[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions

4 files changed, 99 insertions, 9 deletions

diff --git a/web/source/settings/lib/query/gts-api.ts b/web/source/settings/lib/query/gts-api.ts
index 540191132..9d38e435d 100644
--- a/web/source/settings/lib/query/gts-api.ts
+++ b/web/source/settings/lib/query/gts-api.ts
@@ -143,15 +143,20 @@ const gtsBaseQuery: BaseQueryFn<
 			return headers;
 		},
 		responseHandler: (response) => {
-			// Return just text if caller has
-			// set a custom accept content-type.
-			if (accept !== "application/json") {
-				return response.text();
+			switch (true) {
+				case (accept === "application/json"):
+					// return good old
+					// fashioned JSON baby!
+					return response.json();
+				case (accept.startsWith("image/")):
+					// It's an image,
+					// return the blob.
+					return response.blob();
+				default:
+					// God knows what it
+					// is, just return text.
+					return response.text();
 			}
-
-			// Else return good old
-			// fashioned JSON baby!
-			return response.json();
 		},
 	})(args, api, extraOptions);
 };
@@ -174,6 +179,7 @@ export const gtsApi = createApi({
 		"DomainPermissionExclude",
 		"DomainPermissionSubscription",
 		"TokenInfo",
+		"User",
 	],
 	endpoints: (build) => ({
 		instanceV1: build.query<InstanceV1, void>({
diff --git a/web/source/settings/lib/query/user/index.ts b/web/source/settings/lib/query/user/index.ts
index 80aeea2a4..7b0914cd8 100644
--- a/web/source/settings/lib/query/user/index.ts
+++ b/web/source/settings/lib/query/user/index.ts
@@ -58,7 +58,8 @@ const extended = gtsApi.injectEndpoints({
 		}),
 		
 		user: build.query<User, void>({
-			query: () => ({url: `/api/v1/user`})
+			query: () => ({url: `/api/v1/user`}),
+			providesTags: ["User"],
 		}),
 		
 		passwordChange: build.mutation({
diff --git a/web/source/settings/lib/query/user/twofactor.ts b/web/source/settings/lib/query/user/twofactor.ts
new file mode 100644
index 000000000..ea9d9981b
--- /dev/null
+++ b/web/source/settings/lib/query/user/twofactor.ts
@@ -0,0 +1,82 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import { gtsApi } from "../gts-api";
+import { FetchBaseQueryError } from "@reduxjs/toolkit/query";
+
+const extended = gtsApi.injectEndpoints({
+	endpoints: (build) => ({
+		twoFactorQRCodeURI: build.mutation<string, void>({
+			query: () => ({
+				url: `/api/v1/user/2fa/qruri`,
+				acceptContentType: "text/plain",
+			})
+		}),
+
+		twoFactorQRCodePng: build.mutation<string, void>({
+			async queryFn(_arg, _api, _extraOpts, fetchWithBQ) {
+				const blobRes = await fetchWithBQ({
+					url: `/api/v1/user/2fa/qr.png`,
+					acceptContentType: "image/png",
+				});
+				if (blobRes.error) {
+					return { error: blobRes.error as FetchBaseQueryError };
+				}
+
+				if (blobRes.meta?.response?.status !== 200) {
+					return { error: blobRes.data };
+				}
+
+				const blob = blobRes.data as Blob;
+				const url = URL.createObjectURL(blob);
+
+				return { data: url };
+			},
+		}),
+
+		twoFactorEnable: build.mutation<string[], { password: string }>({
+			query: (formData) => ({
+				method: "POST",
+				url: `/api/v1/user/2fa/enable`,
+				asForm: true,
+				body: formData,
+				discardEmpty: true
+			})
+		}),
+
+		twoFactorDisable: build.mutation<void, { password: string }>({
+			query: (formData) => ({
+				method: "POST",
+				url: `/api/v1/user/2fa/disable`,
+				asForm: true,
+				body: formData,
+				discardEmpty: true,
+				acceptContentType: "*/*",
+			}),
+			invalidatesTags: ["User"]
+		}),
+	})
+});
+
+export const {
+	useTwoFactorQRCodeURIMutation,
+	useTwoFactorQRCodePngMutation,
+	useTwoFactorEnableMutation,
+	useTwoFactorDisableMutation,
+} = extended;
diff --git a/web/source/settings/lib/types/user.ts b/web/source/settings/lib/types/user.ts
index 92210d5d3..34f7a8430 100644
--- a/web/source/settings/lib/types/user.ts
+++ b/web/source/settings/lib/types/user.ts
@@ -31,4 +31,5 @@ export interface User {
 	disabled: boolean;
 	approved: boolean;
 	reset_password_sent_at?: string;
+	two_factor_enabled_at?: string;
 }