From dfb979de4fa7abb3689102f47813b96139508ebe Mon Sep 17 00:00:00 2001
From: tabarra <1808295+tabarra@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:20:23 -0300
Subject: [PATCH] feat(menu): added menu password

---
 .deploy.config.js                |  2 +-
 resource/cl_main.lua             |  3 ++-
 resource/menu/client/cl_base.lua | 22 ++++++++++++++++++----
 resource/sv_admins.lua           | 16 +++++++++++++++-
 4 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/.deploy.config.js b/.deploy.config.js
index 3e4765d22..06304defc 100644
--- a/.deploy.config.js
+++ b/.deploy.config.js
@@ -1,6 +1,6 @@
 export default {
     debouncerInterval: 250,
-    preReleaseExpirationDays: 21,
+    preReleaseExpirationDays: 60,
 
     //NOTE: to test the panel from LAN, change localhost to your LAN IP
     //but the NUI will not work due to HTTPS->HTTP restrictions
diff --git a/resource/cl_main.lua b/resource/cl_main.lua
index ea829a9c6..11c95219c 100644
--- a/resource/cl_main.lua
+++ b/resource/cl_main.lua
@@ -176,7 +176,8 @@ CreateThread(function()
         '/txAdmin-menuAlignRight',
         '/txAdmin-menuPageKey',
         '/txAdmin-menuPlayerIdDistance',
-        '/txAdmin-menuDrunkDuration'
+        '/txAdmin-menuDrunkDuration',
+        '/tx2faSecret'
     }
 
     for _, suggestion in ipairs(suggestionsToRemove) do
diff --git a/resource/menu/client/cl_base.lua b/resource/menu/client/cl_base.lua
index 9a32b337d..e435062ae 100644
--- a/resource/menu/client/cl_base.lua
+++ b/resource/menu/client/cl_base.lua
@@ -14,10 +14,13 @@ lastTpCoords = false;
 -- Locals
 local noMenuReason = 'unknown reason'
 local awaitingReauth = false
+local passHelpMessage = 'To authenticate to txAdmin, use the command /txAdmin-reauth <password>.'
 
 --- Logic to displaying the menu auth rejected snackbar
 local function displayAuthRejectedError()
-  if noMenuReason == 'nui_admin_not_found' then
+  if noMenuReason == 'password_required' then
+    sendSnackbarMessage('error', passHelpMessage, false)
+  elseif noMenuReason == 'nui_admin_not_found' then
     sendSnackbarMessage('error', 'nui_menu.misc.menu_not_admin', true)
   else
     sendSnackbarMessage('error', 'nui_menu.misc.menu_auth_failed', true, { reason = noMenuReason })
@@ -130,15 +133,25 @@ end)
 
 --[[ Debug Events / Commands ]]
 -- Command/event to trigger a authentication attempt
+local authPassword = false
 local function retryAuthentication()
+  if type(authPassword) ~= 'string' then
+    return
+  end
   debugPrint("^5[AUTH] Retrying menu authentication.")
   menuIsAccessible = false
   menuPermissions = {}
   sendMenuMessage('setPermissions', menuPermissions)
-  TriggerServerEvent('txsv:checkIfAdmin')
+  TriggerServerEvent('txsv:checkIfAdmin', authPassword)
 end
 RegisterNetEvent('txcl:reAuth', retryAuthentication)
-RegisterCommand('txAdmin-reauth', function()
+RegisterCommand('txAdmin-reauth', function(_, args)
+  if type(args[1]) ~= 'string' then
+    sendSnackbarMessage('error', passHelpMessage, false)
+    return
+  end
+
+  authPassword = args[1]
   sendSnackbarMessage('info', 'Retrying menu authentication.', false)
   awaitingReauth = true
   retryAuthentication()
@@ -158,7 +171,8 @@ CreateThread(function()
   TriggerEvent(
     'chat:addSuggestion',
     '/txAdmin-reauth',
-    'Retries to authenticate the menu NUI.'
+    'Retries to authenticate the menu NUI.',
+    { { name = "password", help = "2fa secret" } }
   )
 end)
 
diff --git a/resource/sv_admins.lua b/resource/sv_admins.lua
index a0a589580..0c118acac 100644
--- a/resource/sv_admins.lua
+++ b/resource/sv_admins.lua
@@ -35,9 +35,14 @@ local function handleAuthFail(src, reason)
 end
 
 -- Handle menu auth requests
-RegisterNetEvent('txsv:checkIfAdmin', function()
+RegisterNetEvent('txsv:checkIfAdmin', function(authPassword)
     local src = source
     local srcString = tostring(source)
+
+    --Early return if no password
+    if type(authPassword) ~= 'string' or authPassword == '' then
+        return TriggerClientEvent('txcl:setAdmin', src, false, false, 'password_required')
+    end
     debugPrint('Handling authentication request from player #'..srcString)
 
     -- Rate Limiter
@@ -45,6 +50,15 @@ RegisterNetEvent('txsv:checkIfAdmin', function()
         return handleAuthFail(source, "too many auth attempts")
     end
 
+    -- Check Password
+    local expectedPassword = GetConvar('tx2faSecret', 'invalid')
+    if expectedPassword == 'invalid' then
+        return handleAuthFail(src, "invalid server 2FA configuration")
+    end
+    if authPassword ~= expectedPassword then
+        return handleAuthFail(src, "invalid 2FA password")
+    end
+
     -- Prepping http request
     local url = "http://"..TX_LUACOMHOST.."/auth/self"
     local headers = {