wabe 0.6.12 → 0.6.14

package/src/authentication/providers/EmailOTP.ts

@@ -1,95 +0,0 @@
-import { contextWithRoot } from '../..'
-import { sendOtpCodeTemplate } from '../../email/templates/sendOtpCode'
-import type { DevWabeTypes } from '../../utils/helper'
-import type {
-	OnSendChallengeOptions,
-	OnVerifyChallengeOptions,
-	SecondaryProviderInterface,
-} from '../interface'
-import { OTP } from '../OTP'
-import { clearRateLimit, isRateLimited, registerRateLimitFailure } from '../security'
-
-const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
-
-type EmailOTPInterface = {
-	email: string
-	otp: string
-}
-
-export class EmailOTP implements SecondaryProviderInterface<DevWabeTypes, EmailOTPInterface> {
-	async onSendChallenge({ context, user }: OnSendChallengeOptions<DevWabeTypes>) {
-		const emailController = context.wabe.controllers.email
-
-		if (!emailController) throw new Error('Email controller not found')
-
-		const mainEmail = context.wabe.config.email?.mainEmail
-
-		if (!mainEmail) throw new Error('No main email found')
-
-		if (!user.email) throw new Error('No user email found')
-
-		const otpClass = new OTP(context.wabe.config.rootKey)
-
-		const otp = otpClass.generate(user.id)
-
-		const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode
-
-		await emailController.send({
-			from: mainEmail,
-			to: [user.email],
-			subject: template?.subject || 'Your OTP code',
-			html: template?.fn ? await template.fn({ otp }) : sendOtpCodeTemplate(otp),
-		})
-	}
-
-	async onVerifyChallenge({
-		context,
-		input,
-	}: OnVerifyChallengeOptions<DevWabeTypes, EmailOTPInterface>) {
-		const normalizedEmail = input.email.trim().toLowerCase()
-		const rateLimitKey = `emailOtp:${normalizedEmail}`
-
-		if (isRateLimited(context, 'verifyChallenge', rateLimitKey)) return null
-
-		const users = await context.wabe.controllers.database.getObjects({
-			className: 'User',
-			where: {
-				email: {
-					equalTo: input.email,
-				},
-			},
-			select: {
-				authentication: true,
-				role: true,
-				secondFA: true,
-				email: true,
-				id: true,
-				provider: true,
-				isOauth: true,
-				createdAt: true,
-				updatedAt: true,
-			},
-			first: 1,
-			context: contextWithRoot(context),
-		})
-
-		const realUser = users.length > 0 ? users[0] : null
-		const userId = realUser?.id ?? DUMMY_USER_ID
-
-		const isDevBypass =
-			!context.wabe.config.isProduction && input.otp === '000000' && realUser !== null
-
-		const otpClass = new OTP(context.wabe.config.rootKey)
-
-		const isOtpValid = otpClass.verify(input.otp, userId)
-
-		if (realUser && (isOtpValid || isDevBypass)) {
-			clearRateLimit(context, 'verifyChallenge', rateLimitKey)
-			return { userId: realUser.id }
-		}
-
-		registerRateLimitFailure(context, 'verifyChallenge', rateLimitKey)
-
-		return null
-	}
-}

package/src/authentication/providers/EmailPassword.test.ts

@@ -1,263 +0,0 @@
-import { describe, expect, it, mock, spyOn, afterEach, afterAll } from 'bun:test'
-import * as crypto from '../../utils/crypto'
-
-import { EmailPassword } from './EmailPassword'
-
-describe('Email password', () => {
-	const mockGetObjects = mock(() => Promise.resolve([]))
-	const mockCount = mock(() => Promise.resolve(0)) as any
-	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
-
-	const spyArgonPasswordVerify = spyOn(crypto, 'verifyArgon2')
-	const spyBunPasswordHash = spyOn(crypto, 'hashArgon2')
-
-	const controllers = {
-		controllers: {
-			database: {
-				getObjects: mockGetObjects,
-				createObject: mockCreateObject,
-				count: mockCount,
-			},
-		},
-	} as any
-
-	afterEach(() => {
-		mockGetObjects.mockClear()
-		mockCount.mockClear()
-		mockCreateObject.mockClear()
-		spyArgonPasswordVerify.mockClear()
-		spyBunPasswordHash.mockClear()
-	})
-
-	afterAll(() => {
-		spyArgonPasswordVerify.mockRestore()
-		spyBunPasswordHash.mockRestore()
-	})
-
-	const emailPassword = new EmailPassword()
-
-	it('should signUp with email password', async () => {
-		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
-
-		const {
-			authenticationDataToSave: { email },
-		} = await emailPassword.onSignUp({
-			context: { wabe: controllers } as any,
-			input: { email: 'email@test.fr', password: 'password' },
-		})
-
-		expect(email).toBe('email@test.fr')
-	})
-
-	it('should signIn with email password', async () => {
-		mockGetObjects.mockResolvedValue([
-			{
-				id: 'userId',
-				authentication: {
-					emailPassword: {
-						email: 'email@test.fr',
-						password: 'hashedPassword',
-					},
-				},
-			} as never,
-		])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		const { user } = await emailPassword.onSignIn({
-			context: { wabe: controllers } as any,
-			input: { email: 'email@test.fr', password: 'password' },
-		})
-
-		expect(user).toEqual({
-			id: 'userId',
-			authentication: {
-				emailPassword: {
-					email: 'email@test.fr',
-					password: 'hashedPassword',
-				},
-			},
-		})
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-		expect(spyArgonPasswordVerify).toHaveBeenCalledWith('password', 'hashedPassword')
-	})
-
-	it('should not signIn with email password if password is undefined', () => {
-		spyArgonPasswordVerify.mockResolvedValueOnce(false)
-
-		expect(
-			emailPassword.onSignIn({
-				context: { wabe: controllers } as any,
-				// @ts-expect-error
-				input: { email: 'email@test.fr' },
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-	})
-
-	it('should not signIn with email password if there is no user found', () => {
-		mockGetObjects.mockResolvedValue([])
-
-		expect(
-			emailPassword.onSignIn({
-				context: { wabe: controllers } as any,
-				input: {
-					email: 'invalidEmail@test.fr',
-					password: 'password',
-				},
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-	})
-
-	it('should not signIn with email password if there is email is invalid', () => {
-		mockGetObjects.mockResolvedValue([
-			{
-				authentication: {
-					emailPassword: {
-						password: 'hashedPassword',
-					},
-				},
-			} as never,
-		])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		expect(
-			emailPassword.onSignIn({
-				context: { wabe: controllers } as any,
-				input: {
-					email: 'invalidEmail@test.fr',
-					password: 'password',
-				},
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-	})
-
-	it('should rate limit signIn attempts in production', async () => {
-		mockGetObjects.mockResolvedValue([])
-
-		const context = {
-			wabe: {
-				...controllers,
-				config: {
-					isProduction: true,
-					authentication: {
-						security: {
-							signInRateLimit: {
-								enabled: true,
-								maxAttempts: 2,
-								windowMs: 60_000,
-								blockDurationMs: 60_000,
-							},
-						},
-					},
-				},
-			},
-		} as any
-
-		const input = {
-			email: 'ratelimit-email-password@test.fr',
-			password: 'password',
-		}
-
-		await expect(emailPassword.onSignIn({ context, input })).rejects.toThrow(
-			'Invalid authentication credentials',
-		)
-		await expect(emailPassword.onSignIn({ context, input })).rejects.toThrow(
-			'Invalid authentication credentials',
-		)
-
-		const callsBeforeBlockedAttempt = mockGetObjects.mock.calls.length
-
-		await expect(emailPassword.onSignIn({ context, input })).rejects.toThrow(
-			'Invalid authentication credentials',
-		)
-
-		expect(mockGetObjects.mock.calls.length).toBe(callsBeforeBlockedAttempt)
-	})
-
-	it('should rate limit signUp attempts in production', async () => {
-		mockCount.mockResolvedValue(1)
-
-		const context = {
-			wabe: {
-				...controllers,
-				config: {
-					isProduction: true,
-					authentication: {
-						security: {
-							signUpRateLimit: {
-								enabled: true,
-								maxAttempts: 2,
-								windowMs: 60_000,
-								blockDurationMs: 60_000,
-							},
-						},
-					},
-				},
-			},
-		} as any
-
-		const input = {
-			email: 'ratelimit-signup-email-password@test.fr',
-			password: 'password',
-		}
-
-		await expect(emailPassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-		await expect(emailPassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-
-		const callsBeforeBlockedAttempt = mockCount.mock.calls.length
-
-		await expect(emailPassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-
-		expect(mockCount.mock.calls.length).toBe(callsBeforeBlockedAttempt)
-	})
-
-	it('should not update authentication data if there is no user found', () => {
-		mockGetObjects.mockResolvedValue([])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		expect(
-			emailPassword.onUpdateAuthenticationData?.({
-				context: { wabe: controllers } as any,
-				input: {
-					email: 'email@test.fr',
-					password: 'password',
-				},
-				userId: 'userId',
-			}),
-		).rejects.toThrow('User not found')
-	})
-
-	it('should update authentication data if the userId match with an user', async () => {
-		mockGetObjects.mockResolvedValue([
-			{
-				id: 'id',
-			},
-		] as any)
-
-		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
-
-		const res = await emailPassword.onUpdateAuthenticationData?.({
-			context: { wabe: controllers } as any,
-			input: {
-				email: 'email@test.fr',
-				password: 'password',
-			},
-			userId: 'userId',
-		})
-
-		expect(res.authenticationDataToSave.email).toBe('email@test.fr')
-	})
-})

package/src/authentication/providers/EmailPassword.ts

@@ -1,138 +0,0 @@
-import type {
-	AuthenticationEventsOptions,
-	AuthenticationEventsOptionsWithUserId,
-	ProviderInterface,
-} from '../interface'
-import { contextWithRoot, verifyArgon2 } from '../../utils/export'
-import type { DevWabeTypes } from '../../utils/helper'
-import { clearRateLimit, isRateLimited, registerRateLimitFailure } from '../security'
-
-type EmailPasswordInterface = {
-	password: string
-	email: string
-	otp?: string
-}
-
-const DUMMY_PASSWORD_HASH =
-	'$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U'
-
-export class EmailPassword implements ProviderInterface<DevWabeTypes, EmailPasswordInterface> {
-	async onSignIn({
-		input,
-		context,
-	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
-		const normalizedEmail = input.email.trim().toLowerCase()
-		const rateLimitKey = `emailPassword:${normalizedEmail}`
-
-		if (isRateLimited(context, 'signIn', rateLimitKey))
-			throw new Error('Invalid authentication credentials')
-
-		const users = await context.wabe.controllers.database.getObjects({
-			className: 'User',
-			where: {
-				authentication: {
-					emailPassword: {
-						email: { equalTo: input.email },
-					},
-				},
-			},
-			context: contextWithRoot(context),
-			select: {
-				authentication: true,
-				role: true,
-				secondFA: true,
-				email: true,
-				id: true,
-				provider: true,
-				isOauth: true,
-				createdAt: true,
-				updatedAt: true,
-			},
-			first: 1,
-		})
-
-		const user = users[0]
-		const userDatabasePassword = user?.authentication?.emailPassword?.password
-
-		const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH
-
-		const isPasswordEquals = await verifyArgon2(input.password, passwordHashToCheck)
-
-		if (!user || !isPasswordEquals || input.email !== user.authentication?.emailPassword?.email) {
-			registerRateLimitFailure(context, 'signIn', rateLimitKey)
-			throw new Error('Invalid authentication credentials')
-		}
-
-		clearRateLimit(context, 'signIn', rateLimitKey)
-
-		return {
-			user,
-		}
-	}
-
-	async onSignUp({
-		input,
-		context,
-	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
-		const normalizedEmail = input.email.trim().toLowerCase()
-		const rateLimitKey = `emailPassword:${normalizedEmail}`
-
-		if (isRateLimited(context, 'signUp', rateLimitKey))
-			throw new Error('Not authorized to create user')
-
-		const users = await context.wabe.controllers.database.count({
-			className: 'User',
-			where: {
-				authentication: {
-					emailPassword: {
-						email: { equalTo: input.email },
-					},
-				},
-			},
-			context: contextWithRoot(context),
-		})
-
-		// Hide real message
-		if (users > 0) {
-			registerRateLimitFailure(context, 'signUp', rateLimitKey)
-			throw new Error('Not authorized to create user')
-		}
-
-		clearRateLimit(context, 'signUp', rateLimitKey)
-
-		return {
-			authenticationDataToSave: {
-				email: input.email,
-				password: input.password,
-			},
-		}
-	}
-
-	async onUpdateAuthenticationData({
-		userId,
-		input,
-		context,
-	}: AuthenticationEventsOptionsWithUserId<DevWabeTypes, EmailPasswordInterface>) {
-		const users = await context.wabe.controllers.database.getObjects({
-			className: 'User',
-			where: {
-				id: {
-					equalTo: userId,
-				},
-			},
-			context,
-			select: { authentication: true },
-		})
-
-		if (users.length === 0) throw new Error('User not found')
-
-		const user = users[0]
-
-		return {
-			authenticationDataToSave: {
-				email: input.email ?? user?.authentication?.emailPassword?.email,
-				password: input.password ? input.password : user?.authentication?.emailPassword?.password,
-			},
-		}
-	}
-}

package/src/authentication/providers/EmailPasswordSRP.test.ts

@@ -1,208 +0,0 @@
-import { afterAll, beforeAll, describe, it, expect } from 'bun:test'
-import { createSRPClient } from 'js-srp6a'
-import type { Wabe } from '../../server'
-import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
-import { setupTests, closeTests } from '../../utils/testHelper'
-import { gql } from 'graphql-request'
-
-describe('EmailPasswordSRP', () => {
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	it('should authenticate an user with SRP', async () => {
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-		const email = 'test@gmail.com'
-		const password = 'password'
-
-		const client = createSRPClient('SHA-256', 3072)
-
-		// Sign up
-		const salt = client.generateSalt()
-		const privateKey = await client.deriveSafePrivateKey(salt, password)
-		const verifier = client.deriveVerifier(privateKey)
-
-		await anonymousClient.request<any>(
-			gql`
-				mutation signUpWith($input: SignUpWithInput!) {
-					signUpWith(input: $input) {
-						accessToken
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPasswordSRP: {
-							email,
-							salt,
-							verifier,
-						},
-					},
-				},
-			},
-		)
-
-		// Sign in
-		const clientEphemeral = client.generateEphemeral()
-
-		const { signInWith } = await anonymousClient.request<any>(
-			gql`
-				mutation signInWith($input: SignInWithInput!) {
-					signInWith(input: $input) {
-						srp {
-							salt
-							serverPublic
-						}
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPasswordSRP: {
-							email,
-							clientPublic: clientEphemeral.public,
-						},
-					},
-				},
-			},
-		)
-
-		const clientSession = await client.deriveSession(
-			clientEphemeral.secret,
-			signInWith.srp.serverPublic,
-			salt,
-			'', // Because we don't hash the username
-			privateKey,
-		)
-
-		const { verifyChallenge } = await anonymousClient.request<any>(
-			gql`
-				mutation verifyChallenge($input: VerifyChallengeInput!) {
-					verifyChallenge(input: $input) {
-						srp {
-							serverSessionProof
-						}
-					}
-				}
-			`,
-			{
-				input: {
-					secondFA: {
-						emailPasswordSRPChallenge: {
-							email,
-							clientPublic: clientEphemeral.public,
-							clientSessionProof: clientSession.proof,
-						},
-					},
-				},
-			},
-		)
-
-		expect(
-			client.verifySession(
-				clientEphemeral.public,
-				clientSession,
-				verifyChallenge.srp.serverSessionProof,
-			),
-		).resolves.toBeUndefined()
-	})
-
-	it('should not authenticate with invalid password', async () => {
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-		const email = 'invalid@test.com'
-		const correctPassword = 'correct_password'
-		const wrongPassword = 'wrong_password'
-
-		const client = createSRPClient('SHA-256', 3072)
-
-		const salt = client.generateSalt()
-		const privateKey = await client.deriveSafePrivateKey(salt, correctPassword)
-		const verifier = client.deriveVerifier(privateKey)
-
-		await anonymousClient.request<any>(
-			gql`
-				mutation signUpWith($input: SignUpWithInput!) {
-					signUpWith(input: $input) {
-						accessToken
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPasswordSRP: { email, salt, verifier },
-					},
-				},
-			},
-		)
-
-		const clientEphemeral = client.generateEphemeral()
-
-		const { signInWith } = await anonymousClient.request<any>(
-			gql`
-				mutation signInWith($input: SignInWithInput!) {
-					signInWith(input: $input) {
-						srp {
-							salt
-							serverPublic
-						}
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPasswordSRP: {
-							email,
-							clientPublic: clientEphemeral.public,
-						},
-					},
-				},
-			},
-		)
-
-		// Derive with wrong password
-		const wrongPrivateKey = await client.deriveSafePrivateKey(salt, wrongPassword)
-		const wrongClientSession = await client.deriveSession(
-			clientEphemeral.secret,
-			signInWith.srp.serverPublic,
-			salt,
-			'',
-			wrongPrivateKey,
-		)
-
-		expect(
-			anonymousClient.request<any>(
-				gql`
-					mutation verifyChallenge($input: VerifyChallengeInput!) {
-						verifyChallenge(input: $input) {
-							srp {
-								serverSessionProof
-							}
-						}
-					}
-				`,
-				{
-					input: {
-						secondFA: {
-							emailPasswordSRPChallenge: {
-								email,
-								clientPublic: clientEphemeral.public,
-								clientSessionProof: wrongClientSession.proof,
-							},
-						},
-					},
-				},
-			),
-		).rejects.toThrow('Invalid authentication credentials')
-	})
-})