@semapps/auth 0.4.0-alpha.4 → 0.4.0-alpha.42

package/index.js

@@ -4,5 +4,6 @@ module.exports = {
   AuthOIDCService: require('./services/auth.oidc'),
   AuthAccountService: require('./services/account'),
   AuthJWTService: require('./services/jwt'),
-  AuthMigrationService: require('./services/migration')
+  AuthMigrationService: require('./services/migration'),
+  AuthMailService: require('./services/mail')
 };

package/mixins/auth.js

@@ -1,7 +1,8 @@
+const passport = require('passport');
+const { Errors: E } = require('moleculer-web');
+const { TripleStoreAdapter } = require('@semapps/triplestore');
 const AuthAccountService = require('../services/account');
 const AuthJWTService = require('../services/jwt');
-const { Errors: E } = require('moleculer-web');
-const passport = require('passport');
 
 const AuthMixin = {
   settings: {
@@ -9,18 +10,21 @@ const AuthMixin = {
     jwtPath: null,
     registrationAllowed: true,
     reservedUsernames: [],
-    webIdSelection: []
+    webIdSelection: [],
+    accountSelection: [],
+    accountsDataset: 'settings'
   },
   dependencies: ['api', 'webid'],
   async created() {
-    const { jwtPath, reservedUsernames } = this.settings;
+    const { jwtPath, reservedUsernames, accountsDataset } = this.settings;
 
     await this.broker.createService(AuthJWTService, {
       settings: { jwtPath }
     });
 
     await this.broker.createService(AuthAccountService, {
-      settings: { reservedUsernames }
+      settings: { reservedUsernames },
+      adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: accountsDataset })
     });
   },
   async started() {
@@ -34,7 +38,7 @@ const AuthMixin = {
       done(null, user);
     });
 
-    this.strategy = this.getStrategy();
+    this.strategy = await this.getStrategy();
 
     this.passport.use(this.passportId, this.strategy);
 
@@ -108,6 +112,15 @@ const AuthMixin = {
       } else {
         return data;
       }
+    },
+    pickAccountData(data) {
+      if (this.settings.accountSelection.length > 0) {
+        return Object.fromEntries(
+          this.settings.accountSelection.filter(key => key in data).map(key => [key, data[key]])
+        );
+      } else {
+        return data || {};
+      }
     }
   }
 };

package/mixins/auth.sso.js

@@ -32,25 +32,33 @@ const AuthSSOMixin = {
         newUser = false;
 
         // TODO update account with recent information
-        // await this.broker.call('webid.edit', profileData, { meta: { webId } });
+        // await ctx.call('webid.edit', profileData, { meta: { webId } });
 
-        await this.broker.emit('auth.connected', { webId, accountData });
+        ctx.emit('auth.connected', { webId, accountData, ssoData }, { meta: { webId: null, dataset: null } });
       } else {
         if (!this.settings.registrationAllowed) {
           throw new Error('registration.not-allowed');
         }
 
-        accountData = await ctx.call('auth.account.create', { uuid: profileData.uuid, email: profileData.email });
-        webId = await ctx.call('webid.create', { nick: accountData.username, ...profileData });
+        accountData = await ctx.call('auth.account.create', {
+          uuid: profileData.uuid,
+          email: profileData.email,
+          username: profileData.username
+        });
+        webId = await ctx.call('webid.create', this.pickWebIdData({ nick: accountData.username, ...profileData }));
         newUser = true;
 
         // Link the webId with the account
         await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
 
-        ctx.emit('auth.registered', { webId, profileData, accountData }, { meta: { webId: null, dataset: null } });
+        ctx.emit(
+          'auth.registered',
+          { webId, profileData, accountData, ssoData },
+          { meta: { webId: null, dataset: null } }
+        );
       }
 
-      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId: accountData.webId } });
+      const token = await ctx.call('auth.jwt.generateToken', { payload: { webId } });
 
       return { token, newUser };
     }

package/package.json

@@ -1,26 +1,29 @@
 {
   "name": "@semapps/auth",
-  "version": "0.4.0-alpha.4",
+  "version": "0.4.0-alpha.42",
   "description": "Authentification module for SemApps",
   "license": "Apache-2.0",
   "author": "Virtual Assembly",
   "dependencies": {
-    "@semapps/mime-types": "0.4.0-alpha.4",
-    "@semapps/triplestore": "0.4.0-alpha.4",
+    "@semapps/mime-types": "0.4.0-alpha.42",
+    "@semapps/triplestore": "0.4.0-alpha.42",
     "bcrypt": "^5.0.1",
     "express-session": "^1.17.0",
     "jsonwebtoken": "^8.5.1",
     "moleculer": "^0.14.17",
     "moleculer-db": "^0.8.16",
+    "moleculer-mail": "^1.2.5",
     "moleculer-web": "^0.10.0-beta1",
+    "node-sass": "^7.0.1",
     "openid-client": "^4.7.4",
     "passport": "^0.4.1",
-    "passport-cas2": "0.0.11",
+    "passport-cas2": "0.0.12",
     "passport-local": "^1.0.0",
+    "pug": "^3.0.2",
     "url-join": "^4.0.1"
   },
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "2ba923a2a0799a03a99cbe9af67f0a1b3bdda139"
+  "gitHead": "e2711d7d742bc8a1399472567bbbe5bf82d063f9"
 }

package/services/account.js

@@ -1,6 +1,7 @@
 const bcrypt = require('bcrypt');
 const DbService = require('moleculer-db');
 const { TripleStoreAdapter } = require('@semapps/triplestore');
+const crypto = require('crypto');
 
 module.exports = {
   name: 'auth.account',
@@ -8,34 +9,41 @@ module.exports = {
   adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: 'settings' }),
   settings: {
     idField: '@id',
-    reservedUsernames: []
+    reservedUsernames: ['relay']
   },
   dependencies: ['triplestore'],
   actions: {
     async create(ctx) {
-      let { uuid, username, password, email, webId } = ctx.params;
+      let { uuid, username, password, email, webId, ...rest } = ctx.params;
       const hashedPassword = password ? await this.hashPassword(password) : undefined;
 
-      const emailExists = await ctx.call('auth.account.emailExists', { email });
+      email = email && email.toLowerCase();
+
+      const emailExists = !email ? false : await ctx.call('auth.account.emailExists', { email });
       if (emailExists) {
         throw new Error('email.already.exists');
       }
 
       if (username) {
-        await this.isValidUsername(ctx, username);
-      } else {
+        if (!ctx.meta.isSystemCall) await this.isValidUsername(ctx, username);
+      } else if (email) {
         // If username is not provided, find an username based on the email
+        const usernameFromEmail = email.split('@')[0].toLowerCase();
         let usernameValid = false,
-          i = 1;
+          i = 0;
         do {
+          username = i === 0 ? usernameFromEmail : usernameFromEmail + i;
+          try {
+            usernameValid = await this.isValidUsername(ctx, username);
+          } catch (e) {
+            // Do nothing, the loop will continue
+          }
           i++;
-          username = email.split('@')[0].toLowerCase();
-          if (i > 2) username += i;
-          usernameValid = await this.isValidUsername(ctx, username);
-        } while (usernameValid);
-      }
+        } while (!usernameValid);
+      } else throw new Error('you must provide at least a username or an email address');
 
       return await this._create(ctx, {
+        ...rest,
         uuid,
         username,
         email,
@@ -85,21 +93,92 @@ module.exports = {
       const accounts = await this._find(ctx, { query: { webId } });
       return accounts.length > 0 ? accounts[0] : null;
     },
+    async findByEmail(ctx) {
+      const { email } = ctx.params;
+      const accounts = await this._find(ctx, { query: { email } });
+      return accounts.length > 0 ? accounts[0] : null;
+    },
     async setPassword(ctx) {
       const { webId, password } = ctx.params;
       const hashedPassword = await this.hashPassword(password);
       const account = await ctx.call('auth.account.findByWebId', { webId });
 
       return await this._update(ctx, {
-        '@id': account.id,
+        '@id': account['@id'],
         hashedPassword
       });
+    },
+    async setNewPassword(ctx) {
+      const { webId, token, password } = ctx.params;
+      const hashedPassword = await this.hashPassword(password);
+      const account = await ctx.call('auth.account.findByWebId', { webId });
+
+      if (account.resetPasswordToken !== token) {
+        throw new Error('auth.password.invalid_reset_token');
+      }
+
+      return await this._update(ctx, {
+        '@id': account['@id'],
+        hashedPassword,
+        resetPasswordToken: undefined
+      });
+    },
+    async generateResetPasswordToken(ctx) {
+      const { webId } = ctx.params;
+      const resetPasswordToken = await this.generateResetPasswordToken();
+      const account = await ctx.call('auth.account.findByWebId', { webId });
+
+      await this._update(ctx, {
+        '@id': account['@id'],
+        resetPasswordToken
+      });
+
+      return resetPasswordToken;
+    },
+    async findSettingsByWebId(ctx) {
+      const { webId } = ctx.meta;
+      const account = await ctx.call('auth.account.findByWebId', { webId });
+
+      return {
+        email: account['email'],
+        preferredLocale: account['preferredLocale']
+      };
+    },
+    async updateAccountSettings(ctx) {
+      const { currentPassword, email, newPassword } = ctx.params;
+      const { webId } = ctx.meta;
+      const account = await ctx.call('auth.account.findByWebId', { webId });
+      const passwordMatch = await this.comparePassword(currentPassword, account.hashedPassword);
+      let params = {};
+
+      if (!passwordMatch) {
+        throw new Error('auth.account.invalid_password');
+      }
+
+      if (newPassword) {
+        const hashedPassword = await this.hashPassword(newPassword);
+        params = { ...params, hashedPassword };
+      }
+
+      if (email !== account['email']) {
+        const existing = await ctx.call('auth.account.findByEmail', { email });
+        if (existing) {
+          throw new Error('email.already.exists');
+        }
+
+        params = { ...params, email };
+      }
+
+      return await this._update(ctx, {
+        '@id': account['@id'],
+        ...params
+      });
     }
   },
   methods: {
     async isValidUsername(ctx, username) {
       // Ensure the username has no space or special characters
-      if (!/^[a-z0-9\-_.]+$/.exec(username)) {
+      if (!/^[a-z0-9\-+_.]+$/.exec(username)) {
         throw new Error('username.invalid');
       }
 
@@ -108,11 +187,13 @@ module.exports = {
         throw new Error('username.already.exists');
       }
 
-      // Ensure email or username doesn't already exist
+      // Ensure username doesn't already exist
       const usernameExists = await ctx.call('auth.account.usernameExists', { username });
       if (usernameExists) {
         throw new Error('username.already.exists');
       }
+
+      return true;
     },
     async hashPassword(password) {
       return new Promise((resolve, reject) => {
@@ -135,6 +216,16 @@ module.exports = {
           }
         });
       });
+    },
+    async generateResetPasswordToken() {
+      return new Promise(resolve => {
+        crypto.randomBytes(32, function(ex, buf) {
+          if (ex) {
+            reject(ex);
+          }
+          resolve(buf.toString('hex'));
+        });
+      });
     }
   }
 };

package/services/auth.local.js

@@ -2,6 +2,7 @@ const { Strategy } = require('passport-local');
 const AuthMixin = require('../mixins/auth');
 const sendToken = require('../middlewares/sendToken');
 const { MoleculerError } = require('moleculer').Errors;
+const AuthMailService = require('../services/mail');
 
 const AuthLocalService = {
   name: 'auth',
@@ -11,18 +12,43 @@ const AuthLocalService = {
     jwtPath: null,
     registrationAllowed: true,
     reservedUsernames: [],
-    webIdSelection: []
+    webIdSelection: [],
+    accountSelection: [],
+    mail: {
+      from: null,
+      transport: {
+        host: null,
+        port: null
+      },
+      defaults: {
+        locale: null,
+        frontUrl: null
+      }
+    }
   },
-  created() {
+  async created() {
+    const { mail } = this.settings;
+
     this.passportId = 'local';
+
+    await this.broker.createService(AuthMailService, {
+      settings: {
+        ...mail
+      }
+    });
   },
   actions: {
     async signup(ctx) {
-      const { username, email, password, ...otherData } = ctx.params;
+      const { username, email, password, ...rest } = ctx.params;
 
-      let accountData = await ctx.call('auth.account.create', { username, email, password });
+      let accountData = await ctx.call('auth.account.create', {
+        username,
+        email,
+        password,
+        ...this.pickAccountData(rest)
+      });
 
-      const profileData = { nick: username, email, ...otherData };
+      const profileData = { nick: username, email, ...rest };
       const webId = await ctx.call('webid.create', this.pickWebIdData(profileData));
 
       // Link the webId with the account
@@ -44,6 +70,33 @@ const AuthLocalService = {
       const token = await ctx.call('auth.jwt.generateToken', { payload: { webId: accountData.webId } });
 
       return { token, webId: accountData.webId, newUser: true };
+    },
+    async resetPassword(ctx) {
+      const { email } = ctx.params;
+
+      const account = await ctx.call('auth.account.findByEmail', { email });
+
+      if (!account) {
+        throw new Error('email.not.exists');
+      }
+
+      const token = await ctx.call('auth.account.generateResetPasswordToken', { webId: account.webId });
+
+      await ctx.call('auth.mail.sendResetPasswordEmail', {
+        account,
+        token
+      });
+    },
+    async setNewPassword(ctx) {
+      const { email, token, password } = ctx.params;
+
+      const account = await ctx.call('auth.account.findByEmail', { email });
+
+      if (!account) {
+        throw new Error('email.not.exists');
+      }
+
+      await ctx.call('auth.account.setNewPassword', { webId: account.webId, token, password });
     }
   },
   methods: {
@@ -83,11 +136,35 @@ const AuthLocalService = {
         }
       };
 
+      const resetPasswordRoute = {
+        path: '/auth/reset_password',
+        aliases: {
+          'POST /': 'auth.resetPassword'
+        }
+      };
+      const setNewPasswordRoute = {
+        path: '/auth/new_password',
+        aliases: {
+          'POST /': 'auth.setNewPassword'
+        }
+      };
+
+      const accountSettingsRoute = {
+        path: '/auth/account',
+        aliases: {
+          'GET /': 'auth.account.findSettingsByWebId',
+          'POST /': 'auth.account.updateAccountSettings'
+        },
+        authorization: true
+      };
+
+      const routes = [loginRoute, resetPasswordRoute, setNewPasswordRoute, accountSettingsRoute];
+
       if (this.settings.registrationAllowed) {
-        return [loginRoute, signupRoute];
-      } else {
-        return [loginRoute];
+        return [...routes, signupRoute];
       }
+
+      return routes;
     }
   }
 };

package/services/auth.oidc.js

@@ -1,5 +1,8 @@
 const urlJoin = require('url-join');
-const { Issuer, Strategy } = require('openid-client');
+const { Issuer, Strategy, custom } = require('openid-client');
+custom.setHttpOptionsDefaults({
+  timeout: 10000
+});
 const AuthSSOMixin = require('../mixins/auth.sso');
 
 const AuthOIDCService = {
@@ -21,11 +24,12 @@ const AuthOIDCService = {
   },
   async created() {
     this.passportId = 'oidc';
-    this.issuer = await Issuer.discover(this.settings.issuer);
   },
   methods: {
-    getStrategy() {
-      const client = new this.issuer.Client({
+    async getStrategy() {
+      const issuer = await Issuer.discover(this.settings.issuer);
+
+      const client = new issuer.Client({
         client_id: this.settings.clientId,
         client_secret: this.settings.clientSecret,
         redirect_uri: urlJoin(this.settings.baseUrl, 'auth'),

package/services/jwt.js

@@ -14,6 +14,9 @@ module.exports = {
 
     if (!fs.existsSync(privateKeyPath) && !fs.existsSync(publicKeyPath)) {
       console.log('JWT keypair not found, generating...');
+      if (!fs.existsSync(this.settings.jwtPath)) {
+        fs.mkdirSync(this.settings.jwtPath);
+      }
       await this.actions.generateKeyPair({ privateKeyPath, publicKeyPath });
     }
 

package/services/mail.js

@@ -0,0 +1,49 @@
+const MailService = require('moleculer-mail');
+const path = require('path');
+
+module.exports = {
+  name: 'auth.mail',
+  mixins: [MailService],
+  settings: {
+    defaults: {
+      locale: 'en',
+      frontUrl: null
+    },
+    templateFolder: path.join(__dirname, '../templates'),
+    from: null,
+    transport: null
+  },
+  actions: {
+    async sendResetPasswordEmail(ctx) {
+      const { account, token } = ctx.params;
+
+      await this.actions.send(
+        {
+          to: account.email,
+          template: 'reset-password',
+          locale: this.getTemplateLocale(account.preferredLocale || this.settings.defaults.locale),
+          data: {
+            account,
+            token,
+            frontUrl: account.preferredFrontUrl || this.settings.defaults.frontUrl
+          }
+        },
+        {
+          parentCtx: ctx
+        }
+      );
+    }
+  },
+  methods: {
+    getTemplateLocale(userLocale) {
+      switch (userLocale) {
+        case 'fr':
+          return 'fr-FR';
+        case 'en':
+          return 'en-EN';
+        default:
+          return 'en-EN';
+      }
+    }
+  }
+};

package/services/migration.js

@@ -1,4 +1,5 @@
 const { MIME_TYPES } = require('@semapps/mime-types');
+const { getSlugFromUri } = require('@semapps/ldp');
 
 module.exports = {
   name: 'auth.migration',
@@ -13,7 +14,7 @@ module.exports = {
           try {
             await ctx.call('auth.account.create', {
               email: user[emailPredicate],
-              username: user[usernamePredicate],
+              username: usernamePredicate ? user[usernamePredicate] : getSlugFromUri(user.id),
               webId: user.id
             });
           } catch (e) {

package/templates/reset-password/en-EN/subject.hbs

@@ -0,0 +1 @@
+Password reset for {{account.username}} account

package/templates/reset-password/en-EN/text.hbs

@@ -0,0 +1,7 @@
+Hello {{account.username}},
+
+In order to reset your password, please click on the link below:
+
+{{frontUrl}}/login?new_password=true&token={{token}}
+
+If you did not request a password reset, please ignore this message.

package/templates/reset-password/fr-FR/subject.hbs

@@ -0,0 +1 @@
+Réinitialisation du mot de passe du compte {{account.username}}

package/templates/reset-password/fr-FR/text.hbs

@@ -0,0 +1,7 @@
+Bonjour {{account.username}},
+
+Pour réinitialiser votre mot de passe, veuillez cliquer sur le lien ci-dessous:
+
+{{frontUrl}}/login?new_password=true&token={{token}}
+
+Si vous n'avez pas fait une telle demande, vous pouvez ignorer ce message.