Add 2FA on login

Author: Toowise

client/src/views/pages/login/Login.js

@@ -15,7 +15,6 @@ import {
   CInputGroupText,
   CFormInput,
   CButton,
-  CButtonGroup,
   CTooltip,
   CSpinner,
 } from '@coreui/react'
@@ -25,6 +24,8 @@ import { useStateContext } from '../../../context/contextProvider'
 const Login = () => {
   const [username, setUsername] = useState('')
   const [password, setPassword] = useState('')
+  const [code, setCode] = useState('')
+  const [step, setStep] = useState(1)
   const [isPasswordVisible, setIsPasswordVisible] = useState(false)
   const [errorMessage, setErrorMessage] = useState(null)
   const [isLoading, setIsLoading] = useState(false)
@@ -38,33 +39,35 @@ const Login = () => {
 
     try {
       const response = await axios.post('/login', { username, password })
-      const { token, user } = response.data
 
-      if (token && user?.userRole) {
-        // Store token and user info
-        sessionStorage.setItem('token', token)
-        sessionStorage.setItem('user', JSON.stringify(user))
+      // Proceed to 2FA step
+      setStep(2)
+    } catch (err) {
+      console.error(err)
+      setErrorMessage(err.response?.data?.message || 'Login failed.')
+    } finally {
+      setIsLoading(false)
+    }
+  }
 
-        // Notify app
-        window.dispatchEvent(new Event('storage'))
+  const handle2FAVerification = async (e) => {
+    e.preventDefault()
+    setIsLoading(true)
+    setErrorMessage(null)
 
-        // Set global user (if you're using context)
-        setUser(user)
+    try {
+      const response = await axios.post('/verify-2fa', { username, code })
+      const { token, user } = response.data
 
-        // Redirect based on role
-        if (user.userRole === 'admin') {
-          navigate('/admindashboard')
-        } else if (user.userRole === 'user') {
-          navigate('/')
-        } else {
-          setErrorMessage('Unknown role. Please contact support.')
-        }
-      } else {
-        setErrorMessage('Invalid credentials or user role not found.')
-      }
+      sessionStorage.setItem('token', token)
+      sessionStorage.setItem('user', JSON.stringify(user))
+      window.dispatchEvent(new Event('storage'))
+      setUser(user)
+
+      navigate(user.userRole === 'admin' ? '/admindashboard' : '/')
     } catch (err) {
       console.error(err)
-      setErrorMessage('Login failed. Please try again.')
+      setErrorMessage(err.response?.data?.message || '2FA verification failed.')
     } finally {
       setIsLoading(false)
     }
@@ -88,81 +91,78 @@ const Login = () => {
                     {errorMessage}
                   </CAlert>
                 )}
-                <CForm onSubmit={handleLogin}>
-                  <h1>Login</h1>
+
+                <CForm onSubmit={step === 1 ? handleLogin : handle2FAVerification}>
+                  <h1>{step === 1 ? 'Login' : '2FA Verification'}</h1>
                   <p className="text-body-secondary">Sign in to your account</p>
-                  <CInputGroup className="mb-3">
-                    <CInputGroupText>
-                      <FontAwesomeIcon icon={faUser} />
-                    </CInputGroupText>
-                    <CFormInput
-                      type="text"
-                      placeholder="Username"
-                      autoComplete="username"
-                      value={username}
-                      onChange={(e) => setUsername(e.target.value)}
-                      required
-                    />
-                  </CInputGroup>
-                  <CInputGroup className="mb-3">
-                    <CInputGroupText>
-                      <FontAwesomeIcon icon={faLock} />
-                    </CInputGroupText>
-                    <CFormInput
-                      type={isPasswordVisible ? 'text' : 'password'}
-                      placeholder="Password"
-                      autoComplete="current-password"
-                      value={password}
-                      onChange={(e) => setPassword(e.target.value)}
-                      required
-                    />
-                    <CInputGroupText>
-                      <CTooltip
-                        content={isPasswordVisible ? 'Hide password' : 'Show password'}
-                        placement="top"
-                      >
-                        <span onClick={() => setIsPasswordVisible(!isPasswordVisible)}>
-                          <FontAwesomeIcon icon={isPasswordVisible ? faEyeSlash : faEye} />
-                        </span>
-                      </CTooltip>
-                    </CInputGroupText>
-                  </CInputGroup>
-                  <p>
-                    <small>
-                      By continuing, you agree to our
-                      <a href="/policy" className="text-primary">
-                        {' '}
-                        Privacy Policy{' '}
-                      </a>
-                      and
-                      <a href="/terms" className="text-primary">
-                        {' '}
-                        Terms of Service
-                      </a>
-                      .
-                    </small>
-                  </p>
+
+                  {step === 1 ? (
+                    <>
+                      <CInputGroup className="mb-3">
+                        <CInputGroupText>
+                          <FontAwesomeIcon icon={faUser} />
+                        </CInputGroupText>
+                        <CFormInput
+                          type="text"
+                          placeholder="Username"
+                          autoComplete="username"
+                          value={username}
+                          onChange={(e) => setUsername(e.target.value)}
+                          required
+                        />
+                      </CInputGroup>
+
+                      <CInputGroup className="mb-3">
+                        <CInputGroupText>
+                          <FontAwesomeIcon icon={faLock} />
+                        </CInputGroupText>
+                        <CFormInput
+                          type={isPasswordVisible ? 'text' : 'password'}
+                          placeholder="Password"
+                          autoComplete="current-password"
+                          value={password}
+                          onChange={(e) => setPassword(e.target.value)}
+                          required
+                        />
+                        <CInputGroupText>
+                          <CTooltip
+                            content={isPasswordVisible ? 'Hide password' : 'Show password'}
+                            placement="top"
+                          >
+                            <span onClick={() => setIsPasswordVisible(!isPasswordVisible)}>
+                              <FontAwesomeIcon icon={isPasswordVisible ? faEyeSlash : faEye} />
+                            </span>
+                          </CTooltip>
+                        </CInputGroupText>
+                      </CInputGroup>
+                    </>
+                  ) : (
+                    <CInputGroup className="mb-3">
+                      <CInputGroupText>🔐</CInputGroupText>
+                      <CFormInput
+                        type="text"
+                        placeholder="Enter 2FA Code"
+                        value={code}
+                        onChange={(e) => setCode(e.target.value)}
+                        required
+                      />
+                    </CInputGroup>
+                  )}
+
                   <div className="d-grid mb-3">
-                    <CButtonGroup>
-                      <CButton type="submit" color="primary" className="rounded">
-                        Login
-                      </CButton>
-                      <CButton
-                        color="primary"
-                        className="rounded"
-                        onClick={() => navigate('/signup')}
-                      >
-                        Signup
-                      </CButton>
-                    </CButtonGroup>
+                    <CButton type="submit" color="primary" className="rounded">
+                      {step === 1 ? 'Login' : 'Verify Code'}
+                    </CButton>
                   </div>
-                  <CButton
-                    color="link"
-                    className="px-0 text-primary"
-                    onClick={() => console.log('Forgot password clicked')}
-                  >
-                    Forgot password?
-                  </CButton>
+
+                  {step === 1 && (
+                    <p>
+                      {"Don't have an account?"}{' '}
+                      <a href="/signup" className="signup-link">
+                        Signup
+                      </a>
+                    </p>
+                  )}
                 </CForm>
               </CCardBody>
             </CCard>

server/index.js

@@ -8,6 +8,7 @@ const socketIo = require('socket.io');
 const path = require("path");
 const bcryptjs = require('bcryptjs');
 const jwt = require('jsonwebtoken');
+const nodemailer = require('nodemailer')
 const admin = require("firebase-admin");
 const rateLimit = require('express-rate-limit');
 const serviceAccount = require("./firebase-service-account.json");
@@ -154,46 +155,71 @@ const getCoordinates = async (address) => {
   }
 };
 
+const twoFACodes = {}
+
+const transporter = nodemailer.createTransport({
+  service: 'gmail',
+  auth: {
+    user: process.env.MAIL_USER,
+    pass: process.env.MAIL_PASS,
+  },
+})
 
 //Login
 app.post('/login', async (req, res) => {
-  const { username, password } = req.body;
+  const { username, password } = req.body
 
   try {
-    
-    const user = await User.findOne({ username });
+    const user = await User.findOne({ username })
+    if (!user) return res.status(404).json({ message: 'User not found' })
+
+    const isPasswordValid = await bcryptjs.compare(password, user.password)
+    if (!isPasswordValid) return res.status(401).json({ message: 'Invalid credentials' })
+
+    // Generate a 2FA code
+    const code = Math.floor(100000 + Math.random() * 900000).toString()
+    twoFACodes[username] = { code, expires: Date.now() + 5 * 60 * 1000 }
+
+    // Send the code via email
+    await transporter.sendMail({
+      from: '"Login Verification" <noreply@example.com>',
+      to: user.email,
+      subject: 'Your Login 2FA Code',
+      text: `Your 2FA code is: ${code}. It expires in 5 minutes.`,
+    })
 
-    if (!user) {
-      return res.status(404).json({ message: 'User not found' });
-    }
+    res.json({ requires2FA: true, username })
+  } catch (error) {
+    console.error('Error during login:', error)
+    res.status(500).json({ message: 'Server error' })
+  }
+})
+// Verify 
+app.post('/verify-2fa', async (req, res) => {
+  const { username, code } = req.body
+  const entry = twoFACodes[username]
 
-    
-    const isPasswordValid = await bcryptjs.compare(password, user.password);
+  if (!entry || entry.code !== code || Date.now() > entry.expires) {
+    return res.status(401).json({ message: 'Invalid or expired 2FA code' })
+  }
 
-    if (!isPasswordValid) {
-      return res.status(401).json({ message: 'Invalid credentials' });
-    }
+  delete twoFACodes[username]
 
-   
-    const token = jwt.sign(
-      { username: user.username, userRole: user.userRole },
-      process.env.JWT_SECRET,  
-      { expiresIn: '1h' }  
-    );
+  const user = await User.findOne({ username })
+  const token = jwt.sign(
+    { username: user.username, userRole: user.userRole },
+    process.env.JWT_SECRET,
+    { expiresIn: '1h' }
+  )
 
-    console.log(user);
-    res.json({ 
-      token, 
-      user: { 
-        username: user.username, 
-        userRole: user.userRole  
-      } 
-    });
-  } catch (error) {
-    console.error('Error during login:', error);
-    res.status(500).json({ message: 'Server error' });
-  }
-});
+  res.json({
+    token,
+    user: {
+      username: user.username,
+      userRole: user.userRole,
+    },
+  })
+})
 
 //Signup 
 app.post("/signup", async (req, res) => {

server/package-lock.json

@@ -28,6 +28,7 @@
         "lint": "^1.1.2",
         "mongodb": "^6.9.0",
         "mongoose": "^8.7.1",
+        "nodemailer": "^6.10.1",
         "pino": "^9.3.2",
         "pino-http": "^10.3.0",
         "pino-pretty": "^11.2.2",