@supabase/gotrue-js 2.0.1 → 2.2.0

package/src/GoTrueClient.ts

@@ -17,7 +17,6 @@ import {
 } from './lib/errors'
 import { Fetch, _request, _sessionResponse, _userResponse } from './lib/fetch'
 import {
-  decodeBase64URL,
   Deferred,
   getItemAsync,
   getParameterByName,
@@ -26,6 +25,7 @@ import {
   resolveFetch,
   setItemAsync,
   uuid,
+  decodeJWTPayload,
 } from './lib/helpers'
 import localStorageAdapter from './lib/local-storage'
 import { polyfillGlobalThis } from './lib/polyfills'
@@ -48,6 +48,21 @@ import type {
   UserAttributes,
   UserResponse,
   VerifyOtpParams,
+  GoTrueMFAApi,
+  MFAEnrollParams,
+  AuthMFAEnrollResponse,
+  MFAChallengeParams,
+  AuthMFAChallengeResponse,
+  MFAUnenrollParams,
+  AuthMFAUnenrollResponse,
+  MFAVerifyParams,
+  AuthMFAVerifyResponse,
+  AuthMFAListFactorsResponse,
+  AMREntry,
+  AuthMFAGetAuthenticatorAssuranceLevelResponse,
+  AuthenticatorAssuranceLevels,
+  Factor,
+  MFAChallengeAndVerifyParams,
 } from './lib/types'
 
 polyfillGlobalThis() // Make "globalThis" available
@@ -67,6 +82,10 @@ export default class GoTrueClient {
    * These methods should only be used in a trusted server-side environment.
    */
   admin: GoTrueAdminApi
+  /**
+   * Namespace for the MFA methods.
+   */
+  mfa: GoTrueMFAApi
   /**
    * The storage key used to identify the values saved in localStorage
    */
@@ -121,6 +140,15 @@ export default class GoTrueClient {
     this.detectSessionInUrl = settings.detectSessionInUrl
 
     this.initialize()
+    this.mfa = {
+      verify: this._verify.bind(this),
+      enroll: this._enroll.bind(this),
+      unenroll: this._unenroll.bind(this),
+      challenge: this._challenge.bind(this),
+      listFactors: this._listFactors.bind(this),
+      challengeAndVerify: this._challengeAndVerify.bind(this),
+      getAuthenticatorAssuranceLevel: this._getAuthenticatorAssuranceLevel.bind(this),
+    }
   }
 
   /**
@@ -204,7 +232,7 @@ export default class GoTrueClient {
           body: {
             email,
             password,
-            data: options?.data,
+            data: options?.data ?? {},
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
           xform: _sessionResponse,
@@ -216,7 +244,7 @@ export default class GoTrueClient {
           body: {
             phone,
             password,
-            data: options?.data,
+            data: options?.data ?? {},
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
           xform: _sessionResponse,
@@ -266,6 +294,7 @@ export default class GoTrueClient {
           body: {
             email,
             password,
+            data: options?.data ?? {},
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
           xform: _sessionResponse,
@@ -277,6 +306,7 @@ export default class GoTrueClient {
           body: {
             phone,
             password,
+            data: options?.data ?? {},
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
           xform: _sessionResponse,
@@ -530,6 +560,17 @@ export default class GoTrueClient {
     }
   }
 
+  /**
+   * Decodes a JWT (without performing any validation).
+   */
+  private _decodeJWT(jwt: string): {
+    exp?: number
+    aal?: AuthenticatorAssuranceLevels | null
+    amr?: AMREntry[] | null
+  } {
+    return decodeJWTPayload(jwt)
+  }
+
   /**
    * Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session.
    * If the refresh token in the current session is invalid and the current session has expired, an error will be thrown.
@@ -545,7 +586,8 @@ export default class GoTrueClient {
       let hasExpired = true
       let session: Session | null = null
       if (currentSession.access_token && currentSession.access_token.split('.')[1]) {
-        const payload = JSON.parse(decodeBase64URL(currentSession.access_token.split('.')[1]))
+        const payload = this._decodeJWT(currentSession.access_token)
+
         if (payload.exp) {
           expiresAt = payload.exp
           hasExpired = expiresAt <= timeNow
@@ -593,6 +635,46 @@ export default class GoTrueClient {
     }
   }
 
+  /**
+   * Returns a new session, regardless of expiry status.
+   * Takes in an optional current session. If not passed in, then refreshSession() will attempt to retrieve it from getSession().
+   * If the current session's refresh token is invalid, an error will be thrown.
+   * @param currentSession The current session. If passed in, it must contain a refresh token.
+   */
+  async refreshSession(currentSession?: { refresh_token: string }): Promise<AuthResponse> {
+    try {
+      if (!currentSession) {
+        const { data, error } = await this.getSession()
+        if (error) {
+          throw error
+        }
+
+        currentSession = data.session ?? undefined
+      }
+
+      if (!currentSession?.refresh_token) {
+        throw new AuthSessionMissingError()
+      }
+
+      const { session, error } = await this._callRefreshToken(currentSession.refresh_token)
+      if (error) {
+        return { data: { user: null, session: null }, error: error }
+      }
+
+      if (!session) {
+        return { data: { user: null, session: null }, error: null }
+      }
+
+      return { data: { user: session.user, session }, error: null }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: { user: null, session: null }, error }
+      }
+
+      throw error
+    }
+  }
+
   /**
    * Gets the session data from a URL string
    */
@@ -1005,4 +1087,177 @@ export default class GoTrueClient {
     }
     return `${this.url}/authorize?${urlParams.join('&')}`
   }
+
+  private async _unenroll(params: MFAUnenrollParams): Promise<AuthMFAUnenrollResponse> {
+    const { data: sessionData, error: sessionError } = await this.getSession()
+    if (sessionError) {
+      return { data: null, error: sessionError }
+    }
+
+    return await _request(this.fetch, 'DELETE', `${this.url}/factors/${params.factorId}`, {
+      headers: this.headers,
+      jwt: sessionData?.session?.access_token,
+    })
+  }
+
+  /**
+   * Deletes a registered factor from GoTrue
+   * @param friendlyName Human readable name assigned to a device
+   * @param factorType device which we're validating against. Can only be TOTP for now.
+   * @param issuer domain which the user is enrolling with
+   */
+  private async _enroll(params: MFAEnrollParams): Promise<AuthMFAEnrollResponse> {
+    const { data: sessionData, error: sessionError } = await this.getSession()
+    if (sessionError) {
+      return { data: null, error: sessionError }
+    }
+
+    const { data, error } = await _request(this.fetch, 'POST', `${this.url}/factors`, {
+      body: {
+        friendly_name: params.friendlyName,
+        factor_type: params.factorType,
+        issuer: params.issuer,
+      },
+      headers: this.headers,
+      jwt: sessionData?.session?.access_token,
+    })
+
+    if (error) {
+      return { data: null, error }
+    }
+
+    if (data?.totp?.qr_code) {
+      data.totp.qr_code = `data:image/svg+xml;utf-8,${data.totp.qr_code}`
+    }
+
+    return { data, error: null }
+  }
+
+  /**
+   * Validates a device as part of the enrollment step.
+   * @param factorID System assigned identifier for authenticator device as returned by enroll
+   * @param code Code Generated by an authenticator device
+   */
+  private async _verify(params: MFAVerifyParams): Promise<AuthMFAVerifyResponse> {
+    const { data: sessionData, error: sessionError } = await this.getSession()
+    if (sessionError) {
+      return { data: null, error: sessionError }
+    }
+
+    const { data, error } = await _request(
+      this.fetch,
+      'POST',
+      `${this.url}/factors/${params.factorId}/verify`,
+      {
+        body: { code: params.code, challenge_id: params.challengeId },
+        headers: this.headers,
+        jwt: sessionData?.session?.access_token,
+      }
+    )
+    if (error) {
+      return { data: null, error }
+    }
+
+    await this._saveSession({
+      expires_at: Math.round(Date.now() / 1000) + data.expires_in,
+      ...data,
+    })
+    this._notifyAllSubscribers('MFA_CHALLENGE_VERIFIED', data)
+
+    return { data, error }
+  }
+
+  /**
+   * Creates a challenge which a user can verify against
+   * @param factorID System assigned identifier for authenticator device as returned by enroll
+   */
+  private async _challenge(params: MFAChallengeParams): Promise<AuthMFAChallengeResponse> {
+    const { data: sessionData, error: sessionError } = await this.getSession()
+    if (sessionError) {
+      return { data: null, error: sessionError }
+    }
+
+    return await _request(this.fetch, 'POST', `${this.url}/factors/${params.factorId}/challenge`, {
+      headers: this.headers,
+      jwt: sessionData?.session?.access_token,
+    })
+  }
+  private async _challengeAndVerify(
+    params: MFAChallengeAndVerifyParams
+  ): Promise<AuthMFAVerifyResponse> {
+    const { data: challengeData, error: challengeError } = await this._challenge({
+      factorId: params.factorId,
+    })
+    if (challengeError) {
+      return { data: null, error: challengeError }
+    }
+    return await this._verify({
+      factorId: params.factorId,
+      challengeId: challengeData.id,
+      code: params.code,
+    })
+  }
+
+  /**
+   * Displays all devices for a given user
+   */
+  private async _listFactors(): Promise<AuthMFAListFactorsResponse> {
+    const {
+      data: { user },
+      error: userError,
+    } = await this.getUser()
+    if (userError) {
+      return { data: null, error: userError }
+    }
+
+    const factors = user?.factors || []
+    const totp = factors.filter(
+      (factor) => factor.factor_type === 'totp' && factor.status === 'verified'
+    )
+
+    return {
+      data: {
+        all: factors,
+        totp,
+      },
+      error: null,
+    }
+  }
+
+  private async _getAuthenticatorAssuranceLevel(): Promise<AuthMFAGetAuthenticatorAssuranceLevelResponse> {
+    const {
+      data: { session },
+      error: sessionError,
+    } = await this.getSession()
+    if (sessionError) {
+      return { data: null, error: sessionError }
+    }
+    if (!session) {
+      return {
+        data: { currentLevel: null, nextLevel: null, currentAuthenticationMethods: [] },
+        error: null,
+      }
+    }
+
+    const payload = this._decodeJWT(session.access_token)
+
+    let currentLevel: AuthenticatorAssuranceLevels | null = null
+
+    if (payload.aal) {
+      currentLevel = payload.aal
+    }
+
+    let nextLevel: AuthenticatorAssuranceLevels | null = currentLevel
+
+    const verifiedFactors =
+      session.user.factors?.filter((factor: Factor) => factor.status === 'verified') ?? []
+
+    if (verifiedFactors.length > 0) {
+      nextLevel = 'aal2'
+    }
+
+    const currentAuthenticationMethods = payload.amr || []
+
+    return { data: { currentLevel, nextLevel, currentAuthenticationMethods }, error: null }
+  }
 }

package/src/index.ts

@@ -1,6 +1,5 @@
 import GoTrueAdminApi from './GoTrueAdminApi'
 import GoTrueClient from './GoTrueClient'
-
 export { GoTrueAdminApi, GoTrueClient }
 export * from './lib/types'
 export * from './lib/errors'

package/src/lib/helpers.ts

@@ -120,3 +120,14 @@ export class Deferred<T = any> {
     })
   }
 }
+// Taken from: https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library
+export function decodeJWTPayload(token: string) {
+  const parts = token.split('.')
+
+  if (parts.length !== 3) {
+    throw new Error('JWT is not valid: not a JWT structure')
+  }
+
+  const base64Url = parts[1]
+  return JSON.parse(decodeBase64URL(base64Url))
+}