Added user account, user session and agent session per-domain limits.

2024-08-16 04:00:28 +03:00 · 2019-02-11 14:41:15 -08:00 · 2019-02-11 14:41:15 -08:00 · 91282677cd
commit 91282677cd
parent c7ac086648
11 changed files with 212 additions and 29 deletions
--- a/certoperations.js
+++ b/certoperations.js
@ -112,7 +112,9 @@ module.exports.CertificateOperations = function (parent) {

    // Create a self-signed certificate
    obj.GenerateRootCertificate = function (addThumbPrintToName, commonName, country, organization, strong) {
-        var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
+        // TODO: Use Async key generation to use web workers and go a lot faster.
+        // rsa.generateKeyPair({ bits: 3072, e: 0x10001, workers: -1 }, function (err, keypair) { /*keypair.privateKey, keypair.publicKey*/ });
+        var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
        var cert = obj.pki.createCertificate();
        cert.publicKey = keys.publicKey;
        cert.serialNumber = String(Math.floor((Math.random() * 100000) + 1));
@ -136,7 +138,7 @@ module.exports.CertificateOperations = function (parent) {

    // Issue a certificate from a root
    obj.IssueWebServerCertificate = function (rootcert, addThumbPrintToName, commonName, country, organization, extKeyUsage, strong) {
-        var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
+        var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
        var cert = obj.pki.createCertificate();
        cert.publicKey = keys.publicKey;
        cert.serialNumber = String(Math.floor((Math.random() * 100000) + 1));
--- a/db.js
+++ b/db.js
@ -175,7 +175,7 @@ module.exports.CreateDB = function (parent) {
    obj.getPowerTimeline = function (nodeid, func) { if (obj.databaseType == 1) { obj.file.find({ type: 'power', node: { $in: ['*', nodeid] } }).sort({ time: 1 }).exec(func); } else { obj.file.find({ type: 'power', node: { $in: ['*', nodeid] } }).sort({ time: 1 }, func); } };
    obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }, func); };
    obj.getAmtUuidNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }, func); };
-    obj.isMaxType = function (max, type, func) { if (max == null) { func(false); } else { obj.file.count({ type: type }, function (err, count) { func((err != null) || (count > max)); }); } }
+    obj.isMaxType = function (max, type, domainid, func) { if (max == null) { func(false); } else { obj.file.count({ type: type, domain: domainid }, function (err, count) { func((err != null) || (count > max)); }); } }

    // Read a configuration file from the database
    obj.getConfigFile = function (path, func) { obj.Get('cfile/' + path, func); }
--- a/meshagent.js
+++ b/meshagent.js
@ -368,6 +368,16 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
        if ((obj.authenticated != 1) || (obj.meshid == null) || obj.pendingCompleteAgentConnection) return;
        obj.pendingCompleteAgentConnection = true;

+        // Check if we have too many agent sessions
+        if (typeof domain.limits.maxagentsessions == 'number') {
+            // Count the number of agent sessions for this domain
+            var domainAgentSessionCount = 0;
+            for (var i in obj.parent.wsagents) { if (obj.parent.wsagents[i].domain.id == domain.id) { domainAgentSessionCount++; } }
+
+            // Check if we have too many user sessions
+            if (domainAgentSessionCount >= domain.limits.maxagentsessions) { return; } // Too many, hold the connection.
+        }
+
        // Check that the mesh exists
        var mesh = obj.parent.meshes[obj.dbMeshKey];
        if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddrport + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
--- a/meshcentral.js
+++ b/meshcentral.js
@ -437,6 +437,7 @@ function CreateMeshCentralServer(config, args) {
        var bannedDomains = ['public', 'private', 'images', 'scripts', 'styles', 'views']; // List of banned domains
        for (i in obj.config.domains) { for (var j in bannedDomains) { if (i == bannedDomains[j]) { console.log("ERROR: Domain '" + i + "' is not allowed domain name in ./data/config.json."); return; } } }
        for (i in obj.config.domains) {
+            if (obj.config.domains[i].limits == null) { obj.config.domains[i].limits = {}; }
            if (obj.config.domains[i].dns == null) { obj.config.domains[i].url = (i == '') ? '/' : ('/' + i + '/'); } else { obj.config.domains[i].url = '/'; }
            obj.config.domains[i].id = i;
            if (typeof obj.config.domains[i].userallowedip == 'string') { if (obj.config.domains[i].userallowedip == '') { obj.config.domains[i].userallowedip = null; } else { obj.config.domains[i].userallowedip = obj.config.domains[i].userallowedip.split(','); } }
--- a/meshuser.js
+++ b/meshuser.js
@ -127,6 +127,20 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
        // Check if the user is logged in
        if (user == null) { try { obj.ws.close(); } catch (e) { } return; }

+        // Check if we have exceeded the user session limit
+        if (typeof domain.limits.maxusersessions == 'number') {
+            // Count the number of user sessions for this domain
+            var domainUserSessionCount = 0;
+            for (var i in obj.parent.wssessions2) { if (obj.parent.wssessions2[i].domainid == domain.id) { domainUserSessionCount++; } }
+
+            // Check if we have too many user sessions
+            if (domainUserSessionCount >= domain.limits.maxusersessions) {
+                ws.send(JSON.stringify({ action: 'stopped', msg: 'Session count exceed' }));
+                try { obj.ws.close(); } catch (e) { }
+                return;
+            }
+        }
+
        // Associate this websocket session with the web session
        obj.ws.userid = req.session.userid;
        obj.ws.domainid = domain.id;
@ -643,7 +657,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    if (obj.parent.users[newuserid]) break; // Account already exists

                    // Check if we exceed the maximum number of user accounts
-                    obj.db.isMaxType(domain.maxaccounts, 'user', function (maxExceed) {
+                    obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
                        if (maxExceed) {
                            // Account count exceed, do notification

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "meshcentral",
-  "version": "0.2.7-u",
+  "version": "0.2.7-v",
  "keywords": [
    "Remote Management",
    "Intel AMT",
--- a/sample-config.json
+++ b/sample-config.json
@ -41,6 +41,11 @@
      "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
      "_AgentAllowedIP": "192.168.0.100/24",
      "_AgentBlockedIP": "127.0.0.1,::1",
+      "_Limits": {
+        "MaxUserAccounts": 100,
+        "MaxUserSessions": 100,
+        "MaxAgentSessions": 100
+      },
      "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
    },
    "customer1": {
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -855,6 +855,7 @@
    <script type="text/javascript">
        'use strict';
        var args;
+        var autoReconnect = true;
        var powerStatetable = ['', 'Powered', 'Sleep', 'Sleep', 'Sleep', 'Hibernating', 'Power off', 'Present'];
        var StatusStrs = ['Disconnected', 'Connecting...', 'Setup...', 'Connected', 'Intel&reg; AMT Connected'];
        var sort = 0;
@ -1076,7 +1077,7 @@
                QV('verifyEmailId2', false);
                QV('logoutControl', false);
                if (errorCode == 'noauth') { QH('p0span', 'Unable to perform authentication'); return; }
-                if (prevState == 2) { setTimeout(serverPoll, 5000); } else { QH('p0span', 'Unable to connect web socket'); }
+                if (prevState == 2) { if (autoReconnect) { setTimeout(serverPoll, 5000); } } else { QH('p0span', 'Unable to connect web socket'); }
                if (authCookieRenewTimer != null) { clearInterval(authCookieRenewTimer); authCookieRenewTimer = null; }
            } else if (state == 2) {
                // Fetch list of meshes, nodes, files
@ -1751,7 +1752,8 @@
                            break;
                        }
                        case 'stopped': { // Server is stopping.
-                            // TODO: Disconnect
+                            // Disconnect
+                            console.log(message.msg);
                            break;
                        }
                        default:
@ -1760,6 +1762,12 @@
                    }
                    break;
                }
+                case 'stopped': { // Server is stopping.
+                    // Disconnect
+                    autoReconnect = false;
+                    QH('p0span', message.msg);
+                    break;
+                }
                default:
                    console.log('Unknown message.action', message.action);
                    break;
@ -6379,7 +6387,7 @@
            x += addDeviceAttribute('Creation', new Date(user.creation * 1000).toLocaleString());
            if (user.login) x += addDeviceAttribute('Last Login', new Date(user.login * 1000).toLocaleString());
            var multiFactor = 0;
-            if ((user.otpsecret > 0) || (user.otphkeys > 0) || (user.otpkeys > 0)) {
+            if ((user.otpsecret > 0) || (user.otphkeys > 0)) {
                multiFactor = 1;
                var factors = [];
                if (user.otpsecret > 0) { factors.push('Authentication App'); }
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
@ -150,7 +150,7 @@
                                        <tr>
                                            <td align=right width=100>Login token:</td>
                                            <td>
-                                                <input id=tokenInput type=text name=token maxlength=50 onkeyup=checkToken(event) onkeydown=checkToken(event) />
+                                                <input id=tokenInput type=text name=token maxlength=50 onchange=checkToken(event) onkeyup=checkToken(event) onkeydown=checkToken(event) />
                                                <input id=hwtokenInput type=text name=hwtoken style="display:none" />
                                            </td>
                                        </tr>
@ -163,6 +163,31 @@
                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
                                </form>
                            </div>
+
+                            <div id=resettokenpanel style="background-color:#979797;border-radius:16px;width:260px;padding:16px;text-align:center;display:none;clear:both">
+                                <form action=resetaccount method=post autocomplete=off>
+                                    <div id=message5>
+                                        {{{message}}}
+                                    </div>
+                                    <table>
+                                        <tr>
+                                            <td align=right width=100>Login token:</td>
+                                            <td>
+                                                <input id=resetTokenInput type=text name=token maxlength=50 onchange=resetCheckToken(event) onkeyup=resetCheckToken(event) onkeydown=resetCheckToken(event) />
+                                                <input id=resetHwtokenInput type=text name=hwtoken style="display:none" />
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td colspan=2>
+                                                <div style=float:right><input id=resetTokenOkButton type=submit value="Login" disabled="disabled" /></div>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
+                                </form>
+                            </div>
+
+
                        </td>
                    </tr>
                </table>
@ -237,6 +262,19 @@
                    }, hardwareKeyChallenge.timeoutSeconds);
                }
            }
+
+            if ('{{loginmode}}' == '5') {
+                try { if (hardwareKeyChallenge.length > 0) { hardwareKeyChallenge = JSON.parse(hardwareKeyChallenge); } else { hardwareKeyChallenge = null; } } catch (ex) { hardwareKeyChallenge = null }
+                if ((hardwareKeyChallenge != null) && u2fSupported()) {
+                    window.u2f.sign(hardwareKeyChallenge.appId, hardwareKeyChallenge.challenge, hardwareKeyChallenge.registeredKeys, function (authResponse) {
+                        if (authResponse.signatureData) {
+                            Q('resetHwtokenInput').value = JSON.stringify(authResponse);
+                            QE('resetTokenOkButton', true);
+                            Q('resetTokenOkButton').click();
+                        }
+                    }, hardwareKeyChallenge.timeoutSeconds);
+                }
+            }
        }

        function showPassHint() {
@ -246,6 +284,9 @@
        function xgo(x) {
            QV('message1', false);
            QV('message2', false);
+            QV('message3', false);
+            QV('message4', false);
+            QV('message5', false);
            go(x);
        }

@ -256,6 +297,7 @@
            QV('createpanel', x == 2);
            QV('resetpanel', x == 3);
            QV('tokenpanel', x == 4);
+            QV('resettokenpanel', x == 5);
            if (x == 1) { Q('username').focus(); }
            if (x == 2) { Q('ausername').focus(); }
            if (x == 3) { Q('remail').focus(); }
@ -353,6 +395,13 @@
            QE('tokenOkButton', (Q('tokenInput').value.length == 6) || (Q('tokenInput').value.length == 8) || (Q('tokenInput').value.length == 44));
        }

+        function resetCheckToken() {
+            var t1 = Q('resetTokenInput').value;
+            var t2 = t1.split(' ').join('');
+            if (t1 != t2) { Q('resetTokenInput').value = t2; }
+            QE('resetTokenOkButton', (Q('resetTokenInput').value.length == 6) || (Q('resetTokenInput').value.length == 8) || (Q('resetTokenInput').value.length == 44));
+        }
+
        //
        // POPUP DIALOG
        //
--- a/views/login.handlebars
+++ b/views/login.handlebars
@ -223,7 +223,7 @@
                                        <tr>
                                            <td align=right width=100>Login token:</td>
                                            <td>
-                                                <input id=tokenInput type=text name=token maxlength=50 onkeyup=checkToken(event) onkeydown=checkToken(event) />
+                                                <input id=tokenInput type=text name=token maxlength=50 onchange=checkToken(event) onkeyup=checkToken(event) onkeydown=checkToken(event) />
                                                <input id=hwtokenInput type=text name=hwtoken style="display:none" />
                                            </td>
                                        </tr>
@ -236,6 +236,28 @@
                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
                                </form>
                            </div>
+                            <div id=resettokenpanel style="background-color: #979797;border-radius:16px;width:300px;padding:16px;text-align:center;display:none">
+                                <form action=resetaccount method=post>
+                                    <div id=message5>
+                                        {{{message}}}
+                                    </div>
+                                    <table>
+                                        <tr>
+                                            <td align=right width=100>Login token:</td>
+                                            <td>
+                                                <input id=resetTokenInput type=text name=token maxlength=50 onchange=resetCheckToken(event) onkeyup=resetCheckToken(event) onkeydown=resetCheckToken(event) />
+                                                <input id=resetHwtokenInput type=text name=hwtoken style="display:none" />
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td colspan=2>
+                                                <div style=float:right><input id=resetTokenOkButton type=submit value="Login" disabled="disabled" /></div>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
+                                </form>
+                            </div>
                        </td>
                    </tr>
                </table>
@ -320,6 +342,19 @@
                    }, hardwareKeyChallenge.timeoutSeconds);
                }
            }
+
+            if ('{{loginmode}}' == '5') {
+                try { if (hardwareKeyChallenge.length > 0) { hardwareKeyChallenge = JSON.parse(hardwareKeyChallenge); } else { hardwareKeyChallenge = null; } } catch (ex) { hardwareKeyChallenge = null }
+                if ((hardwareKeyChallenge != null) && u2fSupported()) {
+                    window.u2f.sign(hardwareKeyChallenge.appId, hardwareKeyChallenge.challenge, hardwareKeyChallenge.registeredKeys, function (authResponse) {
+                        if (authResponse.signatureData) {
+                            Q('resetHwtokenInput').value = JSON.stringify(authResponse);
+                            QE('resetTokenOkButton', true);
+                            Q('resetTokenOkButton').click();
+                        }
+                    }, hardwareKeyChallenge.timeoutSeconds);
+                }
+            }
        }

        function showPassHint() {
@ -329,6 +364,9 @@
        function xgo(x) {
            QV('message1', false);
            QV('message2', false);
+            QV('message3', false);
+            QV('message4', false);
+            QV('message5', false);
            go(x);
        }

@ -339,6 +377,7 @@
            QV('createpanel', x == 2);
            QV('resetpanel', x == 3);
            QV('tokenpanel', x == 4);
+            QV('resettokenpanel', x == 5);
            if (x == 1) { Q('username').focus(); }
            if (x == 2) { Q('ausername').focus(); }
            if (x == 3) { Q('remail').focus(); }
@ -448,6 +487,13 @@
            QE('tokenOkButton', (Q('tokenInput').value.length == 6) || (Q('tokenInput').value.length == 8) || (Q('tokenInput').value.length == 44));
        }

+        function resetCheckToken() {
+            var t1 = Q('resetTokenInput').value;
+            var t2 = t1.split(' ').join('');
+            if (t1 != t2) { Q('resetTokenInput').value = t2; }
+            QE('resetTokenOkButton', (Q('resetTokenInput').value.length == 6) || (Q('resetTokenInput').value.length == 8) || (Q('resetTokenInput').value.length == 44));
+        }
+
        //
        // POPUP DIALOG
        //
--- a/webserver.js
+++ b/webserver.js
@ -320,7 +320,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {

    // Return true if this user has 2-step auth active
    function checkUserOneTimePasswordRequired(domain, user) {
-        return (user.otpsecret) || (user.otphkeys && (user.otphkeys.length > 0));
+        return ((user.otpsecret != null) || ((user.otphkeys != null) && (user.otphkeys.length > 0)));
    }

    // Check the 2-step auth token
@ -377,7 +377,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
    }

    // Return a U2F hardware key challenge
-    // TODO: Figure out how to support many U2F keys at the same time.
    function getHardwareKeyChallenge(req, domain, user, func) {
        if (req.session.u2fchallenge) { delete req.session.u2fchallenge; };
        if (user.otphkeys && (user.otphkeys.length > 0)) {
@ -419,7 +418,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                var user = obj.users[userid];

                // Check if this user has 2-step login active
-                if (checkUserOneTimePasswordRequired(req.domain, user)) {
+                if (checkUserOneTimePasswordRequired(domain, user)) {
                    checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
                        if (result == false) {
                            // 2-step auth is required, but the token is not present or not valid.
@ -427,7 +426,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                            req.session.loginmode = '4';
                            req.session.tokenusername = xusername;
                            req.session.tokenpassword = xpassword;
-                            req.session.tokenRetry = true;
                            res.redirect(domain.url);
                        } else {
                            // Login succesful
@ -465,6 +463,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        delete req.session.loginmode;
        delete req.session.tokenusername;
        delete req.session.tokenpassword;
+        delete req.session.tokenemail;
        delete req.session.success;
        delete req.session.error;
        delete req.session.passhint;
@ -503,7 +502,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        if ((domain.newaccounts === 0) || (domain.newaccounts === false)) { res.sendStatus(401); return; }

        // Check if we exceed the maximum number of user accounts
-        obj.db.isMaxType(domain.maxaccounts, 'user', function (maxExceed) {
+        obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
            if (maxExceed) {
                req.session.loginmode = 2;
                req.session.error = '<b style=color:#8C001A>Account limit reached.</b>';
@ -569,28 +568,58 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        const domain = checkUserIpAddress(req, res);
        if ((domain == null) || (domain.auth == 'sspi')) return;

+        var email = req.body.email;
+        if ((email == null) || (email == '')) { email = req.session.tokenemail; }
+
        if ((domain.newaccounts === 0) || (domain.newaccounts === false)) { res.sendStatus(401); return; }
-        if (!req.body.email || checkEmail(req.body.email) == false) {
+        if (!email || checkEmail(email) == false) {
            req.session.loginmode = 3;
            req.session.error = '<b style=color:#8C001A>Invalid email.</b>';
            res.redirect(domain.url);
        } else {
-            obj.db.GetUserWithVerifiedEmail(domain.id, req.body.email, function (err, docs) {
-                if (docs.length == 0) {
+            obj.db.GetUserWithVerifiedEmail(domain.id, email, function (err, docs) {
+                if ((err != null) || (docs.length == 0)) {
                    req.session.loginmode = 3;
                    req.session.error = '<b style=color:#8C001A>Account not found.</b>';
                    res.redirect(domain.url);
                } else {
-                    var userFound = docs[0];
-                    if (obj.parent.mailserver != null) {
-                        obj.parent.mailserver.sendAccountResetMail(domain, userFound.name, userFound.email);
-                        req.session.loginmode = 1;
-                        req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
-                        res.redirect(domain.url);
+                    var user = docs[0];
+                    if (checkUserOneTimePasswordRequired(domain, user) == true) {
+                        // Second factor setup, request it now.
+                        checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
+                            if (result == false) {
+                                // 2-step auth is required, but the token is not present or not valid.
+                                if ((req.body.token != null) || (req.body.hwtoken != null)) { req.session.error = '<b style=color:#8C001A>Invalid token, try again.</b>'; }
+                                req.session.loginmode = '5';
+                                req.session.tokenemail = email;
+                                res.redirect(domain.url);
+                            } else {
+                                // Send email to perform recovery.
+                                delete req.session.tokenemail;
+                                if (obj.parent.mailserver != null) {
+                                    obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
+                                    req.session.loginmode = 1;
+                                    req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
+                                    res.redirect(domain.url);
+                                } else {
+                                    req.session.loginmode = 3;
+                                    req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
+                                    res.redirect(domain.url);
+                                }
+                            }
+                        });
                    } else {
-                        req.session.loginmode = 3;
-                        req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
-                        res.redirect(domain.url);
+                        // No second factor, send email to perform recovery.
+                        if (obj.parent.mailserver != null) {
+                            obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
+                            req.session.loginmode = 1;
+                            req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
+                            res.redirect(domain.url);
+                        } else {
+                            req.session.loginmode = 3;
+                            req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
+                            res.redirect(domain.url);
+                        }
                    }
                }
            });
@ -632,7 +661,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                                                obj.db.SetUser(user);

                                                // Event the change
-                                                obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(userinfo.email) + ')', domain: domain.id });
+                                                obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(user.email) + ')', domain: domain.id });

                                                // Send the confirmation page
                                                res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', message: 'Verified email <b>' + EscapeHtml(user.email) + '</b> for user account <b>' + EscapeHtml(user.name) + '</b>. <a href="' + domain.url + '">Go to login page</a>.' });
@ -660,7 +689,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                                                userinfo.hash = hash;
                                                userinfo.passchange = Math.floor(Date.now() / 1000);
                                                userinfo.passhint = null;
-                                                delete userinfo.otpsecret; // Currently a email password reset will turn off 2-step login.
+                                                //delete userinfo.otpsecret; // Currently a email password reset will turn off 2-step login.
                                                obj.db.SetUser(userinfo);

                                                // Event the change
@ -920,6 +949,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        } else {
            // Send back the login application
            // If this is a 2 factor auth request, look for a hardware key challenge.
+            // Normal login 2 factor request
            if ((req.session.loginmode == '4') && (req.session.tokenusername)) {
                var user = obj.users['user/' + domain.id + '/' + req.session.tokenusername];
                if (user != null) {
@ -927,6 +957,24 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                    return;
                }
            }
+            // Password recovery 2 factor request
+            if ((req.session.loginmode == '5') && (req.session.tokenemail)) {
+                obj.db.GetUserWithVerifiedEmail(domain.id, req.session.tokenemail, function (err, docs) {
+                    if ((err != null) || (docs.length == 0)) {
+                        req.session = null;
+                        res.redirect(domain.url);
+                    } else {
+                        var user = obj.users[docs[0]._id];
+                        if (user != null) {
+                            getHardwareKeyChallenge(req, domain, user, function (u2fChallenge) { handleRootRequestLogin(req, res, domain, u2fChallenge, passRequirements); });
+                        } else {
+                            req.session = null;
+                            res.redirect(domain.url);
+                        }
+                    }
+                });
+                return;
+            }
            handleRootRequestLogin(req, res, domain, '', passRequirements);
        }
    }