Read authenticator_token from the database

Author: dormant-user

auth/json.go

@@ -27,7 +27,8 @@ type jsonCred struct {
 
 // JSONAuth is a json implementation of an Auther.
 type JSONAuth struct {
-	ReCaptcha *ReCaptcha `json:"recaptcha" yaml:"recaptcha"`
+	ReCaptcha          *ReCaptcha `json:"recaptcha" yaml:"recaptcha"`
+	AuthenticatorToken string     `json:"authenticator_token" yaml:"authenticator_token"`
 }
 
 // decodeUnicodeEscape decodes Unicode escape sequences in a string
@@ -230,7 +231,7 @@ func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, s
 		return nil, os.ErrPermission
 	}
 
-	if !users.CheckOtp(cred.Otp, settings.AuthenticatorToken) {
+	if !users.CheckOtp(cred.Otp, a.AuthenticatorToken) {
 		log.Printf("Warning: Login error for %s - invalid otp: [%s]", cred.Username, cred.Otp)
 		handleAuthError(r)
 		return nil, os.ErrPermission

cmd/config.go

@@ -39,6 +39,8 @@ func addConfigFlags(flags *pflag.FlagSet) {
 	flags.String("auth.header", "", "HTTP header for auth.method=proxy")
 	flags.String("auth.command", "", "command for auth.method=hook")
 
+	flags.String("authenticator_token", "", "OTP shared secret (leave blank to disable)")
+
 	flags.String("recaptcha.host", "https://www.google.com", "use another host for ReCAPTCHA. recaptcha.net might be useful in China")
 	flags.String("recaptcha.key", "", "ReCaptcha site key")
 	flags.String("recaptcha.secret", "", "ReCaptcha secret")
@@ -109,6 +111,19 @@ func getNoAuth() auth.Auther {
 
 func getJSONAuth(flags *pflag.FlagSet, defaultAuther map[string]interface{}) (auth.Auther, error) {
 	jsonAuth := &auth.JSONAuth{}
+	authenticationToken, err := getString(flags, "authenticator_token")
+	if err != nil {
+		return nil, err
+	}
+
+	if authenticationToken == "" {
+		if atok, ok := defaultAuther["authenticator_token"].(string); ok {
+			authenticationToken = atok
+		}
+	}
+
+	jsonAuth.AuthenticatorToken = authenticationToken
+
 	host, err := getString(flags, "recaptcha.host")
 	if err != nil {
 		return nil, err

http/static.go

@@ -78,8 +78,7 @@ func handleWithStaticData(w http.ResponseWriter, _ *http.Request, d *data, fSys
 			data["ReCaptchaKey"] = auther.ReCaptcha.Key
 		}
 
-		// If AUTHENTICATOR_TOKEN environment variable is set, enable OTP on frontend.
-		if settings.AuthenticatorToken != "" {
+		if auther.AuthenticatorToken != "" {
 			data["Otp"] = true
 		}
 	}

settings/settings.go

@@ -4,7 +4,6 @@ import (
 	"crypto/rand"
 	"io/fs"
 	"log"
-	"os"
 	"strings"
 	"time"
 
@@ -16,14 +15,6 @@ const DefaultMinimumPasswordLength = 12
 const DefaultFileMode = 0640
 const DefaultDirMode = 0750
 
-// Use env variable instead of config/database to easily override as/when needed.
-var AuthenticatorToken = func(a, b string) string {
-	if a != "" {
-		return a
-	}
-	return b
-}(os.Getenv("AUTHENTICATOR_TOKEN"), os.Getenv("authenticator_token"))
-
 // AuthMethod describes an authentication method.
 type AuthMethod string
 

storage/bolt/importer/conf.go

@@ -163,6 +163,7 @@ func importConf(db *storm.DB, path string, sto *storage.Storage) error {
 				Key:    cfg.ReCaptcha.Key,
 				Secret: cfg.ReCaptcha.Secret,
 			},
+			AuthenticatorToken: "",
 		}
 		s.AuthMethod = auth.MethodJSONAuth
 	}