wabe 0.6.9 → 0.6.10

package/dist/server/index.d.ts

@@ -11,7 +11,6 @@ import type { Context, CorsOptions, RateLimitOptions } from "wobe";
 import type { WabeContext } from "./interface";
 import type { EmailConfig } from "../email";
 import { EmailController } from "../email/EmailController";
-import type { AIConfig } from "../ai";
 import { FileController } from "../file/FileController";
 import type { CronConfig } from "../cron";
 import type { FileConfig } from "../file";
@@ -19,9 +18,13 @@ type SecurityConfig = {
 	corsOptions?: CorsOptions;
 	rateLimit?: RateLimitOptions;
 	hideSensitiveErrorMessage?: boolean;
+	disableCSRFProtection?: boolean;
+	allowIntrospectionInProduction?: boolean;
+	maxGraphqlDepth?: number;
 };
 export * from "./interface";
 export * from "./routes";
+export declare const defaultRoles: unknown;
 export interface WabeConfig<T extends WabeTypes> {
 	port: number;
 	isProduction: boolean;
@@ -41,7 +44,6 @@ export interface WabeConfig<T extends WabeTypes> {
 	rootKey: string;
 	hooks?: Hook<T, any>[];
 	email?: EmailConfig;
-	ai?: AIConfig;
 	file?: FileConfig<T>;
 	crons?: CronConfig<T>;
 }

package/dist/utils/crypto.d.ts

@@ -9,3 +9,10 @@ export declare const hashArgon2: unknown;
 */
 export declare const verifyArgon2: unknown;
 export declare const isArgon2Hash: (value: string) => boolean;
+/**
+* Deterministic AES-256-GCM encryption for tokens.
+* IV is derived via HMAC-SHA256(key, token) to allow equality checks without storing plaintext.
+* Caller must provide a strong 32-byte key (already derived/hashed).
+*/
+export declare const encryptDeterministicToken: (token: string, key: Buffer) => string;
+export declare const decryptDeterministicToken: (encryptedToken: string | undefined, key: Buffer) => string | null;

package/dist/utils/helper.d.ts

@@ -10,7 +10,10 @@ export interface DevWabeTypes extends WabeTypes {
 export declare const firstLetterUpperCase: (str: string) => string;
 export declare const getGraphqlClient: (port: number) => GraphQLClient;
 export declare const getAnonymousClient: (port: number) => GraphQLClient;
-export declare const getUserClient: (port: number, accessToken: string) => GraphQLClient;
+export declare const getUserClient: (port: number, options: {
+	accessToken?: string;
+	csrfToken?: string;
+}) => GraphQLClient;
 export declare const getAdminUserClient: (port: number, wabe: Wabe<DevWabeTypes>, { email, password }: {
 	email: string;
 	password: string;

package/generated/schema.graphql

@@ -425,9 +425,9 @@ input PostRelationInput {
 type _Session {
   id: ID!
   user: User
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObject
   createdAt: Date
@@ -454,9 +454,9 @@ type _SessionACLObjectRolesACL {
 
 input _SessionInput {
   user: UserPointerInput
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObjectInput
   createdAt: Date
@@ -490,9 +490,9 @@ input _SessionPointerInput {
 
 input _SessionCreateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectCreateFieldsInput
   createdAt: Date
@@ -937,9 +937,9 @@ input RoleACLObjectRolesACLWhereInput {
 input _SessionWhereInput {
   id: IdWhereInput
   user: UserWhereInput
-  accessToken: StringWhereInput
+  accessTokenEncrypted: StringWhereInput
   accessTokenExpiresAt: DateWhereInput
-  refreshToken: StringWhereInput
+  refreshTokenEncrypted: StringWhereInput
   refreshTokenExpiresAt: DateWhereInput
   acl: _SessionACLObjectWhereInput
   createdAt: DateWhereInput
@@ -1099,12 +1099,12 @@ enum PostOrder {
 enum _SessionOrder {
   user_ASC
   user_DESC
-  accessToken_ASC
-  accessToken_DESC
+  accessTokenEncrypted_ASC
+  accessTokenEncrypted_DESC
   accessTokenExpiresAt_ASC
   accessTokenExpiresAt_DESC
-  refreshToken_ASC
-  refreshToken_DESC
+  refreshTokenEncrypted_ASC
+  refreshTokenEncrypted_DESC
   refreshTokenExpiresAt_ASC
   refreshTokenExpiresAt_DESC
   acl_ASC
@@ -1507,9 +1507,9 @@ input Update_SessionInput {
 
 input _SessionUpdateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectUpdateFieldsInput
   createdAt: Date
@@ -1746,6 +1746,7 @@ type SignInWithOutput {
   user: User
   accessToken: String
   refreshToken: String
+  csrfToken: String
   srp: SignInWithOutputSRPOutputSignInWith
 }
 
@@ -1797,6 +1798,7 @@ type SignUpWithOutput {
   id: String
   accessToken: String!
   refreshToken: String!
+  csrfToken: String
 }
 
 input SignUpWithInput {

package/generated/wabe.ts

@@ -116,9 +116,9 @@ export type Post = {
 export type _Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: string,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: string,
 	acl?: ACLObject,
 	createdAt?: string,
@@ -181,9 +181,9 @@ export type WherePost = {
 export type Where_Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: Date,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: Date,
 	acl?: ACLObject,
 	createdAt?: Date,

package/package.json

@@ -1,8 +1,8 @@
 {
 	"name": "wabe",
-	"version": "0.6.9",
-	"description": "Your backend in minutes not days",
-	"homepage": "https://wabe.dev",
+	"version": "0.6.10",
+	"description": "Your backend without vendor lock-in in Typescript",
+	"homepage": "https://palixir.github.io/wabe/",
 	"author": {
 		"name": "coratgerl",
 		"url": "https://github.com/coratgerl"
@@ -22,33 +22,33 @@
 	"scripts": {
 		"build": "bun --filter wabe-build build:package $(pwd)",
 		"check": "tsc --project $(pwd)/tsconfig.json",
-		"lint": "biome lint . --no-errors-on-unmatched --config-path=../../",
+		"lint": "biome lint . --no-errors-on-unmatched",
 		"ci": "bun generate:codegen && bun lint $(pwd) && bun check && bun test src",
-		"format": "biome format --write . --config-path=../../",
+		"format": "biome format --write .",
 		"dev": "bun run --watch dev/index.ts",
 		"generate:codegen": "touch generated/wabe.ts && CODEGEN=true bun dev/index.ts"
 	},
 	"dependencies": {
-		"@graphql-yoga/plugin-disable-introspection": "2.10.9",
 		"croner": "9.0.0",
+		"graphql": "16.12.0",
 		"js-srp6a": "1.0.2",
 		"jsonwebtoken": "9.0.2",
 		"libphonenumber-js": "1.11.18",
 		"otplib": "12.0.1",
-		"p-retry": "6.2.1",
-		"wobe": "1.1.10",
-		"wobe-graphql-yoga": "1.2.6"
+		"p-retry": "7.1.0",
+		"wobe": "1.1.14",
+		"wobe-graphql-yoga": "1.2.9"
 	},
 	"devDependencies": {
 		"@types/jsonwebtoken": "9.0.6",
 		"@types/uuid": "9.0.6",
 		"graphql-request": "6.1.0",
 		"get-port": "7.1.0",
-		"uuid": "10.0.0",
-		"wabe-mongodb-launcher": "workspace:*",
-		"wabe-pluralize": "workspace:*",
-		"wabe-build": "workspace:*",
-		"wabe-mongodb": "workspace:*",
-		"wabe": "workspace:*"
+		"uuid": "13.0.0",
+		"wabe-mongodb-launcher": "0.5.2",
+		"wabe-pluralize": "0.0.1",
+		"wabe-build": "0.5.0",
+		"wabe-mongodb": "0.5.2",
+		"wabe": "0.6.9"
 	}
 }

package/src/authentication/OTP.test.ts

@@ -0,0 +1,69 @@
+import { describe, it, expect } from 'bun:test'
+import { OTP } from './OTP'
+
+describe('OTP', () => {
+	it('should generate a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+	})
+
+	it('should verify a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+
+		expect(otp.verify(otpValue, 'userId')).toBe(true)
+	})
+
+	it('should not verify an invalid OTP code', () => {
+		const otp = new OTP('rootKey')
+
+		const otpValue = otp.generate('userId')
+
+		expect(otpValue.length).toBe(6)
+
+		expect(otp.verify('invalidOtp', 'userId')).toBe(false)
+
+		const otpValue2 = otp.generate('invalidUserId')
+
+		expect(otpValue2.length).toBe(6)
+
+		expect(otp.verify(otpValue2, 'userId')).toBe(false)
+	})
+
+	it('should not verify an invalid OTP code (more than 5 minutes)', () => {
+		// Directly test the timeout is flaky we only test that the correct value is passed to totp
+		const otp = new OTP('rootKey')
+
+		expect(otp.internalTotp.options.window).toEqual([1, 0])
+	})
+
+	it('should generate a valid keyuri', () => {
+		const otp = new OTP('rootKey')
+
+		const keyuri = otp.generateKeyuri({
+			userId: 'userId',
+			emailOrUsername: 'email@test.fr',
+			applicationName: 'Wabe',
+		})
+
+		expect(keyuri).toBe(
+			'otpauth://totp/Wabe:email%40test.fr?secret=O54OZDANWM2YFHJKJMMVMQSV7DUMUZFT3BWE4Z5NOQCAATGGHKYA&period=30&digits=6&algorithm=SHA1&issuer=Wabe',
+		)
+	})
+
+	it('should verify an OTP generated from authenticator', () => {
+		const otp = new OTP('rootKey')
+
+		const code = otp.authenticatorGenerate('userId')
+
+		const isValid = otp.authenticatorVerify(code, 'userId')
+
+		expect(isValid).toBe(true)
+	})
+})

package/src/authentication/OTP.ts

@@ -0,0 +1,66 @@
+import { totp, authenticator } from 'otplib'
+import type { TOTP } from 'otplib/core'
+import { createHash } from 'node:crypto'
+import { base32Encode } from 'src/utils'
+
+const ONE_WINDOW = 1
+
+export class OTP {
+	private secret: string
+	public internalTotp: TOTP
+
+	constructor(rootKey: string) {
+		this.secret = rootKey
+		this.internalTotp = totp.clone({
+			window: [ONE_WINDOW, 0],
+		})
+	}
+
+	deriveSecret(userId: string): string {
+		const hash = createHash('sha256')
+			.update(`${this.secret}:${userId}`)
+			.digest()
+
+		return base32Encode(hash, 'RFC4648', { padding: false })
+	}
+
+	generate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+
+		return this.internalTotp.generate(secret)
+	}
+
+	verify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+
+		return this.internalTotp.verify({ secret, token: otp })
+	}
+
+	authenticatorGenerate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+		return authenticator.generate(secret)
+	}
+
+	authenticatorVerify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+
+		return authenticator.verify({
+			secret,
+			token: otp,
+		})
+	}
+
+	generateKeyuri({
+		userId,
+		emailOrUsername,
+		applicationName,
+	}: {
+		userId: string
+		emailOrUsername: string
+		applicationName: string
+	}): string {
+		const secret = this.deriveSecret(userId)
+
+		return authenticator.keyuri(emailOrUsername, applicationName, secret)
+	}
+}