@things-factory/auth-base 8.0.0-beta.8 → 8.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "8.0.0-beta.8",
+  "version": "8.0.0",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -32,10 +32,10 @@
   "dependencies": {
     "@simplewebauthn/browser": "^10.0.0",
     "@simplewebauthn/server": "^10.0.0",
-    "@things-factory/email-base": "^8.0.0-beta.5",
-    "@things-factory/env": "^8.0.0-beta.4",
-    "@things-factory/shell": "^8.0.0-beta.5",
-    "@things-factory/utils": "^8.0.0-beta.4",
+    "@things-factory/email-base": "^8.0.0",
+    "@things-factory/env": "^8.0.0",
+    "@things-factory/shell": "^8.0.0",
+    "@things-factory/utils": "^8.0.0",
     "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
@@ -46,5 +46,5 @@
     "passport-jwt": "^4.0.0",
     "passport-local": "^1.0.0"
   },
-  "gitHead": "bf5206511b2d84dfb95edc3dae7f54f6cbb9bcca"
+  "gitHead": "07ef27d272dd9a067a9648ac7013748510556a18"
 }

package/server/constants/error-code.ts

@@ -0,0 +1,20 @@
+export const USER_NOT_FOUND = 'user not found'
+export const PASSWORD_NOT_MATCHED = 'password-not-matched'
+export const USER_NOT_ACTIVATED = 'user not activated'
+export const USER_LOCKED = 'user-locked'
+export const USER_DELETED = 'user-deleted'
+export const NO_AVAILABLE_DOMAIN = 'no-available-domain'
+export const UNAVAILABLE_DOMAIN = 'unavailable-domain'
+export const NO_SELECTED_DOMAIN = 'no-selected-domain'
+export const REDIRECT_TO_DEFAULT_DOMAIN = 'redirect-to-default-domain'
+export const TOKEN_INVALID = 'token-invalid'
+export const AUTH_INVALID = 'auth-invalid'
+export const SUBDOMAIN_NOTFOUND = 'subdomain not found'
+export const CONFIRM_PASSWORD_NOT_MATCHED = 'confirm password not matched'
+export const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'
+export const USER_DUPLICATED = 'user duplicated'
+export const PASSWORD_USED_PAST = 'password used in the past'
+export const VERIFICATION_ERROR = 'user or verification token not found'
+export const AUTHN_VERIFICATION_FAILED = 'authn verification failed'
+export const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'
+export const AUTH_ERROR = 'auth error'

package/server/constants/max-age.ts

@@ -0,0 +1 @@
+export const MAX_AGE = 7 * 24 * 3600 * 1000

package/server/controllers/auth.ts

@@ -0,0 +1,5 @@
+export * from './change-pwd'
+export * from './signin'
+export * from './signup'
+export * from './verification'
+export * from './invitation'

package/server/controllers/change-pwd.ts

@@ -0,0 +1,99 @@
+import { ILike } from 'typeorm'
+import { config } from '@things-factory/env'
+import { getRepository } from '@things-factory/shell'
+
+import {
+  CONFIRM_PASSWORD_NOT_MATCHED,
+  PASSWORD_NOT_MATCHED,
+  PASSWORD_USED_PAST,
+  USER_NOT_FOUND
+} from '../constants/error-code'
+import { AuthError } from '../errors/auth-error'
+import { PasswordHistory } from '../service/password-history/password-history'
+import { User } from '../service/user/user'
+
+const HISTORY_SIZE = config.get('password', { history: 0 }).history
+
+export async function changePwd(attrs, currentPass, newPass, confirmPass, context) {
+  const { domain } = context.state
+
+  // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
+  const repository = getRepository(User)
+  const user: User = await repository.findOne({ where: { email: ILike(attrs.email) } })
+
+  if (!user) {
+    throw new AuthError({
+      errorCode: USER_NOT_FOUND
+    })
+  }
+
+  if (newPass !== confirmPass) {
+    throw new AuthError({
+      errorCode: CONFIRM_PASSWORD_NOT_MATCHED
+    })
+  }
+
+  if (!User.verify(user.password, currentPass, user.salt)) {
+    throw new AuthError({
+      errorCode: PASSWORD_NOT_MATCHED,
+      detail: {
+        email: user.email,
+        failCount: user.failCount
+      }
+    })
+  }
+
+  /* check if password is following the rule */
+  User.validatePasswordByRule(newPass, context?.lng)
+
+  user.password = User.encode(newPass, user.salt)
+
+  if (HISTORY_SIZE > 0) {
+    var passwordHistory: PasswordHistory = await getRepository(PasswordHistory).findOneBy({ userId: user.id })
+    var history = []
+
+    if (passwordHistory) {
+      try {
+        history = JSON.parse(passwordHistory.history)
+        if (!(history instanceof Array)) {
+          console.error('password history maybe currupted - not an array')
+          history = []
+        }
+      } catch (e) {
+        console.error('password history currupted - not json format')
+      }
+
+      const found = history.slice(0, HISTORY_SIZE).find(h => {
+        return User.verify(h.password, newPass, h.salt)
+      })
+
+      if (found) {
+        throw new AuthError({
+          errorCode: PASSWORD_USED_PAST
+        })
+      }
+    }
+  }
+
+  await repository.save({
+    ...user,
+    passwordUpdatedAt: new Date()
+  })
+
+  if (HISTORY_SIZE > 0) {
+    history = [
+      {
+        password: user.password,
+        salt: user.salt
+      },
+      ...history
+    ].slice(0, HISTORY_SIZE)
+
+    await getRepository(PasswordHistory).save({
+      userId: user.id,
+      history: JSON.stringify(history)
+    })
+  }
+
+  return await user.sign({ subdomain: domain.subdomain })
+}

package/server/controllers/checkin.ts

@@ -0,0 +1,21 @@
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { getUserDomains } from '../utils/get-user-domains'
+
+export async function checkin({ userId, subdomain }) {
+  const userRepo = getRepository(User)
+  const user = await userRepo.findOne({ where: { id: userId } })
+  const domains: Partial<Domain>[] = await getUserDomains(user)
+
+  if (!domains?.length) {
+    return false
+  }
+
+  const domain = domains.find(domain => domain.subdomain == subdomain)
+  if (!domain) {
+    return false
+  }
+
+  return await user.sign({ subdomain })
+}

package/server/controllers/delete-user.ts

@@ -0,0 +1,68 @@
+import { EntityManager, ILike, In } from 'typeorm'
+import { User, UserStatus } from '../service/user/user'
+import { AuthError } from '../errors/auth-error'
+import { USER_NOT_FOUND } from '../constants/error-code'
+
+export async function deleteUser(attrs, tx?: EntityManager) {
+  // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
+  // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
+
+  const repository = tx?.getRepository(User)
+  const user = await repository.findOne({ where: { email: ILike(attrs.email) } })
+  if (!user) {
+    throw new AuthError({
+      errorCode: USER_NOT_FOUND
+    })
+  }
+
+  user.status = UserStatus.DELETED
+  user.domains = []
+
+  await repository.save(user)
+
+  // repository api는 작동하지 않음.
+  // await txManager
+  //   .createQueryBuilder()
+  //   .delete()
+  //   .from('users_domains')
+  //   .where({
+  //     usersId: user.id
+  //   })
+  //   .execute()
+}
+
+export async function deleteUsers(attrs, tx?: EntityManager) {
+  // TODO 이 사용자가 이 도메인에 속한 사용자인지 확인해야함.
+  // TODO 다른 도메인에도 포함되어있다면, domains-users 관게와 해당 도메인 관련 정보만 삭제해야 함.
+
+  const { emails } = attrs
+
+  const repo = tx?.getRepository(User)
+
+  const users = await repo.find({
+    where: {
+      email: In(emails)
+    }
+  })
+
+  const userIds = []
+  users.forEach(user => {
+    user.status = UserStatus.DELETED
+    user.domains = []
+
+    userIds.push(user.id)
+  })
+
+  await repo.save(users)
+
+  // repository api는 작동하지 않음.
+  // await txManager
+  //   .createQueryBuilder()
+  //   .delete()
+  //   .from('users_domains')
+  //   .where({
+  //     usersId: In(userIds)
+  //   })
+  //   .execute()
+  return true
+}

package/server/controllers/invitation.ts

@@ -0,0 +1,132 @@
+import { ILike } from 'typeorm'
+import { URL } from 'url'
+
+import { sendEmail } from '@things-factory/email-base'
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { Invitation } from '../service/invitation/invitation'
+import { User } from '../service/user/user'
+import { getInvitationEmailForm } from '../templates/invitation-email'
+import { makeInvitationToken } from './utils/make-invitation-token'
+import { saveInvitationToken } from './utils/save-invitation-token'
+
+export async function invite(attrs, withEmailInvitation?: Boolean) {
+  const { email, reference, type, context } = attrs
+
+  var user = await getRepository(User).findOne({ where: { email: ILike(email) }, relations: ['domains'] })
+  var domains = user.domains
+
+  // TODO reference should not be a domain.id (security reason)
+
+  if (user) {
+    const domain = domains.find(domain => domain.id == reference)
+
+    if (domain) {
+      const msg = `user already a member of the ${type}.`
+      throw new Error(msg)
+    }
+  }
+
+  if (withEmailInvitation) {
+    var invitation = await getRepository(Invitation).findOneBy({
+      email: ILike(email),
+      reference,
+      type
+    })
+
+    if (!invitation) {
+      invitation = await getRepository(Invitation).save({
+        email,
+        reference,
+        type
+      })
+    }
+
+    return await sendInvitationEmail({
+      invitation,
+      context
+    })
+  }
+
+  if (user) {
+    user.domains = [...domains, await getRepository(Domain).findOneBy({ id: reference })]
+    await getRepository(User).save(user)
+  } else {
+    // TODO need to signup
+  }
+}
+
+export async function acceptInvitation(token) {
+  var invitation = await getRepository(Invitation).findOneBy({
+    token
+  })
+
+  if (!invitation) {
+    throw new Error(`not found invitation.`)
+  }
+
+  var { email, reference, type } = invitation
+
+  var user = await getRepository(User).findOne({ where: { email: ILike(email) }, relations: ['domains'] })
+
+  if (user) {
+    var domains = user.domains
+    const domain = domains.find(domain => domain.id == reference)
+
+    if (domain) {
+      const msg = `user already a member of the ${type}.`
+      throw new Error(msg)
+    }
+
+    user.domains = [...domains, await getRepository(Domain).findOneBy({ id: reference })]
+    await getRepository(User).save(user)
+
+    await getRepository(Invitation).delete(invitation.id)
+  } else {
+    // TODO goto signup
+  }
+
+  return true
+}
+
+export async function sendInvitationEmail({ invitation, context }) {
+  try {
+    var token = makeInvitationToken()
+    var verifaction = await saveInvitationToken(invitation.id, token)
+
+    if (verifaction) {
+      var serviceUrl = new URL(`/auth/accept/${token}`, context.header.referer)
+
+      await sendEmail({
+        receiver: invitation.email,
+        subject: 'Invitation',
+        content: getInvitationEmailForm({
+          email: invitation.email,
+          acceptUrl: serviceUrl
+        })
+      })
+
+      return true
+    }
+  } catch (e) {
+    return false
+  }
+}
+
+export async function resendInvitationEmail(
+  { email, reference, type }: { email: string; reference: string; type: string },
+  context
+) {
+  var invitation = await getRepository(Invitation).findOneBy({
+    email: ILike(email),
+    reference,
+    type
+  })
+
+  if (!invitation) return false
+
+  return await sendInvitationEmail({
+    invitation,
+    context
+  })
+}

package/server/controllers/profile.ts

@@ -0,0 +1,28 @@
+import { getRepository } from '@things-factory/shell'
+
+import { USER_NOT_FOUND } from '../constants/error-code'
+import { AuthError } from '../errors/auth-error'
+import { User } from '../service/user/user'
+
+export async function updateProfile({ id }, newProfiles) {
+  const repository = getRepository(User)
+  const user = await repository.findOneBy({ id })
+  if (!user) {
+    throw new AuthError({
+      errorCode: USER_NOT_FOUND
+    })
+  }
+
+  /* only 'name', 'email' and 'locale' attributes can be changed */
+  var allowed = ['name', 'email', 'locale']
+    .filter(attr => attr in newProfiles)
+    .reduce((sum, attr) => {
+      sum[attr] = newProfiles[attr]
+      return sum
+    }, {})
+
+  return await repository.save({
+    ...user,
+    ...allowed
+  })
+}

package/server/controllers/reset-password.ts

@@ -0,0 +1,126 @@
+import { URL } from 'url'
+
+import { sendEmail } from '@things-factory/email-base'
+import { config } from '@things-factory/env'
+import { getRepository } from '@things-factory/shell'
+
+import { PASSWORD_USED_PAST } from '../constants/error-code'
+import { AuthError } from '../errors/auth-error'
+import { PasswordHistory } from '../service/password-history/password-history'
+import { User } from '../service/user/user'
+import { VerificationToken, VerificationTokenType } from '../service/verification-token/verification-token'
+import { getResetPasswordEmailForm } from '../templates/reset-password-email'
+import { makeVerificationToken } from './utils/make-verification-token'
+import { saveVerificationToken } from './utils/save-verification-token'
+
+const HISTORY_SIZE = config.get('password', { history: 0 }).history
+
+export async function sendPasswordResetEmail({ user, context }) {
+  try {
+    var token = makeVerificationToken()
+    var verifaction = await saveVerificationToken(user.id, token, VerificationTokenType.PASSWORD_RESET)
+
+    if (verifaction) {
+      var serviceUrl = new URL(`/auth/reset-password?token=${token}`, context.header.referer)
+      await sendEmail({
+        receiver: user.email,
+        subject: 'Reset your password',
+        content: getResetPasswordEmailForm({
+          name: user.name,
+          resetUrl: serviceUrl
+        })
+      })
+
+      return true
+    }
+  } catch (e) {
+    return false
+  }
+}
+
+export async function resetPassword(token, password, context) {
+  const { t } = context
+
+  const verificationToken = await getRepository(VerificationToken).findOne({
+    where: {
+      token,
+      type: VerificationTokenType.PASSWORD_RESET
+    }
+  })
+
+  if (!verificationToken) {
+    throw new Error(t('text.invalid verification token'))
+  }
+
+  const { userId } = verificationToken
+  if (!userId) {
+    throw new Error(t('text.invalid verification token'))
+  }
+
+  var user = await getRepository(User).findOneBy({ id: userId })
+  if (!user) {
+    throw new Error(t('error.user not found'))
+  }
+
+  // if (user.status == UserStatus.INACTIVE) {
+  //   throw new Error(t('text.inactive user'))
+  // }
+
+  /* check if password is following the rule */
+  User.validatePasswordByRule(password, context?.lng)
+
+  user.password = User.encode(password, user.salt)
+
+  if (HISTORY_SIZE > 0) {
+    var passwordHistory: PasswordHistory = await getRepository(PasswordHistory).findOneBy({ userId: user.id })
+    var history = []
+
+    if (passwordHistory) {
+      try {
+        history = JSON.parse(passwordHistory.history)
+        if (!(history instanceof Array)) {
+          console.error('password history maybe currupted - not an array')
+          history = []
+        }
+      } catch (e) {
+        console.error('password history currupted - not json format')
+      }
+
+      const found = history.slice(0, HISTORY_SIZE).find(h => {
+        return User.verify(h.password, password, h.salt)
+      })
+
+      if (found) {
+        throw new AuthError({
+          errorCode: PASSWORD_USED_PAST
+        })
+      }
+    }
+  }
+
+  await getRepository(User).save({
+    ...user,
+    passwordUpdatedAt: new Date()
+  })
+
+  await getRepository(VerificationToken).delete({
+    userId,
+    token,
+    type: VerificationTokenType.PASSWORD_RESET
+  })
+
+  if (HISTORY_SIZE > 0) {
+    history = [
+      {
+        password: user.password,
+        salt: user.salt
+      },
+      ...history
+    ].slice(0, HISTORY_SIZE)
+
+    await getRepository(PasswordHistory).save({
+      userId: user.id,
+      history: JSON.stringify(history)
+    })
+  }
+}

package/server/controllers/signin.ts

@@ -0,0 +1,79 @@
+import { ILike } from 'typeorm'
+import { getRepository } from '@things-factory/shell'
+
+import { sendUnlockUserEmail } from '../controllers/unlock-user'
+import { AuthError } from '../errors/auth-error'
+import { User, UserStatus } from '../service/user/user'
+
+export async function signin(attrs, context?) {
+  const { domain } = context?.state || {}
+
+  const repository = getRepository(User)
+  const user = await repository.findOne({ where: { email: ILike(attrs.email) }, relations: ['domains'] })
+  if (!user)
+    throw new AuthError({
+      errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND
+    })
+
+  if (user.status == UserStatus.DELETED) {
+    throw new AuthError({
+      errorCode: AuthError.ERROR_CODES.USER_DELETED
+    })
+  }
+
+  if (user.status == UserStatus.LOCKED) {
+    sendUnlockUserEmail({
+      user,
+      context
+    })
+    throw new AuthError({
+      errorCode: AuthError.ERROR_CODES.USER_LOCKED,
+      detail: {
+        email: user.email
+      }
+    })
+  }
+
+  if (!User.verify(user.password, attrs.password, user.salt)) {
+    user.failCount++
+    if (user.failCount >= 5) user.status = UserStatus.LOCKED
+    await repository.save(user)
+    if (user.status == UserStatus.LOCKED) {
+      sendUnlockUserEmail({
+        user,
+        context
+      })
+      throw new AuthError({
+        errorCode: AuthError.ERROR_CODES.USER_LOCKED,
+        detail: {
+          email: user.email
+        }
+      })
+    }
+    throw new AuthError({
+      errorCode: AuthError.ERROR_CODES.PASSWORD_NOT_MATCHED,
+      detail: {
+        email: user.email,
+        failCount: user.failCount
+      }
+    })
+  } else {
+    user.failCount = 0
+    await repository.save(user)
+  }
+
+  if (user.status == UserStatus.INACTIVE) {
+    throw new AuthError({
+      errorCode: AuthError.ERROR_CODES.USER_NOT_ACTIVATED,
+      detail: {
+        email: user.email
+      }
+    })
+  }
+
+  return {
+    user,
+    token: await user.sign({ subdomain: domain?.subdomain }),
+    domains: user.domains || []
+  }
+}

package/server/controllers/signup.ts

@@ -0,0 +1,60 @@
+import { ILike } from 'typeorm'
+import { getRepository } from '@things-factory/shell'
+
+import { USER_DUPLICATED } from '../constants/error-code'
+import { AuthError } from '../errors/auth-error'
+import { User } from '../service/user/user'
+import { signin } from './signin'
+import { sendVerificationEmail } from './verification'
+
+export async function signup(attrs, withEmailVerification?: Boolean) {
+  const { name, email, password, domain, context } = attrs
+
+  /* check if password is following the rule */
+  User.validatePasswordByRule(password, context.lng)
+
+  const repository = getRepository(User)
+  const duplicated = await repository.findOneBy({ email: ILike(email) })
+  if (duplicated) {
+    throw new AuthError({
+      errorCode: USER_DUPLICATED,
+      detail: {
+        name,
+        email
+      }
+    })
+  }
+
+  const salt = User.generateSalt()
+
+  var user = await repository.save({
+    userType: 'user',
+    ...attrs,
+    salt,
+    password: User.encode(password, salt),
+    passwordUpdatedAt: new Date(),
+    domains: domain ? [domain] : []
+  })
+
+  var succeed = false
+  if (withEmailVerification) {
+    succeed = await sendVerificationEmail({
+      context,
+      user
+    })
+  }
+
+  try {
+    return {
+      token: await signin(
+        {
+          email,
+          password
+        },
+        { domain }
+      )
+    }
+  } catch (e) {
+    return { token: null }
+  }
+}