wabe 0.6.12 → 0.6.14

package/src/authentication/resolvers/signInWithResolver.test.ts

@@ -1,306 +0,0 @@
-import { describe, expect, it, mock, spyOn, afterEach } from 'bun:test'
-import { signInWithResolver } from './signInWithResolver'
-import { Session } from '../Session'
-import { SecondaryFactor } from '../interface'
-
-describe('SignInWith', () => {
-	const mockOnLogin = mock(() =>
-		Promise.resolve({
-			user: {
-				id: 'id',
-			},
-		}),
-	)
-	const mockOnSignUp = mock(() =>
-		Promise.resolve({
-			authenticationDataToSave: {
-				id: 'id',
-			},
-		}),
-	)
-
-	const mockCreateObject = mock(() => Promise.resolve({}))
-	const mockGetObject = mock(() => Promise.resolve({ pendingChallenges: [] }))
-	const mockUpdateObject = mock(() => Promise.resolve({}))
-
-	const mockOnSendChallenge = mock(() => Promise.resolve())
-	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
-
-	const context = {
-		wabe: {
-			controllers: {
-				database: {
-					getObject: mockGetObject,
-					updateObject: mockUpdateObject,
-				},
-			},
-			config: {
-				authentication: {
-					session: {
-						cookieSession: true,
-					},
-					customAuthenticationMethods: [
-						{
-							name: 'emailPassword',
-							input: {
-								email: { type: 'Email', required: true },
-								password: { type: 'String', required: true },
-							},
-							provider: {
-								onSignUp: mockOnSignUp,
-								onSignIn: mockOnLogin,
-							},
-						},
-						{
-							name: 'emailOTP',
-							input: {
-								email: {
-									type: 'Email',
-									required: true,
-								},
-								code: {
-									type: 'String',
-									required: true,
-								},
-							},
-							provider: {
-								onSendChallenge: mockOnSendChallenge,
-								onVerifyChallenge: mockOnVerifyChallenge,
-							},
-						},
-					],
-				},
-			},
-		},
-	}
-
-	afterEach(() => {
-		mockCreateObject.mockClear()
-		mockGetObject.mockClear()
-		mockUpdateObject.mockClear()
-		mockOnLogin.mockClear()
-		mockOnSignUp.mockClear()
-	})
-
-	it('should call the secondary factor authentication on signIn', async () => {
-		mockOnLogin.mockResolvedValueOnce({
-			user: {
-				id: 'id',
-				// @ts-expect-error
-				email: 'email@test.fr',
-				secondFA: {
-					enabled: true,
-					provider: SecondaryFactor.EmailOTP,
-				},
-			},
-		})
-
-		const res = await signInWithResolver(
-			{},
-			{
-				input: {
-					authentication: {
-						emailPassword: {
-							email: 'email@test.fr',
-							password: 'password',
-						},
-					},
-				},
-			},
-			// @ts-expect-error
-			context,
-		)
-
-		expect(mockOnLogin).toHaveBeenCalledTimes(1)
-		expect(mockOnLogin).toHaveBeenCalledWith({
-			input: {
-				email: 'email@test.fr',
-				password: 'password',
-			},
-			context: expect.any(Object),
-		})
-
-		expect(mockOnSendChallenge).toHaveBeenCalledTimes(1)
-		expect(mockOnSendChallenge).toHaveBeenCalledWith({
-			context: expect.any(Object),
-			user: expect.objectContaining({
-				email: 'email@test.fr',
-			}),
-		})
-
-		expect(res).toEqual({
-			accessToken: null,
-			refreshToken: null,
-			srp: null,
-			challengeToken: expect.any(String),
-			user: {
-				id: 'id',
-				email: 'email@test.fr',
-				secondFA: {
-					enabled: true,
-					// @ts-expect-error
-					provider: SecondaryFactor.EmailOTP,
-				},
-			},
-		})
-	})
-
-	it('should throw an error if no custom authentication configuration is provided', () => {
-		expect(
-			signInWithResolver(
-				{},
-				{
-					input: {
-						authentication: {
-							emailPassword: {
-								email: 'email@test.fr',
-								password: 'password',
-							},
-						},
-					},
-				},
-				{ wabe: { config: { authentication: undefined } } } as any,
-			),
-		).rejects.toThrow('No custom authentication methods found')
-	})
-
-	it('should throw an error if a custom authentication is provided but not in the custom authentication config', () => {
-		expect(
-			signInWithResolver(
-				{},
-				{
-					input: {
-						authentication: {
-							emailPassword: {
-								email: 'email@test.fr',
-								password: 'password',
-							},
-						},
-					},
-				},
-				{
-					wabe: {
-						config: {
-							authentication: {
-								customAuthenticationMethods: [
-									{
-										name: 'phonePassword',
-										input: {
-											email: {
-												type: 'Email',
-												required: true,
-											},
-											password: {
-												type: 'String',
-												required: true,
-											},
-										},
-										provider: {
-											onSignUp: mockOnSignUp,
-											onSignIn: mockOnLogin,
-										},
-									},
-								],
-							},
-						},
-					},
-				} as any,
-			),
-		).rejects.toThrow('No available custom authentication methods found')
-	})
-
-	it('should signInWith email and password when the user already exist (on cookieSession)', async () => {
-		const mockCreateSession = spyOn(Session.prototype, 'create').mockResolvedValue({
-			refreshToken: 'refreshToken',
-			accessToken: 'accessToken',
-			csrfToken: 'csrfToken',
-		} as any)
-
-		const mockSetCookie = mock(() => {})
-
-		const mockResponse = {
-			setCookie: mockSetCookie,
-		}
-
-		const res = await signInWithResolver(
-			{},
-			{
-				input: {
-					authentication: {
-						emailPassword: {
-							email: 'email@test.fr',
-							password: 'password',
-						},
-					},
-				},
-			},
-			{
-				...context,
-				response: mockResponse,
-			} as any,
-		)
-
-		expect(res).toEqual({
-			accessToken: 'accessToken',
-			refreshToken: 'refreshToken',
-			challengeToken: null,
-			user: {
-				id: 'id',
-			},
-			srp: undefined,
-		})
-		expect(mockOnLogin).toHaveBeenCalledTimes(1)
-		expect(mockOnLogin).toHaveBeenCalledWith({
-			input: {
-				email: 'email@test.fr',
-				password: 'password',
-			},
-			context: expect.any(Object),
-		})
-
-		expect(mockSetCookie).toHaveBeenCalledTimes(3)
-		expect(mockSetCookie).toHaveBeenNthCalledWith(1, 'refreshToken', 'refreshToken', {
-			httpOnly: true,
-			path: '/',
-			secure: true,
-			sameSite: 'Strict',
-			expires: expect.any(Date),
-		})
-
-		expect(mockSetCookie).toHaveBeenNthCalledWith(2, 'accessToken', 'accessToken', {
-			httpOnly: true,
-			path: '/',
-			secure: true,
-			sameSite: 'Strict',
-			expires: expect.any(Date),
-		})
-
-		expect(mockSetCookie).toHaveBeenNthCalledWith(3, 'csrfToken', 'csrfToken', {
-			httpOnly: false,
-			path: '/',
-			secure: true,
-			sameSite: 'Strict',
-			expires: expect.any(Date),
-		})
-
-		// @ts-expect-error
-		const refreshTokenExpiresIn = mockSetCookie.mock.calls[0][2].expires
-		// @ts-expect-error
-		const accessTokenExpiresIn = mockSetCookie.mock.calls[1][2].expires
-
-		// - 1000 to avoid flaky
-		expect(refreshTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
-			1000 * 7 * 24 * 60 * 60 - 1000,
-		)
-		expect(accessTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
-			1000 * 15 * 60 - 1000,
-		)
-
-		expect(mockCreateSession).toHaveBeenCalledTimes(1)
-		expect(mockCreateSession).toHaveBeenCalledWith('id', expect.anything())
-
-		expect(mockOnSignUp).toHaveBeenCalledTimes(0)
-
-		mockCreateSession.mockRestore()
-	})
-})

package/src/authentication/resolvers/signInWithResolver.ts

@@ -1,106 +0,0 @@
-import type { SignInWithInput } from '../../../generated/wabe'
-import type { WabeContext } from '../../server/interface'
-import type { DevWabeTypes } from '../../utils/helper'
-import { getSessionCookieSameSite } from '../cookies'
-import { createMfaChallenge } from '../security'
-import { Session } from '../Session'
-import type { ProviderInterface, SecondaryProviderInterface } from '../interface'
-import { getAuthenticationMethod } from '../utils'
-
-// 0 - Get the authentication method
-// 1 - We check if the signIn is possible (call onSign)
-// 2 - If secondaryFactor is present, we call the onSendChallenge method of the provider
-// 3 - We create session
-export const signInWithResolver = async (
-	_: any,
-	{
-		input,
-	}: {
-		input: SignInWithInput
-	},
-	context: WabeContext<DevWabeTypes>,
-) => {
-	const { provider, name } = getAuthenticationMethod<DevWabeTypes, ProviderInterface<DevWabeTypes>>(
-		Object.keys(input.authentication || {}),
-		context,
-	)
-
-	const inputOfTheGoodAuthenticationMethod =
-		// @ts-expect-error
-		input.authentication[name]
-
-	// 1 - We call the onSignIn method of the provider
-	const { user, srp } = await provider.onSignIn({
-		input: inputOfTheGoodAuthenticationMethod,
-		context,
-	})
-
-	const userId = user.id
-
-	if (!userId) throw new Error('Authentication failed')
-
-	const secondFAObject = user.secondFA
-
-	// 2 - We call the onSendChallenge method of the provider
-	if (secondFAObject?.enabled) {
-		const secondaryProvider = getAuthenticationMethod<
-			DevWabeTypes,
-			SecondaryProviderInterface<DevWabeTypes>
-		>([secondFAObject.provider], context)
-
-		await secondaryProvider.provider.onSendChallenge?.({
-			context,
-			// @ts-expect-error
-			user,
-		})
-
-		const challengeToken = await createMfaChallenge(context, {
-			userId,
-			provider: secondFAObject.provider,
-		})
-
-		return {
-			accessToken: null,
-			refreshToken: null,
-			user,
-			challengeToken,
-			srp: null,
-		}
-	}
-
-	const session = new Session<DevWabeTypes>()
-
-	const { refreshToken, accessToken, csrfToken } = await session.create(userId, context)
-
-	if (context.wabe.config.authentication?.session?.cookieSession) {
-		const accessTokenExpiresAt = session.getAccessTokenExpireAt(context.wabe.config)
-		const refreshTokenExpiresAt = session.getRefreshTokenExpireAt(context.wabe.config)
-		const sameSite = getSessionCookieSameSite(context.wabe.config)
-
-		context.response?.setCookie('refreshToken', refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: refreshTokenExpiresAt,
-		})
-
-		context.response?.setCookie('accessToken', accessToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: accessTokenExpiresAt,
-		})
-
-		context.response?.setCookie('csrfToken', csrfToken, {
-			httpOnly: false, // OWASP specification specify that the csrfToken should not be httpOnly
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: accessTokenExpiresAt,
-		})
-	}
-
-	return { accessToken, refreshToken, user, srp, challengeToken: null }
-}

package/src/authentication/resolvers/signOutResolver.test.ts

@@ -1,38 +0,0 @@
-import { describe, expect, it, mock, spyOn } from 'bun:test'
-import { signOutResolver } from './signOutResolver'
-import { Session } from '../Session'
-
-describe('signOut', () => {
-	const mockDeleteCookie = mock(() => {})
-
-	const context = {
-		sessionId: 'sessionId',
-		wabe: {
-			config: {
-				authentication: {
-					session: {
-						cookieSession: true,
-					},
-				},
-			},
-		},
-		response: {
-			deleteCookie: mockDeleteCookie,
-		},
-	} as any
-
-	it('should sign out the current user', async () => {
-		const spyDeleteSession = spyOn(Session.prototype, 'delete').mockResolvedValue(undefined)
-
-		const res = await signOutResolver(undefined, {}, context)
-
-		expect(res).toBe(true)
-
-		expect(spyDeleteSession).toHaveBeenCalledTimes(1)
-		expect(spyDeleteSession).toHaveBeenCalledWith(context)
-
-		expect(mockDeleteCookie).toHaveBeenCalledTimes(2)
-		expect(mockDeleteCookie).toHaveBeenNthCalledWith(1, 'accessToken')
-		expect(mockDeleteCookie).toHaveBeenNthCalledWith(2, 'refreshToken')
-	})
-})

package/src/authentication/resolvers/signOutResolver.ts

@@ -1,18 +0,0 @@
-import type { WabeContext } from '../../server/interface'
-import type { DevWabeTypes } from '../../utils/helper'
-import { Session } from '../Session'
-
-export const signOutResolver = async (_: any, __: any, context: WabeContext<DevWabeTypes>) => {
-	const session = new Session<DevWabeTypes>()
-
-	// For the moment we only delete the session because we suppose the token
-	// are used with headers. We will need to delete the cookies in the future.
-	await session.delete(context)
-
-	if (context.wabe.config.authentication?.session?.cookieSession) {
-		context.response?.deleteCookie('accessToken')
-		context.response?.deleteCookie('refreshToken')
-	}
-
-	return true
-}

package/src/authentication/resolvers/signUpWithResolver.test.ts

@@ -1,180 +0,0 @@
-import { beforeAll, afterAll, describe, expect, it, beforeEach } from 'bun:test'
-import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
-import type { Wabe } from '../../server'
-import { gql } from 'graphql-request'
-import { setupTests, closeTests } from '../../utils/testHelper'
-
-describe('SignUpWith', () => {
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	beforeEach(async () => {
-		await wabe.controllers.database.clearDatabase()
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	it('should throw an error if user already exist with emailPassword', async () => {
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-
-		await anonymousClient.request<any>(
-			gql`
-				mutation signUpWith($input: SignUpWithInput!) {
-					signUpWith(input: $input) {
-						id
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPassword: {
-							email: 'test@gmail.com',
-							password: 'password',
-						},
-					},
-				},
-			},
-		)
-
-		expect(
-			anonymousClient.request<any>(
-				gql`
-					mutation signUpWith($input: SignUpWithInput!) {
-						signUpWith(input: $input) {
-							id
-						}
-					}
-				`,
-				{
-					input: {
-						authentication: {
-							emailPassword: {
-								email: 'test@gmail.com',
-								password: 'password',
-							},
-						},
-					},
-				},
-			),
-		).rejects.toThrow('Not authorized to create user')
-	})
-
-	it('should throw an error if the signUp is disabled', () => {
-		if (wabe.config) {
-			wabe.config.authentication = {
-				...wabe.config.authentication,
-				disableSignUp: true,
-			}
-		}
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-
-		const userSchema = wabe.config.schema?.classes?.find((classItem) => classItem.name === 'User')
-
-		if (!userSchema) throw new Error('Failed to find user schema')
-
-		// @ts-expect-error
-		userSchema.permissions.create.requireAuthentication = true
-
-		expect(
-			anonymousClient.request<any>(
-				gql`
-					mutation signUpWith($input: SignUpWithInput!) {
-						signUpWith(input: $input) {
-							id
-						}
-					}
-				`,
-				{
-					input: {
-						authentication: {
-							emailPassword: {
-								email: 'email@test.fr',
-								password: 'password',
-							},
-						},
-					},
-				},
-			),
-		).rejects.toThrow('SignUp is disabled')
-
-		if (wabe.config) {
-			wabe.config.authentication = {
-				...wabe.config.authentication,
-				disableSignUp: false,
-			}
-		}
-	})
-
-	it('should block the signUpWith if the user creation is blocked for anonymous (the creation is done with root to avoid ACL issues)', () => {
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-
-		const userSchema = wabe.config.schema?.classes?.find((classItem) => classItem.name === 'User')
-
-		if (!userSchema) throw new Error('Failed to find user schema')
-
-		// @ts-expect-error
-		userSchema.permissions.create.requireAuthentication = true
-
-		expect(
-			anonymousClient.request<any>(
-				gql`
-					mutation signUpWith($input: SignUpWithInput!) {
-						signUpWith(input: $input) {
-							id
-						}
-					}
-				`,
-				{
-					input: {
-						authentication: {
-							emailPassword: {
-								email: 'email@test.fr',
-								password: 'password',
-							},
-						},
-					},
-				},
-			),
-		).rejects.toThrow('Permission denied to create class User')
-
-		// @ts-expect-error
-		userSchema.permissions.create.requireAuthentication = false
-	})
-
-	it('should signUpWith email and password when the user not exist', async () => {
-		const anonymousClient = getAnonymousClient(wabe.config.port)
-
-		const res = await anonymousClient.request<any>(
-			gql`
-				mutation signUpWith($input: SignUpWithInput!) {
-					signUpWith(input: $input) {
-						id
-						accessToken
-						refreshToken
-					}
-				}
-			`,
-			{
-				input: {
-					authentication: {
-						emailPassword: {
-							email: 'test@gmail.com',
-							password: 'password',
-						},
-					},
-				},
-			},
-		)
-
-		expect(res.signUpWith.id).toEqual(expect.any(String))
-		expect(res.signUpWith.accessToken).toEqual(expect.any(String))
-		expect(res.signUpWith.refreshToken).toEqual(expect.any(String))
-	})
-})

package/src/authentication/resolvers/signUpWithResolver.ts

@@ -1,68 +0,0 @@
-import type { SignUpWithInput } from '../../../generated/wabe'
-import type { WabeContext } from '../../server/interface'
-import { getSessionCookieSameSite } from '../cookies'
-import { Session } from '../Session'
-
-// 0 - Get the authentication method
-// 1 - We check if the signUp is possible (call onSign)
-// 2 - We create the user
-// 3 - We create session
-export const signUpWithResolver = async (
-	_: any,
-	{
-		input,
-	}: {
-		input: SignUpWithInput
-	},
-	context: WabeContext<any>,
-) => {
-	if (context.wabe.config.authentication?.disableSignUp) throw new Error('SignUp is disabled')
-
-	// Create object call the provider signUp
-	const res = await context.wabe.controllers.database.createObject({
-		className: 'User',
-		data: {
-			authentication: input.authentication,
-		},
-		context,
-		select: { id: true },
-	})
-
-	const createdUserId = res?.id
-
-	const session = new Session<any>()
-
-	if (!createdUserId) throw new Error('User not created')
-
-	const { accessToken, refreshToken, csrfToken } = await session.create(createdUserId, context)
-
-	if (context.wabe.config.authentication?.session?.cookieSession) {
-		const sameSite = getSessionCookieSameSite(context.wabe.config)
-
-		context.response?.setCookie('refreshToken', refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: session.getRefreshTokenExpireAt(context.wabe.config),
-		})
-
-		context.response?.setCookie('accessToken', accessToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: session.getAccessTokenExpireAt(context.wabe.config),
-		})
-
-		context.response?.setCookie('csrfToken', csrfToken, {
-			httpOnly: false, // OWASP specification specify that the csrfToken should not be httpOnly
-			path: '/',
-			sameSite,
-			secure: true,
-			expires: session.getAccessTokenExpireAt(context.wabe.config),
-		})
-	}
-
-	return { accessToken, refreshToken, id: createdUserId }
-}