@things-factory/auth-base 8.0.0-alpha.8 → 8.0.0-beta.0

package/dist-server/utils/check-user-has-role.d.ts

@@ -0,0 +1,12 @@
+import { Domain } from '@things-factory/shell';
+import { User } from '../service/user/user';
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+export declare function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean>;

package/dist-server/utils/check-user-has-role.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkUserHasRole = checkUserHasRole;
+const shell_1 = require("@things-factory/shell");
+const user_1 = require("../service/user/user");
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+async function checkUserHasRole(roleId, domain, user) {
+    if (!roleId) {
+        return true;
+    }
+    const me = await (0, shell_1.getRepository)(user_1.User).findOne({
+        where: { id: user.id },
+        relations: ['roles']
+    });
+    return me.roles
+        .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))
+        .map(role => role.id)
+        .includes(roleId);
+}
+//# sourceMappingURL=check-user-has-role.js.map

package/dist-server/utils/check-user-has-role.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-user-has-role.js","sourceRoot":"","sources":["../../server/utils/check-user-has-role.ts"],"names":[],"mappings":";;AAcA,4CAcC;AA5BD,iDAA6D;AAE7D,+CAA2C;AAG3C;;;;;;;;GAQG;AACI,KAAK,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAAc,EAAE,IAAU;IAC/E,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAa,EAAC,WAAI,CAAC,CAAC,OAAO,CAAC;QAC3C,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;QACtB,SAAS,EAAE,CAAC,OAAO,CAAC;KACrB,CAAC,CAAA;IAEF,OAAO,EAAE,CAAC,KAAK;SACZ,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,CAAC,CAAC;SACrG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;SACpB,QAAQ,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC","sourcesContent":["import { Domain, getRepository } from '@things-factory/shell'\n\nimport { User } from '../service/user/user'\nimport { Role } from 'service'\n\n/**\n * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.\n *\n * @param roleId 확인할 역할의 ID\n * @param domain 역할을 확인할 도메인\n * @param user 역할을 확인할 사용자\n *\n * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise\n */\nexport async function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean> {\n  if (!roleId) {\n    return true\n  }\n\n  const me = await getRepository(User).findOne({\n    where: { id: user.id },\n    relations: ['roles']\n  })\n\n  return me.roles\n    .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))\n    .map(role => role.id)\n    .includes(roleId)\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "8.0.0-alpha.8",
+  "version": "8.0.0-beta.0",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -32,10 +32,10 @@
   "dependencies": {
     "@simplewebauthn/browser": "^10.0.0",
     "@simplewebauthn/server": "^10.0.0",
-    "@things-factory/email-base": "^8.0.0-alpha.8",
-    "@things-factory/env": "^8.0.0-alpha.8",
-    "@things-factory/shell": "^8.0.0-alpha.8",
-    "@things-factory/utils": "^8.0.0-alpha.0",
+    "@things-factory/email-base": "^8.0.0-beta.0",
+    "@things-factory/env": "^8.0.0-beta.0",
+    "@things-factory/shell": "^8.0.0-beta.0",
+    "@things-factory/utils": "^8.0.0-beta.0",
     "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
@@ -46,5 +46,5 @@
     "passport-jwt": "^4.0.0",
     "passport-local": "^1.0.0"
   },
-  "gitHead": "0a9fb3ab431934982294b58c743d01b6f782a15f"
+  "gitHead": "add6fb8224b2cb19cbea47bed6a5ecb0424c9a28"
 }

package/server/constants/error-code.ts

@@ -17,4 +17,6 @@ export const PASSWORD_USED_PAST = 'password used in the past'
 export const VERIFICATION_ERROR = 'user or verification token not found'
 export const AUTHN_VERIFICATION_FAILED = 'authn verification failed'
 export const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'
+export const EMAIL_ALREADY_EXISTS = 'email already exists'
+export const USERNAME_ALREADY_EXISTS = 'email already exists'
 export const AUTH_ERROR = 'auth error'

package/server/controllers/change-pwd.ts

@@ -1,4 +1,3 @@
-import { ILike } from 'typeorm'
 import { config } from '@things-factory/env'
 import { getRepository } from '@things-factory/shell'
 
@@ -19,7 +18,8 @@ export async function changePwd(attrs, currentPass, newPass, confirmPass, contex
 
   // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
   const repository = getRepository(User)
-  const user: User = await repository.findOne({ where: { email: ILike(attrs.email) } })
+
+  const user: User = await repository.findOne({ where: { id: attrs.id } })
 
   if (!user) {
     throw new AuthError({
@@ -37,6 +37,7 @@ export async function changePwd(attrs, currentPass, newPass, confirmPass, contex
     throw new AuthError({
       errorCode: PASSWORD_NOT_MATCHED,
       detail: {
+        username: user.username,
         email: user.email,
         failCount: user.failCount
       }

package/server/controllers/delete-user.ts

@@ -8,7 +8,20 @@ export async function deleteUser(attrs, tx?: EntityManager) {
   // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
 
   const repository = tx?.getRepository(User)
-  const user = await repository.findOne({ where: { email: ILike(attrs.email) } })
+  const { username } = attrs
+
+  var user = await repository.findOne({
+    where: { username },
+    relations: ['domains']
+  })
+
+  if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+    user = await repository.findOne({
+      where: { email: ILike(username) },
+      relations: ['domains']
+    })
+  }
+
   if (!user) {
     throw new AuthError({
       errorCode: USER_NOT_FOUND
@@ -19,29 +32,19 @@ export async function deleteUser(attrs, tx?: EntityManager) {
   user.domains = []
 
   await repository.save(user)
-
-  // repository api는 작동하지 않음.
-  // await txManager
-  //   .createQueryBuilder()
-  //   .delete()
-  //   .from('users_domains')
-  //   .where({
-  //     usersId: user.id
-  //   })
-  //   .execute()
 }
 
 export async function deleteUsers(attrs, tx?: EntityManager) {
   // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
   // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
 
-  const { emails } = attrs
+  const { usernames } = attrs
 
   const repo = tx?.getRepository(User)
 
   const users = await repo.find({
     where: {
-      email: In(emails)
+      username: In(usernames)
     }
   })
 

package/server/controllers/invitation.ts

@@ -5,15 +5,27 @@ import { sendEmail } from '@things-factory/email-base'
 import { Domain, getRepository } from '@things-factory/shell'
 
 import { Invitation } from '../service/invitation/invitation'
-import { User } from '../service/user/user'
+import { User, UserStatus } from '../service/user/user'
 import { getInvitationEmailForm } from '../templates/invitation-email'
 import { makeInvitationToken } from './utils/make-invitation-token'
 import { saveInvitationToken } from './utils/save-invitation-token'
 
 export async function invite(attrs, withEmailInvitation?: Boolean) {
-  const { email, reference, type, context } = attrs
+  const { username, reference, type, context } = attrs
+  const repository = getRepository(User)
+
+  var user = await repository.findOne({
+    where: { username },
+    relations: ['domains']
+  })
+
+  if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+    user = await repository.findOne({
+      where: { email: ILike(username) },
+      relations: ['domains']
+    })
+  }
 
-  var user = await getRepository(User).findOne({ where: { email: ILike(email) }, relations: ['domains'] })
   var domains = user.domains
 
   // TODO reference should not be a domain.id (security reason)
@@ -28,6 +40,9 @@ export async function invite(attrs, withEmailInvitation?: Boolean) {
   }
 
   if (withEmailInvitation) {
+    const email = user.email
+
+    // TODO 초대장의 유효기간을 설정할 수 있어야 함.
     var invitation = await getRepository(Invitation).findOneBy({
       email: ILike(email),
       reference,
@@ -44,6 +59,7 @@ export async function invite(attrs, withEmailInvitation?: Boolean) {
 
     return await sendInvitationEmail({
       invitation,
+      user,
       context
     })
   }
@@ -89,7 +105,7 @@ export async function acceptInvitation(token) {
   return true
 }
 
-export async function sendInvitationEmail({ invitation, context }) {
+export async function sendInvitationEmail({ invitation, user, context }) {
   try {
     var token = makeInvitationToken()
     var verifaction = await saveInvitationToken(invitation.id, token)
@@ -101,6 +117,7 @@ export async function sendInvitationEmail({ invitation, context }) {
         receiver: invitation.email,
         subject: 'Invitation',
         content: getInvitationEmailForm({
+          username: user.username,
           email: invitation.email,
           acceptUrl: serviceUrl
         })
@@ -123,10 +140,24 @@ export async function resendInvitationEmail(
     type
   })
 
-  if (!invitation) return false
+  if (!invitation) {
+    throw new Error(`not found invitation.`)
+  }
+
+  var user = await getRepository(User).findOne({
+    where: {
+      email: ILike(email),
+      status: UserStatus.ACTIVATED
+    }
+  })
+
+  if (!user) {
+    throw new Error(`user not found: ${email}`)
+  }
 
   return await sendInvitationEmail({
     invitation,
+    user,
     context
   })
 }

package/server/controllers/profile.ts

@@ -1,3 +1,5 @@
+import { ILike } from 'typeorm'
+
 import { getRepository } from '@things-factory/shell'
 
 import { USER_NOT_FOUND } from '../constants/error-code'
@@ -13,14 +15,39 @@ export async function updateProfile({ id }, newProfiles) {
     })
   }
 
-  /* only 'name', 'email' and 'locale' attributes can be changed */
-  var allowed = ['name', 'email', 'locale']
+  /* only 'username', 'name', 'email' and 'locale' attributes can be changed */
+  var allowed: {
+    username?: string
+    name?: string
+    email?: string
+    locale?: string
+  } = ['username', 'name', 'email', 'locale']
     .filter(attr => attr in newProfiles)
     .reduce((sum, attr) => {
       sum[attr] = newProfiles[attr]
       return sum
     }, {})
 
+  /* check if email and username is unique */
+  if ('email' in allowed) {
+    var found: User = await repository.findOne({ where: { email: ILike(allowed.email) } })
+
+    if (found && found.id != id) {
+      throw new AuthError({
+        errorCode: AuthError.ERROR_CODES.EMAIL_ALREADY_EXISTS
+      })
+    }
+  }
+
+  if ('username' in allowed) {
+    var found: User = await repository.findOne({ where: { username: allowed.username } })
+    if (found && found.id != id) {
+      throw new AuthError({
+        errorCode: AuthError.ERROR_CODES.USERNAME_ALREADY_EXISTS
+      })
+    }
+  }
+
   return await repository.save({
     ...user,
     ...allowed

package/server/controllers/signin.ts

@@ -5,11 +5,26 @@ import { sendUnlockUserEmail } from '../controllers/unlock-user'
 import { AuthError } from '../errors/auth-error'
 import { User, UserStatus } from '../service/user/user'
 
-export async function signin(attrs, context?) {
+export async function signin(attrs: { username: string; password: string }, context?) {
   const { domain } = context?.state || {}
+  const { username } = attrs
 
   const repository = getRepository(User)
-  const user = await repository.findOne({ where: { email: ILike(attrs.email) }, relations: ['domains'] })
+
+  var user = await repository.findOne({
+    where: { username },
+    relations: ['domains']
+  })
+
+  if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+    user = await repository.findOne({
+      where: {
+        email: ILike(username)
+      },
+      relations: ['domains']
+    })
+  }
+
   if (!user)
     throw new AuthError({
       errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND
@@ -29,6 +44,7 @@ export async function signin(attrs, context?) {
     throw new AuthError({
       errorCode: AuthError.ERROR_CODES.USER_LOCKED,
       detail: {
+        username: user.username,
         email: user.email
       }
     })
@@ -46,6 +62,7 @@ export async function signin(attrs, context?) {
       throw new AuthError({
         errorCode: AuthError.ERROR_CODES.USER_LOCKED,
         detail: {
+          username: user.username,
           email: user.email
         }
       })
@@ -53,6 +70,7 @@ export async function signin(attrs, context?) {
     throw new AuthError({
       errorCode: AuthError.ERROR_CODES.PASSWORD_NOT_MATCHED,
       detail: {
+        username: user.username,
         email: user.email,
         failCount: user.failCount
       }
@@ -66,6 +84,7 @@ export async function signin(attrs, context?) {
     throw new AuthError({
       errorCode: AuthError.ERROR_CODES.USER_NOT_ACTIVATED,
       detail: {
+        username: user.username,
         email: user.email
       }
     })

package/server/controllers/signup.ts

@@ -8,19 +8,31 @@ import { signin } from './signin'
 import { sendVerificationEmail } from './verification'
 
 export async function signup(attrs, withEmailVerification?: Boolean) {
-  const { name, email, password, domain, context } = attrs
+  const { name, username, password, domain, context } = attrs
 
   /* check if password is following the rule */
   User.validatePasswordByRule(password, context.lng)
 
   const repository = getRepository(User)
-  const duplicated = await repository.findOneBy({ email: ILike(email) })
+
+  var duplicated = await repository.findOne({
+    where: { username },
+    relations: ['domains']
+  })
+
+  if (!duplicated && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+    user = await repository.findOne({
+      where: { email: ILike(username) },
+      relations: ['domains']
+    })
+  }
+
   if (duplicated) {
     throw new AuthError({
       errorCode: USER_DUPLICATED,
       detail: {
         name,
-        email
+        username
       }
     })
   }
@@ -48,7 +60,7 @@ export async function signup(attrs, withEmailVerification?: Boolean) {
     return {
       token: await signin(
         {
-          email,
+          username,
           password
         },
         { domain }

package/server/controllers/unlock-user.ts

@@ -20,6 +20,7 @@ export async function sendUnlockUserEmail({ user, context }) {
         receiver: user.email,
         subject: 'Your account is locked',
         content: getUnlockUserEmailForm({
+          username: user.username,
           name: user.name,
           resetUrl: serviceUrl
         })

package/server/controllers/verification.ts

@@ -21,6 +21,7 @@ export async function sendVerificationEmail({ user, context }) {
         receiver: user.email,
         subject: 'Verify your email',
         content: getVerificationEmailForm({
+          username: user.username,
           name: user.name,
           verifyUrl: serviceUrl
         })

package/server/index.ts

@@ -17,6 +17,7 @@ export * from './utils/check-user-belongs-domain'
 export * from './utils/access-token-cookie'
 export * from './utils/encrypt-state'
 export * from './utils/check-permission'
+export * from './utils/check-user-has-role'
 
 export * from './errors'
 

package/server/middlewares/signin-middleware.ts

@@ -7,17 +7,17 @@ passport.use(
   'signin',
   new localStrategy(
     {
-      usernameField: 'email',
+      usernameField: 'username',
       passwordField: 'password'
     },
-    async (email, password, done) => {
+    async (username, password, done) => {
       try {
         const {
           user: userInfo,
           token,
           domains
         } = await signin({
-          email,
+          username,
           password
         })
 

package/server/middlewares/webauthn-middleware.ts

@@ -3,7 +3,6 @@ import { Strategy as CustomStrategy } from 'passport-custom'
 
 import { getRepository } from '@things-factory/shell'
 
-import { User } from '../service/user/user'
 import { AuthError } from '../errors/auth-error'
 
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
@@ -57,23 +56,23 @@ passport.use(
       const { body, session, origin, hostname } = context as any
 
       const challenge = session.challenge
-  
+
       const assertionResponse = body as {
         id: string
         response: AuthenticatorAssertionResponse
       }
-  
+
       const credential = await getRepository(WebAuthCredential).findOne({
         where: {
           credentialId: assertionResponse.id
         },
         relations: ['user']
       })
-  
+
       if (!credential) {
         return done(null, false)
       }
-  
+
       const verification = await verifyAuthenticationResponse({
         response: body,
         expectedChallenge: challenge,
@@ -86,18 +85,18 @@ passport.use(
           counter: credential.counter
         }
       })
-  
+
       if (verification.verified) {
         const { authenticationInfo } = verification
         credential.counter = authenticationInfo.newCounter
         await getRepository(WebAuthCredential).save(credential)
-  
+
         const user = credential.user
         return done(null, user)
       } else {
         return done(verification, false)
       }
-    } catch(error) {
+    } catch (error) {
       return done(error, false)
     }
   })

package/server/migrations/1548206416130-SeedUser.ts

@@ -6,6 +6,7 @@ import { Domain, getRepository } from '@things-factory/shell'
 import { User, UserStatus } from '../service/user/user'
 
 const ADMIN_ACCOUNT = config.get('adminAccount', {
+  username: 'admin',
   name: 'Admin',
   email: 'admin@hatiolab.com',
   password: 'admin'
@@ -42,7 +43,7 @@ export class SeedUsers1548206416130 implements MigrationInterface {
       logger.error(e)
     }
 
-    const admin = await userRepository.findOne({ where: { email: ILike('admin@hatiolab.com') } })
+    const admin = await userRepository.findOne({ where: { email: ILike(ADMIN_ACCOUNT.email) } })
     domain.owner = admin.id
 
     await domainRepository.save(domain)

package/server/router/auth-checkin-router.ts

@@ -63,7 +63,13 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
         pageElement: 'auth-checkin',
         elementScript: '/auth/checkin.js',
         data: {
-          user: { email: user.email, locale: user.locale, name: user.name, userType: user.userType },
+          user: {
+            username: user.username,
+            email: user.email,
+            locale: user.locale,
+            name: user.name,
+            userType: user.userType
+          },
           domains,
           domainType,
           redirectTo,
@@ -73,7 +79,7 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
     } catch (e) {
       clearAccessTokenCookie(context)
       context.redirect(
-        `/auth/signin?email=${encodeURIComponent(user.email)}&redirect_to=${encodeURIComponent(redirectTo)}`
+        `/auth/signin?username=${encodeURIComponent(user.username)}&redirect_to=${encodeURIComponent(redirectTo)}`
       )
     }
   }
@@ -95,9 +101,9 @@ async function checkIn(
   context: ResolverContext
 ): Promise<void> {
   const { user }: { user: User } = context.state
-  const remoteAddress = context.req.headers['x-forwarded-for'] 
-  ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
-  : context.req.connection.remoteAddress
+  const remoteAddress = context.req.headers['x-forwarded-for']
+    ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
+    : context.req.connection.remoteAddress
 
   await LoginHistory.stamp(checkInDomain, user, remoteAddress)
 

package/server/router/auth-private-process-router.ts

@@ -43,19 +43,25 @@ authPrivateProcessRouter
   .post('/delete-user', async (context, next) => {
     const { t, session } = context
     var { user } = context.state
-    var { email: userEmail } = user
+    var { id: userId } = user
 
-    var { password, email } = context.request.body
+    var { password, username } = context.request.body
 
     const userRepo = getRepository(User)
-    const userInfo = await userRepo.findOne({
-      where: {
-        email: ILike(userEmail)
-      },
+
+    var userInfo = await userRepo.findOne({
+      where: { username },
       relations: ['domains']
     })
 
-    if (email != userEmail || !User.verify(userInfo.password, password, userInfo.salt)) {
+    if (!userInfo && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      userInfo = await userRepo.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
+    if (userInfo.id != userId || !User.verify(userInfo.password, password, userInfo.salt)) {
       context.status = 401
       context.body = t('error.user validation failed')
       return
@@ -89,6 +95,7 @@ authPrivateProcessRouter
 
     context.body = {
       user: {
+        username: user.username,
         email: user.email,
         name: user.name,
         userType: user.userType,