Complete core auth; pending tests and session handling

Author: MukeshAbhi

packages/app/.env.docker

@@ -22,3 +22,4 @@ CLOUD_FRONT_KEYPAIR_ID=Q8A4T7ZMUYRW3Z
 CLOUD_FRONT_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----RSA KEY FOR CLOUDFRONT=-----END RSA PRIVATE KEY-----
 BUCKET_KEY=s3_bucket_folder_name_can_customise_as_per_your_likings
 ADMINSEMAILS=admin_Email@gmail.com
+CRYPTO_KEY=your-32-byte-key-hex-encoded

packages/app/.env.example

@@ -22,4 +22,5 @@ CLOUD_FRONT_KEYPAIR_ID=Q8A4T7ZMUYRW3Z
 CLOUD_FRONT_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----RSA KEY FOR CLOUDFRONT=-----END RSA PRIVATE KEY-----
 BUCKET_KEY=s3_bucket_folder_name_can_customise_as_per_your_likings
 ADMINSEMAILS=admin_Email@gmail.com
+CRYPTO_KEY=your-32-byte-key-hex-encoded
 

packages/app/__mocks__/otplib.js

@@ -0,0 +1,31 @@
+/* eslint-disable no-unused-vars */
+// Mock for otplib to avoid ES module issues in Jest
+class OTP {
+  constructor() {
+    this.options = {};
+  }
+
+  generate(secret) {
+    return "123456";
+  }
+
+  verify({ token, secret }) {
+    return true;
+  }
+}
+
+const authenticator = {
+  generate: jest.fn(() => "123456"),
+  verify: jest.fn(() => true),
+  generateSecret: jest.fn(() => "JBSWY3DPEHPK3PXP"),
+  keyuri: jest.fn(
+    (user, service, secret) =>
+      `otpauth://totp/${service}:${user}?secret=${secret}&issuer=${service}`
+  ),
+  options: {},
+};
+
+module.exports = {
+  OTP,
+  authenticator,
+};

packages/app/controllers/auth.js

@@ -498,6 +498,193 @@ async function resetPasswordController(req, res, next) {
   }
 }
 
+async function siginWithMFAController(req, res, next) {
+  try {
+    const userService = new UserService();
+    const { token } = req.body;
+    const mfaSessionToken = req.cookies.mfaToken;
+    if (!mfaSessionToken) {
+      return res.status(401).json({
+        error: STATUS_CODES[401],
+        message: "MFA token not found",
+        statusCode: 401,
+      });
+    }
+
+    // check if mfaSessionToken is valid
+
+    const user = await userService.getUserById(mfaSessionToken.userId);
+    if (!user) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.USER_NOT_FOUND,
+        statusCode: 404,
+      });
+    }
+
+    const isVerified = await userService.mfaLogin(user, token);
+    if (!isVerified) {
+      return res.status(400).json({
+        error: STATUS_CODES[400],
+        message: "Invalid token",
+        statusCode: 400,
+      });
+    }
+
+    // set session
+
+    return res.status(200).json({ statusCode: 200 });
+  } catch (error) {
+    next(error);
+  }
+}
+
+async function enableMFAController(req, res, next) {
+  try {
+    const userService = new UserService();
+    const { userId } = req.userData;
+    const user = await userService.getUserById(userId);
+    if (!user) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.USER_NOT_FOUND,
+        statusCode: 404,
+      });
+    }
+
+    const { qrCode } = await userService.enableMfa(user);
+    if (!qrCode) {
+      return res.status(500).json({
+        error: STATUS_CODES[500],
+        message: "Failed to enable MFA",
+        statusCode: 500,
+      });
+    }
+
+    return res.status(200).json({
+      statusCode: 200,
+      data: { qrCode },
+    });
+  } catch (error) {
+    res.status(error.statusCode || 500).json({
+      error: STATUS_CODES[error.statusCode] || STATUS_CODES[500],
+      message: error.message,
+      statusCode: error.statusCode || 500,
+    });
+    next(error);
+  }
+}
+
+async function verifyMFAController(req, res, next) {
+  try {
+    const userService = new UserService();
+    const { token } = req.body;
+    const { userId } = req.userData;
+    const user = await userService.getUserById(userId);
+    if (!user) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.USER_NOT_FOUND,
+        statusCode: 404,
+      });
+    }
+
+    const isVerified = await userService.verifyMfa(user, token);
+    if (!isVerified) {
+      return res.status(400).json({
+        error: STATUS_CODES[400],
+        message: "Invalid token",
+        statusCode: 400,
+      });
+    }
+
+    return res.status(200).json({ statusCode: 200 });
+  } catch (error) {
+    res.status(error.statusCode || 500).json({
+      error: STATUS_CODES[error.statusCode] || STATUS_CODES[500],
+      message: error.message,
+      statusCode: error.statusCode || 500,
+    });
+    next(error);
+  }
+}
+
+async function cancelMFAController(req, res, next) {
+  try {
+    const userService = new UserService();
+    const { userId } = req.userData;
+    const user = await userService.getUserById(userId);
+    if (!user) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.USER_NOT_FOUND,
+        statusCode: 404,
+      });
+    }
+
+    const isDisabled = await userService.disableMfa(user);
+    if (!isDisabled) {
+      return res.status(500).json({
+        error: STATUS_CODES[500],
+        message: "Failed to disable MFA",
+        statusCode: 500,
+      });
+    }
+
+    return res.status(200).json({ statusCode: 200 });
+  } catch (error) {
+    res.status(error.statusCode || 500).json({
+      error: STATUS_CODES[error.statusCode] || STATUS_CODES[500],
+      message: error.message,
+      statusCode: error.statusCode || 500,
+    });
+    next(error);
+  }
+}
+
+async function disableMFAController(req, res, next) {
+  try {
+    const userService = new UserService();
+    const { password } = req.body;
+    const { userId } = req.userData;
+    const user = await userService.getUserById(userId);
+    if (!user) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.USER_NOT_FOUND,
+        statusCode: 404,
+      });
+    }
+
+    const matchPassword = await user.matchPassword(password);
+    if (!matchPassword) {
+      return res.status(404).json({
+        error: STATUS_CODES[404],
+        message: Messages.INCORRECT_EMAIL_PASS,
+        statusCode: 404,
+      });
+    }
+
+    const isDisabled = await userService.disableMfa(user);
+    if (!isDisabled) {
+      return res.status(500).json({
+        error: STATUS_CODES[500],
+        message: "Failed to disable MFA",
+        statusCode: 500,
+      });
+    }
+
+    return res.status(200).json({ statusCode: 200 });
+  } catch (error) {
+    res.status(error.statusCode || 500).json({
+      error: STATUS_CODES[error.statusCode] || STATUS_CODES[500],
+      message: error.message,
+      statusCode: error.statusCode || 500,
+    });
+    next(error);
+  }
+}
+
 function validateSessionController(req, res) {
   return res.status(200).json({ statusCode: 200, userData: req.userData });
 }
@@ -511,4 +698,9 @@ module.exports = {
   resetPasswordSessionController,
   resetPasswordController,
   validateSessionController,
+  siginWithMFAController,
+  enableMFAController,
+  verifyMFAController,
+  cancelMFAController,
+  disableMFAController,
 };

packages/app/jest.config.js

@@ -1,4 +1,8 @@
 module.exports = {
   preset: "@shelf/jest-mongodb",
   watchPathIgnorePatterns: ["globalConfig"],
+  moduleNameMapper: {
+    // Mock otplib to avoid ES module issues
+    "^otplib$": "<rootDir>/__mocks__/otplib.js",
+  },
 };

packages/app/models/keys.js

@@ -44,12 +44,12 @@ keySchema.pre("save", async function (next) {
 
 keySchema.methods.data = function () {
   return {
-   _id: this._id,
+    _id: this._id,
     key_description: this.key_description,
     subscription_id: this.subscription_id,
     expires_at: this.expires_at,
     created_at: this._id.getTimestamp(),
-    updated_at: this.updated_at
+    updated_at: this.updated_at,
   };
 };
 

packages/app/models/users.js

@@ -63,6 +63,23 @@ const userSchema = new mongoose.Schema({
     type: Date,
     default: null,
   },
+  mfaEnabled: {
+    type: Boolean,
+    default: false,
+  },
+  mfaSecret: {
+    encrypted: { type: String, default: null },
+    iv: { type: String, default: null },
+    tag: { type: String, default: null },
+  },
+  mfaTempSecret: {
+    type: String,
+    default: null,
+  },
+  mfaTempSecretExpiresAt: {
+    type: Date,
+    default: null,
+  },
 });
 
 userSchema.methods.matchPassword = async function (password) {

packages/app/package.json

@@ -33,7 +33,9 @@
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.5.1",
     "multer": "^1.4.5-lts.1",
+    "otplib": "^13.3.0",
     "puppeteer-core": "^24.34.0",
+    "qrcode": "^1.5.4",
     "swagger-jsdoc": "^6.2.8",
     "swagger-ui-express": "^5.0.1",
     "uuid": "^9.0.1",

packages/app/routes/auth.js

@@ -10,6 +10,11 @@ const {
   resetPasswordSessionController,
   resetPasswordController,
   validateSessionController,
+  siginWithMFAController,
+  enableMFAController,
+  verifyMFAController,
+  cancelMFAController,
+  disableMFAController,
 } = require("../controllers/auth");
 
 router.post("/signup", signupController);
@@ -20,5 +25,10 @@ router.post("/password/forgot", forgotPasswordController);
 router.get("/password/forgot/:token?", resetPasswordSessionController);
 router.patch("/password/reset", resetPasswordController);
 router.get("/validate-session", authMiddleware(), validateSessionController);
+router.post("/mfa/signin", siginWithMFAController);
+router.post("/mfa/enable", authMiddleware(), enableMFAController);
+router.post("/mfa/verify", authMiddleware(), verifyMFAController);
+router.post("/mfa/cancel", authMiddleware(), cancelMFAController);
+router.post("/mfa/disable", authMiddleware(), disableMFAController);
 
 module.exports = router;