wabe 0.6.9 → 0.6.11

package/src/authentication/providers/QRCodeOTP.ts

@@ -0,0 +1,58 @@
+import { contextWithRoot } from '../..'
+import type { DevWabeTypes } from '../../utils/helper'
+import type { OnVerifyChallengeOptions, SecondaryProviderInterface } from '../interface'
+import { OTP } from '../OTP'
+
+const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+type QRCodeOTPInterface = {
+	email: string
+	otp: string
+}
+
+export class QRCodeOTP implements SecondaryProviderInterface<DevWabeTypes, QRCodeOTPInterface> {
+	async onSendChallenge() {
+		// The user should check the application and get the OTP code
+	}
+
+	async onVerifyChallenge({
+		context,
+		input,
+	}: OnVerifyChallengeOptions<DevWabeTypes, QRCodeOTPInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				email: {
+					equalTo: input.email,
+				},
+			},
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+			context: contextWithRoot(context),
+		})
+
+		const realUser = users.length > 0 ? users[0] : null
+		const userId = realUser?.id ?? DUMMY_USER_ID
+
+		const isDevBypass =
+			!context.wabe.config.isProduction && input.otp === '000000' && realUser !== null
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const isOtpValid = otpClass.authenticatorVerify(input.otp, userId)
+
+		if (realUser && (isOtpValid || isDevBypass)) return { userId: realUser.id }
+
+		return null
+	}
+}

package/src/authentication/providers/index.ts

@@ -0,0 +1,6 @@
+export * from './EmailPassword'
+export * from './Google'
+export * from './GitHub'
+export * from './PhonePassword'
+export * from './EmailOTP'
+export * from './QRCodeOTP'

package/src/authentication/resolvers/refreshResolver.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it, spyOn } from 'bun:test'
+import { refreshResolver } from './refreshResolver'
+import type { WabeContext } from '../../server/interface'
+import { Session } from '../Session'
+
+const context: WabeContext<any> = {
+	sessionId: 'sessionId',
+	user: {} as any,
+	isRoot: false,
+} as WabeContext<any>
+
+describe('refreshResolver', () => {
+	it('should refresh the session', async () => {
+		const spyRefreshSession = spyOn(Session.prototype, 'refresh').mockResolvedValue({} as any)
+
+		await refreshResolver(
+			null,
+			{
+				input: {
+					accessToken: 'accessToken',
+					refreshToken: 'refreshToken',
+				},
+			},
+			context,
+		)
+
+		expect(spyRefreshSession).toHaveBeenCalledTimes(1)
+		expect(spyRefreshSession).toHaveBeenCalledWith('accessToken', 'refreshToken', context)
+	})
+})

package/src/authentication/resolvers/refreshResolver.ts

@@ -0,0 +1,19 @@
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+
+export const refreshResolver = async (_: any, args: any, context: WabeContext<DevWabeTypes>) => {
+	const {
+		input: { refreshToken, accessToken },
+	} = args
+
+	const session = new Session()
+
+	const { accessToken: newAccessToken, refreshToken: newRefreshToken } = await session.refresh(
+		accessToken,
+		refreshToken,
+		context,
+	)
+
+	return { accessToken: newAccessToken, refreshToken: newRefreshToken }
+}

package/src/authentication/resolvers/signInWithResolver.inte.test.ts

@@ -0,0 +1,59 @@
+import { describe, it, beforeAll, afterAll, expect } from 'bun:test'
+import { gql } from 'graphql-request'
+import type { Wabe } from 'src'
+import { getAdminUserClient, type DevWabeTypes } from 'src/utils/helper'
+import { setupTests, closeTests } from 'src/utils/testHelper'
+
+describe('signInWithResolver integration test', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should return all fields of the user on signInWith resolver', async () => {
+		const adminClient = await getAdminUserClient(wabe.config.port, wabe, {
+			email: 'admin@wabe.dev',
+			password: 'admin',
+		})
+		const res = await adminClient.request<any>(
+			gql`
+				mutation signInWith($input: SignInWithInput!) {
+					signInWith(input: $input) {
+						user {
+							id
+							authentication {
+								emailPassword {
+									email
+								}
+							}
+							role {
+								name
+							}
+						}
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'admin@wabe.dev',
+							password: 'admin',
+						},
+					},
+				},
+			},
+		)
+
+		expect(res.signInWith.user.role.name).toBe('Admin')
+		expect(res.signInWith.user.authentication.emailPassword).toEqual({
+			email: 'admin@wabe.dev',
+		})
+	})
+})

package/src/authentication/resolvers/signInWithResolver.test.ts

@@ -0,0 +1,293 @@
+import { describe, expect, it, mock, spyOn, afterEach } from 'bun:test'
+import { signInWithResolver } from './signInWithResolver'
+import { Session } from '../Session'
+import { SecondaryFactor } from '../interface'
+
+describe('SignInWith', () => {
+	const mockOnLogin = mock(() =>
+		Promise.resolve({
+			user: {
+				id: 'id',
+			},
+		}),
+	)
+	const mockOnSignUp = mock(() =>
+		Promise.resolve({
+			authenticationDataToSave: {
+				id: 'id',
+			},
+		}),
+	)
+
+	const mockCreateObject = mock(() => Promise.resolve({}))
+
+	const mockOnSendChallenge = mock(() => Promise.resolve())
+	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
+
+	const context = {
+		wabe: {
+			config: {
+				authentication: {
+					session: {
+						cookieSession: true,
+					},
+					customAuthenticationMethods: [
+						{
+							name: 'emailPassword',
+							input: {
+								email: { type: 'Email', required: true },
+								password: { type: 'String', required: true },
+							},
+							provider: {
+								onSignUp: mockOnSignUp,
+								onSignIn: mockOnLogin,
+							},
+						},
+						{
+							name: 'emailOTP',
+							input: {
+								email: {
+									type: 'Email',
+									required: true,
+								},
+								code: {
+									type: 'String',
+									required: true,
+								},
+							},
+							provider: {
+								onSendChallenge: mockOnSendChallenge,
+								onVerifyChallenge: mockOnVerifyChallenge,
+							},
+						},
+					],
+				},
+			},
+		},
+	}
+
+	afterEach(() => {
+		mockCreateObject.mockClear()
+		mockOnLogin.mockClear()
+		mockOnSignUp.mockClear()
+	})
+
+	it('should call the secondary factor authentication on signIn', async () => {
+		mockOnLogin.mockResolvedValueOnce({
+			user: {
+				id: 'id',
+				// @ts-expect-error
+				email: 'email@test.fr',
+				secondFA: {
+					enabled: true,
+					provider: SecondaryFactor.EmailOTP,
+				},
+			},
+		})
+
+		const res = await signInWithResolver(
+			{},
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'email@test.fr',
+							password: 'password',
+						},
+					},
+				},
+			},
+			// @ts-expect-error
+			context,
+		)
+
+		expect(mockOnLogin).toHaveBeenCalledTimes(1)
+		expect(mockOnLogin).toHaveBeenCalledWith({
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			context: expect.any(Object),
+		})
+
+		expect(mockOnSendChallenge).toHaveBeenCalledTimes(1)
+		expect(mockOnSendChallenge).toHaveBeenCalledWith({
+			context: expect.any(Object),
+			user: expect.objectContaining({
+				email: 'email@test.fr',
+			}),
+		})
+
+		expect(res).toEqual({
+			accessToken: null,
+			refreshToken: null,
+			user: {
+				id: 'id',
+				email: 'email@test.fr',
+				secondFA: {
+					enabled: true,
+					// @ts-expect-error
+					provider: SecondaryFactor.EmailOTP,
+				},
+			},
+		})
+	})
+
+	it('should throw an error if no custom authentication configuration is provided', () => {
+		expect(
+			signInWithResolver(
+				{},
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+				{ wabe: { config: { authentication: undefined } } } as any,
+			),
+		).rejects.toThrow('No custom authentication methods found')
+	})
+
+	it('should throw an error if a custom authentication is provided but not in the custom authentication config', () => {
+		expect(
+			signInWithResolver(
+				{},
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+				{
+					wabe: {
+						config: {
+							authentication: {
+								customAuthenticationMethods: [
+									{
+										name: 'phonePassword',
+										input: {
+											email: {
+												type: 'Email',
+												required: true,
+											},
+											password: {
+												type: 'String',
+												required: true,
+											},
+										},
+										provider: {
+											onSignUp: mockOnSignUp,
+											onSignIn: mockOnLogin,
+										},
+									},
+								],
+							},
+						},
+					},
+				} as any,
+			),
+		).rejects.toThrow('No available custom authentication methods found')
+	})
+
+	it('should signInWith email and password when the user already exist (on cookieSession)', async () => {
+		const mockCreateSession = spyOn(Session.prototype, 'create').mockResolvedValue({
+			refreshToken: 'refreshToken',
+			accessToken: 'accessToken',
+			csrfToken: 'csrfToken',
+		} as any)
+
+		const mockSetCookie = mock(() => {})
+
+		const mockResponse = {
+			setCookie: mockSetCookie,
+		}
+
+		const res = await signInWithResolver(
+			{},
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'email@test.fr',
+							password: 'password',
+						},
+					},
+				},
+			},
+			{
+				...context,
+				response: mockResponse,
+			} as any,
+		)
+
+		expect(res).toEqual({
+			accessToken: 'accessToken',
+			refreshToken: 'refreshToken',
+			user: {
+				id: 'id',
+			},
+			srp: undefined,
+		})
+		expect(mockOnLogin).toHaveBeenCalledTimes(1)
+		expect(mockOnLogin).toHaveBeenCalledWith({
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			context: expect.any(Object),
+		})
+
+		expect(mockSetCookie).toHaveBeenCalledTimes(3)
+		expect(mockSetCookie).toHaveBeenNthCalledWith(1, 'refreshToken', 'refreshToken', {
+			httpOnly: true,
+			path: '/',
+			secure: true,
+			sameSite: 'Strict',
+			expires: expect.any(Date),
+		})
+
+		expect(mockSetCookie).toHaveBeenNthCalledWith(2, 'accessToken', 'accessToken', {
+			httpOnly: true,
+			path: '/',
+			secure: true,
+			sameSite: 'Strict',
+			expires: expect.any(Date),
+		})
+
+		expect(mockSetCookie).toHaveBeenNthCalledWith(3, 'csrfToken', 'csrfToken', {
+			httpOnly: true,
+			path: '/',
+			secure: true,
+			sameSite: 'Strict',
+			expires: expect.any(Date),
+		})
+
+		// @ts-expect-error
+		const refreshTokenExpiresIn = mockSetCookie.mock.calls[0][2].expires
+		// @ts-expect-error
+		const accessTokenExpiresIn = mockSetCookie.mock.calls[1][2].expires
+
+		// - 1000 to avoid flaky
+		expect(refreshTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
+			1000 * 7 * 24 * 60 * 60 - 1000,
+		)
+		expect(accessTokenExpiresIn.getTime() - Date.now()).toBeGreaterThanOrEqual(
+			1000 * 15 * 60 - 1000,
+		)
+
+		expect(mockCreateSession).toHaveBeenCalledTimes(1)
+		expect(mockCreateSession).toHaveBeenCalledWith('id', expect.anything())
+
+		expect(mockOnSignUp).toHaveBeenCalledTimes(0)
+
+		mockCreateSession.mockRestore()
+	})
+})

package/src/authentication/resolvers/signInWithResolver.ts

@@ -0,0 +1,92 @@
+import type { SignInWithInput } from '../../../generated/wabe'
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+import type { ProviderInterface, SecondaryProviderInterface } from '../interface'
+import { getAuthenticationMethod } from '../utils'
+
+// 0 - Get the authentication method
+// 1 - We check if the signIn is possible (call onSign)
+// 2 - If secondaryFactor is present, we call the onSendChallenge method of the provider
+// 3 - We create session
+export const signInWithResolver = async (
+	_: any,
+	{
+		input,
+	}: {
+		input: SignInWithInput
+	},
+	context: WabeContext<DevWabeTypes>,
+) => {
+	const { provider, name } = getAuthenticationMethod<DevWabeTypes, ProviderInterface<DevWabeTypes>>(
+		Object.keys(input.authentication || {}),
+		context,
+	)
+
+	const inputOfTheGoodAuthenticationMethod =
+		// @ts-expect-error
+		input.authentication[name]
+
+	// 1 - We call the onSignIn method of the provider
+	const { user, srp } = await provider.onSignIn({
+		input: inputOfTheGoodAuthenticationMethod,
+		context,
+	})
+
+	const userId = user.id
+
+	if (!userId) throw new Error('Authentication failed')
+
+	const secondFAObject = user.secondFA
+
+	// 2 - We call the onSendChallenge method of the provider
+	if (secondFAObject?.enabled) {
+		const secondaryProvider = getAuthenticationMethod<
+			DevWabeTypes,
+			SecondaryProviderInterface<DevWabeTypes>
+		>([secondFAObject.provider], context)
+
+		await secondaryProvider.provider.onSendChallenge?.({
+			context,
+			// @ts-expect-error
+			user,
+		})
+
+		return { accessToken: null, refreshToken: null, user }
+	}
+
+	const session = new Session()
+
+	const { refreshToken, accessToken, csrfToken } = await session.create(userId, context)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		const accessTokenExpiresAt = session.getAccessTokenExpireAt(context.wabe.config)
+		const refreshTokenExpiresAt = session.getRefreshTokenExpireAt(context.wabe.config)
+
+		context.response?.setCookie('refreshToken', refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: refreshTokenExpiresAt,
+		})
+
+		context.response?.setCookie('accessToken', accessToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: accessTokenExpiresAt,
+		})
+
+		context.response?.setCookie('csrfToken', csrfToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: accessTokenExpiresAt,
+		})
+	}
+
+	return { accessToken, refreshToken, user, srp }
+}

package/src/authentication/resolvers/signOutResolver.test.ts

@@ -0,0 +1,38 @@
+import { describe, expect, it, mock, spyOn } from 'bun:test'
+import { signOutResolver } from './signOutResolver'
+import { Session } from '../Session'
+
+describe('signOut', () => {
+	const mockDeleteCookie = mock(() => {})
+
+	const context = {
+		sessionId: 'sessionId',
+		wabe: {
+			config: {
+				authentication: {
+					session: {
+						cookieSession: true,
+					},
+				},
+			},
+		},
+		response: {
+			deleteCookie: mockDeleteCookie,
+		},
+	} as any
+
+	it('should sign out the current user', async () => {
+		const spyDeleteSession = spyOn(Session.prototype, 'delete').mockResolvedValue(undefined)
+
+		const res = await signOutResolver(undefined, {}, context)
+
+		expect(res).toBe(true)
+
+		expect(spyDeleteSession).toHaveBeenCalledTimes(1)
+		expect(spyDeleteSession).toHaveBeenCalledWith(context)
+
+		expect(mockDeleteCookie).toHaveBeenCalledTimes(2)
+		expect(mockDeleteCookie).toHaveBeenNthCalledWith(1, 'accessToken')
+		expect(mockDeleteCookie).toHaveBeenNthCalledWith(2, 'refreshToken')
+	})
+})

package/src/authentication/resolvers/signOutResolver.ts

@@ -0,0 +1,18 @@
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+
+export const signOutResolver = async (_: any, __: any, context: WabeContext<DevWabeTypes>) => {
+	const session = new Session()
+
+	// For the moment we only delete the session because we suppose the token
+	// are used with headers. We will need to delete the cookies in the future.
+	await session.delete(context)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		context.response?.deleteCookie('accessToken')
+		context.response?.deleteCookie('refreshToken')
+	}
+
+	return true
+}