wabe 0.6.9 → 0.6.10

package/src/authentication/providers/EmailOTP.ts

@@ -0,0 +1,93 @@
+import { contextWithRoot } from '../..'
+import { sendOtpCodeTemplate } from '../../email/templates/sendOtpCode'
+import type { DevWabeTypes } from '../../utils/helper'
+import type {
+	OnSendChallengeOptions,
+	OnVerifyChallengeOptions,
+	SecondaryProviderInterface,
+} from '../interface'
+import { OTP } from '../OTP'
+
+const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+type EmailOTPInterface = {
+	email: string
+	otp: string
+}
+
+export class EmailOTP
+	implements SecondaryProviderInterface<DevWabeTypes, EmailOTPInterface>
+{
+	async onSendChallenge({
+		context,
+		user,
+	}: OnSendChallengeOptions<DevWabeTypes>) {
+		const emailController = context.wabe.controllers.email
+
+		if (!emailController) throw new Error('Email controller not found')
+
+		const mainEmail = context.wabe.config.email?.mainEmail
+
+		if (!mainEmail) throw new Error('No main email found')
+
+		if (!user.email) throw new Error('No user email found')
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const otp = otpClass.generate(user.id)
+
+		const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode
+
+		await emailController.send({
+			from: mainEmail,
+			to: [user.email],
+			subject: template?.subject || 'Your OTP code',
+			html: template?.fn
+				? await template.fn({ otp })
+				: sendOtpCodeTemplate(otp),
+		})
+	}
+
+	async onVerifyChallenge({
+		context,
+		input,
+	}: OnVerifyChallengeOptions<DevWabeTypes, EmailOTPInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				email: {
+					equalTo: input.email,
+				},
+			},
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+			context: contextWithRoot(context),
+		})
+
+		const realUser = users.length > 0 ? users[0] : null
+		const userId = realUser?.id ?? DUMMY_USER_ID
+
+		const isDevBypass =
+			!context.wabe.config.isProduction &&
+			input.otp === '000000' &&
+			realUser !== null
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const isOtpValid = otpClass.verify(input.otp, userId)
+
+		if (realUser && (isOtpValid || isDevBypass)) return { userId: realUser.id }
+
+		return null
+	}
+}

package/src/authentication/providers/EmailPassword.test.ts

@@ -0,0 +1,187 @@
+import {
+	describe,
+	expect,
+	it,
+	mock,
+	spyOn,
+	afterEach,
+	afterAll,
+} from 'bun:test'
+import * as crypto from '../../utils/crypto'
+
+import { EmailPassword } from './EmailPassword'
+
+describe('Email password', () => {
+	const mockGetObjects = mock(() => Promise.resolve([]))
+	const mockCount = mock(() => Promise.resolve(0)) as any
+	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
+
+	const spyArgonPasswordVerify = spyOn(crypto, 'verifyArgon2')
+	const spyBunPasswordHash = spyOn(crypto, 'hashArgon2')
+
+	const controllers = {
+		controllers: {
+			database: {
+				getObjects: mockGetObjects,
+				createObject: mockCreateObject,
+				count: mockCount,
+			},
+		},
+	} as any
+
+	afterEach(() => {
+		mockGetObjects.mockClear()
+		mockCreateObject.mockClear()
+		spyArgonPasswordVerify.mockClear()
+		spyBunPasswordHash.mockClear()
+	})
+
+	afterAll(() => {
+		spyArgonPasswordVerify.mockRestore()
+		spyBunPasswordHash.mockRestore()
+	})
+
+	const emailPassword = new EmailPassword()
+
+	it('should signUp with email password', async () => {
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const {
+			authenticationDataToSave: { email },
+		} = await emailPassword.onSignUp({
+			context: { wabe: controllers } as any,
+			input: { email: 'email@test.fr', password: 'password' },
+		})
+
+		expect(email).toBe('email@test.fr')
+	})
+
+	it('should signIn with email password', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'userId',
+				authentication: {
+					emailPassword: {
+						email: 'email@test.fr',
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		const { user } = await emailPassword.onSignIn({
+			context: { wabe: controllers } as any,
+			input: { email: 'email@test.fr', password: 'password' },
+		})
+
+		expect(user).toEqual({
+			id: 'userId',
+			authentication: {
+				emailPassword: {
+					email: 'email@test.fr',
+					password: 'hashedPassword',
+				},
+			},
+		})
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+		expect(spyArgonPasswordVerify).toHaveBeenCalledWith(
+			'password',
+			'hashedPassword',
+		)
+	})
+
+	it('should not signIn with email password if password is undefined', () => {
+		spyArgonPasswordVerify.mockResolvedValueOnce(false)
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				// @ts-expect-error
+				input: { email: 'email@test.fr' },
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+	})
+
+	it('should not signIn with email password if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not signIn with email password if there is email is invalid', () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				authentication: {
+					emailPassword: {
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not update authentication data if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			emailPassword.onUpdateAuthenticationData?.({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'email@test.fr',
+					password: 'password',
+				},
+				userId: 'userId',
+			}),
+		).rejects.toThrow('User not found')
+	})
+
+	it('should update authentication data if the userId match with an user', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'id',
+			},
+		] as any)
+
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const res = await emailPassword.onUpdateAuthenticationData?.({
+			context: { wabe: controllers } as any,
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			userId: 'userId',
+		})
+
+		expect(res.authenticationDataToSave.email).toBe('email@test.fr')
+	})
+})

package/src/authentication/providers/EmailPassword.ts

@@ -0,0 +1,130 @@
+import type {
+	AuthenticationEventsOptions,
+	AuthenticationEventsOptionsWithUserId,
+	ProviderInterface,
+} from '../interface'
+import { contextWithRoot, verifyArgon2 } from '../../utils/export'
+import type { DevWabeTypes } from '../../utils/helper'
+
+type EmailPasswordInterface = {
+	password: string
+	email: string
+	otp?: string
+}
+
+const DUMMY_PASSWORD_HASH =
+	'$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U'
+
+export class EmailPassword
+	implements ProviderInterface<DevWabeTypes, EmailPasswordInterface>
+{
+	async onSignIn({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				authentication: {
+					emailPassword: {
+						email: { equalTo: input.email },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+		})
+
+		const user = users[0]
+		const userDatabasePassword = user?.authentication?.emailPassword?.password
+
+		const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH
+
+		const isPasswordEquals = await verifyArgon2(
+			input.password,
+			passwordHashToCheck,
+		)
+
+		if (
+			!user ||
+			!isPasswordEquals ||
+			input.email !== user.authentication?.emailPassword?.email
+		)
+			throw new Error('Invalid authentication credentials')
+
+		return {
+			user,
+		}
+	}
+
+	async onSignUp({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
+		const users = await context.wabe.controllers.database.count({
+			className: 'User',
+			where: {
+				authentication: {
+					emailPassword: {
+						email: { equalTo: input.email },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+		})
+
+		// Hide real message
+		if (users > 0) throw new Error('Not authorized to create user')
+
+		return {
+			authenticationDataToSave: {
+				email: input.email,
+				password: input.password,
+			},
+		}
+	}
+
+	async onUpdateAuthenticationData({
+		userId,
+		input,
+		context,
+	}: AuthenticationEventsOptionsWithUserId<
+		DevWabeTypes,
+		EmailPasswordInterface
+	>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				id: {
+					equalTo: userId,
+				},
+			},
+			context,
+			select: { authentication: true },
+		})
+
+		if (users.length === 0) throw new Error('User not found')
+
+		const user = users[0]
+
+		return {
+			authenticationDataToSave: {
+				email: input.email ?? user?.authentication?.emailPassword?.email,
+				password: input.password
+					? input.password
+					: user?.authentication?.emailPassword?.password,
+			},
+		}
+	}
+}

package/src/authentication/providers/EmailPasswordSRP.test.ts

@@ -0,0 +1,206 @@
+import { afterAll, beforeAll, describe, it, expect } from 'bun:test'
+import { createSRPClient } from 'js-srp6a'
+import type { Wabe } from '../../server'
+import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import { gql } from 'graphql-request'
+
+describe('EmailPasswordSRP', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should authenticate an user with SRP', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+		const email = 'test@gmail.com'
+		const password = 'password'
+
+		const client = createSRPClient('SHA-256', 3072)
+
+		// Sign up
+		const salt = client.generateSalt()
+		const privateKey = await client.deriveSafePrivateKey(salt, password)
+		const verifier = client.deriveVerifier(privateKey)
+
+		await anonymousClient.request<any>(
+			gql`
+        mutation signUpWith($input: SignUpWithInput!) {
+          signUpWith(input: $input) {
+            accessToken
+          }
+        }
+      `,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							salt,
+							verifier,
+						},
+					},
+				},
+			},
+		)
+
+		// Sign in
+		const clientEphemeral = client.generateEphemeral()
+
+		const { signInWith } = await anonymousClient.request<any>(
+			gql`
+      mutation signInWith($input: SignInWithInput!) {
+        signInWith(input: $input) {
+          srp {
+            salt
+            serverPublic
+          }
+        }
+      }
+    `,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							clientPublic: clientEphemeral.public,
+						},
+					},
+				},
+			},
+		)
+
+		const clientSession = await client.deriveSession(
+			clientEphemeral.secret,
+			signInWith.srp.serverPublic,
+			salt,
+			'', // Because we don't hash the username
+			privateKey,
+		)
+
+		const { verifyChallenge } = await anonymousClient.request<any>(
+			gql`
+        mutation verifyChallenge($input: VerifyChallengeInput!) {
+            verifyChallenge(input: $input) {
+            srp {
+              serverSessionProof
+            }
+          }
+        }
+      `,
+			{
+				input: {
+					secondFA: {
+						emailPasswordSRPChallenge: {
+							email,
+							clientPublic: clientEphemeral.public,
+							clientSessionProof: clientSession.proof,
+						},
+					},
+				},
+			},
+		)
+
+		expect(
+			client.verifySession(
+				clientEphemeral.public,
+				clientSession,
+				verifyChallenge.srp.serverSessionProof,
+			),
+		).resolves.toBeUndefined()
+	})
+
+	it('should not authenticate with invalid password', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+		const email = 'invalid@test.com'
+		const correctPassword = 'correct_password'
+		const wrongPassword = 'wrong_password'
+
+		const client = createSRPClient('SHA-256', 3072)
+
+		const salt = client.generateSalt()
+		const privateKey = await client.deriveSafePrivateKey(salt, correctPassword)
+		const verifier = client.deriveVerifier(privateKey)
+
+		await anonymousClient.request<any>(
+			gql`
+         mutation signUpWith($input: SignUpWithInput!) {
+           signUpWith(input: $input) {
+             accessToken
+           }
+         }
+       `,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: { email, salt, verifier },
+					},
+				},
+			},
+		)
+
+		const clientEphemeral = client.generateEphemeral()
+
+		const { signInWith } = await anonymousClient.request<any>(
+			gql`
+         mutation signInWith($input: SignInWithInput!) {
+           signInWith(input: $input) {
+             srp { salt serverPublic }
+           }
+         }
+       `,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							clientPublic: clientEphemeral.public,
+						},
+					},
+				},
+			},
+		)
+
+		// Derive with wrong password
+		const wrongPrivateKey = await client.deriveSafePrivateKey(
+			salt,
+			wrongPassword,
+		)
+		const wrongClientSession = await client.deriveSession(
+			clientEphemeral.secret,
+			signInWith.srp.serverPublic,
+			salt,
+			'',
+			wrongPrivateKey,
+		)
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+           mutation verifyChallenge($input: VerifyChallengeInput!) {
+             verifyChallenge(input: $input) {
+               srp { serverSessionProof }
+             }
+           }
+         `,
+				{
+					input: {
+						secondFA: {
+							emailPasswordSRPChallenge: {
+								email,
+								clientPublic: clientEphemeral.public,
+								clientSessionProof: wrongClientSession.proof,
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Invalid authentication credentials')
+	})
+})