wabe 0.6.9 → 0.6.11

package/src/authentication/oauth/Oauth2Client.test.ts

@@ -0,0 +1,219 @@
+import { describe, expect, it, spyOn, mock, afterAll } from 'bun:test'
+import { fail } from 'node:assert'
+import { OAuth2Client } from './Oauth2Client'
+import { base64URLencode } from './utils'
+
+const mockFetch = mock(() => {})
+
+const originalFetch = global.fetch
+
+// @ts-expect-error
+global.fetch = mockFetch
+
+describe('Oauth2Client', () => {
+	const oauthClient = new OAuth2Client(
+		'clientId',
+		'https://authorizationEndpoint',
+		'https://tokenEndpoint',
+		'https://redirectURI',
+	)
+
+	afterAll(() => {
+		global.fetch = originalFetch
+	})
+
+	it('should create authorization URl', () => {
+		const authorizationURL = oauthClient.createAuthorizationURL()
+
+		expect(authorizationURL.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithState = oauthClient.createAuthorizationURL({
+			state: 'state',
+		})
+
+		expect(authorizationURLWithState.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&state=state&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithScopes = oauthClient.createAuthorizationURL({
+			scopes: ['scope1', 'scope2'],
+		})
+
+		expect(authorizationURLWithScopes.toString()).toEqual(
+			'https://authorizationendpoint/?response_type=code&client_id=clientId&scope=scope1+scope2&redirect_uri=https%3A%2F%2FredirectURI',
+		)
+
+		const authorizationURLWithCodeVerifier = oauthClient.createAuthorizationURL({
+			codeVerifier: 'codeVerifier',
+		})
+
+		const codeChallenge = base64URLencode('codeVerifier')
+
+		expect(authorizationURLWithCodeVerifier.toString()).toEqual(
+			`https://authorizationendpoint/?response_type=code&client_id=clientId&redirect_uri=https%3A%2F%2FredirectURI&code_challenge_method=S256&code_challenge=${codeChallenge.replace(
+				'/',
+				'%2F',
+			)}`,
+		)
+	})
+
+	it('should validate authorization code', async () => {
+		const spySendTokenRequest = spyOn(
+			OAuth2Client.prototype,
+			'_sendTokenRequest',
+		).mockResolvedValue({} as any)
+
+		await oauthClient.validateAuthorizationCode('code')
+
+		const expectedBody = new URLSearchParams()
+		expectedBody.set('code', 'code')
+		expectedBody.set('client_id', 'clientId')
+		expectedBody.set('grant_type', 'authorization_code')
+		expectedBody.set('redirect_uri', 'https://redirectURI')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
+		const body = spySendTokenRequest.mock.calls[0]?.[0]
+		const options = spySendTokenRequest.mock.calls[0]?.[1]
+		expect(body?.toString()).toEqual(expectedBody.toString())
+		expect(options).toBeUndefined()
+
+		await oauthClient.validateAuthorizationCode('code', {
+			codeVerifier: 'codeVerifier',
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const expectedBody2 = new URLSearchParams()
+		expectedBody2.set('code', 'code')
+		expectedBody2.set('client_id', 'clientId')
+		expectedBody2.set('grant_type', 'authorization_code')
+		expectedBody2.set('redirect_uri', 'https://redirectURI')
+		expectedBody2.set('code_verifier', 'codeVerifier')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
+		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
+		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
+		expect(body2?.toString()).toEqual(expectedBody2.toString())
+		expect(options2).toEqual({
+			codeVerifier: 'codeVerifier',
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		} as any)
+
+		spySendTokenRequest.mockRestore()
+	})
+
+	it('should refresh access token', async () => {
+		const spySendTokenRequest = spyOn(
+			OAuth2Client.prototype,
+			'_sendTokenRequest',
+		).mockResolvedValue({} as any)
+
+		await oauthClient.refreshAccessToken('refreshToken')
+
+		const expectedBody = new URLSearchParams()
+		expectedBody.set('refresh_token', 'refreshToken')
+		expectedBody.set('client_id', 'clientId')
+		expectedBody.set('grant_type', 'refresh_token')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(1)
+		const body = spySendTokenRequest.mock.calls[0]?.[0]
+		const options = spySendTokenRequest.mock.calls[0]?.[1]
+		expect(body?.toString()).toEqual(expectedBody.toString())
+		expect(options).toBeUndefined()
+
+		await oauthClient.refreshAccessToken('refreshToken', {
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const expectedBody2 = new URLSearchParams()
+		expectedBody2.set('refresh_token', 'refreshToken')
+		expectedBody2.set('client_id', 'clientId')
+		expectedBody2.set('grant_type', 'refresh_token')
+
+		expect(spySendTokenRequest).toHaveBeenCalledTimes(2)
+		const body2 = spySendTokenRequest.mock.calls[1]?.[0]
+		const options2 = spySendTokenRequest.mock.calls[1]?.[1]
+		expect(body2?.toString()).toEqual(expectedBody2.toString())
+		expect(options2).toEqual({
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		spySendTokenRequest.mockRestore()
+	})
+
+	it('should send token request', async () => {
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({ access_token: 'access_token' }),
+			ok: true,
+			status: 200,
+		} as never)
+
+		await oauthClient._sendTokenRequest(new URLSearchParams(), {
+			authenticateWith: 'http_basic_auth',
+			credentials: 'credentials',
+		})
+
+		const encodeCredentials = btoa('clientId:credentials')
+
+		expect(mockFetch).toHaveBeenCalledTimes(1)
+		// @ts-expect-error
+		const receivedRequest = mockFetch.mock.calls[0][0] as any
+
+		if (!receivedRequest) fail()
+		expect(receivedRequest.url).toEqual('https://tokenendpoint/')
+		expect(receivedRequest.method).toEqual('POST')
+		expect(receivedRequest.headers.get('content-type')).toEqual('application/x-www-form-urlencoded')
+		expect(receivedRequest.headers.get('accept')).toEqual('application/json')
+		expect(receivedRequest.headers.get('user-agent')).toEqual('wabe')
+		expect(receivedRequest.headers.get('authorization')).toEqual(`Basic ${encodeCredentials}`)
+
+		mockFetch.mockRestore()
+	})
+
+	it('should throw an error if the result of the request is not valid', () => {
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: false,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: true,
+			status: 400,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockResolvedValue({
+			json: () => Promise.resolve({}),
+			ok: true,
+			status: 200,
+		} as never)
+
+		expect(
+			oauthClient._sendTokenRequest(new URLSearchParams(), {
+				authenticateWith: 'http_basic_auth',
+				credentials: 'credentials',
+			}),
+		).rejects.toThrow('Error in token request')
+
+		mockFetch.mockRestore()
+	})
+})

package/src/authentication/oauth/Oauth2Client.ts

@@ -0,0 +1,135 @@
+// Code inspired by Oslo : https://github.com/pilcrowOnPaper/oslo/blob/main/src/oauth2/index.ts
+
+import { base64URLencode } from './utils'
+
+export interface TokenResponseBody {
+	access_token: string
+	token_type?: string
+	expires_in?: number
+	refresh_token?: string
+	scope?: string
+}
+
+export class OAuth2Client {
+	public clientId: string
+
+	private authorizeEndpoint: string
+	private tokenEndpoint: string
+	private redirectURI: string
+
+	constructor(
+		clientId: string,
+		authorizeEndpoint: string,
+		tokenEndpoint: string,
+		redirectURI: string,
+	) {
+		this.clientId = clientId
+		this.authorizeEndpoint = authorizeEndpoint
+		this.tokenEndpoint = tokenEndpoint
+		this.redirectURI = redirectURI
+	}
+
+	createAuthorizationURL(options?: {
+		state?: string
+		codeVerifier?: string
+		scopes?: string[]
+	}): URL {
+		const scopes = Array.from(new Set(options?.scopes || [])) // remove duplicates
+		const authorizationUrl = new URL(this.authorizeEndpoint)
+		authorizationUrl.searchParams.set('response_type', 'code')
+		authorizationUrl.searchParams.set('client_id', this.clientId)
+
+		if (options?.state !== undefined) authorizationUrl.searchParams.set('state', options.state)
+
+		if (scopes.length > 0) authorizationUrl.searchParams.set('scope', scopes.join(' '))
+
+		if (this.redirectURI !== null)
+			authorizationUrl.searchParams.set('redirect_uri', this.redirectURI)
+
+		if (options?.codeVerifier !== undefined) {
+			const codeChallenge = base64URLencode(options.codeVerifier)
+
+			authorizationUrl.searchParams.set('code_challenge_method', 'S256')
+			authorizationUrl.searchParams.set('code_challenge', codeChallenge)
+		}
+
+		return authorizationUrl
+	}
+
+	validateAuthorizationCode<_TokenResponseBody extends TokenResponseBody>(
+		authorizationCode: string,
+		options?: {
+			codeVerifier?: string
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+		},
+	): Promise<_TokenResponseBody> {
+		const body = new URLSearchParams()
+		body.set('code', authorizationCode)
+		body.set('client_id', this.clientId)
+		body.set('grant_type', 'authorization_code')
+
+		if (this.redirectURI !== null) body.set('redirect_uri', this.redirectURI)
+
+		if (options?.codeVerifier !== undefined) body.set('code_verifier', options.codeVerifier)
+
+		return this._sendTokenRequest<_TokenResponseBody>(body, options)
+	}
+
+	async refreshAccessToken<_TokenResponseBody extends TokenResponseBody>(
+		refreshToken: string,
+		options?: {
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+			scopes?: string[]
+		},
+	): Promise<_TokenResponseBody> {
+		const body = new URLSearchParams()
+		body.set('refresh_token', refreshToken)
+		body.set('client_id', this.clientId)
+		body.set('grant_type', 'refresh_token')
+
+		const scopes = Array.from(new Set(options?.scopes ?? [])) // remove duplicates
+		if (scopes.length > 0) body.set('scope', scopes.join(' '))
+
+		return await this._sendTokenRequest<_TokenResponseBody>(body, options)
+	}
+
+	async _sendTokenRequest<_TokenResponseBody extends TokenResponseBody>(
+		body: URLSearchParams,
+		options?: {
+			credentials?: string
+			authenticateWith?: 'http_basic_auth' | 'request_body'
+		},
+	): Promise<_TokenResponseBody> {
+		const headers = new Headers()
+		headers.set('Content-Type', 'application/x-www-form-urlencoded')
+		headers.set('Accept', 'application/json')
+		headers.set('User-Agent', 'wabe')
+
+		if (options?.credentials !== undefined) {
+			const authenticateWith = options?.authenticateWith || 'http_basic_auth'
+			if (authenticateWith === 'http_basic_auth') {
+				const encodedCredentials = btoa(`${this.clientId}:${options.credentials}`)
+				headers.set('Authorization', `Basic ${encodedCredentials}`)
+			} else {
+				body.set('client_secret', options.credentials)
+			}
+		}
+
+		const request = new Request(this.tokenEndpoint, {
+			method: 'POST',
+			headers,
+			body,
+		})
+
+		const response = await fetch(request)
+		const result: _TokenResponseBody = await response.json()
+
+		// providers are allowed to return non-400 status code for errors
+		if (!('access_token' in result) || response.status !== 200 || !response.ok)
+			throw new Error('Error in token request')
+
+		return result
+	}
+}

package/src/authentication/oauth/index.ts

@@ -0,0 +1,2 @@
+export * from './Oauth2Client'
+export * from './Google'

package/src/authentication/oauth/utils.test.ts

@@ -0,0 +1,33 @@
+import { describe, expect, it } from 'bun:test'
+import { base64URLencode, generateRandomValues } from './utils'
+
+describe('Oauth utils', () => {
+	it('should encode url with base64', () => {
+		const content = 'test'
+
+		// Keep Bun. here to be sure the compatibility between node and Bun implem
+		const hasher = new Bun.CryptoHasher('sha256')
+		hasher.update(new TextEncoder().encode(content))
+		const resultWithPadding = hasher.digest('base64')
+
+		const result = base64URLencode(content)
+
+		expect(resultWithPadding).toBe('n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=')
+		expect(result).toBe('n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg')
+	})
+
+	// Real use case check with oauth simulator
+	it('should encode correctly with base64', () => {
+		const content = 'bIaNJCsNzrZE7QEzYjwbl0fa1CyzF49moM6Ua4H0d5cG-l7d'
+		const result = base64URLencode(content)
+
+		expect(result).toBe('1pdL2CLvBbNBnrfBZeNYlFzpedMhUTbgyhn0CnWVYoc')
+	})
+
+	it('should generate random values for code_verifier or state', () => {
+		const randomValue = generateRandomValues()
+
+		// Google recommends an entropy between 43 and 128 characters for the code_verifier
+		expect(randomValue.length).toEqual(80)
+	})
+})

package/src/authentication/oauth/utils.ts

@@ -0,0 +1,27 @@
+import crypto from 'node:crypto'
+
+export interface Tokens {
+	accessToken: string
+	refreshToken?: string | null
+	accessTokenExpiresAt?: Date
+	refreshTokenExpiresAt?: Date | null
+	idToken?: string
+}
+
+export interface OAuth2ProviderWithPKCE {
+	createAuthorizationURL(state: string, codeVerifier: string): URL
+	validateAuthorizationCode(code: string, codeVerifier: string): Promise<Tokens>
+	refreshAccessToken?(refreshToken: string): Promise<Tokens>
+}
+
+// https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
+export const base64URLencode = (content: string) => {
+	const hasher = crypto.createHash('sha256').update(content)
+
+	const result = hasher.digest('base64')
+
+	// @ts-expect-error
+	return result.split('=')[0].replaceAll('+', '-').replaceAll('/', '_')
+}
+
+export const generateRandomValues = () => crypto.randomBytes(60).toString('base64url')

package/src/authentication/providers/EmailOTP.test.ts

@@ -0,0 +1,127 @@
+import { describe, expect, it, spyOn, beforeAll, afterAll, afterEach } from 'bun:test'
+import { EmailOTP } from './EmailOTP'
+import type { DevWabeTypes } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import { EmailDevAdapter, type Wabe } from '../..'
+import * as sendOtpCodeTemplate from '../../email/templates/sendOtpCode'
+import { OTP } from '../OTP'
+
+describe('EmailOTPProvider', () => {
+	const spyEmailSend = spyOn(EmailDevAdapter.prototype, 'send')
+	const spySendOtpCodeTemplate = spyOn(sendOtpCodeTemplate, 'sendOtpCodeTemplate')
+
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	afterEach(async () => {
+		spyEmailSend.mockClear()
+		spySendOtpCodeTemplate.mockClear()
+
+		await wabe.controllers.database.clearDatabase()
+	})
+
+	it("should send an OTP code to the user's email", async () => {
+		const createdUser = await wabe.controllers.database.createObject({
+			className: 'User',
+			context: {
+				wabe,
+				isRoot: true,
+			},
+			data: {
+				email: 'email@test.fr',
+			},
+			select: {
+				id: true,
+				email: true,
+			},
+		})
+
+		if (!createdUser) throw new Error('User not created')
+
+		const emailOTP = new EmailOTP()
+
+		await emailOTP.onSendChallenge({
+			context: {
+				wabe,
+				isRoot: false,
+			},
+			user: createdUser,
+		})
+
+		expect(spyEmailSend).toHaveBeenCalledTimes(1)
+		expect(spyEmailSend).toHaveBeenCalledWith(
+			expect.objectContaining({
+				from: 'main.email@wabe.com',
+				to: ['email@test.fr'],
+				subject: 'Your OTP code',
+			}),
+		)
+
+		const otp = spySendOtpCodeTemplate.mock.calls[0]?.[0]
+
+		expect(spySendOtpCodeTemplate).toHaveBeenCalledTimes(1)
+		expect(otp?.length).toBe(6)
+	})
+
+	it('should return the userId if the OTP code is valid', async () => {
+		const createdUser = await wabe.controllers.database.createObject({
+			className: 'User',
+			context: {
+				wabe,
+				isRoot: true,
+			},
+			data: {
+				email: 'email@test.fr',
+			},
+			select: {
+				id: true,
+			},
+		})
+
+		if (!createdUser) throw new Error('User not created')
+
+		const otp = new OTP(wabe.config.rootKey).generate(createdUser.id)
+
+		const emailOTP = new EmailOTP()
+
+		expect(
+			await emailOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp,
+				},
+			}),
+		).toEqual({
+			userId: createdUser.id,
+		})
+	})
+
+	it("should return null if the user doesn't exist", async () => {
+		const emailOTP = new EmailOTP()
+
+		expect(
+			await emailOTP.onVerifyChallenge({
+				context: {
+					wabe,
+					isRoot: false,
+				},
+				input: {
+					email: 'email@test.fr',
+					otp: '123456',
+				},
+			}),
+		).toEqual(null)
+	})
+})

package/src/authentication/providers/EmailOTP.ts

@@ -0,0 +1,84 @@
+import { contextWithRoot } from '../..'
+import { sendOtpCodeTemplate } from '../../email/templates/sendOtpCode'
+import type { DevWabeTypes } from '../../utils/helper'
+import type {
+	OnSendChallengeOptions,
+	OnVerifyChallengeOptions,
+	SecondaryProviderInterface,
+} from '../interface'
+import { OTP } from '../OTP'
+
+const DUMMY_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+type EmailOTPInterface = {
+	email: string
+	otp: string
+}
+
+export class EmailOTP implements SecondaryProviderInterface<DevWabeTypes, EmailOTPInterface> {
+	async onSendChallenge({ context, user }: OnSendChallengeOptions<DevWabeTypes>) {
+		const emailController = context.wabe.controllers.email
+
+		if (!emailController) throw new Error('Email controller not found')
+
+		const mainEmail = context.wabe.config.email?.mainEmail
+
+		if (!mainEmail) throw new Error('No main email found')
+
+		if (!user.email) throw new Error('No user email found')
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const otp = otpClass.generate(user.id)
+
+		const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode
+
+		await emailController.send({
+			from: mainEmail,
+			to: [user.email],
+			subject: template?.subject || 'Your OTP code',
+			html: template?.fn ? await template.fn({ otp }) : sendOtpCodeTemplate(otp),
+		})
+	}
+
+	async onVerifyChallenge({
+		context,
+		input,
+	}: OnVerifyChallengeOptions<DevWabeTypes, EmailOTPInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				email: {
+					equalTo: input.email,
+				},
+			},
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+			context: contextWithRoot(context),
+		})
+
+		const realUser = users.length > 0 ? users[0] : null
+		const userId = realUser?.id ?? DUMMY_USER_ID
+
+		const isDevBypass =
+			!context.wabe.config.isProduction && input.otp === '000000' && realUser !== null
+
+		const otpClass = new OTP(context.wabe.config.rootKey)
+
+		const isOtpValid = otpClass.verify(input.otp, userId)
+
+		if (realUser && (isOtpValid || isDevBypass)) return { userId: realUser.id }
+
+		return null
+	}
+}