wabe 0.6.9 → 0.6.10

package/src/authentication/providers/PhonePassword.test.ts

@@ -0,0 +1,187 @@
+import {
+	describe,
+	expect,
+	it,
+	mock,
+	spyOn,
+	afterEach,
+	afterAll,
+} from 'bun:test'
+import * as crypto from '../../utils/crypto'
+
+import { PhonePassword } from './PhonePassword'
+
+describe('Phone password', () => {
+	const mockGetObjects = mock(() => Promise.resolve([]))
+	const mockCount = mock(() => Promise.resolve(0)) as any
+	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
+
+	const spyArgonPasswordVerify = spyOn(crypto, 'verifyArgon2')
+	const spyBunPasswordHash = spyOn(crypto, 'hashArgon2')
+
+	const controllers = {
+		controllers: {
+			database: {
+				getObjects: mockGetObjects,
+				createObject: mockCreateObject,
+				count: mockCount,
+			},
+		},
+	} as any
+
+	afterEach(() => {
+		mockGetObjects.mockClear()
+		mockCreateObject.mockClear()
+		spyArgonPasswordVerify.mockClear()
+		spyBunPasswordHash.mockClear()
+	})
+
+	afterAll(() => {
+		spyArgonPasswordVerify.mockRestore()
+		spyBunPasswordHash.mockRestore()
+	})
+
+	const phonePassword = new PhonePassword()
+
+	it('should signUp with phone password', async () => {
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const {
+			authenticationDataToSave: { phone },
+		} = await phonePassword.onSignUp({
+			context: { wabe: controllers } as any,
+			input: { phone: 'phone@test.fr', password: 'password' },
+		})
+
+		expect(phone).toBe('phone@test.fr')
+	})
+
+	it('should signIn with phone password', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'userId',
+				authentication: {
+					phonePassword: {
+						phone: 'phone@test.fr',
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		const { user } = await phonePassword.onSignIn({
+			context: { wabe: controllers } as any,
+			input: { phone: 'phone@test.fr', password: 'password' },
+		})
+
+		expect(user).toEqual({
+			id: 'userId',
+			authentication: {
+				phonePassword: {
+					phone: 'phone@test.fr',
+					password: 'hashedPassword',
+				},
+			},
+		})
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+		expect(spyArgonPasswordVerify).toHaveBeenCalledWith(
+			'password',
+			'hashedPassword',
+		)
+	})
+
+	it('should not signIn with phone password if password is undefined', () => {
+		spyArgonPasswordVerify.mockResolvedValueOnce(false)
+
+		expect(
+			phonePassword.onSignIn({
+				context: { wabe: controllers } as any,
+				// @ts-expect-error
+				input: { phone: 'phone@test.fr' },
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+	})
+
+	it('should not signIn with phone password if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		expect(
+			phonePassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					phone: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not signIn with phone password if there is phone is invalid', () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				authentication: {
+					phonePassword: {
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			phonePassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					phone: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not update authentication data if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			phonePassword.onUpdateAuthenticationData?.({
+				context: { wabe: controllers } as any,
+				input: {
+					phone: 'phone@test.fr',
+					password: 'password',
+				},
+				userId: 'userId',
+			}),
+		).rejects.toThrow('User not found')
+	})
+
+	it('should update authentication data if the userId match with an user', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'id',
+			},
+		] as any)
+
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const res = await phonePassword.onUpdateAuthenticationData?.({
+			context: { wabe: controllers } as any,
+			input: {
+				phone: 'phone@test.fr',
+				password: 'password',
+			},
+			userId: 'userId',
+		})
+
+		expect(res.authenticationDataToSave.phone).toBe('phone@test.fr')
+	})
+})

package/src/authentication/providers/PhonePassword.ts

@@ -0,0 +1,129 @@
+import type {
+	AuthenticationEventsOptions,
+	AuthenticationEventsOptionsWithUserId,
+	ProviderInterface,
+} from '../interface'
+import { contextWithRoot, verifyArgon2 } from '../../utils/export'
+import type { DevWabeTypes } from '../../utils/helper'
+
+const DUMMY_PASSWORD_HASH =
+	'$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U'
+
+type PhonePasswordInterface = {
+	password: string
+	phone: string
+	otp?: string
+}
+
+export class PhonePassword
+	implements ProviderInterface<DevWabeTypes, PhonePasswordInterface>
+{
+	async onSignIn({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, PhonePasswordInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				authentication: {
+					phonePassword: {
+						phone: { equalTo: input.phone },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+		})
+
+		const user = users[0]
+		const userDatabasePassword = user?.authentication?.phonePassword?.password
+
+		const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH
+
+		const isPasswordEquals = await verifyArgon2(
+			input.password,
+			passwordHashToCheck,
+		)
+
+		if (
+			!user ||
+			!isPasswordEquals ||
+			input.phone !== user.authentication?.phonePassword?.phone
+		)
+			throw new Error('Invalid authentication credentials')
+
+		return {
+			user,
+		}
+	}
+
+	async onSignUp({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, PhonePasswordInterface>) {
+		const users = await context.wabe.controllers.database.count({
+			className: 'User',
+			where: {
+				authentication: {
+					phonePassword: {
+						phone: { equalTo: input.phone },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+		})
+
+		if (users > 0) throw new Error('Not authorized to create user')
+
+		return {
+			authenticationDataToSave: {
+				phone: input.phone,
+				password: input.password,
+			},
+		}
+	}
+
+	async onUpdateAuthenticationData({
+		userId,
+		input,
+		context,
+	}: AuthenticationEventsOptionsWithUserId<
+		DevWabeTypes,
+		PhonePasswordInterface
+	>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				id: {
+					equalTo: userId,
+				},
+			},
+			context,
+			select: { authentication: true },
+		})
+
+		if (users.length === 0) throw new Error('User not found')
+
+		const user = users[0]
+
+		return {
+			authenticationDataToSave: {
+				phone: input.phone ?? user?.authentication?.phonePassword?.phone,
+				password: input.password
+					? input.password
+					: user?.authentication?.phonePassword?.password,
+			},
+		}
+	}
+}

package/src/authentication/providers/QRCodeOTP.test.ts

@@ -0,0 +1,79 @@
+import { describe, expect, it, beforeAll, afterAll, afterEach } from 'bun:test'
+import type { DevWabeTypes } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import type { Wabe } from '../..'
+import { OTP } from '../OTP'
+import { QRCodeOTP } from './QRCodeOTP'
+
+describe('QRCodeOTPProvider', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	afterEach(async () => {
+		await wabe.controllers.database.clearDatabase()
+	})
+
+	it('should return the userId if the OTP code is valid', async () => {
+		const createdUser = await wabe.controllers.database.createObject({
+			className: 'User',
+			context: {
+				wabe,
+				isRoot: true,
+			},
+			data: {
+				email: 'email@test.fr',
+			},
+			select: {
+				id: true,
+			},
+		})
+
+		if (!createdUser) throw new Error('User not created')
+
+		const otp = new OTP(wabe.config.rootKey).authenticatorGenerate(
+			createdUser.id,
+		)
+
+		const qrCodeOTP = new QRCodeOTP()
+
+		expect(
+			await qrCodeOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp,
+				},
+			}),
+		).toEqual({
+			userId: createdUser.id,
+		})
+	})
+
+	it("should return null if the user doesn't exist", async () => {
+		const qrCodeOTP = new QRCodeOTP()
+
+		expect(
+			await qrCodeOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp: '123456',
+				},
+			}),
+		).toEqual(null)
+	})
+})

package/src/authentication/providers/QRCodeOTP.ts

@@ -0,0 +1,65 @@
+import { contextWithRoot } from '../..'
+import type { DevWabeTypes } from '../../utils/helper'
+import type {
+	OnVerifyChallengeOptions,
+	SecondaryProviderInterface,
+} from '../interface'
+import { OTP } from '../OTP'
+
+const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+type QRCodeOTPInterface = {
+	email: string
+	otp: string
+}
+
+export class QRCodeOTP
+	implements SecondaryProviderInterface<DevWabeTypes, QRCodeOTPInterface>
+{
+	async onSendChallenge() {
+		// The user should check the application and get the OTP code
+	}
+
+	async onVerifyChallenge({
+		context,
+		input,
+	}: OnVerifyChallengeOptions<DevWabeTypes, QRCodeOTPInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				email: {
+					equalTo: input.email,
+				},
+			},
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+			context: contextWithRoot(context),
+		})
+
+		const realUser = users.length > 0 ? users[0] : null
+		const userId = realUser?.id ?? DUMMY_USER_ID
+
+		const isDevBypass =
+			!context.wabe.config.isProduction &&
+			input.otp === '000000' &&
+			realUser !== null
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const isOtpValid = otpClass.authenticatorVerify(input.otp, userId)
+
+		if (realUser && (isOtpValid || isDevBypass)) return { userId: realUser.id }
+
+		return null
+	}
+}

package/src/authentication/providers/index.ts

@@ -0,0 +1,6 @@
+export * from './EmailPassword'
+export * from './Google'
+export * from './GitHub'
+export * from './PhonePassword'
+export * from './EmailOTP'
+export * from './QRCodeOTP'

package/src/authentication/resolvers/refreshResolver.test.ts

@@ -0,0 +1,37 @@
+import { describe, expect, it, spyOn } from 'bun:test'
+import { refreshResolver } from './refreshResolver'
+import type { WabeContext } from '../../server/interface'
+import { Session } from '../Session'
+
+const context: WabeContext<any> = {
+	sessionId: 'sessionId',
+	user: {} as any,
+	isRoot: false,
+} as WabeContext<any>
+
+describe('refreshResolver', () => {
+	it('should refresh the session', async () => {
+		const spyRefreshSession = spyOn(
+			Session.prototype,
+			'refresh',
+		).mockResolvedValue({} as any)
+
+		await refreshResolver(
+			null,
+			{
+				input: {
+					accessToken: 'accessToken',
+					refreshToken: 'refreshToken',
+				},
+			},
+			context,
+		)
+
+		expect(spyRefreshSession).toHaveBeenCalledTimes(1)
+		expect(spyRefreshSession).toHaveBeenCalledWith(
+			'accessToken',
+			'refreshToken',
+			context,
+		)
+	})
+})

package/src/authentication/resolvers/refreshResolver.ts

@@ -0,0 +1,20 @@
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+
+export const refreshResolver = async (
+	_: any,
+	args: any,
+	context: WabeContext<DevWabeTypes>,
+) => {
+	const {
+		input: { refreshToken, accessToken },
+	} = args
+
+	const session = new Session()
+
+	const { accessToken: newAccessToken, refreshToken: newRefreshToken } =
+		await session.refresh(accessToken, refreshToken, context)
+
+	return { accessToken: newAccessToken, refreshToken: newRefreshToken }
+}

package/src/authentication/resolvers/signInWithResolver.inte.test.ts

@@ -0,0 +1,59 @@
+import { describe, it, beforeAll, afterAll, expect } from 'bun:test'
+import { gql } from 'graphql-request'
+import type { Wabe } from 'src'
+import { getAdminUserClient, type DevWabeTypes } from 'src/utils/helper'
+import { setupTests, closeTests } from 'src/utils/testHelper'
+
+describe('signInWithResolver integration test', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should return all fields of the user on signInWith resolver', async () => {
+		const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
+			email: 'admin@wabe.dev',
+			password: 'admin',
+		})
+		const res = await adminClient.request<any>(
+			gql`
+      mutation signInWith($input: SignInWithInput!) {
+        signInWith(input: $input) {
+          user {
+            id
+            authentication {
+              emailPassword {
+                email
+              }
+            }
+            role {
+                name
+            }
+          }
+        }
+      }
+    `,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'admin@wabe.dev',
+							password: 'admin',
+						},
+					},
+				},
+			},
+		)
+
+		expect(res.signInWith.user.role.name).toBe('Admin')
+		expect(res.signInWith.user.authentication.emailPassword).toEqual({
+			email: 'admin@wabe.dev',
+		})
+	})
+})