Merge branch 'main' of https://github.com/authorizerdev/authorizer

2023-12-26 21:10:58 +05:30
parent 59ed4e273f 5fac440205
commit ef2a590608
14 changed files with 554 additions and 164 deletions
--- a/server/resolvers/forgot_password.go
+++ b/server/resolvers/forgot_password.go
@@ -6,29 +6,29 @@ import (
 	"strings"
 	"time"

+	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/email"
+	mailService "github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
 	"github.com/authorizerdev/authorizer/server/refs"
+	"github.com/authorizerdev/authorizer/server/smsproviders"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
-	"github.com/authorizerdev/authorizer/server/validators"
 )

 // ForgotPasswordResolver is a resolver for forgot password mutation
-func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.Response, error) {
-	var res *model.Response
-
+func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.ForgotPasswordResponse, error) {
 	gc, err := utils.GinContextFromContext(ctx)
 	if err != nil {
 		log.Debug("Failed to get GinContext: ", err)
-		return res, err
+		return nil, err
 	}

 	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
@@ -36,74 +36,134 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 		log.Debug("Error getting basic auth disabled: ", err)
 		isBasicAuthDisabled = true
 	}
-	if isBasicAuthDisabled {
-		log.Debug("Basic authentication is disabled")
-		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
-	}
-	params.Email = strings.ToLower(params.Email)
-
-	if !validators.IsValidEmail(params.Email) {
-		log.Debug("Invalid email address: ", params.Email)
-		return res, fmt.Errorf("invalid email")
-	}
-
-	log := log.WithFields(log.Fields{
-		"email": params.Email,
-	})
-	user, err := db.Provider.GetUserByEmail(ctx, params.Email)
+	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {
-		log.Debug("User not found: ", err)
-		return res, fmt.Errorf(`user with this email not found`)
+		log.Debug("Error getting email verification disabled: ", err)
+		isEmailVerificationDisabled = true
 	}

+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isMobileBasicAuthDisabled = true
+	}
+	isMobileVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
+	if err != nil {
+		log.Debug("Error getting mobile verification disabled: ", err)
+		isMobileVerificationDisabled = true
+	}
+
+	email := refs.StringValue(params.Email)
+	phoneNumber := refs.StringValue(params.PhoneNumber)
+	if email == "" && phoneNumber == "" {
+		log.Debug("Email or phone number is required")
+		return nil, fmt.Errorf(`email or phone number is required`)
+	}
+	log := log.WithFields(log.Fields{
+		"email":        refs.StringValue(params.Email),
+		"phone_number": refs.StringValue(params.PhoneNumber),
+	})
+	isEmailLogin := email != ""
+	isMobileLogin := phoneNumber != ""
+	if isBasicAuthDisabled && isEmailLogin && !isEmailVerificationDisabled {
+		log.Debug("Basic authentication is disabled.")
+		return nil, fmt.Errorf(`basic authentication is disabled for this instance`)
+	}
+	if isMobileBasicAuthDisabled && isMobileLogin && !isMobileVerificationDisabled {
+		log.Debug("Mobile basic authentication is disabled.")
+		return nil, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
+	}
+	var user *models.User
+	if isEmailLogin {
+		user, err = db.Provider.GetUserByEmail(ctx, email)
+	} else {
+		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+	}
+	if err != nil {
+		log.Debug("Failed to get user: ", err)
+		return nil, fmt.Errorf(`bad user credentials`)
+	}
 	hostname := parsers.GetHost(gc)
 	_, nonceHash, err := utils.GenerateNonce()
 	if err != nil {
 		log.Debug("Failed to generate nonce: ", err)
-		return res, err
+		return nil, err
 	}
-
-	redirectURI := ""
-	// give higher preference to params redirect uri
-	if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
-		redirectURI = refs.StringValue(params.RedirectURI)
-	} else {
-		redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
-		if err != nil {
-			log.Debug("ResetPasswordURL not found using default app url: ", err)
-			redirectURI = hostname + "/app/reset-password"
-			memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)
+	if user.RevokedTimestamp != nil {
+		log.Debug("User access is revoked")
+		return nil, fmt.Errorf(`user access has been revoked`)
+	}
+	if isEmailLogin {
+		redirectURI := ""
+		// give higher preference to params redirect uri
+		if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
+			redirectURI = refs.StringValue(params.RedirectURI)
+		} else {
+			redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
+			if err != nil {
+				log.Debug("ResetPasswordURL not found using default app url: ", err)
+				redirectURI = hostname + "/app/reset-password"
+				memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)
+			}
 		}
+		verificationToken, err := token.CreateVerificationToken(email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)
+		if err != nil {
+			log.Debug("Failed to create verification token", err)
+			return nil, err
+		}
+		_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{
+			Token:       verificationToken,
+			Identifier:  constants.VerificationTypeForgotPassword,
+			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
+			Email:       email,
+			Nonce:       nonceHash,
+			RedirectURI: redirectURI,
+		})
+		if err != nil {
+			log.Debug("Failed to add verification request", err)
+			return nil, err
+		}
+		// execute it as go routine so that we can reduce the api latency
+		go mailService.SendEmail([]string{email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
+			"user":             user.ToMap(),
+			"organization":     utils.GetOrganization(),
+			"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),
+		})
+		return &model.ForgotPasswordResponse{
+			Message: `Please check your inbox! We have sent a password reset link.`,
+		}, nil
 	}
-
-	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)
-	if err != nil {
-		log.Debug("Failed to create verification token", err)
-		return res, err
+	if isMobileLogin {
+		expiresAt := time.Now().Add(1 * time.Minute).Unix()
+		otp := utils.GenerateOTP()
+		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
+			Email:       refs.StringValue(user.Email),
+			PhoneNumber: refs.StringValue(user.PhoneNumber),
+			Otp:         otp,
+			ExpiresAt:   expiresAt,
+		})
+		if err != nil {
+			log.Debug("Failed to add otp: ", err)
+			return nil, err
+		}
+		mfaSession := uuid.NewString()
+		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expiresAt)
+		if err != nil {
+			log.Debug("Failed to add mfasession: ", err)
+			return nil, err
+		}
+		cookie.SetMfaSession(gc, mfaSession)
+		smsBody := strings.Builder{}
+		smsBody.WriteString("Your verification code is: ")
+		smsBody.WriteString(otpData.Otp)
+		if err := smsproviders.SendSMS(phoneNumber, smsBody.String()); err != nil {
+			log.Debug("Failed to send sms: ", err)
+			// continue
+		}
+		return &model.ForgotPasswordResponse{
+			Message:                   "Please enter the OTP sent to your phone number and change your password.",
+			ShouldShowMobileOtpScreen: refs.NewBoolRef(true),
+		}, nil
 	}
-	_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{
-		Token:       verificationToken,
-		Identifier:  constants.VerificationTypeForgotPassword,
-		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-		Email:       params.Email,
-		Nonce:       nonceHash,
-		RedirectURI: redirectURI,
-	})
-	if err != nil {
-		log.Debug("Failed to add verification request", err)
-		return res, err
-	}
-
-	// execute it as go routine so that we can reduce the api latency
-	go email.SendEmail([]string{params.Email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
-		"user":             user.ToMap(),
-		"organization":     utils.GetOrganization(),
-		"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),
-	})
-
-	res = &model.Response{
-		Message: `Please check your inbox! We have sent a password reset link.`,
-	}
-
-	return res, nil
+	return nil, fmt.Errorf(`email or phone number verification needs to be enabled`)
 }
--- a/server/resolvers/login.go
+++ b/server/resolvers/login.go
@@ -16,6 +16,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
+	mailService "github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
@@ -23,8 +24,6 @@ import (
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
-
-	mailService "github.com/authorizerdev/authorizer/server/email"
 )

 // LoginResolver is a resolver for login mutation
@@ -172,9 +171,10 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	generateOTP := func(expiresAt int64) (*models.OTP, error) {
 		otp := utils.GenerateOTP()
 		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
-			Email:     refs.StringValue(user.Email),
-			Otp:       otp,
-			ExpiresAt: expiresAt,
+			Email:       refs.StringValue(user.Email),
+			PhoneNumber: refs.StringValue(user.PhoneNumber),
+			Otp:         otp,
+			ExpiresAt:   expiresAt,
 		})
 		if err != nil {
 			log.Debug("Failed to add otp: ", err)
--- a/server/resolvers/reset_password.go
+++ b/server/resolvers/reset_password.go
@@ -9,8 +9,10 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
@@ -29,97 +31,155 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-
+	verifyingToken := refs.StringValue(params.Token)
+	otp := refs.StringValue(params.Otp)
+	if verifyingToken == "" && otp == "" {
+		log.Debug("Token or OTP is required")
+		return res, fmt.Errorf(`token or otp is required`)
+	}
+	isTokenVerification := verifyingToken != ""
+	isOtpVerification := otp != ""
+	if isOtpVerification && refs.StringValue(params.PhoneNumber) == "" {
+		log.Debug("Phone number is required")
+		return res, fmt.Errorf(`phone number is required`)
+	}
 	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
 	if err != nil {
 		log.Debug("Error getting basic auth disabled: ", err)
 		isBasicAuthDisabled = true
 	}
-	if isBasicAuthDisabled {
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isBasicAuthDisabled = true
+	}
+	if isTokenVerification && isBasicAuthDisabled {
 		log.Debug("Basic authentication is disabled")
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
-
-	verificationRequest, err := db.Provider.GetVerificationRequestByToken(ctx, params.Token)
-	if err != nil {
-		log.Debug("Failed to get verification request: ", err)
-		return res, fmt.Errorf(`invalid token`)
+	if isOtpVerification && isMobileBasicAuthDisabled {
+		log.Debug("Mobile basic authentication is disabled")
+		return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
 	}
+	email := ""
+	phoneNumber := refs.StringValue(params.PhoneNumber)
+	var user *models.User
+	var verificationRequest *models.VerificationRequest
+	var otpRequest *models.OTP
+	if isTokenVerification {
+		verificationRequest, err = db.Provider.GetVerificationRequestByToken(ctx, verifyingToken)
+		if err != nil {
+			log.Debug("Failed to get verification request: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}
+		// verify if token exists in db
+		hostname := parsers.GetHost(gc)
+		claim, err := token.ParseJWTToken(verifyingToken)
+		if err != nil {
+			log.Debug("Failed to parse token: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}

+		if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok || err != nil {
+			log.Debug("Failed to validate jwt claims: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}
+		email = claim["sub"].(string)
+		user, err = db.Provider.GetUserByEmail(ctx, email)
+		if err != nil {
+			log.Debug("Failed to get user: ", err)
+			return res, err
+		}
+	}
+	if isOtpVerification {
+		mfaSession, err := cookie.GetMfaSession(gc)
+		if err != nil {
+			log.Debug("Failed to get otp request by email: ", err)
+			return res, fmt.Errorf(`invalid session: %s`, err.Error())
+		}
+		// Get user by phone number
+		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		if err != nil {
+			log.Debug("Failed to get user by phone number: ", err)
+			return res, fmt.Errorf(`user not found`)
+		}
+		if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {
+			log.Debug("Failed to get mfa session: ", err)
+			return res, fmt.Errorf(`invalid session: %s`, err.Error())
+		}
+		otpRequest, err = db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
+		if err != nil {
+			log.Debug("Failed to get otp request by phone number: ", err)
+			return res, fmt.Errorf(`invalid otp`)
+		}
+		if otpRequest.Otp != otp {
+			log.Debug("Failed to verify otp request: Incorrect value")
+			return res, fmt.Errorf(`invalid otp`)
+		}
+	}
 	if params.Password != params.ConfirmPassword {
 		log.Debug("Passwords do not match")
 		return res, fmt.Errorf(`passwords don't match`)
 	}
-
 	if err := validators.IsValidPassword(params.Password); err != nil {
 		log.Debug("Invalid password")
 		return res, err
 	}
-
-	// verify if token exists in db
-	hostname := parsers.GetHost(gc)
-	claim, err := token.ParseJWTToken(params.Token)
-	if err != nil {
-		log.Debug("Failed to parse token: ", err)
-		return res, fmt.Errorf(`invalid token`)
-	}
-
-	if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok || err != nil {
-		log.Debug("Failed to validate jwt claims: ", err)
-		return res, fmt.Errorf(`invalid token`)
-	}
-
-	email := claim["sub"].(string)
 	log := log.WithFields(log.Fields{
 		"email": email,
+		"phone": phoneNumber,
 	})
-	user, err := db.Provider.GetUserByEmail(ctx, email)
-	if err != nil {
-		log.Debug("Failed to get user: ", err)
-		return res, err
-	}
-
 	password, _ := crypto.EncryptPassword(params.Password)
 	user.Password = &password
-
 	signupMethod := user.SignupMethods
-	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) {
+	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) && isTokenVerification {
 		signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth
-
-		isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
-		if err != nil {
-			log.Debug("MFA service not enabled: ", err)
-			isMFAEnforced = false
+		// helpful if user has not signed up with basic auth
+		if user.EmailVerifiedAt == nil {
+			now := time.Now().Unix()
+			user.EmailVerifiedAt = &now
 		}
-
-		if isMFAEnforced {
-			user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
+	}
+	if !strings.Contains(signupMethod, constants.AuthRecipeMethodMobileOTP) && isOtpVerification {
+		signupMethod = signupMethod + "," + constants.AuthRecipeMethodMobileOTP
+		// helpful if user has not signed up with basic auth
+		if user.PhoneNumberVerifiedAt == nil {
+			now := time.Now().Unix()
+			user.PhoneNumberVerifiedAt = &now
 		}
 	}
 	user.SignupMethods = signupMethod
-
-	// helpful if user has not signed up with basic auth
-	if user.EmailVerifiedAt == nil {
-		now := time.Now().Unix()
-		user.EmailVerifiedAt = &now
-	}
-
-	// delete from verification table
-	err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
+	isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
 	if err != nil {
-		log.Debug("Failed to delete verification request: ", err)
-		return res, err
+		log.Debug("MFA service not enabled: ", err)
+		isMFAEnforced = false
+	}
+	if isMFAEnforced {
+		user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
 	}
-
 	_, err = db.Provider.UpdateUser(ctx, user)
 	if err != nil {
 		log.Debug("Failed to update user: ", err)
 		return res, err
 	}
-
+	if isTokenVerification {
+		// delete from verification table
+		err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
+		if err != nil {
+			log.Debug("Failed to delete verification request: ", err)
+			return res, err
+		}
+	}
+	if isOtpVerification {
+		// delete from otp table
+		err = db.Provider.DeleteOTP(ctx, otpRequest)
+		if err != nil {
+			log.Debug("Failed to delete otp request: ", err)
+			return res, err
+		}
+	}
 	res = &model.Response{
 		Message: `Password updated successfully.`,
 	}
-
 	return res, nil
 }