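/**
 * POST /login — authenticates either by username/password from the request
 * body or, when no username is sent, by the existing session (`req.user`).
 *
 * Responds with the user record minus `password` and `mfaSecret`; 403 when a
 * session user has MFA enabled but the session is not yet `mfaVerified`; and
 * 401 (after destroying the session) when neither path authenticates.
 * A password login succeeds before any one-time password is checked — routes
 * registered behind the MFA middleware stay blocked until POST /verify_otp.
 *
 * NOTE(review): `req.user` is presumably populated from the session by
 * middleware outside this snippet — confirm.
 */
app.post('/login', (req, res) => {
  let authenticatedUser;
  const { body } = req;

  if (body.username) {
    // Password login. Both sides must actually be strings: a user record
    // without a stored password combined with a request that omits
    // `password` would otherwise compare `undefined === undefined` and
    // authenticate.
    const user = getUser(body.username);
    // NOTE(review): this compares the stored value directly; the record should
    // hold a password hash checked with a constant-time comparison — confirm
    // what getUser returns.
    if (
      user &&
      typeof user.password === 'string' &&
      typeof body.password === 'string' &&
      user.password === body.password
    ) {
      authenticatedUser = user;
      // Create the session for this user. `mfaVerified` is reset explicitly so
      // an OTP verification done by a previously logged-in account on the same
      // session cannot carry over and bypass this account's MFA.
      req.session.username = body.username;
      req.session.mfaVerified = false;
    }
  } else if (req.user) {
    // Session login: a user with MFA enabled still owes a one-time password.
    authenticatedUser = req.user;
    if (req.user.mfaEnabled && !req.session.mfaVerified) {
      return res.status(403).end();
    }
  }

  if (!authenticatedUser) {
    // Neither path authenticated: drop the session and reject.
    req.session = null;
    return res.status(401).end();
  }

  // Never return the credential or the TOTP secret to the client.
  const { password, mfaSecret, ...response } = authenticatedUser;
  res.json(response);
});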
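/**
 * POST /verify_otp — checks the submitted TOTP code against the session
 * user's secret. On success the session is marked `mfaVerified`, the user
 * record is flagged `mfaEnabled` and persisted via setUser, and the client
 * receives JSON `true`; a wrong code yields JSON `false`.
 *
 * Responds 401 when there is no session user: the previous version
 * dereferenced `req.user` unconditionally and threw for anonymous requests.
 *
 * NOTE(review): TOTP codes are short; this endpoint should sit behind a rate
 * limit, which is not visible in this snippet.
 */
app.post('/verify_otp', (req, res) => {
  const user = req.user;
  if (!user) {
    return res.status(401).end();
  }
  if (!verifyTOTP(req.body.code, user.mfaSecret)) {
    return res.json(false);
  }
  // A successful verification also turns MFA on for the account.
  user.mfaEnabled = true;
  req.session.mfaVerified = true;
  setUser(user);
  res.json(true);
});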
// Routes beyond this point must have MFA verified if enabled
/**
 * Gate for every route registered after it: a session user whose account has
 * MFA enabled is rejected with 403 until the session is marked `mfaVerified`
 * (set by POST /verify_otp). Requests without a user pass through untouched.
 */
app.use((req, res, next) => {
  const user = req.user;
  if (!user || !user.mfaEnabled) {
    return next();
  }
  if (!req.session.mfaVerified) {
    return res.status(403).end();
  }
  next();
});