feat(authentication): implement username-based authentication (#1327)

* feat(authentication): add register,login functionality via username and checks for email based flows

* chore: reduce code complexity so that codefactor checks pass

* chore: remove probably unnecessary code so that codefactor checks pass

* refactor: introduce new username auth handler instead of modifying existing local auth handler

* fix: address code review feedback

* fix: address code review feedback

Author: krigol14

libraries/grpc-sdk/src/modules/authentication/index.ts

@@ -37,6 +37,14 @@ export class Authentication extends ConduitModule<typeof AuthenticationDefinitio
     return this.client!.userCreate({ email, verify, password, anonymousId });
   }
 
+  userCreateByUsername(
+    username: string,
+    password?: string,
+    anonymousId?: string,
+  ): Promise<UserCreateResponse> {
+    return this.client!.userCreateByUsername({ username, password, anonymousId });
+  }
+
   anonymousUserCreate(clientId: string): Promise<UserLoginResponse> {
     return this.client!.anonymousUserCreate({ clientId });
   }

modules/authentication/src/Authentication.ts

@@ -24,6 +24,7 @@ import {
   TeamDeleteRequest,
   TeamDeleteResponse,
   UserChangePass,
+  UserCreateByUsernameRequest,
   UserCreateRequest,
   UserCreateResponse,
   UserDeleteRequest,
@@ -354,6 +355,61 @@ export default class Authentication extends ManagedModule<Config> {
     }
   }
 
+  async userCreateByUsername(
+    call: GrpcRequest<UserCreateByUsernameRequest>,
+    callback: GrpcCallback<UserCreateResponse>,
+  ) {
+    const username = call.request.username.toLowerCase();
+    let password = call.request.password;
+
+    if (isNil(password) || password.length === 0) {
+      password = AuthUtils.randomToken(8);
+    }
+    try {
+      let user = await models.User.getInstance().findOne({ username });
+      if (user) {
+        return callback({ code: status.ALREADY_EXISTS, message: 'User already exists' });
+      }
+      const hashedPassword = await AuthUtils.hashPassword(password);
+      const anonymousUserId = call.request.anonymousId;
+      if (!anonymousUserId) {
+        user = await models.User.getInstance().create({
+          username,
+          hashedPassword,
+          isVerified: true,
+        });
+        await TeamsHandler.getInstance()
+          .addUserToDefault(user)
+          .catch(err => {
+            ConduitGrpcSdk.Logger.error(err);
+          });
+      } else {
+        const config = ConfigController.getInstance().config;
+        if (!config.anonymousUsers.enabled) {
+          return callback({
+            code: status.FAILED_PRECONDITION,
+            message: 'Anonymous users configuration is disabled',
+          });
+        }
+        user = await models.User.getInstance().findByIdAndUpdate(anonymousUserId, {
+          username,
+          hashedPassword,
+          isAnonymous: false,
+          isVerified: true,
+        });
+        if (!user) {
+          return callback({
+            code: status.NOT_FOUND,
+            message: 'Anonymous user not found',
+          });
+        }
+      }
+      return callback(null, { password });
+    } catch (e) {
+      return callback({ code: status.INTERNAL, message: (e as Error).message });
+    }
+  }
+
   async anonymousUserCreate(
     call: GrpcRequest<AnonymousUserCreateRequest>,
     callback: GrpcCallback<UserLoginResponse>,

modules/authentication/src/admin/index.ts

@@ -62,9 +62,10 @@ export class AdminHandlers {
       {
         path: '/users',
         action: ConduitRouteActions.POST,
-        description: `Creates a new user using email/password.`,
+        description: `Creates a new user using email/username and password.`,
         bodyParams: {
-          email: ConduitString.Required,
+          email: ConduitString.Optional,
+          username: ConduitString.Optional,
           password: ConduitString.Required,
         },
       },

modules/authentication/src/admin/user.ts

@@ -55,22 +55,18 @@ export class UserAdmin {
   }
 
   async createUser(call: ParsedRouterRequest): Promise<UnparsedRouterResponse> {
-    const email = call.request.params.email.toLowerCase();
-    const password = call.request.params.password;
-    if (AuthUtils.invalidEmailAddress(email)) {
-      throw new GrpcError(status.INVALID_ARGUMENT, 'Invalid email address provided');
-    }
+    const { email, username, password } = call.request.params;
 
-    let user: User | null = await User.getInstance().findOne({
-      email: email,
-    });
+    const query = AuthUtils.validateAndNormalizeIdentifier(email, username);
+
+    let user: User | null = await User.getInstance().findOne(query);
     if (!isNil(user)) {
       throw new GrpcError(status.ALREADY_EXISTS, 'User already exists');
     }
 
     const hashedPassword = await AuthUtils.hashPassword(password);
     user = await User.getInstance().create({
-      email: email,
+      ...query,
       hashedPassword,
       isVerified: true,
     });

modules/authentication/src/authentication.proto

@@ -14,6 +14,12 @@ message UserCreateRequest {
   optional string anonymousId = 4;
 }
 
+message UserCreateByUsernameRequest {
+  string username = 1;
+  optional string password = 2;
+  optional string anonymousId = 3;
+}
+
 message UserChangePass {
   string email = 1;
   optional string password = 2;
@@ -98,6 +104,7 @@ message UserModifyStatusResponse {
 service Authentication {
   rpc UserLogin(UserLoginRequest) returns (UserLoginResponse);
   rpc UserCreate(UserCreateRequest) returns (UserCreateResponse);
+  rpc UserCreateByUsername(UserCreateByUsernameRequest) returns (UserCreateResponse);
   rpc UserModifyStatus(UserModifyStatusRequest) returns (UserModifyStatusResponse);
   rpc AnonymousUserCreate(AnonymousUserCreateRequest) returns (UserLoginResponse);
   rpc ChangePass(UserChangePass) returns (UserCreateResponse);

modules/authentication/src/config/local.config.ts

@@ -38,5 +38,10 @@ export default {
       format: 'String',
       default: '',
     },
+    username_auth_enabled: {
+      doc: 'Defines if username authentication strategy is enabled',
+      format: 'Boolean',
+      default: false,
+    },
   },
 };

modules/authentication/src/handlers/local.ts

@@ -2,7 +2,6 @@ import { isNil } from 'lodash-es';
 import { AuthUtils } from '../utils/index.js';
 import { TokenType } from '../constants/index.js';
 import { v4 as uuid } from 'uuid';
-import { Config } from '../config/index.js';
 import {
   ConduitGrpcSdk,
   ConduitRouteActions,
@@ -26,6 +25,7 @@ import {
 } from '@conduitplatform/module-tools';
 import { createHash } from 'crypto';
 import { merge } from 'lodash-es';
+import { authenticateChecks, changePassword } from './utils.js';
 
 export class LocalHandlers implements IAuthenticationStrategy {
   private emailModule: Email;
@@ -156,7 +156,7 @@ export class LocalHandlers implements IAuthenticationStrategy {
         middlewares: ['authMiddleware', 'denyAnonymousMiddleware'],
       },
       new ConduitRouteReturnDefinition('ChangePasswordResponse', 'String'),
-      this.changePassword.bind(this),
+      changePassword.bind(this),
     );
 
     routingManager.route(
@@ -387,7 +387,7 @@ export class LocalHandlers implements IAuthenticationStrategy {
     );
     if (isNil(user))
       throw new GrpcError(status.UNAUTHENTICATED, 'Invalid login credentials');
-    await this._authenticateChecks(password, config, user);
+    await authenticateChecks(password, config, user);
     ConduitGrpcSdk.Metrics?.increment('logged_in_users_total');
     return TokenProvider.getInstance().provideUserTokens({
       user,
@@ -503,20 +503,6 @@ export class LocalHandlers implements IAuthenticationStrategy {
     return 'Password reset successful';
   }
 
-  async changePassword(call: ParsedRouterRequest): Promise<UnparsedRouterResponse> {
-    if (!call.request.context.jwtPayload.sudo) {
-      throw new GrpcError(
-        status.PERMISSION_DENIED,
-        'Re-login required to enter sudo mode',
-      );
-    }
-    const { user } = call.request.context;
-    const { newPassword } = call.request.bodyParams;
-    const hashedPassword = await AuthUtils.hashPassword(newPassword);
-    await User.getInstance().findByIdAndUpdate(user._id, { hashedPassword });
-    return 'Password changed successfully';
-  }
-
   async changeEmail(call: ParsedRouterRequest): Promise<UnparsedRouterResponse> {
     if (!call.request.context.jwtPayload.sudo) {
       throw new GrpcError(
@@ -723,25 +709,6 @@ export class LocalHandlers implements IAuthenticationStrategy {
     return 'OK';
   }
 
-  private async _authenticateChecks(password: string, config: Config, user: User) {
-    if (!user.active) throw new GrpcError(status.PERMISSION_DENIED, 'Inactive user');
-    if (!user.hashedPassword)
-      throw new GrpcError(
-        status.PERMISSION_DENIED,
-        'User does not use password authentication',
-      );
-    const passwordsMatch = await AuthUtils.checkPassword(password, user.hashedPassword);
-    if (!passwordsMatch)
-      throw new GrpcError(status.UNAUTHENTICATED, 'Invalid login credentials');
-
-    if (config.local.verification.required && !user.isVerified) {
-      throw new GrpcError(
-        status.PERMISSION_DENIED,
-        'You must verify your account to login',
-      );
-    }
-  }
-
   private async initDbAndEmail() {
     const config = ConfigController.getInstance().config;
 

modules/authentication/src/handlers/username.ts

@@ -0,0 +1,108 @@
+import { isNil } from 'lodash-es';
+import {
+  ConduitGrpcSdk,
+  ConduitRouteActions,
+  ConduitRouteReturnDefinition,
+  GrpcError,
+  ParsedRouterRequest,
+  UnparsedRouterResponse,
+} from '@conduitplatform/grpc-sdk';
+import { User } from '../models/index.js';
+import { status } from '@grpc/grpc-js';
+import { IAuthenticationStrategy } from '../interfaces/index.js';
+import { TokenProvider } from './tokenProvider.js';
+import {
+  ConduitString,
+  ConfigController,
+  RoutingManager,
+} from '@conduitplatform/module-tools';
+import { authenticateChecks, changePassword } from './utils.js';
+
+export class UsernameHandlers implements IAuthenticationStrategy {
+  constructor(private readonly grpcSdk: ConduitGrpcSdk) {}
+
+  async declareRoutes(routingManager: RoutingManager): Promise<void> {
+    const config = ConfigController.getInstance().config;
+    const captchaConfig = config.captcha;
+
+    routingManager.route(
+      {
+        path: '/username',
+        action: ConduitRouteActions.POST,
+        description: `Login endpoint that can be used to authenticate.
+         Tokens are returned according to configuration.`,
+        bodyParams: {
+          username: ConduitString.Required,
+          password: ConduitString.Required,
+          captchaToken: ConduitString.Optional,
+        },
+        middlewares:
+          captchaConfig.enabled && captchaConfig.routes.login
+            ? ['captchaMiddleware']
+            : undefined,
+      },
+      new ConduitRouteReturnDefinition('LoginResponse', {
+        accessToken: ConduitString.Optional,
+        refreshToken: ConduitString.Optional,
+      }),
+      this.authenticate.bind(this),
+    );
+
+    routingManager.route(
+      {
+        path: '/username/change-password',
+        action: ConduitRouteActions.POST,
+        description: `Changes the user's password (requires sudo access).`,
+        bodyParams: {
+          newPassword: ConduitString.Required,
+        },
+        middlewares: ['authMiddleware', 'denyAnonymousMiddleware'],
+      },
+      new ConduitRouteReturnDefinition('ChangePasswordResponse', 'String'),
+      changePassword.bind(this),
+    );
+  }
+
+  async validate(): Promise<boolean> {
+    const config = ConfigController.getInstance().config;
+    if (config.local.username.enabled) {
+      return Promise.resolve(true);
+    } else {
+      ConduitGrpcSdk.Logger.log('Username authentication not available');
+      return Promise.resolve(false);
+    }
+  }
+
+  async authenticate(call: ParsedRouterRequest): Promise<UnparsedRouterResponse> {
+    ConduitGrpcSdk.Metrics?.increment('login_requests_total');
+
+    const { username, password } = call.request.params;
+    const context = call.request.context;
+
+    if (isNil(context)) {
+      throw new GrpcError(status.UNAUTHENTICATED, 'No headers provided');
+    }
+
+    const clientId = context.clientId;
+    const config = ConfigController.getInstance().config;
+
+    const user: User | null = await User.getInstance().findOne(
+      { username },
+      '+hashedPassword',
+    );
+
+    if (isNil(user)) {
+      throw new GrpcError(status.UNAUTHENTICATED, 'Invalid login credentials');
+    }
+
+    await authenticateChecks(password, config, user);
+
+    ConduitGrpcSdk.Metrics?.increment('logged_in_users_total');
+
+    return TokenProvider.getInstance().provideUserTokens({
+      user,
+      clientId,
+      config,
+    });
+  }
+}

modules/authentication/src/handlers/utils.ts

@@ -0,0 +1,41 @@
+import {
+  GrpcError,
+  ParsedRouterRequest,
+  UnparsedRouterResponse,
+} from '@conduitplatform/grpc-sdk';
+import { status } from '@grpc/grpc-js';
+import { User } from '../models/index.js';
+import { Config } from '../config/index.js';
+import { AuthUtils } from '../utils/index.js';
+
+export async function changePassword(
+  call: ParsedRouterRequest,
+): Promise<UnparsedRouterResponse> {
+  if (!call.request.context.jwtPayload.sudo) {
+    throw new GrpcError(status.PERMISSION_DENIED, 'Re-login required to enter sudo mode');
+  }
+  const { user } = call.request.context;
+  const { newPassword } = call.request.bodyParams;
+  const hashedPassword = await AuthUtils.hashPassword(newPassword);
+  await User.getInstance().findByIdAndUpdate(user._id, { hashedPassword });
+  return 'Password changed successfully';
+}
+
+export async function authenticateChecks(password: string, config: Config, user: User) {
+  if (!user.active) throw new GrpcError(status.PERMISSION_DENIED, 'Inactive user');
+  if (!user.hashedPassword)
+    throw new GrpcError(
+      status.PERMISSION_DENIED,
+      'User does not use password authentication',
+    );
+  const passwordsMatch = await AuthUtils.checkPassword(password, user.hashedPassword);
+  if (!passwordsMatch)
+    throw new GrpcError(status.UNAUTHENTICATED, 'Invalid login credentials');
+
+  if (config.local.verification.required && !user.isVerified) {
+    throw new GrpcError(
+      status.PERMISSION_DENIED,
+      'You must verify your account to login',
+    );
+  }
+}