From 97d78b032ecdb3d106d13305c2abe77fc2a6fb2d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 17 Apr 2020 18:30:14 +0200
Subject: [PATCH] Make totp enrollment work
---
 pkg/routes/routes.go | 6 +++---
 pkg/user/totp.go | 25 +++++++++++--------------
 2 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 013222824..fecbd08e4 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -209,9 +209,9 @@ func registerAPIRoutes(a *echo.Group) {
 u.GET("s", apiv1.UserList)
 u.POST("/token", apiv1.RenewToken)
 u.POST("/settings/email", apiv1.UpdateUserEmail)
- u.POST("/totp/enroll", apiv1.UserTOTPEnroll)
- u.POST("/totp/enable", apiv1.UserTOTPEnable)
- u.POST("/totp/qrcode", apiv1.UserTOTPQrCode)
+ u.POST("/settings/totp/enroll", apiv1.UserTOTPEnroll)
+ u.POST("/settings/totp/enable", apiv1.UserTOTPEnable)
+ u.GET("/settings/totp/qrcode", apiv1.UserTOTPQrCode)
 listHandler := &handler.WebHandler{
 EmptyStruct: func() handler.CObject {
diff --git a/pkg/user/totp.go b/pkg/user/totp.go
index 763f8849d..2b8fd35e6 100644
--- a/pkg/user/totp.go
+++ b/pkg/user/totp.go
@@ -40,22 +40,17 @@ func (T *TOTP) TableName() string {
 // TOTPPasscode is used to validate a users totp passcode
 type TOTPPasscode struct {
- User *User
- Passcode string
-}
-
-// IsTotpEnabledForUser returns a boolean if an activated totp entry is available for this user
-func IsTotpEnabledForUser(user *User) (bool, error) {
- return x.Where("user_id = ? AND enabled = ?", user.ID, true).Exist(&TOTP{})
+ User *User `json:"-"`
+ Passcode string `json:"passcode"`
 }
 func getTOTPForUser(user *User) (t *TOTP, err error) {
 t = &TOTP{}
- _, err = x.Where("user_id = ?", user.ID).Get(t)
+ exists, err := x.Where("user_id = ?", user.ID).Get(t)
 if err != nil {
 return
 }
- if !t.Enabled {
+ if !exists {
 return nil, ErrTOTPNotEnabled{}
 }
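Review bot: Switching `/settings/totp/qrcode` from POST to GET makes the response cacheable by the browser and any intermediary unless the handler says otherwise, and that image presumably encodes the user's TOTP secret. `UserTOTPQrCode` is not part of this patch, so confirm it sends `Cache-Control: no-store`, and record the requirement next to the route with a comment such as `// QR code embeds the TOTP secret: handler must set Cache-Control: no-store`. registerAPIRoutes starts and ends outside the hunk.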
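Review bot: getTOTPForUser now fails only when no row exists, so it also returns a secret that was enrolled but never confirmed, and with IsTotpEnabledForUser removed none of the visible hunks still tests `Enabled`. Any caller that uses this lookup to decide whether a second factor is required, or to validate a passcode at login (none are visible here), has to check `t.Enabled` itself. A doc comment would make that contract explicit: `// getTOTPForUser returns the user's TOTP entry whether or not it is enabled; callers gating authentication must check t.Enabled.` The returned `ErrTOTPNotEnabled{}` now effectively means "not enrolled", which is worth either renaming or documenting. The function body ends outside the hunk.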
@@ -64,17 +59,17 @@ func getTOTPForUser(user *User) (t *TOTP, err error) {
 // EnrollTOTP creates a new TOTP entry for the user - it does not enable it yet.
 func EnrollTOTP(user *User) (t *TOTP, err error) {
- is, err := IsTotpEnabledForUser(user)
+ isEnrolled, err := x.Where("user_id = ?", user.ID).Exist(&TOTP{})
 if err != nil {
 return
 }
- if is {
+ if isEnrolled {
 return nil, ErrTOTPAlreadyEnabled{}
 }
 key, err := totp.Generate(totp.GenerateOpts{
 Issuer: "Vikunja",
- AccountName: user.Email,
+ AccountName: user.Username,
 })
 if err != nil {
 return
@@ -97,8 +92,10 @@ func EnableTOTP(passcode *TOTPPasscode) (err error) {
 return
 }
- t.Enabled = true
- _, err = x.Where("id = ?", t.ID).Update(t)
+ _, err = x.
+ Where("id = ?", t.ID).
+ Cols("enabled").
+ Update(&TOTP{Enabled: true})
 return
 }
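Review bot: The new existence check in EnrollTOTP returns `ErrTOTPAlreadyEnabled{}` for a row that was enrolled but never confirmed, so a user who abandons enrollment before scanning the code cannot start over unless some path not visible here deletes the pending row. Consider rejecting only when the existing row has `Enabled` set and replacing a pending one, or at least returning a distinct "already enrolled" error so the client can send the user back to the QR code step. The check and the later insert are also separate queries, so a unique constraint on `user_id` (not visible in this patch) would be needed to stop two concurrent requests from creating two secrets. The insert itself is outside this hunk.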