
Enforce TOTP verification during desktop sync setup #8920

Open
JYC333 wants to merge 10 commits into main from totp

Conversation

@JYC333 (Member) commented Mar 4, 2026

address part of #5650
close #8209
close #8272

dosubot bot added the size:L label (This PR changes 100-499 lines, ignoring generated files) on Mar 4, 2026

@gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security of the desktop sync setup process by integrating Two-Factor Authentication (TOTP). It introduces the necessary UI elements for users to provide their TOTP tokens and implements both client-side and server-side validation to ensure that synchronization attempts are properly authenticated with the required second factor, thereby protecting user data from unauthorized access.

Highlights

  • TOTP Integration in Desktop Sync Setup: Introduced a new input field for TOTP tokens in the desktop sync setup UI, allowing users to provide their two-factor authentication code during the synchronization process.
  • Client-Side TOTP Status Check and Enforcement: Implemented client-side logic to dynamically check if TOTP is enabled on the sync server. If enabled, the system now enforces the entry of a TOTP token before proceeding with the sync setup, providing immediate feedback to the user.
  • Server-Side TOTP Validation for Sync API: Updated the server-side API endpoints responsible for desktop sync setup to accept and validate TOTP tokens. This ensures that even if a client attempts to bypass the client-side check, the server will still enforce TOTP verification for enhanced security.
  • Enhanced Authentication Middleware: Modified the core authentication middleware to include TOTP verification for all incoming requests when two-factor authentication is enabled, accepting either a valid TOTP code or a recovery code.


Changelog
  • apps/client/src/setup.ts
    • Reordered imports for better organization.
    • Added totpToken and totpEnabled observable properties to SetupModel to manage TOTP state.
    • Initialized new TOTP related observables in the SetupModel constructor.
    • Converted selectSetupType method to an asynchronous function.
    • Introduced checkTotpStatus asynchronous method to query the sync server for its TOTP status.
    • Modified setupSyncFromServer to perform a checkTotpStatus before submission, validate the totpToken if TOTP is enabled, and include the totpToken in the API request.
  • apps/server/src/assets/translations/cn/server.json
    • Added Chinese translations for 'TOTP Token' and its placeholder text.
  • apps/server/src/assets/translations/en/server.json
    • Added English translations for 'TOTP Token' and its placeholder text.
  • apps/server/src/assets/translations/tw/server.json
    • Added Traditional Chinese translations for 'TOTP Token' and its placeholder text.
  • apps/server/src/assets/views/setup.ejs
    • Added a blur event handler to the syncServerHost input to trigger checkTotpStatus.
    • Included a new form group for the TOTP token input, which is conditionally visible based on the totpEnabled observable.
  • apps/server/src/express.d.ts
    • Extended the Request.headers interface to include trilium-totp for TOTP token transmission.
  • apps/server/src/routes/api/setup.ts
    • Reordered imports and added totp service import.
    • Included totpEnabled status in the getStatus API response.
    • Updated setupSyncFromServer to receive and pass the totpToken to the setup service.
    • Added a new checkServerTotpStatus API endpoint to determine if TOTP is enabled on the remote server.
    • Exported the new checkServerTotpStatus function.
  • apps/server/src/routes/routes.ts
    • Registered a new POST route /api/setup/check-server-totp to expose the TOTP status check API.
  • apps/server/src/services/api-interface.ts
    • Added totpEnabled: boolean to the SetupStatusResponse interface.
  • apps/server/src/services/auth.ts
    • Reordered imports and added recoveryCodeService import.
    • Modified checkCredentials to verify TOTP tokens from the trilium-totp header if TOTP is enabled, accepting either a valid TOTP code or a recovery code.
  • apps/server/src/services/request.ts
    • Added logic to include the trilium-totp header in outgoing requests if a totpToken is provided in the authentication options.
  • apps/server/src/services/request_interface.ts
    • Added an optional totpToken property to the ExecOpts.auth interface.
  • apps/server/src/services/setup.ts
    • Reordered imports for consistency.
    • Updated setupSyncFromSyncServer to accept and forward the totpToken when requesting the sync seed.
    • Implemented checkRemoteTotpStatus to query a remote sync server's TOTP status.
    • Exported the new checkRemoteTotpStatus function.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request effectively enforces TOTP verification during the desktop sync setup process. However, the implementation of the remote TOTP status check introduces a Server-Side Request Forgery (SSRF) vulnerability, requiring validation of user-supplied server addresses and proxies before making network requests. Additionally, a potential issue in how HTTP headers are handled could lead to authentication failures in edge cases.

Development

Successfully merging this pull request may close these issues:

  • Desktop Sync has no 2FA
  • Allow disabling app access when using TOTP