@things-factory/auth-base 7.0.1-alpha.1 → 7.0.1-alpha.100

package/dist-server/utils/access-token-cookie.d.ts

@@ -1,3 +1,4 @@
 export declare function getAccessTokenCookie(context: any): any;
 export declare function setAccessTokenCookie(context: any, token: any): void;
+export declare function setSessionAccessToken(context: any): void;
 export declare function clearAccessTokenCookie(context: any): void;

package/dist-server/utils/access-token-cookie.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.clearAccessTokenCookie = exports.setAccessTokenCookie = exports.getAccessTokenCookie = void 0;
+exports.clearAccessTokenCookie = exports.setSessionAccessToken = exports.setAccessTokenCookie = exports.getAccessTokenCookie = void 0;
 const shell_1 = require("@things-factory/shell");
 const env_1 = require("@things-factory/env");
 const max_age_1 = require("../constants/max-age");
@@ -24,6 +24,16 @@ function setAccessTokenCookie(context, token) {
     context.cookies.set(accessTokenCookieKey, token, cookie);
 }
 exports.setAccessTokenCookie = setAccessTokenCookie;
+function setSessionAccessToken(context) {
+    /* koa-session 을 사용하는 경우에는, cookie 직접 설정이 작동되지 않는다. 그런 경우에는 session에 설정해서 cookie를 변경한다. */
+    const { user } = context.state;
+    context.session = {
+        id: user.id,
+        userType: user.type,
+        status: user.state
+    };
+}
+exports.setSessionAccessToken = setSessionAccessToken;
 function clearAccessTokenCookie(context) {
     const { secure } = context;
     var cookie = {
@@ -40,6 +50,7 @@ function clearAccessTokenCookie(context) {
      * https://github.com/hatiolab/things-factory/issues/70
      */
     context.cookies.set('i18next', '', cookie);
+    context.session = null;
 }
 exports.clearAccessTokenCookie = clearAccessTokenCookie;
 //# sourceMappingURL=access-token-cookie.js.map

package/dist-server/utils/access-token-cookie.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-token-cookie.js","sourceRoot":"","sources":["../../server/utils/access-token-cookie.ts"],"names":[],"mappings":";;;AAAA,iDAAmE;AACnE,6CAA4C;AAC5C,kDAA8C;AAE9C,MAAM,oBAAoB,GAAG,YAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAA;AAE/E,SAAgB,oBAAoB,CAAC,OAAO;;IAC1C,OAAO,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,OAAO,0CAAE,GAAG,CAAC,oBAAoB,CAAC,CAAA;AACpD,CAAC;AAFD,oDAEC;AAED,SAAgB,oBAAoB,CAAC,OAAO,EAAE,KAAK;IACjD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,iBAAO;KAChB,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;AAC1D,CAAC;AAfD,oDAeC;AAED,SAAgB,sBAAsB,CAAC,OAAO;IAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;KACf,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IACrD;;;OAGG;IACH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;AAC5C,CAAC;AAnBD,wDAmBC","sourcesContent":["import { getCookieDomainFromHostname } from '@things-factory/shell'\nimport { config } from '@things-factory/env'\nimport { MAX_AGE } from '../constants/max-age'\n\nconst accessTokenCookieKey = config.get('accessTokenCookieKey', 'access_token')\n\nexport function getAccessTokenCookie(context) {\n  return context?.cookies?.get(accessTokenCookieKey)\n}\n\nexport function setAccessTokenCookie(context, token) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true,\n    maxAge: MAX_AGE\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, token, cookie)\n}\n\nexport function clearAccessTokenCookie(context) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, '', cookie)\n  /*\n   * TODO clear i18next cookie as well - need to support domain\n   * https://github.com/hatiolab/things-factory/issues/70\n   */\n  context.cookies.set('i18next', '', cookie)\n}\n"]}
+{"version":3,"file":"access-token-cookie.js","sourceRoot":"","sources":["../../server/utils/access-token-cookie.ts"],"names":[],"mappings":";;;AAAA,iDAAmE;AACnE,6CAA4C;AAC5C,kDAA8C;AAE9C,MAAM,oBAAoB,GAAG,YAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAA;AAE/E,SAAgB,oBAAoB,CAAC,OAAO;;IAC1C,OAAO,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,OAAO,0CAAE,GAAG,CAAC,oBAAoB,CAAC,CAAA;AACpD,CAAC;AAFD,oDAEC;AAED,SAAgB,oBAAoB,CAAC,OAAO,EAAE,KAAK;IACjD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,iBAAO;KAChB,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;AAC1D,CAAC;AAfD,oDAeC;AAED,SAAgB,qBAAqB,CAAC,OAAO;IAC3C,0FAA0F;IAC1F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAE9B,OAAO,CAAC,OAAO,GAAG;QAChB,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,QAAQ,EAAE,IAAI,CAAC,IAAI;QACnB,MAAM,EAAE,IAAI,CAAC,KAAK;KACnB,CAAA;AACH,CAAC;AATD,sDASC;AAED,SAAgB,sBAAsB,CAAC,OAAO;IAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;KACf,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IACrD;;;OAGG;IACH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IAC1C,OAAO,CAAC,OAAO,GAAG,IAAI,CAAA;AACxB,CAAC;AApBD,wDAoBC","sourcesContent":["import { getCookieDomainFromHostname } from '@things-factory/shell'\nimport { config } from '@things-factory/env'\nimport { MAX_AGE } from '../constants/max-age'\n\nconst accessTokenCookieKey = config.get('accessTokenCookieKey', 'access_token')\n\nexport function getAccessTokenCookie(context) {\n  return context?.cookies?.get(accessTokenCookieKey)\n}\n\nexport function setAccessTokenCookie(context, token) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true,\n    maxAge: MAX_AGE\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, token, cookie)\n}\n\nexport function setSessionAccessToken(context) {\n  /* koa-session 을 사용하는 경우에는, cookie 직접 설정이 작동되지 않는다. 그런 경우에는 session에 설정해서 cookie를 변경한다. */\n  const { user } = context.state\n\n  context.session = {\n    id: user.id,\n    userType: user.type,\n    status: user.state\n  }\n}\n\nexport function clearAccessTokenCookie(context) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, '', cookie)\n  /*\n   * TODO clear i18next cookie as well - need to support domain\n   * https://github.com/hatiolab/things-factory/issues/70\n   */\n  context.cookies.set('i18next', '', cookie)\n  context.session = null\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "7.0.1-alpha.1",
+  "version": "7.0.1-alpha.100",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -30,18 +30,20 @@
     "migration:create": "node ../../node_modules/typeorm/cli.js migration:create -d ./server/migrations"
   },
   "dependencies": {
-    "@things-factory/email-base": "^7.0.1-alpha.1",
-    "@things-factory/env": "^7.0.1-alpha.0",
-    "@things-factory/i18n-base": "^7.0.1-alpha.1",
-    "@things-factory/shell": "^7.0.1-alpha.1",
-    "@things-factory/utils": "^7.0.1-alpha.0",
+    "@things-factory/email-base": "^7.0.1-alpha.100",
+    "@things-factory/env": "^7.0.1-alpha.71",
+    "@things-factory/shell": "^7.0.1-alpha.100",
+    "@things-factory/utils": "^7.0.1-alpha.71",
+    "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
     "koa-session": "^6.4.0",
     "oauth2orize-koa": "^1.3.2",
+    "passport": "^0.7.0",
+    "passport-fido2-webauthn": "^0.1.0",
     "passport-jwt": "^4.0.0",
     "passport-local": "^1.0.0",
     "popsicle-cookie-jar": "^1.0.0"
   },
-  "gitHead": "6cc9a9da9059f32f8c2968c57831c1d353a2ec97"
+  "gitHead": "f5062c5559383d06fc8f9f870b56163952557c70"
 }

package/server/constants/error-code.ts

@@ -15,3 +15,5 @@ export const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'
 export const USER_DUPLICATED = 'user duplicated'
 export const PASSWORD_USED_PAST = 'password used in the past'
 export const VERIFICATION_ERROR = 'user or verification token not found'
+export const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'
+export const AUTH_ERROR = 'auth error'

package/server/middlewares/authenticate-401-middleware.ts

@@ -15,7 +15,7 @@ export async function authenticate401Middleware(context, next) {
     var message
 
     if (err instanceof AuthError) {
-      message = context.t(`error.${err.errorCode}`, err.detail || {})
+      message = (context.t && context.t(`error.${err.errorCode}`, err.detail || {})) || err.errorCode
     } else {
       if (err?.status !== 401) {
         throw err

package/server/middlewares/index.ts

@@ -20,7 +20,7 @@ export function initMiddlewares(app: any) {
   app.use(
     session(
       {
-        key: accessTokenCookieKey,
+        key: 'tfsession',
         maxAge: MAX_AGE,
         overwrite: true,
         httpOnly: true,
@@ -63,4 +63,5 @@ process.on('bootstrap-module-subscription' as any, (app, subscriptionMiddleware)
 export * from './jwt-authenticate-middleware'
 export * from './domain-authenticate-middleware'
 export * from './signin-middleware'
+export * from './webauthn-middleware'
 export * from './authenticate-401-middleware'

package/server/middlewares/webauthn-middleware.ts

@@ -0,0 +1,75 @@
+import passport from 'koa-passport'
+import { Strategy as WebAuthnStrategy, SessionChallengeStore } from 'passport-fido2-webauthn'
+
+import { getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { AuthError } from '../errors/auth-error'
+import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
+
+export const store = new SessionChallengeStore()
+
+passport.use(
+  new WebAuthnStrategy(
+    { store },
+    async function verify(id: string, userHandle: Uint8Array, cb) {
+      const user = await getRepository(User).findOne({ where: { id: userHandle.toString() } })
+      if (!user) {
+        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND })
+      }
+      const credential = await getRepository(WebAuthCredential).findOne({
+        where: { credentialId: id, user: { id: user.id } }
+      })
+      if (!credential) {
+        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_CREDENTIAL_NOT_FOUND })
+      }
+
+      return cb(null, user, credential.publicKey)
+    },
+    async function register(user, id, publicKey, cb) {
+      const userObject = await getRepository(User).findOne({ where: { id: user.id.toString() } })
+      const webAuthRepository = getRepository(WebAuthCredential)
+
+      const oldCredential = await webAuthRepository.findOne({
+        where: { user: { id: userObject.id }, publicKey: publicKey }
+      })
+
+      /* TODO publicKey 비교로는 중복된 등록을 막을 수 없다. */
+      if (oldCredential) {
+        await webAuthRepository.delete(oldCredential.id)
+      }
+
+      await webAuthRepository.save({
+        user: userObject,
+        credentialId: id,
+        publicKey,
+        counter: 0
+      })
+
+      return cb(null, userObject)
+    }
+  )
+)
+
+export async function webAuthnMiddleware(context, next) {
+  return passport.authenticate(
+    'webauthn',
+    { session: true, failureMessage: true, failWithError: true },
+    async (err, user, info) => {
+      if (err || !user) {
+        if (info.errorCode) {
+          throw new AuthError(info)
+        } else {
+          throw new AuthError({
+            errorCode: AuthError.ERROR_CODES.AUTH_ERROR,
+            detail: info
+          })
+        }
+      } else {
+        context.state.user = user
+
+        await next()
+      }
+    }
+  )(context, next)
+}

package/server/router/auth-private-process-router.ts

@@ -41,7 +41,7 @@ authPrivateProcessRouter
     }
   })
   .post('/delete-user', async (context, next) => {
-    const { t } = context
+    const { t, session } = context
     var { user } = context.state
     var { email: userEmail } = user
 
@@ -67,8 +67,15 @@ authPrivateProcessRouter
     clearAccessTokenCookie(context)
   })
   .get('/profile', async (context, next) => {
+    const { t } = context
     const { domain, user, unsafeIP, prohibitedPrivileges } = context.state
 
+    if (!domain) {
+      context.status = 401
+      context.body = t('error.user validation failed')
+      return
+    }
+
     let domains: Partial<Domain>[] = await getUserDomains(user)
     domains = domains.filter((d: Domain) => d.extType == domainType)
 

package/server/router/index.ts

@@ -6,3 +6,4 @@ export * from './oauth2'
 export * from './auth-checkin-router'
 export * from './auth-signin-router'
 export * from './auth-signup-router'
+export * from './webauthn-router'

package/server/router/webauthn-router.ts

@@ -0,0 +1,55 @@
+import util from 'util'
+import Router from 'koa-router'
+
+import { setAccessTokenCookie } from '../utils/access-token-cookie'
+import { store, webAuthnMiddleware } from '../middlewares/webauthn-middleware'
+
+export const webAuthnGlobalPublicRouter = new Router()
+export const webAuthnGlobalPrivateRouter = new Router()
+
+const challengeAsync = util.promisify(store.challenge).bind(store)
+
+webAuthnGlobalPublicRouter.post('/auth/signin-webauthn/challenge', async (context, next) => {
+  const challenge = await challengeAsync({ ...context.request, session: context.session })
+
+  context.body = {
+    challenge: Buffer.from(challenge).toString('base64')
+  }
+})
+
+webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webAuthnMiddleware, async (context, next) => {
+  const { domain, user } = context.state
+  const { request } = context
+  const { body: reqBody } = request
+
+  const token = await user.sign({ subdomain: domain?.subdomain })
+  setAccessTokenCookie(context, token)
+
+  var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
+
+  /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
+  context.body = { redirectURL }
+})
+
+webAuthnGlobalPrivateRouter.post('/auth/register-webauthn/challenge', async (context, next) => {
+  const { user } = context.state
+  const { id, name } = user || {}
+
+  const challenge = await challengeAsync(
+    { ...context.request, session: context.session },
+    {
+      user: {
+        id
+      }
+    }
+  )
+
+  context.body = {
+    user: {
+      id: Buffer.from(id).toString('base64'),
+      name: name,
+      displayName: name
+    },
+    challenge: Buffer.from(challenge).toString('base64')
+  }
+})

package/server/routes.ts

@@ -10,11 +10,12 @@ import {
   oauth2AuthorizeRouter,
   oauth2Router,
   pathBaseDomainRouter,
-  siteRootRouter
+  siteRootRouter,
+  webAuthnGlobalPublicRouter,
+  webAuthnGlobalPrivateRouter
 } from './router'
 
 import { setAccessTokenCookie } from './utils/access-token-cookie'
-import { User } from './service/user/user'
 
 const isPathBaseDomain = !config.get('subdomain') && !config.get('useVirtualHostBasedDomain')
 
@@ -27,7 +28,7 @@ process.on('bootstrap-module-global-public-route' as any, (app, globalPublicRout
     authSigninRouter.get('/auth/sso-signin', app.ssoMiddlewares[0], async context => {
       const { user } = context.state
 
-      const token = user.sign()
+      const token = await user.sign()
       setAccessTokenCookie(context, token)
 
       context.redirect('/auth/checkin')
@@ -41,12 +42,14 @@ process.on('bootstrap-module-global-private-route' as any, (app, globalPrivateRo
   /* globalPrivateRouter based nested-routers */
   globalPrivateRouter.use(authCheckinRouter.routes(), authCheckinRouter.allowedMethods())
   globalPrivateRouter.use(authPrivateProcessRouter.routes(), authPrivateProcessRouter.allowedMethods())
+  globalPrivateRouter.use(webAuthnGlobalPrivateRouter.routes(), webAuthnGlobalPrivateRouter.allowedMethods())
 })
 
 process.on('bootstrap-module-domain-public-route' as any, (app, domainPublicRouter) => {
   /* domainPublicRouter based nested-routers */
   domainPublicRouter.use(authSigninRouter.routes(), authSigninRouter.allowedMethods())
   domainPublicRouter.use(authSignupRouter.routes(), authSignupRouter.allowedMethods())
+  domainPublicRouter.use(webAuthnGlobalPublicRouter.routes(), webAuthnGlobalPublicRouter.allowedMethods())
 
   /* path '/admin/oauth/...' is deprecated. should use path '/oauth/...' for oauth2 related routing */
   domainPublicRouter.use('/oauth', oauth2Router.routes(), oauth2Router.allowedMethods()) // if i use context
@@ -61,11 +64,7 @@ process.on('bootstrap-module-domain-private-route' as any, (app, domainPrivateRo
     // pathBaseDomainRouter는 history-fallback의 경우에 인증 처리를 하기 위한 라우터이다.
     // (보통, URL 링크등을 통해서 domain path URL로 바로 요청하는 경우에 해당한다.)
     // pathBaseDomainRouter는 domain path를 domain-private-router를 사용하는 것을 전제로 한다.
-    domainPrivateRouter.use(
-      '/domain/:domain/oauth',
-      oauth2AuthorizeRouter.routes(),
-      oauth2AuthorizeRouter.allowedMethods()
-    )
+    domainPrivateRouter.use('/domain/:domain/oauth', oauth2AuthorizeRouter.routes(), oauth2AuthorizeRouter.allowedMethods())
     domainPrivateRouter.use('/domain', pathBaseDomainRouter.routes(), pathBaseDomainRouter.allowedMethods())
   }
 

package/server/service/appliance/appliance.ts

@@ -30,7 +30,8 @@ export class Appliance {
   readonly id: string
 
   @ManyToOne(type => Domain)
-  domain: Domain
+  @Field(type => Domain)
+  domain?: Domain
 
   @RelationId((appliance: Appliance) => appliance.domain)
   domainId: string
@@ -71,8 +72,8 @@ export class Appliance {
       DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
         ? 'longtext'
         : DATABASE_TYPE == 'oracle'
-        ? 'clob'
-        : 'varchar'
+          ? 'clob'
+          : 'varchar'
   })
   @Field({ nullable: true })
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')

package/server/service/application/application.ts

@@ -54,6 +54,7 @@ export class Application {
   readonly id?: string
 
   @ManyToOne(type => Domain)
+  @Field(type => Domain)
   domain?: Domain
 
   @RelationId((application: Application) => application.domain)
@@ -97,8 +98,8 @@ export class Application {
       DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
         ? 'longtext'
         : DATABASE_TYPE == 'oracle'
-        ? 'clob'
-        : 'varchar'
+          ? 'clob'
+          : 'varchar'
   })
   @Field({ nullable: true })
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
@@ -113,8 +114,8 @@ export class Application {
       DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
         ? 'enum'
         : DATABASE_TYPE == 'oracle'
-        ? 'varchar2'
-        : 'smallint',
+          ? 'varchar2'
+          : 'smallint',
     enum: ApplicationType,
     default: ApplicationType.OTHERS
   })

package/server/service/auth-provider/auth-provider-parameter-spec.ts

@@ -18,4 +18,7 @@ export class AuthProviderParameterSpec {
 
   @Field(type => ScalarObject, { nullable: true })
   property?: { [key: string]: any }
+
+  @Field(type => ScalarObject, { nullable: true })
+  styles?: { [key: string]: any }
 }

package/server/service/auth-provider/auth-provider-type.ts

@@ -1,11 +1,7 @@
-import type { FileUpload } from 'graphql-upload/GraphQLUpload.js'
-import GraphQLUpload from 'graphql-upload/GraphQLUpload.js'
-import { ObjectType, Field, InputType, Int, ID, registerEnumType } from 'type-graphql'
+import { ObjectType, Field, InputType, Int, ID } from 'type-graphql'
 
-import { ObjectRef, ScalarObject } from '@things-factory/shell'
-
-import { AuthProvider, AuthProviderStatus } from './auth-provider'
-import { AuthProviderParameterSpec } from './auth-provider-parameter-spec'
+import { ScalarObject } from '@things-factory/shell'
+import { AuthProvider } from './auth-provider'
 
 @InputType()
 export class NewAuthProvider {

package/server/service/auth-provider/auth-provider.ts

@@ -1,17 +1,15 @@
 import {
   CreateDateColumn,
   UpdateDateColumn,
-  DeleteDateColumn,
   Entity,
   Index,
   Column,
   RelationId,
   ManyToOne,
   OneToMany,
-  PrimaryGeneratedColumn,
-  VersionColumn
+  PrimaryGeneratedColumn
 } from 'typeorm'
-import { Directive, ObjectType, Field, Int, ID, registerEnumType } from 'type-graphql'
+import { Directive, ObjectType, Field, Int, ID } from 'type-graphql'
 
 import { Domain, ScalarObject, encryptTransformer } from '@things-factory/shell'
 import { User } from '../user/user'
@@ -30,16 +28,6 @@ export type AuthProviderRegistry = {
   [type: string]: AuthProviderImpl
 }
 
-export enum AuthProviderStatus {
-  STATUS_A = 'STATUS_A',
-  STATUS_B = 'STATUS_B'
-}
-
-registerEnumType(AuthProviderStatus, {
-  name: 'AuthProviderStatus',
-  description: 'state enumeration of a authProvider'
-})
-
 @ObjectType()
 export class AuthProviderType {
   @Field()
@@ -75,7 +63,7 @@ export class AuthProvider {
   readonly id: string
 
   @ManyToOne(type => Domain)
-  @Field({ nullable: true })
+  @Field(type => Domain)
   domain?: Domain
 
   @RelationId((authProvider: AuthProvider) => authProvider.domain)
@@ -89,10 +77,6 @@ export class AuthProvider {
   @Field({ nullable: true })
   active?: boolean
 
-  @Column({ nullable: true })
-  @Field({ nullable: true })
-  state?: AuthProviderStatus
-
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
   @Column({ nullable: true })
   @Field({ nullable: true })

package/server/service/granted-role/granted-role.ts

@@ -19,8 +19,8 @@ export class GrantedRole {
   roleId: string
 
   @ManyToOne(type => Domain)
-  @Field()
-  domain: Domain
+  @Field(type => Domain)
+  domain?: Domain
 
   @RelationId((grantedRole: GrantedRole) => grantedRole.domain)
   domainId: string

package/server/service/index.ts

@@ -1,8 +1,5 @@
 /* IMPORT ENTITIES AND RESOLVERS */
-import {
-  entities as UsersAuthProvidersEntities,
-  resolvers as UsersAuthProvidersResolvers
-} from './users-auth-providers'
+import { entities as UsersAuthProvidersEntities, resolvers as UsersAuthProvidersResolvers } from './users-auth-providers'
 import { entities as AuthProviderEntities, resolvers as AuthProviderResolvers } from './auth-provider'
 import { resolvers as AppbindingResolver } from './app-binding'
 import { entities as ApplianceEntities, resolvers as ApplianceResolvers } from './appliance'
@@ -18,6 +15,7 @@ import { privilegeDirectiveResolver, privilegeDirectiveTypeDefs } from './privil
 import { entities as RoleEntities, resolvers as RoleResolvers } from './role'
 import { entities as UserEntities, resolvers as UserResolvers } from './user'
 import { entities as VerificationTokenEntities } from './verification-token'
+import { entities as WebAuthCredentialEntities } from './web-auth-credential'
 
 /* EXPORT ENTITY TYPES */
 export * from './users-auth-providers/users-auth-providers'
@@ -34,6 +32,7 @@ export * from './app-binding/app-binding'
 export * from './password-history/password-history'
 export * from './verification-token/verification-token'
 export * from './login-history/login-history'
+export * from './web-auth-credential/web-auth-credential'
 
 /* EXPORT TYPES */
 export * from './app-binding/app-binding-types'
@@ -60,7 +59,8 @@ export const entities = [
   ...InvitationEntities,
   ...PasswordHistoryEntities,
   ...VerificationTokenEntities,
-  ...LoginHistoryEntities
+  ...LoginHistoryEntities,
+  ...WebAuthCredentialEntities
 ]
 
 export const schema = {

package/server/service/login-history/login-history.ts

@@ -14,14 +14,14 @@ export class LoginHistory {
   readonly id: string
 
   @ManyToOne(type => Domain)
-  @Field()
-  accessDomain: Domain
+  @Field(type => Domain)
+  accessDomain?: Domain
 
   @RelationId((loginHistory: LoginHistory) => loginHistory.accessDomain)
   accessDomainId: string
 
   @ManyToOne(type => User)
-  @Field()
+  @Field(type => User)
   accessUser: User
 
   @RelationId((loginHistory: LoginHistory) => loginHistory.accessUser)

package/server/service/partner/partner.ts

@@ -20,25 +20,25 @@ export class Partner {
   readonly id: string
 
   @ManyToOne(type => Domain)
-  @Field()
-  domain: Domain
+  @Field(type => Domain)
+  domain?: Domain
 
   @RelationId((partner: Partner) => partner.domain)
   domainId: string
 
   @ManyToOne(type => Domain)
-  @Field()
-  partnerDomain: Domain
+  @Field(type => Domain)
+  partnerDomain?: Domain
 
   @RelationId((partner: Partner) => partner.partnerDomain)
   partnerDomainId: string
 
   @CreateDateColumn()
-  @Field()
+  @Field({ nullable: true })
   requestedAt: Date
 
   @UpdateDateColumn()
-  @Field()
+  @Field({ nullable: true })
   approvedAt: Date
 
   @ManyToOne(type => User, { nullable: true })

package/server/service/role/role.ts

@@ -24,13 +24,14 @@ export class Role {
   readonly id: string
 
   @ManyToOne(type => Domain)
-  domain: Domain
+  @Field(type => Domain)
+  domain?: Domain
 
   @RelationId((role: Role) => role.domain)
   domainId: string
 
   @Column()
-  @Field()
+  @Field({ nullable: true })
   name: string
 
   @ManyToMany(type => User, user => user.roles)