wabe 0.6.12 → 0.6.14

package/src/authentication/providers/PhonePassword.test.ts

@@ -1,221 +0,0 @@
-import { describe, expect, it, mock, spyOn, afterEach, afterAll } from 'bun:test'
-import * as crypto from '../../utils/crypto'
-
-import { PhonePassword } from './PhonePassword'
-
-describe('Phone password', () => {
-	const mockGetObject = mock(() => Promise.resolve(null)) as any
-	const mockGetObjects = mock(() => Promise.resolve([]))
-	const mockCount = mock(() => Promise.resolve(0)) as any
-	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
-
-	const spyArgonPasswordVerify = spyOn(crypto, 'verifyArgon2')
-	const spyBunPasswordHash = spyOn(crypto, 'hashArgon2')
-
-	const controllers = {
-		controllers: {
-			database: {
-				getObject: mockGetObject,
-				getObjects: mockGetObjects,
-				createObject: mockCreateObject,
-				count: mockCount,
-			},
-		},
-	} as any
-
-	afterEach(() => {
-		mockGetObject.mockClear()
-		mockGetObjects.mockClear()
-		mockCount.mockClear()
-		mockCreateObject.mockClear()
-		spyArgonPasswordVerify.mockClear()
-		spyBunPasswordHash.mockClear()
-	})
-
-	afterAll(() => {
-		spyArgonPasswordVerify.mockRestore()
-		spyBunPasswordHash.mockRestore()
-	})
-
-	const phonePassword = new PhonePassword()
-
-	it('should signUp with phone password', async () => {
-		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
-
-		const {
-			authenticationDataToSave: { phone },
-		} = await phonePassword.onSignUp({
-			context: { wabe: controllers } as any,
-			input: { phone: 'phone@test.fr', password: 'password' },
-		})
-
-		expect(phone).toBe('phone@test.fr')
-	})
-
-	it('should signIn with phone password', async () => {
-		mockGetObjects.mockResolvedValue([
-			{
-				id: 'userId',
-				authentication: {
-					phonePassword: {
-						phone: 'phone@test.fr',
-						password: 'hashedPassword',
-					},
-				},
-			} as never,
-		])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		const { user } = await phonePassword.onSignIn({
-			context: { wabe: controllers } as any,
-			input: { phone: 'phone@test.fr', password: 'password' },
-		})
-
-		expect(user).toEqual({
-			id: 'userId',
-			authentication: {
-				phonePassword: {
-					phone: 'phone@test.fr',
-					password: 'hashedPassword',
-				},
-			},
-		})
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-		expect(spyArgonPasswordVerify).toHaveBeenCalledWith('password', 'hashedPassword')
-	})
-
-	it('should not signIn with phone password if password is undefined', () => {
-		spyArgonPasswordVerify.mockResolvedValueOnce(false)
-
-		expect(
-			phonePassword.onSignIn({
-				context: { wabe: controllers } as any,
-				// @ts-expect-error
-				input: { phone: 'phone@test.fr' },
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-	})
-
-	it('should not signIn with phone password if there is no user found', () => {
-		mockGetObjects.mockResolvedValue([])
-
-		expect(
-			phonePassword.onSignIn({
-				context: { wabe: controllers } as any,
-				input: {
-					phone: 'invalidEmail@test.fr',
-					password: 'password',
-				},
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-	})
-
-	it('should not signIn with phone password if there is phone is invalid', () => {
-		mockGetObjects.mockResolvedValue([
-			{
-				authentication: {
-					phonePassword: {
-						password: 'hashedPassword',
-					},
-				},
-			} as never,
-		])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		expect(
-			phonePassword.onSignIn({
-				context: { wabe: controllers } as any,
-				input: {
-					phone: 'invalidEmail@test.fr',
-					password: 'password',
-				},
-			}),
-		).rejects.toThrow('Invalid authentication credentials')
-
-		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
-	})
-
-	it('should rate limit signUp attempts in production', async () => {
-		mockCount.mockResolvedValue(1)
-
-		const context = {
-			wabe: {
-				...controllers,
-				config: {
-					isProduction: true,
-					authentication: {
-						security: {
-							signUpRateLimit: {
-								enabled: true,
-								maxAttempts: 2,
-								windowMs: 60_000,
-								blockDurationMs: 60_000,
-							},
-						},
-					},
-				},
-			},
-		} as any
-
-		const input = {
-			phone: 'ratelimit-signup-phone-password',
-			password: 'password',
-		}
-
-		await expect(phonePassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-		await expect(phonePassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-
-		const callsBeforeBlockedAttempt = mockCount.mock.calls.length
-
-		await expect(phonePassword.onSignUp({ context, input })).rejects.toThrow(
-			'Not authorized to create user',
-		)
-
-		expect(mockCount.mock.calls.length).toBe(callsBeforeBlockedAttempt)
-	})
-
-	it('should not update authentication data if there is no user found', () => {
-		mockGetObjects.mockResolvedValue([])
-
-		spyArgonPasswordVerify.mockResolvedValueOnce(true)
-
-		expect(
-			phonePassword.onUpdateAuthenticationData?.({
-				context: { wabe: controllers } as any,
-				input: {
-					phone: 'phone@test.fr',
-					password: 'password',
-				},
-				userId: 'userId',
-			}),
-		).rejects.toThrow('User not found')
-	})
-
-	it('should update authentication data if the userId match with an user', async () => {
-		mockGetObject.mockResolvedValue({
-			id: 'id',
-		})
-
-		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
-
-		const res = await phonePassword.onUpdateAuthenticationData?.({
-			context: { wabe: controllers } as any,
-			input: {
-				phone: 'phone@test.fr',
-				password: 'password',
-			},
-			userId: 'userId',
-		})
-
-		expect(res.authenticationDataToSave.phone).toBe('phone@test.fr')
-	})
-})

package/src/authentication/providers/PhonePassword.ts

@@ -1,136 +0,0 @@
-import type {
-	AuthenticationEventsOptions,
-	AuthenticationEventsOptionsWithUserId,
-	ProviderInterface,
-} from '../interface'
-import { contextWithRoot, verifyArgon2 } from '../../utils/export'
-import type { DevWabeTypes } from '../../utils/helper'
-import { clearRateLimit, isRateLimited, registerRateLimitFailure } from '../security'
-
-const DUMMY_PASSWORD_HASH =
-	'$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U'
-
-type PhonePasswordInterface = {
-	password: string
-	phone: string
-	otp?: string
-}
-
-export class PhonePassword implements ProviderInterface<DevWabeTypes, PhonePasswordInterface> {
-	async onSignIn({
-		input,
-		context,
-	}: AuthenticationEventsOptions<DevWabeTypes, PhonePasswordInterface>) {
-		const normalizedPhone = input.phone.trim().toLowerCase()
-		const rateLimitKey = `phonePassword:${normalizedPhone}`
-
-		if (isRateLimited(context, 'signIn', rateLimitKey))
-			throw new Error('Invalid authentication credentials')
-
-		const users = await context.wabe.controllers.database.getObjects({
-			className: 'User',
-			where: {
-				authentication: {
-					phonePassword: {
-						phone: { equalTo: normalizedPhone },
-					},
-				},
-			},
-			context: contextWithRoot(context),
-			select: {
-				authentication: true,
-				role: true,
-				secondFA: true,
-				email: true,
-				id: true,
-				provider: true,
-				isOauth: true,
-				createdAt: true,
-				updatedAt: true,
-			},
-			first: 1,
-		})
-
-		const user = users[0]
-		const userDatabasePassword = user?.authentication?.phonePassword?.password
-
-		const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH
-
-		const isPasswordEquals = await verifyArgon2(input.password, passwordHashToCheck)
-
-		if (
-			!user ||
-			!isPasswordEquals ||
-			normalizedPhone !== user.authentication?.phonePassword?.phone
-		) {
-			registerRateLimitFailure(context, 'signIn', rateLimitKey)
-			throw new Error('Invalid authentication credentials')
-		}
-
-		clearRateLimit(context, 'signIn', rateLimitKey)
-
-		return {
-			user,
-		}
-	}
-
-	async onSignUp({
-		input,
-		context,
-	}: AuthenticationEventsOptions<DevWabeTypes, PhonePasswordInterface>) {
-		const normalizedPhone = input.phone.trim().toLowerCase()
-		const rateLimitKey = `phonePassword:${normalizedPhone}`
-
-		if (isRateLimited(context, 'signUp', rateLimitKey))
-			throw new Error('Not authorized to create user')
-
-		const users = await context.wabe.controllers.database.count({
-			className: 'User',
-			where: {
-				authentication: {
-					phonePassword: {
-						phone: { equalTo: normalizedPhone },
-					},
-				},
-			},
-			context: contextWithRoot(context),
-		})
-
-		if (users > 0) {
-			registerRateLimitFailure(context, 'signUp', rateLimitKey)
-			throw new Error('Not authorized to create user')
-		}
-
-		clearRateLimit(context, 'signUp', rateLimitKey)
-
-		return {
-			authenticationDataToSave: {
-				phone: normalizedPhone,
-				password: input.password,
-			},
-		}
-	}
-
-	async onUpdateAuthenticationData({
-		userId,
-		input,
-		context,
-	}: AuthenticationEventsOptionsWithUserId<DevWabeTypes, PhonePasswordInterface>) {
-		const normalizedPhone = input.phone.trim().toLowerCase()
-		const user = await context.wabe.controllers.database.getObject({
-			className: 'User',
-			id: userId,
-			context: contextWithRoot(context),
-			select: { authentication: true },
-		})
-
-		if (!user) throw new Error('User not found')
-
-		return {
-			authenticationDataToSave: {
-				phone: normalizedPhone ?? user?.authentication?.phonePassword?.phone,
-				password: input.password ? input.password : user?.authentication?.phonePassword?.password,
-			},
-		}
-	}
-}

package/src/authentication/providers/QRCodeOTP.test.ts

@@ -1,77 +0,0 @@
-import { describe, expect, it, beforeAll, afterAll, afterEach } from 'bun:test'
-import type { DevWabeTypes } from '../../utils/helper'
-import { setupTests, closeTests } from '../../utils/testHelper'
-import type { Wabe } from '../..'
-import { OTP } from '../OTP'
-import { QRCodeOTP } from './QRCodeOTP'
-
-describe('QRCodeOTPProvider', () => {
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	afterEach(async () => {
-		await wabe.controllers.database.clearDatabase()
-	})
-
-	it('should return the userId if the OTP code is valid', async () => {
-		const createdUser = await wabe.controllers.database.createObject({
-			className: 'User',
-			context: {
-				wabe,
-				isRoot: true,
-			},
-			data: {
-				email: 'email@test.fr',
-			},
-			select: {
-				id: true,
-			},
-		})
-
-		if (!createdUser) throw new Error('User not created')
-
-		const otp = new OTP(wabe.config.rootKey).authenticatorGenerate(createdUser.id)
-
-		const qrCodeOTP = new QRCodeOTP()
-
-		expect(
-			await qrCodeOTP.onVerifyChallenge({
-				context: {
-					wabe,
-					isRoot: false,
-				},
-				input: {
-					email: 'email@test.fr',
-					otp,
-				},
-			}),
-		).toEqual({
-			userId: createdUser.id,
-		})
-	})
-
-	it("should return null if the user doesn't exist", async () => {
-		const qrCodeOTP = new QRCodeOTP()
-
-		expect(
-			await qrCodeOTP.onVerifyChallenge({
-				context: {
-					wabe,
-					isRoot: false,
-				},
-				input: {
-					email: 'email@test.fr',
-					otp: '123456',
-				},
-			}),
-		).toEqual(null)
-	})
-})

package/src/authentication/providers/QRCodeOTP.ts

@@ -1,69 +0,0 @@
-import { contextWithRoot } from '../..'
-import type { DevWabeTypes } from '../../utils/helper'
-import type { OnVerifyChallengeOptions, SecondaryProviderInterface } from '../interface'
-import { OTP } from '../OTP'
-import { clearRateLimit, isRateLimited, registerRateLimitFailure } from '../security'
-
-const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
-
-type QRCodeOTPInterface = {
-	email: string
-	otp: string
-}
-
-export class QRCodeOTP implements SecondaryProviderInterface<DevWabeTypes, QRCodeOTPInterface> {
-	async onSendChallenge() {
-		// The user should check the application and get the OTP code
-	}
-
-	async onVerifyChallenge({
-		context,
-		input,
-	}: OnVerifyChallengeOptions<DevWabeTypes, QRCodeOTPInterface>) {
-		const normalizedEmail = input.email.trim().toLowerCase()
-		const rateLimitKey = `qrCodeOtp:${normalizedEmail}`
-
-		if (isRateLimited(context, 'verifyChallenge', rateLimitKey)) return null
-
-		const users = await context.wabe.controllers.database.getObjects({
-			className: 'User',
-			where: {
-				email: {
-					equalTo: input.email,
-				},
-			},
-			select: {
-				authentication: true,
-				role: true,
-				secondFA: true,
-				email: true,
-				id: true,
-				provider: true,
-				isOauth: true,
-				createdAt: true,
-				updatedAt: true,
-			},
-			first: 1,
-			context: contextWithRoot(context),
-		})
-
-		const realUser = users.length > 0 ? users[0] : null
-		const userId = realUser?.id ?? DUMMY_USER_ID
-
-		const isDevBypass =
-			!context.wabe.config.isProduction && input.otp === '000000' && realUser !== null
-
-		const otpClass = new OTP(context.wabe.config.rootKey)
-
-		const isOtpValid = otpClass.authenticatorVerify(input.otp, userId)
-
-		if (realUser && (isOtpValid || isDevBypass)) {
-			clearRateLimit(context, 'verifyChallenge', rateLimitKey)
-			return { userId: realUser.id }
-		}
-
-		registerRateLimitFailure(context, 'verifyChallenge', rateLimitKey)
-
-		return null
-	}
-}

package/src/authentication/providers/index.ts

@@ -1,6 +0,0 @@
-export * from './EmailPassword'
-export * from './Google'
-export * from './GitHub'
-export * from './PhonePassword'
-export * from './EmailOTP'
-export * from './QRCodeOTP'

package/src/authentication/resolvers/refreshResolver.test.ts

@@ -1,30 +0,0 @@
-import { describe, expect, it, spyOn } from 'bun:test'
-import { refreshResolver } from './refreshResolver'
-import type { WabeContext } from '../../server/interface'
-import { Session } from '../Session'
-
-const context: WabeContext<any> = {
-	sessionId: 'sessionId',
-	user: {} as any,
-	isRoot: false,
-} as WabeContext<any>
-
-describe('refreshResolver', () => {
-	it('should refresh the session', async () => {
-		const spyRefreshSession = spyOn(Session.prototype, 'refresh').mockResolvedValue({} as any)
-
-		await refreshResolver(
-			null,
-			{
-				input: {
-					accessToken: 'accessToken',
-					refreshToken: 'refreshToken',
-				},
-			},
-			context,
-		)
-
-		expect(spyRefreshSession).toHaveBeenCalledTimes(1)
-		expect(spyRefreshSession).toHaveBeenCalledWith('accessToken', 'refreshToken', context)
-	})
-})

package/src/authentication/resolvers/refreshResolver.ts

@@ -1,19 +0,0 @@
-import type { WabeContext } from '../../server/interface'
-import type { DevWabeTypes } from '../../utils/helper'
-import { Session } from '../Session'
-
-export const refreshResolver = async (_: any, args: any, context: WabeContext<DevWabeTypes>) => {
-	const {
-		input: { refreshToken, accessToken },
-	} = args
-
-	const session = new Session<DevWabeTypes>()
-
-	const { accessToken: newAccessToken, refreshToken: newRefreshToken } = await session.refresh(
-		accessToken,
-		refreshToken,
-		context,
-	)
-
-	return { accessToken: newAccessToken, refreshToken: newRefreshToken }
-}

package/src/authentication/resolvers/signInWithResolver.inte.test.ts

@@ -1,59 +0,0 @@
-import { describe, it, beforeAll, afterAll, expect } from 'bun:test'
-import { gql } from 'graphql-request'
-import type { Wabe } from 'src'
-import { getAdminUserClient, type DevWabeTypes } from 'src/utils/helper'
-import { setupTests, closeTests } from 'src/utils/testHelper'
-
-describe('signInWithResolver integration test', () => {
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	it('should return all fields of the user on signInWith resolver', async () => {
-		const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
-			email: 'admin@wabe.dev',
-			password: 'admin',
-		})
-		const res = await adminClient.request<any>(
-			gql`
-				mutation signInWith($input: SignInWithInput!) {
-					signInWith(input: $input) {
-						user {
-							id
-							authentication {
-								emailPassword {
-									email
-								}
-							}
-							role {
-								name
-							}
-						}
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPassword: {
-							email: 'admin@wabe.dev',
-							password: 'admin',
-						},
-					},
-				},
-			},
-		)
-
-		expect(res.signInWith.user.role.name).toBe('Admin')
-		expect(res.signInWith.user.authentication.emailPassword).toEqual({
-			email: 'admin@wabe.dev',
-		})
-	})
-})