-
Notifications
You must be signed in to change notification settings - Fork 657
Expand file tree
/
Copy pathreauthenticate.go
More file actions
99 lines (86 loc) · 3.47 KB
/
reauthenticate.go
File metadata and controls
99 lines (86 loc) · 3.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package api
import (
"net/http"
"github.com/supabase/auth/internal/api/apierrors"
"github.com/supabase/auth/internal/api/sms_provider"
"github.com/supabase/auth/internal/conf"
"github.com/supabase/auth/internal/crypto"
"github.com/supabase/auth/internal/models"
"github.com/supabase/auth/internal/storage"
)
const InvalidNonceMessage = "Nonce has expired or is invalid"
// Reauthenticate sends a reauthentication otp to either the user's email or phone
func (a *API) Reauthenticate(w http.ResponseWriter, r *http.Request) error {
ctx := r.Context()
config := a.config
db := a.db.WithContext(ctx)
user := getUser(ctx)
email, phone := user.GetEmail(), user.GetPhone()
if email == "" && phone == "" {
return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Reauthentication requires the user to have an email or a phone number")
}
if email != "" {
if !user.IsConfirmed() {
return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailNotConfirmed, "Please verify your email first.")
}
} else if phone != "" {
if !user.IsPhoneConfirmed() {
return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodePhoneNotConfirmed, "Please verify your phone first.")
}
}
messageID := ""
err := db.Transaction(func(tx *storage.Connection) error {
if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.UserReauthenticateAction, nil); terr != nil {
return terr
}
if email != "" {
return a.sendReauthenticationOtp(r, tx, user)
} else if phone != "" {
mID, err := a.sendPhoneConfirmation(r, tx, user, phone, phoneReauthenticationOtp, sms_provider.SMSProvider)
if err != nil {
return err
}
messageID = mID
}
return nil
})
if err != nil {
return err
}
ret := map[string]any{}
if messageID != "" {
ret["message_id"] = messageID
}
return sendJSON(w, http.StatusOK, ret)
}
// verifyReauthentication checks if the nonce provided is valid
func (a *API) verifyReauthentication(nonce string, tx *storage.Connection, config *conf.GlobalConfiguration, user *models.User) error {
if user.ReauthenticationToken == "" || user.ReauthenticationSentAt == nil {
return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeReauthenticationNotValid, InvalidNonceMessage)
}
var isValid bool
if user.GetEmail() != "" {
tokenHash := crypto.GenerateTokenHash(user.GetEmail(), nonce)
isValid = isOtpValid(tokenHash, user.ReauthenticationToken, user.ReauthenticationSentAt, config.Mailer.OtpExp)
} else if user.GetPhone() != "" {
if config.Sms.IsTwilioVerifyProvider() {
smsProvider, _ := sms_provider.GetSmsProvider(*config)
if err := smsProvider.(*sms_provider.TwilioVerifyProvider).VerifyOTP(string(user.Phone), nonce); err != nil {
return apierrors.NewForbiddenError(apierrors.ErrorCodeOTPExpired, "Token has expired or is invalid").WithInternalError(err)
}
return nil
} else {
tokenHash := crypto.GenerateTokenHash(user.GetPhone(), nonce)
isValid = isOtpValid(tokenHash, user.ReauthenticationToken, user.ReauthenticationSentAt, config.Sms.OtpExp)
}
} else {
return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeReauthenticationNotValid, "Reauthentication requires an email or a phone number")
}
if !isValid {
return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeReauthenticationNotValid, InvalidNonceMessage)
}
if err := user.ConfirmReauthentication(tx); err != nil {
return apierrors.NewInternalServerError("Error during reauthentication").WithInternalError(err)
}
return nil
}