@spinajs/rbac-http-user 2.0.372 → 2.0.374

package/lib/cjs/controllers/TwoFactorAuthController.js

@@ -1,57 +1,82 @@
-// import { TokenDto } from './../dto/token-dto.js';
-// import { BaseController, BasePath, Cookie, Ok, Post, Unauthorized } from '@spinajs/http';
-// import { ISession, SessionProvider, User as UserModel, _user_ev, _user_update} from '@spinajs/rbac';
-// import { Session } from "@spinajs/rbac-http";
-// import { Body, Policy } from '@spinajs/http';
-// import _ from 'lodash';
-// import { User } from '../decorators.js';
-// import { TwoFacRouteEnabled } from '../policies/2FaPolicy.js';
-// import { AutoinjectService, _service } from '@spinajs/configuration';
-// import { TwoFactorAuthProvider } from '../interfaces.js';
-// import { DateTime } from 'luxon';
-// import { UserLoginSuccess } from '../events/UserLoginSuccess.js';
-// import { Autoinject } from '@spinajs/di';
-// import { QueueService } from '@spinajs/queue';
-// import { _chain, _check_arg, _non_empty, _non_null, _tap, _trim, _use } from '@spinajs/util';
-// import { User2FaPassed } from '../events/User2FaPassed.js';
-// export async function auth2Fa(user: User, token: string) {
-//   user = _check_arg(_non_null())(user, 'user');
-//   token = _check_arg(_trim(), _non_empty)(token, 'token');
-//   return _chain(
-//     _use(_service<TwoFactorAuthProvider>('rbac.twoFactorAuth'), 'twoFa'),
-//     _tap(async ({ twoFa }: { twoFa: TwoFactorAuthProvider }) => {
-//       await twoFa.verifyToken(token, user);
-//     }),
-//     _user_update({
-//       LastLoginAt: DateTime.now()
-//     }),
-//     _user_ev(User2FaPassed)
-//   );
-// }
-// @BasePath('user/auth')
-// @Policy(TwoFacRouteEnabled)
-// export class TwoFactorAuthController extends BaseController {
-//   @Autoinject(QueueService)
-//   protected Queue: QueueService;
-//   @AutoinjectService('rbac.session')
-//   protected SessionProvider: SessionProvider;
-//   @AutoinjectService('rbac.twoFactorAuth')
-//   protected TwoFactorAuthProvider: TwoFactorAuthProvider;
-//   @Post('2fa/verify')
-//   public async verifyToken(@User() logged: UserModel, @Body() token: TokenDto, @Session() session : ISession) {
-//     const result = await this.TwoFactorAuthProvider.verifyToken(token.Token, logged);
-//     if (result) {
-//       return new Unauthorized(`invalid token`);
-//     }
-//     logged.LastLoginAt = DateTime.now();
-//     await logged.update();
-//     await this.Queue.emit(new UserLoginSuccess(logged.Uuid));
-//     await this.SessionProvider.save(ssid, {
-//       Authorized: true,
-//       TwoFactorAuth_check: true,
-//     });
-//     // return user data
-//     return new Ok(logged.dehydrate());
-//   }
-// }
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TwoFactorAuthController = void 0;
+const token_dto_js_1 = require("./../dto/token-dto.js");
+const http_1 = require("@spinajs/http");
+const rbac_1 = require("@spinajs/rbac");
+const rbac_http_1 = require("@spinajs/rbac-http");
+const http_2 = require("@spinajs/http");
+const _2FaPolicy_js_1 = require("../policies/2FaPolicy.js");
+const configuration_1 = require("@spinajs/configuration");
+const di_1 = require("@spinajs/di");
+const queue_1 = require("@spinajs/queue");
+const rbac_http_2 = require("@spinajs/rbac-http");
+const _2fa_js_1 = require("./../actions/2fa.js");
+let TwoFactorAuthController = class TwoFactorAuthController extends http_1.BaseController {
+    async verifyToken(logged, token, session) {
+        try {
+            await (0, _2fa_js_1.auth2Fa)(logged, token.Token);
+            // 2fa complete, mark as authorized
+            // fron now on user is considered authorized
+            session.Data.set('Authorized', true);
+            session.Data.delete('TwoFactorAuth');
+            await this.SessionProvider.save(session);
+            this._log.trace('User logged in, 2fa authorized', {
+                Uuid: logged.Uuid
+            });
+            const grants = this.AC.getGrants();
+            const userGrants = logged.Role.map(r => (0, rbac_1._unwindGrants)(r, grants));
+            const combinedGrants = Object.assign({}, ...userGrants);
+            return new http_1.Ok({
+                ...logged.dehydrateWithRelations({
+                    dateTimeFormat: "iso"
+                }),
+                Grants: combinedGrants,
+            });
+        }
+        catch (err) {
+            this._log.error(err);
+            return new http_1.Unauthorized({
+                error: {
+                    code: 'E_2FA_FAILED',
+                    message: '2fa check failed',
+                },
+            });
+        }
+    }
+};
+exports.TwoFactorAuthController = TwoFactorAuthController;
+__decorate([
+    (0, di_1.Autoinject)(queue_1.QueueService),
+    __metadata("design:type", queue_1.QueueService)
+], TwoFactorAuthController.prototype, "Queue", void 0);
+__decorate([
+    (0, configuration_1.AutoinjectService)('rbac.session'),
+    __metadata("design:type", rbac_1.SessionProvider)
+], TwoFactorAuthController.prototype, "SessionProvider", void 0);
+__decorate([
+    (0, http_1.Post)('2fa/verify'),
+    __param(0, (0, rbac_http_2.User)()),
+    __param(1, (0, http_2.Body)()),
+    __param(2, (0, rbac_http_1.Session)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [rbac_1.User, token_dto_js_1.TokenDto, Object]),
+    __metadata("design:returntype", Promise)
+], TwoFactorAuthController.prototype, "verifyToken", null);
+exports.TwoFactorAuthController = TwoFactorAuthController = __decorate([
+    (0, http_1.BasePath)('user/auth'),
+    (0, http_2.Policy)(_2FaPolicy_js_1.TwoFacRouteEnabled)
+], TwoFactorAuthController);
 //# sourceMappingURL=TwoFactorAuthController.js.map

package/lib/cjs/controllers/TwoFactorAuthController.js.map

@@ -1 +1 @@
-{"version":3,"file":"TwoFactorAuthController.js","sourceRoot":"","sources":["../../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,4FAA4F;AAC5F,uGAAuG;AACvG,gDAAgD;AAChD,gDAAgD;AAChD,0BAA0B;AAC1B,2CAA2C;AAC3C,iEAAiE;AACjE,wEAAwE;AACxE,4DAA4D;AAC5D,oCAAoC;AACpC,oEAAoE;AACpE,4CAA4C;AAC5C,iDAAiD;AACjD,gGAAgG;AAChG,8DAA8D;AAE9D,6DAA6D;AAC7D,kDAAkD;AAClD,6DAA6D;AAE7D,mBAAmB;AACnB,4EAA4E;AAC5E,oEAAoE;AACpE,8CAA8C;AAC9C,UAAU;AACV,qBAAqB;AACrB,oCAAoC;AACpC,UAAU;AACV,8BAA8B;AAC9B,OAAO;AACP,IAAI;AAEJ,yBAAyB;AACzB,8BAA8B;AAC9B,gEAAgE;AAChE,8BAA8B;AAC9B,mCAAmC;AAEnC,uCAAuC;AACvC,gDAAgD;AAEhD,6CAA6C;AAC7C,4DAA4D;AAE5D,wBAAwB;AACxB,kHAAkH;AAClH,wFAAwF;AAExF,oBAAoB;AACpB,kDAAkD;AAClD,QAAQ;AAER,2CAA2C;AAC3C,6BAA6B;AAE7B,gEAAgE;AAEhE,8CAA8C;AAC9C,0BAA0B;AAC1B,mCAAmC;AACnC,UAAU;AAEV,0BAA0B;AAC1B,yCAAyC;AACzC,MAAM;AACN,IAAI"}
+{"version":3,"file":"TwoFactorAuthController.js","sourceRoot":"","sources":["../../../src/controllers/TwoFactorAuthController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAAiD;AACjD,wCAAiF;AACjF,wCAAoH;AACpH,kDAA6C;AAC7C,wCAA6C;AAE7C,4DAA8D;AAC9D,0DAAqE;AACrE,oCAAyC;AACzC,0CAA8C;AAE9C,kDAA0C;AAC1C,iDAA8C;AAIvC,IAAM,uBAAuB,GAA7B,MAAM,uBAAwB,SAAQ,qBAAc;IAQ1C,AAAN,KAAK,CAAC,WAAW,CAAS,MAAiB,EAAU,KAAe,EAAa,OAAiB;QAErG,IAAI,CAAC;YACD,MAAM,IAAA,iBAAO,EAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAEnC,mCAAmC;YACnC,4CAA4C;YAC5C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YACrC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEzC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,gCAAgC,EAAE;gBAC9C,IAAI,EAAE,MAAM,CAAC,IAAI;aACpB,CAAC,CAAC;YAGH,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;YACnC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,oBAAa,EAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;YAClE,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,UAAU,CAAC,CAAC;YAGxD,OAAO,IAAI,SAAE,CAAC;gBACV,GAAG,MAAM,CAAC,sBAAsB,CAAC;oBAC7B,cAAc,EAAE,KAAK;iBACxB,CAAC;gBACF,MAAM,EAAE,cAAc;aACzB,CAAC,CAAC;QACP,CAAC;QACD,OAAO,GAAG,EAAE,CAAC;YACT,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErB,OAAO,IAAI,mBAAY,CAAC;gBACpB,KAAK,EAAE;oBACH,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,kBAAkB;iBAC9B;aACJ,CAAC,CAAC;QACP,CAAC;IACL,CAAC;CACJ,CAAA;AA/CY,0DAAuB;AAEtB;IADT,IAAA,eAAU,EAAC,oBAAY,CAAC;8BACR,oBAAY;sDAAC;AAGpB;IADT,IAAA,iCAAiB,EAAC,cAAc,CAAC;8BACP,sBAAe;gEAAC;AAG9B;IADZ,IAAA,WAAI,EAAC,YAAY,CAAC;IACO,WAAA,IAAA,gBAAI,GAAE,CAAA;IAAqB,WAAA,IAAA,WAAI,GAAE,CAAA;IAAmB,WAAA,IAAA,mBAAO,GAAE,CAAA;;qCAA9C,WAAS,EAAiB,uBAAQ;;0DAsC1E;kCA9CQ,uBAAuB;IAFnC,IAAA,eAAQ,EAAC,WAAW,CAAC;IACrB,IAAA,aAAM,EAAC,kCAAkB,CAAC;GACd,uBAAuB,CA+CnC"}

package/lib/cjs/policies/2FaPolicy.d.ts

@@ -1,8 +1,8 @@
-import { BasePolicy } from '@spinajs/http';
+import { BasePolicy, Request as sRequest } from '@spinajs/http';
 import { TwoFactorAuthConfig } from '@spinajs/rbac-http';
 export declare class TwoFacRouteEnabled extends BasePolicy {
     protected TwoFactorConfig: TwoFactorAuthConfig;
     isEnabled(): boolean;
-    execute(): Promise<void>;
+    execute(req: sRequest): Promise<void>;
 }
 //# sourceMappingURL=2FaPolicy.d.ts.map

package/lib/cjs/policies/2FaPolicy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"2FaPolicy.d.ts","sourceRoot":"","sources":["../../../src/policies/2FaPolicy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,qBAAa,kBAAmB,SAAQ,UAAU;IAEhD,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC;IAExC,SAAS,IAAI,OAAO;IAGpB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAOhC"}
+{"version":3,"file":"2FaPolicy.d.ts","sourceRoot":"","sources":["../../../src/policies/2FaPolicy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGzD,qBAAa,kBAAmB,SAAQ,UAAU;IAEhD,SAAS,CAAC,eAAe,EAAE,mBAAmB,CAAC;IAExC,SAAS,IAAI,OAAO;IAGpB,OAAO,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAe7C"}

package/lib/cjs/policies/2FaPolicy.js

@@ -13,14 +13,21 @@ exports.TwoFacRouteEnabled = void 0;
 const exceptions_1 = require("@spinajs/exceptions");
 const configuration_1 = require("@spinajs/configuration");
 const http_1 = require("@spinajs/http");
+const exceptions_2 = require("@spinajs/exceptions");
 class TwoFacRouteEnabled extends http_1.BasePolicy {
     isEnabled() {
         return true;
     }
-    execute() {
+    execute(req) {
         if (this.TwoFactorConfig.enabled === false) {
             throw new exceptions_1.InvalidOperation('2 factor auth is not enabled');
         }
+        /**
+         * Check only if user passed login page and waiting for TwoFactorAuth
+         */
+        if (!req.storage || !req.storage.User || !req.storage.Session?.Data.get('TwoFactorAuth')) {
+            throw new exceptions_2.AuthenticationFailed('user not logged');
+        }
         return Promise.resolve();
     }
 }

package/lib/cjs/policies/2FaPolicy.js.map

@@ -1 +1 @@
-{"version":3,"file":"2FaPolicy.js","sourceRoot":"","sources":["../../../src/policies/2FaPolicy.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAAuD;AACvD,0DAAgD;AAChD,wCAA2C;AAG3C,MAAa,kBAAmB,SAAQ,iBAAU;IAIzC,SAAS;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IACM,OAAO;QACZ,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC3C,MAAM,IAAI,6BAAgB,CAAC,8BAA8B,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;CACF;AAdD,gDAcC;AAZW;IADT,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;2DACkB"}
+{"version":3,"file":"2FaPolicy.js","sourceRoot":"","sources":["../../../src/policies/2FaPolicy.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,oDAAuD;AACvD,0DAAgD;AAChD,wCAAgE;AAEhE,oDAA2D;AAE3D,MAAa,kBAAmB,SAAQ,iBAAU;IAIzC,SAAS;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IACM,OAAO,CAAC,GAAa;QAC1B,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC3C,MAAM,IAAI,6BAAgB,CAAC,8BAA8B,CAAC,CAAC;QAC7D,CAAC;QAED;;WAEG;QACH,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;YACzF,MAAM,IAAI,iCAAoB,CAAC,iBAAiB,CAAC,CAAC;QACpD,CAAC;QAGD,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;CACF;AAtBD,gDAsBC;AApBW;IADT,IAAA,sBAAM,EAAC,oBAAoB,CAAC;;2DACkB"}

package/lib/mjs/2fa/Default2FaToken.d.ts

@@ -0,0 +1,20 @@
+import { User } from '@spinajs/rbac';
+import { Log } from '@spinajs/log';
+import { TwoFactorAuthProvider } from "@spinajs/rbac-http";
+export declare enum TWO_FA_METATADATA_KEYS {
+    TOKEN = "2fa:token",
+    ENABLED = "2fa:enabled"
+}
+export declare class Default2FaToken extends TwoFactorAuthProvider {
+    protected Config: any;
+    protected Log: Log;
+    constructor();
+    private _getOTP;
+    execute(_: User): Promise<void>;
+    verifyToken(token: string, user: User): Promise<boolean>;
+    initialize(user: User): Promise<any>;
+    getOtpAuthUrl(user: User): Promise<string | null>;
+    isEnabled(user: User): Promise<boolean>;
+    isInitialized(user: User): Promise<boolean>;
+}
+//# sourceMappingURL=Default2FaToken.d.ts.map

package/lib/mjs/2fa/Default2FaToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Default2FaToken.d.ts","sourceRoot":"","sources":["../../../src/2fa/Default2FaToken.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAErC,OAAO,EAAE,GAAG,EAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAG3D,oBAAY,sBAAsB;IAC9B,KAAK,cAAc;IACnB,OAAO,gBAAgB;CAC1B;AAED,qBACa,eAAgB,SAAQ,qBAAqB;IAEtD,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC;IAGtB,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC;;IAMnB,OAAO,CAAC,OAAO;IAYR,OAAO,CAAC,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBxD,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC;IAiBpC,aAAa,CAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAYlD,SAAS,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvC,aAAa,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;CAI3D"}

package/lib/mjs/2fa/Default2FaToken.js

@@ -0,0 +1,96 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Injectable } from '@spinajs/di';
+import { Config } from '@spinajs/configuration';
+import { Log, Logger } from '@spinajs/log';
+import { TwoFactorAuthProvider } from "@spinajs/rbac-http";
+import * as OTPAuth from "otpauth";
+export var TWO_FA_METATADATA_KEYS;
+(function (TWO_FA_METATADATA_KEYS) {
+    TWO_FA_METATADATA_KEYS["TOKEN"] = "2fa:token";
+    TWO_FA_METATADATA_KEYS["ENABLED"] = "2fa:enabled";
+})(TWO_FA_METATADATA_KEYS || (TWO_FA_METATADATA_KEYS = {}));
+let Default2FaToken = class Default2FaToken extends TwoFactorAuthProvider {
+    constructor() {
+        super();
+    }
+    _getOTP(user, secret) {
+        return new OTPAuth.TOTP({
+            issuer: this.Config.issuer,
+            label: user.Email,
+            algorithm: this.Config.algorithm,
+            digits: this.Config.digits,
+            period: this.Config.period,
+            secret: OTPAuth.Secret.fromBase32(secret),
+        });
+    }
+    execute(_) {
+        // empty, speakasy works offline eg. google authenticator
+        // we dont send any email or sms
+        return Promise.resolve();
+    }
+    async verifyToken(token, user) {
+        const twoFaToken = user.Metadata[TWO_FA_METATADATA_KEYS.TOKEN];
+        if (!twoFaToken) {
+            this.Log.trace(`Cannot verify 2fa token, no 2fa token for user ${user.Id}`);
+            return false;
+        }
+        const totp = this._getOTP(user, twoFaToken);
+        const verified = totp.validate({
+            token: token,
+            window: this.Config.window,
+        });
+        return verified == null;
+    }
+    async initialize(user) {
+        const secret = new OTPAuth.Secret({ size: this.Config.secretSize });
+        const totp = this._getOTP(user, secret.base32);
+        user.Metadata[TWO_FA_METATADATA_KEYS.TOKEN] = secret.base32;
+        await user.Metadata.sync();
+        this.Log.trace(`2fa token initialized for user ${user.Id}`, {
+            userId: user.Id,
+        });
+        /**
+         * returns: `otpauth://totp/ACME:Alice?issuer=ACME&secret=US3WHSG7X5KAPV27VANWKQHF3SH3HULL&algorithm=SHA1&digits=6&period=30`
+         */
+        return totp.toString();
+    }
+    async getOtpAuthUrl(user) {
+        const token = user.Metadata[TWO_FA_METATADATA_KEYS.TOKEN];
+        if (!token) {
+            this.Log.trace(`Cannot get 2fa auth url, no 2fa token for user ${user.Id}`);
+            return null;
+        }
+        const totp = this._getOTP(user, token);
+        return totp.toString();
+    }
+    async isEnabled(user) {
+        const val = await user.Metadata[TWO_FA_METATADATA_KEYS.ENABLED];
+        return val;
+    }
+    async isInitialized(user) {
+        const token = user.Metadata[TWO_FA_METATADATA_KEYS.TOKEN];
+        return token !== null && token !== undefined && token !== '';
+    }
+};
+__decorate([
+    Config('rbac.otpauth'),
+    __metadata("design:type", Object)
+], Default2FaToken.prototype, "Config", void 0);
+__decorate([
+    Logger('2fa-token'),
+    __metadata("design:type", Log)
+], Default2FaToken.prototype, "Log", void 0);
+Default2FaToken = __decorate([
+    Injectable(TwoFactorAuthProvider),
+    __metadata("design:paramtypes", [])
+], Default2FaToken);
+export { Default2FaToken };
+//# sourceMappingURL=Default2FaToken.js.map

package/lib/mjs/2fa/Default2FaToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Default2FaToken.js","sourceRoot":"","sources":["../../../src/2fa/Default2FaToken.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,KAAK,OAAO,MAAM,SAAS,CAAC;AAEnC,MAAM,CAAN,IAAY,sBAGX;AAHD,WAAY,sBAAsB;IAC9B,6CAAmB,CAAA;IACnB,iDAAuB,CAAA;AAC3B,CAAC,EAHW,sBAAsB,KAAtB,sBAAsB,QAGjC;AAGM,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,qBAAqB;IAOtD;QACI,KAAK,EAAE,CAAC;IACZ,CAAC;IAEO,OAAO,CAAC,IAAW,EAAE,MAAc;QACrC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;YACtB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;SAC5C,CAAC,CAAC;IAEP,CAAC;IAEM,OAAO,CAAC,CAAO;QAClB,yDAAyD;QACzD,gCAAgC;QAChC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,IAAU;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAE/D,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC3B,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;SAC7B,CAAC,CAAC;QAEH,OAAO,QAAS,IAAI,IAAI,CAAC;IAC7B,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAC9B,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5D,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE3B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kCAAkC,IAAI,CAAC,EAAE,EAAE,EAAE;YACxD,MAAM,EAAE,IAAI,CAAC,EAAE;SAClB,CAAC,CAAC;QAEH;;WAEG;QACH,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC;IAEM,KAAK,CAAC,aAAa,CAAE,IAAU;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,kDAAkD,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5E,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,IAAU;QAC7B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,GAAc,CAAC;IAC1B,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAU;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,OAAO,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE,CAAC;IACjE,CAAC;CACJ,CAAA;AAlFa;IADT,MAAM,CAAC,cAAc,CAAC;;+CACD;AAGZ;IADT,MAAM,CAAC,WAAW,CAAC;8BACL,GAAG;4CAAC;AALV,eAAe;IAD3B,UAAU,CAAC,qBAAqB,CAAC;;GACrB,eAAe,CAoF3B"}

package/lib/mjs/actions/2fa.d.ts

@@ -0,0 +1,11 @@
+import { User } from '@spinajs/rbac';
+/**
+ *
+ * Verify 2fa token for user
+ *
+ * @param user
+ * @param token
+ * @returns
+ */
+export declare function auth2Fa(identifier: number | string | User, token: string): Promise<unknown>;
+//# sourceMappingURL=2fa.d.ts.map

package/lib/mjs/actions/2fa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"2fa.d.ts","sourceRoot":"","sources":["../../../src/actions/2fa.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAwC,MAAM,eAAe,CAAC;AAU3E;;;;;;;GAOG;AACH,wBAAsB,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,EAAE,KAAK,EAAE,MAAM,oBAwB9E"}

package/lib/mjs/actions/2fa.js

@@ -0,0 +1,30 @@
+import { _user_ev, _user_unsafe, _user_update } from '@spinajs/rbac';
+import { _service } from '@spinajs/configuration';
+import { DateTime } from 'luxon';
+import { _chain, _check_arg, _non_empty, _trim, _catch } from '@spinajs/util';
+import { User2FaPassed } from '../events/User2FaPassed.js';
+import { TwoFactorAuthProvider } from '@spinajs/rbac-http';
+import { UserLoginFailed } from '@spinajs/rbac';
+/**
+ *
+ * Verify 2fa token for user
+ *
+ * @param user
+ * @param token
+ * @returns
+ */
+export async function auth2Fa(identifier, token) {
+    token = _check_arg(_trim(), _non_empty)(token, 'token');
+    return _chain(_user_unsafe(identifier), _catch((u) => {
+        return _chain(_service('rbac.twoFactorAuth', TwoFactorAuthProvider), async (twoFa) => twoFa.verifyToken(token, u), _user_update({ LastLoginAt: DateTime.now() }), _user_ev(User2FaPassed));
+    }, (err, u) => {
+        return _chain(() => u, 
+        // send event of failed login
+        _user_ev(UserLoginFailed, err), 
+        // rethrow error for caller
+        () => {
+            throw err;
+        });
+    }));
+}
+//# sourceMappingURL=2fa.js.map

package/lib/mjs/actions/2fa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"2fa.js","sourceRoot":"","sources":["../../../src/actions/2fa.ts"],"names":[],"mappings":"AAAA,OAAO,EAAQ,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE3E,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAmB,KAAK,EAAQ,MAAM,EAAE,MAAM,eAAe,CAAC;AACrG,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGhD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,UAAkC,EAAE,KAAa;IAC3E,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,EAAE,UAAU,CAAC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAExD,OAAO,MAAM,CACT,YAAY,CAAC,UAAU,CAAC,EACxB,MAAM,CACF,CAAC,CAAO,EAAE,EAAE;QACR,OAAO,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,qBAAqB,CAAC,EAAE,KAAK,EAAE,KAA4B,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,YAAY,CAAC,EAAE,WAAW,EAAE,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC;IACtN,CAAC,EACD,CAAC,GAAG,EAAE,CAAO,EAAE,EAAE;QACb,OAAO,MAAM,CACT,GAAG,EAAE,CAAC,CAAC;QAEP,6BAA6B;QAC7B,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC;QAE9B,2BAA2B;QAC3B,GAAG,EAAE;YACD,MAAM,GAAG,CAAC;QACd,CAAC,CACJ,CAAC;IACN,CAAC,CACJ,CACJ,CAAC;AACN,CAAC"}

package/lib/mjs/config/rbac-http.d.ts

@@ -7,6 +7,19 @@ declare const rbacHttp: {
         };
     };
     rbac: {
+        otpauth: {
+            /**
+             * change this to your app name, it will be used as issuer in otpauth token
+             */
+            issuer: string;
+            /**
+             * recommended defaults for rest
+             */
+            algorithm: string;
+            digits: number;
+            period: number;
+            window: number;
+        };
         twoFactorAuth: {
             enabled: boolean;
             service: string;

package/lib/mjs/config/rbac-http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rbac-http.d.ts","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":"AAQA,QAAA,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;YA2BR;;eAEG;;;QAGL;;WAEG;;;;CAQN,CAAC;AAEF,eAAe,QAAQ,CAAC"}
+{"version":3,"file":"rbac-http.d.ts","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":"AAQA,QAAA,MAAM,QAAQ;;;;;;;;;;YAUR;;eAEG;;YAGH;;eAEG;;;;;;;;;;;;;;;;;;;;;;YAwBH;;eAEG;;;QAGL;;WAEG;;;;CAQN,CAAC;AAEF,eAAe,QAAQ,CAAC"}

package/lib/mjs/config/rbac-http.js

@@ -12,9 +12,22 @@ const rbacHttp = {
         },
     },
     rbac: {
+        otpauth: {
+            /**
+             * change this to your app name, it will be used as issuer in otpauth token
+             */
+            issuer: 'Spinajs',
+            /**
+             * recommended defaults for rest
+             */
+            algorithm: 'SHA1',
+            digits: 6,
+            period: 30,
+            window: 1,
+        },
         twoFactorAuth: {
             enabled: true,
-            service: 'SpeakEasy2FaToken',
+            service: 'Default2FaToken',
         },
         fingerprint: {
             enabled: false,

package/lib/mjs/config/rbac-http.js.map

@@ -1 +1 @@
-{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,MAAM,UAAU,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC;IACjD,OAAO,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACxI,CAAC;AAGD,MAAM,QAAQ,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACjC,OAAO,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACzB,KAAK,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;SACtB;KACF;IACD,IAAI,EAAE;QACJ,aAAa,EAAE;YACb,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,mBAAmB;SAC7B;QACD,WAAW,EAAE;YACX,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,eAAe;SACzB;QACD,OAAO,EAAC;YACN,MAAM,EAAE;gBACN,QAAQ,EAAE,KAAK;aAChB;SACF;QACD,QAAQ,EAAE;YACR,sCAAsC;YACtC,QAAQ,EAAE,EAAE;YAEZ;;eAEG;YACH,kBAAkB,EAAE,CAAC;SACtB;QACD;;WAEG;QACH,cAAc,EAAE,KAAK;KACtB;IACD,IAAI,EAAE;IACJ,iBAAiB;IACjB,+CAA+C;IAC/C,KAAK;KACN;CACF,CAAC;AAEF,eAAe,QAAQ,CAAC"}
+{"version":3,"file":"rbac-http.js","sourceRoot":"","sources":["../../../src/config/rbac-http.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEhD,SAAS,GAAG,CAAC,IAAY;IACvB,MAAM,UAAU,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC;IACjD,OAAO,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;AACxI,CAAC;AAGD,MAAM,QAAQ,GAAG;IACf,MAAM,EAAE;QACN,IAAI,EAAE;YACJ,WAAW,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACjC,OAAO,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACzB,KAAK,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;SACtB;KACF;IACD,IAAI,EAAE;QACJ,OAAO,EAAE;YACP;;eAEG;YACH,MAAM,EAAE,SAAS;YAEjB;;eAEG;YACH,SAAS,EAAE,MAAM;YACjB,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,CAAC;SACV;QACD,aAAa,EAAE;YACb,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,iBAAiB;SAC3B;QACD,WAAW,EAAE;YACX,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,eAAe;SACzB;QACD,OAAO,EAAC;YACN,MAAM,EAAE;gBACN,QAAQ,EAAE,KAAK;aAChB;SACF;QACD,QAAQ,EAAE;YACR,sCAAsC;YACtC,QAAQ,EAAE,EAAE;YAEZ;;eAEG;YACH,kBAAkB,EAAE,CAAC;SACtB;QACD;;WAEG;QACH,cAAc,EAAE,KAAK;KACtB;IACD,IAAI,EAAE;IACJ,iBAAiB;IACjB,+CAA+C;IAC/C,KAAK;KACN;CACF,CAAC;AAEF,eAAe,QAAQ,CAAC"}

package/lib/mjs/controllers/LoginController.d.ts

@@ -8,6 +8,7 @@ export declare class LoginController extends BaseController {
     protected AuthProvider: AuthProvider;
     protected SessionProvider: SessionProvider;
     protected SessionExpirationTime: number;
+    protected TwoFactorAuthEnabled: boolean;
     protected SessionCookieConfig: any;
     protected AC: AccessControl;
     login(credentials: UserLoginDto): Promise<Ok | Unauthorized>;

package/lib/mjs/controllers/LoginController.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LoginController.d.ts","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAe,YAAY,EAAU,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAqB,aAAa,EAAiB,MAAM,eAAe,CAAC;AAE/G,OAAO,EAA6B,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAGlF,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,qBACa,eAAgB,SAAQ,cAAc;IAEjD,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IAGvC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAK3C,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAGxC,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC;IAGnC,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAIf,KAAK,CAAS,WAAW,EAAE,YAAY;IAoKvC,MAAM,CAAW,IAAI,EAAE,MAAM;IA4B7B,MAAM,CAAiB,IAAI,EAAE,IAAI;CA0F/C"}
+{"version":3,"file":"LoginController.d.ts","sourceRoot":"","sources":["../../../src/controllers/LoginController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,EAAE,EAAe,YAAY,EAAU,MAAM,eAAe,CAAC;AAC5G,OAAO,EAAE,YAAY,EAAE,eAAe,EAAqB,aAAa,EAAiB,MAAM,eAAe,CAAC;AAE/G,OAAO,EAA6B,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAGlF,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,qBACa,eAAgB,SAAQ,cAAc;IAEjD,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IAGvC,SAAS,CAAC,YAAY,EAAE,YAAY,CAAC;IAGrC,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAK3C,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC;IAKxC,SAAS,CAAC,oBAAoB,EAAE,OAAO,CAAC;IAKxC,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC;IAGnC,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC;IAIf,KAAK,CAAS,WAAW,EAAE,YAAY;IA0EvC,MAAM,CAAW,IAAI,EAAE,MAAM;IA4B7B,MAAM,CAAiB,IAAI,EAAE,IAAI;CA0F/C"}