@tomei/sso 0.64.0-staging.1 → 0.64.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tomei/sso",
-  "version": "0.64.0-staging.1",
+  "version": "0.64.0",
   "description": "Tomei SSO Package",
   "main": "dist/index.js",
   "scripts": {

package/sonar-project.properties

@@ -0,0 +1,23 @@
+sonar.projectKey=all-tomei-projects_sso
+sonar.organization=all-tomei-projects
+sonar.exclusions=**/*.js,test-data,dist,coverage, node_modules, __tests__, **/*.spec.ts, __mocks__
+sonar.scm.provider=git
+
+sonar.sources=src
+sonar.test=__tests__
+sonar.test.inclusions=src/**/*.spec.ts
+
+sonar.javascript.lcov.reportPaths=./coverage/lcov.info
+sonar.testExecutionReportPaths=coverage/test-report.xml
+sonar.sourceEnconding=UTF-8
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=sso
+#sonar.projectVersion=1.0
+
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8

package/src/components/login-user/user.ts

@@ -560,11 +560,13 @@ export class User extends UserBase {
           this.UpdatedAt = userAttr.UpdatedAt;
           this.staffs = userAttr.staffs;
         } else {
+          console.error('User not found for email:', email);
           throw new ClassError('User', 'UserErrMsg0X', 'Invalid Credentials');
         }
       }
 
       if (this.ObjectId && this.Email !== email) {
+        console.error('Email mismatch:', this.Email, email);
         throw new Error('Invalid credentials.');
       }
 
@@ -585,7 +587,7 @@ export class User extends UserBase {
           },
         });
         if (!system) {
-          throw new Error('Invalid credentials.');
+          throw new Error('Access denied: invalid or unauthorized system.');
         }
 
         // 1.5: Instantiate new PasswordHashService object and call PasswordHashService.verify method to check whether the param.Password is correct.
@@ -596,6 +598,7 @@ export class User extends UserBase {
           this.Password,
         );
         if (!isPasswordValid) {
+          console.error('Invalid password for user:', this.UserId);
           throw new Error('Invalid credentials.');
         }
 
@@ -614,12 +617,14 @@ export class User extends UserBase {
             await User.releaseLock(this.UserId, dbTransaction);
             this.Status = UserStatus.ACTIVE;
           } else {
-            throw new Error('Invalid credentials.');
+            throw new Error(
+              'Your account has been locked. Please contact the administrator for assistance.',
+            );
           }
         }
       } catch (error) {
         await this.incrementFailedLoginAttemptCount(dbTransaction);
-        throw new Error('Invalid credentials.');
+        throw error;
       }
 
       // 2.1:  Call alertNewLogin to check whether the ip used is new ip and alert the user if it's new.
@@ -674,6 +679,7 @@ export class User extends UserBase {
         ApplicationConfig.getComponentConfigValue('sessionName');
 
       if (!sessionName) {
+        console.error('Session name is not set in the configuration');
         throw new Error('Session name is not set in the configuration');
       }
 
@@ -765,6 +771,7 @@ export class User extends UserBase {
           },
         );
       }
+      console.error('Login failed:', error);
       throw error;
     }
   }
@@ -803,7 +810,7 @@ export class User extends UserBase {
           dbTransaction,
         });
 
-        for (const usergroup of userGroups) {
+        outer: for (const usergroup of userGroups) {
           const group = usergroup.Group;
           const groupSystemAccess = await User.getInheritedSystemAccess(
             dbTransaction,
@@ -813,7 +820,7 @@ export class User extends UserBase {
           for (const system of groupSystemAccess) {
             if (system.SystemCode === systemCode) {
               isUserHaveAccess = true;
-              break;
+              break outer;
             }
           }
         }
@@ -823,6 +830,7 @@ export class User extends UserBase {
         throw new Error("User don't have access to the system.");
       }
     } catch (error) {
+      console.error('Error checking system access:', error);
       throw error;
     }
   }
@@ -1732,7 +1740,7 @@ export class User extends UserBase {
       throw new ClassError(
         'LoginUser',
         'LoginUserErrMsg0X',
-        'Invalid credentials.',
+        'Your account has been locked due to too many failed login attempts, please contact IT Support for instructions on how to unlock your account.',
       );
     }
   }
@@ -2003,15 +2011,31 @@ export class User extends UserBase {
     }
 
     // 3. Verify the mfaToken by calling speakeasy.totp.verify
-    const isVerified = await speakeasy.totp.verify({
+    const isCurrentValid = await speakeasy.totp.verify({
       secret: userMFAConfig.totp.secret,
       encoding: 'base32',
       token: mfaToken,
+      window: 0, // strict current time window
     });
+    if (!isCurrentValid) {
+      const isExpired = await speakeasy.totp.verify({
+        secret: userMFAConfig.totp.secret,
+        encoding: 'base32',
+        token: mfaToken,
+        window: 2, // allow slight leeway: previous or next 2 time steps
+      });
 
-    // 4. if not verified, then return false. if verified, Call LoginUser._Repo.update and update user data in database
-    if (!isVerified) {
-      return false;
+      if (isExpired) {
+        return {
+          success: false,
+          reason: 'MFA token has expired. Please try again.',
+        };
+      } else {
+        return {
+          success: false,
+          reason: 'Invalid MFA token. Check your authenticator app.',
+        };
+      }
     }
 
     user.MFAEnabled = 1;
@@ -2040,7 +2064,7 @@ export class User extends UserBase {
     const systemLogin = userSession.systemLogins.find(
       (e) => e.code === systemCode,
     );
-    return `${userId}:${systemLogin.sessionId}`;
+    return { success: true, sessionId: `${userId}:${systemLogin.sessionId}` };
   }
 
   // This method will verify  2FA codes
@@ -2078,15 +2102,31 @@ export class User extends UserBase {
     }
 
     // 3. Verify the mfaToken by calling speakeasy.totp.verify
-    const isVerified = await speakeasy.totp.verify({
+    const isCurrentValid = await speakeasy.totp.verify({
       secret: userMFAConfig.totp.secret,
       encoding: 'base32',
       token: mfaToken,
+      window: 0, // strict current time window
     });
+    if (!isCurrentValid) {
+      const isExpired = await speakeasy.totp.verify({
+        secret: userMFAConfig.totp.secret,
+        encoding: 'base32',
+        token: mfaToken,
+        window: 2, // allow slight leeway: previous or next 2 time steps
+      });
 
-    // 4. if not verified, then return false. if verified, Call LoginUser._Repo.update and update user data in database
-    if (!isVerified) {
-      return false;
+      if (isExpired) {
+        return {
+          success: false,
+          reason: 'MFA token has expired. Please try again.',
+        };
+      } else {
+        return {
+          success: false,
+          reason: 'Invalid MFA token. Check your authenticator app.',
+        };
+      }
     }
 
     // 5. Retrieve Session
@@ -2109,7 +2149,7 @@ export class User extends UserBase {
     const systemLogin = userSession.systemLogins.find(
       (e) => e.code === systemCode,
     );
-    return `${userId}:${systemLogin.sessionId}`;
+    return { success: true, sessionId: `${userId}:${systemLogin.sessionId}` };
   }
 
   public async bypass2FA(systemCode: string, dbTransaction: any) {
@@ -2152,7 +2192,10 @@ export class User extends UserBase {
       const systemLogin = userSession.systemLogins.find(
         (e) => e.code === systemCode,
       );
-      return `${this.UserId}:${systemLogin.sessionId}`;
+      return {
+        success: true,
+        sessionId: `${this.UserId}:${systemLogin.sessionId}`,
+      };
     } catch (error) {
       throw error;
     }