@things-factory/auth-base 8.0.0-alpha.2 → 8.0.0-alpha.22

package/dist-server/utils/check-user-has-role.d.ts

@@ -0,0 +1,12 @@
+import { Domain } from '@things-factory/shell';
+import { User } from '../service/user/user';
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+export declare function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean>;

package/dist-server/utils/check-user-has-role.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkUserHasRole = checkUserHasRole;
+const shell_1 = require("@things-factory/shell");
+const user_1 = require("../service/user/user");
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+async function checkUserHasRole(roleId, domain, user) {
+    if (!roleId) {
+        return true;
+    }
+    const me = await (0, shell_1.getRepository)(user_1.User).findOne({
+        where: { id: user.id },
+        relations: ['roles']
+    });
+    return me.roles
+        .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))
+        .map(role => role.id)
+        .includes(roleId);
+}
+//# sourceMappingURL=check-user-has-role.js.map

package/dist-server/utils/check-user-has-role.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-user-has-role.js","sourceRoot":"","sources":["../../server/utils/check-user-has-role.ts"],"names":[],"mappings":";;AAcA,4CAcC;AA5BD,iDAA6D;AAE7D,+CAA2C;AAG3C;;;;;;;;GAQG;AACI,KAAK,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAAc,EAAE,IAAU;IAC/E,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAa,EAAC,WAAI,CAAC,CAAC,OAAO,CAAC;QAC3C,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;QACtB,SAAS,EAAE,CAAC,OAAO,CAAC;KACrB,CAAC,CAAA;IAEF,OAAO,EAAE,CAAC,KAAK;SACZ,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,CAAC,CAAC;SACrG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;SACpB,QAAQ,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC","sourcesContent":["import { Domain, getRepository } from '@things-factory/shell'\n\nimport { User } from '../service/user/user'\nimport { Role } from 'service'\n\n/**\n * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.\n *\n * @param roleId 확인할 역할의 ID\n * @param domain 역할을 확인할 도메인\n * @param user 역할을 확인할 사용자\n *\n * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise\n */\nexport async function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean> {\n  if (!roleId) {\n    return true\n  }\n\n  const me = await getRepository(User).findOne({\n    where: { id: user.id },\n    relations: ['roles']\n  })\n\n  return me.roles\n    .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))\n    .map(role => role.id)\n    .includes(roleId)\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "8.0.0-alpha.2",
+  "version": "8.0.0-alpha.22",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -32,10 +32,10 @@
   "dependencies": {
     "@simplewebauthn/browser": "^10.0.0",
     "@simplewebauthn/server": "^10.0.0",
-    "@things-factory/email-base": "^8.0.0-alpha.2",
-    "@things-factory/env": "^8.0.0-alpha.0",
-    "@things-factory/shell": "^8.0.0-alpha.2",
-    "@things-factory/utils": "^8.0.0-alpha.0",
+    "@things-factory/email-base": "^8.0.0-alpha.22",
+    "@things-factory/env": "^8.0.0-alpha.8",
+    "@things-factory/shell": "^8.0.0-alpha.22",
+    "@things-factory/utils": "^8.0.0-alpha.14",
     "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
@@ -46,5 +46,5 @@
     "passport-jwt": "^4.0.0",
     "passport-local": "^1.0.0"
   },
-  "gitHead": "9599f03becd1263f0c6d7c1138b82180036f7dbf"
+  "gitHead": "27cd29ef5f60c8fc8a177dd52eb0f4979b463991"
 }

package/server/index.ts

@@ -17,6 +17,7 @@ export * from './utils/check-user-belongs-domain'
 export * from './utils/access-token-cookie'
 export * from './utils/encrypt-state'
 export * from './utils/check-permission'
+export * from './utils/check-user-has-role'
 
 export * from './errors'
 

package/server/middlewares/webauthn-middleware.ts

@@ -3,7 +3,6 @@ import { Strategy as CustomStrategy } from 'passport-custom'
 
 import { getRepository } from '@things-factory/shell'
 
-import { User } from '../service/user/user'
 import { AuthError } from '../errors/auth-error'
 
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
@@ -57,23 +56,23 @@ passport.use(
       const { body, session, origin, hostname } = context as any
 
       const challenge = session.challenge
-  
+
       const assertionResponse = body as {
         id: string
         response: AuthenticatorAssertionResponse
       }
-  
+
       const credential = await getRepository(WebAuthCredential).findOne({
         where: {
           credentialId: assertionResponse.id
         },
         relations: ['user']
       })
-  
+
       if (!credential) {
         return done(null, false)
       }
-  
+
       const verification = await verifyAuthenticationResponse({
         response: body,
         expectedChallenge: challenge,
@@ -86,18 +85,18 @@ passport.use(
           counter: credential.counter
         }
       })
-  
+
       if (verification.verified) {
         const { authenticationInfo } = verification
         credential.counter = authenticationInfo.newCounter
         await getRepository(WebAuthCredential).save(credential)
-  
+
         const user = credential.user
         return done(null, user)
       } else {
         return done(verification, false)
       }
-    } catch(error) {
+    } catch (error) {
       return done(error, false)
     }
   })

package/server/router/webauthn-router.ts

@@ -5,17 +5,75 @@ import { appPackage } from '@things-factory/env'
 import { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'
 
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
-import {
-  PublicKeyCredentialCreationOptionsJSON,
-} from '@simplewebauthn/server/script/deps'
+import { PublicKeyCredentialCreationOptionsJSON } from '@simplewebauthn/server/script/deps'
 import { setAccessTokenCookie } from '../utils/access-token-cookie'
-import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware';
+import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware'
 
 export const webAuthnGlobalPublicRouter = new Router()
 export const webAuthnGlobalPrivateRouter = new Router()
 
 const { name: rpName } = appPackage as any
 
+// Generate authentication challenge for the currently logged-in user
+webAuthnGlobalPrivateRouter.get('/auth/verify-webauthn/challenge', async (context, next) => {
+  const { user } = context.state
+  const rpID = context.hostname
+
+  if (!user) {
+    context.status = 401
+    context.body = { error: 'User not authenticated' }
+    return
+  }
+
+  const webAuthCredentials = await getRepository(WebAuthCredential).find({
+    where: { user: { id: user.id } }
+  })
+
+  if (webAuthCredentials.length === 0) {
+    context.status = 400
+    context.body = { error: 'No biometric credentials registered for this user' }
+    return
+  }
+
+  const options = await generateAuthenticationOptions({
+    rpID,
+    userVerification: 'preferred',
+    allowCredentials: webAuthCredentials.map(credential => ({
+      id: credential.credentialId,
+      type: 'public-key'
+    }))
+  })
+
+  context.session.challenge = options.challenge
+  context.body = options
+})
+
+// Verify biometric authentication
+webAuthnGlobalPrivateRouter.post(
+  '/auth/verify-webauthn',
+  /* reuse webauthn-login as webauthn-verify strategy */
+  createWebAuthnMiddleware('webauthn-login'),
+  async (context, next) => {
+    const { user } = context.state
+    const { request } = context
+    const { body: reqBody } = request
+
+    if (!user) {
+      context.status = 401
+      context.body = { verified: false, message: 'User not authenticated' }
+      return
+    }
+
+    context.body = {
+      verified: true,
+      message: 'Biometric authentication successful'
+    }
+
+    await next()
+  }
+)
+
+// Generate registration challenge for the currently logged-in user
 webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {
   const { user } = context.state
   const rpID = context.hostname
@@ -53,8 +111,10 @@ webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (cont
   context.body = options
 })
 
-webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'));
+// Verify registration
+webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'))
 
+// Generate sign-in challenge
 webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {
   const rpID = context.hostname
 
@@ -67,10 +127,12 @@ webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context
   context.body = options
 })
 
+// Sign in with biometric authentication
 webAuthnGlobalPublicRouter.post(
-  '/auth/signin-webauthn', createWebAuthnMiddleware('webauthn-login'),
+  '/auth/signin-webauthn',
+  createWebAuthnMiddleware('webauthn-login'),
   async (context, next) => {
-    const { domain, user } = context. state
+    const { domain, user } = context.state
     const { request } = context
     const { body: reqBody } = request
 
@@ -79,9 +141,9 @@ webAuthnGlobalPublicRouter.post(
 
     var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
 
-    /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
+    /* Due to the two-step interaction, it will be processed by fetch(...) in the browser, so it cannot be handled with a redirect(3xx) response. Therefore, respond with redirectURL as data. */
     context.body = { redirectURL, verified: true }
 
-    await next();
+    await next()
   }
 )

package/server/utils/check-user-has-role.ts

@@ -0,0 +1,29 @@
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { Role } from 'service'
+
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+export async function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean> {
+  if (!roleId) {
+    return true
+  }
+
+  const me = await getRepository(User).findOne({
+    where: { id: user.id },
+    relations: ['roles']
+  })
+
+  return me.roles
+    .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))
+    .map(role => role.id)
+    .includes(roleId)
+}