|
|
@@ -490,3 +490,33 @@ func (h *TgAccountHandler) reloadAccounts() {
|
|
|
}
|
|
|
h.tgManager.Init(accounts)
|
|
|
}
|
|
|
+
|
|
|
+// RevealTwoFA returns the decrypted 2FA password for an account.
|
|
|
+// Admin-only; every call is audit-logged.
|
|
|
+func (h *TgAccountHandler) RevealTwoFA(c *gin.Context) {
|
|
|
+ id, err := strconv.ParseUint(c.Param("id"), 10, 64)
|
|
|
+ if err != nil {
|
|
|
+ Fail(c, 400, "invalid id")
|
|
|
+ return
|
|
|
+ }
|
|
|
+ var acc model.TgAccount
|
|
|
+ if err := h.store.DB.First(&acc, id).Error; err != nil {
|
|
|
+ Fail(c, 404, "账号不存在")
|
|
|
+ return
|
|
|
+ }
|
|
|
+ if len(acc.TwoFAEnc) == 0 {
|
|
|
+ Fail(c, 404, "该账号未存储 2FA")
|
|
|
+ return
|
|
|
+ }
|
|
|
+ if h.crypto == nil {
|
|
|
+ Fail(c, 500, "crypto not configured")
|
|
|
+ return
|
|
|
+ }
|
|
|
+ plain, err := h.crypto.Decrypt(acc.TwoFAEnc)
|
|
|
+ if err != nil {
|
|
|
+ Fail(c, 500, "decrypt: "+err.Error())
|
|
|
+ return
|
|
|
+ }
|
|
|
+ LogAudit(h.store, c, "reveal_2fa", "tg_account", fmt.Sprintf("%d", id), nil)
|
|
|
+ OK(c, gin.H{"password": plain})
|
|
|
+}
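Review bot: The doc comment says every call is audit-logged, but `LogAudit` runs only on the success path just before `OK`, so requests that fail on the lookup, the missing-2FA check or the decrypt leave no audit record. Either move the existing `LogAudit(h.store, c, "reveal_2fa", ...)` call to just after the id is parsed, or narrow the comment to `// Admin-only; successful reveals are audit-logged.` The decrypt failure branch also returns `"decrypt: "+err.Error()` to the client; a fixed message such as `Fail(c, 500, "decrypt failed")` with the error logged server-side avoids exposing crypto-layer detail. Because the response body carries the plaintext secret, set `c.Header("Cache-Control", "no-store")` before `OK(c, ...)` so intermediaries and the browser do not keep it. The admin-only restriction is not checked inside this handler, so it presumably relies on route middleware outside the hunk, which is worth confirming where the route is registered.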
|