refactor: privileged actions

lib/new-admin/graphql/modules/authentication.js

@@ -52,6 +52,18 @@ const initializeSession = (context, user, rememberMe) => {
   if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
 }
 
+const executeProtectedAction = (code, id, context, action) => {
+  return users.getUserById(id)
+    .then(user => {
+      if (user.role !== 'superuser') {
+        return action()
+      }
+    
+      return confirm2FA(code, context)
+        .then(() => action())
+    })
+}
+
 const getUserData = context => {
   const lidCookie = getLamassuCookie(context)
   if (!lidCookie) return
@@ -93,7 +105,6 @@ const validateRegisterLink = token => {
       if (!r.success) throw new authErrors.InvalidUrlError()
       return { username: r.username, role: r.role }
     })
-    .catch(err => console.error(err))
 }
 
 const validateResetPasswordLink = token => {
@@ -103,7 +114,6 @@ const validateResetPasswordLink = token => {
       if (!r.success) throw new authErrors.InvalidUrlError()
       return { id: r.userID }
     })
-    .catch(err => console.error(err))
 }
 
 const validateReset2FALink = token => {
@@ -121,7 +131,6 @@ const validateReset2FALink = token => {
     .then(([_, user, secret, otpauth]) => {
       return { user_id: user.id, secret, otpauth }
     })
-    .catch(err => console.error(err))
 }
 
 const deleteSession = (sessionID, context) => {
@@ -148,92 +157,41 @@ const input2FA = (username, password, rememberMe, code, context) => {
     })
 }
 
-const setup2FA = (username, password, rememberMe, secret, codeConfirmation, context) => {
-  if (!secret) throw new authErrors.InvalidTwoFactorError()
-
-  const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret })
-  if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
-
+const setup2FA = (username, password, rememberMe, codeConfirmation, context) => {
   return authenticateUser(username, password)
     .then(user => {
-      if (user.temp_twofa_code !== secret) {
-        throw new authErrors.InvalidTwoFactorError()
-      }
+      const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: user.temp_twofa_code })
+      if (!isCodeValid) throw new authErrors.InvalidTwoFactorError()
 
       initializeSession(context, user, rememberMe)
-      return users.save2FASecret(user.id, secret)
+      return users.save2FASecret(user.id, user.temp_twofa_code)
     })
     .then(() => true)
 }
 
 const changeUserRole = (code, id, newRole, context) => {
-  const action = (id, newRole) => users.changeUserRole(id, newRole)
-
-  return users.getUserById(id)
-    .then(user => {
-      if (user.role !== 'superuser') {
-        return action(id, newRole)
-      }
-    
-      return confirm2FA(code, context)
-    })
-    .then(() => action(id, newRole))
+  const action = () => users.changeUserRole(id, newRole)
+  return executeProtectedAction(code, id, context, action)
 }
 
 const enableUser = (code, id, context) => {
-  const action = id => users.enableUser(id)
-
-  return users.getUserById(id)
-    .then(user => {
-      if (user.role !== 'superuser') {
-        return action(id)
-      }
-    
-      return confirm2FA(code, context)
-    })
-    .then(() => action(id))
+  const action = () => users.enableUser(id)
+  return executeProtectedAction(code, id, context, action)
 }
 
 const disableUser = (code, id, context) => {
-  const action = id => users.disableUser(id)
-
-  return users.getUserById(id)
-    .then(user => {
-      if (user.role !== 'superuser') {
-        return action(id)
-      }
-    
-      return confirm2FA(code, context)
-    })
-    .then(() => action(id))
+  const action = () => users.disableUser(id)
+  return executeProtectedAction(code, id, context, action)
 }
 
 const createResetPasswordToken = (code, userID, context) => {
-  const action = user => users.createAuthToken(user.id, 'reset_password')
-
-  return users.getUserById(userID)
-    .then(user => {
-      if (user.role !== 'superuser') {
-        return action(user.id)
-      }
-    
-      return confirm2FA(code, context)
-        .then(() => action(user))
-    })
+  const action = () => users.createAuthToken(userID, 'reset_password')
+  return executeProtectedAction(code, id, context, action)
 }
 
 const createReset2FAToken = (code, userID, context) => {
-  const action = user => users.createAuthToken(user.id, 'reset_twofa')
-
-  return users.getUserById(userID)
-    .then(user => {
-      if (user.role !== 'superuser') {
-        return action(user)
-      }
-    
-      return confirm2FA(code, context)
-        .then(() => action(user))
-    })
+  const action = () => users.createAuthToken(userID, 'reset_twofa')
+  return executeProtectedAction(code, id, context, action)
 }
 
 const createRegisterToken = (username, role) => {
@@ -243,7 +201,6 @@ const createRegisterToken = (username, role) => {
 
       return users.createUserRegistrationToken(username, role)
     })
-    .catch(err => console.error(err))
 }
 
 const register = (token, username, password, role) => {
@@ -252,7 +209,6 @@ const register = (token, username, password, role) => {
       if (user) throw new authErrors.UserAlreadyExistsError()
       return users.register(token, username, password, role).then(() => true)
     })
-    .catch(err => console.error(err))
 }
 
 const resetPassword = (token, userID, newPassword, context) => {
@@ -262,7 +218,6 @@ const resetPassword = (token, userID, newPassword, context) => {
       return users.updatePassword(token, user.id, newPassword)
     })
     .then(() => true)
-    .catch(err => console.error(err))
 }
 
 const reset2FA = (token, userID, code, secret, context) => {
@@ -278,7 +233,6 @@ const reset2FA = (token, userID, code, secret, context) => {
       return users.reset2FASecret(token, user.id, secret)
     })
     .then(() => true)
-    .catch(err => console.error(err))
 }
 
 module.exports = {

lib/new-admin/graphql/resolvers/users.resolver.js

@@ -22,7 +22,7 @@ const resolver = {
     changeUserRole: (...[, { confirmationCode, id, newRole }, context]) => authentication.changeUserRole(confirmationCode, id, newRole, context),
     login: (...[, { username, password }]) => authentication.login(username, password),
     input2FA: (...[, { username, password, rememberMe, code }, context]) => authentication.input2FA(username, password, rememberMe, code, context),
-    setup2FA: (...[, { username, password, rememberMe, secret, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, secret, codeConfirmation, context),
+    setup2FA: (...[, { username, password, rememberMe, codeConfirmation }, context]) => authentication.setup2FA(username, password, rememberMe, codeConfirmation, context),
     createResetPasswordToken: (...[, { confirmationCode, userID }, context]) => authentication.createResetPasswordToken(confirmationCode, userID, context),
     createReset2FAToken: (...[, { confirmationCode, userID }, context]) => authentication.createReset2FAToken(confirmationCode, userID, context),
     createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role),

lib/new-admin/graphql/types/users.type.js

@@ -65,7 +65,7 @@ const typeDef = `
     toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER])
     login(username: String!, password: String!): String
     input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean
-    setup2FA(username: String!, password: String!, rememberMe: Boolean!, secret: String!, codeConfirmation: String!): Boolean
+    setup2FA(username: String!, password: String!, rememberMe: Boolean!, codeConfirmation: String!): Boolean
     createResetPasswordToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
     createReset2FAToken(confirmationCode: String, userID: ID!): ResetToken @auth(requires: [SUPERUSER])
     createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])