wabe 0.6.9 → 0.6.10

package/src/authentication/defaultAuthentication.ts

@@ -0,0 +1,214 @@
+import type { WabeTypes } from '..'
+import type {
+	CustomAuthenticationMethods,
+	ProviderInterface,
+} from './interface'
+import { GitHub, QRCodeOTP } from './providers'
+import { Google } from './providers'
+import { EmailOTP } from './providers/EmailOTP'
+import { EmailPassword } from './providers/EmailPassword'
+import {
+	EmailPasswordSRPChallenge,
+	EmailPasswordSRP,
+} from './providers/EmailPasswordSRP'
+import { PhonePassword } from './providers/PhonePassword'
+
+export const defaultAuthenticationMethods = <
+	T extends WabeTypes,
+>(): CustomAuthenticationMethods<T, ProviderInterface<T>>[] => [
+	{
+		name: 'emailPasswordSRPChallenge',
+		input: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			clientPublic: {
+				type: 'String',
+				required: true,
+			},
+			clientSessionProof: {
+				type: 'String',
+				required: true,
+			},
+		},
+		// @ts-expect-error
+		provider: new EmailPasswordSRPChallenge(),
+		isSecondaryFactor: true,
+	},
+	{
+		name: 'emailPasswordSRP',
+		input: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			clientPublic: {
+				type: 'String',
+			},
+			salt: {
+				type: 'String',
+			},
+			verifier: {
+				type: 'String',
+			},
+		},
+		dataToStore: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			salt: {
+				type: 'String',
+				required: true,
+			},
+			verifier: {
+				type: 'String',
+				required: true,
+			},
+			serverSecret: {
+				type: 'String',
+			},
+		},
+		// @ts-expect-error
+		provider: new EmailPasswordSRP(),
+	},
+	{
+		name: 'emailOTP',
+		input: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			otp: {
+				type: 'String',
+				required: true,
+			},
+		},
+		// @ts-expect-error
+		provider: new EmailOTP(),
+		isSecondaryFactor: true,
+	},
+	{
+		name: 'qrCodeOTP',
+		input: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			otp: {
+				type: 'String',
+				required: true,
+			},
+		},
+		// @ts-expect-error
+		provider: new QRCodeOTP(),
+		isSecondaryFactor: true,
+	},
+	{
+		name: 'phonePassword',
+		input: {
+			phone: {
+				type: 'Phone',
+				required: true,
+			},
+			password: {
+				type: 'Hash',
+				required: true,
+			},
+		},
+		dataToStore: {
+			phone: {
+				type: 'Phone',
+				required: true,
+			},
+			password: {
+				type: 'Hash',
+				required: true,
+			},
+		},
+		// @ts-expect-error
+		provider: new PhonePassword(),
+	},
+	{
+		name: 'emailPassword',
+		input: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			password: {
+				type: 'Hash',
+				required: true,
+			},
+		},
+		dataToStore: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			password: {
+				type: 'Hash',
+				required: true,
+			},
+		},
+		// @ts-expect-error
+		provider: new EmailPassword(),
+	},
+	{
+		name: 'google',
+		input: {
+			authorizationCode: {
+				type: 'String',
+				required: true,
+			},
+			codeVerifier: {
+				type: 'String',
+				required: true,
+			},
+		},
+		dataToStore: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			verifiedEmail: {
+				type: 'Boolean',
+				required: true,
+			},
+		},
+		// There is no signUp method for Google provider
+		// @ts-expect-error
+		provider: new Google(),
+	},
+	{
+		name: 'github',
+		input: {
+			authorizationCode: {
+				type: 'String',
+				required: true,
+			},
+			codeVerifier: {
+				type: 'String',
+				required: true,
+			},
+		},
+		dataToStore: {
+			email: {
+				type: 'Email',
+				required: true,
+			},
+			avatarUrl: {
+				type: 'String',
+				required: true,
+			},
+			username: {
+				type: 'String',
+				required: true,
+			},
+		},
+		// There is no signUp method for Google provider
+		// @ts-expect-error
+		provider: new GitHub(),
+	},
+]

package/src/authentication/index.ts

@@ -0,0 +1,3 @@
+export * from './interface'
+export * from './oauth'
+export * from './OTP'

package/src/authentication/interface.ts

@@ -0,0 +1,157 @@
+import type { User } from '../../generated/wabe'
+import type { WabeContext } from '../server/interface'
+import type { SchemaFields } from '../schema'
+import type { WabeTypes, WobeCustomContext } from '../server'
+import type { SelectType } from '../database/interface'
+
+export enum ProviderEnum {
+	google = 'google',
+	github = 'github',
+}
+
+export interface ProviderConfig {
+	clientId: string
+	clientSecret: string
+}
+
+export type AuthenticationEventsOptions<T extends WabeTypes, K> = {
+	context: WabeContext<T>
+	input: K
+}
+
+export type AuthenticationEventsOptionsWithUserId<
+	T extends WabeTypes,
+	K,
+> = AuthenticationEventsOptions<T, K> & {
+	userId: string
+}
+
+export type OnSendChallengeOptions<T extends WabeTypes> = {
+	context: WabeContext<T>
+	user: T['types']['User']
+}
+
+export type OnVerifyChallengeOptions<T extends WabeTypes, K> = {
+	context: WabeContext<T>
+	input: K
+}
+
+export type ProviderInterface<T extends WabeTypes, K = any> = {
+	onSignIn: (options: AuthenticationEventsOptions<T, K>) => Promise<{
+		user: Partial<User>
+		srp?: {
+			salt: string
+			serverPublic: string
+		}
+	}>
+	onSignUp: (
+		options: AuthenticationEventsOptions<T, K>,
+	) => Promise<{ authenticationDataToSave: any }>
+	onUpdateAuthenticationData?: (
+		options: AuthenticationEventsOptionsWithUserId<T, K>,
+	) => Promise<{ authenticationDataToSave: any }>
+}
+
+export type SecondaryProviderInterface<T extends WabeTypes, K = any> = {
+	onSendChallenge?: (options: OnSendChallengeOptions<T>) => Promise<void> | void
+	onVerifyChallenge: (options: OnVerifyChallengeOptions<T, K>) =>
+		| Promise<{
+				userId: string
+				srp?: { serverSessionProof: string }
+		  } | null>
+		| ({ userId: string; srp?: { serverSessionProof: string } } | null)
+}
+
+export type CustomAuthenticationMethods<
+	T extends WabeTypes,
+	U = ProviderInterface<T> | SecondaryProviderInterface<T>,
+	K = SchemaFields<T>,
+	W = SchemaFields<T>,
+> = {
+	name: string
+	input: K
+	dataToStore?: W
+	provider: U
+	isSecondaryFactor?: boolean
+}
+
+export type RoleConfig = Array<string>
+
+export interface SessionConfig<T extends WabeTypes> {
+	/**
+	 * The time in milliseconds that the access token will expire
+	 */
+	accessTokenExpiresInMs?: number
+	/**
+	 * The time in milliseconds that the refresh token will expire
+	 */
+	refreshTokenExpiresInMs?: number
+	/**
+	 * Set to true to automatically store the session tokens in cookies
+	 */
+	cookieSession?: boolean
+	/**
+	 * The JWT secret used to sign the session tokens
+	 */
+	jwtSecret: string
+	/**
+	 * Optional audience to embed and verify in JWTs
+	 */
+	jwtAudience?: string
+	/**
+	 * Optional issuer to embed and verify in JWTs
+	 */
+	jwtIssuer?: string
+	/**
+	 * Secret dedicated to CSRF token HMAC (defaults to jwtSecret)
+	 */
+	csrfSecret?: string
+	/**
+	 * Secret used to encrypt session tokens at rest (defaults to jwtSecret)
+	 */
+	tokenSecret?: string
+	/**
+	 * A selection of fields to include in the JWT token in the "user" fields
+	 */
+	jwtTokenFields?: SelectType<T, 'User', keyof T['types']['User']>
+}
+
+export interface AuthenticationConfig<T extends WabeTypes> {
+	session?: SessionConfig<T>
+	roles?: RoleConfig
+	successRedirectPath?: string
+	failureRedirectPath?: string
+	frontDomain?: string
+	backDomain?: string
+	providers?: Partial<Record<ProviderEnum, ProviderConfig>>
+	customAuthenticationMethods?: CustomAuthenticationMethods<T>[]
+	sessionHandler?: (context: WobeCustomContext<T>) => void | Promise<void>
+	disableSignUp?: boolean
+}
+
+export interface CreateTokenFromAuthorizationCodeOptions {
+	code: string
+}
+
+export interface refreshTokenOptions {
+	refreshToken: string
+}
+
+export interface Provider {
+	createTokenFromAuthorizationCode(
+		options: CreateTokenFromAuthorizationCodeOptions,
+	): Promise<void>
+	refreshToken(options: refreshTokenOptions): Promise<void>
+}
+
+export enum AuthenticationProvider {
+	GitHub = 'github',
+	Google = 'google',
+	EmailPassword = 'emailPassword',
+	PhonePassword = 'phonePassword',
+}
+
+export enum SecondaryFactor {
+	EmailOTP = 'emailOTP',
+	QRCodeOTP = 'qrcodeOTP',
+}

package/src/authentication/oauth/GitHub.test.ts

@@ -0,0 +1,105 @@
+import { describe, expect, it, spyOn } from 'bun:test'
+import { GitHub } from './GitHub'
+import { OAuth2Client } from './Oauth2Client'
+
+describe('GitHub oauth', () => {
+	const config = {
+		port: 3001,
+		authentication: {
+			backDomain: 'api.wabe.dev',
+			providers: {
+				github: {
+					clientId: 'clientId',
+					clientSecret: 'clientSecret',
+				},
+			},
+		},
+	} as any
+
+	const githubOauth = new GitHub(config)
+
+	it('should create authorization url', () => {
+		const spyOauth2ClientCreateAuthorizationUrl = spyOn(
+			OAuth2Client.prototype,
+			'createAuthorizationURL',
+		).mockReturnValue(new URL('https://url') as never)
+
+		const authorizationUrl = githubOauth.createAuthorizationURL(
+			'state',
+			'codeVerifier',
+		)
+
+		expect(authorizationUrl.toString()).toBe(
+			'https://url/?access_type=offline&prompt=select_account',
+		)
+		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledWith({
+			state: 'state',
+			codeVerifier: 'codeVerifier',
+			scopes: ['read:user', 'user:email'],
+		})
+
+		spyOauth2ClientCreateAuthorizationUrl.mockRestore()
+	})
+
+	it('should validate authorization code', async () => {
+		const spyOauth2ClientValidateAuthorizationCode = spyOn(
+			OAuth2Client.prototype,
+			'validateAuthorizationCode',
+		).mockResolvedValue({
+			access_token: 'access_token',
+			refresh_token: 'refresh_token',
+			expires_in: 3600,
+		})
+
+		const res = await githubOauth.validateAuthorizationCode(
+			'code',
+			'codeVerifier',
+		)
+
+		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledWith(
+			'code',
+			{
+				authenticateWith: 'request_body',
+				credentials: 'clientSecret',
+				codeVerifier: 'codeVerifier',
+			},
+		)
+
+		// +100 to avoid flaky
+		expect(
+			(res.accessTokenExpiresAt?.getTime() || 0) + 100,
+		).toBeGreaterThanOrEqual(Date.now() + 3600 * 1000)
+
+		spyOauth2ClientValidateAuthorizationCode.mockRestore()
+	})
+
+	it('should refresh access token', async () => {
+		const spyOauth2ClientRefreshAccessToken = spyOn(
+			OAuth2Client.prototype,
+			'refreshAccessToken',
+		).mockResolvedValue({
+			access_token: 'access_token',
+			expires_in: 3600,
+		})
+
+		const res = await githubOauth.refreshAccessToken('refresh_token')
+
+		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledWith(
+			'refresh_token',
+			{
+				authenticateWith: 'request_body',
+				credentials: 'clientSecret',
+			},
+		)
+
+		expect(res.accessToken).toBe('access_token')
+		expect(res.accessTokenExpiresAt?.getTime()).toBeGreaterThanOrEqual(
+			Date.now() + 3600 * 1000,
+		)
+
+		spyOauth2ClientRefreshAccessToken.mockRestore()
+	})
+})

package/src/authentication/oauth/GitHub.ts

@@ -0,0 +1,133 @@
+import { OAuth2Client } from '.'
+import type { WabeConfig } from '../../server'
+import type { OAuth2ProviderWithPKCE, Tokens } from './utils'
+
+const authorizeEndpoint = 'https://github.com/login/oauth/authorize'
+const tokenEndpoint = 'https://github.com/login/oauth/access_token'
+
+interface AuthorizationCodeResponseBody {
+	access_token: string
+	refresh_token?: string
+	expires_in: number
+	id_token: string
+}
+
+interface RefreshTokenResponseBody {
+	access_token: string
+	expires_in: number
+}
+
+export class GitHub implements OAuth2ProviderWithPKCE {
+	private client: OAuth2Client
+	private clientSecret: string
+
+	constructor(config: WabeConfig<any>) {
+		const githubConfig = config.authentication?.providers?.github
+
+		if (!githubConfig) throw new Error('GitHub config not found')
+
+		const baseUrl = `http${config.isProduction ? 's' : ''}://${config.authentication?.backDomain || '127.0.0.1:' + config.port || 3001}`
+
+		const redirectURI = `${baseUrl}/auth/oauth/callback`
+
+		this.client = new OAuth2Client(
+			githubConfig.clientId,
+			authorizeEndpoint,
+			tokenEndpoint,
+			redirectURI,
+		)
+
+		this.clientSecret = githubConfig.clientSecret
+	}
+
+	createAuthorizationURL(
+		state: string,
+		codeVerifier: string,
+		options?: {
+			scopes?: string[]
+		},
+	): URL {
+		const scopes = options?.scopes ?? []
+		const url = this.client.createAuthorizationURL({
+			state,
+			codeVerifier,
+			scopes: [...scopes, 'read:user', 'user:email'],
+		})
+
+		url.searchParams.set('access_type', 'offline')
+		url.searchParams.set('prompt', 'select_account')
+
+		return url
+	}
+
+	async validateAuthorizationCode(
+		code: string,
+		codeVerifier: string,
+	): Promise<Tokens> {
+		const { access_token, expires_in, refresh_token, id_token } =
+			await this.client.validateAuthorizationCode<AuthorizationCodeResponseBody>(
+				code,
+				{
+					authenticateWith: 'request_body',
+					codeVerifier,
+					credentials: this.clientSecret,
+				},
+			)
+
+		return {
+			accessToken: access_token,
+			refreshToken: refresh_token,
+			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
+			idToken: id_token,
+		}
+	}
+
+	async refreshAccessToken(refreshToken: string): Promise<Tokens> {
+		const { access_token, expires_in } =
+			await this.client.refreshAccessToken<RefreshTokenResponseBody>(
+				refreshToken,
+				{
+					authenticateWith: 'request_body',
+					credentials: this.clientSecret,
+				},
+			)
+
+		return {
+			accessToken: access_token,
+			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
+		}
+	}
+
+	async getUserInfo(accessToken: string) {
+		const userInfoResponse = await fetch('https://api.github.com/user', {
+			headers: {
+				Authorization: `Bearer ${accessToken}`,
+				Accept: 'application/vnd.github.v3+json',
+			},
+		})
+
+		const userEmailResponse = await fetch(
+			'https://api.github.com/user/emails',
+			{
+				headers: {
+					Authorization: `Bearer ${accessToken}`,
+					Accept: 'application/vnd.github.v3+json',
+				},
+			},
+		)
+
+		if (!userInfoResponse.ok || !userEmailResponse.ok)
+			throw new Error('Failed to fetch user information from GitHub')
+
+		const userInfo = await userInfoResponse.json()
+		const userEmails = await userEmailResponse.json()
+
+		const primaryEmail = userEmails.find((email: any) => email.primary)?.email
+
+		return {
+			email: primaryEmail || null,
+			username: userInfo.login,
+			avatarUrl: userInfo.avatar_url,
+		}
+	}
+}

package/src/authentication/oauth/Google.test.ts

@@ -0,0 +1,105 @@
+import { describe, expect, it, spyOn } from 'bun:test'
+import { Google } from './Google'
+import { OAuth2Client } from './Oauth2Client'
+
+describe('Google oauth', () => {
+	const config = {
+		port: 3001,
+		authentication: {
+			backDomain: 'api.wabe.com',
+			providers: {
+				google: {
+					clientId: 'clientId',
+					clientSecret: 'clientSecret',
+				},
+			},
+		},
+	} as any
+
+	const googleOauth = new Google(config)
+
+	it('should create authorization url', () => {
+		const spyOauth2ClientCreateAuthorizationUrl = spyOn(
+			OAuth2Client.prototype,
+			'createAuthorizationURL',
+		).mockReturnValue(new URL('https://url') as never)
+
+		const authorizationUrl = googleOauth.createAuthorizationURL(
+			'state',
+			'codeVerifier',
+		)
+
+		expect(authorizationUrl.toString()).toBe(
+			'https://url/?access_type=offline&prompt=select_account',
+		)
+		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientCreateAuthorizationUrl).toHaveBeenCalledWith({
+			state: 'state',
+			codeVerifier: 'codeVerifier',
+			scopes: ['openid'],
+		})
+
+		spyOauth2ClientCreateAuthorizationUrl.mockRestore()
+	})
+
+	it('should validate authorization code', async () => {
+		const spyOauth2ClientValidateAuthorizationCode = spyOn(
+			OAuth2Client.prototype,
+			'validateAuthorizationCode',
+		).mockResolvedValue({
+			access_token: 'access_token',
+			refresh_token: 'refresh_token',
+			expires_in: 3600,
+		})
+
+		const res = await googleOauth.validateAuthorizationCode(
+			'code',
+			'codeVerifier',
+		)
+
+		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientValidateAuthorizationCode).toHaveBeenCalledWith(
+			'code',
+			{
+				authenticateWith: 'request_body',
+				credentials: 'clientSecret',
+				codeVerifier: 'codeVerifier',
+			},
+		)
+
+		// +100 to avoid flaky
+		expect(
+			(res.accessTokenExpiresAt?.getTime() || 0) + 100,
+		).toBeGreaterThanOrEqual(Date.now() + 3600 * 1000)
+
+		spyOauth2ClientValidateAuthorizationCode.mockRestore()
+	})
+
+	it('should refresh access token', async () => {
+		const spyOauth2ClientRefreshAccessToken = spyOn(
+			OAuth2Client.prototype,
+			'refreshAccessToken',
+		).mockResolvedValue({
+			access_token: 'access_token',
+			expires_in: 3600,
+		})
+
+		const res = await googleOauth.refreshAccessToken('refresh_token')
+
+		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledTimes(1)
+		expect(spyOauth2ClientRefreshAccessToken).toHaveBeenCalledWith(
+			'refresh_token',
+			{
+				authenticateWith: 'request_body',
+				credentials: 'clientSecret',
+			},
+		)
+
+		expect(res.accessToken).toBe('access_token')
+		expect(res.accessTokenExpiresAt?.getTime()).toBeGreaterThanOrEqual(
+			Date.now() + 3600 * 1000,
+		)
+
+		spyOauth2ClientRefreshAccessToken.mockRestore()
+	})
+})