wabe 0.6.8 → 0.6.10

package/dist/server/index.d.ts

@@ -11,7 +11,6 @@ import type { Context, CorsOptions, RateLimitOptions } from "wobe";
 import type { WabeContext } from "./interface";
 import type { EmailConfig } from "../email";
 import { EmailController } from "../email/EmailController";
-import type { AIConfig } from "../ai";
 import { FileController } from "../file/FileController";
 import type { CronConfig } from "../cron";
 import type { FileConfig } from "../file";
@@ -19,9 +18,13 @@ type SecurityConfig = {
 	corsOptions?: CorsOptions;
 	rateLimit?: RateLimitOptions;
 	hideSensitiveErrorMessage?: boolean;
+	disableCSRFProtection?: boolean;
+	allowIntrospectionInProduction?: boolean;
+	maxGraphqlDepth?: number;
 };
 export * from "./interface";
 export * from "./routes";
+export declare const defaultRoles: unknown;
 export interface WabeConfig<T extends WabeTypes> {
 	port: number;
 	isProduction: boolean;
@@ -41,7 +44,6 @@ export interface WabeConfig<T extends WabeTypes> {
 	rootKey: string;
 	hooks?: Hook<T, any>[];
 	email?: EmailConfig;
-	ai?: AIConfig;
 	file?: FileConfig<T>;
 	crons?: CronConfig<T>;
 }

package/dist/server/interface.d.ts

@@ -6,4 +6,5 @@ export interface WabeContext<T extends WabeTypes> {
 	sessionId?: string | null;
 	isRoot: boolean;
 	wabe: Wabe<T>;
+	isGraphQLCall?: boolean;
 }

package/dist/utils/crypto.d.ts

@@ -0,0 +1,18 @@
+/*
+* Hash a string with Argon2id and PHC format
+* @return : Returns the PHC format of the hashed text
+*/
+export declare const hashArgon2: unknown;
+/*
+* Verify if a hash matchs with a string
+* @return : Returns true if the password matchs with the hash, false otherwise
+*/
+export declare const verifyArgon2: unknown;
+export declare const isArgon2Hash: (value: string) => boolean;
+/**
+* Deterministic AES-256-GCM encryption for tokens.
+* IV is derived via HMAC-SHA256(key, token) to allow equality checks without storing plaintext.
+* Caller must provide a strong 32-byte key (already derived/hashed).
+*/
+export declare const encryptDeterministicToken: (token: string, key: Buffer) => string;
+export declare const decryptDeterministicToken: (encryptedToken: string | undefined, key: Buffer) => string | null;

package/dist/utils/export.d.ts

@@ -1,3 +1,4 @@
 import type { WabeContext } from "../server/interface";
 export declare const contextWithRoot: (context: WabeContext<any>) => WabeContext<any>;
 export declare const notEmpty: <T>(value: T | null | undefined) => value is T;
+export * from "./crypto";

package/dist/utils/helper.d.ts

@@ -10,7 +10,10 @@ export interface DevWabeTypes extends WabeTypes {
 export declare const firstLetterUpperCase: (str: string) => string;
 export declare const getGraphqlClient: (port: number) => GraphQLClient;
 export declare const getAnonymousClient: (port: number) => GraphQLClient;
-export declare const getUserClient: (port: number, accessToken: string) => GraphQLClient;
+export declare const getUserClient: (port: number, options: {
+	accessToken?: string;
+	csrfToken?: string;
+}) => GraphQLClient;
 export declare const getAdminUserClient: (port: number, wabe: Wabe<DevWabeTypes>, { email, password }: {
 	email: string;
 	password: string;

package/dist/utils/index.d.ts

@@ -1,9 +1,21 @@
 import type { ClassInterface } from "../schema";
-import type { WabeTypes, WabeConfig } from "../server";
-export declare const toBase32: (stringToEncode: string) => string;
+import type { WabeTypes, WabeConfig, WabeContext } from "../server";
+export declare const contextWithoutGraphQLCall: (context: WabeContext<any>) => WabeContext<any>;
+type Base32Variant = "RFC3548" | "RFC4648" | "RFC4648-HEX" | "Crockford";
+interface Base32Options {
+	padding?: boolean;
+}
+/**
+* Convert supported input types to Uint8Array.
+*/
+export declare const toUint8Array: (data: string | ArrayBuffer | Uint8Array | Buffer) => Uint8Array;
+/**
+* Encode binary data to base32 using specified variant.
+* Base on https://github.com/LinusU/base32-encode/blob/master/index.js
+*/
+export declare const base32Encode: (data: string | ArrayBuffer | Uint8Array | Buffer, variant: Base32Variant, options?: Base32Options) => string;
 export declare const getNewObjectAfterUpdateNestedProperty: unknown;
 export declare const getNestedProperty: unknown;
-export declare const isArgon2Hash: (value: string) => boolean;
 export declare const firstLetterInUpperCase: unknown;
 export declare const firstLetterInLowerCase: unknown;
 export declare const getClassFromClassName: <T extends WabeTypes>(className: string, config: WabeConfig<any>) => ClassInterface<T>;
@@ -20,3 +32,4 @@ export declare const getCookieInRequestHeaders: unknown;
 * - trim
 */
 export declare const tokenize: unknown;
+export {};

package/generated/schema.graphql

@@ -13,6 +13,7 @@ enum AuthenticationProvider {
 
 enum SecondaryFactor {
   emailOTP
+  qrcodeOTP
 }
 
 """Object containing information about the file"""
@@ -424,9 +425,9 @@ input PostRelationInput {
 type _Session {
   id: ID!
   user: User
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObject
   createdAt: Date
@@ -453,9 +454,9 @@ type _SessionACLObjectRolesACL {
 
 input _SessionInput {
   user: UserPointerInput
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObjectInput
   createdAt: Date
@@ -489,9 +490,9 @@ input _SessionPointerInput {
 
 input _SessionCreateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectCreateFieldsInput
   createdAt: Date
@@ -936,9 +937,9 @@ input RoleACLObjectRolesACLWhereInput {
 input _SessionWhereInput {
   id: IdWhereInput
   user: UserWhereInput
-  accessToken: StringWhereInput
+  accessTokenEncrypted: StringWhereInput
   accessTokenExpiresAt: DateWhereInput
-  refreshToken: StringWhereInput
+  refreshTokenEncrypted: StringWhereInput
   refreshTokenExpiresAt: DateWhereInput
   acl: _SessionACLObjectWhereInput
   createdAt: DateWhereInput
@@ -1098,12 +1099,12 @@ enum PostOrder {
 enum _SessionOrder {
   user_ASC
   user_DESC
-  accessToken_ASC
-  accessToken_DESC
+  accessTokenEncrypted_ASC
+  accessTokenEncrypted_DESC
   accessTokenExpiresAt_ASC
   accessTokenExpiresAt_DESC
-  refreshToken_ASC
-  refreshToken_DESC
+  refreshTokenEncrypted_ASC
+  refreshTokenEncrypted_DESC
   refreshTokenExpiresAt_ASC
   refreshTokenExpiresAt_DESC
   acl_ASC
@@ -1506,9 +1507,9 @@ input Update_SessionInput {
 
 input _SessionUpdateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectUpdateFieldsInput
   createdAt: Date
@@ -1742,9 +1743,10 @@ input SendEmailInput {
 }
 
 type SignInWithOutput {
-  id: String
+  user: User
   accessToken: String
   refreshToken: String
+  csrfToken: String
   srp: SignInWithOutputSRPOutputSignInWith
 }
 
@@ -1796,6 +1798,7 @@ type SignUpWithOutput {
   id: String
   accessToken: String!
   refreshToken: String!
+  csrfToken: String
 }
 
 input SignUpWithInput {

package/generated/wabe.ts

@@ -12,7 +12,8 @@ export enum AuthenticationProvider {
 }
 
 export enum SecondaryFactor {
-	emailOTP = "emailOTP"
+	emailOTP = "emailOTP",
+	qrcodeOTP = "qrcodeOTP"
 }
 
 export type ACLObjectUsersACL = {
@@ -115,9 +116,9 @@ export type Post = {
 export type _Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: string,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: string,
 	acl?: ACLObject,
 	createdAt?: string,
@@ -180,9 +181,9 @@ export type WherePost = {
 export type Where_Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: Date,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: Date,
 	acl?: ACLObject,
 	createdAt?: Date,

package/package.json

@@ -1,55 +1,54 @@
 {
-  "name": "wabe",
-  "version": "0.6.8",
-  "description": "Your backend in minutes not days",
-  "homepage": "https://wabe.dev",
-  "author": {
-    "name": "coratgerl",
-    "url": "https://github.com/coratgerl"
-  },
-  "license": "Apache-2.0",
-  "keywords": [
-    "backend",
-    "wabe",
-    "graphql",
-    "baas"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/palixir/wabe.git"
-  },
-  "main": "dist/index.js",
-  "scripts": {
-    "build": "bun --filter wabe-build build:package $(pwd)",
-    "check": "tsc --project $(pwd)/tsconfig.json",
-    "lint": "biome lint . --no-errors-on-unmatched --config-path=../../",
-    "ci": "bun generate:codegen && bun lint $(pwd) && bun check && bun test src",
-    "format": "biome format --write . --config-path=../../",
-    "dev": "bun run --watch dev/index.ts",
-    "generate:codegen": "touch generated/wabe.ts && CODEGEN=true bun dev/index.ts"
-  },
-  "dependencies": {
-    "@graphql-yoga/plugin-disable-introspection": "2.10.9",
-    "@node-rs/argon2": "2.0.2",
-    "croner": "9.0.0",
-    "js-srp6a": "1.0.2",
-    "jsonwebtoken": "9.0.2",
-    "libphonenumber-js": "1.11.18",
-    "otplib": "12.0.1",
-    "p-retry": "6.2.1",
-    "wobe": "1.1.10",
-    "wobe-graphql-yoga": "1.2.6"
-  },
-  "devDependencies": {
-    "@types/jsonwebtoken": "9.0.6",
-    "@types/uuid": "9.0.6",
-    "graphql-request": "6.1.0",
-    "get-port": "7.1.0",
-    "uuid": "10.0.0",
-    "wabe-mongodb-launcher": "workspace:*",
-    "wabe-pluralize": "workspace:*",
-    "wabe-build": "workspace:*",
-    "wabe-mongodb": "workspace:*",
-    "wabe": "workspace:*"
-  }
+	"name": "wabe",
+	"version": "0.6.10",
+	"description": "Your backend without vendor lock-in in Typescript",
+	"homepage": "https://palixir.github.io/wabe/",
+	"author": {
+		"name": "coratgerl",
+		"url": "https://github.com/coratgerl"
+	},
+	"license": "Apache-2.0",
+	"keywords": [
+		"backend",
+		"wabe",
+		"graphql",
+		"baas"
+	],
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/palixir/wabe.git"
+	},
+	"main": "dist/index.js",
+	"scripts": {
+		"build": "bun --filter wabe-build build:package $(pwd)",
+		"check": "tsc --project $(pwd)/tsconfig.json",
+		"lint": "biome lint . --no-errors-on-unmatched",
+		"ci": "bun generate:codegen && bun lint $(pwd) && bun check && bun test src",
+		"format": "biome format --write .",
+		"dev": "bun run --watch dev/index.ts",
+		"generate:codegen": "touch generated/wabe.ts && CODEGEN=true bun dev/index.ts"
+	},
+	"dependencies": {
+		"croner": "9.0.0",
+		"graphql": "16.12.0",
+		"js-srp6a": "1.0.2",
+		"jsonwebtoken": "9.0.2",
+		"libphonenumber-js": "1.11.18",
+		"otplib": "12.0.1",
+		"p-retry": "7.1.0",
+		"wobe": "1.1.14",
+		"wobe-graphql-yoga": "1.2.9"
+	},
+	"devDependencies": {
+		"@types/jsonwebtoken": "9.0.6",
+		"@types/uuid": "9.0.6",
+		"graphql-request": "6.1.0",
+		"get-port": "7.1.0",
+		"uuid": "13.0.0",
+		"wabe-mongodb-launcher": "0.5.2",
+		"wabe-pluralize": "0.0.1",
+		"wabe-build": "0.5.0",
+		"wabe-mongodb": "0.5.2",
+		"wabe": "0.6.9"
+	}
 }

package/src/authentication/OTP.test.ts

@@ -0,0 +1,69 @@
+import { describe, it, expect } from 'bun:test'
+import { OTP } from './OTP'
+
+describe('OTP', () => {
+	it('should generate a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+	})
+
+	it('should verify a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+
+		expect(otp.verify(otpValue, 'userId')).toBe(true)
+	})
+
+	it('should not verify an invalid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+
+		expect(otp.verify('invalidOtp', 'userId')).toBe(false)
+
+		const otpValue2 = otp.generate('invalidUserId')
+
+		expect(otpValue2.length).toBe(6)
+
+		expect(otp.verify(otpValue2, 'userId')).toBe(false)
+	})
+
+	it('should not verify an invalid OTP code (more than 5 minutes)', () => {
+		// Directly test the timeout is flaky we only test that the correct value is passed to totp
+		const otp = new OTP('rootKey')
+
+		expect(otp.internalTotp.options.window).toEqual([1, 0])
+	})
+
+	it('should generate a valid keyuri', () => {
+		const otp = new OTP('rootKey')
+
+		const keyuri = otp.generateKeyuri({
+			userId: 'userId',
+			emailOrUsername: 'email@test.fr',
+			applicationName: 'Wabe',
+		})
+
+		expect(keyuri).toBe(
+			'otpauth://totp/Wabe:email%40test.fr?secret=O54OZDANWM2YFHJKJMMVMQSV7DUMUZFT3BWE4Z5NOQCAATGGHKYA&period=30&digits=6&algorithm=SHA1&issuer=Wabe',
+		)
+	})
+
+	it('should verify an OTP generated from authenticator', () => {
+		const otp = new OTP('rootKey')
+
+		const code = otp.authenticatorGenerate('userId')
+
+		const isValid = otp.authenticatorVerify(code, 'userId')
+
+		expect(isValid).toBe(true)
+	})
+})

package/src/authentication/OTP.ts

@@ -0,0 +1,66 @@
+import { totp, authenticator } from 'otplib'
+import type { TOTP } from 'otplib/core'
+import { createHash } from 'node:crypto'
+import { base32Encode } from 'src/utils'
+
+const ONE_WINDOW = 1
+
+export class OTP {
+	private secret: string
+	public internalTotp: TOTP
+
+	constructor(rootKey: string) {
+		this.secret = rootKey
+		this.internalTotp = totp.clone({
+			window: [ONE_WINDOW, 0],
+		})
+	}
+
+	deriveSecret(userId: string): string {
+		const hash = createHash('sha256')
+			.update(`${this.secret}:${userId}`)
+			.digest()
+
+		return base32Encode(hash, 'RFC4648', { padding: false })
+	}
+
+	generate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+
+		return this.internalTotp.generate(secret)
+	}
+
+	verify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+
+		return this.internalTotp.verify({ secret, token: otp })
+	}
+
+	authenticatorGenerate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+		return authenticator.generate(secret)
+	}
+
+	authenticatorVerify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+
+		return authenticator.verify({
+			secret,
+			token: otp,
+		})
+	}
+
+	generateKeyuri({
+		userId,
+		emailOrUsername,
+		applicationName,
+	}: {
+		userId: string
+		emailOrUsername: string
+		applicationName: string
+	}): string {
+		const secret = this.deriveSecret(userId)
+
+		return authenticator.keyuri(emailOrUsername, applicationName, secret)
+	}
+}