wabe 0.6.9 → 0.6.10

package/src/authentication/resolvers/signInWithResolver.test.ts

@@ -0,0 +1,307 @@
+import { describe, expect, it, mock, spyOn, afterEach } from 'bun:test'
+import { signInWithResolver } from './signInWithResolver'
+import { Session } from '../Session'
+import { SecondaryFactor } from '../interface'
+
+describe('SignInWith', () => {
+	const mockOnLogin = mock(() =>
+		Promise.resolve({
+			user: {
+				id: 'id',
+			},
+		}),
+	)
+	const mockOnSignUp = mock(() =>
+		Promise.resolve({
+			authenticationDataToSave: {
+				id: 'id',
+			},
+		}),
+	)
+
+	const mockCreateObject = mock(() => Promise.resolve({}))
+
+	const mockOnSendChallenge = mock(() => Promise.resolve())
+	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
+
+	const context = {
+		wabe: {
+			config: {
+				authentication: {
+					session: {
+						cookieSession: true,
+					},
+					customAuthenticationMethods: [
+						{
+							name: 'emailPassword',
+							input: {
+								email: { type: 'Email', required: true },
+								password: { type: 'String', required: true },
+							},
+							provider: {
+								onSignUp: mockOnSignUp,
+								onSignIn: mockOnLogin,
+							},
+						},
+						{
+							name: 'emailOTP',
+							input: {
+								email: {
+									type: 'Email',
+									required: true,
+								},
+								code: {
+									type: 'String',
+									required: true,
+								},
+							},
+							provider: {
+								onSendChallenge: mockOnSendChallenge,
+								onVerifyChallenge: mockOnVerifyChallenge,
+							},
+						},
+					],
+				},
+			},
+		},
+	}
+
+	afterEach(() => {
+		mockCreateObject.mockClear()
+		mockOnLogin.mockClear()
+		mockOnSignUp.mockClear()
+	})
+
+	it('should call the secondary factor authentication on signIn', async () => {
+		mockOnLogin.mockResolvedValueOnce({
+			user: {
+				id: 'id',
+				// @ts-expect-error
+				email: 'email@test.fr',
+				secondFA: {
+					enabled: true,
+					provider: SecondaryFactor.EmailOTP,
+				},
+			},
+		})
+
+		const res = await signInWithResolver(
+			{},
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'email@test.fr',
+							password: 'password',
+						},
+					},
+				},
+			},
+			// @ts-expect-error
+			context,
+		)
+
+		expect(mockOnLogin).toHaveBeenCalledTimes(1)
+		expect(mockOnLogin).toHaveBeenCalledWith({
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			context: expect.any(Object),
+		})
+
+		expect(mockOnSendChallenge).toHaveBeenCalledTimes(1)
+		expect(mockOnSendChallenge).toHaveBeenCalledWith({
+			context: expect.any(Object),
+			user: expect.objectContaining({
+				email: 'email@test.fr',
+			}),
+		})
+
+		expect(res).toEqual({
+			accessToken: null,
+			refreshToken: null,
+			user: {
+				id: 'id',
+				email: 'email@test.fr',
+				secondFA: {
+					enabled: true,
+					// @ts-expect-error
+					provider: SecondaryFactor.EmailOTP,
+				},
+			},
+		})
+	})
+
+	it('should throw an error if no custom authentication configuration is provided', () => {
+		expect(
+			signInWithResolver(
+				{},
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+				{ wabe: { config: { authentication: undefined } } } as any,
+			),
+		).rejects.toThrow('No custom authentication methods found')
+	})
+
+	it('should throw an error if a custom authentication is provided but not in the custom authentication config', () => {
+		expect(
+			signInWithResolver(
+				{},
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+				{
+					wabe: {
+						config: {
+							authentication: {
+								customAuthenticationMethods: [
+									{
+										name: 'phonePassword',
+										input: {
+											email: {
+												type: 'Email',
+												required: true,
+											},
+											password: {
+												type: 'String',
+												required: true,
+											},
+										},
+										provider: {
+											onSignUp: mockOnSignUp,
+											onSignIn: mockOnLogin,
+										},
+									},
+								],
+							},
+						},
+					},
+				} as any,
+			),
+		).rejects.toThrow('No available custom authentication methods found')
+	})
+
+	it('should signInWith email and password when the user already exist (on cookieSession)', async () => {
+		const mockCreateSession = spyOn(
+			Session.prototype,
+			'create',
+		).mockResolvedValue({
+			refreshToken: 'refreshToken',
+			accessToken: 'accessToken',
+			csrfToken: 'csrfToken',
+		} as any)
+
+		const mockSetCookie = mock(() => {})
+
+		const mockResponse = {
+			setCookie: mockSetCookie,
+		}
+
+		const res = await signInWithResolver(
+			{},
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'email@test.fr',
+							password: 'password',
+						},
+					},
+				},
+			},
+			{
+				...context,
+				response: mockResponse,
+			} as any,
+		)
+
+		expect(res).toEqual({
+			accessToken: 'accessToken',
+			refreshToken: 'refreshToken',
+			csrfToken: 'csrfToken',
+			user: {
+				id: 'id',
+			},
+			srp: undefined,
+		})
+		expect(mockOnLogin).toHaveBeenCalledTimes(1)
+		expect(mockOnLogin).toHaveBeenCalledWith({
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			context: expect.any(Object),
+		})
+
+		expect(mockSetCookie).toHaveBeenCalledTimes(3)
+		expect(mockSetCookie).toHaveBeenNthCalledWith(
+			1,
+			'refreshToken',
+			'refreshToken',
+			{
+				httpOnly: true,
+				path: '/',
+				secure: true,
+				sameSite: 'Strict',
+				expires: expect.any(Date),
+			},
+		)
+
+		expect(mockSetCookie).toHaveBeenNthCalledWith(
+			2,
+			'accessToken',
+			'accessToken',
+			{
+				httpOnly: true,
+				path: '/',
+				secure: true,
+				sameSite: 'Strict',
+				expires: expect.any(Date),
+			},
+		)
+
+		expect(mockSetCookie).toHaveBeenNthCalledWith(3, 'csrfToken', 'csrfToken', {
+			httpOnly: true,
+			path: '/',
+			secure: true,
+			sameSite: 'Strict',
+			expires: expect.any(Date),
+		})
+
+		// @ts-expect-error
+		const refreshTokenExpiresIn = mockSetCookie.mock.calls[0][2].expires
+		// @ts-expect-error
+		const accessTokenExpiresIn = mockSetCookie.mock.calls[1][2].expires
+
+		// - 1000 to avoid flaky
+		expect(refreshTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
+			1000 * 7 * 24 * 60 * 60 - 1000,
+		)
+		expect(accessTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
+			1000 * 15 * 60 - 1000,
+		)
+
+		expect(mockCreateSession).toHaveBeenCalledTimes(1)
+		expect(mockCreateSession).toHaveBeenCalledWith('id', expect.anything())
+
+		expect(mockOnSignUp).toHaveBeenCalledTimes(0)
+
+		mockCreateSession.mockRestore()
+	})
+})

package/src/authentication/resolvers/signInWithResolver.ts

@@ -0,0 +1,102 @@
+import type { SignInWithInput } from '../../../generated/wabe'
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+import type {
+	ProviderInterface,
+	SecondaryProviderInterface,
+} from '../interface'
+import { getAuthenticationMethod } from '../utils'
+
+// 0 - Get the authentication method
+// 1 - We check if the signIn is possible (call onSign)
+// 2 - If secondaryFactor is present, we call the onSendChallenge method of the provider
+// 3 - We create session
+export const signInWithResolver = async (
+	_: any,
+	{
+		input,
+	}: {
+		input: SignInWithInput
+	},
+	context: WabeContext<DevWabeTypes>,
+) => {
+	const { provider, name } = getAuthenticationMethod<
+		DevWabeTypes,
+		ProviderInterface<DevWabeTypes>
+	>(Object.keys(input.authentication || {}), context)
+
+	const inputOfTheGoodAuthenticationMethod =
+		// @ts-expect-error
+		input.authentication[name]
+
+	// 1 - We call the onSignIn method of the provider
+	const { user, srp } = await provider.onSignIn({
+		input: inputOfTheGoodAuthenticationMethod,
+		context,
+	})
+
+	const userId = user.id
+
+	if (!userId) throw new Error('Authentication failed')
+
+	const secondFAObject = user.secondFA
+
+	// 2 - We call the onSendChallenge method of the provider
+	if (secondFAObject?.enabled) {
+		const secondaryProvider = getAuthenticationMethod<
+			DevWabeTypes,
+			SecondaryProviderInterface<DevWabeTypes>
+		>([secondFAObject.provider], context)
+
+		await secondaryProvider.provider.onSendChallenge?.({
+			context,
+			// @ts-expect-error
+			user,
+		})
+
+		return { accessToken: null, refreshToken: null, user }
+	}
+
+	const session = new Session()
+
+	const { refreshToken, accessToken, csrfToken } = await session.create(
+		userId,
+		context,
+	)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		const accessTokenExpiresAt = session.getAccessTokenExpireAt(
+			context.wabe.config,
+		)
+		const refreshTokenExpiresAt = session.getRefreshTokenExpireAt(
+			context.wabe.config,
+		)
+
+		context.response?.setCookie('refreshToken', refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: refreshTokenExpiresAt,
+		})
+
+		context.response?.setCookie('accessToken', accessToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: accessTokenExpiresAt,
+		})
+
+		context.response?.setCookie('csrfToken', csrfToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: accessTokenExpiresAt,
+		})
+	}
+
+	return { accessToken, refreshToken, csrfToken, user, srp }
+}

package/src/authentication/resolvers/signOutResolver.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, it, mock, spyOn } from 'bun:test'
+import { signOutResolver } from './signOutResolver'
+import { Session } from '../Session'
+
+describe('signOut', () => {
+	const mockDeleteCookie = mock(() => {})
+
+	const context = {
+		sessionId: 'sessionId',
+		wabe: {
+			config: {
+				authentication: {
+					session: {
+						cookieSession: true,
+					},
+				},
+			},
+		},
+		response: {
+			deleteCookie: mockDeleteCookie,
+		},
+	} as any
+
+	it('should sign out the current user', async () => {
+		const spyDeleteSession = spyOn(
+			Session.prototype,
+			'delete',
+		).mockResolvedValue(undefined)
+
+		const res = await signOutResolver(undefined, {}, context)
+
+		expect(res).toBe(true)
+
+		expect(spyDeleteSession).toHaveBeenCalledTimes(1)
+		expect(spyDeleteSession).toHaveBeenCalledWith(context)
+
+		expect(mockDeleteCookie).toHaveBeenCalledTimes(2)
+		expect(mockDeleteCookie).toHaveBeenNthCalledWith(1, 'accessToken')
+		expect(mockDeleteCookie).toHaveBeenNthCalledWith(2, 'refreshToken')
+	})
+})

package/src/authentication/resolvers/signOutResolver.ts

@@ -0,0 +1,22 @@
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+
+export const signOutResolver = async (
+	_: any,
+	__: any,
+	context: WabeContext<DevWabeTypes>,
+) => {
+	const session = new Session()
+
+	// For the moment we only delete the session because we suppose the token
+	// are used with headers. We will need to delete the cookies in the future.
+	await session.delete(context)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		context.response?.deleteCookie('accessToken')
+		context.response?.deleteCookie('refreshToken')
+	}
+
+	return true
+}

package/src/authentication/resolvers/signUpWithResolver.test.ts

@@ -0,0 +1,186 @@
+import { beforeAll, afterAll, describe, expect, it, beforeEach } from 'bun:test'
+import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
+import type { Wabe } from '../../server'
+import { gql } from 'graphql-request'
+import { setupTests, closeTests } from '../../utils/testHelper'
+
+describe('SignUpWith', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	beforeEach(async () => {
+		await wabe.controllers.database.clearDatabase()
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should throw an error if user already exist with emailPassword', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		await anonymousClient.request<any>(
+			gql`
+      mutation signUpWith($input: SignUpWithInput!) {
+          signUpWith(input: $input) {
+              id
+          }
+      }
+    `,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'test@gmail.com',
+							password: 'password',
+						},
+					},
+				},
+			},
+		)
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+      mutation signUpWith($input: SignUpWithInput!) {
+          signUpWith(input: $input) {
+              id
+          }
+      }
+    `,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'test@gmail.com',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Not authorized to create user')
+	})
+
+	it('should throw an error if the signUp is disabled', () => {
+		if (wabe.config) {
+			wabe.config.authentication = {
+				...wabe.config.authentication,
+				disableSignUp: true,
+			}
+		}
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const userSchema = wabe.config.schema?.classes?.find(
+			(classItem) => classItem.name === 'User',
+		)
+
+		if (!userSchema) throw new Error('Failed to find user schema')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = true
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+      mutation signUpWith($input: SignUpWithInput!) {
+        signUpWith(input: $input) {
+          id
+        }
+      }
+      `,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('SignUp is disabled')
+
+		if (wabe.config) {
+			wabe.config.authentication = {
+				...wabe.config.authentication,
+				disableSignUp: false,
+			}
+		}
+	})
+
+	it('should block the signUpWith if the user creation is blocked for anonymous (the creation is done with root to avoid ACL issues)', () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const userSchema = wabe.config.schema?.classes?.find(
+			(classItem) => classItem.name === 'User',
+		)
+
+		if (!userSchema) throw new Error('Failed to find user schema')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = true
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+      mutation signUpWith($input: SignUpWithInput!) {
+        signUpWith(input: $input) {
+          id
+        }
+      }
+      `,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Permission denied to create class User')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = false
+	})
+
+	it('should signUpWith email and password when the user not exist', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const res = await anonymousClient.request<any>(
+			gql`
+      mutation signUpWith($input: SignUpWithInput!) {
+          signUpWith(input: $input) {
+              id
+			  accessToken
+			  refreshToken
+			  csrfToken
+          }
+      }
+    `,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'test@gmail.com',
+							password: 'password',
+						},
+					},
+				},
+			},
+		)
+
+		expect(res.signUpWith.id).toEqual(expect.any(String))
+		expect(res.signUpWith.accessToken).toEqual(expect.any(String))
+		expect(res.signUpWith.refreshToken).toEqual(expect.any(String))
+		expect(res.signUpWith.csrfToken).toEqual(expect.any(String))
+	})
+})