wabe 0.6.12 → 0.6.13

package/src/authentication/resolvers/verifyChallenge.test.ts

@@ -1,230 +0,0 @@
-import { describe, expect, it, beforeEach, mock, spyOn } from 'bun:test'
-import { verifyChallengeResolver } from './verifyChallenge'
-import type { WabeContext } from '../../server/interface'
-import { Session } from '../Session'
-import { createMfaChallenge } from '../security'
-
-describe('verifyChallenge', () => {
-	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
-	let pendingChallenges: Array<{ token: string; provider: string; expiresAt: Date }> = []
-	const mockGetObject = mock(() => Promise.resolve({ pendingChallenges }))
-	const mockUpdateObject = mock((options: any) => {
-		pendingChallenges = options?.data?.pendingChallenges || []
-		return Promise.resolve({})
-	})
-
-	const context: WabeContext<any> = {
-		sessionId: 'sessionId',
-		user: {
-			id: 'userId',
-		} as any,
-		wabe: {
-			controllers: {
-				database: {
-					getObject: mockGetObject,
-					updateObject: mockUpdateObject,
-				},
-			},
-			config: {
-				authentication: {
-					customAuthenticationMethods: [
-						{
-							name: 'fakeOtp',
-							input: {
-								code: {
-									type: 'String',
-									required: true,
-								},
-							},
-							provider: {
-								onVerifyChallenge: mockOnVerifyChallenge,
-								onSendChallenge: () => Promise.resolve(),
-							},
-						},
-					],
-				},
-			},
-		},
-	} as any
-
-	beforeEach(() => {
-		mockOnVerifyChallenge.mockClear()
-		mockGetObject.mockClear()
-		mockUpdateObject.mockClear()
-		pendingChallenges = []
-	})
-
-	it('should throw an error if no one factor is provided', () => {
-		expect(
-			verifyChallengeResolver(
-				undefined,
-				{
-					input: {},
-				},
-				context,
-			),
-		).rejects.toThrow('One factor is required')
-	})
-
-	it('should throw an error if more than one factor is provided', () => {
-		expect(
-			verifyChallengeResolver(
-				undefined,
-				{
-					input: {
-						secondFA: {
-							// @ts-expect-error
-							factor1: {},
-							factor2: {},
-						},
-					},
-				},
-				context,
-			),
-		).rejects.toThrow('Only one factor is allowed')
-	})
-
-	it('should throw an error if the onVerifyChallenge failed', () => {
-		mockOnVerifyChallenge.mockResolvedValue(false as never)
-
-		expect(
-			verifyChallengeResolver(
-				undefined,
-				{
-					input: {
-						secondFA: {
-							// @ts-expect-error
-							fakeOtp: {
-								code: '123456',
-							},
-						},
-					},
-				},
-				context,
-			),
-		).rejects.toThrow('Invalid challenge')
-	})
-
-	it('should return userId if the verifyChallenge is correct', async () => {
-		const spyCreateSession = spyOn(Session.prototype, 'create').mockResolvedValue({
-			accessToken: 'accessToken',
-			refreshToken: 'refreshToken',
-			sessionId: 'sessionId',
-			csrfToken: 'csrfToken',
-		})
-
-		mockOnVerifyChallenge.mockResolvedValue({ userId: 'userId' } as never)
-
-		expect(
-			await verifyChallengeResolver(
-				undefined,
-				{
-					input: {
-						secondFA: {
-							// @ts-expect-error
-							fakeOtp: {
-								code: '123456',
-							},
-						},
-					},
-				},
-				context,
-			),
-		).toEqual({
-			accessToken: 'accessToken',
-			srp: undefined,
-		})
-
-		expect(mockOnVerifyChallenge).toHaveBeenCalledTimes(1)
-		expect(mockOnVerifyChallenge).toHaveBeenCalledWith({
-			input: { code: '123456' },
-			context: expect.any(Object),
-		})
-
-		expect(spyCreateSession).toHaveBeenCalledTimes(1)
-		expect(spyCreateSession).toHaveBeenCalledWith('userId', context)
-
-		spyCreateSession.mockRestore()
-	})
-
-	it('should require challenge token in production', () => {
-		mockOnVerifyChallenge.mockResolvedValue({ userId: 'userId' } as never)
-
-		const productionContext = {
-			...context,
-			wabe: {
-				...context.wabe,
-				config: {
-					...context.wabe.config,
-					isProduction: true,
-				},
-			},
-		} as WabeContext<any>
-
-		expect(
-			verifyChallengeResolver(
-				undefined,
-				{
-					input: {
-						secondFA: {
-							// @ts-expect-error
-							fakeOtp: {
-								code: '123456',
-							},
-						},
-					},
-				},
-				productionContext,
-			),
-		).rejects.toThrow('Invalid challenge')
-	})
-
-	it('should validate challenge token in production', async () => {
-		const spyCreateSession = spyOn(Session.prototype, 'create').mockResolvedValue({
-			accessToken: 'accessToken',
-			refreshToken: 'refreshToken',
-			sessionId: 'sessionId',
-			csrfToken: 'csrfToken',
-		})
-		mockOnVerifyChallenge.mockResolvedValue({ userId: 'userId' } as never)
-
-		const productionContext = {
-			...context,
-			wabe: {
-				...context.wabe,
-				config: {
-					...context.wabe.config,
-					isProduction: true,
-				},
-			},
-		} as WabeContext<any>
-
-		const challengeToken = await createMfaChallenge(productionContext, {
-			userId: 'userId',
-			provider: 'fakeOtp',
-		})
-
-		expect(
-			await verifyChallengeResolver(
-				undefined,
-				{
-					input: {
-						challengeToken,
-						secondFA: {
-							// @ts-expect-error
-							fakeOtp: {
-								code: '123456',
-							},
-						},
-					},
-				},
-				productionContext,
-			),
-		).toEqual({
-			accessToken: 'accessToken',
-			srp: undefined,
-		})
-
-		spyCreateSession.mockRestore()
-	})
-})

package/src/authentication/resolvers/verifyChallenge.ts

@@ -1,78 +0,0 @@
-import type { VerifyChallengeInput } from '../../../generated/wabe'
-import type { WabeContext } from '../../server/interface'
-import type { DevWabeTypes } from '../../utils/helper'
-import { getSessionCookieSameSite } from '../cookies'
-import { consumeMfaChallenge, shouldRequireMfaChallenge } from '../security'
-import { Session } from '../Session'
-import type { SecondaryProviderInterface } from '../interface'
-import { getAuthenticationMethod } from '../utils'
-
-export const verifyChallengeResolver = async (
-	_: any,
-	{
-		input,
-	}: {
-		input: VerifyChallengeInput
-	},
-	context: WabeContext<DevWabeTypes>,
-) => {
-	if (!input.secondFA) throw new Error('One factor is required')
-
-	const listOfFactor = Object.keys(input.secondFA)
-
-	if (listOfFactor.length > 1) throw new Error('Only one factor is allowed')
-
-	const { provider, name } = getAuthenticationMethod<any, SecondaryProviderInterface<DevWabeTypes>>(
-		listOfFactor,
-		context,
-	)
-
-	const result = await provider.onVerifyChallenge({
-		context,
-		// @ts-expect-error
-		input: input.secondFA[name],
-	})
-
-	if (!result?.userId) throw new Error('Invalid challenge')
-
-	if (shouldRequireMfaChallenge(context)) {
-		const challengeToken = input.challengeToken
-		if (!challengeToken) throw new Error('Invalid challenge')
-
-		const isValidChallenge = await consumeMfaChallenge(context, {
-			challengeToken,
-			userId: result.userId,
-			provider: name,
-		})
-
-		if (!isValidChallenge) throw new Error('Invalid challenge')
-	}
-
-	const session = new Session<DevWabeTypes>()
-
-	const { accessToken, refreshToken } = await session.create(result.userId, context)
-
-	if (context.wabe.config.authentication?.session?.cookieSession) {
-		const accessTokenExpiresAt = session.getAccessTokenExpireAt(context.wabe.config)
-		const refreshTokenExpiresAt = session.getRefreshTokenExpireAt(context.wabe.config)
-		const sameSite = getSessionCookieSameSite(context.wabe.config)
-
-		context.response?.setCookie('refreshToken', refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: refreshTokenExpiresAt,
-		})
-
-		context.response?.setCookie('accessToken', accessToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: accessTokenExpiresAt,
-		})
-	}
-
-	return { accessToken, srp: result.srp }
-}

package/src/authentication/roles.test.ts

@@ -1,49 +0,0 @@
-import { afterAll, beforeAll, describe, it, expect } from 'bun:test'
-import type { Wabe } from '../server'
-import type { DevWabeTypes } from '../utils/helper'
-import { initializeRoles } from './roles'
-import { setupTests, closeTests } from '../utils/testHelper'
-
-describe('roles', () => {
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	it('should create all roles', async () => {
-		await wabe.controllers.database.clearDatabase()
-
-		await initializeRoles(wabe)
-
-		const res = await wabe.controllers.database.getObjects({
-			className: 'Role',
-			context: { isRoot: true, wabe: wabe },
-			select: { name: true },
-		})
-
-		expect(res.length).toEqual(4)
-		expect(res.map((role) => role?.name)).toEqual(['Client', 'Client2', 'Client3', 'Admin'])
-	})
-
-	it('should not create all roles if there already exist', async () => {
-		await wabe.controllers.database.clearDatabase()
-
-		await initializeRoles(wabe)
-		await initializeRoles(wabe)
-
-		const res = await wabe.controllers.database.getObjects({
-			className: 'Role',
-			context: { isRoot: true, wabe: wabe },
-			select: { name: true },
-		})
-
-		expect(res.length).toEqual(4)
-		expect(res.map((role) => role?.name)).toEqual(['Client', 'Client2', 'Client3', 'Admin'])
-	})
-})

package/src/authentication/roles.ts

@@ -1,40 +0,0 @@
-import { notEmpty, type Wabe } from '..'
-import type { DevWabeTypes } from '../utils/helper'
-
-export const initializeRoles = async (wabe: Wabe<DevWabeTypes>) => {
-	const roles = wabe.config?.authentication?.roles || []
-
-	if (roles.length === 0) return
-
-	const res = await wabe.controllers.database.getObjects({
-		className: 'Role',
-		context: {
-			isRoot: true,
-			wabe,
-		},
-		select: { name: true },
-		where: {
-			name: {
-				in: roles,
-			},
-		},
-	})
-
-	const alreadyCreatedRoles = res.map((role) => role?.name).filter(notEmpty)
-
-	const objectsToCreate = roles
-		.filter((role) => !alreadyCreatedRoles.includes(role))
-		.map((role) => ({ name: role }))
-
-	if (objectsToCreate.length === 0) return
-
-	await wabe.controllers.database.createObjects({
-		className: 'Role',
-		context: {
-			isRoot: true,
-			wabe,
-		},
-		data: objectsToCreate,
-		select: {},
-	})
-}

package/src/authentication/security.ts

@@ -1,278 +0,0 @@
-import crypto from 'node:crypto'
-import type { WabeContext } from '../server/interface'
-import type { WabeTypes } from '../server'
-import { contextWithRoot, getDatabaseController } from '../utils/export'
-import { DevWabeTypes } from 'src/utils/helper'
-
-type RateLimitScope = 'signIn' | 'signUp' | 'verifyChallenge'
-
-type RateLimitOptions = {
-	enabled: boolean
-	maxAttempts: number
-	windowMs: number
-	blockDurationMs: number
-}
-
-type RateLimitState = {
-	attempts: number
-	windowStartedAt: number
-	blockedUntil: number
-}
-
-type PendingChallenge = {
-	token: string
-	provider: string
-	expiresAt: number
-}
-
-const DEFAULT_SIGN_IN_RATE_LIMIT = {
-	maxAttempts: 10,
-	windowMs: 10 * 60 * 1000,
-	blockDurationMs: 15 * 60 * 1000,
-}
-
-const DEFAULT_SIGN_UP_RATE_LIMIT = {
-	maxAttempts: 10,
-	windowMs: 10 * 60 * 1000,
-	blockDurationMs: 15 * 60 * 1000,
-}
-
-const DEFAULT_VERIFY_CHALLENGE_RATE_LIMIT = {
-	maxAttempts: 10,
-	windowMs: 10 * 60 * 1000,
-	blockDurationMs: 15 * 60 * 1000,
-}
-
-const DEFAULT_MFA_CHALLENGE_TTL_MS = 5 * 60 * 1000
-
-const rateLimitStorage = new Map<string, RateLimitState>()
-
-const getRateLimitOptions = <T extends WabeTypes>(
-	context: WabeContext<T>,
-	scope: RateLimitScope,
-): RateLimitOptions => {
-	const wabeConfig = context.wabe.config
-	const securityConfig = wabeConfig?.authentication?.security
-	const scopeConfigMap = {
-		signIn: securityConfig?.signInRateLimit,
-		signUp: securityConfig?.signUpRateLimit,
-		verifyChallenge: securityConfig?.verifyChallengeRateLimit,
-	}
-	const defaultsMap = {
-		signIn: DEFAULT_SIGN_IN_RATE_LIMIT,
-		signUp: DEFAULT_SIGN_UP_RATE_LIMIT,
-		verifyChallenge: DEFAULT_VERIFY_CHALLENGE_RATE_LIMIT,
-	}
-	const scopeConfig = scopeConfigMap[scope]
-	const defaults = defaultsMap[scope]
-
-	return {
-		enabled: scopeConfig?.enabled ?? !!wabeConfig?.isProduction,
-		maxAttempts: scopeConfig?.maxAttempts ?? defaults.maxAttempts,
-		windowMs: scopeConfig?.windowMs ?? defaults.windowMs,
-		blockDurationMs: scopeConfig?.blockDurationMs ?? defaults.blockDurationMs,
-	}
-}
-
-const getRateLimitKey = (scope: RateLimitScope, key: string) =>
-	`${scope}:${key.trim().toLowerCase()}`
-
-export const isRateLimited = <T extends WabeTypes>(
-	context: WabeContext<T>,
-	scope: RateLimitScope,
-	key: string,
-): boolean => {
-	const options = getRateLimitOptions(context, scope)
-
-	if (!options.enabled) return false
-
-	const now = Date.now()
-	const storageKey = getRateLimitKey(scope, key)
-	const state = rateLimitStorage.get(storageKey)
-
-	if (!state) return false
-
-	if (state.blockedUntil <= now) {
-		if (state.windowStartedAt + options.windowMs <= now) {
-			rateLimitStorage.delete(storageKey)
-		}
-		return false
-	}
-
-	return true
-}
-
-export const registerRateLimitFailure = <T extends WabeTypes>(
-	context: WabeContext<T>,
-	scope: RateLimitScope,
-	key: string,
-) => {
-	const options = getRateLimitOptions(context, scope)
-
-	if (!options.enabled) return
-
-	const now = Date.now()
-	const storageKey = getRateLimitKey(scope, key)
-	const currentState = rateLimitStorage.get(storageKey)
-	const hasExpiredBlock =
-		!!currentState && currentState.blockedUntil > 0 && currentState.blockedUntil <= now
-	const shouldResetWindow =
-		!currentState || currentState.windowStartedAt + options.windowMs <= now || hasExpiredBlock
-
-	const state: RateLimitState = shouldResetWindow
-		? {
-				attempts: 0,
-				windowStartedAt: now,
-				blockedUntil: 0,
-			}
-		: currentState
-
-	state.attempts += 1
-
-	if (state.attempts >= options.maxAttempts) {
-		state.attempts = 0
-		state.windowStartedAt = now
-		state.blockedUntil = now + options.blockDurationMs
-	}
-
-	rateLimitStorage.set(storageKey, state)
-}
-
-export const clearRateLimit = <T extends WabeTypes>(
-	context: WabeContext<T>,
-	scope: RateLimitScope,
-	key: string,
-) => {
-	const options = getRateLimitOptions(context, scope)
-
-	if (!options.enabled) return
-
-	rateLimitStorage.delete(getRateLimitKey(scope, key))
-}
-
-const getMfaChallengeTTL = <T extends WabeTypes>(context: WabeContext<T>) =>
-	context.wabe.config?.authentication?.security?.mfaChallengeTtlMs || DEFAULT_MFA_CHALLENGE_TTL_MS
-
-const parsePendingChallenges = (input: unknown): PendingChallenge[] => {
-	if (!Array.isArray(input)) return []
-
-	return input.reduce((acc, item) => {
-		if (!item || typeof item !== 'object') return acc
-		const challenge = item as Record<string, unknown>
-		const token = typeof challenge.token === 'string' ? challenge.token : null
-		const provider = typeof challenge.provider === 'string' ? challenge.provider : null
-		const expiresAtRaw = challenge.expiresAt
-		const expiresAt = new Date(expiresAtRaw as string | Date).getTime()
-
-		if (!token || !provider || Number.isNaN(expiresAt)) return acc
-
-		acc.push({
-			token,
-			provider: provider.toLowerCase(),
-			expiresAt,
-		})
-		return acc
-	}, [] as PendingChallenge[])
-}
-
-const pruneExpiredChallenges = (challenges: PendingChallenge[]) => {
-	const now = Date.now()
-	return challenges.filter((challenge) => challenge.expiresAt > now)
-}
-
-const getUserPendingChallenges = async (
-	context: WabeContext<DevWabeTypes>,
-	userId: string,
-): Promise<PendingChallenge[] | null> => {
-	try {
-		const user = await getDatabaseController(context).getObject({
-			className: 'User',
-			id: userId,
-			context: contextWithRoot(context),
-			select: {
-				pendingChallenges: true,
-			},
-		})
-
-		return parsePendingChallenges(user?.pendingChallenges)
-	} catch {
-		return null
-	}
-}
-
-const saveUserPendingChallenges = async (
-	context: WabeContext<DevWabeTypes>,
-	userId: string,
-	challenges: PendingChallenge[],
-) =>
-	getDatabaseController(context).updateObject({
-		className: 'User',
-		id: userId,
-		context: contextWithRoot(context),
-		data: {
-			pendingChallenges: challenges.map((challenge) => ({
-				token: challenge.token,
-				provider: challenge.provider,
-				expiresAt: new Date(challenge.expiresAt),
-			})),
-		},
-		select: {},
-	})
-
-export const createMfaChallenge = async (
-	context: WabeContext<DevWabeTypes>,
-	{ userId, provider }: { userId: string; provider: string },
-): Promise<string> => {
-	const token = crypto.randomUUID()
-	const expiresAt = Date.now() + getMfaChallengeTTL(context)
-
-	const currentChallenges = (await getUserPendingChallenges(context, userId)) || []
-	const nextChallenges = [
-		...pruneExpiredChallenges(currentChallenges),
-		{
-			token,
-			provider: provider.toLowerCase(),
-			expiresAt,
-		},
-	]
-
-	await saveUserPendingChallenges(context, userId, nextChallenges)
-
-	return token
-}
-
-export const consumeMfaChallenge = async (
-	context: WabeContext<DevWabeTypes>,
-	{
-		challengeToken,
-		userId,
-		provider,
-	}: {
-		challengeToken: string
-		userId: string
-		provider: string
-	},
-): Promise<boolean> => {
-	const currentChallenges = await getUserPendingChallenges(context, userId)
-	if (!currentChallenges) return false
-
-	const activeChallenges = pruneExpiredChallenges(currentChallenges)
-	const normalizedProvider = provider.toLowerCase()
-	const isValid = activeChallenges.some(
-		(challenge) => challenge.token === challengeToken && challenge.provider === normalizedProvider,
-	)
-	const remainingChallenges = activeChallenges.filter(
-		(challenge) =>
-			!(challenge.token === challengeToken && challenge.provider === normalizedProvider),
-	)
-
-	if (remainingChallenges.length !== currentChallenges.length || isValid) {
-		await saveUserPendingChallenges(context, userId, remainingChallenges)
-	}
-
-	return isValid
-}
-
-export const shouldRequireMfaChallenge = <T extends WabeTypes>(context: WabeContext<T>) =>
-	context.wabe.config?.authentication?.security?.requireMfaChallengeInProduction ??
-	!!context.wabe.config?.isProduction