import type { NextApiRequest, NextApiResponse } from 'next'
import cors, { runMiddleware } from '@/utils/cors'
import { shieldUrl } from '@/utils/openfortConfig'
import openfort from '../../utils/openfortAdminConfig'
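/**
 * Reads an environment variable the handler cannot work without.
 *
 * @param name - Name of the variable in `process.env`.
 * @returns The variable's value.
 * @throws Error when the variable is unset or empty, so a misconfigured
 *   deployment fails loudly instead of sending the string "undefined" to Shield.
 */
function requiredEnv(name: string): string {
  const value = process.env[name]
  if (!value) {
    throw new Error(`Missing required environment variable: ${name}`)
  }
  return value
}

/**
 * Header set shared by every call to the Shield API in this handler: the
 * publishable key identifies the project, the secret key authorises the
 * server-side call.
 */
function shieldHeaders(): Record<string, string> {
  return {
    'Content-Type': 'application/json',
    'x-api-key': requiredEnv('NEXT_PUBLIC_SHIELD_PUBLISHABLE_KEY'),
    'x-api-secret': requiredEnv('NEXTAUTH_SHIELD_SECRET_KEY'),
  }
}

/**
 * Asks Shield to issue an OTP for `userId` when the project has 2FA enabled
 * and the user owns no account whose recovery method is `'project'`
 * (automatic recovery). A user with no accounts at all also triggers the
 * request, matching the original "every account is non-project" check.
 *
 * Only the OTP response status is logged; the response body is not inspected
 * and a non-OK answer is not treated as fatal here — the subsequent
 * encryption-session call surfaces the missing OTP as a 428 to the client.
 *
 * @param userId - Caller-supplied user id, already validated as a non-empty string.
 * @param shieldProject - Parsed `/project` response; only `enabled_2fa` is read.
 */
async function requestOtpIfNeeded(
  userId: string,
  shieldProject: { enabled_2fa?: boolean },
): Promise<void> {
  if (!shieldProject.enabled_2fa) {
    return
  }
  console.log('OTP is enabled for the project')

  const accounts = await openfort.accounts.list({ user: userId })
  const hasAutomaticRecovery = accounts.data.some(
    (account) => account.recoveryMethod === 'project',
  )
  if (hasAutomaticRecovery) {
    return
  }

  console.log("Requesting OTP since user doesn't have automatic recovery method")
  // `dangerously_skip_verification` tells Shield not to verify the OTP request
  // itself; this only holds up if the caller of this route is already
  // authenticated. NOTE(review): no caller authentication is visible in this
  // file beyond CORS — confirm the route is protected upstream.
  const otpResponse = await fetch(`${shieldUrl}/project/otp`, {
    headers: shieldHeaders(),
    method: 'POST',
    body: JSON.stringify({
      user_id: userId,
      dangerously_skip_verification: true,
    }),
  })
  if (!otpResponse.ok) {
    console.warn('OTP request was not accepted by Shield, status:', otpResponse.status)
  } else {
    console.log('OTP response status:', otpResponse.status)
  }
}

/**
 * Next.js API route that creates a Shield encryption session for
 * `req.body.user_id`, optionally using `req.body.otp_code`.
 *
 * Flow:
 *  1. Run CORS middleware.
 *  2. Validate `user_id` (untrusted request input) before forwarding it anywhere.
 *  3. Fetch the Shield project; when 2FA is enabled and the user has no
 *     automatic-recovery account, request an OTP on their behalf.
 *  4. Create the encryption session and return its `session_id`.
 *
 * Responses:
 *  - 200 `{ session }` on success
 *  - 400 `{ error: 'INVALID_USER_ID' }` when `user_id` is missing or not a string
 *  - 428 `{ error: 'OTP_REQUIRED' }` when Shield answers 428 or 400
 *    (both are how it signals that no OTP exists for the user)
 *  - 500 `{ error: 'Internal server error' }` for any other failure
 *
 * Response bodies from Shield are never logged in full; only status codes and
 * the single `enabled_2fa` flag are written to the log.
 */
export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse,
): Promise<void> {
  try {
    await runMiddleware(req, res, cors)

    // `user_id` comes straight from the request body and is forwarded to Shield
    // and to the account listing. Without this guard a missing value would list
    // accounts with `user: undefined` and post an OTP request with no user.
    const userId: unknown = req.body?.user_id
    if (typeof userId !== 'string' || userId.length === 0) {
      res.status(400).send({ error: 'INVALID_USER_ID' })
      return
    }

    const shieldProjectResponse = await fetch(`${shieldUrl}/project`, {
      headers: shieldHeaders(),
    })
    if (!shieldProjectResponse.ok) {
      throw new Error('Failed to fetch Shield project details')
    }
    const shieldProject: { enabled_2fa?: boolean } = await shieldProjectResponse.json()
    // Log only the flag this handler acts on, not the whole project record.
    console.log('shieldProject enabled_2fa:', shieldProject.enabled_2fa)

    await requestOtpIfNeeded(userId, shieldProject)

    const response = await fetch(`${shieldUrl}/project/encryption-session`, {
      headers: shieldHeaders(),
      method: 'POST',
      body: JSON.stringify({
        encryption_part: requiredEnv('NEXTAUTH_SHIELD_ENCRYPTION_SHARE'),
        user_id: userId,
        otp_code: req.body.otp_code,
      }),
    })
    const jsonResponse = await response.json()

    // Shield answers 428 (or 400) when there is no OTP for the user; both are
    // mapped to 428 so the client knows it has to request an OTP first.
    if (response.status === 428 || response.status === 400) {
      console.log('Encryption session refused, status:', response.status)
      res.status(428).send({ error: 'OTP_REQUIRED' })
      return
    }
    if (!response.ok) {
      throw new Error('Failed to authorize user')
    }

    res.status(200).send({
      session: jsonResponse.session_id,
    })
  } catch (e: unknown) {
    const message = e instanceof Error ? e.message : String(e)
    console.error(`Internal Next.js API server error: ${message}`)
    res.status(500).send({
      error: 'Internal server error',
    })
  }
}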