wabe 0.6.9 → 0.6.10

package/src/authentication/oauth/Google.ts

@@ -0,0 +1,110 @@
+import { OAuth2Client } from '.'
+import type { WabeConfig } from '../../server'
+import type { OAuth2ProviderWithPKCE, Tokens } from './utils'
+
+const authorizeEndpoint = 'https://accounts.google.com/o/oauth2/v2/auth'
+const tokenEndpoint = 'https://oauth2.googleapis.com/token'
+
+interface AuthorizationCodeResponseBody {
+	access_token: string
+	refresh_token?: string
+	expires_in: number
+	id_token: string
+}
+
+interface RefreshTokenResponseBody {
+	access_token: string
+	expires_in: number
+}
+
+export class Google implements OAuth2ProviderWithPKCE {
+	private client: OAuth2Client
+	private clientSecret: string
+
+	constructor(config: WabeConfig<any>) {
+		const googleConfig = config.authentication?.providers?.google
+
+		if (!googleConfig) throw new Error('Google config not found')
+
+		const baseUrl = `http${config.isProduction ? 's' : ''}://${config.authentication?.backDomain || '127.0.0.1:' + config.port || 3001}`
+
+		const redirectURI = `${baseUrl}/auth/oauth/callback`
+
+		this.client = new OAuth2Client(
+			googleConfig.clientId,
+			authorizeEndpoint,
+			tokenEndpoint,
+			redirectURI,
+		)
+
+		this.clientSecret = googleConfig.clientSecret
+	}
+
+	createAuthorizationURL(
+		state: string,
+		codeVerifier: string,
+		options?: {
+			scopes?: string[]
+		},
+	): URL {
+		const scopes = options?.scopes ?? []
+		const url = this.client.createAuthorizationURL({
+			state,
+			codeVerifier,
+			scopes: [...scopes, 'openid'],
+		})
+
+		url.searchParams.set('access_type', 'offline')
+		url.searchParams.set('prompt', 'select_account')
+
+		return url
+	}
+
+	async validateAuthorizationCode(
+		code: string,
+		codeVerifier: string,
+	): Promise<Tokens> {
+		const { access_token, expires_in, refresh_token, id_token } =
+			await this.client.validateAuthorizationCode<AuthorizationCodeResponseBody>(
+				code,
+				{
+					authenticateWith: 'request_body',
+					credentials: this.clientSecret,
+					codeVerifier,
+				},
+			)
+
+		return {
+			accessToken: access_token,
+			refreshToken: refresh_token,
+			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
+			idToken: id_token,
+		}
+	}
+
+	async refreshAccessToken(refreshToken: string): Promise<Tokens> {
+		const { access_token, expires_in } =
+			await this.client.refreshAccessToken<RefreshTokenResponseBody>(
+				refreshToken,
+				{
+					authenticateWith: 'request_body',
+					credentials: this.clientSecret,
+				},
+			)
+
+		return {
+			accessToken: access_token,
+			accessTokenExpiresAt: new Date(Date.now() + expires_in * 1000),
+		}
+	}
+
+	async getUserInfo(accessToken: string) {
+		const userInfo = await fetch(
+			`https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=${accessToken}`,
+		)
+
+		const { email, verified_email } = await userInfo.json()
+
+		return { email, verifiedEmail: verified_email }
+	}
+}

package/src/authentication/oauth/Oauth2Client.test.ts

@@ -0,0 +1,225 @@
+import { describe, expect, it, spyOn, mock, afterAll } from 'bun:test'
+import { fail } from 'node:assert'
+import { OAuth2Client } from './Oauth2Client'
+import { base64URLencode } from './utils'
+
+const mockFetch = mock(() => {})
+
+const originalFetch = global.fetch
+
+// @ts-expect-error
+global.fetch = mockFetch
+
+describe('Oauth2Client', () => {
+	const oauthClient = new OAuth2Client(
+		'clientId',
+		'https://authorizationEndpoint',
+		'https://tokenEndpoint',
+		'https://redirectURI',
+	)
+
+	afterAll(() => {
+		global.fetch = originalFetch
+	})
+
+	it('should create authorization URl', () => {
+		const authorizationURL = oauthClient.createAuthorizationURL()
+
+		expect(authorizationURL.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithState = oauthClient.createAuthorizationURL({
+			state: 'state',
+		})
+
+		expect(authorizationURLWithState.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&state=state&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithScopes = oauthClient.createAuthorizationURL({
+			scopes: ['scope1', 'scope2'],
+		})
+
+		expect(authorizationURLWithScopes.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&scope=scope1+scope2&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithCodeVerifier = oauthClient.createAuthorizationURL(
+			{
+				codeVerifier: 'codeVerifier',
+			},
+		)
+
+		const codeChallenge = base64URLencode('codeVerifier')
+
+		expect(authorizationURLWithCodeVerifier.toString()).toEqual(
+			`https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI&code_challenge_method=S256&code_challenge=${codeChallenge.replace(
+				'/',
+				'%2F',
+			)}`,
+		)
+	})
+
+	it('should validate authorization code', async () => {
+		const spySendTokenRequest = spyOn(
+			OAuth2Client.prototype,
+			'_sendTokenRequest',
+		).mockResolvedValue({} as any)
+
+		await oauthClient.validateAuthorizationCode('code')
+
+		const expectedBody = new URLSearchParams()
+		expectedBody.set('code', 'code')
+		expectedBody.set('client_id', 'clientId')
+		expectedBody.set('grant_type', 'authorization_code')
+		expectedBody.set('redirect_uri', 'https://redirectURI')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
+		const body = spySendTokenRequest.mock.calls[0]?.[0]
+		const options = spySendTokenRequest.mock.calls[0]?.[1]
+		expect(body?.toString()).toEqual(expectedBody.toString())
+		expect(options).toBeUndefined()
+
+		await oauthClient.validateAuthorizationCode('code', {
+			codeVerifier: 'codeVerifier',
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const expectedBody2 = new URLSearchParams()
+		expectedBody2.set('code', 'code')
+		expectedBody2.set('client_id', 'clientId')
+		expectedBody2.set('grant_type', 'authorization_code')
+		expectedBody2.set('redirect_uri', 'https://redirectURI')
+		expectedBody2.set('code_verifier', 'codeVerifier')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
+		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
+		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
+		expect(body2?.toString()).toEqual(expectedBody2.toString())
+		expect(options2).toEqual({
+			codeVerifier: 'codeVerifier',
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		} as any)
+
+		spySendTokenRequest.mockRestore()
+	})
+
+	it('should refresh access token', async () => {
+		const spySendTokenRequest = spyOn(
+			OAuth2Client.prototype,
+			'_sendTokenRequest',
+		).mockResolvedValue({} as any)
+
+		await oauthClient.refreshAccessToken('refreshToken')
+
+		const expectedBody = new URLSearchParams()
+		expectedBody.set('refresh_token', 'refreshToken')
+		expectedBody.set('client_id', 'clientId')
+		expectedBody.set('grant_type', 'refresh_token')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
+		const body = spySendTokenRequest.mock.calls[0]?.[0]
+		const options = spySendTokenRequest.mock.calls[0]?.[1]
+		expect(body?.toString()).toEqual(expectedBody.toString())
+		expect(options).toBeUndefined()
+
+		await oauthClient.refreshAccessToken('refreshToken', {
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const expectedBody2 = new URLSearchParams()
+		expectedBody2.set('refresh_token', 'refreshToken')
+		expectedBody2.set('client_id', 'clientId')
+		expectedBody2.set('grant_type', 'refresh_token')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
+		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
+		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
+		expect(body2?.toString()).toEqual(expectedBody2.toString())
+		expect(options2).toEqual({
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		spySendTokenRequest.mockRestore()
+	})
+
+	it('should send token request', async () => {
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({ access_token: 'access_token' }),
+			ok: true,
+			status: 200,
+		} as never)
+
+		await oauthClient._sendTokenRequest(new URLSearchParams(), {
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const encodeCredentials = btoa('clientId:credentials')
+
+		expect(mockFetch).toHaveBeenCalledTimes(1)
+		// @ts-expect-error
+		const receivedRequest = mockFetch.mock.calls[0][0] as any
+
+		if (!receivedRequest) fail()
+		expect(receivedRequest.url).toEqual('https://tokenendpoint/')
+		expect(receivedRequest.method).toEqual('POST')
+		expect(receivedRequest.headers.get('content-type')).toEqual(
+			'application/x-www-form-urlencoded',
+		)
+		expect(receivedRequest.headers.get('accept')).toEqual('application/json')
+		expect(receivedRequest.headers.get('user-agent')).toEqual('wabe')
+		expect(receivedRequest.headers.get('authorization')).toEqual(
+			`Basic ${encodeCredentials}`,
+		)
+
+		mockFetch.mockRestore()
+	})
+
+	it('should throw an error if the result of the request is not valid', () => {
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: false,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: true,
+			status: 400,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: true,
+			status: 200,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockRestore()
+	})
+})

package/src/authentication/oauth/Oauth2Client.ts

@@ -0,0 +1,140 @@
+// Code inspired by Oslo : https://github.com/pilcrowOnPaper/oslo/blob/main/src/oauth2/index.ts
+
+import { base64URLencode } from './utils'
+
+export interface TokenResponseBody {
+	access_token: string
+	token_type?: string
+	expires_in?: number
+	refresh_token?: string
+	scope?: string
+}
+
+export class OAuth2Client {
+	public clientId: string
+
+	private authorizeEndpoint: string
+	private tokenEndpoint: string
+	private redirectURI: string
+
+	constructor(
+		clientId: string,
+		authorizeEndpoint: string,
+		tokenEndpoint: string,
+		redirectURI: string,
+	) {
+		this.clientId = clientId
+		this.authorizeEndpoint = authorizeEndpoint
+		this.tokenEndpoint = tokenEndpoint
+		this.redirectURI = redirectURI
+	}
+
+	createAuthorizationURL(options?: {
+		state?: string
+		codeVerifier?: string
+		scopes?: string[]
+	}): URL {
+		const scopes = Array.from(new Set(options?.scopes || [])) // remove duplicates
+		const authorizationUrl = new URL(this.authorizeEndpoint)
+		authorizationUrl.searchParams.set('response_type', 'code')
+		authorizationUrl.searchParams.set('client_id', this.clientId)
+
+		if (options?.state !== undefined)
+			authorizationUrl.searchParams.set('state', options.state)
+
+		if (scopes.length > 0)
+			authorizationUrl.searchParams.set('scope', scopes.join(' '))
+
+		if (this.redirectURI !== null)
+			authorizationUrl.searchParams.set('redirect_uri', this.redirectURI)
+
+		if (options?.codeVerifier !== undefined) {
+			const codeChallenge = base64URLencode(options.codeVerifier)
+
+			authorizationUrl.searchParams.set('code_challenge_method', 'S256')
+			authorizationUrl.searchParams.set('code_challenge', codeChallenge)
+		}
+
+		return authorizationUrl
+	}
+
+	validateAuthorizationCode<_TokenResponseBody extends TokenResponseBody>(
+		authorizationCode: string,
+		options?: {
+			codeVerifier?: string
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+		},
+	): Promise<_TokenResponseBody> {
+		const body = new URLSearchParams()
+		body.set('code', authorizationCode)
+		body.set('client_id', this.clientId)
+		body.set('grant_type', 'authorization_code')
+
+		if (this.redirectURI !== null) body.set('redirect_uri', this.redirectURI)
+
+		if (options?.codeVerifier !== undefined)
+			body.set('code_verifier', options.codeVerifier)
+
+		return this._sendTokenRequest<_TokenResponseBody>(body, options)
+	}
+
+	async refreshAccessToken<_TokenResponseBody extends TokenResponseBody>(
+		refreshToken: string,
+		options?: {
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+			scopes?: string[]
+		},
+	): Promise<_TokenResponseBody> {
+		const body = new URLSearchParams()
+		body.set('refresh_token', refreshToken)
+		body.set('client_id', this.clientId)
+		body.set('grant_type', 'refresh_token')
+
+		const scopes = Array.from(new Set(options?.scopes ?? [])) // remove duplicates
+		if (scopes.length > 0) body.set('scope', scopes.join(' '))
+
+		return await this._sendTokenRequest<_TokenResponseBody>(body, options)
+	}
+
+	async _sendTokenRequest<_TokenResponseBody extends TokenResponseBody>(
+		body: URLSearchParams,
+		options?: {
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+		},
+	): Promise<_TokenResponseBody> {
+		const headers = new Headers()
+		headers.set('Content-Type', 'application/x-www-form-urlencoded')
+		headers.set('Accept', 'application/json')
+		headers.set('User-Agent', 'wabe')
+
+		if (options?.credentials !== undefined) {
+			const authenticateWith = options?.authenticateWith || 'http_basic_auth'
+			if (authenticateWith === 'http_basic_auth') {
+				const encodedCredentials = btoa(
+					`${this.clientId}:${options.credentials}`,
+				)
+				headers.set('Authorization', `Basic ${encodedCredentials}`)
+			} else {
+				body.set('client_secret', options.credentials)
+			}
+		}
+
+		const request = new Request(this.tokenEndpoint, {
+			method: 'POST',
+			headers,
+			body,
+		})
+
+		const response = await fetch(request)
+		const result: _TokenResponseBody = await response.json()
+
+		// providers are allowed to return non-400 status code for errors
+		if (!('access_token' in result) || response.status !== 200 || !response.ok)
+			throw new Error('Error in token request')
+
+		return result
+	}
+}

package/src/authentication/oauth/index.ts

@@ -0,0 +1,2 @@
+export * from './Oauth2Client'
+export * from './Google'

package/src/authentication/oauth/utils.test.ts

@@ -0,0 +1,35 @@
+import { describe, expect, it } from 'bun:test'
+import { base64URLencode, generateRandomValues } from './utils'
+
+describe('Oauth utils', () => {
+	it('should encode url with base64', () => {
+		const content = 'test'
+
+		// Keep Bun. here to be sure the compatibility between node and Bun implem
+		const hasher = new Bun.CryptoHasher('sha256')
+		hasher.update(new TextEncoder().encode(content))
+		const resultWithPadding = hasher.digest('base64')
+
+		const result = base64URLencode(content)
+
+		expect(resultWithPadding).toBe(
+			'n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=',
+		)
+		expect(result).toBe('n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg')
+	})
+
+	// Real use case check with oauth simulator
+	it('should encode correctly with base64', () => {
+		const content = 'bIaNJCsNzrZE7QEzYjwbl0fa1CyzF49moM6Ua4H0d5cG-l7d'
+		const result = base64URLencode(content)
+
+		expect(result).toBe('1pdL2CLvBbNBnrfBZeNYlFzpedMhUTbgyhn0CnWVYoc')
+	})
+
+	it('should generate random values for code_verifier or state', () => {
+		const randomValue = generateRandomValues()
+
+		// Google recommends an entropy between 43 and 128 characters for the code_verifier
+		expect(randomValue.length).toEqual(80)
+	})
+})

package/src/authentication/oauth/utils.ts

@@ -0,0 +1,28 @@
+import crypto from 'node:crypto'
+
+export interface Tokens {
+	accessToken: string
+	refreshToken?: string | null
+	accessTokenExpiresAt?: Date
+	refreshTokenExpiresAt?: Date | null
+	idToken?: string
+}
+
+export interface OAuth2ProviderWithPKCE {
+	createAuthorizationURL(state: string, codeVerifier: string): URL
+	validateAuthorizationCode(code: string, codeVerifier: string): Promise<Tokens>
+	refreshAccessToken?(refreshToken: string): Promise<Tokens>
+}
+
+// https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
+export const base64URLencode = (content: string) => {
+	const hasher = crypto.createHash('sha256').update(content)
+
+	const result = hasher.digest('base64')
+
+	// @ts-expect-error
+	return result.split('=')[0].replaceAll('+', '-').replaceAll('/', '_')
+}
+
+export const generateRandomValues = () =>
+	crypto.randomBytes(60).toString('base64url')

package/src/authentication/providers/EmailOTP.test.ts

@@ -0,0 +1,138 @@
+import {
+	describe,
+	expect,
+	it,
+	spyOn,
+	beforeAll,
+	afterAll,
+	afterEach,
+} from 'bun:test'
+import { EmailOTP } from './EmailOTP'
+import type { DevWabeTypes } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import { EmailDevAdapter, type Wabe } from '../..'
+import * as sendOtpCodeTemplate from '../../email/templates/sendOtpCode'
+import { OTP } from '../OTP'
+
+describe('EmailOTPProvider', () => {
+	const spyEmailSend = spyOn(EmailDevAdapter.prototype, 'send')
+	const spySendOtpCodeTemplate = spyOn(
+		sendOtpCodeTemplate,
+		'sendOtpCodeTemplate',
+	)
+
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	afterEach(async () => {
+		spyEmailSend.mockClear()
+		spySendOtpCodeTemplate.mockClear()
+
+		await wabe.controllers.database.clearDatabase()
+	})
+
+	it("should send an OTP code to the user's email", async () => {
+		const createdUser = await wabe.controllers.database.createObject({
+			className: 'User',
+			context: {
+				wabe,
+				isRoot: true,
+			},
+			data: {
+				email: 'email@test.fr',
+			},
+			select: {
+				id: true,
+				email: true,
+			},
+		})
+
+		if (!createdUser) throw new Error('User not created')
+
+		const emailOTP = new EmailOTP()
+
+		await emailOTP.onSendChallenge({
+			context: {
+				wabe,
+				isRoot: false,
+			},
+			user: createdUser,
+		})
+
+		expect(spyEmailSend).toHaveBeenCalledTimes(1)
+		expect(spyEmailSend).toHaveBeenCalledWith(
+			expect.objectContaining({
+				from: 'main.email@wabe.com',
+				to: ['email@test.fr'],
+				subject: 'Your OTP code',
+			}),
+		)
+
+		const otp = spySendOtpCodeTemplate.mock.calls[0]?.[0]
+
+		expect(spySendOtpCodeTemplate).toHaveBeenCalledTimes(1)
+		expect(otp?.length).toBe(6)
+	})
+
+	it('should return the userId if the OTP code is valid', async () => {
+		const createdUser = await wabe.controllers.database.createObject({
+			className: 'User',
+			context: {
+				wabe,
+				isRoot: true,
+			},
+			data: {
+				email: 'email@test.fr',
+			},
+			select: {
+				id: true,
+			},
+		})
+
+		if (!createdUser) throw new Error('User not created')
+
+		const otp = new OTP(wabe.config.rootKey).generate(createdUser.id)
+
+		const emailOTP = new EmailOTP()
+
+		expect(
+			await emailOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp,
+				},
+			}),
+		).toEqual({
+			userId: createdUser.id,
+		})
+	})
+
+	it("should return null if the user doesn't exist", async () => {
+		const emailOTP = new EmailOTP()
+
+		expect(
+			await emailOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp: '123456',
+				},
+			}),
+		).toEqual(null)
+	})
+})