chore: merge branch '2022_40_MFA' into 'main'

2022 40 mfa

See merge request team-backend/orestes/orestes-js!41

Author: fbuecklers

lib/EntityManager.ts

@@ -1,36 +1,25 @@
 import * as messages from './message';
 import {
-  FileFactory,
-  UserFactory,
+  DeviceFactory,
   Entity,
-  ManagedFactory,
   EntityFactory,
-  DeviceFactory,
-  LoginOption, OAuthOptions,
+  FileFactory,
+  LoginOption,
+  ManagedFactory,
+  OAuthOptions,
+  UserFactory,
 } from './binding';
-import {
-  atob,
-  Class, deprecated,
-  isNode,
-  JsonMap,
-  Lockable,
-  uuid,
-  openWindow,
-} from './util';
-import {
-  Message, StatusCode, Connector, OAuthMessage,
-} from './connector';
+import { atob, Class, deprecated, isNode, JsonMap, Lockable, openWindow, uuid, } from './util';
+import { Connector, Message, OAuthMessage, RestSpecification, StatusCode } from './connector';
 import { BloomFilter } from './caching';
 import { GeoPoint } from './GeoPoint';
 import type { ConnectData, EntityManagerFactory } from './EntityManagerFactory';
 import * as model from './model';
 import type { Metamodel } from './metamodel';
+import { EntityType, ManagedType, MapAttribute, PluralAttribute, } from './metamodel';
 
 import { Builder } from './query';
 import { EntityExistsError, IllegalEntityError, PersistentError } from './error';
-import {
-  MapAttribute, EntityType, ManagedType, PluralAttribute,
-} from './metamodel';
 
 import {
   Code,
@@ -43,6 +32,9 @@ import {
   Validator,
 } from './intersection';
 import { appendQueryParams, CACHE_REPLACEMENT_SUPPORTED } from './connector/Message';
+import { MFAError } from './error/MFAError';
+import { Base64 } from './util/Base64';
+import { MFAResponse } from './util/Mfa';
 
 const DB_PREFIX = '/db/';
 
@@ -958,6 +950,79 @@ export class EntityManager extends Lockable {
     return this.withLock(() => this.send(new messages.Logout()).then(this._logout.bind(this)));
   }
 
+  /**
+   * Starts the MFA initiate process - note you must be logged in, to start the mfa setup process
+   *
+   * @returns A promise that resolves to an object with the following properties:
+   * - qrCode: A Base64 representation of the QR code for MFA setup.
+   * - keyUri: The URI for the MFA secret key.
+   * @example
+   * const { qrCode, keyUri } = await db.initMFA();
+   * const code = await setupMFADevice(qrCode, keyUri);
+   * const user = await db.finishMFA(code);
+   */
+  async initMFA(): Promise<MFAResponse> {
+    return this.send(new messages.MFAInitChallenge()).then((resp) => {
+      return {
+        qrCode: resp.entity.qrCode as Base64<'png'>,
+        keyUri: resp.entity.keyUri as string
+      };
+    });
+  }
+
+  /**
+   * Finishes the MFA (Multi-Factor Authentication) initiation process.
+   *
+   * @param code - The verification code for MFA.
+   * @returns A promise that resolves with the user object of the logged-in user.
+   */
+  public finishMFA(code: number): Promise<model.User> {
+    return this.send(new messages.MFAInitFinish({ code })).then((resp) => {
+      return this.User.me!; // to be here user is already logged in;
+    });
+  }
+
+  /**
+   * Submit a verification code after a login
+   *
+   * @param code - A 6 digit verification code
+   * @param token - An MFA token obtained during the login process
+   * @return The logged-in user object
+   */
+  async submitMFACode(code: number, token: string): Promise<model.User > {
+    const loginType = this.tokenStorage.temporary ? LoginOption.SESSION_LOGIN : LoginOption.PERSIST_LOGIN;
+    const msg = new messages.MFAToken({
+      authToken: token,
+      code,
+      global: loginType === LoginOption.PERSIST_LOGIN,
+    });
+    return this.withLock(() => this._userRequest(msg, loginType)) as Promise< model.User>;
+  }
+
+  /**
+   * Disables Multi-Factor Authentication for the currently logged in user.
+   *
+   * @throws {PersistentError} - Thrown when the user is not logged in.
+   * @return A promise that resolves when Multi-Factor Authentication is successfully disabled.
+   */
+  disableMFA(): Promise<any> {
+    if (!this.User.me)
+      throw new PersistentError('User not Logged in');
+
+    return this.send(new messages.MFADelete());
+  }
+
+  /**
+   * Returns the current MFA status of the user
+   *
+   * @returns A promise that resolves to the MFA status of the user.
+   * Possible values are 'ENABLED' if MFA is enabled, 'DISABLED' if MFA is
+   * disabled, or 'PENDING' if MFA status is pending.
+   */
+  getMFAStatus(): Promise<'ENABLED' | 'DISABLED' | 'PENDING'> {
+    return this.send(new messages.MFAStatus()).then((resp) => resp.entity);
+  }
+
   loginWithOAuth(provider: string, options: OAuthOptions): any | string | Promise<model.User | null> {
     if (!this.connection) {
       throw new Error('This EntityManager is not connected.');
@@ -1028,7 +1093,7 @@ export class EntityManager extends Lockable {
   private _loginOAuthDevice(provider: string, opt: OAuthOptions): Promise<model.User | null> {
     return this._userRequest(new messages.OAuth2(provider, opt.deviceCode), opt.loginOption)
       .catch(() => new Promise((resolve) => setTimeout(resolve, 5000))
-        .then(() => this._loginOAuthDevice(provider, opt)));
+        .then(() => this._loginOAuthDevice(provider, opt))) as Promise<model.User | null>;
   }
 
   renew(loginOption?: LoginOption | boolean) {
@@ -1092,7 +1157,9 @@ export class EntityManager extends Lockable {
 
     return this.send(msg, !login)
       .then(
-        (response) => (response.entity ? this._updateUser(response.entity, login) : null),
+        (response) => {
+          return response.entity ? this._updateUser(response.entity, login) : null;
+        },
         (e) => {
           if (e.status === StatusCode.OBJECT_NOT_FOUND) {
             if (login) {
@@ -1101,6 +1168,11 @@ export class EntityManager extends Lockable {
             return null;
           }
 
+          if (e.status === StatusCode.FORBIDDEN) {
+            const { data } = e;
+            throw new MFAError(data['baqend-mfa-auth-token']); // If MFA is required: throw an error containing the auth token
+          }
+
           throw e;
         },
       );

lib/connector/Connector.ts

@@ -33,6 +33,7 @@ export abstract class Connector {
     'last-modified',
     'baqend-created-at',
     'baqend-custom-headers',
+    'Baqend-MFA-Auth-Token',
   ];
 
   /**

lib/connector/Message.ts

@@ -43,6 +43,7 @@ export const StatusCode = {
   BUCKET_NOT_FOUND: 461,
   INVALID_PERMISSION_MODIFICATION: 462,
   INVALID_TYPE_VALUE: 463,
+  FORBIDDEN: 403,
   OBJECT_NOT_FOUND: 404,
   OBJECT_OUT_OF_DATE: 412,
   PERMISSION_DENIED: 466,

lib/error/MFAError.ts

@@ -0,0 +1,13 @@
+import { PersistentError } from './PersistentError';
+
+export class MFAError extends PersistentError {
+  /**
+  * The Verification Token for the MFA Message
+  */
+  public readonly token: string;
+
+  constructor(token: string) {
+    super('MFA Required');
+    this.token = token;
+  }
+}

lib/message.ts

@@ -905,6 +905,72 @@ export const RevokeUserToken = Message.create<RevokeUserToken>({
   status: [204],
 });
 
+interface MFAInitChallenge {
+  /**
+   * Starts MFA initialization
+   * Method to create a MFA
+   */
+  new(): Message;
+}
+export const MFAInitChallenge = Message.create<MFAInitChallenge>({
+  method: 'GET',
+  path: '/db/User/mfa/init',
+  status: [200],
+});
+
+interface MFAInitFinish {
+  /**
+   * Finishes MFA initialization
+   * Method to create a MFA
+   *
+   * @param body The massage Content
+   */
+  new(body?: json): Message;
+}
+export const MFAInitFinish = Message.create<MFAInitFinish>({
+  method: 'POST',
+  path: '/db/User/mfa/init',
+  status: [200],
+});
+
+interface MFAToken {
+  /**
+   * Finalize the generation of the shared secret for MFA
+   *
+   * @param body The massage Content
+   */
+  new(body?: json): Message;
+}
+export const MFAToken = Message.create<MFAToken>({
+  method: 'POST',
+  path: '/db/User/mfa/token',
+  status: [200],
+});
+
+interface MFADelete {
+  /**
+   * Deletes the users mfaSecret and mfaService
+   */
+  new(): Message;
+}
+export const MFADelete = Message.create<MFADelete>({
+  method: 'DELETE',
+  path: '/db/User/mfa',
+  status: [204],
+});
+
+interface MFAStatus {
+  /**
+   * Returns the current state of MFA
+   */
+  new(): Message;
+}
+export const MFAStatus = Message.create<MFAStatus>({
+  method: 'GET',
+  path: '/db/User/mfa/status',
+  status: [200],
+});
+
 interface AssumeRole {
   /**
    * Assumes a role

lib/model/index.ts

@@ -14,3 +14,4 @@ export interface Role extends binding.Role {}
  * Devices are connected to the app to be contactable.
  */
 export interface Device extends binding.Entity {}
+

lib/util/Base64.ts

@@ -0,0 +1 @@
+export type Base64<ImageType extends string> = `data:image/${ImageType};base64${string}`;

lib/util/Mfa.ts

@@ -0,0 +1,6 @@
+import { Base64 } from './Base64';
+
+export type MFAResponse = {
+  qrCode: Base64<'png'>
+  keyUri: string
+};

lib/util/index.ts

@@ -10,3 +10,5 @@ export { Class } from './Class';
 export { deprecated } from './deprecated';
 export { trailingSlashIt } from './trailingSlashIt';
 export { openWindow, OpenWindowHandler } from './openWindow';
+export { Base64 } from './Base64';
+export { MFAResponse } from './Mfa';