wabe 0.6.9 → 0.6.11

package/src/authentication/resolvers/signUpWithResolver.test.ts

@@ -0,0 +1,180 @@
+import { beforeAll, afterAll, describe, expect, it, beforeEach } from 'bun:test'
+import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
+import type { Wabe } from '../../server'
+import { gql } from 'graphql-request'
+import { setupTests, closeTests } from '../../utils/testHelper'
+
+describe('SignUpWith', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	beforeEach(async () => {
+		await wabe.controllers.database.clearDatabase()
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should throw an error if user already exist with emailPassword', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		await anonymousClient.request<any>(
+			gql`
+				mutation signUpWith($input: SignUpWithInput!) {
+					signUpWith(input: $input) {
+						id
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'test@gmail.com',
+							password: 'password',
+						},
+					},
+				},
+			},
+		)
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+					mutation signUpWith($input: SignUpWithInput!) {
+						signUpWith(input: $input) {
+							id
+						}
+					}
+				`,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'test@gmail.com',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Not authorized to create user')
+	})
+
+	it('should throw an error if the signUp is disabled', () => {
+		if (wabe.config) {
+			wabe.config.authentication = {
+				...wabe.config.authentication,
+				disableSignUp: true,
+			}
+		}
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const userSchema = wabe.config.schema?.classes?.find((classItem) => classItem.name === 'User')
+
+		if (!userSchema) throw new Error('Failed to find user schema')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = true
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+					mutation signUpWith($input: SignUpWithInput!) {
+						signUpWith(input: $input) {
+							id
+						}
+					}
+				`,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('SignUp is disabled')
+
+		if (wabe.config) {
+			wabe.config.authentication = {
+				...wabe.config.authentication,
+				disableSignUp: false,
+			}
+		}
+	})
+
+	it('should block the signUpWith if the user creation is blocked for anonymous (the creation is done with root to avoid ACL issues)', () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const userSchema = wabe.config.schema?.classes?.find((classItem) => classItem.name === 'User')
+
+		if (!userSchema) throw new Error('Failed to find user schema')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = true
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+					mutation signUpWith($input: SignUpWithInput!) {
+						signUpWith(input: $input) {
+							id
+						}
+					}
+				`,
+				{
+					input: {
+						authentication: {
+							emailPassword: {
+								email: 'email@test.fr',
+								password: 'password',
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Permission denied to create class User')
+
+		// @ts-expect-error
+		userSchema.permissions.create.requireAuthentication = false
+	})
+
+	it('should signUpWith email and password when the user not exist', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+
+		const res = await anonymousClient.request<any>(
+			gql`
+				mutation signUpWith($input: SignUpWithInput!) {
+					signUpWith(input: $input) {
+						id
+						accessToken
+						refreshToken
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPassword: {
+							email: 'test@gmail.com',
+							password: 'password',
+						},
+					},
+				},
+			},
+		)
+
+		expect(res.signUpWith.id).toEqual(expect.any(String))
+		expect(res.signUpWith.accessToken).toEqual(expect.any(String))
+		expect(res.signUpWith.refreshToken).toEqual(expect.any(String))
+	})
+})

package/src/authentication/resolvers/signUpWithResolver.ts

@@ -0,0 +1,65 @@
+import type { SignUpWithInput } from '../../../generated/wabe'
+import type { WabeContext } from '../../server/interface'
+import { Session } from '../Session'
+
+// 0 - Get the authentication method
+// 1 - We check if the signUp is possible (call onSign)
+// 2 - We create the user
+// 3 - We create session
+export const signUpWithResolver = async (
+	_: any,
+	{
+		input,
+	}: {
+		input: SignUpWithInput
+	},
+	context: WabeContext<any>,
+) => {
+	if (context.wabe.config.authentication?.disableSignUp) throw new Error('SignUp is disabled')
+
+	// Create object call the provider signUp
+	const res = await context.wabe.controllers.database.createObject({
+		className: 'User',
+		data: {
+			authentication: input.authentication,
+		},
+		context,
+		select: { id: true },
+	})
+
+	const createdUserId = res?.id
+
+	const session = new Session()
+
+	if (!createdUserId) throw new Error('User not created')
+
+	const { accessToken, refreshToken, csrfToken } = await session.create(createdUserId, context)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		context.response?.setCookie('refreshToken', refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: session.getRefreshTokenExpireAt(context.wabe.config),
+		})
+
+		context.response?.setCookie('accessToken', accessToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: session.getAccessTokenExpireAt(context.wabe.config),
+		})
+
+		context.response?.setCookie('csrfToken', csrfToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'Strict',
+			secure: true,
+			expires: session.getAccessTokenExpireAt(context.wabe.config),
+		})
+	}
+
+	return { accessToken, refreshToken, id: createdUserId }
+}

package/src/authentication/resolvers/verifyChallenge.test.ts

@@ -0,0 +1,133 @@
+import { describe, expect, it, beforeEach, mock, spyOn } from 'bun:test'
+import { verifyChallengeResolver } from './verifyChallenge'
+import type { WabeContext } from '../../server/interface'
+import { Session } from '../Session'
+
+describe('verifyChallenge', () => {
+	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
+
+	const context: WabeContext<any> = {
+		sessionId: 'sessionId',
+		user: {
+			id: 'userId',
+		} as any,
+		wabe: {
+			config: {
+				authentication: {
+					customAuthenticationMethods: [
+						{
+							name: 'fakeOtp',
+							input: {
+								code: {
+									type: 'String',
+									required: true,
+								},
+							},
+							provider: {
+								onVerifyChallenge: mockOnVerifyChallenge,
+								onSendChallenge: () => Promise.resolve(),
+							},
+						},
+					],
+				},
+			},
+		},
+	} as any
+
+	beforeEach(() => {
+		mockOnVerifyChallenge.mockClear()
+	})
+
+	it('should throw an error if no one factor is provided', () => {
+		expect(
+			verifyChallengeResolver(
+				undefined,
+				{
+					input: {},
+				},
+				context,
+			),
+		).rejects.toThrow('One factor is required')
+	})
+
+	it('should throw an error if more than one factor is provided', () => {
+		expect(
+			verifyChallengeResolver(
+				undefined,
+				{
+					input: {
+						secondFA: {
+							// @ts-expect-error
+							factor1: {},
+							factor2: {},
+						},
+					},
+				},
+				context,
+			),
+		).rejects.toThrow('Only one factor is allowed')
+	})
+
+	it('should throw an error if the onVerifyChallenge failed', () => {
+		mockOnVerifyChallenge.mockResolvedValue(false as never)
+
+		expect(
+			verifyChallengeResolver(
+				undefined,
+				{
+					input: {
+						secondFA: {
+							// @ts-expect-error
+							fakeOtp: {
+								code: '123456',
+							},
+						},
+					},
+				},
+				context,
+			),
+		).rejects.toThrow('Invalid challenge')
+	})
+
+	it('should return userId if the verifyChallenge is correct', async () => {
+		const spyCreateSession = spyOn(Session.prototype, 'create').mockResolvedValue({
+			accessToken: 'accessToken',
+			refreshToken: 'refreshToken',
+			sessionId: 'sessionId',
+			csrfToken: 'csrfToken',
+		})
+
+		mockOnVerifyChallenge.mockResolvedValue({ userId: 'userId' } as never)
+
+		expect(
+			await verifyChallengeResolver(
+				undefined,
+				{
+					input: {
+						secondFA: {
+							// @ts-expect-error
+							fakeOtp: {
+								code: '123456',
+							},
+						},
+					},
+				},
+				context,
+			),
+		).toEqual({
+			accessToken: 'accessToken',
+			srp: undefined,
+		})
+
+		expect(mockOnVerifyChallenge).toHaveBeenCalledTimes(1)
+		expect(mockOnVerifyChallenge).toHaveBeenCalledWith({
+			input: { code: '123456' },
+			context: expect.any(Object),
+		})
+
+		expect(spyCreateSession).toHaveBeenCalledTimes(1)
+		expect(spyCreateSession).toHaveBeenCalledWith('userId', context)
+
+		spyCreateSession.mockRestore()
+	})
+})

package/src/authentication/resolvers/verifyChallenge.ts

@@ -0,0 +1,62 @@
+import type { VerifyChallengeInput } from '../../../generated/wabe'
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { Session } from '../Session'
+import type { SecondaryProviderInterface } from '../interface'
+import { getAuthenticationMethod } from '../utils'
+
+export const verifyChallengeResolver = async (
+	_: any,
+	{
+		input,
+	}: {
+		input: VerifyChallengeInput
+	},
+	context: WabeContext<DevWabeTypes>,
+) => {
+	if (!input.secondFA) throw new Error('One factor is required')
+
+	const listOfFactor = Object.keys(input.secondFA)
+
+	if (listOfFactor.length > 1) throw new Error('Only one factor is allowed')
+
+	const { provider, name } = getAuthenticationMethod<any, SecondaryProviderInterface<DevWabeTypes>>(
+		listOfFactor,
+		context,
+	)
+
+	const result = await provider.onVerifyChallenge({
+		context,
+		// @ts-expect-error
+		input: input.secondFA[name],
+	})
+
+	if (!result?.userId) throw new Error('Invalid challenge')
+
+	const session = new Session()
+
+	const { accessToken, refreshToken } = await session.create(result.userId, context)
+
+	if (context.wabe.config.authentication?.session?.cookieSession) {
+		const accessTokenExpiresAt = session.getAccessTokenExpireAt(context.wabe.config)
+		const refreshTokenExpiresAt = session.getRefreshTokenExpireAt(context.wabe.config)
+
+		context.response?.setCookie('refreshToken', refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'None',
+			secure: true,
+			expires: refreshTokenExpiresAt,
+		})
+
+		context.response?.setCookie('accessToken', accessToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'None',
+			secure: true,
+			expires: accessTokenExpiresAt,
+		})
+	}
+
+	return { accessToken, srp: result.srp }
+}

package/src/authentication/roles.test.ts

@@ -0,0 +1,49 @@
+import { afterAll, beforeAll, describe, it, expect } from 'bun:test'
+import type { Wabe } from '../server'
+import type { DevWabeTypes } from '../utils/helper'
+import { initializeRoles } from './roles'
+import { setupTests, closeTests } from '../utils/testHelper'
+
+describe('roles', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should create all roles', async () => {
+		await wabe.controllers.database.clearDatabase()
+
+		await initializeRoles(wabe)
+
+		const res = await wabe.controllers.database.getObjects({
+			className: 'Role',
+			context: { isRoot: true, wabe: wabe },
+			select: { name: true },
+		})
+
+		expect(res.length).toEqual(4)
+		expect(res.map((role) => role?.name)).toEqual(['Client', 'Client2', 'Client3', 'Admin'])
+	})
+
+	it('should not create all roles if there already exist', async () => {
+		await wabe.controllers.database.clearDatabase()
+
+		await initializeRoles(wabe)
+		await initializeRoles(wabe)
+
+		const res = await wabe.controllers.database.getObjects({
+			className: 'Role',
+			context: { isRoot: true, wabe: wabe },
+			select: { name: true },
+		})
+
+		expect(res.length).toEqual(4)
+		expect(res.map((role) => role?.name)).toEqual(['Client', 'Client2', 'Client3', 'Admin'])
+	})
+})

package/src/authentication/roles.ts

@@ -0,0 +1,40 @@
+import { notEmpty, type Wabe } from '..'
+import type { DevWabeTypes } from '../utils/helper'
+
+export const initializeRoles = async (wabe: Wabe<DevWabeTypes>) => {
+	const roles = wabe.config?.authentication?.roles || []
+
+	if (roles.length === 0) return
+
+	const res = await wabe.controllers.database.getObjects({
+		className: 'Role',
+		context: {
+			isRoot: true,
+			wabe,
+		},
+		select: { name: true },
+		where: {
+			name: {
+				in: roles,
+			},
+		},
+	})
+
+	const alreadyCreatedRoles = res.map((role) => role?.name).filter(notEmpty)
+
+	const objectsToCreate = roles
+		.filter((role) => !alreadyCreatedRoles.includes(role))
+		.map((role) => ({ name: role }))
+
+	if (objectsToCreate.length === 0) return
+
+	await wabe.controllers.database.createObjects({
+		className: 'Role',
+		context: {
+			isRoot: true,
+			wabe,
+		},
+		data: objectsToCreate,
+		select: {},
+	})
+}

package/src/authentication/utils.test.ts

@@ -0,0 +1,97 @@
+import { describe, expect, it, mock } from 'bun:test'
+import { getAuthenticationMethod } from './utils'
+
+describe('Authentication utils', () => {
+	const mockOnSignIn = mock(() => Promise.resolve({}))
+	const mockOnSignUp = mock(() => Promise.resolve({}))
+
+	const mockOnSendChallenge = mock(() => Promise.resolve())
+	const mockOnVerifyChallenge = mock(() => Promise.resolve(true))
+
+	const config = {
+		authentication: {
+			customAuthenticationMethods: [
+				{
+					name: 'otp',
+					input: {
+						code: {
+							type: 'String',
+							required: true,
+						},
+					},
+					provider: {
+						name: 'otp',
+						onSendChallenge: mockOnSendChallenge as any,
+						onVerifyChallenge: mockOnVerifyChallenge as any,
+					},
+					isSecondaryFactor: true,
+					dataToStore: {},
+				},
+				{
+					name: 'emailPassword',
+					input: {
+						email: {
+							type: 'Email',
+							required: true,
+						},
+						password: {
+							type: 'String',
+							required: true,
+						},
+					},
+					provider: {
+						name: 'emailPassword',
+						onSignUp: mockOnSignIn as any,
+						onSignIn: mockOnSignUp as any,
+					},
+					dataToStore: {},
+				},
+			],
+		},
+	} as any
+
+	it('should throw an error if we provided two authentication methods', () => {
+		expect(() =>
+			getAuthenticationMethod(['emailPassword', 'otherAuthenticationMethod'], {
+				wabe: { config },
+			} as any),
+		).toThrow('One authentication method is required at the time')
+	})
+
+	it('should throw an error if no authentication methods is provided', () => {
+		expect(() => getAuthenticationMethod([], { wabe: { config } } as any)).toThrow(
+			'One authentication method is required at the time',
+		)
+	})
+
+	it('should throw an error if no one authentication method is found', () => {
+		expect(() =>
+			getAuthenticationMethod(['otherAuthenticationMethod'], {
+				wabe: { config },
+			} as any),
+		).toThrow('No available custom authentication methods found')
+	})
+
+	it('should find a secondary factor method', () => {
+		expect(getAuthenticationMethod(['otp'], { wabe: { config } } as any)).toEqual({
+			name: 'otp',
+			input: expect.any(Object),
+			provider: expect.any(Object),
+			isSecondaryFactor: true,
+			dataToStore: {},
+		})
+	})
+
+	it('should return the valid authentication method', () => {
+		expect(
+			getAuthenticationMethod(['emailPassword'], {
+				wabe: { config },
+			} as any),
+		).toEqual({
+			name: 'emailPassword',
+			input: expect.any(Object),
+			provider: expect.any(Object),
+			dataToStore: {},
+		})
+	})
+})

package/src/authentication/utils.ts

@@ -0,0 +1,39 @@
+import type { WabeTypes } from '../server'
+import type { WabeContext } from '../server/interface'
+import type {
+	CustomAuthenticationMethods,
+	ProviderInterface,
+	SecondaryProviderInterface,
+} from './interface'
+
+export const getAuthenticationMethod = <
+	T extends WabeTypes,
+	U = ProviderInterface<T> | SecondaryProviderInterface<T>,
+>(
+	listOfMethods: string[],
+	context: WabeContext<any>,
+): CustomAuthenticationMethods<T, U> => {
+	const customAuthenticationConfig =
+		context.wabe.config?.authentication?.customAuthenticationMethods
+
+	if (!customAuthenticationConfig) throw new Error('No custom authentication methods found')
+
+	// We remove the secondary factor to only get all authentication methods
+	const authenticationMethods = listOfMethods.filter((method) => method !== 'secondaryFactor')
+
+	// We check if the client don't use multiple authentication methods at the same time
+	if (authenticationMethods.length > 1 || authenticationMethods.length === 0)
+		throw new Error('One authentication method is required at the time')
+
+	const authenticationMethod = authenticationMethods[0]
+
+	// We check if the authentication method is valid
+	const validAuthenticationMethod = customAuthenticationConfig.find(
+		(method) => method.name.toLowerCase() === authenticationMethod?.toLowerCase(),
+	)
+
+	if (!validAuthenticationMethod)
+		throw new Error('No available custom authentication methods found')
+
+	return validAuthenticationMethod as CustomAuthenticationMethods<T, U>
+}