;
                 // return response.status(StatusCodes.OK).json({
                 //     state: state,
                 //     new_user_id: user.id,
                 // });
-            }         
-            
+            }
+
             await auth.use('web').login(user);
         } catch (error) {
             // if login fails, return vague form message and redirect back
@@ -59,10 +61,9 @@ export default class AuthController {
     }
 
     public async twoFactorChallenge({ request, session, auth, response }: HttpContext) {
-        const { code, recoveryCode, login_id } = request.only(['code', 'recoveryCode', 'login_id']);
-        // const user = await User.query().where('id', session.get('login.id')).firstOrFail();
+        const { code, backup_code, login_id } = request.only(['code', 'backup_code', 'login_id']);      
         const user = await User.query().where('id', login_id).firstOrFail();
-      
+
         if (code) {
             const isValid = await TwoFactorAuthProvider.validate(user, code);
             if (isValid) {
@@ -70,17 +71,46 @@ export default class AuthController {
                 await auth.use('web').login(user);
                 response.redirect('/apps/dashboard');
             } else {
-                session.flash('message', 'Your tow factor code is incorrect');
+                session.flash('message', 'Your two-factor code is incorrect');
+            return response.redirect().back();
+            }
+        } else if (backup_code) {
+            const codes: BackupCode[] = await user.getBackupCodes();
+          
+            // const verifiedBackupCodes = await Promise.all(
+            //     codes.map(async (backupCode) => {
+            //         let isVerified = await hash.verify(backupCode.code, backup_code);
+            //         if (isVerified) {
+            //             return backupCode;
+            //         }
+            //     }),
+            // );
+            // const backupCodeToDelete = verifiedBackupCodes.find(Boolean);
+
+            let backupCodeToDelete = null;
+            for (const backupCode of codes) {
+                const isVerified = await hash.verify(backupCode.code, backup_code);
+                if (isVerified) {
+                    backupCodeToDelete = backupCode;
+                    break;
+                }
+            }
+
+            if (backupCodeToDelete) {   
+                    if (backupCodeToDelete.used === false) {
+                        backupCodeToDelete.used = true;
+                        await backupCodeToDelete.save();
+                        console.log(`BackupCode with id ${backupCodeToDelete.id} has been marked as used.`);
+                        await auth.use('web').login(user);
+                        response.redirect('/apps/dashboard');
+                    } else {
+                        session.flash('message', 'BackupCode already used');
+                        return response.redirect().back();
+                    }                              
+            } else {
+                session.flash('message', 'BackupCode not found');
                 return response.redirect().back();
-            }
-        } else if (recoveryCode) {
-            const codes = user?.twoFactorRecoveryCodes ?? [];
-            if (codes.includes(recoveryCode)) {
-                user.twoFactorRecoveryCodes = codes.filter((c) => c !== recoveryCode);
-                await user.save();
-                await auth.use('web').login(user);
-                response.redirect('/apps/dashboard');
-            }
+            }           
         }
     }