auth and redirection with totp (speakeasy)

Question

I did a TOTP (unique time-based password) with SpeakEasy, everything works fine, I put a condition (at the end of the code) to validate a token and then redirect it to a hidden page but it doesn't work, and I don't do not know why. Thank you for your help

views/validate.ejs

<form method='post' action='/hidden'>
    <input type="text" name="TokenClient" placeholder="your password">
    <button type="submit">submit</button>
</form>

<p><strong>remain :</strong><%= remaining %></p>

<p>
    <strong>token client :</strong><%= user %></br>
</p>

<strong>validation :</strong><%= valid %></br> 

views/hidden.ejs

<h1>Hidden Page</h1>

apps.js

const Express = require("express");
const BodyParser = require("body-parser");
const Speakeasy = require("speakeasy");
const app = Express();

app.use(BodyParser.json());
app.use(BodyParser.urlencoded({ extended: true }));

// EJS /////////////////////////
app.set("views", "./views");
app.set("view engine", "ejs");

// Menu = OK ///////////////////
app.get("/", (req, res) => {
  res.render("index", {});
});

// Secret Key = OK /////////////
app.get("/totp-secret", (req, res) => {
  //let secret = Speakeasy.generateSecret({ length: 20 }).base32;
  let secret = "azerty";
  res.render("secret", { secret });
});

// TOKEN = OK //////////////////
app.get("/totp-generate-token", (req, res) => {
  let token = Speakeasy.totp({
    secret: req.body.secret,
    encoding: "base32",
  });
  let remaining = 30 - Math.floor((new Date().getTime() / 1000.0) % 30);

  res.render("token", { token, remaining });
});

//Validation/////////////////////
app.get("/totp-validate", (req, res) => {
  let remaining = 30 - Math.floor((new Date().getTime() / 1000.0) % 30);
  ///////////////////////////////
  let user = req.body.TokenClient;
  ///////////////////////////////
  let valid = Speakeasy.totp.verify({
    secret: req.body.secret,
    encoding: "base32",
    token: req.body.TokenClient, // Token Client
    window: 0,
  });

  res.render("validate", { remaining, user, valid });
});

app.post("/totp-validate", (req, res) => {
  let remaining = 30 - Math.floor((new Date().getTime() / 1000.0) % 30);

  let user = req.body.TokenClient;

  let valid = Speakeasy.totp.verify({
    secret: req.body.secret,
    encoding: "base32",
    token: req.body.TokenClient, // Token Client
    window: 0,
  });

  // Probleme here !!! ////////////////////////////
  if (valid) {
    res.redirect("/hidden");
    console.log("valide");
  } else {
    res.redirect("/totp-validate");
  }

  res.render("validate", { remaining, user, valid });
});

app.listen(3000, () => {
  console.log("Listening at :3000...");
});

the variable "valid" is a boolean

Answer 1

I'm not exactly sure of your problem however I see what must be the issue. Your form redirects to the /hidden page with a POST request and express does not know how to handle that

When the user completes the form, this function should handle the response :

app.post('hidden', (req, res) => { /* Your code here */ });