@things-factory/auth-base 7.0.1-alpha.81 → 7.0.1-alpha.90

package/dist-server/utils/access-token-cookie.d.ts

@@ -1,3 +1,4 @@
 export declare function getAccessTokenCookie(context: any): any;
 export declare function setAccessTokenCookie(context: any, token: any): void;
+export declare function setSessionAccessToken(context: any): void;
 export declare function clearAccessTokenCookie(context: any): void;

package/dist-server/utils/access-token-cookie.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.clearAccessTokenCookie = exports.setAccessTokenCookie = exports.getAccessTokenCookie = void 0;
+exports.clearAccessTokenCookie = exports.setSessionAccessToken = exports.setAccessTokenCookie = exports.getAccessTokenCookie = void 0;
 const shell_1 = require("@things-factory/shell");
 const env_1 = require("@things-factory/env");
 const max_age_1 = require("../constants/max-age");
@@ -24,6 +24,16 @@ function setAccessTokenCookie(context, token) {
     context.cookies.set(accessTokenCookieKey, token, cookie);
 }
 exports.setAccessTokenCookie = setAccessTokenCookie;
+function setSessionAccessToken(context) {
+    /* koa-session 을 사용하는 경우에는, cookie 직접 설정이 작동되지 않는다. 그런 경우에는 session에 설정해서 cookie를 변경한다. */
+    const { user } = context.state;
+    context.session = {
+        "id": user.id,
+        "userType": user.type,
+        "status": user.state
+    };
+}
+exports.setSessionAccessToken = setSessionAccessToken;
 function clearAccessTokenCookie(context) {
     const { secure } = context;
     var cookie = {

package/dist-server/utils/access-token-cookie.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-token-cookie.js","sourceRoot":"","sources":["../../server/utils/access-token-cookie.ts"],"names":[],"mappings":";;;AAAA,iDAAmE;AACnE,6CAA4C;AAC5C,kDAA8C;AAE9C,MAAM,oBAAoB,GAAG,YAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAA;AAE/E,SAAgB,oBAAoB,CAAC,OAAO;;IAC1C,OAAO,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,OAAO,0CAAE,GAAG,CAAC,oBAAoB,CAAC,CAAA;AACpD,CAAC;AAFD,oDAEC;AAED,SAAgB,oBAAoB,CAAC,OAAO,EAAE,KAAK;IACjD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,iBAAO;KAChB,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;AAC1D,CAAC;AAfD,oDAeC;AAED,SAAgB,sBAAsB,CAAC,OAAO;IAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;KACf,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IACrD;;;OAGG;IACH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;AAC5C,CAAC;AAnBD,wDAmBC","sourcesContent":["import { getCookieDomainFromHostname } from '@things-factory/shell'\nimport { config } from '@things-factory/env'\nimport { MAX_AGE } from '../constants/max-age'\n\nconst accessTokenCookieKey = config.get('accessTokenCookieKey', 'access_token')\n\nexport function getAccessTokenCookie(context) {\n  return context?.cookies?.get(accessTokenCookieKey)\n}\n\nexport function setAccessTokenCookie(context, token) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true,\n    maxAge: MAX_AGE\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, token, cookie)\n}\n\nexport function clearAccessTokenCookie(context) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, '', cookie)\n  /*\n   * TODO clear i18next cookie as well - need to support domain\n   * https://github.com/hatiolab/things-factory/issues/70\n   */\n  context.cookies.set('i18next', '', cookie)\n}\n"]}
+{"version":3,"file":"access-token-cookie.js","sourceRoot":"","sources":["../../server/utils/access-token-cookie.ts"],"names":[],"mappings":";;;AAAA,iDAAmE;AACnE,6CAA4C;AAC5C,kDAA8C;AAE9C,MAAM,oBAAoB,GAAG,YAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAA;AAE/E,SAAgB,oBAAoB,CAAC,OAAO;;IAC1C,OAAO,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,OAAO,0CAAE,GAAG,CAAC,oBAAoB,CAAC,CAAA;AACpD,CAAC;AAFD,oDAEC;AAED,SAAgB,oBAAoB,CAAC,OAAO,EAAE,KAAK;IACjD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,iBAAO;KAChB,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;AAC1D,CAAC;AAfD,oDAeC;AAED,SAAgB,qBAAqB,CAAC,OAAO;IAC3C,0FAA0F;IAC1F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAE9B,OAAO,CAAC,OAAO,GAAG;QAChB,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,QAAQ,EAAE,IAAI,CAAC,KAAK;KACrB,CAAA;AACH,CAAC;AATD,sDASC;AAED,SAAgB,sBAAsB,CAAC,OAAO;IAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAE1B,IAAI,MAAM,GAAG;QACX,MAAM;QACN,QAAQ,EAAE,IAAI;KACf,CAAA;IAED,MAAM,YAAY,GAAG,IAAA,mCAA2B,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClE,IAAI,YAAY,EAAE;QAChB,MAAM,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAA;KAChC;IAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IACrD;;;OAGG;IACH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;AAC5C,CAAC;AAnBD,wDAmBC","sourcesContent":["import { getCookieDomainFromHostname } from '@things-factory/shell'\nimport { config } from '@things-factory/env'\nimport { MAX_AGE } from '../constants/max-age'\n\nconst accessTokenCookieKey = config.get('accessTokenCookieKey', 'access_token')\n\nexport function getAccessTokenCookie(context) {\n  return context?.cookies?.get(accessTokenCookieKey)\n}\n\nexport function setAccessTokenCookie(context, token) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true,\n    maxAge: MAX_AGE\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, token, cookie)\n}\n\nexport function setSessionAccessToken(context) {\n  /* koa-session 을 사용하는 경우에는, cookie 직접 설정이 작동되지 않는다. 그런 경우에는 session에 설정해서 cookie를 변경한다. */\n  const { user } = context.state\n\n  context.session = {\n    \"id\": user.id,\n    \"userType\": user.type,\n    \"status\": user.state\n  }\n}\n\nexport function clearAccessTokenCookie(context) {\n  const { secure } = context\n\n  var cookie = {\n    secure,\n    httpOnly: true\n  }\n\n  const cookieDomain = getCookieDomainFromHostname(context.hostname)\n  if (cookieDomain) {\n    cookie['domain'] = cookieDomain\n  }\n\n  context.cookies.set(accessTokenCookieKey, '', cookie)\n  /*\n   * TODO clear i18next cookie as well - need to support domain\n   * https://github.com/hatiolab/things-factory/issues/70\n   */\n  context.cookies.set('i18next', '', cookie)\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "7.0.1-alpha.81",
+  "version": "7.0.1-alpha.90",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -30,17 +30,20 @@
     "migration:create": "node ../../node_modules/typeorm/cli.js migration:create -d ./server/migrations"
   },
   "dependencies": {
-    "@things-factory/email-base": "^7.0.1-alpha.71",
+    "@things-factory/email-base": "^7.0.1-alpha.90",
     "@things-factory/env": "^7.0.1-alpha.71",
-    "@things-factory/shell": "^7.0.1-alpha.71",
+    "@things-factory/shell": "^7.0.1-alpha.90",
     "@things-factory/utils": "^7.0.1-alpha.71",
+    "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
     "koa-session": "^6.4.0",
     "oauth2orize-koa": "^1.3.2",
+    "passport": "^0.7.0",
+    "passport-fido2-webauthn": "^0.1.0",
     "passport-jwt": "^4.0.0",
     "passport-local": "^1.0.0",
     "popsicle-cookie-jar": "^1.0.0"
   },
-  "gitHead": "a84eff7066765905bf6a19fb61c641814bb7cac6"
+  "gitHead": "79086a82c81dadca6c105a37fa91a2cd34a74183"
 }

package/server/constants/error-code.ts

@@ -15,3 +15,4 @@ export const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'
 export const USER_DUPLICATED = 'user duplicated'
 export const PASSWORD_USED_PAST = 'password used in the past'
 export const VERIFICATION_ERROR = 'user or verification token not found'
+export const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'

package/server/middlewares/authenticate-401-middleware.ts

@@ -15,7 +15,7 @@ export async function authenticate401Middleware(context, next) {
     var message
 
     if (err instanceof AuthError) {
-      message = context.t(`error.${err.errorCode}`, err.detail || {})
+      message = (context.t && context.t(`error.${err.errorCode}`, err.detail || {})) || err.errorCode
     } else {
       if (err?.status !== 401) {
         throw err

package/server/middlewares/index.ts

@@ -20,7 +20,7 @@ export function initMiddlewares(app: any) {
   app.use(
     session(
       {
-        key: accessTokenCookieKey,
+        key: 'tfsession',
         maxAge: MAX_AGE,
         overwrite: true,
         httpOnly: true,
@@ -63,4 +63,5 @@ process.on('bootstrap-module-subscription' as any, (app, subscriptionMiddleware)
 export * from './jwt-authenticate-middleware'
 export * from './domain-authenticate-middleware'
 export * from './signin-middleware'
+export * from './webauthn-middleware'
 export * from './authenticate-401-middleware'

package/server/middlewares/webauthn-middleware.ts

@@ -0,0 +1,68 @@
+import passport from 'koa-passport'
+import { Strategy as WebAuthnStrategy, SessionChallengeStore } from 'passport-fido2-webauthn'
+
+import { getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { AuthError } from '../errors/auth-error'
+import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
+
+export const store = new SessionChallengeStore()
+
+passport.use(
+  new WebAuthnStrategy(
+    { store },
+    async function verify(id: string, userHandle: Uint8Array, cb) {
+      const user = await getRepository(User).findOne({ where: { email: userHandle.toString() } })
+      if (!user) {
+        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND })
+      }
+      const credential = await getRepository(WebAuthCredential).findOne({
+        where: { credentialId: id, user: { id: user.id } }
+      })
+      if (!credential) {
+        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_CREDENTIAL_NOT_FOUND })
+      }
+
+      return cb(null, user, credential.publicKey)
+    },
+    async function register(user, id, publicKey, cb) {
+      const userObject = await getRepository(User).findOne({ where: { email: user.id.toString() } })
+      const webAuthRepository = getRepository(WebAuthCredential)
+
+      const oldCredential = await webAuthRepository.findOne({
+        where: { user: { id: userObject.id }, publicKey: publicKey }
+      })
+
+      /* TODO publicKey 비교로는 중복된 등록을 막을 수 없다. */
+      if (oldCredential) {
+        await webAuthRepository.delete(oldCredential.id)
+      }
+
+      await webAuthRepository.save({
+        user: userObject,
+        credentialId: id,
+        publicKey,
+        counter: 0
+      })
+
+      return cb(null, userObject)
+    }
+  )
+)
+
+export async function webAuthnMiddleware(context, next) {
+  return passport.authenticate(
+    'webauthn',
+    { session: true, failureMessage: true, failWithError: true },
+    async (err, user, info) => {
+      if (err || !user) {
+        throw new AuthError(info)
+      } else {
+        context.state.user = user
+
+        await next()
+      }
+    }
+  )(context, next)
+}

package/server/router/index.ts

@@ -6,3 +6,4 @@ export * from './oauth2'
 export * from './auth-checkin-router'
 export * from './auth-signin-router'
 export * from './auth-signup-router'
+export * from './webauthn-router'

package/server/router/webauthn-router.ts

@@ -0,0 +1,56 @@
+import util from 'util'
+import Router from 'koa-router'
+
+import { accepts } from '../utils/accepts'
+import { setAccessTokenCookie } from '../utils/access-token-cookie'
+import { store, webAuthnMiddleware } from '../middlewares/webauthn-middleware'
+
+export const webAuthnGlobalPublicRouter = new Router()
+export const webAuthnGlobalPrivateRouter = new Router()
+
+const challengeAsync = util.promisify(store.challenge).bind(store)
+
+webAuthnGlobalPublicRouter.post('/auth/signin-webauthn/challenge', async (context, next) => {
+  const challenge = await challengeAsync({ ...context.request, session: context.session })
+
+  context.body = {
+    challenge: Buffer.from(challenge).toString('base64')
+  }
+})
+
+webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webAuthnMiddleware, async (context, next) => {
+  const { domain, user } = context.state
+  const { request } = context
+  const { body: reqBody } = request
+
+  const token = await user.sign({ subdomain: domain?.subdomain })
+  setAccessTokenCookie(context, token)
+
+  var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
+
+  /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
+  context.body = { redirectURL }
+})
+
+webAuthnGlobalPrivateRouter.post('/auth/register-webauthn/challenge', async (context, next) => {
+  const { user } = context.state
+  const { email, name } = user || {}
+
+  const challenge = await challengeAsync(
+    { ...context.request, session: context.session },
+    {
+      user: {
+        id: email
+      }
+    }
+  )
+
+  context.body = {
+    user: {
+      id: Buffer.from(email).toString('base64'),
+      name: name,
+      displayName: name
+    },
+    challenge: Buffer.from(challenge).toString('base64')
+  }
+})

package/server/routes.ts

@@ -10,11 +10,12 @@ import {
   oauth2AuthorizeRouter,
   oauth2Router,
   pathBaseDomainRouter,
-  siteRootRouter
+  siteRootRouter,
+  webAuthnGlobalPublicRouter,
+  webAuthnGlobalPrivateRouter
 } from './router'
 
 import { setAccessTokenCookie } from './utils/access-token-cookie'
-import { User } from './service/user/user'
 
 const isPathBaseDomain = !config.get('subdomain') && !config.get('useVirtualHostBasedDomain')
 
@@ -27,7 +28,7 @@ process.on('bootstrap-module-global-public-route' as any, (app, globalPublicRout
     authSigninRouter.get('/auth/sso-signin', app.ssoMiddlewares[0], async context => {
       const { user } = context.state
 
-      const token = user.sign()
+      const token = await user.sign()
       setAccessTokenCookie(context, token)
 
       context.redirect('/auth/checkin')
@@ -41,12 +42,14 @@ process.on('bootstrap-module-global-private-route' as any, (app, globalPrivateRo
   /* globalPrivateRouter based nested-routers */
   globalPrivateRouter.use(authCheckinRouter.routes(), authCheckinRouter.allowedMethods())
   globalPrivateRouter.use(authPrivateProcessRouter.routes(), authPrivateProcessRouter.allowedMethods())
+  globalPrivateRouter.use(webAuthnGlobalPrivateRouter.routes(), webAuthnGlobalPrivateRouter.allowedMethods())
 })
 
 process.on('bootstrap-module-domain-public-route' as any, (app, domainPublicRouter) => {
   /* domainPublicRouter based nested-routers */
   domainPublicRouter.use(authSigninRouter.routes(), authSigninRouter.allowedMethods())
   domainPublicRouter.use(authSignupRouter.routes(), authSignupRouter.allowedMethods())
+  domainPublicRouter.use(webAuthnGlobalPublicRouter.routes(), webAuthnGlobalPublicRouter.allowedMethods())
 
   /* path '/admin/oauth/...' is deprecated. should use path '/oauth/...' for oauth2 related routing */
   domainPublicRouter.use('/oauth', oauth2Router.routes(), oauth2Router.allowedMethods()) // if i use context
@@ -61,11 +64,7 @@ process.on('bootstrap-module-domain-private-route' as any, (app, domainPrivateRo
     // pathBaseDomainRouter는 history-fallback의 경우에 인증 처리를 하기 위한 라우터이다.
     // (보통, URL 링크등을 통해서 domain path URL로 바로 요청하는 경우에 해당한다.)
     // pathBaseDomainRouter는 domain path를 domain-private-router를 사용하는 것을 전제로 한다.
-    domainPrivateRouter.use(
-      '/domain/:domain/oauth',
-      oauth2AuthorizeRouter.routes(),
-      oauth2AuthorizeRouter.allowedMethods()
-    )
+    domainPrivateRouter.use('/domain/:domain/oauth', oauth2AuthorizeRouter.routes(), oauth2AuthorizeRouter.allowedMethods())
     domainPrivateRouter.use('/domain', pathBaseDomainRouter.routes(), pathBaseDomainRouter.allowedMethods())
   }
 

package/server/service/auth-provider/auth-provider-type.ts

@@ -1,11 +1,7 @@
-import type { FileUpload } from 'graphql-upload/GraphQLUpload.js'
-import GraphQLUpload from 'graphql-upload/GraphQLUpload.js'
-import { ObjectType, Field, InputType, Int, ID, registerEnumType } from 'type-graphql'
+import { ObjectType, Field, InputType, Int, ID } from 'type-graphql'
 
-import { ObjectRef, ScalarObject } from '@things-factory/shell'
-
-import { AuthProvider, AuthProviderStatus } from './auth-provider'
-import { AuthProviderParameterSpec } from './auth-provider-parameter-spec'
+import { ScalarObject } from '@things-factory/shell'
+import { AuthProvider } from './auth-provider'
 
 @InputType()
 export class NewAuthProvider {

package/server/service/auth-provider/auth-provider.ts

@@ -1,17 +1,15 @@
 import {
   CreateDateColumn,
   UpdateDateColumn,
-  DeleteDateColumn,
   Entity,
   Index,
   Column,
   RelationId,
   ManyToOne,
   OneToMany,
-  PrimaryGeneratedColumn,
-  VersionColumn
+  PrimaryGeneratedColumn
 } from 'typeorm'
-import { Directive, ObjectType, Field, Int, ID, registerEnumType } from 'type-graphql'
+import { Directive, ObjectType, Field, Int, ID } from 'type-graphql'
 
 import { Domain, ScalarObject, encryptTransformer } from '@things-factory/shell'
 import { User } from '../user/user'
@@ -30,16 +28,6 @@ export type AuthProviderRegistry = {
   [type: string]: AuthProviderImpl
 }
 
-export enum AuthProviderStatus {
-  STATUS_A = 'STATUS_A',
-  STATUS_B = 'STATUS_B'
-}
-
-registerEnumType(AuthProviderStatus, {
-  name: 'AuthProviderStatus',
-  description: 'state enumeration of a authProvider'
-})
-
 @ObjectType()
 export class AuthProviderType {
   @Field()
@@ -89,10 +77,6 @@ export class AuthProvider {
   @Field({ nullable: true })
   active?: boolean
 
-  @Column({ nullable: true })
-  @Field({ nullable: true })
-  state?: AuthProviderStatus
-
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
   @Column({ nullable: true })
   @Field({ nullable: true })

package/server/service/index.ts

@@ -1,8 +1,5 @@
 /* IMPORT ENTITIES AND RESOLVERS */
-import {
-  entities as UsersAuthProvidersEntities,
-  resolvers as UsersAuthProvidersResolvers
-} from './users-auth-providers'
+import { entities as UsersAuthProvidersEntities, resolvers as UsersAuthProvidersResolvers } from './users-auth-providers'
 import { entities as AuthProviderEntities, resolvers as AuthProviderResolvers } from './auth-provider'
 import { resolvers as AppbindingResolver } from './app-binding'
 import { entities as ApplianceEntities, resolvers as ApplianceResolvers } from './appliance'
@@ -18,6 +15,7 @@ import { privilegeDirectiveResolver, privilegeDirectiveTypeDefs } from './privil
 import { entities as RoleEntities, resolvers as RoleResolvers } from './role'
 import { entities as UserEntities, resolvers as UserResolvers } from './user'
 import { entities as VerificationTokenEntities } from './verification-token'
+import { entities as WebAuthCredentialEntities } from './web-auth-credential'
 
 /* EXPORT ENTITY TYPES */
 export * from './users-auth-providers/users-auth-providers'
@@ -34,6 +32,7 @@ export * from './app-binding/app-binding'
 export * from './password-history/password-history'
 export * from './verification-token/verification-token'
 export * from './login-history/login-history'
+export * from './web-auth-credential/web-auth-credential'
 
 /* EXPORT TYPES */
 export * from './app-binding/app-binding-types'
@@ -60,7 +59,8 @@ export const entities = [
   ...InvitationEntities,
   ...PasswordHistoryEntities,
   ...VerificationTokenEntities,
-  ...LoginHistoryEntities
+  ...LoginHistoryEntities,
+  ...WebAuthCredentialEntities
 ]
 
 export const schema = {

package/server/service/user/user.ts

@@ -12,6 +12,7 @@ import { AuthError } from '../../errors/auth-error'
 import { SECRET } from '../../utils/get-secret'
 import { Role } from '../role/role'
 import { Privilege } from '../privilege/privilege'
+import { WebAuthCredential } from '../web-auth-credential/web-auth-credential'
 import { UsersAuthProviders } from '../users-auth-providers/users-auth-providers'
 import { getDomainsWithPrivilege } from '../../utils/get-user-domains'
 
@@ -31,7 +32,6 @@ export enum UserStatus {
 
 @Entity()
 @Index('ix_user_0', (user: User) => [user.email], { unique: true })
-//@Index('ix_user_1', (user: User) => [user.id], { unique: true })
 @ObjectType()
 export class User {
   @PrimaryGeneratedColumn('uuid')
@@ -39,12 +39,10 @@ export class User {
   readonly id: string
 
   @Column()
-  @Field()
+  @Field({ nullable: true })
   name: string
 
-  @Column({
-    nullable: true
-  })
+  @Column({ nullable: true })
   @Field({ nullable: true })
   description: string
 
@@ -69,22 +67,16 @@ export class User {
   @Field(type => [Role])
   roles?: Role[]
 
-  @Column({
-    nullable: true
-  })
+  @Column({ nullable: true })
   @Field({ nullable: true })
   userType: string // default: 'user', enum: 'user', 'application', 'appliance'
 
-  @Column({
-    nullable: true
-  })
+  @Column({ nullable: true })
   @Field({ nullable: true })
   reference: string
 
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
-  @Column({
-    nullable: true
-  })
+  @Column({ nullable: true })
   salt: string
 
   @Column({ nullable: true })
@@ -104,20 +96,18 @@ export class User {
   @Field(type => String)
   status: UserStatus
 
-  @Column({
-    type: 'smallint',
-    default: 0
-  })
+  @Column({ type: 'smallint', default: 0 })
   failCount: number
 
-  @Column({
-    nullable: true
-  })
+  @Column({ nullable: true })
   passwordUpdatedAt: Date
 
   @Field({ nullable: true })
   owner: boolean /* should not be a column */
 
+  @OneToMany(() => WebAuthCredential, credential => credential.user)
+  credentials: WebAuthCredential[]
+
   @OneToMany(() => UsersAuthProviders, usersAuthProviders => usersAuthProviders.user)
   @Field(type => [UsersAuthProviders], { nullable: true })
   usersAuthProviders: UsersAuthProviders[]
@@ -252,7 +242,7 @@ export class User {
     const repository = getRepository(User)
     var user = await repository.findOne({
       where: { id: decoded.id },
-      relations: ['domains'],
+      relations: ['domains', 'credentials'],
       cache: true
     })
 

package/server/service/web-auth-credential/index.ts

@@ -0,0 +1,3 @@
+import { WebAuthCredential } from './web-auth-credential'
+
+export const entities = [WebAuthCredential]

package/server/service/web-auth-credential/web-auth-credential.ts

@@ -0,0 +1,66 @@
+import { Field, ID } from 'type-graphql'
+import {
+  CreateDateColumn,
+  UpdateDateColumn,
+  Entity,
+  Index,
+  Column,
+  RelationId,
+  ManyToOne,
+  PrimaryGeneratedColumn
+} from 'typeorm'
+
+import { User } from '../user/user'
+
+@Entity()
+@Index(
+  'ix_web_auth_credential_0',
+  (webAuthCredential: WebAuthCredential) => [webAuthCredential.user, webAuthCredential.credentialId],
+  { unique: true }
+)
+export class WebAuthCredential {
+  @PrimaryGeneratedColumn('uuid')
+  @Field(type => ID)
+  readonly id: string
+
+  @ManyToOne(type => User, { nullable: true })
+  @Field(type => User, { nullable: true })
+  user?: User
+
+  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.user)
+  userId?: string
+
+  @Column()
+  @Field({ nullable: true })
+  credentialId: string
+
+  @Column()
+  @Field({ nullable: true })
+  publicKey: string
+
+  @Column()
+  @Field({ nullable: true })
+  counter: number
+
+  @CreateDateColumn()
+  @Field({ nullable: true })
+  createdAt?: Date
+
+  @UpdateDateColumn()
+  @Field({ nullable: true })
+  updatedAt?: Date
+
+  @ManyToOne(type => User, { nullable: true })
+  @Field(type => User, { nullable: true })
+  creator?: User
+
+  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.creator)
+  creatorId?: string
+
+  @ManyToOne(type => User, { nullable: true })
+  @Field(type => User, { nullable: true })
+  updater?: User
+
+  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.updater)
+  updaterId?: string
+}

package/server/utils/access-token-cookie.ts

@@ -25,6 +25,17 @@ export function setAccessTokenCookie(context, token) {
   context.cookies.set(accessTokenCookieKey, token, cookie)
 }
 
+export function setSessionAccessToken(context) {
+  /* koa-session 을 사용하는 경우에는, cookie 직접 설정이 작동되지 않는다. 그런 경우에는 session에 설정해서 cookie를 변경한다. */
+  const { user } = context.state
+
+  context.session = {
+    "id": user.id,
+    "userType": user.type,
+    "status": user.state
+  }
+}
+
 export function clearAccessTokenCookie(context) {
   const { secure } = context
 

package/translations/en.json

@@ -1,4 +1,20 @@
 {
+  "error.confirm password not matched": "new password and confirm password is not matched",
+  "error.domain mismatch": "certificate is not for this domain",
+  "error.domain not allowed": "user not allowed domain `{subdomain}`",
+  "error.failed to find x": "failed to find {x}",
+  "error.password should match the rule": "password should match following rule. ${rule}",
+  "error.password used in the past": "password used in the past",
+  "error.subdomain not found": "domain not found",
+  "error.token or password is invalid": "token or password is invalid",
+  "error.unavailable-domain": "unavailable domain",
+  "error.user credential not found": "user credential not found. To use biometric authentication, you need to register your device first.",
+  "error.user duplicated": "user duplicated",
+  "error.user not activated": "user is not activated",
+  "error.user not found": "user not found",
+  "error.user or verification token not found": "user or verification token not found",
+  "error.user validation failed": "user validation failed",
+  "error.x is not a member of y": "{x} is not a member of {y}",
   "field.active": "active",
   "field.appliance_id": "appliance id",
   "field.brand": "brand",
@@ -13,43 +29,29 @@
   "field.user_account": "user account",
   "field.user_type": "user type",
   "label.partner": "partner",
+  "privilege.category.system": "system setting",
+  "privilege.description": "to {name} {category} data",
+  "privilege.name.mutation": "edit",
+  "privilege.name.query": "read",
   "text.account is reactivated": "account is reactivated",
   "text.delete account succeed": "delete account succeed",
   "text.inactive user": "inactive user",
   "text.invalid verification token": "invalid verification token",
   "text.invitation email sent": "invitation email sent",
-  "text.pattern_minimum_charaters": "minimum {length} charaters",
-  "text.pattern_atleast_1_lowercase": "at least 1 lowercase character",
-  "text.pattern_atleast_1_uppercase": "at least 1 uppercase character",
+  "text.password changed successfully": "password changed successfully",
+  "text.password reset email sent": "password reset email sent",
+  "text.password reset succeed": "password reset succeed",
   "text.pattern_atleast_1_digit": "at least 1 digit character",
+  "text.pattern_atleast_1_lowercase": "at least 1 lowercase character",
   "text.pattern_atleast_1_special": "at least 1 special character(!@#$%^&*())",
+  "text.pattern_atleast_1_uppercase": "at least 1 uppercase character",
+  "text.pattern_minimum_charaters": "minimum {length} charaters",
   "text.pattern_not_allowed": "not allowed repeated charater",
-  "text.password reset succeed": "password reset succeed",
-  "text.password changed successfully": "password changed successfully",
   "text.profile changed successfully": "profile changed successfully",
   "text.result": "result",
   "text.signout successfully": "signout successfully",
-  "text.user registered successfully": "user registered successfully. find your email to activate account",
   "text.user activated successfully": "user activated successfully",
-  "text.password reset email sent": "password reset email sent",
-  "text.verification email sent": "verification email sent",
-  "error.confirm password not matched": "new password and confirm password is not matched",
-  "error.domain not allowed": "user not allowed domain `{subdomain}`",
-  "error.domain mismatch": "certificate is not for this domain",
-  "error.failed to find x": "failed to find {x}",
-  "error.password should match the rule": "password should match following rule. ${rule}",
-  "error.password used in the past": "password used in the past",
-  "error.subdomain not found": "domain not found",
-  "error.token or password is invalid": "token or password is invalid",
-  "error.unavailable-domain": "unavailable domain",
-  "error.user not found": "user not found",
-  "error.user duplicated": "user duplicated",
-  "error.user or verification token not found": "user or verification token not found",
-  "error.user validation failed": "user validation failed",
-  "error.user not activated": "user is not activated",
-  "error.x is not a member of y": "{x} is not a member of {y}",
-  "privilege.category.system": "system setting",
-  "privilege.description": "to {name} {category} data",
-  "privilege.name.mutation": "edit",
-  "privilege.name.query": "read"
+  "text.user credential registered successfully": "device registration has been successfully completed. You can now use biometric authentication.",
+  "text.user registered successfully": "user registered successfully. find your email to activate account",
+  "text.verification email sent": "verification email sent"
 }