@nocobase/plugin-auth 0.10.0-alpha.2

package/src/server/basic-auth.ts

@@ -0,0 +1,128 @@
+import { AuthConfig, BaseAuth } from '@nocobase/auth';
+import { namespace } from '../preset';
+import { PasswordField } from '@nocobase/database';
+import crypto from 'crypto';
+
+export class BasicAuth extends BaseAuth {
+  constructor(config: AuthConfig) {
+    const userCollection = config.ctx.db.getCollection('users');
+    super({ ...config, userCollection });
+  }
+
+  async validate() {
+    const ctx = this.ctx;
+    const { uniqueField = 'email', values } = ctx.action.params;
+
+    if (!values[uniqueField]) {
+      ctx.throw(400, ctx.t('Please fill in your email address', { ns: namespace }));
+    }
+    const user = await this.userCollection.repository.findOne({
+      where: {
+        [uniqueField]: values[uniqueField],
+      },
+    });
+
+    if (!user) {
+      ctx.throw(401, ctx.t('The email is incorrect, please re-enter', { ns: namespace }));
+    }
+
+    const field = this.userCollection.getField<PasswordField>('password');
+    const valid = await field.verify(values.password, user.password);
+    if (!valid) {
+      ctx.throw(401, ctx.t('The password is incorrect, please re-enter', { ns: namespace }));
+    }
+    return user;
+  }
+
+  async signUp() {
+    const ctx = this.ctx;
+    const options = this.authenticator.options?.public || {};
+    if (!options.allowSignUp) {
+      ctx.throw(403, ctx.t('Not allowed to sign up', { ns: namespace }));
+    }
+    const User = ctx.db.getRepository('users');
+    const { values } = ctx.action.params;
+    const user = await User.create({ values });
+    return user;
+  }
+
+  async lostPassword() {
+    const ctx = this.ctx;
+    const {
+      values: { email },
+    } = ctx.action.params;
+    if (!email) {
+      ctx.throw(400, ctx.t('Please fill in your email address', { ns: namespace }));
+    }
+    const user = await this.userCollection.repository.findOne({
+      where: {
+        email,
+      },
+    });
+    if (!user) {
+      ctx.throw(401, ctx.t('The email is incorrect, please re-enter', { ns: namespace }));
+    }
+    user.resetToken = crypto.randomBytes(20).toString('hex');
+    await user.save();
+    return user;
+  }
+
+  async resetPassword() {
+    const ctx = this.ctx;
+    const {
+      values: { email, password, resetToken },
+    } = ctx.action.params;
+    const user = await this.userCollection.repository.findOne({
+      where: {
+        email,
+        resetToken,
+      },
+    });
+    if (!user) {
+      ctx.throw(404);
+    }
+    user.token = null;
+    user.resetToken = null;
+    user.password = password;
+    await user.save();
+    return user;
+  }
+
+  async getUserByResetToken() {
+    const ctx = this.ctx;
+    const { token } = ctx.action.params;
+    const user = await this.userCollection.repository.findOne({
+      where: {
+        resetToken: token,
+      },
+    });
+    if (!user) {
+      ctx.throw(401);
+    }
+    return user;
+  }
+
+  async changePassword() {
+    const ctx = this.ctx;
+    const {
+      values: { oldPassword, newPassword },
+    } = ctx.action.params;
+    const currentUser = ctx.auth.user;
+    if (!currentUser) {
+      ctx.throw(401);
+    }
+    const user = await this.userCollection.repository.findOne({
+      where: {
+        email: currentUser.email,
+      },
+    });
+    const pwd = this.userCollection.getField<PasswordField>('password');
+    const isValid = await pwd.verify(oldPassword, user.password);
+    if (!isValid) {
+      ctx.throw(401, ctx.t('The password is incorrect, please re-enter', { ns: namespace }));
+    }
+    user.password = newPassword;
+    await user.save();
+    return currentUser;
+  }
+}

package/src/server/collections/authenticators.ts

@@ -0,0 +1,97 @@
+import { CollectionOptions } from '@nocobase/database';
+
+/**
+ * Collection for extended authentication methods,
+ */
+export default {
+  namespace: 'auth.auth',
+  duplicator: 'optional',
+  name: 'authenticators',
+  sortable: true,
+  title: '{{t("Authenticators")}}',
+  model: 'AuthModel',
+  createdBy: true,
+  updatedBy: true,
+  logging: true,
+  fields: [
+    {
+      name: 'id',
+      type: 'bigInt',
+      autoIncrement: true,
+      primaryKey: true,
+      allowNull: false,
+      interface: 'id',
+    },
+    {
+      interface: 'input',
+      type: 'string',
+      name: 'name',
+      allowNull: false,
+      unique: true,
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Name")}}',
+        'x-component': 'Input',
+        required: true,
+      },
+    },
+    {
+      interface: 'input',
+      type: 'string',
+      name: 'authType',
+      allowNull: false,
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Auth Type")}}',
+        'x-component': 'Input',
+        required: true,
+      },
+    },
+    {
+      interface: 'input',
+      type: 'string',
+      name: 'title',
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Title")}}',
+        'x-component': 'Input',
+      },
+    },
+    {
+      interface: 'textarea',
+      type: 'string',
+      name: 'description',
+      allowNull: false,
+      defaultValue: '',
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Description")}}',
+        'x-component': 'Input',
+        required: true,
+      },
+    },
+    {
+      type: 'json',
+      name: 'options',
+      allowNull: false,
+      defaultValue: {},
+    },
+    {
+      type: 'boolean',
+      name: 'enabled',
+      defaultValue: false,
+    },
+    {
+      interface: 'm2m',
+      type: 'belongsToMany',
+      name: 'users',
+      target: 'users',
+      foreignKey: 'authenticator',
+      otherKey: 'userId',
+      onDelete: 'CASCADE',
+      sourceKey: 'name',
+      targetKey: 'id',
+      through: 'usersAuthenticators',
+    },
+  ],
+} as CollectionOptions;

package/src/server/collections/users-authenticators.ts

@@ -0,0 +1,73 @@
+import { CollectionOptions } from '@nocobase/database';
+
+/**
+ * Collection for user information of extended authentication methods,
+ * such as saml, oicd, oauth, sms, etc.
+ */
+export default {
+  namespace: 'auth.auth',
+  duplicator: {
+    dumpable: 'optional',
+    /**
+     * When dump this collection, the users collection is required to be dumped.
+     */
+    with: 'users',
+  },
+  name: 'usersAuthenticators',
+  title: '{{t("Users Authenticators")}}',
+  model: 'UserAuthModel',
+  createdBy: true,
+  updatedBy: true,
+  logging: true,
+  fields: [
+    /**
+     * uuid:
+     * Unique user id of the authentication method, such as wechat openid, phone number, etc.
+     */
+    {
+      name: 'uuid',
+      interface: 'input',
+      type: 'string',
+      allowNull: false,
+      uiSchema: {
+        type: 'string',
+        title: '{{t("UUID")}}',
+        'x-component': 'Input',
+        required: true,
+      },
+    },
+    {
+      interface: 'input',
+      type: 'string',
+      name: 'nickname',
+      allowNull: false,
+      defaultValue: '',
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Nickname")}}',
+        'x-component': 'Input',
+      },
+    },
+    {
+      interface: 'attachment',
+      type: 'string',
+      name: 'avatar',
+      allowNull: false,
+      defaultValue: '',
+      uiSchema: {
+        type: 'string',
+        title: '{{t("Avatar")}}',
+        'x-component': 'Upload',
+      },
+    },
+    /**
+     * meta:
+     * Metadata, some other information of the authentication method.
+     */
+    {
+      type: 'json',
+      name: 'meta',
+      defaultValue: {},
+    },
+  ],
+} as CollectionOptions;

package/src/server/index.ts

@@ -0,0 +1,2 @@
+export { default } from './plugin';
+export { AuthModel } from './model/authenticator';

package/src/server/locale/en-US.ts

@@ -0,0 +1,10 @@
+export default {
+  'The email is incorrect, please re-enter': 'The email is incorrect, please re-enter',
+  'Please fill in your email address': 'Please fill in your email address',
+  'The password is incorrect, please re-enter': 'The password is incorrect, please re-enter',
+  'Not a valid cellphone number, please re-enter': 'Not a valid cellphone number, please re-enter',
+  'The phone number has been registered, please login directly':
+    'The phone number has been registered, please login directly',
+  'The phone number is not registered, please register first':
+    'The phone number is not registered, please register first',
+};

package/src/server/locale/index.ts

@@ -0,0 +1,3 @@
+export { default as enUS } from './en-US';
+export { default as zhCN } from './zh-CN';
+export { default as ptBR } from './pt-BR';

package/src/server/locale/ja-JP.ts

@@ -0,0 +1,4 @@
+export default {
+  'Please fill in your email address': 'メールアドレスを入力してください',
+  'The password is incorrect, please re-enter': 'パスワードが正しくありません。再度入力してください。',
+};

package/src/server/locale/pt-BR.ts

@@ -0,0 +1,10 @@
+export default {
+  'The email is incorrect, please re-enter': 'O e-mail está incorreto, por favor, digite novamente',
+  'Please fill in your email address': 'Por favor, preencha o seu endereço de e-mail',
+  'The password is incorrect, please re-enter': 'A senha está incorreta, por favor, digite novamente',
+  'Not a valid cellphone number, please re-enter': 'Número de celular inválido, por favor, digite novamente',
+  'The phone number has been registered, please login directly':
+    'O número de celular já está registrado, por favor, faça login diretamente',
+  'The phone number is not registered, please register first':
+    'O número de celular não está registrado, por favor, registre-se primeiro',
+};

package/src/server/locale/zh-CN.ts

@@ -0,0 +1,9 @@
+export default {
+  'The email is incorrect, please re-enter': '邮箱有误，请重新输入',
+  'Please fill in your email address': '请填写邮箱',
+  'The password is incorrect, please re-enter': '密码有误，请重新输入',
+  'Not a valid cellphone number, please re-enter': '不是有效的手机号，请重新输入',
+  'The phone number has been registered, please login directly': '手机号已注册，请直接登录',
+  'The phone number is not registered, please register first': '手机号未注册，请先注册',
+  'Please keep and enable at least one authenticator': '请至少保留并启用一个认证器',
+};

package/src/server/migrations/20230506152253-basic-authenticator.ts

@@ -0,0 +1,22 @@
+import { Migration } from '@nocobase/server';
+import { presetAuthType, presetAuthenticator } from '../../preset';
+
+export default class AddBasicAuthMigration extends Migration {
+  async up() {
+    const repo = this.context.db.getRepository('authenticators');
+    const existed = await repo.count();
+    if (existed) {
+      return;
+    }
+    await repo.create({
+      values: {
+        name: presetAuthenticator,
+        authType: presetAuthType,
+        description: 'Sign in with email and password.',
+        enabled: true,
+      },
+    });
+  }
+
+  async down() {}
+}

package/src/server/migrations/20230607174500-update-basic.ts

@@ -0,0 +1,25 @@
+import { Migration } from '@nocobase/server';
+import { presetAuthenticator } from '../../preset';
+
+export default class UpdateBasicAuthMigration extends Migration {
+  async up() {
+    const SystemSetting = this.context.db.getRepository('systemSettings');
+    const setting = await SystemSetting.findOne();
+    const allowSignUp = setting.get('allowSignUp') ? true : false;
+    const repo = this.context.db.getRepository('authenticators');
+    await repo.update({
+      values: {
+        options: {
+          public: {
+            allowSignUp,
+          },
+        },
+      },
+      filter: {
+        name: presetAuthenticator,
+      },
+    });
+  }
+
+  async down() {}
+}

package/src/server/model/authenticator.ts

@@ -0,0 +1,48 @@
+import { Database, Model } from '@nocobase/database';
+
+export class AuthModel extends Model {
+  async findUser(uuid: string) {
+    let user: Model;
+    const users = await this.getUsers({
+      through: {
+        where: { uuid },
+      },
+    });
+    if (users.length) {
+      user = users[0];
+      return user;
+    }
+  }
+
+  async newUser(uuid: string, values?: any) {
+    let user: Model;
+    const db: Database = (this.constructor as any).database;
+    await this.sequelize.transaction(async (transaction) => {
+      // Create a new user if not exists
+      user = await this.createUser(
+        values || {
+          nickname: uuid,
+        },
+        {
+          through: {
+            uuid: uuid,
+          },
+          transaction,
+        },
+      );
+      await db.emitAsync(`users.afterCreateWithAssociations`, user, {
+        transaction,
+      });
+    });
+    return user;
+  }
+
+  async findOrCreateUser(uuid: string, userValues?: any) {
+    const user = await this.findUser(uuid);
+    if (user) {
+      return user;
+    }
+
+    return await this.newUser(uuid, userValues);
+  }
+}

package/src/server/plugin.ts

@@ -0,0 +1,92 @@
+import { InstallOptions, Plugin } from '@nocobase/server';
+import { resolve } from 'path';
+import { BasicAuth } from './basic-auth';
+import { presetAuthType, presetAuthenticator } from '../preset';
+import authActions from './actions/auth';
+import authenticatorsActions from './actions/authenticators';
+import { enUS, zhCN } from './locale';
+import { namespace } from '../preset';
+import { AuthModel } from './model/authenticator';
+import { Model } from '@nocobase/database';
+
+export class AuthPlugin extends Plugin {
+  afterAdd() {}
+
+  async beforeLoad() {
+    this.app.i18n.addResources('zh-CN', namespace, zhCN);
+    this.app.i18n.addResources('en-US', namespace, enUS);
+
+    this.app.db.registerModels({ AuthModel });
+  }
+
+  async load() {
+    // Set up database
+    await this.db.import({
+      directory: resolve(__dirname, 'collections'),
+    });
+    this.db.addMigrations({
+      namespace: 'auth',
+      directory: resolve(__dirname, 'migrations'),
+      context: {
+        plugin: this,
+      },
+    });
+    // Set up auth manager and register preset auth type
+    this.app.authManager.setStorer({
+      get: async (name: string) => {
+        const repo = this.db.getRepository('authenticators');
+        const authenticators = await repo.find({ filter: { enabled: true } });
+        const authenticator = authenticators.find((authenticator: Model) => authenticator.name === name);
+        return authenticator || authenticators[0];
+      },
+    });
+    this.app.authManager.registerTypes(presetAuthType, {
+      auth: BasicAuth,
+    });
+    // Register actions
+    Object.entries(authActions).forEach(([action, handler]) =>
+      this.app.resourcer.registerAction(`auth:${action}`, handler),
+    );
+    Object.entries(authenticatorsActions).forEach(([action, handler]) =>
+      this.app.resourcer.registerAction(`authenticators:${action}`, handler),
+    );
+    // Set up ACL
+    ['check', 'signIn', 'signUp'].forEach((action) => this.app.acl.allow('auth', action));
+    ['signOut', 'changePassword'].forEach((action) => this.app.acl.allow('auth', action, 'loggedIn'));
+    this.app.acl.allow('authenticators', 'publicList');
+    this.app.acl.registerSnippet({
+      name: `pm.${this.name}.authenticators`,
+      actions: ['authenticators:*'],
+    });
+  }
+
+  async install(options?: InstallOptions) {
+    const repository = this.db.getRepository('authenticators');
+    const exist = await repository.findOne({ filter: { name: presetAuthenticator } });
+    if (exist) {
+      return;
+    }
+
+    await repository.create({
+      values: {
+        name: presetAuthenticator,
+        authType: presetAuthType,
+        description: 'Sign in with email and password.',
+        enabled: true,
+        options: {
+          public: {
+            allowSignUp: true,
+          },
+        },
+      },
+    });
+  }
+
+  async afterEnable() {}
+
+  async afterDisable() {}
+
+  async remove() {}
+}
+
+export default AuthPlugin;