@stamhoofd/backend 1.0.0

package/src/endpoints/auth/CreateTokenEndpoint.test.ts

@@ -0,0 +1,68 @@
+import { Request } from "@simonbackx/simple-endpoints";
+import { OrganizationFactory, Token, UserFactory } from "@stamhoofd/models";
+import { Token as TokenStruct } from "@stamhoofd/structures";
+
+import { testServer } from "../../../tests/helpers/TestServer";
+import { CreateTokenEndpoint } from './CreateTokenEndpoint';
+
+describe("Endpoint.CreateToken", () => {
+    // Test endpoint
+    const endpoint = new CreateTokenEndpoint();
+
+    test("Can get a token via password flow", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        // Also check UTF8 passwords
+        const password = "54😂test👌🏾86s&é"
+        const user = await new UserFactory({ organization, password }).create()
+
+        const r = Request.buildJson("POST", "/oauth/token", organization.getApiHost(), {
+            grant_type: "password",
+            username: user.email,
+            password: password
+        });
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        if (!(response.body instanceof TokenStruct)) {
+            throw new Error("Expected TokenStruct")
+        }
+
+        // Check token is valid
+        const token = await Token.getByAccessToken(response.body.accessToken)
+        expect(token).toBeDefined()
+
+        const byRefresh = await Token.getByRefreshToken(response.body.refreshToken)
+        expect(byRefresh).toBeDefined()
+    });
+
+    test("Can get a token via refresh flow", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        // Also check UTF8 passwords
+        const password = "54😂test👌🏾86s&é"
+        const user = await new UserFactory({ organization, password }).create()
+        const token = await Token.createToken(user);
+
+        const r = Request.buildJson("POST", "/oauth/token", organization.getApiHost(), {
+            grant_type: "refresh_token",
+            refresh_token: token.refreshToken
+        });
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        if (!(response.body instanceof TokenStruct)) {
+            throw new Error("Expected TokenStruct")
+        }
+
+        expect(response.body.accessToken).not.toEqual(token.accessToken)
+        expect(response.body.refreshToken).not.toEqual(token.refreshToken)
+
+        // Check token is valid
+        const byAccess = await Token.getByAccessToken(response.body.accessToken)
+        expect(byAccess).toBeDefined()
+
+        const byRefresh = await Token.getByRefreshToken(response.body.refreshToken)
+        expect(byRefresh).toBeDefined()
+    });
+});

package/src/endpoints/auth/CreateTokenEndpoint.ts

@@ -0,0 +1,200 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { EmailVerificationCode, PasswordToken, Token, User } from '@stamhoofd/models';
+import { ChallengeGrantStruct, CreateTokenStruct, PasswordGrantStruct, PasswordTokenGrantStruct, RefreshTokenGrantStruct, RequestChallengeGrantStruct, SignupResponse, Token as TokenStruct } from '@stamhoofd/structures';
+
+import { Context } from '../../helpers/Context';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = RequestChallengeGrantStruct | ChallengeGrantStruct | RefreshTokenGrantStruct | PasswordTokenGrantStruct | PasswordGrantStruct;
+type ResponseBody = TokenStruct;
+
+export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected bodyDecoder = CreateTokenStruct;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/oauth/token", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        // TODO: add some extra brute force measurements here
+        // - add random delay here, increased by the amount of failed attempts (used to slow down). Also on a successfull comparison!
+        // - add required CAPTCHA after x failed attempts for a given username (no matter if the username exists or not)
+        // - if, even after the CAPTCHAs, the account reaches a given count of failed attempts, the account should be locked out for an hour or even a day (only login endpoint)
+        // - check if not multiple attempts for the same username are started in parallel
+        // - Limit the amount of failed attemps by IP (will only make it a bit harder)
+        // - Detect attacks on random accounts (using email list + most used passwords) and temorary require CAPTCHA on all accounts
+        const organization = await Context.setOptionalOrganizationScope()
+        
+        switch (request.body.grantType) {
+        case "refresh_token": {
+            const oldToken = await Token.getByRefreshToken(request.body.refreshToken)
+            if (!oldToken) {
+                throw new SimpleError({
+                    code: "invalid_refresh_token",
+                    message: "Invalid refresh token",
+                    statusCode: 400
+                });
+            }
+
+            if (oldToken.user.organizationId !== null && oldToken.user.organizationId !== (organization?.id ?? null)) {
+                // Invalid scope
+                throw new SimpleError({
+                    code: "invalid_refresh_token",
+                    message: "Invalid refresh token",
+                    statusCode: 400
+                });
+            }
+
+            // Important to create a new token before adjusting the old token
+            const token = await Token.createToken(oldToken.user);
+
+            // In the rare event our response doesn't reach the client anymore, we don't want the client to sign out...
+            // So we give them a second chance and create a new token BUT we expire our existing token in an hour (forever!)
+            oldToken.refreshTokenValidUntil = new Date(Date.now() + 60*60*1000)
+            oldToken.accessTokenValidUntil = new Date(Date.now() - 60 * 60 * 1000)
+
+            // Do not delete the old one, only expire it fast so it will get deleted in the future
+            await oldToken.save();
+   
+            if (!token) {
+                throw new SimpleError({
+                    code: "error",
+                    message: "Could not generate token",
+                    human: "Er ging iets mis bij het aanmelden",
+                    statusCode: 500
+                });
+            }
+
+            const st = new TokenStruct(token);
+            return new Response(st);            
+        }
+
+        case "password": {
+            // Increase timout for legacy
+            request.request.request?.setTimeout(30 * 1000);
+            const user = await User.login(organization?.id ?? null, request.body.username, request.body.password)
+
+            const errBody = {
+                code: "invalid_username_or_password",
+                message: "Invalid username or password",
+                human: "Foutief wachtwoord of onbekend emailadres",
+                statusCode: 400
+            };
+
+            if (!user) {
+                // TODO: increase counter
+                throw new SimpleError(errBody);
+            }
+
+            // Yay! Valid password
+            // Now check if e-mail is already validated
+            // if not: throw a validation error (e-mail validation is required)
+            if (!user.verified) {
+                const code = await EmailVerificationCode.createFor(user, user.email)
+                code.send(user, organization, request.i18n)
+                
+                throw new SimpleError({
+                    code: "verify_email",
+                    message: "Your email address needs verification",
+                    human: "Jouw e-mailadres is nog niet geverifieerd. Verifieer jouw e-mailadres via de link in de e-mail.",
+                    meta: SignupResponse.create({
+                        token: code.token
+                    }).encode({ version: request.request.getVersion() }),
+                    statusCode: 403
+                });
+            }
+
+            const token = await Token.createToken(user);
+            
+            if (!token) {
+                throw new SimpleError({
+                    code: "error",
+                    message: "Could not generate token",
+                    human: "Er ging iets mis bij het aanmelden",
+                    statusCode: 500
+                });
+            }
+
+            const st = new TokenStruct(token);
+            return new Response(st);      
+        }
+
+        case "password_token": {
+            const passwordToken = await PasswordToken.getToken(request.body.token)
+            if (!passwordToken) {
+                throw new SimpleError({
+                    code: "invalid_token",
+                    message: "Invalid token",
+                    human: "Deze link is ongeldig of is al vervallen. Je zal nogmaals een e-mail moeten versturen om je wachtwoord te herstellen.",
+                    statusCode: 400
+                });
+            }
+
+            // Check scope
+            if (organization && passwordToken.user.organizationId && passwordToken.user.organizationId != organization.id) {
+                // user of a different organization
+                throw new SimpleError({
+                    code: "invalid_token",
+                    message: "Invalid token",
+                    human: "Deze link is ongeldig of is al vervallen. Je zal nogmaals een e-mail moeten versturen om je wachtwoord te herstellen.",
+                    statusCode: 400
+                });
+            }
+
+            if (!organization && passwordToken.user.organizationId) {
+                // User is scoped to a single organization, while the request is not
+                throw new SimpleError({
+                    code: "invalid_token",
+                    message: "Invalid token",
+                    human: "Deze link is ongeldig of is al vervallen. Je zal nogmaals een e-mail moeten versturen om je wachtwoord te herstellen.",
+                    statusCode: 400
+                });
+            }
+
+            // Important to create a new token before adjusting the old token
+            const token = await Token.createToken(passwordToken.user);
+
+            // TODO: make token short lived until renewal
+   
+            if (!token) {
+                throw new SimpleError({
+                    code: "error",
+                    message: "Could not generate token",
+                    human: "Er ging iets mis bij het inloggen",
+                    statusCode: 500
+                });
+            }
+
+            // For now we keep the password token because the user might want to reload the page or load it on a different device/browser
+            //await passwordToken.delete();
+
+            // Verify this email address, since the user can't change its email address without being verified
+            if (!token.user.verified) {
+                token.user.verified = true
+                await token.user.save()
+            }
+
+            const st = new TokenStruct(token);
+            return new Response(st);           
+        }
+
+        default: {
+            // t should always be 'never' so we get no compiler error when this compiles
+            // if you get a compiler error here, you missed a possible value for grantType
+            throw new Error("Grant type " + request.body.grantType + " not supported");
+        }
+        }
+        
+    }
+}

package/src/endpoints/auth/DeleteTokenEndpoint.ts

@@ -0,0 +1,31 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+
+import { Context } from '../../helpers/Context';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = undefined;
+type ResponseBody = undefined;
+
+export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "DELETE") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/oauth/token", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(_: DecodedRequest<Params, Query, Body>) {
+        await Context.setOptionalOrganizationScope()
+        const {token} = await Context.authenticate({allowWithoutAccount: true})
+        await token.delete()
+        
+        return new Response(undefined)
+    }
+}

package/src/endpoints/auth/ForgotPasswordEndpoint.ts

@@ -0,0 +1,70 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { Email } from '@stamhoofd/email';
+import { PasswordToken, User } from '@stamhoofd/models';
+import { ForgotPasswordRequest } from '@stamhoofd/structures';
+
+import { Context } from '../../helpers/Context';
+
+// eslint-disable-next-line @typescript-eslint/ban-types
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = ForgotPasswordRequest;
+type ResponseBody = undefined;
+
+export class ForgotPasswordEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected bodyDecoder = ForgotPasswordRequest as Decoder<ForgotPasswordRequest>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/forgot-password", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        // for now we care more about UX, so we show a mesage if the user doesn't exist
+        const organization = await Context.setOptionalOrganizationScope()
+        const user = await User.getForAuthentication(organization?.id ?? null, request.body.email, {allowWithoutAccount: true});
+        
+        const { from, replyTo } = {
+            from: organization ? organization.getStrongEmail(request.i18n) : Email.getInternalEmailFor(request.i18n),
+            replyTo: undefined
+        }
+        const name = organization ? organization.name : request.i18n.t("shared.platformName");
+
+        if (!user) {
+            // Send email
+            Email.send({
+                from,
+                replyTo,
+                to: request.body.email,
+                subject: "["+name+"] Wachtwoord vergeten",
+                type: "transactional",
+                text: "Hallo, \n\nJe gaf aan dat je jouw wachtwoord bent vergeten, maar er bestaat geen account op het e-mailadres dat je hebt ingegeven ("+request.body.email+"). Niet zeker meer welk e-mailadres je kan gebruiken? Wij sturen altijd e-mails naar een e-mailadres waarop je een account hebt. Lukt dat niet? Dan moet je je eerst registreren.\n\nMet vriendelijke groeten,\n"+(name),
+            });
+
+            return new Response(undefined)
+        }
+
+        const recoveryUrl = await PasswordToken.getPasswordRecoveryUrl(user, organization, request.i18n)
+        
+        // Send email
+        Email.send({
+            from,
+            replyTo,
+            to: user.email,
+            subject: "Wachtwoord vergeten",
+            type: "transactional",
+            text: (user.firstName ? "Hey "+user.firstName : "Hey") + ", \n\nJe gaf aan dat je jouw wachtwoord bent vergeten. Je kan een nieuw wachtwoord instellen door op de volgende link te klikken of door deze te kopiëren in de URL-balk van je browser:\n"+recoveryUrl+"\n\nWachtwoord al teruggevonden of heb je helemaal niet aangeduid dat je je wachtwoord vergeten bent? Dan mag je deze e-mail gewoon negeren.\n\nMet vriendelijke groeten,\n"+(user.permissions ? request.i18n.t("shared.platformName") : name)
+        });
+
+        return new Response(undefined);
+    }
+}

package/src/endpoints/auth/GetUserEndpoint.test.ts

@@ -0,0 +1,64 @@
+import { Request } from "@simonbackx/simple-endpoints";
+import { OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
+import { NewUser } from '@stamhoofd/structures';
+
+import { testServer } from "../../../tests/helpers/TestServer";
+import { GetUserEndpoint } from './GetUserEndpoint';
+
+
+describe("Endpoint.GetUser", () => {
+    // Test endpoint
+    const endpoint = new GetUserEndpoint();
+
+    test("Request user details when signed in", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v1/user", organization.getApiHost());
+        r.headers.authorization = "Bearer "+token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        if (!(response.body instanceof NewUser)) {
+            throw new Error("Expected NewUser")
+        }   
+
+        expect(response.body.id).toEqual(user.id)
+    });
+
+    test("Request user details when not signed in is not working", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v1/user", organization.getApiHost());
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow(/missing/i)
+    });
+
+    test("Request user details with invalid token is not working", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v1/user", organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken+"d"
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow(/invalid/i)
+    });
+
+    test("Request user details with expired token is not working", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const token = await Token.createExpiredToken(user)
+
+        const r = Request.buildJson("GET", "/v1/user", organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow(/expired/i)
+    });
+
+    
+});

package/src/endpoints/auth/GetUserEndpoint.ts

@@ -0,0 +1,57 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { MyUser, User as UserStruct } from '@stamhoofd/structures';
+
+import { Context } from '../../helpers/Context';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = undefined;
+type ResponseBody = UserStruct|MyUser;
+
+export class GetUserEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/user", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        await Context.setOptionalOrganizationScope()
+        const {user} = await Context.authenticate({allowWithoutAccount: true})
+
+        if (request.request.getVersion() < 243) {
+            // Password
+            const st = MyUser.create({
+                firstName: user.firstName,
+                lastName: user.lastName,
+                id: user.id,
+                organizationId: user.organizationId,
+                email: user.email,
+                verified: user.verified,
+                permissions: user.permissions,
+                hasAccount: user.hasAccount()
+            })
+            return new Response(st);
+        }
+
+        const st = UserStruct.create({
+            firstName: user.firstName,
+            lastName: user.lastName,
+            id: user.id,
+            organizationId: user.organizationId,
+            email: user.email,
+            verified: user.verified,
+            permissions: user.permissions,
+            hasAccount: user.hasAccount()
+        })
+        return new Response(st);
+    }
+}

package/src/endpoints/auth/PatchApiUserEndpoint.ts

@@ -0,0 +1,90 @@
+import { AutoEncoderPatchType, Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from "@simonbackx/simple-errors";
+import { Token, User } from '@stamhoofd/models';
+import { ApiUser, PermissionLevel, UserPermissions } from "@stamhoofd/structures";
+
+import { Context } from '../../helpers/Context';
+
+type Params = { id: string };
+type Query = undefined;
+type Body = AutoEncoderPatchType<ApiUser>
+type ResponseBody = ApiUser
+
+export class PatchUserEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = ApiUser.patchType() as Decoder<AutoEncoderPatchType<ApiUser>>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "PATCH") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/api-keys/@id", { id: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        const {user} = await Context.authenticate()
+
+        if (request.body.id !== request.params.id) {
+            throw new SimpleError({
+                code: "invalid_request",
+                message: "Invalid request: id mismatch",
+                statusCode: 400
+            })
+        }
+
+        const editUser = request.body.id === user.id ? user : await User.getByID(request.body.id)
+        
+        if (!editUser || !await Context.auth.canAccessUser(editUser, PermissionLevel.Write) || !editUser.isApiUser) {
+            throw Context.auth.notFoundOrNoAccess("Je hebt geen toegang om deze API-user te wijzigen")
+        }
+
+        editUser.firstName = request.body.name ?? editUser.name
+        editUser.lastName = null
+
+        if (request.body.permissions !== undefined && editUser.permissions) {
+            if (!await Context.auth.canAccessUser(editUser, PermissionLevel.Full)) {
+                throw new SimpleError({
+                    code: "permission_denied",
+                    message: "Je hebt geen rechten om de rechten van deze API-user te wijzigen"
+                })
+            }
+
+            if (request.body.permissions) {
+                if (organization) {
+                    editUser.permissions = UserPermissions.limitedPatch(editUser.permissions, request.body.permissions, organization.id)
+
+                    if (editUser.id === user.id && (!editUser.permissions || !editUser.permissions.forOrganization(organization)?.hasFullAccess())) {
+                        throw new SimpleError({
+                            code: "permission_denied",
+                            message: "Je kan jezelf niet verwijderen als hoofdbeheerder"
+                        })
+                    }
+                } else {
+                    if (editUser.permissions) {
+                        editUser.permissions.patchOrPut(request.body.permissions)
+                    } else {
+                        editUser.permissions = request.body.permissions.isPut() ? request.body.permissions : null
+                    }
+
+                    if (editUser.id === user.id && !editUser.permissions?.platform?.hasFullAccess()) {
+                        throw new SimpleError({
+                            code: "permission_denied",
+                            message: "Je kan jezelf niet verwijderen als hoofdbeheerder"
+                        })
+                    }
+                }
+            }
+        }
+
+        await editUser.save();
+
+        return new Response(await Token.getAPIUserWithToken(editUser));      
+    }
+}