feat: 🎸 Ask user to login if any MFA configs are changed

2025-07-29 11:02:28 +08:00 · 2025-03-26 00:04:55 +01:00 · 2025-03-26 00:04:55 +01:00 · c1ed471403
commit c1ed471403
parent c2a6d517f0
3 changed files with 55 additions and 1 deletions
--- a/src/express.d.ts
+++ b/src/express.d.ts
@ -4,6 +4,10 @@ export declare module "express-serve-static-core" {
    interface Request {
        session: Session & {
            loggedIn: boolean;
+            lastAuthState: {
+                totpEnabled: boolean;
+                ssoEnabled: boolean;
+            };
        };
        headers: {
            "x-local-date"?: string;
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@ -88,6 +88,12 @@ function login(req: Request, res: Response) {
                req.session.cookie.maxAge = undefined;
            }

+            // 记录当前的认证状态
+            req.session.lastAuthState = {
+                totpEnabled: totp.isTotpEnabled(),
+                ssoEnabled: open_id.isOpenIDEnabled()
+            };
+
            req.session.loggedIn = true;
            res.redirect('.');
        });
--- a/src/routes/session_parser.ts
+++ b/src/routes/session_parser.ts
@ -3,6 +3,10 @@ import sessionFileStore from "session-file-store";
 import sessionSecret from "../services/session_secret.js";
 import dataDir from "../services/data_dir.js";
 import config from "../services/config.js";
+import totp from "../services/totp.js";
+import open_id from "../services/open_id.js";
+import type { Request, Response, NextFunction } from "express";
+
 const FileStore = sessionFileStore(session);

 const sessionParser = session({
@ -21,4 +25,44 @@ const sessionParser = session({
    })
 });

-export default sessionParser;
+// 创建一个检查认证状态的中间件
+const checkAuthState = (req: Request, res: Response, next: NextFunction) => {
+    // 如果用户未登录或者是登录页面，直接继续
+    if (!req.session.loggedIn || req.path === '/login') {
+        return next();
+    }
+
+    const currentTotpStatus = totp.isTotpEnabled();
+    const currentSsoStatus = open_id.isOpenIDEnabled();
+
+    // 从 session 中获取上次登录时的认证状态
+    const lastAuthState = req.session.lastAuthState || {
+        totpEnabled: false,
+        ssoEnabled: false
+    };
+
+    // 检查认证状态是否发生变化
+    if (lastAuthState.totpEnabled !== currentTotpStatus ||
+        lastAuthState.ssoEnabled !== currentSsoStatus) {
+        // 如果认证状态发生变化，先销毁当前 session
+        req.session.destroy((err) => {
+            if (err) {
+                console.error('Error destroying session:', err);
+            }
+            // 清除 cookie
+            res.clearCookie('trilium.sid');
+            // 重定向到登录页面
+            res.redirect('/login');
+        });
+        return;
+    }
+
+    next();
+};
+
+// 导出一个组合的中间件
+export default function (req: Request, res: Response, next: NextFunction) {
+    sessionParser(req, res, () => {
+        checkAuthState(req, res, next);
+    });
+}