@things-factory/auth-base 8.0.0-beta.9 → 8.0.2

package/server/middlewares/jwt-authenticate-middleware.ts

@@ -0,0 +1,84 @@
+import passport from 'koa-passport'
+import { ExtractJwt, Strategy as JWTstrategy } from 'passport-jwt'
+
+import { config } from '@things-factory/env'
+
+import { makeVerificationToken } from '../controllers/utils/make-verification-token'
+import { saveVerificationToken } from '../controllers/utils/save-verification-token'
+import { User, UserStatus } from '../service/user/user'
+import { VerificationTokenType } from '../service/verification-token/verification-token'
+import { clearAccessTokenCookie, getAccessTokenCookie, setAccessTokenCookie } from '../utils/access-token-cookie'
+import { SECRET } from '../utils/get-secret'
+
+const sessionExpiryPolicy = config.get('session/expiryPolicy', 'fixed')
+
+passport.use(
+  new JWTstrategy(
+    {
+      secretOrKey: SECRET,
+      passReqToCallback: true,
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        ExtractJwt.fromAuthHeaderAsBearerToken(),
+        ExtractJwt.fromHeader('authorization'),
+        ExtractJwt.fromHeader('x-access-token'),
+        ExtractJwt.fromUrlQueryParameter('access_token'),
+        ExtractJwt.fromBodyField('access_token'),
+        req => {
+          var token = null
+          token = getAccessTokenCookie(req?.ctx)
+          return token
+        }
+      ])
+    },
+    async (request, decoded, done) => {
+      try {
+        return done(null, decoded)
+      } catch (error) {
+        return done(error)
+      }
+    }
+  )
+)
+
+export async function jwtAuthenticateMiddleware(context, next) {
+  const { path } = context
+  const { user } = context.state
+  if (user) {
+    return await next()
+  }
+
+  return await passport.authenticate('jwt', { session: false }, async (err, decoded, info) => {
+    if (err || !decoded) {
+      const e = (context.state.error = err || info)
+
+      clearAccessTokenCookie(context)
+
+      context.throw(401, e.message)
+    } else {
+      const userEntity = await User.checkAuth(decoded)
+
+      if (userEntity.status === UserStatus.PWD_RESET_REQUIRED) {
+        try {
+          const token = makeVerificationToken()
+          await saveVerificationToken(userEntity.id, token, VerificationTokenType.PASSWORD_RESET)
+          clearAccessTokenCookie(context)
+          context.redirect(`/auth/reset-password?token=${token}`)
+        } catch (e) {
+          throw err
+        }
+      } else {
+        context.state.user = userEntity
+        context.state.decodedToken = decoded
+
+        if (sessionExpiryPolicy == 'rolling') {
+          /* To renew the expiry time on each request, a token is issued and the session is updated. */
+
+          const token = await userEntity.sign()
+          setAccessTokenCookie(context, token)
+        }
+
+        await next()
+      }
+    }
+  })(context, next)
+}

package/server/middlewares/signin-middleware.ts

@@ -0,0 +1,55 @@
+import passport from 'koa-passport'
+import { Strategy as localStrategy } from 'passport-local'
+
+import { signin } from '../controllers/signin'
+
+passport.use(
+  'signin',
+  new localStrategy(
+    {
+      usernameField: 'email',
+      passwordField: 'password'
+    },
+    async (email, password, done) => {
+      try {
+        const {
+          user: userInfo,
+          token,
+          domains
+        } = await signin({
+          email,
+          password
+        })
+
+        return done(
+          null,
+          {
+            user: userInfo,
+            token,
+            domains
+          },
+          {
+            message: 'Logged in Successfully'
+          }
+        )
+      } catch (error) {
+        return done(error)
+      }
+    }
+  )
+)
+
+export async function signinMiddleware(context, next) {
+  return passport.authenticate('signin', { session: false }, async (err, user, info) => {
+    if (err || !user) {
+      throw err
+    } else {
+      const { user: userInfo, token } = user
+
+      context.state.user = userInfo
+      context.state.token = token
+
+      await next()
+    }
+  })(context, next)
+}

package/server/middlewares/webauthn-middleware.ts

@@ -0,0 +1,127 @@
+import passport from 'koa-passport'
+import { Strategy as CustomStrategy } from 'passport-custom'
+
+import { getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { AuthError } from '../errors/auth-error'
+
+import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
+import { verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server'
+
+import { AuthenticatorAssertionResponse } from '@simplewebauthn/types'
+
+passport.use(
+  'webauthn-register',
+  new CustomStrategy(async (context, done) => {
+    const { body, session, user, hostname, origin } = context as any
+
+    const challenge = session.challenge
+
+    const verification = await verifyRegistrationResponse({
+      response: body,
+      expectedChallenge: challenge,
+      expectedOrigin: origin,
+      expectedRPID: hostname,
+      expectedType: 'webauthn.create',
+      requireUserVerification: false
+    })
+
+    if (verification.verified) {
+      const { registrationInfo } = verification
+      const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64')
+
+      if (user) {
+        const webAuthRepository = getRepository(WebAuthCredential)
+        await webAuthRepository.save({
+          user,
+          credentialId: registrationInfo.credentialID,
+          publicKey,
+          counter: registrationInfo.counter,
+          creator: user,
+          updater: user
+        })
+      }
+
+      return done(null, user)
+    } else {
+      return done(null, false)
+    }
+  })
+)
+
+passport.use(
+  'webauthn-login',
+  new CustomStrategy(async (context, done) => {
+    try {
+      const { body, session, origin, hostname } = context as any
+
+      const challenge = session.challenge
+  
+      const assertionResponse = body as {
+        id: string
+        response: AuthenticatorAssertionResponse
+      }
+  
+      const credential = await getRepository(WebAuthCredential).findOne({
+        where: {
+          credentialId: assertionResponse.id
+        },
+        relations: ['user']
+      })
+  
+      if (!credential) {
+        return done(null, false)
+      }
+  
+      const verification = await verifyAuthenticationResponse({
+        response: body,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: hostname,
+        requireUserVerification: false,
+        authenticator: {
+          credentialID: credential.credentialId,
+          credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
+          counter: credential.counter
+        }
+      })
+  
+      if (verification.verified) {
+        const { authenticationInfo } = verification
+        credential.counter = authenticationInfo.newCounter
+        await getRepository(WebAuthCredential).save(credential)
+  
+        const user = credential.user
+        return done(null, user)
+      } else {
+        return done(verification, false)
+      }
+    } catch(error) {
+      return done(error, false)
+    }
+  })
+)
+
+export function createWebAuthnMiddleware(strategy: 'webauthn-register' | 'webauthn-login') {
+  return async function webAuthnMiddleware(context, next) {
+    return passport.authenticate(
+      strategy,
+      { session: true, failureMessage: true, failWithError: true },
+      async (err, user) => {
+        if (err || !user) {
+          throw new AuthError({
+            errorCode: AuthError.ERROR_CODES.AUTHN_VERIFICATION_FAILED,
+            detail: err
+          })
+        } else {
+          context.state.user = user
+
+          context.body = { user, verified: true }
+        }
+
+        await next()
+      }
+    )(context, next)
+  }
+}

package/server/migrations/1548206416130-SeedUser.ts

@@ -0,0 +1,59 @@
+import { ILike, MigrationInterface, QueryRunner } from 'typeorm'
+
+import { config, logger } from '@things-factory/env'
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { User, UserStatus } from '../service/user/user'
+
+const ADMIN_ACCOUNT = config.get('adminAccount', {
+  name: 'Admin',
+  email: 'admin@hatiolab.com',
+  password: 'admin'
+})
+
+const SEED_USERS = [
+  {
+    ...ADMIN_ACCOUNT,
+    userType: 'user',
+    status: UserStatus.ACTIVATED
+  }
+]
+export class SeedUsers1548206416130 implements MigrationInterface {
+  public async up(queryRunner: QueryRunner): Promise<any> {
+    const userRepository = getRepository(User)
+    const domainRepository = getRepository(Domain)
+
+    const domain: Domain = await domainRepository.findOne({ where: { name: 'SYSTEM' } })
+
+    try {
+      for (let i = 0; i < SEED_USERS.length; i++) {
+        const user = SEED_USERS[i]
+        const salt = User.generateSalt()
+        const password = User.encode(user.password, salt)
+
+        await userRepository.save({
+          ...user,
+          salt,
+          password,
+          domains: [domain]
+        })
+      }
+    } catch (e) {
+      logger.error(e)
+    }
+
+    const admin = await userRepository.findOne({ where: { email: ILike('admin@hatiolab.com') } })
+    domain.owner = admin.id
+
+    await domainRepository.save(domain)
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<any> {
+    const repository = getRepository(User)
+
+    SEED_USERS.reverse().forEach(async user => {
+      let record = await repository.findOneBy({ email: ILike(user.email) })
+      await repository.remove(record)
+    })
+  }
+}

package/server/migrations/1566805283882-SeedPrivilege.ts

@@ -0,0 +1,28 @@
+import { MigrationInterface, QueryRunner } from 'typeorm'
+
+import { logger } from '@things-factory/env'
+import { getRepository } from '@things-factory/shell'
+
+import { Privilege } from '../service/privilege/privilege'
+
+export class SeedPrivilege1566805283882 implements MigrationInterface {
+  public async up(queryRunner: QueryRunner): Promise<any> {
+    const privilegeRepository = getRepository(Privilege)
+
+    const { schema } = require('@things-factory/shell/dist-server/schema')
+    await schema()
+    const privileges = process['PRIVILEGES']
+
+    try {
+      for (const [category, name] of Object.values(privileges as [string, string])) {
+        if (0 == (await privilegeRepository.count({ where: { category, name } }))) {
+          await privilegeRepository.save({ category, name })
+        }
+      }
+    } catch (e) {
+      logger.error(e)
+    }
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<any> {}
+}

package/server/migrations/index.ts

@@ -0,0 +1,9 @@
+const glob = require('glob')
+const path = require('path')
+
+export var migrations = []
+
+glob.sync(path.resolve(__dirname, '.', '**', '*.js')).forEach(function(file) {
+  if (file.indexOf('index.js') !== -1) return
+  migrations = migrations.concat(Object.values(require(path.resolve(file))) || [])
+})

package/server/router/auth-checkin-router.ts

@@ -0,0 +1,107 @@
+import Router from 'koa-router'
+
+import { config } from '@things-factory/env'
+import { Domain, findSubdomainFromPath, getRedirectSubdomainPath } from '@things-factory/shell'
+
+import { LoginHistory } from '../service/login-history/login-history'
+import { User } from '../service/user/user'
+import { accepts } from '../utils/accepts'
+import { clearAccessTokenCookie } from '../utils/access-token-cookie'
+import { getUserDomains } from '../utils/get-user-domains'
+
+const domainType = config.get('domainType')
+
+export const authCheckinRouter = new Router()
+
+authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
+  const { request, t } = context
+  const header = request.header
+  const { user } = context.state
+  let { subdomain } = context.params
+
+  let domains: Partial<Domain>[] = await getUserDomains(user)
+  if (domainType) domains = domains.filter(d => d.extType == domainType)
+
+  if (!accepts(header.accept, ['text/html', '*/*'])) {
+    // When request expects non html response
+    try {
+      if (!subdomain) throw new Error(t('error.domain not specified', { subdomain })) // When params doesn't have subdomain
+      const checkInDomain: Partial<Domain> | undefined = domains.find(d => d.subdomain === subdomain) // When no matched domain with subdomain
+      if (!checkInDomain) throw new Error(t('error.domain not specified', { subdomain }))
+
+      await checkIn(checkInDomain, null, context)
+      context.body = true
+    } catch (e) {
+      clearAccessTokenCookie(context)
+      throw e
+    }
+  } else {
+    // When request expects html response
+    const { redirect_to: redirectTo = '/' } = context.query
+
+    try {
+      let message: string
+
+      if (!subdomain) {
+        /* try to find domain from redirectTo path */
+        subdomain = findSubdomainFromPath(context, redirectTo)
+      }
+
+      let checkInDomain: Partial<Domain>
+      if (subdomain) {
+        checkInDomain = domains.find(d => d.subdomain == subdomain)
+        if (!checkInDomain) message = t('error.domain not allowed', { subdomain })
+      } else if (domains.length === 1) {
+        checkInDomain = domains[0]
+      }
+
+      if (checkInDomain) {
+        return await checkIn(checkInDomain, redirectTo, context)
+      }
+
+      await context.render('auth-page', {
+        pageElement: 'auth-checkin',
+        elementScript: '/auth/checkin.js',
+        data: {
+          user: { email: user.email, locale: user.locale, name: user.name, userType: user.userType },
+          domains,
+          domainType,
+          redirectTo,
+          message
+        }
+      })
+    } catch (e) {
+      clearAccessTokenCookie(context)
+      context.redirect(
+        `/auth/signin?email=${encodeURIComponent(user.email)}&redirect_to=${encodeURIComponent(redirectTo)}`
+      )
+    }
+  }
+})
+
+authCheckinRouter.get('/auth/domains', async context => {
+  const { user } = context.state
+  var domains = await getUserDomains(user)
+  if (domainType) {
+    domains = domains.filter(d => d.extType == domainType)
+  }
+
+  context.body = domains
+})
+
+async function checkIn(
+  checkInDomain: Partial<Domain>,
+  redirectTo: string | null,
+  context: ResolverContext
+): Promise<void> {
+  const { user }: { user: User } = context.state
+  const remoteAddress = context.req.headers['x-forwarded-for'] 
+  ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
+  : context.req.connection.remoteAddress
+
+  await LoginHistory.stamp(checkInDomain, user, remoteAddress)
+
+  if (redirectTo) {
+    return context.redirect(getRedirectSubdomainPath(context, checkInDomain.subdomain, redirectTo))
+  }
+}

package/server/router/auth-private-process-router.ts

@@ -0,0 +1,107 @@
+import { ILike } from 'typeorm'
+import Router from 'koa-router'
+
+import { config } from '@things-factory/env'
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { changePwd } from '../controllers/change-pwd'
+import { deleteUser } from '../controllers/delete-user'
+import { updateProfile } from '../controllers/profile'
+import { User } from '../service/user/user'
+import { clearAccessTokenCookie, setAccessTokenCookie } from '../utils/access-token-cookie'
+import { getUserDomains } from '../utils/get-user-domains'
+
+const domainType = config.get('domainType')
+const languages = config.get('i18n/languages') || []
+
+export const authPrivateProcessRouter = new Router({
+  prefix: '/auth'
+})
+
+authPrivateProcessRouter
+  .post('/change-pass', async (context, next) => {
+    const { t } = context
+    let { current_pass, new_pass, confirm_pass } = context.request.body
+
+    const token = await changePwd(context.state.user, current_pass, new_pass, confirm_pass, context)
+
+    context.body = t('text.password changed successfully')
+
+    setAccessTokenCookie(context, token)
+  })
+  .post('/update-profile', async (context, next) => {
+    const { i18next, t } = context
+    const newProfiles = context.request.body
+    await updateProfile(context.state.user, newProfiles)
+
+    if (newProfiles.locale) {
+      context.body = i18next.getFixedT(newProfiles.locale)('text.profile changed successfully')
+    } else {
+      context.body = t('text.profile changed successfully')
+    }
+  })
+  .post('/delete-user', async (context, next) => {
+    const { t, session } = context
+    var { user } = context.state
+    var { email: userEmail } = user
+
+    var { password, email } = context.request.body
+
+    const userRepo = getRepository(User)
+    const userInfo = await userRepo.findOne({
+      where: {
+        email: ILike(userEmail)
+      },
+      relations: ['domains']
+    })
+
+    if (email != userEmail || !User.verify(userInfo.password, password, userInfo.salt)) {
+      context.status = 401
+      context.body = t('error.user validation failed')
+      return
+    }
+
+    await deleteUser(user)
+
+    context.body = t('text.delete account succeed')
+    clearAccessTokenCookie(context)
+  })
+  .get('/profile', async (context, next) => {
+    const { t } = context
+    const { domain, user, unsafeIP, prohibitedPrivileges } = context.state
+
+    if (!domain) {
+      context.status = 401
+      context.body = t('error.user validation failed')
+      return
+    }
+
+    let domains: Partial<Domain>[] = await getUserDomains(user)
+    domains = domains.filter((d: Domain) => d.extType == domainType)
+
+    var privileges = await User.getPrivilegesByDomain(user, domain)
+
+    if (prohibitedPrivileges) {
+      prohibitedPrivileges.forEach(({ category, privilege }) => {
+        privileges = privileges.filter(p => p.category != category || p.privilege != privilege)
+      })
+    }
+
+    context.body = {
+      user: {
+        email: user.email,
+        name: user.name,
+        userType: user.userType,
+        owner: await process.domainOwnerGranted(domain, user),
+        super: await process.superUserGranted(domain, user),
+        unsafeIP,
+        privileges
+      },
+      domains,
+      domain: domain && {
+        name: domain.name,
+        subdomain: domain.subdomain
+      },
+      languages
+    }
+  })