@things-factory/auth-base 8.0.0-beta.0 → 8.0.0-beta.2

package/server/middlewares/jwt-authenticate-middleware.ts

@@ -1,84 +0,0 @@
-import passport from 'koa-passport'
-import { ExtractJwt, Strategy as JWTstrategy } from 'passport-jwt'
-
-import { config } from '@things-factory/env'
-
-import { makeVerificationToken } from '../controllers/utils/make-verification-token'
-import { saveVerificationToken } from '../controllers/utils/save-verification-token'
-import { User, UserStatus } from '../service/user/user'
-import { VerificationTokenType } from '../service/verification-token/verification-token'
-import { clearAccessTokenCookie, getAccessTokenCookie, setAccessTokenCookie } from '../utils/access-token-cookie'
-import { SECRET } from '../utils/get-secret'
-
-const sessionExpiryPolicy = config.get('session/expiryPolicy', 'fixed')
-
-passport.use(
-  new JWTstrategy(
-    {
-      secretOrKey: SECRET,
-      passReqToCallback: true,
-      jwtFromRequest: ExtractJwt.fromExtractors([
-        ExtractJwt.fromAuthHeaderAsBearerToken(),
-        ExtractJwt.fromHeader('authorization'),
-        ExtractJwt.fromHeader('x-access-token'),
-        ExtractJwt.fromUrlQueryParameter('access_token'),
-        ExtractJwt.fromBodyField('access_token'),
-        req => {
-          var token = null
-          token = getAccessTokenCookie(req?.ctx)
-          return token
-        }
-      ])
-    },
-    async (request, decoded, done) => {
-      try {
-        return done(null, decoded)
-      } catch (error) {
-        return done(error)
-      }
-    }
-  )
-)
-
-export async function jwtAuthenticateMiddleware(context, next) {
-  const { path } = context
-  const { user } = context.state
-  if (user) {
-    return await next()
-  }
-
-  return await passport.authenticate('jwt', { session: false }, async (err, decoded, info) => {
-    if (err || !decoded) {
-      const e = (context.state.error = err || info)
-
-      clearAccessTokenCookie(context)
-
-      context.throw(401, e.message)
-    } else {
-      const userEntity = await User.checkAuth(decoded)
-
-      if (userEntity.status === UserStatus.PWD_RESET_REQUIRED) {
-        try {
-          const token = makeVerificationToken()
-          await saveVerificationToken(userEntity.id, token, VerificationTokenType.PASSWORD_RESET)
-          clearAccessTokenCookie(context)
-          context.redirect(`/auth/reset-password?token=${token}`)
-        } catch (e) {
-          throw err
-        }
-      } else {
-        context.state.user = userEntity
-        context.state.decodedToken = decoded
-
-        if (sessionExpiryPolicy == 'rolling') {
-          /* To renew the expiry time on each request, a token is issued and the session is updated. */
-
-          const token = await userEntity.sign()
-          setAccessTokenCookie(context, token)
-        }
-
-        await next()
-      }
-    }
-  })(context, next)
-}

package/server/middlewares/signin-middleware.ts

@@ -1,55 +0,0 @@
-import passport from 'koa-passport'
-import { Strategy as localStrategy } from 'passport-local'
-
-import { signin } from '../controllers/signin'
-
-passport.use(
-  'signin',
-  new localStrategy(
-    {
-      usernameField: 'username',
-      passwordField: 'password'
-    },
-    async (username, password, done) => {
-      try {
-        const {
-          user: userInfo,
-          token,
-          domains
-        } = await signin({
-          username,
-          password
-        })
-
-        return done(
-          null,
-          {
-            user: userInfo,
-            token,
-            domains
-          },
-          {
-            message: 'Logged in Successfully'
-          }
-        )
-      } catch (error) {
-        return done(error)
-      }
-    }
-  )
-)
-
-export async function signinMiddleware(context, next) {
-  return passport.authenticate('signin', { session: false }, async (err, user, info) => {
-    if (err || !user) {
-      throw err
-    } else {
-      const { user: userInfo, token } = user
-
-      context.state.user = userInfo
-      context.state.token = token
-
-      await next()
-    }
-  })(context, next)
-}

package/server/middlewares/webauthn-middleware.ts

@@ -1,126 +0,0 @@
-import passport from 'koa-passport'
-import { Strategy as CustomStrategy } from 'passport-custom'
-
-import { getRepository } from '@things-factory/shell'
-
-import { AuthError } from '../errors/auth-error'
-
-import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
-import { verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server'
-
-import { AuthenticatorAssertionResponse } from '@simplewebauthn/types'
-
-passport.use(
-  'webauthn-register',
-  new CustomStrategy(async (context, done) => {
-    const { body, session, user, hostname, origin } = context as any
-
-    const challenge = session.challenge
-
-    const verification = await verifyRegistrationResponse({
-      response: body,
-      expectedChallenge: challenge,
-      expectedOrigin: origin,
-      expectedRPID: hostname,
-      expectedType: 'webauthn.create',
-      requireUserVerification: false
-    })
-
-    if (verification.verified) {
-      const { registrationInfo } = verification
-      const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64')
-
-      if (user) {
-        const webAuthRepository = getRepository(WebAuthCredential)
-        await webAuthRepository.save({
-          user,
-          credentialId: registrationInfo.credentialID,
-          publicKey,
-          counter: registrationInfo.counter,
-          creator: user,
-          updater: user
-        })
-      }
-
-      return done(null, user)
-    } else {
-      return done(null, false)
-    }
-  })
-)
-
-passport.use(
-  'webauthn-login',
-  new CustomStrategy(async (context, done) => {
-    try {
-      const { body, session, origin, hostname } = context as any
-
-      const challenge = session.challenge
-
-      const assertionResponse = body as {
-        id: string
-        response: AuthenticatorAssertionResponse
-      }
-
-      const credential = await getRepository(WebAuthCredential).findOne({
-        where: {
-          credentialId: assertionResponse.id
-        },
-        relations: ['user']
-      })
-
-      if (!credential) {
-        return done(null, false)
-      }
-
-      const verification = await verifyAuthenticationResponse({
-        response: body,
-        expectedChallenge: challenge,
-        expectedOrigin: origin,
-        expectedRPID: hostname,
-        requireUserVerification: false,
-        authenticator: {
-          credentialID: credential.credentialId,
-          credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
-          counter: credential.counter
-        }
-      })
-
-      if (verification.verified) {
-        const { authenticationInfo } = verification
-        credential.counter = authenticationInfo.newCounter
-        await getRepository(WebAuthCredential).save(credential)
-
-        const user = credential.user
-        return done(null, user)
-      } else {
-        return done(verification, false)
-      }
-    } catch (error) {
-      return done(error, false)
-    }
-  })
-)
-
-export function createWebAuthnMiddleware(strategy: 'webauthn-register' | 'webauthn-login') {
-  return async function webAuthnMiddleware(context, next) {
-    return passport.authenticate(
-      strategy,
-      { session: true, failureMessage: true, failWithError: true },
-      async (err, user) => {
-        if (err || !user) {
-          throw new AuthError({
-            errorCode: AuthError.ERROR_CODES.AUTHN_VERIFICATION_FAILED,
-            detail: err
-          })
-        } else {
-          context.state.user = user
-
-          context.body = { user, verified: true }
-        }
-
-        await next()
-      }
-    )(context, next)
-  }
-}

package/server/migrations/1548206416130-SeedUser.ts

@@ -1,60 +0,0 @@
-import { ILike, MigrationInterface, QueryRunner } from 'typeorm'
-
-import { config, logger } from '@things-factory/env'
-import { Domain, getRepository } from '@things-factory/shell'
-
-import { User, UserStatus } from '../service/user/user'
-
-const ADMIN_ACCOUNT = config.get('adminAccount', {
-  username: 'admin',
-  name: 'Admin',
-  email: 'admin@hatiolab.com',
-  password: 'admin'
-})
-
-const SEED_USERS = [
-  {
-    ...ADMIN_ACCOUNT,
-    userType: 'user',
-    status: UserStatus.ACTIVATED
-  }
-]
-export class SeedUsers1548206416130 implements MigrationInterface {
-  public async up(queryRunner: QueryRunner): Promise<any> {
-    const userRepository = getRepository(User)
-    const domainRepository = getRepository(Domain)
-
-    const domain: Domain = await domainRepository.findOne({ where: { name: 'SYSTEM' } })
-
-    try {
-      for (let i = 0; i < SEED_USERS.length; i++) {
-        const user = SEED_USERS[i]
-        const salt = User.generateSalt()
-        const password = User.encode(user.password, salt)
-
-        await userRepository.save({
-          ...user,
-          salt,
-          password,
-          domains: [domain]
-        })
-      }
-    } catch (e) {
-      logger.error(e)
-    }
-
-    const admin = await userRepository.findOne({ where: { email: ILike(ADMIN_ACCOUNT.email) } })
-    domain.owner = admin.id
-
-    await domainRepository.save(domain)
-  }
-
-  public async down(queryRunner: QueryRunner): Promise<any> {
-    const repository = getRepository(User)
-
-    SEED_USERS.reverse().forEach(async user => {
-      let record = await repository.findOneBy({ email: ILike(user.email) })
-      await repository.remove(record)
-    })
-  }
-}

package/server/migrations/1566805283882-SeedPrivilege.ts

@@ -1,28 +0,0 @@
-import { MigrationInterface, QueryRunner } from 'typeorm'
-
-import { logger } from '@things-factory/env'
-import { getRepository } from '@things-factory/shell'
-
-import { Privilege } from '../service/privilege/privilege'
-
-export class SeedPrivilege1566805283882 implements MigrationInterface {
-  public async up(queryRunner: QueryRunner): Promise<any> {
-    const privilegeRepository = getRepository(Privilege)
-
-    const { schema } = require('@things-factory/shell/dist-server/schema')
-    await schema()
-    const privileges = process['PRIVILEGES']
-
-    try {
-      for (const [category, name] of Object.values(privileges as [string, string])) {
-        if (0 == (await privilegeRepository.count({ where: { category, name } }))) {
-          await privilegeRepository.save({ category, name })
-        }
-      }
-    } catch (e) {
-      logger.error(e)
-    }
-  }
-
-  public async down(queryRunner: QueryRunner): Promise<any> {}
-}

package/server/migrations/index.ts

@@ -1,9 +0,0 @@
-const glob = require('glob')
-const path = require('path')
-
-export var migrations = []
-
-glob.sync(path.resolve(__dirname, '.', '**', '*.js')).forEach(function(file) {
-  if (file.indexOf('index.js') !== -1) return
-  migrations = migrations.concat(Object.values(require(path.resolve(file))) || [])
-})

package/server/router/auth-checkin-router.ts

@@ -1,113 +0,0 @@
-import Router from 'koa-router'
-
-import { config } from '@things-factory/env'
-import { Domain, findSubdomainFromPath, getRedirectSubdomainPath } from '@things-factory/shell'
-
-import { LoginHistory } from '../service/login-history/login-history'
-import { User } from '../service/user/user'
-import { accepts } from '../utils/accepts'
-import { clearAccessTokenCookie } from '../utils/access-token-cookie'
-import { getUserDomains } from '../utils/get-user-domains'
-
-const domainType = config.get('domainType')
-
-export const authCheckinRouter = new Router()
-
-authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
-  const { request, t } = context
-  const header = request.header
-  const { user } = context.state
-  let { subdomain } = context.params
-
-  let domains: Partial<Domain>[] = await getUserDomains(user)
-  if (domainType) domains = domains.filter(d => d.extType == domainType)
-
-  if (!accepts(header.accept, ['text/html', '*/*'])) {
-    // When request expects non html response
-    try {
-      if (!subdomain) throw new Error(t('error.domain not specified', { subdomain })) // When params doesn't have subdomain
-      const checkInDomain: Partial<Domain> | undefined = domains.find(d => d.subdomain === subdomain) // When no matched domain with subdomain
-      if (!checkInDomain) throw new Error(t('error.domain not specified', { subdomain }))
-
-      await checkIn(checkInDomain, null, context)
-      context.body = true
-    } catch (e) {
-      clearAccessTokenCookie(context)
-      throw e
-    }
-  } else {
-    // When request expects html response
-    const { redirect_to: redirectTo = '/' } = context.query
-
-    try {
-      let message: string
-
-      if (!subdomain) {
-        /* try to find domain from redirectTo path */
-        subdomain = findSubdomainFromPath(context, redirectTo)
-      }
-
-      let checkInDomain: Partial<Domain>
-      if (subdomain) {
-        checkInDomain = domains.find(d => d.subdomain == subdomain)
-        if (!checkInDomain) message = t('error.domain not allowed', { subdomain })
-      } else if (domains.length === 1) {
-        checkInDomain = domains[0]
-      }
-
-      if (checkInDomain) {
-        return await checkIn(checkInDomain, redirectTo, context)
-      }
-
-      await context.render('auth-page', {
-        pageElement: 'auth-checkin',
-        elementScript: '/auth/checkin.js',
-        data: {
-          user: {
-            username: user.username,
-            email: user.email,
-            locale: user.locale,
-            name: user.name,
-            userType: user.userType
-          },
-          domains,
-          domainType,
-          redirectTo,
-          message
-        }
-      })
-    } catch (e) {
-      clearAccessTokenCookie(context)
-      context.redirect(
-        `/auth/signin?username=${encodeURIComponent(user.username)}&redirect_to=${encodeURIComponent(redirectTo)}`
-      )
-    }
-  }
-})
-
-authCheckinRouter.get('/auth/domains', async context => {
-  const { user } = context.state
-  var domains = await getUserDomains(user)
-  if (domainType) {
-    domains = domains.filter(d => d.extType == domainType)
-  }
-
-  context.body = domains
-})
-
-async function checkIn(
-  checkInDomain: Partial<Domain>,
-  redirectTo: string | null,
-  context: ResolverContext
-): Promise<void> {
-  const { user }: { user: User } = context.state
-  const remoteAddress = context.req.headers['x-forwarded-for']
-    ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
-    : context.req.connection.remoteAddress
-
-  await LoginHistory.stamp(checkInDomain, user, remoteAddress)
-
-  if (redirectTo) {
-    return context.redirect(getRedirectSubdomainPath(context, checkInDomain.subdomain, redirectTo))
-  }
-}

package/server/router/auth-private-process-router.ts

@@ -1,114 +0,0 @@
-import { ILike } from 'typeorm'
-import Router from 'koa-router'
-
-import { config } from '@things-factory/env'
-import { Domain, getRepository } from '@things-factory/shell'
-
-import { changePwd } from '../controllers/change-pwd'
-import { deleteUser } from '../controllers/delete-user'
-import { updateProfile } from '../controllers/profile'
-import { User } from '../service/user/user'
-import { clearAccessTokenCookie, setAccessTokenCookie } from '../utils/access-token-cookie'
-import { getUserDomains } from '../utils/get-user-domains'
-
-const domainType = config.get('domainType')
-const languages = config.get('i18n/languages') || []
-
-export const authPrivateProcessRouter = new Router({
-  prefix: '/auth'
-})
-
-authPrivateProcessRouter
-  .post('/change-pass', async (context, next) => {
-    const { t } = context
-    let { current_pass, new_pass, confirm_pass } = context.request.body
-
-    const token = await changePwd(context.state.user, current_pass, new_pass, confirm_pass, context)
-
-    context.body = t('text.password changed successfully')
-
-    setAccessTokenCookie(context, token)
-  })
-  .post('/update-profile', async (context, next) => {
-    const { i18next, t } = context
-    const newProfiles = context.request.body
-    await updateProfile(context.state.user, newProfiles)
-
-    if (newProfiles.locale) {
-      context.body = i18next.getFixedT(newProfiles.locale)('text.profile changed successfully')
-    } else {
-      context.body = t('text.profile changed successfully')
-    }
-  })
-  .post('/delete-user', async (context, next) => {
-    const { t, session } = context
-    var { user } = context.state
-    var { id: userId } = user
-
-    var { password, username } = context.request.body
-
-    const userRepo = getRepository(User)
-
-    var userInfo = await userRepo.findOne({
-      where: { username },
-      relations: ['domains']
-    })
-
-    if (!userInfo && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
-      userInfo = await userRepo.findOne({
-        where: { email: ILike(username) },
-        relations: ['domains']
-      })
-    }
-
-    if (userInfo.id != userId || !User.verify(userInfo.password, password, userInfo.salt)) {
-      context.status = 401
-      context.body = t('error.user validation failed')
-      return
-    }
-
-    await deleteUser(user)
-
-    context.body = t('text.delete account succeed')
-    clearAccessTokenCookie(context)
-  })
-  .get('/profile', async (context, next) => {
-    const { t } = context
-    const { domain, user, unsafeIP, prohibitedPrivileges } = context.state
-
-    if (!domain) {
-      context.status = 401
-      context.body = t('error.user validation failed')
-      return
-    }
-
-    let domains: Partial<Domain>[] = await getUserDomains(user)
-    domains = domains.filter((d: Domain) => d.extType == domainType)
-
-    var privileges = await User.getPrivilegesByDomain(user, domain)
-
-    if (prohibitedPrivileges) {
-      prohibitedPrivileges.forEach(({ category, privilege }) => {
-        privileges = privileges.filter(p => p.category != category || p.privilege != privilege)
-      })
-    }
-
-    context.body = {
-      user: {
-        username: user.username,
-        email: user.email,
-        name: user.name,
-        userType: user.userType,
-        owner: await process.domainOwnerGranted(domain, user),
-        super: await process.superUserGranted(domain, user),
-        unsafeIP,
-        privileges
-      },
-      domains,
-      domain: domain && {
-        name: domain.name,
-        subdomain: domain.subdomain
-      },
-      languages
-    }
-  })