wabe 0.6.12 → 0.6.14

package/src/authentication/oauth/Google.ts

@@ -1,101 +0,0 @@
-import { OAuth2Client } from '.'
-import type { WabeConfig } from '../../server'
-import type { OAuth2ProviderWithPKCE, Tokens } from './utils'
-
-const authorizeEndpoint = 'https://accounts.google.com/o/oauth2/v2/auth'
-const tokenEndpoint = 'https://oauth2.googleapis.com/token'
-
-interface AuthorizationCodeResponseBody {
-	access_token: string
-	refresh_token?: string
-	expires_in: number
-	id_token: string
-}
-
-interface RefreshTokenResponseBody {
-	access_token: string
-	expires_in: number
-}
-
-export class Google implements OAuth2ProviderWithPKCE {
-	private client: OAuth2Client
-	private clientSecret: string
-
-	constructor(config: WabeConfig<any>) {
-		const googleConfig = config.authentication?.providers?.google
-
-		if (!googleConfig) throw new Error('Google config not found')
-
-		const baseUrl = `http${config.isProduction ? 's' : ''}://${config.authentication?.backDomain || '127.0.0.1:' + config.port || 3001}`
-
-		const redirectURI = `${baseUrl}/auth/oauth/callback`
-
-		this.client = new OAuth2Client(
-			googleConfig.clientId,
-			authorizeEndpoint,
-			tokenEndpoint,
-			redirectURI,
-		)
-
-		this.clientSecret = googleConfig.clientSecret
-	}
-
-	createAuthorizationURL(
-		state: string,
-		codeVerifier: string,
-		options?: {
-			scopes?: string[]
-		},
-	): URL {
-		const scopes = options?.scopes ?? []
-		const url = this.client.createAuthorizationURL({
-			state,
-			codeVerifier,
-			scopes: [...scopes, 'openid'],
-		})
-
-		url.searchParams.set('access_type', 'offline')
-		url.searchParams.set('prompt', 'select_account')
-
-		return url
-	}
-
-	async validateAuthorizationCode(code: string, codeVerifier: string): Promise<Tokens> {
-		const { access_token, expires_in, refresh_token, id_token } =
-			await this.client.validateAuthorizationCode<AuthorizationCodeResponseBody>(code, {
-				authenticateWith: 'request_body',
-				credentials: this.clientSecret,
-				codeVerifier,
-			})
-
-		return {
-			accessToken: access_token,
-			refreshToken: refresh_token,
-			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
-			idToken: id_token,
-		}
-	}
-
-	async refreshAccessToken(refreshToken: string): Promise<Tokens> {
-		const { access_token, expires_in } =
-			await this.client.refreshAccessToken<RefreshTokenResponseBody>(refreshToken, {
-				authenticateWith: 'request_body',
-				credentials: this.clientSecret,
-			})
-
-		return {
-			accessToken: access_token,
-			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
-		}
-	}
-
-	async getUserInfo(accessToken: string) {
-		const userInfo = await fetch(
-			`https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=${accessToken}`,
-		)
-
-		const { email, verified_email } = await userInfo.json()
-
-		return { email, verifiedEmail: verified_email }
-	}
-}

package/src/authentication/oauth/Oauth2Client.test.ts

@@ -1,219 +0,0 @@
-import { describe, expect, it, spyOn, mock, afterAll } from 'bun:test'
-import { fail } from 'node:assert'
-import { OAuth2Client } from './Oauth2Client'
-import { base64URLencode } from './utils'
-
-const mockFetch = mock(() => {})
-
-const originalFetch = global.fetch
-
-// @ts-expect-error
-global.fetch = mockFetch
-
-describe('Oauth2Client', () => {
-	const oauthClient = new OAuth2Client(
-		'clientId',
-		'https://authorizationEndpoint',
-		'https://tokenEndpoint',
-		'https://redirectURI',
-	)
-
-	afterAll(() => {
-		global.fetch = originalFetch
-	})
-
-	it('should create authorization URl', () => {
-		const authorizationURL = oauthClient.createAuthorizationURL()
-
-		expect(authorizationURL.toString()).toEqual(
-			'https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI',
-		)
-
-		const authorizationURLWithState = oauthClient.createAuthorizationURL({
-			state: 'state',
-		})
-
-		expect(authorizationURLWithState.toString()).toEqual(
-			'https://authorizationendpoint/?response_type=code&client_id=clientId&state=state&redirect_uri=https%3A%2F%2FredirectURI',
-		)
-
-		const authorizationURLWithScopes = oauthClient.createAuthorizationURL({
-			scopes: ['scope1', 'scope2'],
-		})
-
-		expect(authorizationURLWithScopes.toString()).toEqual(
-			'https://authorizationendpoint/?response_type=code&client_id=clientId&scope=scope1+scope2&redirect_uri=https%3A%2F%2FredirectURI',
-		)
-
-		const authorizationURLWithCodeVerifier = oauthClient.createAuthorizationURL({
-			codeVerifier: 'codeVerifier',
-		})
-
-		const codeChallenge = base64URLencode('codeVerifier')
-
-		expect(authorizationURLWithCodeVerifier.toString()).toEqual(
-			`https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI&code_challenge_method=S256&code_challenge=${codeChallenge.replace(
-				'/',
-				'%2F',
-			)}`,
-		)
-	})
-
-	it('should validate authorization code', async () => {
-		const spySendTokenRequest = spyOn(
-			OAuth2Client.prototype,
-			'_sendTokenRequest',
-		).mockResolvedValue({} as any)
-
-		await oauthClient.validateAuthorizationCode('code')
-
-		const expectedBody = new URLSearchParams()
-		expectedBody.set('code', 'code')
-		expectedBody.set('client_id', 'clientId')
-		expectedBody.set('grant_type', 'authorization_code')
-		expectedBody.set('redirect_uri', 'https://redirectURI')
-
-		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
-		const body = spySendTokenRequest.mock.calls[0]?.[0]
-		const options = spySendTokenRequest.mock.calls[0]?.[1]
-		expect(body?.toString()).toEqual(expectedBody.toString())
-		expect(options).toBeUndefined()
-
-		await oauthClient.validateAuthorizationCode('code', {
-			codeVerifier: 'codeVerifier',
-			authenticateWith: 'http_basic_auth',
-			credentials: 'credentials',
-		})
-
-		const expectedBody2 = new URLSearchParams()
-		expectedBody2.set('code', 'code')
-		expectedBody2.set('client_id', 'clientId')
-		expectedBody2.set('grant_type', 'authorization_code')
-		expectedBody2.set('redirect_uri', 'https://redirectURI')
-		expectedBody2.set('code_verifier', 'codeVerifier')
-
-		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
-		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
-		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
-		expect(body2?.toString()).toEqual(expectedBody2.toString())
-		expect(options2).toEqual({
-			codeVerifier: 'codeVerifier',
-			authenticateWith: 'http_basic_auth',
-			credentials: 'credentials',
-		} as any)
-
-		spySendTokenRequest.mockRestore()
-	})
-
-	it('should refresh access token', async () => {
-		const spySendTokenRequest = spyOn(
-			OAuth2Client.prototype,
-			'_sendTokenRequest',
-		).mockResolvedValue({} as any)
-
-		await oauthClient.refreshAccessToken('refreshToken')
-
-		const expectedBody = new URLSearchParams()
-		expectedBody.set('refresh_token', 'refreshToken')
-		expectedBody.set('client_id', 'clientId')
-		expectedBody.set('grant_type', 'refresh_token')
-
-		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
-		const body = spySendTokenRequest.mock.calls[0]?.[0]
-		const options = spySendTokenRequest.mock.calls[0]?.[1]
-		expect(body?.toString()).toEqual(expectedBody.toString())
-		expect(options).toBeUndefined()
-
-		await oauthClient.refreshAccessToken('refreshToken', {
-			authenticateWith: 'http_basic_auth',
-			credentials: 'credentials',
-		})
-
-		const expectedBody2 = new URLSearchParams()
-		expectedBody2.set('refresh_token', 'refreshToken')
-		expectedBody2.set('client_id', 'clientId')
-		expectedBody2.set('grant_type', 'refresh_token')
-
-		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
-		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
-		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
-		expect(body2?.toString()).toEqual(expectedBody2.toString())
-		expect(options2).toEqual({
-			authenticateWith: 'http_basic_auth',
-			credentials: 'credentials',
-		})
-
-		spySendTokenRequest.mockRestore()
-	})
-
-	it('should send token request', async () => {
-		mockFetch.mockResolvedValue({
-			json: () => Promise.resolve({ access_token: 'access_token' }),
-			ok: true,
-			status: 200,
-		} as never)
-
-		await oauthClient._sendTokenRequest(new URLSearchParams(), {
-			authenticateWith: 'http_basic_auth',
-			credentials: 'credentials',
-		})
-
-		const encodeCredentials = btoa('clientId:credentials')
-
-		expect(mockFetch).toHaveBeenCalledTimes(1)
-		// @ts-expect-error
-		const receivedRequest = mockFetch.mock.calls[0][0] as any
-
-		if (!receivedRequest) fail()
-		expect(receivedRequest.url).toEqual('https://tokenendpoint/')
-		expect(receivedRequest.method).toEqual('POST')
-		expect(receivedRequest.headers.get('content-type')).toEqual('application/x-www-form-urlencoded')
-		expect(receivedRequest.headers.get('accept')).toEqual('application/json')
-		expect(receivedRequest.headers.get('user-agent')).toEqual('wabe')
-		expect(receivedRequest.headers.get('authorization')).toEqual(`Basic ${encodeCredentials}`)
-
-		mockFetch.mockRestore()
-	})
-
-	it('should throw an error if the result of the request is not valid', () => {
-		mockFetch.mockResolvedValue({
-			json: () => Promise.resolve({}),
-			ok: false,
-		} as never)
-
-		expect(
-			oauthClient._sendTokenRequest(new URLSearchParams(), {
-				authenticateWith: 'http_basic_auth',
-				credentials: 'credentials',
-			}),
-		).rejects.toThrow('Error in token request')
-
-		mockFetch.mockResolvedValue({
-			json: () => Promise.resolve({}),
-			ok: true,
-			status: 400,
-		} as never)
-
-		expect(
-			oauthClient._sendTokenRequest(new URLSearchParams(), {
-				authenticateWith: 'http_basic_auth',
-				credentials: 'credentials',
-			}),
-		).rejects.toThrow('Error in token request')
-
-		mockFetch.mockResolvedValue({
-			json: () => Promise.resolve({}),
-			ok: true,
-			status: 200,
-		} as never)
-
-		expect(
-			oauthClient._sendTokenRequest(new URLSearchParams(), {
-				authenticateWith: 'http_basic_auth',
-				credentials: 'credentials',
-			}),
-		).rejects.toThrow('Error in token request')
-
-		mockFetch.mockRestore()
-	})
-})

package/src/authentication/oauth/Oauth2Client.ts

@@ -1,135 +0,0 @@
-// Code inspired by Oslo : https://github.com/pilcrowOnPaper/oslo/blob/main/src/oauth2/index.ts
-
-import { base64URLencode } from './utils'
-
-export interface TokenResponseBody {
-	access_token: string
-	token_type?: string
-	expires_in?: number
-	refresh_token?: string
-	scope?: string
-}
-
-export class OAuth2Client {
-	public clientId: string
-
-	private authorizeEndpoint: string
-	private tokenEndpoint: string
-	private redirectURI: string
-
-	constructor(
-		clientId: string,
-		authorizeEndpoint: string,
-		tokenEndpoint: string,
-		redirectURI: string,
-	) {
-		this.clientId = clientId
-		this.authorizeEndpoint = authorizeEndpoint
-		this.tokenEndpoint = tokenEndpoint
-		this.redirectURI = redirectURI
-	}
-
-	createAuthorizationURL(options?: {
-		state?: string
-		codeVerifier?: string
-		scopes?: string[]
-	}): URL {
-		const scopes = Array.from(new Set(options?.scopes || [])) // remove duplicates
-		const authorizationUrl = new URL(this.authorizeEndpoint)
-		authorizationUrl.searchParams.set('response_type', 'code')
-		authorizationUrl.searchParams.set('client_id', this.clientId)
-
-		if (options?.state !== undefined) authorizationUrl.searchParams.set('state', options.state)
-
-		if (scopes.length > 0) authorizationUrl.searchParams.set('scope', scopes.join(' '))
-
-		if (this.redirectURI !== null)
-			authorizationUrl.searchParams.set('redirect_uri', this.redirectURI)
-
-		if (options?.codeVerifier !== undefined) {
-			const codeChallenge = base64URLencode(options.codeVerifier)
-
-			authorizationUrl.searchParams.set('code_challenge_method', 'S256')
-			authorizationUrl.searchParams.set('code_challenge', codeChallenge)
-		}
-
-		return authorizationUrl
-	}
-
-	validateAuthorizationCode<_TokenResponseBody extends TokenResponseBody>(
-		authorizationCode: string,
-		options?: {
-			codeVerifier?: string
-			credentials?: string
-			authenticateWith?: 'http_basic_auth' | 'request_body'
-		},
-	): Promise<_TokenResponseBody> {
-		const body = new URLSearchParams()
-		body.set('code', authorizationCode)
-		body.set('client_id', this.clientId)
-		body.set('grant_type', 'authorization_code')
-
-		if (this.redirectURI !== null) body.set('redirect_uri', this.redirectURI)
-
-		if (options?.codeVerifier !== undefined) body.set('code_verifier', options.codeVerifier)
-
-		return this._sendTokenRequest<_TokenResponseBody>(body, options)
-	}
-
-	async refreshAccessToken<_TokenResponseBody extends TokenResponseBody>(
-		refreshToken: string,
-		options?: {
-			credentials?: string
-			authenticateWith?: 'http_basic_auth' | 'request_body'
-			scopes?: string[]
-		},
-	): Promise<_TokenResponseBody> {
-		const body = new URLSearchParams()
-		body.set('refresh_token', refreshToken)
-		body.set('client_id', this.clientId)
-		body.set('grant_type', 'refresh_token')
-
-		const scopes = Array.from(new Set(options?.scopes ?? [])) // remove duplicates
-		if (scopes.length > 0) body.set('scope', scopes.join(' '))
-
-		return await this._sendTokenRequest<_TokenResponseBody>(body, options)
-	}
-
-	async _sendTokenRequest<_TokenResponseBody extends TokenResponseBody>(
-		body: URLSearchParams,
-		options?: {
-			credentials?: string
-			authenticateWith?: 'http_basic_auth' | 'request_body'
-		},
-	): Promise<_TokenResponseBody> {
-		const headers = new Headers()
-		headers.set('Content-Type', 'application/x-www-form-urlencoded')
-		headers.set('Accept', 'application/json')
-		headers.set('User-Agent', 'wabe')
-
-		if (options?.credentials !== undefined) {
-			const authenticateWith = options?.authenticateWith || 'http_basic_auth'
-			if (authenticateWith === 'http_basic_auth') {
-				const encodedCredentials = btoa(`${this.clientId}:${options.credentials}`)
-				headers.set('Authorization', `Basic ${encodedCredentials}`)
-			} else {
-				body.set('client_secret', options.credentials)
-			}
-		}
-
-		const request = new Request(this.tokenEndpoint, {
-			method: 'POST',
-			headers,
-			body,
-		})
-
-		const response = await fetch(request)
-		const result: _TokenResponseBody = await response.json()
-
-		// providers are allowed to return non-400 status code for errors
-		if (!('access_token' in result) || response.status !== 200 || !response.ok)
-			throw new Error('Error in token request')
-
-		return result
-	}
-}

package/src/authentication/oauth/index.ts

@@ -1,2 +0,0 @@
-export * from './Oauth2Client'
-export * from './Google'

package/src/authentication/oauth/utils.test.ts

@@ -1,33 +0,0 @@
-import { describe, expect, it } from 'bun:test'
-import { base64URLencode, generateRandomValues } from './utils'
-
-describe('Oauth utils', () => {
-	it('should encode url with base64', () => {
-		const content = 'test'
-
-		// Keep Bun. here to be sure the compatibility between node and Bun implem
-		const hasher = new Bun.CryptoHasher('sha256')
-		hasher.update(new TextEncoder().encode(content))
-		const resultWithPadding = hasher.digest('base64')
-
-		const result = base64URLencode(content)
-
-		expect(resultWithPadding).toBe('n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=')
-		expect(result).toBe('n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg')
-	})
-
-	// Real use case check with oauth simulator
-	it('should encode correctly with base64', () => {
-		const content = 'bIaNJCsNzrZE7QEzYjwbl0fa1CyzF49moM6Ua4H0d5cG-l7d'
-		const result = base64URLencode(content)
-
-		expect(result).toBe('1pdL2CLvBbNBnrfBZeNYlFzpedMhUTbgyhn0CnWVYoc')
-	})
-
-	it('should generate random values for code_verifier or state', () => {
-		const randomValue = generateRandomValues()
-
-		// Google recommends an entropy between 43 and 128 characters for the code_verifier
-		expect(randomValue.length).toEqual(80)
-	})
-})

package/src/authentication/oauth/utils.ts

@@ -1,27 +0,0 @@
-import crypto from 'node:crypto'
-
-export interface Tokens {
-	accessToken: string
-	refreshToken?: string | null
-	accessTokenExpiresAt?: Date
-	refreshTokenExpiresAt?: Date | null
-	idToken?: string
-}
-
-export interface OAuth2ProviderWithPKCE {
-	createAuthorizationURL(state: string, codeVerifier: string): URL
-	validateAuthorizationCode(code: string, codeVerifier: string): Promise<Tokens>
-	refreshAccessToken?(refreshToken: string): Promise<Tokens>
-}
-
-// https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
-export const base64URLencode = (content: string) => {
-	const hasher = crypto.createHash('sha256').update(content)
-
-	const result = hasher.digest('base64')
-
-	// @ts-expect-error
-	return result.split('=')[0].replaceAll('+', '-').replaceAll('/', '_')
-}
-
-export const generateRandomValues = () => crypto.randomBytes(60).toString('base64url')

package/src/authentication/providers/EmailOTP.test.ts

@@ -1,127 +0,0 @@
-import { describe, expect, it, spyOn, beforeAll, afterAll, afterEach } from 'bun:test'
-import { EmailOTP } from './EmailOTP'
-import type { DevWabeTypes } from '../../utils/helper'
-import { setupTests, closeTests } from '../../utils/testHelper'
-import { EmailDevAdapter, type Wabe } from '../..'
-import * as sendOtpCodeTemplate from '../../email/templates/sendOtpCode'
-import { OTP } from '../OTP'
-
-describe('EmailOTPProvider', () => {
-	const spyEmailSend = spyOn(EmailDevAdapter.prototype, 'send')
-	const spySendOtpCodeTemplate = spyOn(sendOtpCodeTemplate, 'sendOtpCodeTemplate')
-
-	let wabe: Wabe<DevWabeTypes>
-
-	beforeAll(async () => {
-		const setup = await setupTests()
-		wabe = setup.wabe
-	})
-
-	afterAll(async () => {
-		await closeTests(wabe)
-	})
-
-	afterEach(async () => {
-		spyEmailSend.mockClear()
-		spySendOtpCodeTemplate.mockClear()
-
-		await wabe.controllers.database.clearDatabase()
-	})
-
-	it("should send an OTP code to the user's email", async () => {
-		const createdUser = await wabe.controllers.database.createObject({
-			className: 'User',
-			context: {
-				wabe,
-				isRoot: true,
-			},
-			data: {
-				email: 'email@test.fr',
-			},
-			select: {
-				id: true,
-				email: true,
-			},
-		})
-
-		if (!createdUser) throw new Error('User not created')
-
-		const emailOTP = new EmailOTP()
-
-		await emailOTP.onSendChallenge({
-			context: {
-				wabe,
-				isRoot: false,
-			},
-			user: createdUser,
-		})
-
-		expect(spyEmailSend).toHaveBeenCalledTimes(1)
-		expect(spyEmailSend).toHaveBeenCalledWith(
-			expect.objectContaining({
-				from: 'main.email@wabe.com',
-				to: ['email@test.fr'],
-				subject: 'Your OTP code',
-			}),
-		)
-
-		const otp = spySendOtpCodeTemplate.mock.calls[0]?.[0]
-
-		expect(spySendOtpCodeTemplate).toHaveBeenCalledTimes(1)
-		expect(otp?.length).toBe(6)
-	})
-
-	it('should return the userId if the OTP code is valid', async () => {
-		const createdUser = await wabe.controllers.database.createObject({
-			className: 'User',
-			context: {
-				wabe,
-				isRoot: true,
-			},
-			data: {
-				email: 'email@test.fr',
-			},
-			select: {
-				id: true,
-			},
-		})
-
-		if (!createdUser) throw new Error('User not created')
-
-		const otp = new OTP(wabe.config.rootKey).generate(createdUser.id)
-
-		const emailOTP = new EmailOTP()
-
-		expect(
-			await emailOTP.onVerifyChallenge({
-				context: {
-					wabe,
-					isRoot: false,
-				},
-				input: {
-					email: 'email@test.fr',
-					otp,
-				},
-			}),
-		).toEqual({
-			userId: createdUser.id,
-		})
-	})
-
-	it("should return null if the user doesn't exist", async () => {
-		const emailOTP = new EmailOTP()
-
-		expect(
-			await emailOTP.onVerifyChallenge({
-				context: {
-					wabe,
-					isRoot: false,
-				},
-				input: {
-					email: 'email@test.fr',
-					otp: '123456',
-				},
-			}),
-		).toEqual(null)
-	})
-})