wabe 0.6.9 → 0.6.11

package/src/authentication/providers/EmailPassword.test.ts

@@ -0,0 +1,176 @@
+import { describe, expect, it, mock, spyOn, afterEach, afterAll } from 'bun:test'
+import * as crypto from '../../utils/crypto'
+
+import { EmailPassword } from './EmailPassword'
+
+describe('Email password', () => {
+	const mockGetObjects = mock(() => Promise.resolve([]))
+	const mockCount = mock(() => Promise.resolve(0)) as any
+	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
+
+	const spyArgonPasswordVerify = spyOn(crypto, 'verifyArgon2')
+	const spyBunPasswordHash = spyOn(crypto, 'hashArgon2')
+
+	const controllers = {
+		controllers: {
+			database: {
+				getObjects: mockGetObjects,
+				createObject: mockCreateObject,
+				count: mockCount,
+			},
+		},
+	} as any
+
+	afterEach(() => {
+		mockGetObjects.mockClear()
+		mockCreateObject.mockClear()
+		spyArgonPasswordVerify.mockClear()
+		spyBunPasswordHash.mockClear()
+	})
+
+	afterAll(() => {
+		spyArgonPasswordVerify.mockRestore()
+		spyBunPasswordHash.mockRestore()
+	})
+
+	const emailPassword = new EmailPassword()
+
+	it('should signUp with email password', async () => {
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const {
+			authenticationDataToSave: { email },
+		} = await emailPassword.onSignUp({
+			context: { wabe: controllers } as any,
+			input: { email: 'email@test.fr', password: 'password' },
+		})
+
+		expect(email).toBe('email@test.fr')
+	})
+
+	it('should signIn with email password', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'userId',
+				authentication: {
+					emailPassword: {
+						email: 'email@test.fr',
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		const { user } = await emailPassword.onSignIn({
+			context: { wabe: controllers } as any,
+			input: { email: 'email@test.fr', password: 'password' },
+		})
+
+		expect(user).toEqual({
+			id: 'userId',
+			authentication: {
+				emailPassword: {
+					email: 'email@test.fr',
+					password: 'hashedPassword',
+				},
+			},
+		})
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+		expect(spyArgonPasswordVerify).toHaveBeenCalledWith('password', 'hashedPassword')
+	})
+
+	it('should not signIn with email password if password is undefined', () => {
+		spyArgonPasswordVerify.mockResolvedValueOnce(false)
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				// @ts-expect-error
+				input: { email: 'email@test.fr' },
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+	})
+
+	it('should not signIn with email password if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not signIn with email password if there is email is invalid', () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				authentication: {
+					emailPassword: {
+						password: 'hashedPassword',
+					},
+				},
+			} as never,
+		])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			emailPassword.onSignIn({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'invalidEmail@test.fr',
+					password: 'password',
+				},
+			}),
+		).rejects.toThrow('Invalid authentication credentials')
+
+		expect(spyArgonPasswordVerify).toHaveBeenCalledTimes(1)
+	})
+
+	it('should not update authentication data if there is no user found', () => {
+		mockGetObjects.mockResolvedValue([])
+
+		spyArgonPasswordVerify.mockResolvedValueOnce(true)
+
+		expect(
+			emailPassword.onUpdateAuthenticationData?.({
+				context: { wabe: controllers } as any,
+				input: {
+					email: 'email@test.fr',
+					password: 'password',
+				},
+				userId: 'userId',
+			}),
+		).rejects.toThrow('User not found')
+	})
+
+	it('should update authentication data if the userId match with an user', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'id',
+			},
+		] as any)
+
+		spyBunPasswordHash.mockResolvedValueOnce('$argon2id$hashedPassword')
+
+		const res = await emailPassword.onUpdateAuthenticationData?.({
+			context: { wabe: controllers } as any,
+			input: {
+				email: 'email@test.fr',
+				password: 'password',
+			},
+			userId: 'userId',
+		})
+
+		expect(res.authenticationDataToSave.email).toBe('email@test.fr')
+	})
+})

package/src/authentication/providers/EmailPassword.ts

@@ -0,0 +1,116 @@
+import type {
+	AuthenticationEventsOptions,
+	AuthenticationEventsOptionsWithUserId,
+	ProviderInterface,
+} from '../interface'
+import { contextWithRoot, verifyArgon2 } from '../../utils/export'
+import type { DevWabeTypes } from '../../utils/helper'
+
+type EmailPasswordInterface = {
+	password: string
+	email: string
+	otp?: string
+}
+
+const DUMMY_PASSWORD_HASH =
+	'$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U'
+
+export class EmailPassword implements ProviderInterface<DevWabeTypes, EmailPasswordInterface> {
+	async onSignIn({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				authentication: {
+					emailPassword: {
+						email: { equalTo: input.email },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+		})
+
+		const user = users[0]
+		const userDatabasePassword = user?.authentication?.emailPassword?.password
+
+		const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH
+
+		const isPasswordEquals = await verifyArgon2(input.password, passwordHashToCheck)
+
+		if (!user || !isPasswordEquals || input.email !== user.authentication?.emailPassword?.email)
+			throw new Error('Invalid authentication credentials')
+
+		return {
+			user,
+		}
+	}
+
+	async onSignUp({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordInterface>) {
+		const users = await context.wabe.controllers.database.count({
+			className: 'User',
+			where: {
+				authentication: {
+					emailPassword: {
+						email: { equalTo: input.email },
+					},
+				},
+			},
+			context: contextWithRoot(context),
+		})
+
+		// Hide real message
+		if (users > 0) throw new Error('Not authorized to create user')
+
+		return {
+			authenticationDataToSave: {
+				email: input.email,
+				password: input.password,
+			},
+		}
+	}
+
+	async onUpdateAuthenticationData({
+		userId,
+		input,
+		context,
+	}: AuthenticationEventsOptionsWithUserId<DevWabeTypes, EmailPasswordInterface>) {
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			where: {
+				id: {
+					equalTo: userId,
+				},
+			},
+			context,
+			select: { authentication: true },
+		})
+
+		if (users.length === 0) throw new Error('User not found')
+
+		const user = users[0]
+
+		return {
+			authenticationDataToSave: {
+				email: input.email ?? user?.authentication?.emailPassword?.email,
+				password: input.password ? input.password : user?.authentication?.emailPassword?.password,
+			},
+		}
+	}
+}

package/src/authentication/providers/EmailPasswordSRP.test.ts

@@ -0,0 +1,208 @@
+import { afterAll, beforeAll, describe, it, expect } from 'bun:test'
+import { createSRPClient } from 'js-srp6a'
+import type { Wabe } from '../../server'
+import { type DevWabeTypes, getAnonymousClient } from '../../utils/helper'
+import { setupTests, closeTests } from '../../utils/testHelper'
+import { gql } from 'graphql-request'
+
+describe('EmailPasswordSRP', () => {
+	let wabe: Wabe<DevWabeTypes>
+
+	beforeAll(async () => {
+		const setup = await setupTests()
+		wabe = setup.wabe
+	})
+
+	afterAll(async () => {
+		await closeTests(wabe)
+	})
+
+	it('should authenticate an user with SRP', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+		const email = 'test@gmail.com'
+		const password = 'password'
+
+		const client = createSRPClient('SHA-256', 3072)
+
+		// Sign up
+		const salt = client.generateSalt()
+		const privateKey = await client.deriveSafePrivateKey(salt, password)
+		const verifier = client.deriveVerifier(privateKey)
+
+		await anonymousClient.request<any>(
+			gql`
+				mutation signUpWith($input: SignUpWithInput!) {
+					signUpWith(input: $input) {
+						accessToken
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							salt,
+							verifier,
+						},
+					},
+				},
+			},
+		)
+
+		// Sign in
+		const clientEphemeral = client.generateEphemeral()
+
+		const { signInWith } = await anonymousClient.request<any>(
+			gql`
+				mutation signInWith($input: SignInWithInput!) {
+					signInWith(input: $input) {
+						srp {
+							salt
+							serverPublic
+						}
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							clientPublic: clientEphemeral.public,
+						},
+					},
+				},
+			},
+		)
+
+		const clientSession = await client.deriveSession(
+			clientEphemeral.secret,
+			signInWith.srp.serverPublic,
+			salt,
+			'', // Because we don't hash the username
+			privateKey,
+		)
+
+		const { verifyChallenge } = await anonymousClient.request<any>(
+			gql`
+				mutation verifyChallenge($input: VerifyChallengeInput!) {
+					verifyChallenge(input: $input) {
+						srp {
+							serverSessionProof
+						}
+					}
+				}
+			`,
+			{
+				input: {
+					secondFA: {
+						emailPasswordSRPChallenge: {
+							email,
+							clientPublic: clientEphemeral.public,
+							clientSessionProof: clientSession.proof,
+						},
+					},
+				},
+			},
+		)
+
+		expect(
+			client.verifySession(
+				clientEphemeral.public,
+				clientSession,
+				verifyChallenge.srp.serverSessionProof,
+			),
+		).resolves.toBeUndefined()
+	})
+
+	it('should not authenticate with invalid password', async () => {
+		const anonymousClient = getAnonymousClient(wabe.config.port)
+		const email = 'invalid@test.com'
+		const correctPassword = 'correct_password'
+		const wrongPassword = 'wrong_password'
+
+		const client = createSRPClient('SHA-256', 3072)
+
+		const salt = client.generateSalt()
+		const privateKey = await client.deriveSafePrivateKey(salt, correctPassword)
+		const verifier = client.deriveVerifier(privateKey)
+
+		await anonymousClient.request<any>(
+			gql`
+				mutation signUpWith($input: SignUpWithInput!) {
+					signUpWith(input: $input) {
+						accessToken
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: { email, salt, verifier },
+					},
+				},
+			},
+		)
+
+		const clientEphemeral = client.generateEphemeral()
+
+		const { signInWith } = await anonymousClient.request<any>(
+			gql`
+				mutation signInWith($input: SignInWithInput!) {
+					signInWith(input: $input) {
+						srp {
+							salt
+							serverPublic
+						}
+					}
+				}
+			`,
+			{
+				input: {
+					authentication: {
+						emailPasswordSRP: {
+							email,
+							clientPublic: clientEphemeral.public,
+						},
+					},
+				},
+			},
+		)
+
+		// Derive with wrong password
+		const wrongPrivateKey = await client.deriveSafePrivateKey(salt, wrongPassword)
+		const wrongClientSession = await client.deriveSession(
+			clientEphemeral.secret,
+			signInWith.srp.serverPublic,
+			salt,
+			'',
+			wrongPrivateKey,
+		)
+
+		expect(
+			anonymousClient.request<any>(
+				gql`
+					mutation verifyChallenge($input: VerifyChallengeInput!) {
+						verifyChallenge(input: $input) {
+							srp {
+								serverSessionProof
+							}
+						}
+					}
+				`,
+				{
+					input: {
+						secondFA: {
+							emailPasswordSRPChallenge: {
+								email,
+								clientPublic: clientEphemeral.public,
+								clientSessionProof: wrongClientSession.proof,
+							},
+						},
+					},
+				},
+			),
+		).rejects.toThrow('Invalid authentication credentials')
+	})
+})

package/src/authentication/providers/EmailPasswordSRP.ts

@@ -0,0 +1,179 @@
+import type {
+	AuthenticationEventsOptions,
+	OnVerifyChallengeOptions,
+	ProviderInterface,
+	SecondaryProviderInterface,
+} from '../interface'
+import { contextWithRoot } from '../../utils/export'
+import type { DevWabeTypes } from '../../utils/helper'
+import { createSRPServer, type Ephemeral, type Session } from 'js-srp6a'
+
+// 🛡 Valeurs factices pour mitigation des timing attacks
+const DUMMY_SALT = 'deadbeefdeadbeefdeadbeefdeadbeef'
+const DUMMY_VERIFIER =
+	'94c8f9b69f44fa0453a8a65129a7865ea2d70b21e645cf185d6fd42a679e524c394d4f02bba2032b10517be8c80f0f58e94302cb57cce7ce1e0a21906b6d22020b84a473d8ef58ea1f53e5204f8b83f05dc334b781fda309ad7cb8fa5c91dc81f64c114b671688b22e0f693a9c97ad2f43e6f1954c83d73e81e3dc8a963b7cbce'
+
+type EmailPasswordSRPInterface = {
+	clientPublic: string
+	email: string
+	salt?: string
+	verifier?: string
+}
+
+export class EmailPasswordSRP implements ProviderInterface<
+	DevWabeTypes,
+	EmailPasswordSRPInterface
+> {
+	async onSignIn({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordSRPInterface>) {
+		const server = createSRPServer('SHA-256', 3072)
+
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			context: contextWithRoot(context),
+			where: {
+				email: { equalTo: input.email },
+			},
+			select: {
+				authentication: true,
+				role: true,
+				secondFA: true,
+				email: true,
+				id: true,
+				provider: true,
+				isOauth: true,
+				createdAt: true,
+				updatedAt: true,
+			},
+			first: 1,
+		})
+
+		const user = users[0]
+
+		const salt = user?.authentication?.emailPasswordSRP?.salt ?? DUMMY_SALT
+		const verifier = user?.authentication?.emailPasswordSRP?.verifier ?? DUMMY_VERIFIER
+
+		let ephemeral: Ephemeral
+		try {
+			ephemeral = await server.generateEphemeral(verifier)
+		} catch {
+			throw new Error('Invalid authentication credentials')
+		}
+
+		if (!user || !user?.id) {
+			// Simulation d'opération pour garder le même temps
+			await new Promise((resolve) => setTimeout(resolve, 10))
+			throw new Error('Invalid authentication credentials')
+		}
+
+		await context.wabe.controllers.database.updateObject({
+			className: 'User',
+			context: contextWithRoot(context),
+			id: user.id,
+			data: {
+				authentication: {
+					emailPasswordSRP: {
+						...user.authentication?.emailPasswordSRP,
+						serverSecret: ephemeral.secret,
+					},
+				},
+			},
+			select: {},
+		})
+
+		return { srp: { salt, serverPublic: ephemeral.public }, user }
+	}
+
+	async onSignUp({
+		input,
+		context,
+	}: AuthenticationEventsOptions<DevWabeTypes, EmailPasswordSRPInterface>) {
+		const users = await context.wabe.controllers.database.count({
+			className: 'User',
+			where: {
+				email: { equalTo: input.email },
+			},
+			context: contextWithRoot(context),
+		})
+
+		if (users > 0) throw new Error('Not authorized to create user')
+
+		return {
+			authenticationDataToSave: {
+				salt: input.salt,
+				verifier: input.verifier,
+				email: input.email,
+				serverSecret: null,
+			},
+		}
+	}
+}
+
+export interface EmailPasswordSRPChallengeInterface {
+	email: string
+	clientPublic: string
+	clientSessionProof: string
+}
+
+export class EmailPasswordSRPChallenge implements SecondaryProviderInterface<
+	DevWabeTypes,
+	EmailPasswordSRPChallengeInterface
+> {
+	async onVerifyChallenge({
+		context,
+		input,
+	}: OnVerifyChallengeOptions<DevWabeTypes, EmailPasswordSRPChallengeInterface>) {
+		const server = createSRPServer('SHA-256', 3072)
+
+		const users = await context.wabe.controllers.database.getObjects({
+			className: 'User',
+			context: contextWithRoot(context),
+			where: {
+				authentication: {
+					emailPasswordSRP: {
+						email: { equalTo: input.email },
+					},
+				},
+			},
+			select: {
+				id: true,
+				authentication: true,
+			},
+		})
+
+		const user = users[0]
+
+		const salt = user?.authentication?.emailPasswordSRP?.salt ?? DUMMY_SALT
+		const verifier = user?.authentication?.emailPasswordSRP?.verifier ?? DUMMY_VERIFIER
+		const serverSecret = user?.authentication?.emailPasswordSRP?.serverSecret ?? 'deadbeef'
+
+		let serverSession: Session
+		try {
+			serverSession = await server.deriveSession(
+				serverSecret,
+				input.clientPublic,
+				salt,
+				'', // no username
+				verifier,
+				input.clientSessionProof,
+			)
+		} catch {
+			throw new Error('Invalid authentication credentials')
+		}
+
+		if (!user || !user?.id) {
+			// Simulation pour garder un timing constant
+			await new Promise((resolve) => setTimeout(resolve, 10))
+			throw new Error('Invalid authentication credentials')
+		}
+
+		return {
+			userId: user.id,
+			srp: {
+				serverSessionProof: serverSession.proof,
+			},
+		}
+	}
+}

package/src/authentication/providers/GitHub.ts

@@ -0,0 +1,24 @@
+import type { DevWabeTypes } from '../../utils/helper'
+import {
+	AuthenticationProvider,
+	type AuthenticationEventsOptions,
+	type ProviderInterface,
+} from '../interface'
+import { oAuthAuthentication } from './OAuth'
+
+type GitHubInterface = {
+	authorizationCode: string
+	codeVerifier: string
+}
+
+export class GitHub implements ProviderInterface<DevWabeTypes, GitHubInterface> {
+	name = 'github'
+	onSignIn(options: AuthenticationEventsOptions<DevWabeTypes, GitHubInterface>) {
+		return oAuthAuthentication(AuthenticationProvider.GitHub)(options)
+	}
+
+	// @ts-expect-error
+	onSignUp() {
+		throw new Error('SignUp is not implemented for Oauth provider, you should use signIn instead.')
+	}
+}