@lifeready/core 1.0.1 → 1.0.3

package/src/lib/auth/life-ready-auth.service.ts

@@ -1,454 +0,0 @@
-import { Inject, Injectable, isDevMode } from '@angular/core';
-import { CognitoUser } from '@aws-amplify/auth';
-import { Hub } from '@aws-amplify/core';
-import { CognitoUserAttribute } from 'amazon-cognito-identity-js';
-import { Observable, ReplaySubject } from 'rxjs';
-import { PassIdpParams } from '../cryptography/cryptography.types';
-import { KeyGraphService } from '../cryptography/key-graph.service';
-import { KeyService } from '../cryptography/key.service';
-import { ProfileService } from '../users/profile.service';
-import { PasswordChangeStatus } from '../users/profile.types';
-import {
-  LrConcurrentAccessException,
-  LrBadRequestException,
-} from '../_common/exceptions';
-import {
-  CognitoChallengeUser,
-  CurrentUser,
-  TpPasswordResetUser,
-  LoginResult,
-  RecoveryStatus,
-} from './auth.types';
-import { PasswordService } from './password.service';
-import { AuthClass } from '@aws-amplify/auth/lib-esm/Auth';
-import { TpPasswordResetUserQuery } from '../trusted-parties/tp-password-reset.gql';
-import { IdleService } from './idle.service';
-import { KeyFactoryService } from '../cryptography/key-factory.service';
-import { LrGraphQLService, LrMutation } from '../api/lr-graphql';
-import { TpPasswordResetUserNode } from '../api/types';
-import { TpPasswordResetProcessorService } from '../api/query-processor/tp-password-reset-processor.service';
-import { SetSessionEncryptionKeyMutation } from './auth.gql';
-import { PersistService } from '../api/persist.service';
-import { JWK } from 'node-jose';
-import { LifeReadyConfig, LR_CONFIG } from '../life-ready.config';
-
-export const initialiseAuth = (authService: LifeReadyAuthService) => {
-  return () => authService.initialise();
-};
-
-@Injectable({
-  providedIn: 'root',
-})
-export class LifeReadyAuthService {
-  private hubSubject: ReplaySubject<any> = new ReplaySubject<any>(1);
-  private currentUser: CurrentUser;
-
-  constructor(
-    @Inject(LR_CONFIG) private config: LifeReadyConfig,
-    private auth: AuthClass,
-    private keyFactory: KeyFactoryService,
-    private keyService: KeyService,
-    private profileService: ProfileService,
-    private keyGraphService: KeyGraphService,
-    private passwordService: PasswordService,
-    private idleService: IdleService,
-    private lrGraphQL: LrGraphQLService,
-    private tpPasswordResetProcessorService: TpPasswordResetProcessorService,
-    private persistService: PersistService
-  ) {}
-
-  public async initialise() {
-    Hub.listen('auth', (data) => this.hubSubject.next(data.payload));
-  }
-
-  private async loginIdpImpl(
-    emailOrPhone: string,
-    password: string,
-    passIdpParams: PassIdpParams,
-    recoveryStatus: RecoveryStatus
-  ): Promise<CognitoChallengeUser> {
-    const passIdpResult = await this.keyFactory.derivePassIdp({
-      password,
-      ...passIdpParams,
-    });
-    // Use the derived password to signin with cognito
-    const user = await this.auth.signIn(
-      emailOrPhone,
-      this.passwordService.getPassIdpString(passIdpResult.jwk)
-    );
-
-    user.recoveryStatus = recoveryStatus;
-
-    return user;
-  }
-
-  private async loginIdp(
-    emailOrPhone: string,
-    password: string
-  ): Promise<CognitoChallengeUser> {
-    // Download the salt needed to derive the PassIdp
-    const passIdpApiResult = await this.profileService.getPassIdpParams(
-      emailOrPhone
-    );
-
-    if (
-      passIdpApiResult.passwordChangeStatus === PasswordChangeStatus.InProgress
-    ) {
-      throw new LrConcurrentAccessException('A password change is in progress');
-    }
-
-    if (
-      passIdpApiResult.passwordChangeStatus === PasswordChangeStatus.Recovery
-    ) {
-      console.log('In recovery mode.');
-      // Let's say we don't know if the password is the new one or the old one. We just have to try both.
-      try {
-        const user = await this.loginIdpImpl(
-          emailOrPhone,
-          password,
-          passIdpApiResult.newPassIdpParams,
-          RecoveryStatus.NEW_PASSWORD
-        );
-        // New password worked. Let's set to the current password
-
-        // --Potential Failure Point 1--
-        // if changePasswordComplete() doesn't get called, then it should remain
-
-        console.log('New password works!');
-
-        return user;
-      } catch (error) {
-        // Just bubble up any other type of error.
-        if (error.code !== 'NotAuthorizedException') {
-          throw error;
-        }
-        // pass, try again assuming it's the old password
-      }
-
-      // Now assume it's the previous password. Any exception is allowed to bubble up.
-      try {
-        const user = await this.loginIdpImpl(
-          emailOrPhone,
-          password,
-          passIdpApiResult.currentPassIdpParams,
-          RecoveryStatus.OLD_PASSWORD
-        );
-        // Old password worked.
-        console.log('Old password works!');
-
-        return user;
-      } catch (error) {
-        // Just bubble up any other type of error.
-        throw error.code === 'NotAuthorizedException'
-          ? new LrBadRequestException(
-              'The password change request was interrupted, please try to login with both your new and old password'
-            )
-          : error;
-      }
-    }
-
-    // Try against as the TP password reset account
-    if (passIdpApiResult.tpPasswordReset) {
-      try {
-        // TP password reset is in process. We need to try the password against both
-        // original account and the new reset account.
-        const reset = passIdpApiResult.tpPasswordReset;
-        const ret = await this.loginIdpImpl(
-          reset.resetUsername,
-          password,
-          reset.passIdpParams,
-          RecoveryStatus.NONE
-        );
-        ret.isTpPasswordResetUser = true;
-
-        return ret;
-      } catch (err) {
-        // continue, try again as regular user.
-      }
-    }
-
-    // Login as regular user
-    return await this.loginIdpImpl(
-      emailOrPhone,
-      password,
-      passIdpApiResult.currentPassIdpParams,
-      RecoveryStatus.NONE
-    );
-  }
-
-  protected async handleSessionEncryptionKey() {
-    if (this.config.disableSessionEncryptionKey) {
-      if (!isDevMode()) {
-        const msg =
-          'You should not set disableSessionEncryptionKey=True in mode prod. It defaults to false.';
-        console.error(msg);
-        throw new Error(msg);
-      } else {
-        console.warn(
-          'You have set disableSessionEncryptionKey=True. Make sure not to do this in prod mode.'
-        );
-      }
-    } else {
-      // Set the session key to a new encryption key for this session
-      const sessionEncryptionKey = await this.keyFactory.createKey();
-      await this.lrGraphQL.lrMutate(
-        new LrMutation({
-          mutation: SetSessionEncryptionKeyMutation,
-          variables: {
-            input: {
-              sessionEncryptionKey: JSON.stringify(
-                sessionEncryptionKey.toJSON(true)
-              ),
-            },
-          },
-        }),
-        {
-          includeKeyGraph: false,
-        }
-      );
-
-      this.persistService.setServerSessionEncryptionKey(sessionEncryptionKey);
-    }
-  }
-
-  protected async handlePostAuth(cognitoUser: CognitoChallengeUser) {
-    await this.handlePasswordRecovery(cognitoUser);
-    await this.handleSessionEncryptionKey();
-  }
-
-  public async login(
-    emailOrPhone: string,
-    password: string
-  ): Promise<LoginResult> {
-    const cognitoUser = await this.loginIdp(emailOrPhone, password);
-
-    // todo: Meet MFA challenges.
-    if (['SMS_MFA', 'SOFTWARE_TOKEN_MFA'].includes(cognitoUser.challengeName)) {
-      return { hasChallenge: true, challenge: cognitoUser };
-    }
-
-    await this.handlePostAuth(cognitoUser);
-
-    if (cognitoUser.isTpPasswordResetUser) {
-      // Assuming there is no MFA on the TP reset user.
-      const resetUser = await this.loadResetUser(password);
-      return { hasChallenge: false, resetUser };
-    } else {
-      const user = await this.loadUser(cognitoUser, password);
-      await this.idleService.start(); // Run idleService whenever user is logged in.
-      return { hasChallenge: false, user };
-    }
-  }
-
-  // TODO <AZ> We need to handle the isTpPasswordResetUser=True case here after MFA as well.
-  public async verifyLogin(
-    challenge: CognitoChallengeUser,
-    password: string,
-    rememberMe: boolean,
-    code: string
-  ): Promise<CurrentUser> {
-    await this.auth.confirmSignIn(challenge, code, challenge.challengeName);
-
-    // TODO: this.auth.confirmSignIn() could return another challenge.
-
-    const cognitoUser: CognitoUser = await this.auth.currentAuthenticatedUser();
-
-    await this.handlePostAuth(challenge);
-
-    const user = await this.loadUser(cognitoUser, password);
-
-    if (rememberMe) {
-      cognitoUser.setDeviceStatusRemembered({
-        onSuccess: () => {},
-        onFailure: (e) => console.error(e),
-      });
-    }
-
-    return user;
-  }
-
-  async handlePasswordRecovery(user: CognitoChallengeUser) {
-    if (user.recoveryStatus !== RecoveryStatus.NONE) {
-      const jwtToken = user
-        .getSignInUserSession()
-        .getAccessToken()
-        .getJwtToken();
-      await this.passwordService.changePasswordComplete(
-        jwtToken,
-        user.recoveryStatus === RecoveryStatus.NEW_PASSWORD
-      );
-    }
-  }
-
-  async getUser(reload: boolean = false): Promise<CurrentUser> {
-    if (!reload && this.currentUser) {
-      return this.currentUser;
-    }
-    this.currentUser = await this.loadUser(
-      await this.auth.currentAuthenticatedUser()
-    );
-    console.log('Starting idle service.');
-    await this.idleService.start(); // Run idleService whenever user is logged in.
-    return this.currentUser;
-  }
-
-  private mapTPVaultAccess(features?: any): boolean {
-    const tpVaultFeature = features?.tpVault;
-    return (
-      tpVaultFeature?.length > 0 &&
-      tpVaultFeature.some((feature) => feature.toUpperCase() === 'ACCESS')
-    );
-  }
-
-  private async loadUser(
-    cognitoUser: CognitoUser,
-    password?: string
-  ): Promise<CurrentUser> {
-    const {
-      currentUser,
-      contactCard,
-      userPlans,
-    } = await this.profileService.getCurrentUser();
-
-    if (currentUser.sessionEncryptionKey) {
-      this.persistService.setServerSessionEncryptionKey(
-        await JWK.asKey(currentUser.sessionEncryptionKey)
-      );
-    }
-
-    const userAttributes = await this.auth.userAttributes(cognitoUser);
-
-    if (password) {
-      const passKey = (
-        await this.keyFactory.derivePassKey({
-          password,
-          ...currentUser.currentUserKey.passKey.passKeyParams,
-        })
-      ).jwk;
-
-      await this.idleService.persistMasterKey(
-        await this.keyGraphService.unwrapWithPassKey(
-          currentUser.currentUserKey.passKey.id,
-          passKey,
-          currentUser.currentUserKey.masterKey.id
-        )
-      );
-    }
-    await this.keyGraphService.populateKeys(currentUser.currentUserKey);
-
-    return {
-      id: currentUser.id,
-      sub: this.getUserAttribute('sub', userAttributes),
-      username: currentUser.username,
-      currentUserKey: currentUser.currentUserKey,
-      getAccessJwtToken: () =>
-        cognitoUser.getSignInUserSession().getAccessToken().getJwtToken(),
-      email: this.getUserAttribute('email', userAttributes),
-      emailVerified:
-        this.getUserAttribute('email_verified', userAttributes) === 'true',
-      phone: this.getUserAttribute('phone_number', userAttributes),
-      phoneVerified:
-        this.getUserAttribute('phone_number_verified', userAttributes) ===
-        'true',
-      contactCard: {
-        ...(await this.profileService.decryptContactCard(contactCard)),
-      },
-      userDelete: currentUser.userDelete,
-      userPlans,
-      hasTPVaultAccess: this.mapTPVaultAccess(currentUser.features),
-      features: currentUser.features,
-      sessionEncryptionKey: currentUser.sessionEncryptionKey,
-    };
-  }
-
-  public watchAuth(): Observable<any> {
-    return this.hubSubject;
-  }
-
-  public async logout(): Promise<void> {
-    this.currentUser = null;
-    this.keyService.purgeKeys();
-    this.keyGraphService.purgeKeys();
-
-    await Promise.all([this.auth.signOut(), this.profileService.signOut()]);
-  }
-
-  private getUserAttribute(
-    attributeName: string,
-    userAttributes: CognitoUserAttribute[]
-  ) {
-    const userAttribute = userAttributes.find(
-      (x) => x.getName() === attributeName
-    );
-
-    return userAttribute ? userAttribute.getValue() : null;
-  }
-
-  public async loadResetUser(password?: string): Promise<TpPasswordResetUser> {
-    const { tpPasswordResetUser: resetUser } = await this.lrGraphQL.query({
-      query: TpPasswordResetUserQuery,
-    });
-
-    if (resetUser.sessionEncryptionKey) {
-      this.persistService.setServerSessionEncryptionKey(
-        await JWK.asKey(resetUser.sessionEncryptionKey)
-      );
-    }
-
-    // Update the keys
-    if (password) {
-      const passKey = (
-        await this.keyFactory.derivePassKey({
-          password,
-          ...resetUser.passKey.passKeyParams,
-        })
-      ).jwk;
-
-      await this.idleService.persistMasterKey(
-        await this.keyGraphService.unwrapWithPassKey(
-          resetUser.passKey.id,
-          passKey,
-          resetUser.masterKey.id
-        )
-      );
-    }
-
-    this.keyService.populateKeys({
-      passKey: {
-        id: resetUser.passKey.id,
-      },
-      masterKey: {
-        id: resetUser.masterKey.id,
-      },
-    });
-
-    const userAttributes = await this.auth.userAttributes(
-      await this.auth.currentAuthenticatedUser()
-    );
-    const sub = this.getUserAttribute('sub', userAttributes);
-
-    return {
-      ...(await this.tpPasswordResetProcessorService.processTpPasswordResetUserNode(
-        resetUser
-      )),
-      sub,
-    };
-  }
-
-  public async refreshAccessToken() {
-    const cognitoUser: CognitoUser = await this.auth.currentAuthenticatedUser();
-    const refreshToken = cognitoUser.getSignInUserSession().getRefreshToken();
-
-    return new Promise((resolve, reject) => {
-      cognitoUser.refreshSession(refreshToken, (err, data) => {
-        if (err) {
-          console.error('Error refreshing token: ', err);
-          reject(err);
-        } else {
-          console.log('Token refresh complete: ', data);
-          resolve(0);
-        }
-      });
-    });
-  }
-}

package/src/lib/auth/password.service.spec.ts

@@ -1,51 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import {
-  EncryptionService,
-  KeyGraphService,
-  KeyService,
-  ProfileService,
-} from '../../public-api';
-import { KeyFactoryService } from '../cryptography/key-factory.service';
-import { lrConfigureTestingModule } from '../_common/tests';
-import { PasswordService } from './password.service';
-
-describe('PasswordService', () => {
-  let service: PasswordService;
-
-  beforeEach(async () => {
-    lrConfigureTestingModule();
-
-    service = TestBed.inject(PasswordService);
-  });
-
-  it('should be created', () => {
-    expect(service).toBeTruthy();
-  });
-
-  it('should check quality of current password', async () => {
-    const res = await service.checkPassword('123456');
-    expect(res.passwordExposed).toBeGreaterThan(0);
-    console.log(res);
-  });
-
-  it('should compute password strength', () => {
-    const res = service.passwordStrength('123456789aBc');
-    expect(res.years).toEqual(54000);
-    expect(res.bits).toEqual(71);
-
-    const res2 = service.passwordStrength('123456789aBC');
-    expect(res2.years).toEqual(res.years);
-    expect(res2.bits).toEqual(res.bits);
-
-    const res3 = service.passwordStrength('*23456789aBC');
-    expect(res3.years).toBeGreaterThan(res.years);
-    expect(res3.bits).toBeGreaterThan(res.bits);
-
-    const res4 = service.passwordStrength('');
-    expect(res4.years).toEqual(0);
-    expect(res4.bits).toEqual(0);
-
-    const res5 = service.passwordStrength('abcdefgh');
-    console.log('res5', res5);
-  });
-});