fix: email verification and UX

fix: remove annotations fix: styles fix: move directives from schema chore: rework auth routes feat: start graphql schema modularization feat: start directives rework fix: directive cycle fix: directive resolve fix: schema auth directive feat: migrate auth routes to gql fix: apollo client fix: migrate forms to formik refactor: user resolver chore: final touches on auth components fix: routes
2020-12-14 17:33:47 +00:00 · 2020-12-14 17:33:47 +00:00 · d295acc261
commit d295acc261
parent fded22f39a
33 changed files with 1319 additions and 1139 deletions
--- a/lib/new-admin/graphql/directives/auth.js
+++ b/lib/new-admin/graphql/directives/auth.js
@ -0,0 +1,40 @@
+const _ = require('lodash/fp')
+
+const { SchemaDirectiveVisitor, AuthenticationError } = require('apollo-server-express')
+const { defaultFieldResolver } = require('graphql')
+
+class AuthDirective extends SchemaDirectiveVisitor {
+  visitObject (type) {
+    this.ensureFieldsWrapped(type)
+    type._requiredAuthRole = this.args.requires
+  }
+
+  visitFieldDefinition (field, details) {
+    this.ensureFieldsWrapped(details.objectType)
+    field._requiredAuthRole = this.args.requires
+  }
+
+  ensureFieldsWrapped (objectType) {
+    if (objectType._authFieldsWrapped) return
+    objectType._authFieldsWrapped = true
+
+    const fields = objectType.getFields()
+
+    _.forEach(fieldName => {
+      const field = fields[fieldName]
+      const { resolve = defaultFieldResolver } = field
+
+      field.resolve = function (root, args, context, info) {
+        const requiredRoles = field._requiredAuthRole ? field._requiredAuthRole : objectType._requiredAuthRole
+        if (!requiredRoles) return resolve.apply(this, [root, args, context, info])
+
+        const user = context.req.session.user
+        if (!user || !_.includes(_.upperCase(user.role), requiredRoles)) throw new AuthenticationError('You do not have permission to access this resource!')
+
+        return resolve.apply(this, [root, args, context, info])
+      }
+    }, _.keys(fields))
+  }
+}
+
+module.exports = AuthDirective
--- a/lib/new-admin/graphql/directives/index.js
+++ b/lib/new-admin/graphql/directives/index.js
@ -0,0 +1,3 @@
+const AuthDirective = require('./auth')
+
+module.exports = { AuthDirective }
--- a/lib/new-admin/graphql/modules/authentication.js
+++ b/lib/new-admin/graphql/modules/authentication.js
@ -0,0 +1,220 @@
+const otplib = require('otplib')
+const bcrypt = require('bcrypt')
+
+const loginHelper = require('../../services/login')
+const T = require('../../../time')
+const users = require('../../../users')
+const sessionManager = require('../../../session-manager')
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+async function authenticateUser (username, password) {
+  const hashedPassword = await loginHelper.checkUser(username)
+  if (!hashedPassword) return null
+
+  const isMatch = await bcrypt.compare(password, hashedPassword)
+  if (!isMatch) return null
+
+  const user = await loginHelper.validateUser(username, hashedPassword)
+  if (!user) return null
+  return user
+}
+
+const getUserData = context => {
+  const lidCookie = context.req.cookies && context.req.cookies.lid
+  if (!lidCookie) return null
+
+  const user = context.req.session.user
+  return user
+}
+
+const get2FASecret = (username, password) => {
+  return authenticateUser(username, password).then(user => {
+    if (!user) return null
+
+    const secret = otplib.authenticator.generateSecret()
+    const otpauth = otplib.authenticator.keyuri(username, 'Lamassu Industries', secret)
+    return { secret, otpauth }
+  })
+}
+
+const confirm2FA = (codeArg, context) => {
+  const code = codeArg
+  const requestingUser = context.req.session.user
+
+  if (!requestingUser) return false
+
+  return users.get2FASecret(requestingUser.id).then(user => {
+    const secret = user.twofa_code
+    const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+
+    if (!isCodeValid) return false
+    return true
+  })
+}
+
+const validateRegisterLink = token => {
+  if (!token) return null
+  return users.validateUserRegistrationToken(token)
+    .then(r => {
+      if (!r.success) return null
+      return { username: r.username, role: r.role }
+    })
+    .catch(err => console.error(err))
+}
+
+const validateResetPasswordLink = token => {
+  if (!token) return null
+  return users.validatePasswordResetToken(token)
+    .then(r => {
+      if (!r.success) return null
+      return { id: r.userID }
+    })
+    .catch(err => console.error(err))
+}
+
+const validateReset2FALink = token => {
+  if (!token) return null
+  return users.validate2FAResetToken(token)
+    .then(r => {
+      if (!r.success) return null
+      return users.findById(r.userID)
+    })
+    .then(user => {
+      const secret = otplib.authenticator.generateSecret()
+      const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
+      return { user_id: user.id, secret, otpauth }
+    })
+    .catch(err => console.error(err))
+}
+
+const deleteSession = (sessionID, context) => {
+  if (sessionID === context.req.session.id) {
+    context.req.session.destroy()
+  }
+  return sessionManager.deleteSession(sessionID)
+}
+
+const login = (username, password) => {
+  return authenticateUser(username, password).then(user => {
+    if (!user) return 'FAILED'
+    return users.get2FASecret(user.id).then(user => {
+      const twoFASecret = user.twofa_code
+      return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
+    })
+  })
+}
+
+const input2FA = (username, password, rememberMe, code, context) => {
+  return authenticateUser(username, password).then(user => {
+    if (!user) return false
+
+    return users.get2FASecret(user.id).then(user => {
+      const secret = user.twofa_code
+      const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+      if (!isCodeValid) return false
+
+      const finalUser = { id: user.id, username: user.username, role: user.role }
+      context.req.session.user = finalUser
+      if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
+
+      return true
+    })
+  })
+}
+
+const setup2FA = (username, password, secret, codeConfirmation) => {
+  return authenticateUser(username, password).then(user => {
+    if (!user || !secret) return false
+
+    const isCodeValid = otplib.authenticator.verify({ token: codeConfirmation, secret: secret })
+    if (!isCodeValid) return false
+
+    users.save2FASecret(user.id, secret)
+    return true
+  })
+}
+
+const createResetPasswordToken = userID => {
+  return users.findById(userID)
+    .then(user => {
+      if (!user) return null
+      return users.createResetPasswordToken(user.id)
+    })
+    .then(token => {
+      return token
+    })
+    .catch(err => console.error(err))
+}
+
+const createReset2FAToken = userID => {
+  return users.findById(userID)
+    .then(user => {
+      if (!user) return null
+      return users.createReset2FAToken(user.id)
+    })
+    .then(token => {
+      return token
+    })
+    .catch(err => console.error(err))
+}
+
+const createRegisterToken = (username, role) => {
+  return users.getByName(username)
+    .then(user => {
+      if (user) return null
+
+      return users.createUserRegistrationToken(username, role).then(token => {
+        return token
+      })
+    })
+    .catch(err => console.error(err))
+}
+
+const register = (username, password, role) => {
+  return users.getByName(username)
+    .then(user => {
+      if (user) return false
+
+      users.createUser(username, password, role)
+      return true
+    })
+    .catch(err => console.error(err))
+}
+
+const resetPassword = (userID, newPassword, context) => {
+  return users.findById(userID).then(user => {
+    if (!user) return false
+    if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
+    return users.updatePassword(user.id, newPassword)
+  }).then(() => { return true }).catch(err => console.error(err))
+}
+
+const reset2FA = (userID, code, secret, context) => {
+  return users.findById(userID).then(user => {
+    const isCodeValid = otplib.authenticator.verify({ token: code, secret: secret })
+    if (!isCodeValid) return false
+
+    if (context.req.session.user && user.id === context.req.session.user.id) context.req.session.destroy()
+    return users.save2FASecret(user.id, secret).then(() => { return true })
+  }).catch(err => console.error(err))
+}
+
+module.exports = {
+  getUserData,
+  get2FASecret,
+  confirm2FA,
+  validateRegisterLink,
+  validateResetPasswordLink,
+  validateReset2FALink,
+  deleteSession,
+  login,
+  input2FA,
+  setup2FA,
+  createResetPasswordToken,
+  createReset2FAToken,
+  createRegisterToken,
+  register,
+  resetPassword,
+  reset2FA
+}
--- a/lib/new-admin/graphql/resolvers/index.js
+++ b/lib/new-admin/graphql/resolvers/index.js
@ -16,6 +16,7 @@ const scalar = require('./scalar.resolver')
 const settings = require('./settings.resolver')
 const status = require('./status.resolver')
 const transaction = require('./transaction.resolver')
+const user = require('./users.resolver')
 const version = require('./version.resolver')

 const resolvers = [
@ -35,6 +36,7 @@ const resolvers = [
  settings,
  status,
  transaction,
+  user,
  version
 ]

--- a/lib/new-admin/graphql/resolvers/users.resolver.js
+++ b/lib/new-admin/graphql/resolvers/users.resolver.js
@ -0,0 +1,35 @@
+const authentication = require('../modules/authentication')
+const users = require('../../../users')
+const sessionManager = require('../../../session-manager')
+
+const resolver = {
+  Query: {
+    users: () => users.getUsers(),
+    sessions: () => sessionManager.getSessionList(),
+    userSessions: (...[, { username }]) => sessionManager.getUserSessions(username),
+    userData: (root, args, context, info) => authentication.getUserData(context),
+    get2FASecret: (...[, { username, password }]) => authentication.get2FASecret(username, password),
+    confirm2FA: (root, args, context, info) => authentication.confirm2FA(args.code, context),
+    validateRegisterLink: (...[, { token }]) => authentication.validateRegisterLink(token),
+    validateResetPasswordLink: (...[, { token }]) => authentication.validateResetPasswordLink(token),
+    validateReset2FALink: (...[, { token }]) => authentication.validateReset2FALink(token)
+  },
+  Mutation: {
+    deleteUser: (...[, { id }]) => users.deleteUser(id),
+    deleteSession: (root, args, context, info) => authentication.deleteSession(args.sid, context),
+    deleteUserSessions: (...[, { username }]) => sessionManager.deleteUserSessions(username),
+    changeUserRole: (...[, { id, newRole }]) => users.changeUserRole(id, newRole),
+    toggleUserEnable: (...[, { id }]) => users.toggleUserEnable(id),
+    login: (...[, { username, password }]) => authentication.login(username, password),
+    input2FA: (root, args, context, info) => authentication.input2FA(args.username, args.password, args.rememberMe, args.code, context),
+    setup2FA: (...[, { username, password, secret, codeConfirmation }]) => authentication.setup2FA(username, password, secret, codeConfirmation),
+    createResetPasswordToken: (...[, { userID }]) => authentication.createResetPasswordToken(userID),
+    createReset2FAToken: (...[, { userID }]) => authentication.createReset2FAToken(userID),
+    createRegisterToken: (...[, { username, role }]) => authentication.createRegisterToken(username, role),
+    register: (...[, { username, password, role }]) => authentication.register(username, password, role),
+    resetPassword: (root, args, context, info) => authentication.resetPassword(args.userID, args.newPassword, context),
+    reset2FA: (root, args, context, info) => authentication.reset2FA(args.userID, args.code, args.secret, context)
+  }
+}
+
+module.exports = resolver
--- a/lib/new-admin/graphql/types/index.js
+++ b/lib/new-admin/graphql/types/index.js
@ -16,6 +16,7 @@ const scalar = require('./scalar.type')
 const settings = require('./settings.type')
 const status = require('./status.type')
 const transaction = require('./transaction.type')
+const user = require('./users.type')
 const version = require('./version.type')

 const types = [
@ -35,6 +36,7 @@ const types = [
  settings,
  status,
  transaction,
+  user,
  version
 ]

--- a/lib/new-admin/graphql/types/users.type.js
+++ b/lib/new-admin/graphql/types/users.type.js
@ -0,0 +1,77 @@
+const typeDef = `
+  directive @auth(
+    requires: [Role] = [USER, SUPERUSER]
+  ) on OBJECT | FIELD_DEFINITION
+
+  enum Role {
+    SUPERUSER
+    USER
+  }
+
+  type UserSession {
+    sid: String!
+    sess: JSONObject!
+    expire: Date!
+  }
+
+  type User {
+    id: ID
+    username: String
+    role: String
+    enabled: Boolean
+    created: Date
+    last_accessed: Date
+    last_accessed_from: String
+    last_accessed_address: String
+  }
+
+  type TwoFactorSecret {
+    user_id: ID
+    secret: String!
+    otpauth: String!
+  }
+
+  type ResetToken {
+    token: String
+    user_id: ID
+    expire: Date
+  }
+
+  type RegistrationToken {
+    token: String
+    username: String
+    role: String
+    expire: Date
+  }
+
+  type Query {
+    users: [User] @auth(requires: [SUPERUSER])
+    sessions: [UserSession] @auth(requires: [SUPERUSER])
+    userSessions(username: String!): [UserSession] @auth(requires: [SUPERUSER])
+    userData: User
+    get2FASecret(username: String!, password: String!): TwoFactorSecret
+    confirm2FA(code: String!): Boolean @auth(requires: [SUPERUSER])
+    validateRegisterLink(token: String!): User
+    validateResetPasswordLink(token: String!): User
+    validateReset2FALink(token: String!): TwoFactorSecret
+  }
+
+  type Mutation {
+    deleteUser(id: ID!): User @auth(requires: [SUPERUSER])
+    deleteSession(sid: String!): UserSession @auth(requires: [SUPERUSER])
+    deleteUserSessions(username: String!): [UserSession] @auth(requires: [SUPERUSER])
+    changeUserRole(id: ID!, newRole: String!): User @auth(requires: [SUPERUSER])
+    toggleUserEnable(id: ID!): User @auth(requires: [SUPERUSER])
+    login(username: String!, password: String!): String
+    input2FA(username: String!, password: String!, code: String!, rememberMe: Boolean!): Boolean
+    setup2FA(username: String!, password: String!, secret: String!, codeConfirmation: String!): Boolean
+    createResetPasswordToken(userID: ID!): ResetToken @auth(requires: [SUPERUSER])
+    createReset2FAToken(userID: ID!): ResetToken @auth(requires: [SUPERUSER])
+    createRegisterToken(username: String!, role: String!): RegistrationToken @auth(requires: [SUPERUSER])
+    register(username: String!, password: String!, role: String!): Boolean
+    resetPassword(userID: ID!, newPassword: String!): Boolean
+    reset2FA(userID: ID!, secret: String!, code: String!): Boolean
+  }
+`
+
+module.exports = typeDef