@things-factory/auth-base 8.0.5 → 8.0.13

package/server/middlewares/webauthn-middleware.ts

@@ -7,9 +7,11 @@ import { User } from '../service/user/user'
 import { AuthError } from '../errors/auth-error'
 
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
-import { verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server'
-
-import { AuthenticatorAssertionResponse } from '@simplewebauthn/types'
+import {
+  AuthenticatorAssertionResponse,
+  verifyRegistrationResponse,
+  verifyAuthenticationResponse
+} from '@simplewebauthn/server'
 
 passport.use(
   'webauthn-register',
@@ -29,15 +31,17 @@ passport.use(
 
     if (verification.verified) {
       const { registrationInfo } = verification
-      const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64')
-
+      const publicKey = Buffer.from(registrationInfo.credential.publicKey).toString('base64')
+      if (!registrationInfo) {
+        return done(null, false)
+      }
       if (user) {
         const webAuthRepository = getRepository(WebAuthCredential)
         await webAuthRepository.save({
           user,
-          credentialId: registrationInfo.credentialID,
+          credentialId: registrationInfo.credential.id,
           publicKey,
-          counter: registrationInfo.counter,
+          counter: registrationInfo.credential.counter,
           creator: user,
           updater: user
         })
@@ -80,9 +84,9 @@ passport.use(
         expectedOrigin: origin,
         expectedRPID: hostname,
         requireUserVerification: false,
-        authenticator: {
-          credentialID: credential.credentialId,
-          credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
+        credential: {
+          id: credential.credentialId,
+          publicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
           counter: credential.counter
         }
       })

package/server/migrations/1548206416130-SeedUser.ts

@@ -6,6 +6,7 @@ import { Domain, getRepository } from '@things-factory/shell'
 import { User, UserStatus } from '../service/user/user'
 
 const ADMIN_ACCOUNT = config.get('adminAccount', {
+  username: 'admin',
   name: 'Admin',
   email: 'admin@hatiolab.com',
   password: 'admin'
@@ -42,7 +43,7 @@ export class SeedUsers1548206416130 implements MigrationInterface {
       logger.error(e)
     }
 
-    const admin = await userRepository.findOne({ where: { email: ILike('admin@hatiolab.com') } })
+    const admin = await userRepository.findOne({ where: { email: ILike(ADMIN_ACCOUNT.email) } })
     domain.owner = admin.id
 
     await domainRepository.save(domain)

package/server/router/auth-checkin-router.ts

@@ -9,7 +9,7 @@ import { accepts } from '../utils/accepts'
 import { clearAccessTokenCookie } from '../utils/access-token-cookie'
 import { getUserDomains } from '../utils/get-user-domains'
 
-const domainType = config.get('domainType')
+const domainTypes = config.get('domainTypes')
 
 export const authCheckinRouter = new Router()
 
@@ -20,7 +20,9 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
   let { subdomain } = context.params
 
   let domains: Partial<Domain>[] = await getUserDomains(user)
-  if (domainType) domains = domains.filter(d => d.extType == domainType)
+  if (domainTypes) {
+    domains = domains.filter(d => !d.extType || domainTypes.includes(d.extType))
+  }
 
   if (!accepts(header.accept, ['text/html', '*/*'])) {
     // When request expects non html response
@@ -63,9 +65,15 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
         pageElement: 'auth-checkin',
         elementScript: '/auth/checkin.js',
         data: {
-          user: { email: user.email, locale: user.locale, name: user.name, userType: user.userType },
+          user: {
+            username: user.username,
+            email: user.email,
+            locale: user.locale,
+            name: user.name,
+            userType: user.userType
+          },
           domains,
-          domainType,
+          domainTypes,
           redirectTo,
           message
         }
@@ -73,7 +81,7 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
     } catch (e) {
       clearAccessTokenCookie(context)
       context.redirect(
-        `/auth/signin?email=${encodeURIComponent(user.email)}&redirect_to=${encodeURIComponent(redirectTo)}`
+        `/auth/signin?username=${encodeURIComponent(user.username)}&redirect_to=${encodeURIComponent(redirectTo)}`
       )
     }
   }
@@ -82,8 +90,8 @@ authCheckinRouter.get('/auth/checkin/:subdomain?', async (context, next) => {
 authCheckinRouter.get('/auth/domains', async context => {
   const { user } = context.state
   var domains = await getUserDomains(user)
-  if (domainType) {
-    domains = domains.filter(d => d.extType == domainType)
+  if (domainTypes) {
+    domains = domains.filter(d => d.extType == domainTypes)
   }
 
   context.body = domains
@@ -95,13 +103,13 @@ async function checkIn(
   context: ResolverContext
 ): Promise<void> {
   const { user }: { user: User } = context.state
-  const remoteAddress = context.req.headers['x-forwarded-for'] 
-  ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
-  : context.req.connection.remoteAddress
+  const remoteAddress = context.req.headers['x-forwarded-for']
+    ? (context.req.headers['x-forwarded-for'] as string).split(',')[0].trim()
+    : context.req.connection.remoteAddress
 
   await LoginHistory.stamp(checkInDomain, user, remoteAddress)
 
   if (redirectTo) {
-    return context.redirect(getRedirectSubdomainPath(context, checkInDomain.subdomain, redirectTo))
+    return context.redirect(getRedirectSubdomainPath(context, checkInDomain, redirectTo))
   }
 }

package/server/router/auth-private-process-router.ts

@@ -11,7 +11,7 @@ import { User } from '../service/user/user'
 import { clearAccessTokenCookie, setAccessTokenCookie } from '../utils/access-token-cookie'
 import { getUserDomains } from '../utils/get-user-domains'
 
-const domainType = config.get('domainType')
+const domainTypes = config.get('domainTypes')
 const languages = config.get('i18n/languages') || []
 
 export const authPrivateProcessRouter = new Router({
@@ -43,19 +43,25 @@ authPrivateProcessRouter
   .post('/delete-user', async (context, next) => {
     const { t, session } = context
     var { user } = context.state
-    var { email: userEmail } = user
+    var { id: userId } = user
 
-    var { password, email } = context.request.body
+    var { password, username } = context.request.body
 
     const userRepo = getRepository(User)
-    const userInfo = await userRepo.findOne({
-      where: {
-        email: ILike(userEmail)
-      },
+
+    var userInfo = await userRepo.findOne({
+      where: { username },
       relations: ['domains']
     })
 
-    if (email != userEmail || !User.verify(userInfo.password, password, userInfo.salt)) {
+    if (!userInfo && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      userInfo = await userRepo.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
+    if (userInfo.id != userId || !User.verify(userInfo.password, password, userInfo.salt)) {
       context.status = 401
       context.body = t('error.user validation failed')
       return
@@ -77,7 +83,7 @@ authPrivateProcessRouter
     }
 
     let domains: Partial<Domain>[] = await getUserDomains(user)
-    domains = domains.filter((d: Domain) => d.extType == domainType)
+    domains = domains.filter((d: Domain) => !d.extType || domainTypes.includes(d.extType))
 
     var privileges = await User.getPrivilegesByDomain(user, domain)
 
@@ -89,6 +95,7 @@ authPrivateProcessRouter
 
     context.body = {
       user: {
+        username: user.username,
         email: user.email,
         name: user.name,
         userType: user.userType,
@@ -97,10 +104,18 @@ authPrivateProcessRouter
         unsafeIP,
         privileges
       },
-      domains,
+      domains: domains.map(({ id, name, description, subdomain, extType, brandName, brandImage }) => {
+        return {
+          name,
+          description,
+          subdomain,
+          extType
+        }
+      }),
       domain: domain && {
         name: domain.name,
-        subdomain: domain.subdomain
+        subdomain: domain.subdomain,
+        type: domain.extType
       },
       languages
     }

package/server/router/auth-public-process-router.ts

@@ -1,4 +1,5 @@
 import Router from 'koa-router'
+import { ILike } from 'typeorm'
 
 import { config } from '@things-factory/env'
 import { getRepository, getSiteRootPath } from '@things-factory/shell'
@@ -31,16 +32,26 @@ export const authPublicProcessRouter = new Router({
 })
 
 authPublicProcessRouter.post('/join', async (context, next) => {
-  const { email } = context.request.body || {}
+  const { username } = context.request.body || {}
 
-  const user: User = await getRepository(User).findOneBy({
-    email
+  const repository = getRepository(User)
+
+  var user = await repository.findOne({
+    where: { username },
+    relations: ['domains']
   })
 
+  if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+    user = await repository.findOne({
+      where: { email: ILike(username) },
+      relations: ['domains']
+    })
+  }
+
   if (user) {
-    context.redirect(`/auth/signin?email=${email}`)
+    context.redirect(`/auth/signin?username=${username}`)
   } else {
-    context.redirect(`/auth/signup?email=${email}`)
+    context.redirect(`/auth/signup?username=${username}`)
   }
 })
 
@@ -200,10 +211,9 @@ authPublicProcessRouter.post('/forgot-password', async (context, next) => {
 
 authPublicProcessRouter.post('/reset-password', async (context, next) => {
   const { header, t } = context
+  const { password, token } = context.request.body
 
   try {
-    const { password, token } = context.request.body
-
     if (!(token && password)) {
       let message = t('error.token or password is invalid')
 
@@ -232,7 +242,7 @@ authPublicProcessRouter.post('/reset-password', async (context, next) => {
 
     await resetPassword(token, password, context)
 
-    var message = t('text.password reset succeed')
+    var message = t('text.password changed successfully')
     context.body = message
 
     clearAccessTokenCookie(context)
@@ -255,10 +265,12 @@ authPublicProcessRouter.post('/reset-password', async (context, next) => {
 
     if (accepts(header.accept, ['text/html', '*/*'])) {
       await context.render('auth-page', {
-        pageElement: 'auth-result',
-        elementScript: '/auth/result.js',
+        pageElement: 'reset-password',
+        elementScript: '/auth/reset-password.js',
         data: {
+          token,
           message: e.message,
+          passwordRule,
           disableUserSignupProcess,
           disableUserFavoredLanguage,
           languages

package/server/router/auth-signin-router.ts

@@ -28,13 +28,13 @@ authSigninRouter.get(
     await next()
   },
   async (context, next) => {
-    const { redirect_to, email } = context.query
+    const { redirect_to, username } = context.query
 
     await context.render('auth-page', {
       pageElement: 'auth-signin',
       elementScript: '/auth/signin.js',
       data: {
-        email,
+        username,
         redirectTo: redirect_to,
         ssoLinks: SSOLinks,
         disableUserSignupProcess,
@@ -45,21 +45,32 @@ authSigninRouter.get(
   }
 )
 
-authSigninRouter.post('/auth/signin', signinMiddleware, async (context, next) => {
-  const { request, t } = context
-  const { token, user, domain } = context.state
-  const { body: reqBody, header } = request
+authSigninRouter.post(
+  '/auth/signin',
+  async (ctx, next) => {
+    /* For backward compatibility, cover the case of logging in with email instead of username */
+    if (!ctx.request.body.username && ctx.request.body.email) {
+      ctx.request.body.username = ctx.request.body.email
+    }
+    await next()
+  },
+  signinMiddleware,
+  async (context, next) => {
+    const { request, t } = context
+    const { token, domain } = context.state
+    const { body: reqBody, header } = request
 
-  if (!accepts(header.accept, ['text/html', '*/*'])) {
-    context.body = token
-    return
-  }
+    if (!accepts(header.accept, ['text/html', '*/*'])) {
+      context.body = token
+      return
+    }
 
-  var redirectTo = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(
-    reqBody.redirectTo || '/'
-  )}`
+    var redirectTo = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(
+      reqBody.redirectTo || '/'
+    )}`
 
-  setAccessTokenCookie(context, token)
+    setAccessTokenCookie(context, token)
 
-  context.redirect(redirectTo)
-})
+    context.redirect(redirectTo)
+  }
+)

package/server/router/webauthn-router.ts

@@ -5,11 +5,8 @@ import { appPackage } from '@things-factory/env'
 import { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'
 
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
-import {
-  PublicKeyCredentialCreationOptionsJSON,
-} from '@simplewebauthn/server/script/deps'
 import { setAccessTokenCookie } from '../utils/access-token-cookie'
-import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware';
+import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware'
 
 export const webAuthnGlobalPublicRouter = new Router()
 export const webAuthnGlobalPrivateRouter = new Router()
@@ -53,7 +50,7 @@ webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (cont
   context.body = options
 })
 
-webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'));
+webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'))
 
 webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {
   const rpID = context.hostname
@@ -68,9 +65,10 @@ webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context
 })
 
 webAuthnGlobalPublicRouter.post(
-  '/auth/signin-webauthn', createWebAuthnMiddleware('webauthn-login'),
+  '/auth/signin-webauthn',
+  createWebAuthnMiddleware('webauthn-login'),
   async (context, next) => {
-    const { domain, user } = context. state
+    const { domain, user } = context.state
     const { request } = context
     const { body: reqBody } = request
 
@@ -82,6 +80,6 @@ webAuthnGlobalPublicRouter.post(
     /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
     context.body = { redirectURL, verified: true }
 
-    await next();
+    await next()
   }
 )

package/server/routes.ts

@@ -1,4 +1,5 @@
 import { config } from '@things-factory/env'
+import { getRoutePrefixForDomainType } from '@things-factory/shell'
 
 import { domainAuthenticateMiddleware, jwtAuthenticateMiddleware } from './middlewares'
 import {
@@ -17,7 +18,7 @@ import {
 
 import { setAccessTokenCookie } from './utils/access-token-cookie'
 
-const isPathBaseDomain = !config.get('subdomain') && !config.get('useVirtualHostBasedDomain')
+const isPathBaseDomain = !config.get('subdomain')
 
 process.on('bootstrap-module-global-public-route' as any, (app, globalPublicRouter) => {
   globalPublicRouter.use(siteRootRouter.routes(), siteRootRouter.allowedMethods())
@@ -39,8 +40,8 @@ process.on('bootstrap-module-global-public-route' as any, (app, globalPublicRout
 process.on('bootstrap-module-global-private-route' as any, (app, globalPrivateRouter) => {
   globalPrivateRouter.use(jwtAuthenticateMiddleware)
 
-  /* globalPrivateRouter based nested-routers */
   globalPrivateRouter.use(authCheckinRouter.routes(), authCheckinRouter.allowedMethods())
+  /* globalPrivateRouter based nested-routers */
   globalPrivateRouter.use(authPrivateProcessRouter.routes(), authPrivateProcessRouter.allowedMethods())
   globalPrivateRouter.use(webAuthnGlobalPrivateRouter.routes(), webAuthnGlobalPrivateRouter.allowedMethods())
 })
@@ -64,8 +65,16 @@ process.on('bootstrap-module-domain-private-route' as any, (app, domainPrivateRo
     // pathBaseDomainRouter는 history-fallback의 경우에 인증 처리를 하기 위한 라우터이다.
     // (보통, URL 링크등을 통해서 domain path URL로 바로 요청하는 경우에 해당한다.)
     // pathBaseDomainRouter는 domain path를 domain-private-router를 사용하는 것을 전제로 한다.
-    domainPrivateRouter.use('/domain/:domain/oauth', oauth2AuthorizeRouter.routes(), oauth2AuthorizeRouter.allowedMethods())
-    domainPrivateRouter.use('/domain', pathBaseDomainRouter.routes(), pathBaseDomainRouter.allowedMethods())
+    domainPrivateRouter.use(
+      `/${getRoutePrefixForDomainType()}/:domain/oauth`,
+      oauth2AuthorizeRouter.routes(),
+      oauth2AuthorizeRouter.allowedMethods()
+    )
+    domainPrivateRouter.use(
+      `/${getRoutePrefixForDomainType()}`,
+      pathBaseDomainRouter.routes(),
+      pathBaseDomainRouter.allowedMethods()
+    )
   }
 
   // Client Routing : path 확장자가 없는 경우는 대부분 client 라우팅에 해당한다.

package/server/service/invitation/invitation-mutation.ts

@@ -1,8 +1,11 @@
+import { ILike } from 'typeorm'
+
 import { Arg, Ctx, Mutation, Resolver } from 'type-graphql'
 import { GraphQLEmailAddress } from 'graphql-scalars'
 
 import { getRepository } from '@things-factory/shell'
 
+import { User, UserStatus } from '../../service/user/user'
 import { sendInvitationEmail } from '../../controllers/invitation'
 import { Invitation } from './invitation'
 
@@ -32,32 +35,44 @@ export class InvitationMutation {
     @Arg('type') type: string,
     @Ctx() context: ResolverContext
   ) {
-    const repository = getRepository(Invitation)
+    const { user: updater } = context.state
+    const invitationRepository = getRepository(Invitation)
 
-    const oldone = await repository.findOneBy({
-      email,
-      type,
-      reference
+    var user = await getRepository(User).findOne({
+      where: {
+        email: ILike(email),
+        status: UserStatus.ACTIVATED
+      }
     })
 
-    // TODO send invitation
+    if (!user) {
+      throw new Error(`user not found: ${email}`)
+    }
+
     await sendInvitationEmail({
       invitation: {
         email,
         reference,
         type
       },
+      user,
       context
     })
 
+    const oldone = await invitationRepository.findOneBy({
+      email,
+      type,
+      reference
+    })
+
     // update or create
-    return await repository.save({
+    return await invitationRepository.save({
+      creator: updater,
       ...oldone, // take only id from oldone for update
       email,
       reference,
       type,
-      creator: context.state.user,
-      updater: context.state.user
+      updater: updater
     })
   }
 }