@things-factory/auth-base 8.0.0-beta.1 → 8.0.0-beta.2

package/server/router/webauthn-router.ts

@@ -1,149 +0,0 @@
-import Router from 'koa-router'
-import { getRepository } from '@things-factory/shell'
-import { appPackage } from '@things-factory/env'
-
-import { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'
-
-import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
-import { PublicKeyCredentialCreationOptionsJSON } from '@simplewebauthn/server/script/deps'
-import { setAccessTokenCookie } from '../utils/access-token-cookie'
-import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware'
-
-export const webAuthnGlobalPublicRouter = new Router()
-export const webAuthnGlobalPrivateRouter = new Router()
-
-const { name: rpName } = appPackage as any
-
-// Generate authentication challenge for the currently logged-in user
-webAuthnGlobalPrivateRouter.get('/auth/verify-webauthn/challenge', async (context, next) => {
-  const { user } = context.state
-  const rpID = context.hostname
-
-  if (!user) {
-    context.status = 401
-    context.body = { error: 'User not authenticated' }
-    return
-  }
-
-  const webAuthCredentials = await getRepository(WebAuthCredential).find({
-    where: { user: { id: user.id } }
-  })
-
-  if (webAuthCredentials.length === 0) {
-    context.status = 400
-    context.body = { error: 'No biometric credentials registered for this user' }
-    return
-  }
-
-  const options = await generateAuthenticationOptions({
-    rpID,
-    userVerification: 'preferred',
-    allowCredentials: webAuthCredentials.map(credential => ({
-      id: credential.credentialId,
-      type: 'public-key'
-    }))
-  })
-
-  context.session.challenge = options.challenge
-  context.body = options
-})
-
-// Verify biometric authentication
-webAuthnGlobalPrivateRouter.post(
-  '/auth/verify-webauthn',
-  /* reuse webauthn-login as webauthn-verify strategy */
-  createWebAuthnMiddleware('webauthn-login'),
-  async (context, next) => {
-    const { user } = context.state
-    const { request } = context
-    const { body: reqBody } = request
-
-    if (!user) {
-      context.status = 401
-      context.body = { verified: false, message: 'User not authenticated' }
-      return
-    }
-
-    context.body = {
-      verified: true,
-      message: 'Biometric authentication successful'
-    }
-
-    await next()
-  }
-)
-
-// Generate registration challenge for the currently logged-in user
-webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {
-  const { user } = context.state
-  const rpID = context.hostname
-
-  const webAuthCredentials = await getRepository(WebAuthCredential).find({
-    where: {
-      user: { id: user.id }
-    }
-  })
-
-  const options: PublicKeyCredentialCreationOptionsJSON = await generateRegistrationOptions({
-    rpName,
-    rpID,
-    userName: user.email,
-    userDisplayName: user.name,
-    // Don't prompt users for additional information about the authenticator
-    // (Recommended for smoother UX)
-    attestationType: 'none',
-    // Prevent users from re-registering existing authenticators
-    excludeCredentials: webAuthCredentials.map(credential => ({
-      id: credential.credentialId
-      // Optional
-      // transports: credential.transports
-    })),
-    authenticatorSelection: {
-      // Defaults
-      residentKey: 'preferred',
-      userVerification: 'preferred',
-      // Optional
-      authenticatorAttachment: 'platform'
-    }
-  })
-
-  context.session.challenge = options.challenge
-  context.body = options
-})
-
-// Verify registration
-webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'))
-
-// Generate sign-in challenge
-webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {
-  const rpID = context.hostname
-
-  const options = await generateAuthenticationOptions({
-    rpID,
-    userVerification: 'preferred'
-  })
-
-  context.session.challenge = options.challenge
-  context.body = options
-})
-
-// Sign in with biometric authentication
-webAuthnGlobalPublicRouter.post(
-  '/auth/signin-webauthn',
-  createWebAuthnMiddleware('webauthn-login'),
-  async (context, next) => {
-    const { domain, user } = context.state
-    const { request } = context
-    const { body: reqBody } = request
-
-    const token = await user.sign({ subdomain: domain?.subdomain })
-    setAccessTokenCookie(context, token)
-
-    var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
-
-    /* Due to the two-step interaction, it will be processed by fetch(...) in the browser, so it cannot be handled with a redirect(3xx) response. Therefore, respond with redirectURL as data. */
-    context.body = { redirectURL, verified: true }
-
-    await next()
-  }
-)

package/server/routes.ts

@@ -1,80 +0,0 @@
-import { config } from '@things-factory/env'
-
-import { domainAuthenticateMiddleware, jwtAuthenticateMiddleware } from './middlewares'
-import {
-  authCheckinRouter,
-  authPrivateProcessRouter,
-  authPublicProcessRouter,
-  authSigninRouter,
-  authSignupRouter,
-  oauth2AuthorizeRouter,
-  oauth2Router,
-  pathBaseDomainRouter,
-  siteRootRouter,
-  webAuthnGlobalPublicRouter,
-  webAuthnGlobalPrivateRouter
-} from './router'
-
-import { setAccessTokenCookie } from './utils/access-token-cookie'
-
-const isPathBaseDomain = !config.get('subdomain') && !config.get('useVirtualHostBasedDomain')
-
-process.on('bootstrap-module-global-public-route' as any, (app, globalPublicRouter) => {
-  globalPublicRouter.use(siteRootRouter.routes(), siteRootRouter.allowedMethods())
-  globalPublicRouter.use(authPublicProcessRouter.routes(), authPublicProcessRouter.allowedMethods())
-
-  /* ssoMiddleware가 정의되어있다면, /auth/sso-signin 패스를 활성화한다. */
-  if (app.ssoMiddlewares.length > 0) {
-    authSigninRouter.get('/auth/sso-signin', app.ssoMiddlewares[0], async context => {
-      const { user } = context.state
-
-      const token = await user.sign()
-      setAccessTokenCookie(context, token)
-
-      context.redirect('/auth/checkin')
-    })
-  }
-})
-
-process.on('bootstrap-module-global-private-route' as any, (app, globalPrivateRouter) => {
-  globalPrivateRouter.use(jwtAuthenticateMiddleware)
-
-  /* globalPrivateRouter based nested-routers */
-  globalPrivateRouter.use(authCheckinRouter.routes(), authCheckinRouter.allowedMethods())
-  globalPrivateRouter.use(authPrivateProcessRouter.routes(), authPrivateProcessRouter.allowedMethods())
-  globalPrivateRouter.use(webAuthnGlobalPrivateRouter.routes(), webAuthnGlobalPrivateRouter.allowedMethods())
-})
-
-process.on('bootstrap-module-domain-public-route' as any, (app, domainPublicRouter) => {
-  /* domainPublicRouter based nested-routers */
-  domainPublicRouter.use(authSigninRouter.routes(), authSigninRouter.allowedMethods())
-  domainPublicRouter.use(authSignupRouter.routes(), authSignupRouter.allowedMethods())
-  domainPublicRouter.use(webAuthnGlobalPublicRouter.routes(), webAuthnGlobalPublicRouter.allowedMethods())
-
-  /* path '/admin/oauth/...' is deprecated. should use path '/oauth/...' for oauth2 related routing */
-  domainPublicRouter.use('/oauth', oauth2Router.routes(), oauth2Router.allowedMethods()) // if i use context
-})
-
-process.on('bootstrap-module-domain-private-route' as any, (app, domainPrivateRouter) => {
-  domainPrivateRouter.use(jwtAuthenticateMiddleware)
-  domainPrivateRouter.use(domainAuthenticateMiddleware)
-
-  /* domainPrivateRouter based nested-routers */
-  if (isPathBaseDomain) {
-    // pathBaseDomainRouter는 history-fallback의 경우에 인증 처리를 하기 위한 라우터이다.
-    // (보통, URL 링크등을 통해서 domain path URL로 바로 요청하는 경우에 해당한다.)
-    // pathBaseDomainRouter는 domain path를 domain-private-router를 사용하는 것을 전제로 한다.
-    domainPrivateRouter.use('/domain/:domain/oauth', oauth2AuthorizeRouter.routes(), oauth2AuthorizeRouter.allowedMethods())
-    domainPrivateRouter.use('/domain', pathBaseDomainRouter.routes(), pathBaseDomainRouter.allowedMethods())
-  }
-
-  // Client Routing : path 확장자가 없는 경우는 대부분 client 라우팅에 해당한다.
-  // 즉, browser-history-fallback 으로 index.html을 send 하는 경우에, 사용자 로그인이 필요한 경우에,
-  // 화면깜박임없이 signin page로 redirect 하고자하는 목적의 설정이다.
-  // domain-private 라우트를 통과하고 싶지 않다면, regexp를 조정한다.
-  // '(.[^.]+)' 은 '', '/'는 제외하고, '/xxx', '/yyy/zzz' 등 모두를 포함하지만, path에 '.'가 있는 경우는 제외한다.
-  // (테스트는 여기서 : http://forbeslindesay.github.io/express-route-tester/)
-  domainPrivateRouter.get('(.[^.]+)', async (context, next) => {
-    await next()
-  })
-})

package/server/service/app-binding/app-binding-mutation.ts

@@ -1,22 +0,0 @@
-import { Arg, Ctx, Mutation, Resolver } from 'type-graphql'
-
-import { getRepository } from '@things-factory/shell'
-
-import { User } from '../user/user'
-import { AppBinding } from './app-binding'
-
-@Resolver(AppBinding)
-export class AppBindingMutation {
-  @Mutation(returns => Boolean)
-  async deleteAppBinding(@Arg('id') id: string, @Ctx() context: ResolverContext) {
-    const { domain } = context.state
-
-    // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
-    // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
-    await getRepository(User).delete({
-      id
-    })
-
-    return true
-  }
-}

package/server/service/app-binding/app-binding-query.ts

@@ -1,92 +0,0 @@
-import { Arg, Args, Ctx, FieldResolver, Query, Resolver, Root } from 'type-graphql'
-import { SelectQueryBuilder } from 'typeorm'
-
-import { buildQuery, getRepository, ListParam } from '@things-factory/shell'
-
-import { buildDomainUsersQueryBuilder } from '../../utils/get-domain-users'
-import { Application } from '../application/application'
-import { User } from '../user/user'
-import { UserList } from '../user/user-types'
-import { AppBinding } from './app-binding'
-import { AppBindingList } from './app-binding-types'
-
-@Resolver(AppBinding)
-export class AppBindingQuery {
-  @Query(returns => AppBinding)
-  async appBinding(@Arg('id') id: string, @Ctx() context: ResolverContext): Promise<User> {
-    const { domain } = context.state
-
-    // TODO should check domain is available
-    return await getRepository(User).findOneBy({ id, userType: 'application' })
-  }
-
-  /* TODO optimize query */
-  @Query(returns => AppBindingList)
-  async appBindings(@Args(type => ListParam) params: ListParam, @Ctx() context: ResolverContext): Promise<UserList> {
-    const { domain } = context.state
-
-    // const convertedParams = convertListParams(params)
-    // convertedParams.where = {
-    //   ...convertedParams.where,
-    //   userType: 'application'
-    // } as any
-
-    const alias: string = 'USER'
-    const qb: SelectQueryBuilder<User> = buildDomainUsersQueryBuilder(domain.id, alias)
-    buildQuery(qb, params, null, { domainRef: false })
-    var [items] = await qb
-      // .leftJoinAndSelect(`${alias}.roles`, 'ROLES')
-      // .leftJoinAndSelect(`${alias}.creator`, 'CREATOR')
-      // .leftJoinAndSelect(`${alias}.updater`, 'UPDATER')
-      .getManyAndCount()
-
-    items = items.filter((user: User) => user.userType == 'application')
-
-    // var boundApps = await Promise.all(
-    //   items
-    //     .filter((user: User) => user.userType == 'application')
-    //     .map(async (user: User) => {
-    //       const email = user.email
-    //       const appKey = email.substr(0, email.lastIndexOf('@'))
-    //       const application = await getRepository(Application).findOneBy({
-    //         appKey
-    //       })
-
-    //       return {
-    //         ...user,
-    //         application,
-    //         scope: user.roles.map(role => role.name).join(','),
-    //         refreshToken: user.password
-    //       }
-    //     })
-    // )
-
-    return { items, total: items.length }
-  }
-
-  @FieldResolver(type => Application)
-  async application(@Root() appBinding: AppBinding): Promise<Application> {
-    return await getRepository(Application).findOneBy({ id: appBinding.reference })
-  }
-
-  @FieldResolver(type => String)
-  async scope(@Root() appBinding: AppBinding): Promise<string> {
-    const u = await getRepository(User).findOne({ where: { reference: appBinding.reference }, relations: ['roles'] })
-    return u.roles.map(role => role.name).join(',')
-  }
-
-  @FieldResolver(type => String)
-  async refreshToken(@Root() appBinding: AppBinding): Promise<string> {
-    return appBinding.password
-  }
-
-  @FieldResolver(type => User)
-  async updater(@Root() appBinding: AppBinding): Promise<User> {
-    return await getRepository(User).findOneBy({ id: appBinding.updaterId })
-  }
-
-  @FieldResolver(type => User)
-  async creator(@Root() appBinding: AppBinding): Promise<User> {
-    return await getRepository(User).findOneBy({ id: appBinding.creatorId })
-  }
-}

package/server/service/app-binding/app-binding-types.ts

@@ -1,11 +0,0 @@
-import { Field, Int, ObjectType } from 'type-graphql'
-import { AppBinding } from './app-binding'
-
-@ObjectType()
-export class AppBindingList {
-  @Field(type => [AppBinding], { nullable: true })
-  items?: [AppBinding]
-
-  @Field(type => Int, { nullable: true })
-  total?: number
-}

package/server/service/app-binding/app-binding.ts

@@ -1,17 +0,0 @@
-import { ObjectType, Field, Directive } from 'type-graphql'
-import { Domain } from '@things-factory/shell'
-import { Application } from '../application/application'
-import { User, UserStatus } from '../user/user'
-
-@ObjectType()
-export class AppBinding extends User {
-  @Field({ nullable: true })
-  application: Application
-
-  @Field({ nullable: true })
-  scope: string
-
-  @Field({ nullable: true })
-  @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
-  refreshToken: string
-}

package/server/service/app-binding/index.ts

@@ -1,4 +0,0 @@
-import { AppBindingQuery } from './app-binding-query'
-import { AppBindingMutation } from './app-binding-mutation'
-
-export const resolvers = [AppBindingQuery, AppBindingMutation]

package/server/service/appliance/appliance-mutation.ts

@@ -1,113 +0,0 @@
-import { Directive, Arg, Ctx, Mutation, Resolver } from 'type-graphql'
-
-import { getRepository } from '@things-factory/shell'
-
-import { User, UserStatus } from '../user/user'
-import { Appliance } from './appliance'
-import { AppliancePatch, NewAppliance } from './appliance-types'
-
-const crypto = require('crypto')
-
-@Resolver(Appliance)
-export class ApplianceMutation {
-  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
-  @Mutation(returns => Appliance, { description: 'To create new appliance' })
-  async createAppliance(
-    @Arg('appliance') appliance: NewAppliance,
-    @Ctx() context: ResolverContext
-  ): Promise<Appliance> {
-    return await getRepository(Appliance).save({
-      domain: context.state.domain,
-      creator: context.state.user,
-      updater: context.state.user,
-      ...appliance
-    })
-  }
-
-  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
-  @Mutation(returns => Boolean, { description: 'To delete appliance' })
-  async deleteAppliance(@Arg('id') id: string, @Ctx() context: ResolverContext): Promise<Boolean> {
-    const { domain } = context.state
-    // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
-    // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
-    await getRepository(User).delete({
-      reference: id,
-      userType: 'appliance'
-    })
-
-    await getRepository(Appliance).delete({ domain: { id: domain.id }, id })
-
-    return true
-  }
-
-  @Directive('@privilege(category: "security", privilege: "mutation", domainOwnerGranted: true)')
-  @Mutation(returns => Appliance)
-  async generateApplianceSecret(@Arg('id') id: string, @Ctx() context: ResolverContext): Promise<Appliance> {
-    const { domain, user } = context.state
-
-    const appliance: Appliance = await getRepository(Appliance).findOneBy({ domain: { id: domain.id }, id })
-
-    const appuserEmail = `${crypto.randomUUID()}@${domain?.subdomain}`
-    let appuser: User = await getRepository(User).findOne({
-      where: {
-        reference: id,
-        userType: 'appliance'
-      },
-      relations: ['domains']
-    })
-
-    if (!appuser) {
-      /* newly create appuser */
-      appuser = await getRepository(User).save({
-        email: appuserEmail,
-        name: appliance.name,
-        userType: 'appliance',
-        reference: id,
-        status: UserStatus.ACTIVATED,
-        domains: [domain],
-        updater: user,
-        creator: user
-      })
-    }
-
-    if (!appuser.domains.find(d => d.id === domain.id)) {
-      context.throw(401, 'appliance is not allowed for this domain')
-    }
-
-    appuser.password = Appliance.generateAccessToken(domain, appuser, appliance)
-
-    await getRepository(User).save(appuser)
-
-    return await getRepository(Appliance).save({
-      ...appliance,
-      accessToken: appuser.password,
-      updater: user
-    })
-  }
-
-  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
-  @Mutation(returns => Appliance)
-  async updateAppliance(
-    @Arg('id') id: string,
-    @Arg('patch') patch: AppliancePatch,
-    @Ctx() context: ResolverContext
-  ): Promise<Appliance> {
-    const { domain } = context.state
-
-    const applianceRepository = getRepository(Appliance)
-    const userRepository = getRepository(User)
-    const appliance = await applianceRepository.findOne({ where: { domain: { id: domain.id }, id } })
-    const user = await userRepository.findOne({ where: { reference: id, userType: 'appliance' } })
-
-    userRepository.save({
-      ...user,
-      name: patch?.name || user.name
-    })
-
-    return await applianceRepository.save({
-      ...appliance,
-      ...patch,
-      updater: context.state.user
-    })
-  }
-}

package/server/service/appliance/appliance-query.ts

@@ -1,76 +0,0 @@
-import { Arg, Args, Ctx, Directive, FieldResolver, Query, Resolver, Root } from 'type-graphql'
-
-import { getQueryBuilderFromListParams, Domain, getRepository, ListParam } from '@things-factory/shell'
-
-import { Appliance } from '../appliance/appliance'
-import { User } from '../user/user'
-import { ApplianceList } from './appliance-types'
-
-@Resolver(Appliance)
-export class ApplianceQuery {
-  @Directive('@privilege(category: "user", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
-  @Query(returns => Appliance, { description: ' To fetch appliance' })
-  async appliance(@Arg('id') id: string, @Ctx() context: ResolverContext): Promise<Appliance> {
-    const { domain } = context.state
-    return await getRepository(Appliance).findOneBy({ domain: { id: domain.id }, id })
-  }
-
-  @Directive('@privilege(category: "user", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
-  @Query(returns => ApplianceList, { description: 'To fetch multiple appliance' })
-  async appliances(
-    @Args(type => ListParam) params: ListParam,
-    @Ctx() context: ResolverContext
-  ): Promise<ApplianceList> {
-    const { domain } = context.state
-
-    const queryBuilder = getQueryBuilderFromListParams({
-      domain,
-      params,
-      repository: getRepository(Appliance),
-      alias: 'appliance',
-      searchables: ['name', 'description']
-    })
-
-    const [items, total] = await queryBuilder.getManyAndCount()
-
-    return { items, total }
-  }
-
-  @Directive('@privilege(category: "user", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
-  @Query(returns => ApplianceList, { description: 'To fetch multiple appliance' })
-  async edges(@Args(type => ListParam) params: ListParam, @Ctx() context: ResolverContext): Promise<ApplianceList> {
-    const { domain } = context.state
-
-    const queryBuilder = getQueryBuilderFromListParams({
-      domain,
-      params,
-      repository: getRepository(Appliance),
-      alias: 'appliance',
-      searchables: ['name', 'description']
-    })
-
-    const [items, total] = await queryBuilder.getManyAndCount()
-
-    return { items, total }
-  }
-
-  @FieldResolver(type => String)
-  async accessToken(@Root() appliance: Appliance, @Ctx() context: ResolverContext) {
-    return appliance.accessToken
-  }
-
-  @FieldResolver(type => Domain)
-  async domain(@Ctx() context: ResolverContext) {
-    return context.state.domain
-  }
-
-  @FieldResolver(type => User)
-  async updater(@Root() appliance: Appliance): Promise<User> {
-    return await getRepository(User).findOneBy({ id: appliance.updaterId })
-  }
-
-  @FieldResolver(type => User)
-  async creator(@Root() appliance: Appliance): Promise<User> {
-    return await getRepository(User).findOneBy({ id: appliance.creatorId })
-  }
-}

package/server/service/appliance/appliance-types.ts

@@ -1,56 +0,0 @@
-import { ObjectType, InputType, Field, ID, Int } from 'type-graphql'
-import { Appliance } from './appliance'
-
-@ObjectType()
-export class ApplianceList {
-  @Field(type => [Appliance], { nullable: true })
-  items?: Appliance[]
-
-  @Field(type => Int, { nullable: true })
-  total?: number
-}
-
-@InputType()
-export class AppliancePatch {
-  @Field(type => ID, { nullable: true })
-  id?: string
-
-  @Field({ nullable: true })
-  serialNo?: string
-
-  @Field({ nullable: true })
-  name?: string
-
-  @Field({ nullable: true })
-  brand?: string
-
-  @Field({ nullable: true })
-  model?: string
-
-  @Field({ nullable: true })
-  description?: string
-
-  @Field({ nullable: true })
-  netmask?: string
-}
-
-@InputType()
-export class NewAppliance {
-  @Field()
-  serialNo: string
-
-  @Field()
-  name: string
-
-  @Field()
-  brand: string
-
-  @Field()
-  model: string
-
-  @Field({ nullable: true })
-  description?: string
-
-  @Field({ nullable: true })
-  netmask?: string
-}