Merge pull request #133 from supabase/feat/generate-email-links

awalias · web-flow · commit 22c9152fbb7e · 2021-07-14T10:56:14.000+08:00
Feat: Generate email action links
diff --git a/README.md b/README.md
@@ -435,6 +435,35 @@ GoTrue exposes the following endpoints:
   }
   ```
 
+### **POST /admin/generate_link**
+  Returns the corresponding email action link based on the type specified.
+
+  ```json
+  headers: 
+  {
+    "Authorization": "Bearer eyJhbGciOiJI...M3A90LCkxxtX9oNP9KZO" // admin role required
+  }
+
+  body: 
+  {
+    "type": "signup" or "magiclink" or "recovery" or "invite",
+    "email": "email@example.com",
+    "password": "secret", // only if type = signup
+    "data": {
+      ...
+    }, // only if type = signup
+    "redirect_to": "https://supabase.io" // Redirect URL to send the user to after an email action. Defaults to SITE_URL. 
+
+  }
+  ```
+  Returns
+  ```json
+  {
+    "action_link": "http://localhost:9999/verify?token=TOKEN&type=TYPE&redirect_to=REDIRECT_URL",
+    ...
+  }
+  ```
+
 ### **POST /signup**
 
   Register a new user with an email and password.
diff --git a/api/admin.go b/api/admin.go
@@ -179,7 +179,7 @@ func (a *API) adminUserCreate(w http.ResponseWriter, r *http.Request) error {
 	if exists, err := models.IsDuplicatedEmail(a.db, instanceID, params.Email, aud); err != nil {
 		return internalServerError("Database error checking email").WithInternalError(err)
 	} else if exists {
-		return unprocessableEntityError("Email address already registered by another user")
+		return unprocessableEntityError(DuplicateEmailMsg)
 	}
 
 	user, err := models.NewUser(instanceID, params.Email, params.Password, aud, params.UserMetaData)
diff --git a/api/api.go b/api/api.go
@@ -158,6 +158,8 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 					r.Delete("/", api.adminUserDelete)
 				})
 			})
+
+			r.Post("/generate_link", api.GenerateLink)
 		})
 
 		r.Route("/saml", func(r *router) {
diff --git a/api/errors.go b/api/errors.go
@@ -8,6 +8,11 @@ import (
 	"runtime/debug"
 )
 
+// Common error messages during signup flow
+var (
+	DuplicateEmailMsg = "A user with this email address has already been registered"
+)
+
 var oauthErrorMap = map[int]string{
 	http.StatusBadRequest:          "invalid_request",
 	http.StatusUnauthorized:        "unauthorized_client",
diff --git a/api/invite.go b/api/invite.go
@@ -36,20 +36,23 @@ func (a *API) Invite(w http.ResponseWriter, r *http.Request) error {
 	if err != nil && !models.IsNotFoundError(err) {
 		return internalServerError("Database error finding user").WithInternalError(err)
 	}
-	if user != nil {
-		return unprocessableEntityError("Email address already registered by another user")
-	}
 
 	err = a.db.Transaction(func(tx *storage.Connection) error {
-		signupParams := SignupParams{
-			Email:    params.Email,
-			Data:     params.Data,
-			Aud:      aud,
-			Provider: "email",
-		}
-		user, err = a.signupNewUser(ctx, tx, &signupParams)
-		if err != nil {
-			return err
+		if user != nil {
+			if user.IsConfirmed() {
+				return unprocessableEntityError(DuplicateEmailMsg)
+			}
+		} else {
+			signupParams := SignupParams{
+				Email:    params.Email,
+				Data:     params.Data,
+				Aud:      aud,
+				Provider: "email",
+			}
+			user, err = a.signupNewUser(ctx, tx, &signupParams)
+			if err != nil {
+				return err
+			}
 		}
 
 		if terr := models.NewAuditLogEntry(tx, instanceID, adminUser, models.UserInvitedAction, map[string]interface{}{
diff --git a/api/mail.go b/api/mail.go
@@ -2,19 +2,170 @@ package api
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
 	"time"
 
 	"github.com/netlify/gotrue/crypto"
 	"github.com/netlify/gotrue/mailer"
 	"github.com/netlify/gotrue/models"
 	"github.com/netlify/gotrue/storage"
 	"github.com/pkg/errors"
+	"github.com/sethvargo/go-password/password"
 )
 
 var (
 	MaxFrequencyLimitError error = errors.New("Frequency limit reached")
+	configFile                   = ""
 )
 
+type GenerateLinkParams struct {
+	Type       string                 `json:"type"`
+	Email      string                 `json:"email"`
+	Password   string                 `json:"password"`
+	Data       map[string]interface{} `json:"data"`
+	RedirectTo string                 `json:"redirect_to"`
+}
+
+func (a *API) GenerateLink(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	config := a.getConfig(ctx)
+	mailer := a.Mailer(ctx)
+	instanceID := getInstanceID(ctx)
+	adminUser := getAdminUser(ctx)
+
+	params := &GenerateLinkParams{}
+	jsonDecoder := json.NewDecoder(r.Body)
+
+	if err := jsonDecoder.Decode(params); err != nil {
+		return badRequestError("Could not read body: %v", err)
+	}
+
+	if err := a.validateEmail(ctx, params.Email); err != nil {
+		return err
+	}
+
+	aud := a.requestAud(ctx, r)
+	user, err := models.FindUserByEmailAndAudience(a.db, instanceID, params.Email, aud)
+	if err != nil {
+		if models.IsNotFoundError(err) {
+			if params.Type == "magiclink" {
+				params.Type = "signup"
+				params.Password, err = password.Generate(64, 10, 0, false, true)
+				if err != nil {
+					return internalServerError("error creating user").WithInternalError(err)
+				}
+			} else if params.Type == "recovery" {
+				return notFoundError(err.Error())
+			}
+		} else {
+			return internalServerError("Database error finding user").WithInternalError(err)
+		}
+	}
+
+	var url string
+	referrer := a.getRedirectURLOrReferrer(r, params.RedirectTo)
+	now := time.Now()
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		var terr error
+		switch params.Type {
+		case "magiclink", "recovery":
+			if terr = models.NewAuditLogEntry(tx, instanceID, user, models.UserRecoveryRequestedAction, nil); terr != nil {
+				return terr
+			}
+			user.RecoveryToken = crypto.SecureToken()
+			user.RecoverySentAt = &now
+			terr = errors.Wrap(tx.UpdateOnly(user, "recovery_token", "recovery_sent_at"), "Database error updating user for recovery")
+		case "invite":
+			if user != nil {
+				if user.IsConfirmed() {
+					return unprocessableEntityError(DuplicateEmailMsg)
+				}
+			} else {
+				signupParams := &SignupParams{
+					Email:    params.Email,
+					Data:     params.Data,
+					Provider: "email",
+					Aud:      aud,
+				}
+				user, terr = a.signupNewUser(ctx, tx, signupParams)
+				if terr != nil {
+					return terr
+				}
+			}
+			if terr = models.NewAuditLogEntry(tx, instanceID, adminUser, models.UserInvitedAction, map[string]interface{}{
+				"user_id":    user.ID,
+				"user_email": user.Email,
+			}); terr != nil {
+				return terr
+			}
+			user.ConfirmationToken = crypto.SecureToken()
+			user.ConfirmationSentAt = &now
+			user.InvitedAt = &now
+			terr = errors.Wrap(tx.UpdateOnly(user, "confirmation_token", "confirmation_sent_at", "invited_at"), "Database error updating user for invite")
+		case "signup":
+			if user != nil {
+				if user.IsConfirmed() {
+					return unprocessableEntityError(DuplicateEmailMsg)
+				}
+				if err := user.UpdateUserMetaData(tx, params.Data); err != nil {
+					return internalServerError("Database error updating user").WithInternalError(err)
+				}
+			} else {
+				if params.Password == "" {
+					return unprocessableEntityError("Signup requires a valid password")
+				}
+				if len(params.Password) < config.PasswordMinLength {
+					return unprocessableEntityError(fmt.Sprintf("Password should be at least %d characters", config.PasswordMinLength))
+				}
+				signupParams := &SignupParams{
+					Email:    params.Email,
+					Password: params.Password,
+					Data:     params.Data,
+					Provider: "email",
+					Aud:      aud,
+				}
+				user, terr = a.signupNewUser(ctx, tx, signupParams)
+				if terr != nil {
+					return terr
+				}
+			}
+			user.ConfirmationToken = crypto.SecureToken()
+			user.ConfirmationSentAt = &now
+			terr = errors.Wrap(tx.UpdateOnly(user, "confirmation_token", "confirmation_sent_at"), "Database error updating user for confirmation")
+		default:
+			return badRequestError("Invalid email action link type requested: %v", params.Type)
+		}
+
+		if terr != nil {
+			return terr
+		}
+
+		url, terr = mailer.GetEmailActionLink(user, params.Type, referrer)
+		if terr != nil {
+			return terr
+		}
+		return nil
+	})
+
+	if err != nil {
+		return err
+	}
+
+	resp := make(map[string]interface{})
+	u, err := json.Marshal(user)
+	if err != nil {
+		return internalServerError("User serialization error").WithInternalError(err)
+	}
+	if err = json.Unmarshal(u, &resp); err != nil {
+		return internalServerError("User serialization error").WithInternalError(err)
+	}
+	resp["action_link"] = url
+
+	return sendJSON(w, http.StatusOK, resp)
+}
+
 func sendConfirmation(tx *storage.Connection, u *models.User, mailer mailer.Mailer, maxFrequency time.Duration, referrerURL string) error {
 	if u.ConfirmationSentAt != nil && !u.ConfirmationSentAt.Add(maxFrequency).Before(time.Now()) {
 		return MaxFrequencyLimitError
diff --git a/api/signup.go b/api/signup.go
@@ -61,7 +61,7 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 		var terr error
 		if user != nil {
 			if user.IsConfirmed() {
-				return badRequestError("A user with this email address has already been registered")
+				return unprocessableEntityError(DuplicateEmailMsg)
 			}
 
 			if err := user.UpdateUserMetaData(tx, params.Data); err != nil {
diff --git a/api/user.go b/api/user.go
@@ -125,7 +125,7 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 			if exists, terr = models.IsDuplicatedEmail(tx, instanceID, params.Email, user.Aud); terr != nil {
 				return internalServerError("Database error checking email").WithInternalError(terr)
 			} else if exists {
-				return unprocessableEntityError("Email address already registered by another user")
+				return unprocessableEntityError(DuplicateEmailMsg)
 			}
 
 			mailer := a.Mailer(ctx)
diff --git a/mailer/mailer.go b/mailer/mailer.go
@@ -20,6 +20,7 @@ type Mailer interface {
 	MagicLinkMail(user *models.User, referrerURL string) error
 	EmailChangeMail(user *models.User, referrerURL string) error
 	ValidateEmail(email string) error
+	GetEmailActionLink(user *models.User, actionType, referrerURL string) (string, error)
 }
 
 // NewMailer returns a new gotrue mailer
diff --git a/mailer/noop.go b/mailer/noop.go
@@ -32,3 +32,7 @@ func (m *noopMailer) EmailChangeMail(user *models.User, referrerURL string) erro
 func (m noopMailer) Send(user *models.User, subject, body string, data map[string]interface{}) error {
 	return nil
 }
+
+func (m noopMailer) GetEmailActionLink(user *models.User, actionType, referrerURL string) (string, error) {
+	return "", nil
+}
diff --git a/mailer/template.go b/mailer/template.go
@@ -1,6 +1,8 @@
 package mailer
 
 import (
+	"fmt"
+
 	"github.com/badoux/checkmail"
 	"github.com/netlify/gotrue/conf"
 	"github.com/netlify/gotrue/models"
@@ -206,3 +208,33 @@ func (m TemplateMailer) Send(user *models.User, subject, body string, data map[s
 		data,
 	)
 }
+
+// GetEmailActionLink returns a magiclink, recovery or invite link based on the actionType passed.
+func (m TemplateMailer) GetEmailActionLink(user *models.User, actionType, referrerURL string) (string, error) {
+	globalConfig, err := conf.LoadGlobal(configFile)
+
+	redirectParam := ""
+	if len(referrerURL) > 0 {
+		redirectParam = "&redirect_to=" + referrerURL
+	}
+
+	var url string
+	switch actionType {
+	case "magiclink":
+		url, err = getSiteURL(referrerURL, globalConfig.API.ExternalURL, m.Config.Mailer.URLPaths.Recovery, "token="+user.RecoveryToken+"&type=magiclink"+redirectParam)
+	case "recovery":
+		url, err = getSiteURL(referrerURL, globalConfig.API.ExternalURL, m.Config.Mailer.URLPaths.Recovery, "token="+user.RecoveryToken+"&type=recovery"+redirectParam)
+	case "invite":
+		url, err = getSiteURL(referrerURL, globalConfig.API.ExternalURL, m.Config.Mailer.URLPaths.Invite, "token="+user.ConfirmationToken+"&type=invite"+redirectParam)
+	case "signup":
+		url, err = getSiteURL(referrerURL, globalConfig.API.ExternalURL, m.Config.Mailer.URLPaths.Confirmation, "token="+user.ConfirmationToken+"&type=signup"+redirectParam)
+	default:
+		return "", fmt.Errorf("Invalid email action link type: %s", actionType)
+	}
+
+	if err != nil {
+		return "", err
+	}
+
+	return url, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ func (a API) adminUserCreate(w http.ResponseWriter, r http.Request) error {`
`179`	`179`	`if exists, err := models.IsDuplicatedEmail(a.db, instanceID, params.Email, aud); err != nil {`
`180`	`180`	`return internalServerError("Database error checking email").WithInternalError(err)`
`181`	`181`	`} else if exists {`
`182`		`- return unprocessableEntityError("Email address already registered by another user")`
	`182`	`+ return unprocessableEntityError(DuplicateEmailMsg)`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`user, err := models.NewUser(instanceID, params.Email, params.Password, aud, params.UserMetaData)`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func (a API) Signup(w http.ResponseWriter, r http.Request) error {`
`61`	`61`	`var terr error`
`62`	`62`	`if user != nil {`
`63`	`63`	`if user.IsConfirmed() {`
`64`		`- return badRequestError("A user with this email address has already been registered")`
	`64`	`+ return unprocessableEntityError(DuplicateEmailMsg)`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`if err := user.UpdateUserMetaData(tx, params.Data); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ func (a API) UserUpdate(w http.ResponseWriter, r http.Request) error {`
`125`	`125`	`if exists, terr = models.IsDuplicatedEmail(tx, instanceID, params.Email, user.Aud); terr != nil {`
`126`	`126`	`return internalServerError("Database error checking email").WithInternalError(terr)`
`127`	`127`	`} else if exists {`
`128`		`- return unprocessableEntityError("Email address already registered by another user")`
	`128`	`+ return unprocessableEntityError(DuplicateEmailMsg)`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`mailer := a.Mailer(ctx)`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ type Mailer interface {`
`20`	`20`	`MagicLinkMail(user *models.User, referrerURL string) error`
`21`	`21`	`EmailChangeMail(user *models.User, referrerURL string) error`
`22`	`22`	`ValidateEmail(email string) error`
	`23`	`+ GetEmailActionLink(user *models.User, actionType, referrerURL string) (string, error)`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`// NewMailer returns a new gotrue mailer`
Original file line number	Diff line number	Diff line change
`@@ -32,3 +32,7 @@ func (m noopMailer) EmailChangeMail(user models.User, referrerURL string) erro`
`32`	`32`	`func (m noopMailer) Send(user *models.User, subject, body string, data map[string]interface{}) error {`
`33`	`33`	`return nil`
`34`	`34`	`}`
	`35`	`+`
	`36`	`+func (m noopMailer) GetEmailActionLink(user *models.User, actionType, referrerURL string) (string, error) {`
	`37`	`+ return "", nil`
	`38`	`+}`