@stamhoofd/backend 2.70.0 → 2.72.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.70.0",
+    "version": "2.72.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.19.0",
         "@simonbackx/simple-endpoints": "1.15.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.70.0",
-        "@stamhoofd/backend-middleware": "2.70.0",
-        "@stamhoofd/email": "2.70.0",
-        "@stamhoofd/models": "2.70.0",
-        "@stamhoofd/queues": "2.70.0",
-        "@stamhoofd/sql": "2.70.0",
-        "@stamhoofd/structures": "2.70.0",
-        "@stamhoofd/utility": "2.70.0",
+        "@stamhoofd/backend-i18n": "2.72.0",
+        "@stamhoofd/backend-middleware": "2.72.0",
+        "@stamhoofd/email": "2.72.0",
+        "@stamhoofd/models": "2.72.0",
+        "@stamhoofd/queues": "2.72.0",
+        "@stamhoofd/sql": "2.72.0",
+        "@stamhoofd/structures": "2.72.0",
+        "@stamhoofd/utility": "2.72.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "5c6f4bbab24bf118b45da350bdaf3c62756909ad"
+    "gitHead": "9ca2f0fff00eafff2a398dbfdbfb032367473d1c"
 }

package/src/audit-logs/OrganizationLogger.ts

@@ -3,7 +3,7 @@ import { AuditLogType } from '@stamhoofd/structures';
 import { getDefaultGenerator, ModelLogger } from './ModelLogger';
 
 export const OrganizationLogger = new ModelLogger(Organization, {
-    skipKeys: ['searchIndex'],
+    skipKeys: ['searchIndex', 'serverMeta'],
     optionsGenerator: getDefaultGenerator({
         created: AuditLogType.OrganizationAdded,
         updated: AuditLogType.OrganizationEdited,

package/src/audit-logs/PlatformLogger.ts

@@ -3,6 +3,7 @@ import { getDefaultGenerator, ModelLogger } from './ModelLogger';
 import { AuditLogType } from '@stamhoofd/structures';
 
 export const PlatformLogger = new ModelLogger(Platform, {
+    skipKeys: ['serverConfig'],
     optionsGenerator: getDefaultGenerator({
         updated: AuditLogType.PlatformSettingsChanged,
     }),

package/src/endpoints/auth/CreateTokenEndpoint.ts

@@ -86,7 +86,8 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
 
                 if (STAMHOOFD.userMode === 'platform') {
                     const platform = await Platform.getShared();
-                    if (!platform.config.loginMethods.includes(LoginMethod.Password)) {
+                    const config = platform.config.loginMethods.get(LoginMethod.Password);
+                    if (!config) {
                         throw new SimpleError({
                             code: 'not_supported',
                             message: 'This platform does not support password login',
@@ -94,6 +95,15 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
                             statusCode: 400,
                         });
                     }
+
+                    if (!config.isEnabledForEmail(request.body.username)) {
+                        throw new SimpleError({
+                            code: 'not_supported',
+                            message: 'Login method not supported',
+                            human: 'Je kan op dit account niet inloggen met een wachtwoord. Gebruik een andere methode om in te loggen.',
+                            statusCode: 400,
+                        });
+                    }
                 }
 
                 const user = await User.login(organization?.id ?? null, request.body.username, request.body.password);

package/src/endpoints/auth/ForgotPasswordEndpoint.ts

@@ -1,8 +1,9 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { PasswordToken, sendEmailTemplate, User } from '@stamhoofd/models';
-import { EmailTemplateType, ForgotPasswordRequest, Recipient, Replacement } from '@stamhoofd/structures';
+import { PasswordToken, Platform, sendEmailTemplate, User } from '@stamhoofd/models';
+import { EmailTemplateType, ForgotPasswordRequest, LoginMethod, Recipient, Replacement } from '@stamhoofd/structures';
 
+import { SimpleError } from '@simonbackx/simple-errors';
 import { Context } from '../../helpers/Context';
 
 type Params = Record<string, never>;
@@ -28,6 +29,29 @@ export class ForgotPasswordEndpoint extends Endpoint<Params, Query, Body, Respon
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setOptionalOrganizationScope();
+
+        if (STAMHOOFD.userMode === 'platform') {
+            const platform = await Platform.getShared();
+            const config = platform.config.loginMethods.get(LoginMethod.Password);
+            if (!config) {
+                throw new SimpleError({
+                    code: 'not_supported',
+                    message: 'This platform does not support password login',
+                    human: 'Dit platform ondersteunt geen wachtwoord login',
+                    statusCode: 400,
+                });
+            }
+
+            if (!config.isEnabledForEmail(request.body.email)) {
+                throw new SimpleError({
+                    code: 'not_supported',
+                    message: 'Login method not supported',
+                    human: 'Je kan op dit account geen wachtwoord gebruiken om in te loggen.',
+                    statusCode: 400,
+                });
+            }
+        }
+
         const user = await User.getForAuthentication(organization?.id ?? null, request.body.email, { allowWithoutAccount: true });
 
         if (!user) {

package/src/endpoints/auth/OpenIDConnectCallbackEndpoint.ts

@@ -1,11 +1,8 @@
 import { AnyDecoder, Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
 
 import { Context } from '../../helpers/Context';
-import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
-import { OpenIDClientConfiguration } from '@stamhoofd/structures';
-import { Platform } from '@stamhoofd/models';
+import { SSOServiceWithSession } from '../../services/SSOService';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -29,26 +26,8 @@ export class OpenIDConnectCallbackEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
-        let configuration: OpenIDClientConfiguration | null;
-        const platform = await Platform.getShared();
-
-        if (organization) {
-            configuration = organization.serverMeta.ssoConfiguration;
-        }
-        else {
-            configuration = platform.serverConfig.ssoConfiguration;
-        }
-
-        if (!configuration) {
-            throw new SimpleError({
-                code: 'invalid_client',
-                message: 'SSO not configured',
-                statusCode: 400,
-            });
-        }
-
-        const helper = new OpenIDConnectHelper(organization, configuration);
-        return await helper.callback(request);
+        await Context.setUserOrganizationScope();
+        const ssoService = await SSOServiceWithSession.fromSession(request);
+        return await ssoService.callback();
     }
 }

package/src/endpoints/auth/OpenIDConnectStartEndpoint.ts

@@ -1,11 +1,9 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
-import { Platform, Webshop } from '@stamhoofd/models';
-import { OpenIDClientConfiguration, StartOpenIDFlowStruct } from '@stamhoofd/structures';
+import { StartOpenIDFlowStruct } from '@stamhoofd/structures';
 
 import { Context } from '../../helpers/Context';
-import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
+import { SSOService } from '../../services/SSOService';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -30,78 +28,14 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         // Check webshop and/or organization
-        const organization = await Context.setOptionalOrganizationScope();
-        const webshopId = request.body.webshopId;
-        const platform = await Platform.getShared();
+        await Context.setUserOrganizationScope();
+        await Context.optionalAuthenticate({ allowWithoutAccount: false });
+        console.log('Full start connect body;', await request.request.body);
 
-        // Host should match correctly
-        let redirectUri = 'https://' + STAMHOOFD.domains.dashboard;
-
-        if (organization) {
-            redirectUri = 'https://' + organization.getHost();
-        }
-
-        // todo: also support the app as redirect uri using app schemes (could be required for mobile apps)
-
-        if (webshopId) {
-            if (!organization) {
-                throw new SimpleError({
-                    code: 'invalid_organization',
-                    message: 'Organization required when specifying webshopId',
-                    statusCode: 400,
-                });
-            }
-
-            const webshop = await Webshop.getByID(webshopId);
-            if (!webshop || webshop.organizationId !== organization.id) {
-                throw new SimpleError({
-                    code: 'invalid_webshop',
-                    message: 'Invalid webshop',
-                    statusCode: 400,
-                });
-            }
-            redirectUri = 'https://' + webshop.setRelation(Webshop.organization, organization).getHost();
-        }
-
-        if (request.body.redirectUri) {
-            try {
-                const allowedHost = new URL(redirectUri);
-                const givenUrl = new URL(request.body.redirectUri);
-
-                if (allowedHost.host === givenUrl.host && givenUrl.protocol === 'https:') {
-                    redirectUri = givenUrl.href;
-                }
-            }
-            catch (e) {
-                console.error('Invalid redirect uri', request.body.redirectUri);
-            }
-        }
-
-        if (request.body.spaState.length < 10) {
-            throw new SimpleError({
-                code: 'invalid_state',
-                message: 'Invalid state',
-                statusCode: 400,
-            });
-        }
-
-        let configuration: OpenIDClientConfiguration | null;
-
-        if (organization) {
-            configuration = organization.serverMeta.ssoConfiguration;
-        }
-        else {
-            configuration = platform.serverConfig.ssoConfiguration;
-        }
-
-        if (!configuration) {
-            throw new SimpleError({
-                code: 'invalid_client',
-                message: 'SSO not configured',
-                statusCode: 400,
-            });
+        if (Context.user) {
+            console.log('User:', Context.user);
         }
-        const helper = new OpenIDConnectHelper(organization, configuration);
-        return await helper.startAuthCodeFlow(redirectUri, request.body.provider, request.body.spaState, request.body.prompt);
+        const service = await SSOService.fromContext(request.body.provider);
+        return await service.validateAndStartAuthCodeFlow(request.body);
     }
 }

package/src/endpoints/auth/PatchUserEndpoint.ts

@@ -1,8 +1,8 @@
-import { AutoEncoderPatchType, Decoder } from '@simonbackx/simple-encoding';
+import { AutoEncoderPatchType, Decoder, isPatch } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { EmailVerificationCode, Member, PasswordToken, Token, User } from '@stamhoofd/models';
-import { NewUser, PermissionLevel, SignupResponse, UserPermissions, UserWithMembers } from '@stamhoofd/structures';
+import { EmailVerificationCode, Member, PasswordToken, Platform, Token, User } from '@stamhoofd/models';
+import { LoginMethod, NewUser, PermissionLevel, SignupResponse, UserPermissions, UserWithMembers } from '@stamhoofd/structures';
 
 import { Context } from '../../helpers/Context';
 import { MemberUserSyncer } from '../../helpers/MemberUserSyncer';
@@ -109,13 +109,77 @@ export class PatchUserEndpoint extends Endpoint<Params, Query, Body, ResponseBod
             }
         }
 
+        if (request.body.meta) {
+            if (request.body.meta.loginProviderIds && isPatch(request.body.meta.loginProviderIds)) {
+                // Delete deleted login providers
+                for (const [key, value] of request.body.meta.loginProviderIds) {
+                    if (value !== null) {
+                        // Not allowed
+                        throw Context.auth.error('You are not allowed to change the login provider ids');
+                    }
+
+                    if (editUser.meta?.loginProviderIds.has(key)) {
+                        // Check has remaining method
+                        if (editUser.meta.loginProviderIds.size <= 1 && !editUser.hasPasswordBasedAccount()) {
+                            throw new SimpleError({
+                                code: 'invalid_request',
+                                message: 'You cannot remove the last login provider',
+                                human: 'Stel eerst een wachtwoord in voor jouw account voor je deze loginmethode uitschakelt.',
+                                statusCode: 400,
+                            });
+                        }
+                        editUser.meta.loginProviderIds.delete(key);
+                    }
+                }
+            }
+        }
+
         if (editUser.id === user.id && request.body.password) {
+            if (STAMHOOFD.userMode === 'platform') {
+                const platform = await Platform.getShared();
+                const config = platform.config.loginMethods.get(LoginMethod.Password);
+                if (!config) {
+                    throw new SimpleError({
+                        code: 'not_supported',
+                        message: 'This platform does not support password login',
+                        human: 'Dit platform ondersteunt geen wachtwoord login',
+                        statusCode: 400,
+                    });
+                }
+
+                if (!config.isEnabledForEmail(editUser.email)) {
+                    throw new SimpleError({
+                        code: 'not_supported',
+                        message: 'Login method not supported',
+                        human: 'Je kan op dit account geen wachtwoord gebruiken om in te loggen.',
+                        statusCode: 400,
+                    });
+                }
+            }
+
             // password changes
             await editUser.changePassword(request.body.password);
             await PasswordToken.clearFor(editUser.id);
             await Token.clearFor(editUser.id, token.accessToken);
         }
 
+        if (request.body.hasPassword === false) {
+            if (editUser.hasPasswordBasedAccount()) {
+                // Check other login methods available
+                if (!editUser.meta?.loginProviderIds?.size) {
+                    throw new SimpleError({
+                        code: 'invalid_request',
+                        message: 'You cannot remove the last login provider',
+                        human: 'Je kan jouw wachtwoord niet verwijderen als je geen andere loginmethode hebt.',
+                        statusCode: 400,
+                    });
+                }
+                editUser.password = null;
+                await PasswordToken.clearFor(editUser.id);
+                await Token.clearFor(editUser.id, token.accessToken);
+            }
+        }
+
         await editUser.save();
 
         if (await Context.auth.canEditUserEmail(editUser)) {

package/src/endpoints/auth/SignupEndpoint.ts

@@ -32,7 +32,7 @@ export class SignupEndpoint extends Endpoint<Params, Query, Body, ResponseBody>
 
         if (STAMHOOFD.userMode === 'platform') {
             const platform = await Platform.getShared();
-            if (!platform.config.loginMethods.includes(LoginMethod.Password)) {
+            if (!platform.config.loginMethods.has(LoginMethod.Password)) {
                 throw new SimpleError({
                     code: 'not_supported',
                     message: 'This platform does not support password login',

package/src/endpoints/global/members/GetMembersEndpoint.ts

@@ -3,15 +3,15 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Member, Platform } from '@stamhoofd/models';
 import { SQL, compileToSQLFilter, compileToSQLSorter } from '@stamhoofd/sql';
-import { CountFilteredRequest, Country, LimitedFilteredRequest, MembersBlob, PaginatedResponse, PermissionLevel, StamhoofdFilter, assertSort, getSortFilter } from '@stamhoofd/structures';
+import { CountFilteredRequest, Country, CountryCode, LimitedFilteredRequest, MembersBlob, PaginatedResponse, PermissionLevel, StamhoofdFilter, assertSort, getSortFilter } from '@stamhoofd/structures';
 import { DataValidator } from '@stamhoofd/utility';
 
+import { SQLResultNamespacedRow } from '@simonbackx/simple-database';
 import parsePhoneNumber from 'libphonenumber-js/max';
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 import { Context } from '../../../helpers/Context';
 import { memberFilterCompilers } from '../../../sql-filters/members';
 import { memberSorters } from '../../../sql-sorters/members';
-import { SQLResultNamespacedRow } from '@simonbackx/simple-database';
 
 type Params = Record<string, never>;
 type Query = LimitedFilteredRequest;
@@ -141,7 +141,9 @@ export class GetMembersEndpoint extends Endpoint<Params, Query, Body, ResponseBo
             if (!searchFilter && q.search.match(/^\+?[0-9\s-]+$/)) {
                 // Try to format as phone so we have 1:1 space matches
                 try {
-                    const phoneNumber = parsePhoneNumber(q.search, (Context.i18n.country as Country) || Country.Belgium);
+                    const country = (Context.i18n.country as CountryCode) || Country.Belgium;
+
+                    const phoneNumber = parsePhoneNumber(q.search, country);
                     if (phoneNumber && phoneNumber.isValid()) {
                         const formatted = phoneNumber.formatInternational();
                         searchFilter = {

package/src/endpoints/global/sso/GetSSOEndpoint.ts

@@ -1,11 +1,17 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { OpenIDClientConfiguration } from '@stamhoofd/structures';
+import { LoginProviderType, OpenIDClientConfiguration } from '@stamhoofd/structures';
 
 import { Context } from '../../../helpers/Context';
 import { Platform } from '@stamhoofd/models';
+import { AutoEncoder, Decoder, EnumDecoder, field } from '@simonbackx/simple-encoding';
+import { SSOService } from '../../../services/SSOService';
 
 type Params = Record<string, never>;
-type Query = undefined;
+export class SSOQuery extends AutoEncoder {
+    @field({ decoder: new EnumDecoder(LoginProviderType) })
+    provider: LoginProviderType;
+}
+type Query = SSOQuery;
 type Body = undefined;
 type ResponseBody = OpenIDClientConfiguration;
 
@@ -14,6 +20,8 @@ type ResponseBody = OpenIDClientConfiguration;
  */
 
 export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = SSOQuery as Decoder<Query>;
+
     protected doesMatch(request: Request): [true, Params] | [false] {
         if (request.method !== 'GET') {
             return [false];
@@ -27,19 +35,22 @@ export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
         return [false];
     }
 
-    async handle(_: DecodedRequest<Params, Query, Body>) {
+    async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setOptionalOrganizationScope();
         await Context.authenticate();
+        const service = await SSOService.fromContext(request.query.provider);
 
         if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
             throw Context.auth.error();
         }
 
-        if (organization) {
-            return new Response(organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
+        const configuration = service.configuration.clone();
+
+        // Remove secret by placeholder asterisks
+        if (configuration.clientSecret.length > 0) {
+            configuration.clientSecret = OpenIDClientConfiguration.placeholderClientSecret;
         }
 
-        const platform = await Platform.getShared();
-        return new Response(platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
+        return new Response(configuration);
     }
 }

package/src/endpoints/global/sso/SetSSOEndpoint.ts

@@ -3,11 +3,11 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { OpenIDClientConfiguration } from '@stamhoofd/structures';
 
 import { Context } from '../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../helpers/OpenIDConnectHelper';
-import { Platform } from '@stamhoofd/models';
+import { SSOService } from '../../../services/SSOService';
+import { SSOQuery } from './GetSSOEndpoint';
 
 type Params = Record<string, never>;
-type Query = undefined;
+type Query = SSOQuery;
 type Body = AutoEncoderPatchType<OpenIDClientConfiguration>;
 type ResponseBody = OpenIDClientConfiguration;
 
@@ -17,6 +17,7 @@ type ResponseBody = OpenIDClientConfiguration;
 
 export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
     bodyDecoder = OpenIDClientConfiguration.patchType() as Decoder<AutoEncoderPatchType<OpenIDClientConfiguration>>;
+    queryDecoder = SSOQuery as Decoder<Query>;
 
     protected doesMatch(request: Request): [true, Params] | [false] {
         if (request.method !== 'POST') {
@@ -34,34 +35,18 @@ export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
     async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setOptionalOrganizationScope();
         await Context.authenticate();
+        const service = await SSOService.fromContext(request.query.provider);
 
         if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
             throw Context.auth.error();
         }
 
-        let newConfig: OpenIDClientConfiguration;
-
-        if (organization) {
-            newConfig = (organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
-
-            // Validate configuration
-            const helper = new OpenIDConnectHelper(organization, newConfig);
-            await helper.getClient();
-
-            organization.serverMeta.ssoConfiguration = newConfig;
-            await organization.save();
+        if (request.body.clientSecret === OpenIDClientConfiguration.placeholderClientSecret) {
+            delete request.body.clientSecret;
         }
-        else {
-            const platform = await Platform.getShared();
-            newConfig = (platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
 
-            // Validate configuration
-            const helper = new OpenIDConnectHelper(null, newConfig);
-            await helper.getClient();
-
-            platform.serverConfig.ssoConfiguration = newConfig;
-            await platform.save();
-        }
+        const newConfig: OpenIDClientConfiguration = service.configuration.patch(request.body);
+        await service.setConfiguration(newConfig);
 
         return new Response(newConfig);
     }

package/src/helpers/AdminPermissionChecker.ts

@@ -538,6 +538,10 @@ export class AdminPermissionChecker {
     }
 
     async canEditUserName(user: User) {
+        if (user.hasAccount() && !user.hasPasswordBasedAccount()) {
+            return false;
+        }
+
         if (user.id === this.user.id) {
             return true;
         }
@@ -556,9 +560,6 @@ export class AdminPermissionChecker {
     }
 
     async canEditUserEmail(user: User) {
-        if (user.meta?.loginProviderIds?.size) {
-            return false;
-        }
         return this.canEditUserName(user);
     }
 

package/src/helpers/AuthenticatedStructures.ts

@@ -287,6 +287,7 @@ export class AuthenticatedStructures {
         return UserWithMembers.create({
             ...user,
             hasAccount: user.hasAccount(),
+            hasPassword: user.hasPasswordBasedAccount(),
 
             // Always include the current context organization - because it is possible we switch organization and we don't want to refetch every time
             members: await this.membersBlob(members, true, user),
@@ -306,6 +307,7 @@ export class AuthenticatedStructures {
             structs.push(UserWithMembers.create({
                 ...user,
                 hasAccount: user.hasAccount(),
+                hasPassword: user.hasPasswordBasedAccount(),
                 members: await this.membersBlob(filteredMembers, false),
             }));
         }

package/src/helpers/Context.ts

@@ -1,10 +1,11 @@
-import { Request } from '@simonbackx/simple-endpoints';
+import { DecodedRequest, Request } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { I18n } from '@stamhoofd/backend-i18n';
 import { Organization, Platform, RateLimiter, Token, User } from '@stamhoofd/models';
 import { AsyncLocalStorage } from 'async_hooks';
 
 import { AdminPermissionChecker } from './AdminPermissionChecker';
+import { AutoEncoder, field, Decoder, StringDecoder } from '@simonbackx/simple-encoding';
 
 export const apiUserRateLimiter = new RateLimiter({
     limits: [
@@ -31,6 +32,11 @@ export const apiUserRateLimiter = new RateLimiter({
     ],
 });
 
+export class AuthorizationPostBody extends AutoEncoder {
+    @field({ decoder: StringDecoder })
+    header_authorization: string;
+}
+
 export class ContextInstance {
     request: Request;
 
@@ -150,15 +156,27 @@ export class ContextInstance {
     }
 
     async optionalAuthenticate({ allowWithoutAccount = false }: { allowWithoutAccount?: boolean } = {}): Promise<{ user?: User }> {
-        const header = this.request.headers.authorization;
-        if (!header) {
+        try {
+            return await this.authenticate({ allowWithoutAccount });
+        }
+        catch (e) {
             return {};
         }
-        return this.authenticate({ allowWithoutAccount });
     }
 
     async authenticate({ allowWithoutAccount = false }: { allowWithoutAccount?: boolean } = {}): Promise<{ user: User; token: Token }> {
-        const header = this.request.headers.authorization;
+        let header = this.request.headers.authorization;
+
+        if (!header && this.request.method === 'POST') {
+            try {
+                const decoded = await DecodedRequest.fromRequest(this.request, undefined, undefined, AuthorizationPostBody as Decoder<AuthorizationPostBody>);
+                header = decoded.body.header_authorization;
+            }
+            catch (e) {
+                // Ignore: failed to read from body
+            }
+        }
+
         if (!header) {
             throw new SimpleError({
                 code: 'not_authenticated',

package/src/helpers/CookieHelper.ts

@@ -1,10 +1,15 @@
-import { DecodedRequest, Response } from '@simonbackx/simple-endpoints';
+import { Response } from '@simonbackx/simple-endpoints';
 import cookie from 'cookie';
+import http from 'http';
 
-type DecodedRequestWithCookies = DecodedRequest<any, any, any> & { cookies?: Record<string, string> };
+export type ObjectWithHeaders = {
+    headers: http.IncomingHttpHeaders;
+};
+
+type DecodedRequestWithCookies = ObjectWithHeaders & { cookies?: Record<string, string> };
 
 export class CookieHelper {
-    static getCookies(request: DecodedRequest<any, any, any>): Record<string, string> {
+    static getCookies(request: ObjectWithHeaders): Record<string, string> {
         const r = request as DecodedRequestWithCookies;
         if (r.cookies) {
             return r.cookies;
@@ -21,7 +26,7 @@ export class CookieHelper {
         return r.cookies;
     }
 
-    static getCookie(request: DecodedRequest<any, any, any>, name: string): string | undefined {
+    static getCookie(request: ObjectWithHeaders, name: string): string | undefined {
         const cookies = this.getCookies(request);
         return cookies[name];
     }