wabe 0.6.9 → 0.6.11

package/src/schema/resolvers/sendOtpCode.test.ts

@@ -0,0 +1,141 @@
+import { describe, afterAll, beforeAll, it, spyOn, expect, beforeEach } from 'bun:test'
+import { gql, type GraphQLClient } from 'graphql-request'
+import type { Wabe } from '../../server'
+import { type DevWabeTypes, getGraphqlClient, getAnonymousClient } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import { EmailDevAdapter } from '../../email/DevAdapter'
+
+describe('sendOtpCodeResolver', () => {
+	let wabe: Wabe<DevWabeTypes>
+	let port: number
+	let client: GraphQLClient
+
+	const spySend = spyOn(EmailDevAdapter.prototype, 'send')
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+		port = setup.port
+		client = getGraphqlClient(port)
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	beforeEach(() => {
+		spySend.mockClear()
+	})
+
+	it('should use the provided email template if provided', async () => {
+		const previous = wabe.config.email
+		// @ts-expect-error
+		wabe.config.email = {
+			...wabe.config.email,
+			htmlTemplates: {
+				sendOTPCode: {
+					fn: () => 'toto',
+					subject: 'Confirmation code',
+				},
+			},
+		}
+
+		await client.request<any>(graphql.createUser, {
+			input: {
+				fields: {
+					authentication: {
+						emailPassword: {
+							email: 'tata@toto.fr',
+							password: 'totototo',
+						},
+					},
+				},
+			},
+		})
+
+		await client.request<any>(graphql.sendOtpCode, {
+			input: {
+				email: 'tata@toto.fr',
+			},
+		})
+
+		expect(spySend).toHaveBeenCalledTimes(1)
+		expect(spySend).toHaveBeenCalledWith({
+			from: 'main.email@wabe.com',
+			to: ['tata@toto.fr'],
+			subject: 'Confirmation code',
+			html: 'toto',
+		})
+
+		wabe.config.email = previous
+	})
+
+	it("should send an OTP code to the user's email as anonymous client", async () => {
+		const anonymousClient = getAnonymousClient(port)
+
+		await anonymousClient.request<any>(graphql.createUserWithAnonymous, {
+			input: {
+				fields: {
+					authentication: {
+						emailPassword: {
+							email: 'toto@toto.fr',
+							password: 'totototo',
+						},
+					},
+				},
+			},
+		})
+
+		await anonymousClient.request<any>(graphql.sendOtpCode, {
+			input: {
+				email: 'toto@toto.fr',
+			},
+		})
+
+		expect(spySend).toHaveBeenCalledTimes(1)
+		expect(spySend).toHaveBeenCalledWith({
+			from: 'main.email@wabe.com',
+			to: ['toto@toto.fr'],
+			subject: 'Your OTP code',
+			html: expect.any(String),
+		})
+	})
+
+	it("should return true if the user doesn't exist (hide sensitive data)", async () => {
+		const spySend = spyOn(EmailDevAdapter.prototype, 'send')
+
+		const res = await client.request<any>(graphql.sendOtpCode, {
+			input: {
+				email: 'invalidUser@toto.fr',
+			},
+		})
+
+		expect(res.sendOtpCode).toEqual(true)
+
+		expect(spySend).toHaveBeenCalledTimes(0)
+	})
+})
+
+const graphql = {
+	createUser: gql`
+		mutation createUser($input: CreateUserInput!) {
+			createUser(input: $input) {
+				user {
+					id
+				}
+			}
+		}
+	`,
+	createUserWithAnonymous: gql`
+		mutation createUser($input: CreateUserInput!) {
+			createUser(input: $input) {
+				ok
+			}
+		}
+	`,
+	sendOtpCode: gql`
+		mutation sendOtpCode($input: SendOtpCodeInput!) {
+			sendOtpCode(input: $input)
+		}
+	`,
+}

package/src/schema/resolvers/sendOtpCode.ts

@@ -0,0 +1,52 @@
+import type { MutationSendOtpCodeArgs } from '../../../generated/wabe'
+import type { WabeContext } from '../../server/interface'
+import type { DevWabeTypes } from '../../utils/helper'
+import { sendOtpCodeTemplate } from '../../email/templates/sendOtpCode'
+import { OTP } from '../../authentication/OTP'
+import { contextWithRoot } from '../../utils/export'
+
+export const sendOtpCodeResolver = async (
+	_: any,
+	{ input }: MutationSendOtpCodeArgs,
+	context: WabeContext<DevWabeTypes>,
+) => {
+	const emailController = context.wabe.controllers.email
+
+	if (!emailController) throw new Error('Email adapter not defined')
+
+	const user = await context.wabe.controllers.database.getObjects({
+		className: 'User',
+		where: {
+			email: {
+				equalTo: input.email,
+			},
+		},
+		select: { id: true },
+		first: 1,
+		context: contextWithRoot(context),
+	})
+
+	// We return true if the user doesn't exist to avoid leaking that the user exists or not
+	if (user.length === 0) return true
+
+	const userId = user[0]?.id
+
+	if (!userId) return false
+
+	const otpClass = new OTP(context.wabe.config.rootKey)
+
+	const otp = otpClass.generate(userId)
+
+	const mainEmail = context.wabe.config.email?.mainEmail || 'noreply@wabe.com'
+
+	const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode
+
+	await emailController.send({
+		from: mainEmail,
+		to: [input.email],
+		subject: template?.subject || 'Your OTP code',
+		html: template?.fn ? await template.fn({ otp }) : sendOtpCodeTemplate(otp),
+	})
+
+	return true
+}