@proofkit/cli 1.0.0-beta.0

package/template/extras/fmaddon-auth/emails/auth-code.tsx

@@ -0,0 +1,156 @@
+import {
+  Body,
+  Container,
+  Head,
+  Heading,
+  Html,
+  Img,
+  Section,
+  Text,
+} from "@react-email/components";
+import * as React from "react";
+
+interface AuthCodeEmailProps {
+  validationCode: string;
+  type: "verification" | "password-reset";
+}
+
+export const AuthCodeEmail = ({ validationCode, type }: AuthCodeEmailProps) => (
+  <Html>
+    <Head />
+    <Body style={main}>
+      <Container style={container}>
+        <Img
+          // TODO: Replace with your logo
+          src="https://proofkit.dev/_astro/proofkit.DNcFg0_B_1JN3Dz.webp"
+          width="238"
+          height="175"
+          alt="ProofKit"
+          style={logo}
+        />
+        <Text style={tertiary}>
+          {type === "verification"
+            ? "Verify Your Email"
+            : "Reset Your Password"}
+        </Text>
+        <Heading style={secondary}>
+          Enter the following code to{" "}
+          {type === "verification"
+            ? "verify your email"
+            : "reset your password"}
+        </Heading>
+        <Section style={codeContainer}>
+          <Text style={code}>{validationCode}</Text>
+        </Section>
+        <Text style={paragraph}>
+          If you did not request this code, you can ignore this email.
+        </Text>
+      </Container>
+    </Body>
+  </Html>
+);
+
+AuthCodeEmail.PreviewProps = {
+  validationCode: "D7CU4GOV",
+  type: "verification",
+} as AuthCodeEmailProps;
+
+export default AuthCodeEmail;
+
+const main = {
+  backgroundColor: "#ffffff",
+  fontFamily: "HelveticaNeue,Helvetica,Arial,sans-serif",
+};
+
+const container = {
+  backgroundColor: "#ffffff",
+  border: "1px solid #eee",
+  borderRadius: "5px",
+  boxShadow: "0 5px 10px rgba(20,50,70,.2)",
+  marginTop: "20px",
+  maxWidth: "360px",
+  margin: "0 auto",
+  padding: "68px 0 130px",
+};
+
+const logo: React.CSSProperties = {
+  margin: "0 auto",
+};
+
+const tertiary = {
+  color: "#0a85ea",
+  fontSize: "11px",
+  fontWeight: 700,
+  fontFamily: "HelveticaNeue,Helvetica,Arial,sans-serif",
+  height: "16px",
+  letterSpacing: "0",
+  lineHeight: "16px",
+  margin: "16px 8px 8px 8px",
+  textTransform: "uppercase" as const,
+  textAlign: "center" as const,
+};
+
+const secondary = {
+  color: "#000",
+  display: "inline-block",
+  fontFamily: "HelveticaNeue-Medium,Helvetica,Arial,sans-serif",
+  fontSize: "20px",
+  fontWeight: 500,
+  lineHeight: "24px",
+  marginBottom: "0",
+  marginTop: "0",
+  textAlign: "center" as const,
+  padding: "0 40px",
+};
+
+const codeContainer = {
+  background: "rgba(0,0,0,.05)",
+  borderRadius: "4px",
+  margin: "16px auto 14px",
+  verticalAlign: "middle",
+  width: "280px",
+};
+
+const code = {
+  color: "#000",
+  display: "inline-block",
+  fontFamily: "HelveticaNeue-Bold",
+  fontSize: "32px",
+  fontWeight: 700,
+  letterSpacing: "6px",
+  lineHeight: "40px",
+  paddingBottom: "8px",
+  paddingTop: "8px",
+  margin: "0 auto",
+  width: "100%",
+  textAlign: "center" as const,
+};
+
+const paragraph = {
+  color: "#444",
+  fontSize: "15px",
+  fontFamily: "HelveticaNeue,Helvetica,Arial,sans-serif",
+  letterSpacing: "0",
+  lineHeight: "23px",
+  padding: "0 40px",
+  margin: "0",
+  textAlign: "center" as const,
+};
+
+const link = {
+  color: "#444",
+  textDecoration: "underline",
+};
+
+const footer = {
+  color: "#000",
+  fontSize: "12px",
+  fontWeight: 800,
+  letterSpacing: "0",
+  lineHeight: "23px",
+  margin: "0",
+  marginTop: "20px",
+  fontFamily: "HelveticaNeue,Helvetica,Arial,sans-serif",
+  textAlign: "center" as const,
+  textTransform: "uppercase" as const,
+};

package/template/extras/fmaddon-auth/middleware.ts

@@ -0,0 +1,45 @@
+import { NextResponse } from "next/server";
+
+import type { NextRequest } from "next/server";
+
+export async function middleware(request: NextRequest): Promise<NextResponse> {
+  if (request.method === "GET") {
+    const response = NextResponse.next();
+    const token = request.cookies.get("session")?.value ?? null;
+    if (token !== null) {
+      // Only extend cookie expiration on GET requests since we can be sure
+      // a new session wasn't set when handling the request.
+      response.cookies.set("session", token, {
+        path: "/",
+        maxAge: 60 * 60 * 24 * 30,
+        sameSite: "lax",
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+      });
+    }
+    return response;
+  }
+
+  const originHeader = request.headers.get("Origin");
+  // NOTE: You may need to use `X-Forwarded-Host` instead
+  const hostHeader = request.headers.get("Host");
+  if (originHeader === null || hostHeader === null) {
+    return new NextResponse(null, {
+      status: 403,
+    });
+  }
+  let origin: URL;
+  try {
+    origin = new URL(originHeader);
+  } catch {
+    return new NextResponse(null, {
+      status: 403,
+    });
+  }
+  if (origin.host !== hostHeader) {
+    return new NextResponse(null, {
+      status: 403,
+    });
+  }
+  return NextResponse.next();
+}

package/template/extras/fmaddon-auth/server/auth/utils/email-verification.ts

@@ -0,0 +1,136 @@
+import { generateRandomOTP } from "./index";
+import { encodeBase32 } from "@oslojs/encoding";
+import { cookies } from "next/headers";
+import { getCurrentSession } from "./session";
+import { emailVerificationLayout } from "../db/client";
+import { TemailVerification } from "../db/emailVerification";
+import { sendEmail } from "../email";
+
+/**
+ * An Email Verification Request is a record in the email verification table that is created when a user requests to change their email address. It's like a temporary session which can expire if the user doesn't verify the new email address within a certain amount of time.
+ */
+
+/**
+ * Get a user's email verification request.
+ * @param userId - The ID of the user.
+ * @param id - The ID of the email verification request.
+ * @returns The email verification request, or null if it doesn't exist.
+ */
+export async function getUserEmailVerificationRequest(
+  userId: string,
+  id: string,
+): Promise<TemailVerification | null> {
+  const result = await emailVerificationLayout.maybeFindFirst({
+    query: { id_user: `==${userId}`, id: `==${id}` },
+  });
+  return result?.data.fieldData ?? null;
+}
+
+/**
+ * Create a new email verification request for a user.
+ * @param id_user - The ID of the user.
+ * @param email - The email address to verify.
+ * @returns The email verification request.
+ */
+export async function createEmailVerificationRequest(
+  id_user: string,
+  email: string,
+): Promise<TemailVerification> {
+  deleteUserEmailVerificationRequest(id_user);
+  const idBytes = new Uint8Array(20);
+  crypto.getRandomValues(idBytes);
+  const id = encodeBase32(idBytes).toLowerCase();
+
+  const code = generateRandomOTP();
+  const expiresAt = new Date(Date.now() + 1000 * 60 * 10);
+
+  const request: TemailVerification = {
+    id,
+    code,
+    expires_at: Math.floor(expiresAt.getTime() / 1000),
+    email,
+    id_user,
+  };
+
+  await emailVerificationLayout.create({
+    fieldData: request,
+  });
+
+  return request;
+}
+
+/**
+ * Delete a user's email verification request.
+ * @param id_user - The ID of the user.
+ */
+export async function deleteUserEmailVerificationRequest(
+  id_user: string,
+): Promise<void> {
+  const result = await emailVerificationLayout.maybeFindFirst({
+    query: { id_user: `==${id_user}` },
+  });
+  if (result === null) return;
+
+  await emailVerificationLayout.delete({ recordId: result.data.recordId });
+}
+
+/**
+ * Send a verification email to a user.
+ * @param email - The email address to send the verification email to.
+ * @param code - The verification code to send to the user.
+ */
+export async function sendVerificationEmail(
+  email: string,
+  code: string,
+): Promise<void> {
+  await sendEmail({ to: email, code, type: "verification" });
+}
+
+/**
+ * Set a cookie for a user's email verification request.
+ * @param request - The email verification request.
+ */
+export async function setEmailVerificationRequestCookie(
+  request: TemailVerification,
+): Promise<void> {
+  (await cookies()).set("email_verification", request.id, {
+    httpOnly: true,
+    path: "/",
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    expires: request.expires_at
+      ? new Date(request.expires_at * 1000)
+      : new Date(Date.now() + 1000 * 60 * 60),
+  });
+}
+
+/**
+ * Delete the cookie for a user's email verification request.
+ */
+export async function deleteEmailVerificationRequestCookie(): Promise<void> {
+  (await cookies()).set("email_verification", "", {
+    httpOnly: true,
+    path: "/",
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    maxAge: 0,
+  });
+}
+
+/**
+ * Get a user's email verification request from the cookie.
+ * @returns The email verification request, or null if it doesn't exist.
+ */
+export async function getUserEmailVerificationRequestFromRequest(): Promise<TemailVerification | null> {
+  const { user } = await getCurrentSession();
+  if (user === null) {
+    return null;
+  }
+  const id = (await cookies()).get("email_verification")?.value ?? null;
+  if (id === null) {
+    return null;
+  }
+  const request = await getUserEmailVerificationRequest(user.id, id);
+
+  return request;
+}

package/template/extras/fmaddon-auth/server/auth/utils/encryption.ts

@@ -0,0 +1,51 @@
+import { decodeBase64 } from "@oslojs/encoding";
+import { createCipheriv, createDecipheriv } from "crypto";
+import { DynamicBuffer } from "@oslojs/binary";
+
+const key = decodeBase64(process.env.ENCRYPTION_KEY ?? "");
+
+export function encrypt(data: Uint8Array): Uint8Array {
+  const iv = new Uint8Array(16);
+  crypto.getRandomValues(iv);
+  const cipher = createCipheriv("aes-128-gcm", key, iv);
+  const encrypted = new DynamicBuffer(0);
+  encrypted.write(iv);
+  encrypted.write(cipher.update(data));
+  encrypted.write(cipher.final());
+  encrypted.write(cipher.getAuthTag());
+  return encrypted.bytes();
+}
+
+/**
+ * Encrypt a string for storage in the database.
+ * Here we're returning a base64 encoded string since FileMaker doesn't store binary data.
+ * @param data - The string to encrypt.
+ * @returns The encrypted string.
+ */
+export function encryptString(data: string): string {
+  const encrypted = encrypt(new TextEncoder().encode(data));
+  return Buffer.from(encrypted).toString("base64");
+}
+
+/**
+ * Decrypt a string stored in the database.
+ * @param encrypted - The encrypted string to decrypt.
+ * @returns The decrypted string.
+ */
+export function decrypt(encrypted: Uint8Array): Uint8Array {
+  if (encrypted.byteLength < 33) {
+    throw new Error("Invalid data");
+  }
+  const decipher = createDecipheriv("aes-128-gcm", key, encrypted.slice(0, 16));
+  decipher.setAuthTag(encrypted.slice(encrypted.byteLength - 16));
+  const decrypted = new DynamicBuffer(0);
+  decrypted.write(
+    decipher.update(encrypted.slice(16, encrypted.byteLength - 16)),
+  );
+  decrypted.write(decipher.final());
+  return decrypted.bytes();
+}
+
+export function decryptToString(data: Uint8Array): string {
+  return new TextDecoder().decode(decrypt(data));
+}

package/template/extras/fmaddon-auth/server/auth/utils/index.ts

@@ -0,0 +1,16 @@
+import { encodeBase32UpperCaseNoPadding } from "@oslojs/encoding";
+
+export function generateRandomOTP(): string {
+  const bytes = new Uint8Array(5);
+  crypto.getRandomValues(bytes);
+  const code = encodeBase32UpperCaseNoPadding(bytes);
+  return code;
+}
+
+export const options = {
+  password: {
+    minLength: 8,
+    maxLength: 255,
+    checkCompromised: false, // set to true to prevent known compromised passwords on signup
+  },
+};

package/template/extras/fmaddon-auth/server/auth/utils/password-reset.ts

@@ -0,0 +1,152 @@
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { generateRandomOTP } from "./index";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { cookies } from "next/headers";
+import { passwordResetLayout } from "../db/client";
+import { TpasswordReset } from "../db/passwordReset";
+
+import type { User } from "./user";
+import { sendEmail } from "../email";
+type PasswordResetSession = Omit<
+  TpasswordReset,
+  | "proofkit_auth_users::email"
+  | "proofkit_auth_users::emailVerified"
+  | "proofkit_auth_users::username"
+>;
+
+export async function createPasswordResetSession(
+  token: string,
+  id_user: string,
+  email: string
+): Promise<PasswordResetSession> {
+  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+  const session: PasswordResetSession = {
+    id: sessionId,
+    id_user,
+    email,
+    expires_at: Math.floor(
+      new Date(Date.now() + 1000 * 60 * 10).getTime() / 1000
+    ),
+    code: generateRandomOTP(),
+    email_verified: 0,
+  };
+  await passwordResetLayout.create({ fieldData: session });
+
+  return session;
+}
+
+/**
+ * Validate a password reset session token.
+ * @param token - The password reset session token.
+ * @returns The password reset session, or null if it doesn't exist.
+ */
+export async function validatePasswordResetSessionToken(
+  token: string
+): Promise<PasswordResetSessionValidationResult> {
+  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+  const row = await passwordResetLayout.maybeFindFirst({
+    query: { id: `==${sessionId}` },
+  });
+
+  if (row === null) {
+    return { session: null, user: null };
+  }
+  const session: PasswordResetSession = {
+    id: row.data.fieldData.id,
+    id_user: row.data.fieldData.id_user,
+    email: row.data.fieldData.email,
+    code: row.data.fieldData.code,
+    expires_at: row.data.fieldData.expires_at,
+    email_verified: row.data.fieldData.email_verified,
+  };
+
+  const user: User = {
+    id: row.data.fieldData.id_user,
+    email: row.data.fieldData["proofkit_auth_users::email"],
+    username: row.data.fieldData["proofkit_auth_users::username"],
+    emailVerified: Boolean(
+      row.data.fieldData["proofkit_auth_users::emailVerified"]
+    ),
+  };
+  if (session.expires_at && Date.now() >= session.expires_at * 1000) {
+    await passwordResetLayout.delete({ recordId: row.data.recordId });
+    return { session: null, user: null };
+  }
+  return { session, user };
+}
+
+async function fetchPasswordResetSession(sessionId: string) {
+  return (
+    await passwordResetLayout.findOne({ query: { id: `==${sessionId}` } })
+  ).data;
+}
+
+export async function setPasswordResetSessionAsEmailVerified(
+  sessionId: string
+): Promise<void> {
+  const { recordId } = await fetchPasswordResetSession(sessionId);
+  await passwordResetLayout.update({
+    recordId,
+    fieldData: { email_verified: 1 },
+  });
+}
+
+export async function invalidateUserPasswordResetSessions(
+  userId: string
+): Promise<void> {
+  const sessions = await passwordResetLayout.find({
+    query: { id_user: `==${userId}` },
+    ignoreEmptyResult: true,
+  });
+  for (const session of sessions.data) {
+    await passwordResetLayout.delete({ recordId: session.recordId });
+  }
+}
+
+export async function validatePasswordResetSessionRequest(): Promise<PasswordResetSessionValidationResult> {
+  const token = (await cookies()).get("password_reset_session")?.value ?? null;
+  if (token === null) {
+    return { session: null, user: null };
+  }
+  const result = await validatePasswordResetSessionToken(token);
+  if (result.session === null) {
+    deletePasswordResetSessionTokenCookie();
+  }
+  return result;
+}
+
+export async function setPasswordResetSessionTokenCookie(
+  token: string,
+  expiresAt: number | null
+): Promise<void> {
+  (await cookies()).set("password_reset_session", token, {
+    expires: expiresAt
+      ? new Date(expiresAt * 1000)
+      : new Date(Date.now() + 60 * 60 * 1000),
+    sameSite: "lax",
+    httpOnly: true,
+    path: "/",
+    secure: process.env.NODE_ENV === "production",
+  });
+}
+
+export async function deletePasswordResetSessionTokenCookie(): Promise<void> {
+  (await cookies()).set("password_reset_session", "", {
+    maxAge: 0,
+    sameSite: "lax",
+    httpOnly: true,
+    path: "/",
+    secure: process.env.NODE_ENV === "production",
+  });
+}
+
+export async function sendPasswordResetEmail(
+  email: string,
+  code: string
+): Promise<void> {
+  await sendEmail({ to: email, code, type: "password-reset" });
+}
+
+export type PasswordResetSessionValidationResult =
+  | { session: PasswordResetSession; user: User }
+  | { session: null; user: null };

package/template/extras/fmaddon-auth/server/auth/utils/password.ts

@@ -0,0 +1,67 @@
+import { options } from ".";
+import { hash, verify } from "@node-rs/argon2";
+import { sha1 } from "@oslojs/crypto/sha1";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+
+/**
+ * Hash a password using Argon2.
+ * @param password - The password to hash.
+ * @returns The hashed password.
+ */
+export async function hashPassword(password: string): Promise<string> {
+  return await hash(password, {
+    memoryCost: 19456,
+    timeCost: 2,
+    outputLen: 32,
+    parallelism: 1,
+  });
+}
+
+/**
+ * Verify that a password matches a hash.
+ * @param hash - The hash to verify against.
+ * @param password - The password to verify.
+ * @returns True if the password matches the hash, false otherwise.
+ */
+export async function verifyPasswordHash(
+  hash: string,
+  password: string
+): Promise<boolean> {
+  return await verify(hash, password);
+}
+
+/**
+ * Verify that a password is strong enough.
+ * @param password - The password to verify.
+ * @returns True if the password is strong enough, false otherwise.
+ */
+export async function verifyPasswordStrength(
+  password: string
+): Promise<boolean> {
+  if (
+    password.length < options.password.minLength ||
+    password.length > options.password.maxLength
+  ) {
+    return false;
+  }
+
+  if (options.password.checkCompromised) {
+    const hash = encodeHexLowerCase(sha1(new TextEncoder().encode(password)));
+    const hashPrefix = hash.slice(0, 5);
+    const response = await fetch(
+      `https://api.pwnedpasswords.com/range/${hashPrefix}`
+    );
+    const data = await response.text();
+    const items = data.split("\n");
+    for (const item of items) {
+      const hashSuffix = item.slice(0, 35).toLowerCase();
+      if (hash === hashPrefix + hashSuffix) {
+        console.log(
+          "User's new password was found in list of compromised passwords, reject"
+        );
+        return false;
+      }
+    }
+  }
+  return true;
+}

package/template/extras/fmaddon-auth/server/auth/utils/redirect.ts

@@ -0,0 +1,8 @@
+import { cookies } from "next/headers";
+
+export async function getRedirectCookie() {
+  const cookieStore = await cookies();
+  const redirectTo = cookieStore.get("redirectTo")?.value;
+  cookieStore.delete("redirectTo");
+  return redirectTo ?? "/";
+}