fix microsoft active directory config

Add app_data

server/constants/cookie.go

@@ -5,4 +5,6 @@ const (
 	AppCookieName = "cookie"
 	// AdminCookieName is the name of the cookie that is used to store the admin token
 	AdminCookieName = "authorizer-admin"
+	// MfaCookieName is the name of the cookie that is used to store the mfa session
+	MfaCookieName = "mfa"
 )

server/cookie/mfa_session.go

@@ -0,0 +1,89 @@
+package cookie
+
+import (
+	"net/http"
+	"net/url"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/memorystore"
+	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/gin-gonic/gin"
+)
+
+// SetMfaSession sets the mfa session cookie in the response
+func SetMfaSession(gc *gin.Context, sessionID string) {
+	appCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAppCookieSecure)
+	if err != nil {
+		log.Debug("Error while getting app cookie secure from env variable: %v", err)
+		appCookieSecure = true
+	}
+
+	secure := appCookieSecure
+	httpOnly := appCookieSecure
+	hostname := parsers.GetHost(gc)
+	host, _ := parsers.GetHostParts(hostname)
+	domain := parsers.GetDomainName(hostname)
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	// Since app cookie can come from cross site it becomes important to set this in lax mode when insecure.
+	// Example person using custom UI on their app domain and making request to authorizer domain.
+	// For more information check:
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+	// https://github.com/gin-gonic/gin/blob/master/context.go#L86
+	// TODO add ability to sameSite = none / strict from dashboard
+	if !appCookieSecure {
+		gc.SetSameSite(http.SameSiteLaxMode)
+	} else {
+		gc.SetSameSite(http.SameSiteNoneMode)
+	}
+	// TODO allow configuring from dashboard
+	age := 60
+
+	gc.SetCookie(constants.MfaCookieName+"_session", sessionID, age, "/", host, secure, httpOnly)
+	gc.SetCookie(constants.MfaCookieName+"_session_domain", sessionID, age, "/", domain, secure, httpOnly)
+}
+
+// DeleteMfaSession deletes the mfa session cookies to expire
+func DeleteMfaSession(gc *gin.Context) {
+	appCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAppCookieSecure)
+	if err != nil {
+		log.Debug("Error while getting app cookie secure from env variable: %v", err)
+		appCookieSecure = true
+	}
+
+	secure := appCookieSecure
+	httpOnly := appCookieSecure
+	hostname := parsers.GetHost(gc)
+	host, _ := parsers.GetHostParts(hostname)
+	domain := parsers.GetDomainName(hostname)
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	gc.SetCookie(constants.MfaCookieName+"_session", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(constants.MfaCookieName+"_session_domain", "", -1, "/", domain, secure, httpOnly)
+}
+
+// GetMfaSession gets the mfa session cookie from context
+func GetMfaSession(gc *gin.Context) (string, error) {
+	var cookie *http.Cookie
+	var err error
+	cookie, err = gc.Request.Cookie(constants.MfaCookieName + "_session")
+	if err != nil {
+		cookie, err = gc.Request.Cookie(constants.MfaCookieName + "_session_domain")
+		if err != nil {
+			return "", err
+		}
+	}
+
+	decodedValue, err := url.PathUnescape(cookie.Value)
+	if err != nil {
+		return "", err
+	}
+	return decodedValue, nil
+}

server/db/models/user.go

@@ -33,12 +33,14 @@ type User struct {
 	IsMultiFactorAuthEnabled *bool   `json:"is_multi_factor_auth_enabled" bson:"is_multi_factor_auth_enabled" cql:"is_multi_factor_auth_enabled" dynamo:"is_multi_factor_auth_enabled"`
 	UpdatedAt                int64   `json:"updated_at" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
 	CreatedAt                int64   `json:"created_at" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	AppData                  *string `json:"app_data" bson:"app_data" cql:"app_data" dynamo:"app_data"`
 }
 
 func (user *User) AsAPIUser() *model.User {
 	isEmailVerified := user.EmailVerifiedAt != nil
 	isPhoneVerified := user.PhoneNumberVerifiedAt != nil
-
+	appDataMap := make(map[string]interface{})
+	json.Unmarshal([]byte(refs.StringValue(user.AppData)), &appDataMap)
 	// id := user.ID
 	// if strings.Contains(id, Collections.User+"/") {
 	// 	id = strings.TrimPrefix(id, Collections.User+"/")
@@ -63,6 +65,7 @@ func (user *User) AsAPIUser() *model.User {
 		IsMultiFactorAuthEnabled: user.IsMultiFactorAuthEnabled,
 		CreatedAt:                refs.NewInt64Ref(user.CreatedAt),
 		UpdatedAt:                refs.NewInt64Ref(user.UpdatedAt),
+		AppData:                  appDataMap,
 	}
 }
 

server/db/providers/cassandradb/verification_requests.go

@@ -74,7 +74,6 @@ func (p *provider) ListVerificationRequests(ctx context.Context, pagination *mod
 			var verificationRequest models.VerificationRequest
 			err := scanner.Scan(&verificationRequest.ID, &verificationRequest.Token, &verificationRequest.Identifier, &verificationRequest.ExpiresAt, &verificationRequest.Email, &verificationRequest.Nonce, &verificationRequest.RedirectURI, &verificationRequest.CreatedAt, &verificationRequest.UpdatedAt)
 			if err != nil {
-				fmt.Println("=> getting error here...", err)
 				return nil, err
 			}
 			verificationRequests = append(verificationRequests, verificationRequest.AsAPIVerificationRequest())

server/email/email.go

@@ -72,7 +72,6 @@ func getEmailTemplate(event string, data map[string]interface{}) (*model.EmailTe
 		return nil, err
 	}
 	subjectString := buf.String()
-
 	return &model.EmailTemplate{
 		Template: templateString,
 		Subject:  subjectString,

server/go.mod

@@ -30,7 +30,7 @@ require (
 	go.mongodb.org/mongo-driver v1.8.1
 	golang.org/x/crypto v0.4.0
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
-	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/appengine v1.6.7
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/mail.v2 v2.3.1

server/graph/generated/generated.go

@@ -245,6 +245,7 @@ type ComplexityRoot struct {
 	}
 
 	User struct {
+		AppData                  func(childComplexity int) int
 		Birthdate                func(childComplexity int) int
 		CreatedAt                func(childComplexity int) int
 		Email                    func(childComplexity int) int
@@ -1695,6 +1696,13 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 
 		return e.complexity.TestEndpointResponse.Response(childComplexity), true
 
+	case "User.app_data":
+		if e.complexity.User.AppData == nil {
+			break
+		}
+
+		return e.complexity.User.AppData(childComplexity), true
+
 	case "User.birthdate":
 		if e.complexity.User.Birthdate == nil {
 			break
@@ -2229,6 +2237,7 @@ type User {
   updated_at: Int64
   revoked_timestamp: Int64
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 type Users {
@@ -2500,6 +2509,7 @@ input MobileSignUpInput {
   # it is used to get code for an on-going auth process during login
   # and use that code for setting ` + "`" + `c_hash` + "`" + ` in id_token
   state: String
+  app_data: Map
 }
 
 input SignUpInput {
@@ -2522,6 +2532,7 @@ input SignUpInput {
   # it is used to get code for an on-going auth process during login
   # and use that code for setting ` + "`" + `c_hash` + "`" + ` in id_token
   state: String
+  app_data: Map
 }
 
 input LoginInput {
@@ -2577,6 +2588,7 @@ input UpdateProfileInput {
   phone_number: String
   picture: String
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 input UpdateUserInput {
@@ -2593,6 +2605,7 @@ input UpdateUserInput {
   picture: String
   roles: [String]
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 input ForgotPasswordInput {
@@ -3804,6 +3817,8 @@ func (ec *executionContext) fieldContext_AuthResponse_user(ctx context.Context,
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -7099,6 +7114,8 @@ func (ec *executionContext) fieldContext_InviteMembersResponse_Users(ctx context
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -8801,6 +8818,8 @@ func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Conte
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -10103,6 +10122,8 @@ func (ec *executionContext) fieldContext_Query_profile(ctx context.Context, fiel
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -10368,6 +10389,8 @@ func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -12229,6 +12252,47 @@ func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(ctx c
 	return fc, nil
 }
 
+func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_app_data(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.AppData, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(map[string]interface{})
+	fc.Result = res
+	return ec.marshalOMap2map(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_User_app_data(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "User",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Map does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Users_pagination(ctx, field)
 	if err != nil {
@@ -12360,6 +12424,8 @@ func (ec *executionContext) fieldContext_Users_users(ctx context.Context, field
 				return ec.fieldContext_User_revoked_timestamp(ctx, field)
 			case "is_multi_factor_auth_enabled":
 				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
@@ -16201,7 +16267,7 @@ func (ec *executionContext) unmarshalInputMobileSignUpInput(ctx context.Context,
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state"}
+	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -16336,6 +16402,14 @@ func (ec *executionContext) unmarshalInputMobileSignUpInput(ctx context.Context,
 			if err != nil {
 				return it, err
 			}
+		case "app_data":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			it.AppData, err = ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		}
 	}
 
@@ -16609,7 +16683,7 @@ func (ec *executionContext) unmarshalInputSignUpInput(ctx context.Context, obj i
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state"}
+	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -16744,6 +16818,14 @@ func (ec *executionContext) unmarshalInputSignUpInput(ctx context.Context, obj i
 			if err != nil {
 				return it, err
 			}
+		case "app_data":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			it.AppData, err = ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		}
 	}
 
@@ -17333,7 +17415,7 @@ func (ec *executionContext) unmarshalInputUpdateProfileInput(ctx context.Context
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled"}
+	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -17444,6 +17526,14 @@ func (ec *executionContext) unmarshalInputUpdateProfileInput(ctx context.Context
 			if err != nil {
 				return it, err
 			}
+		case "app_data":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			it.AppData, err = ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		}
 	}
 
@@ -17457,7 +17547,7 @@ func (ec *executionContext) unmarshalInputUpdateUserInput(ctx context.Context, o
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "roles", "is_multi_factor_auth_enabled"}
+	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "roles", "is_multi_factor_auth_enabled", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -17568,6 +17658,14 @@ func (ec *executionContext) unmarshalInputUpdateUserInput(ctx context.Context, o
 			if err != nil {
 				return it, err
 			}
+		case "app_data":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			it.AppData, err = ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		}
 	}
 
@@ -19474,6 +19572,10 @@ func (ec *executionContext) _User(ctx context.Context, sel ast.SelectionSet, obj
 
 			out.Values[i] = ec._User_is_multi_factor_auth_enabled(ctx, field, obj)
 
+		case "app_data":
+
+			out.Values[i] = ec._User_app_data(ctx, field, obj)
+
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}

server/graph/model/models_gen.go

@@ -207,22 +207,23 @@ type MobileLoginInput struct {
 }
 
 type MobileSignUpInput struct {
-	Email                    *string  `json:"email"`
-	GivenName                *string  `json:"given_name"`
-	FamilyName               *string  `json:"family_name"`
-	MiddleName               *string  `json:"middle_name"`
-	Nickname                 *string  `json:"nickname"`
-	Gender                   *string  `json:"gender"`
-	Birthdate                *string  `json:"birthdate"`
-	PhoneNumber              string   `json:"phone_number"`
-	Picture                  *string  `json:"picture"`
-	Password                 string   `json:"password"`
-	ConfirmPassword          string   `json:"confirm_password"`
-	Roles                    []string `json:"roles"`
-	Scope                    []string `json:"scope"`
-	RedirectURI              *string  `json:"redirect_uri"`
-	IsMultiFactorAuthEnabled *bool    `json:"is_multi_factor_auth_enabled"`
-	State                    *string  `json:"state"`
+	Email                    *string                `json:"email"`
+	GivenName                *string                `json:"given_name"`
+	FamilyName               *string                `json:"family_name"`
+	MiddleName               *string                `json:"middle_name"`
+	Nickname                 *string                `json:"nickname"`
+	Gender                   *string                `json:"gender"`
+	Birthdate                *string                `json:"birthdate"`
+	PhoneNumber              string                 `json:"phone_number"`
+	Picture                  *string                `json:"picture"`
+	Password                 string                 `json:"password"`
+	ConfirmPassword          string                 `json:"confirm_password"`
+	Roles                    []string               `json:"roles"`
+	Scope                    []string               `json:"scope"`
+	RedirectURI              *string                `json:"redirect_uri"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
+	State                    *string                `json:"state"`
+	AppData                  map[string]interface{} `json:"app_data"`
 }
 
 type OAuthRevokeInput struct {
@@ -282,22 +283,23 @@ type SessionQueryInput struct {
 }
 
 type SignUpInput struct {
-	Email                    string   `json:"email"`
-	GivenName                *string  `json:"given_name"`
-	FamilyName               *string  `json:"family_name"`
-	MiddleName               *string  `json:"middle_name"`
-	Nickname                 *string  `json:"nickname"`
-	Gender                   *string  `json:"gender"`
-	Birthdate                *string  `json:"birthdate"`
-	PhoneNumber              *string  `json:"phone_number"`
-	Picture                  *string  `json:"picture"`
-	Password                 string   `json:"password"`
-	ConfirmPassword          string   `json:"confirm_password"`
-	Roles                    []string `json:"roles"`
-	Scope                    []string `json:"scope"`
-	RedirectURI              *string  `json:"redirect_uri"`
-	IsMultiFactorAuthEnabled *bool    `json:"is_multi_factor_auth_enabled"`
-	State                    *string  `json:"state"`
+	Email                    string                 `json:"email"`
+	GivenName                *string                `json:"given_name"`
+	FamilyName               *string                `json:"family_name"`
+	MiddleName               *string                `json:"middle_name"`
+	Nickname                 *string                `json:"nickname"`
+	Gender                   *string                `json:"gender"`
+	Birthdate                *string                `json:"birthdate"`
+	PhoneNumber              *string                `json:"phone_number"`
+	Picture                  *string                `json:"picture"`
+	Password                 string                 `json:"password"`
+	ConfirmPassword          string                 `json:"confirm_password"`
+	Roles                    []string               `json:"roles"`
+	Scope                    []string               `json:"scope"`
+	RedirectURI              *string                `json:"redirect_uri"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
+	State                    *string                `json:"state"`
+	AppData                  map[string]interface{} `json:"app_data"`
 }
 
 type TestEndpointRequest struct {
@@ -380,35 +382,37 @@ type UpdateEnvInput struct {
 }
 
 type UpdateProfileInput struct {
-	OldPassword              *string `json:"old_password"`
-	NewPassword              *string `json:"new_password"`
-	ConfirmNewPassword       *string `json:"confirm_new_password"`
-	Email                    *string `json:"email"`
-	GivenName                *string `json:"given_name"`
-	FamilyName               *string `json:"family_name"`
-	MiddleName               *string `json:"middle_name"`
-	Nickname                 *string `json:"nickname"`
-	Gender                   *string `json:"gender"`
-	Birthdate                *string `json:"birthdate"`
-	PhoneNumber              *string `json:"phone_number"`
-	Picture                  *string `json:"picture"`
-	IsMultiFactorAuthEnabled *bool   `json:"is_multi_factor_auth_enabled"`
+	OldPassword              *string                `json:"old_password"`
+	NewPassword              *string                `json:"new_password"`
+	ConfirmNewPassword       *string                `json:"confirm_new_password"`
+	Email                    *string                `json:"email"`
+	GivenName                *string                `json:"given_name"`
+	FamilyName               *string                `json:"family_name"`
+	MiddleName               *string                `json:"middle_name"`
+	Nickname                 *string                `json:"nickname"`
+	Gender                   *string                `json:"gender"`
+	Birthdate                *string                `json:"birthdate"`
+	PhoneNumber              *string                `json:"phone_number"`
+	Picture                  *string                `json:"picture"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
+	AppData                  map[string]interface{} `json:"app_data"`
 }
 
 type UpdateUserInput struct {
-	ID                       string    `json:"id"`
-	Email                    *string   `json:"email"`
-	EmailVerified            *bool     `json:"email_verified"`
-	GivenName                *string   `json:"given_name"`
-	FamilyName               *string   `json:"family_name"`
-	MiddleName               *string   `json:"middle_name"`
-	Nickname                 *string   `json:"nickname"`
-	Gender                   *string   `json:"gender"`
-	Birthdate                *string   `json:"birthdate"`
-	PhoneNumber              *string   `json:"phone_number"`
-	Picture                  *string   `json:"picture"`
-	Roles                    []*string `json:"roles"`
-	IsMultiFactorAuthEnabled *bool     `json:"is_multi_factor_auth_enabled"`
+	ID                       string                 `json:"id"`
+	Email                    *string                `json:"email"`
+	EmailVerified            *bool                  `json:"email_verified"`
+	GivenName                *string                `json:"given_name"`
+	FamilyName               *string                `json:"family_name"`
+	MiddleName               *string                `json:"middle_name"`
+	Nickname                 *string                `json:"nickname"`
+	Gender                   *string                `json:"gender"`
+	Birthdate                *string                `json:"birthdate"`
+	PhoneNumber              *string                `json:"phone_number"`
+	Picture                  *string                `json:"picture"`
+	Roles                    []*string              `json:"roles"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
+	AppData                  map[string]interface{} `json:"app_data"`
 }
 
 type UpdateWebhookRequest struct {
@@ -421,25 +425,26 @@ type UpdateWebhookRequest struct {
 }
 
 type User struct {
-	ID                       string   `json:"id"`
-	Email                    string   `json:"email"`
-	EmailVerified            bool     `json:"email_verified"`
-	SignupMethods            string   `json:"signup_methods"`
-	GivenName                *string  `json:"given_name"`
-	FamilyName               *string  `json:"family_name"`
-	MiddleName               *string  `json:"middle_name"`
-	Nickname                 *string  `json:"nickname"`
-	PreferredUsername        *string  `json:"preferred_username"`
-	Gender                   *string  `json:"gender"`
-	Birthdate                *string  `json:"birthdate"`
-	PhoneNumber              *string  `json:"phone_number"`
-	PhoneNumberVerified      *bool    `json:"phone_number_verified"`
-	Picture                  *string  `json:"picture"`
-	Roles                    []string `json:"roles"`
-	CreatedAt                *int64   `json:"created_at"`
-	UpdatedAt                *int64   `json:"updated_at"`
-	RevokedTimestamp         *int64   `json:"revoked_timestamp"`
-	IsMultiFactorAuthEnabled *bool    `json:"is_multi_factor_auth_enabled"`
+	ID                       string                 `json:"id"`
+	Email                    string                 `json:"email"`
+	EmailVerified            bool                   `json:"email_verified"`
+	SignupMethods            string                 `json:"signup_methods"`
+	GivenName                *string                `json:"given_name"`
+	FamilyName               *string                `json:"family_name"`
+	MiddleName               *string                `json:"middle_name"`
+	Nickname                 *string                `json:"nickname"`
+	PreferredUsername        *string                `json:"preferred_username"`
+	Gender                   *string                `json:"gender"`
+	Birthdate                *string                `json:"birthdate"`
+	PhoneNumber              *string                `json:"phone_number"`
+	PhoneNumberVerified      *bool                  `json:"phone_number_verified"`
+	Picture                  *string                `json:"picture"`
+	Roles                    []string               `json:"roles"`
+	CreatedAt                *int64                 `json:"created_at"`
+	UpdatedAt                *int64                 `json:"updated_at"`
+	RevokedTimestamp         *int64                 `json:"revoked_timestamp"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
+	AppData                  map[string]interface{} `json:"app_data"`
 }
 
 type Users struct {

server/graph/schema.graphqls

@@ -51,6 +51,7 @@ type User {
   updated_at: Int64
   revoked_timestamp: Int64
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 type Users {
@@ -322,6 +323,7 @@ input MobileSignUpInput {
   # it is used to get code for an on-going auth process during login
   # and use that code for setting `c_hash` in id_token
   state: String
+  app_data: Map
 }
 
 input SignUpInput {
@@ -344,6 +346,7 @@ input SignUpInput {
   # it is used to get code for an on-going auth process during login
   # and use that code for setting `c_hash` in id_token
   state: String
+  app_data: Map
 }
 
 input LoginInput {
@@ -399,6 +402,7 @@ input UpdateProfileInput {
   phone_number: String
   picture: String
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 input UpdateUserInput {
@@ -415,6 +419,7 @@ input UpdateUserInput {
   picture: String
   roles: [String]
   is_multi_factor_auth_enabled: Boolean
+  app_data: Map
 }
 
 input ForgotPasswordInput {

server/handlers/oauth_callback.go

@@ -32,11 +32,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 	return func(ctx *gin.Context) {
 		provider := ctx.Param("oauth_provider")
 		state := ctx.Request.FormValue("state")
-
 		sessionState, err := memorystore.Provider.GetState(state)
 		if sessionState == "" || err != nil {
 			log.Debug("Invalid oauth state: ", state)
 			ctx.JSON(400, gin.H{"error": "invalid oauth state"})
+			return
 		}
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")
@@ -46,32 +46,34 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			ctx.JSON(400, gin.H{"error": "invalid redirect url"})
 			return
 		}
-
 		// remove state from store
 		go memorystore.Provider.RemoveState(state)
-
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
 		scopes := strings.Split(sessionSplit[3], ",")
-
 		var user *models.User
 		oauthCode := ctx.Request.FormValue("code")
+		if oauthCode == "" {
+			log.Debug("Invalid oauth code: ", oauthCode)
+			ctx.JSON(400, gin.H{"error": "invalid oauth code"})
+			return
+		}
 		switch provider {
 		case constants.AuthRecipeMethodGoogle:
-			user, err = processGoogleUserInfo(oauthCode)
+			user, err = processGoogleUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodGithub:
-			user, err = processGithubUserInfo(oauthCode)
+			user, err = processGithubUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodFacebook:
-			user, err = processFacebookUserInfo(oauthCode)
+			user, err = processFacebookUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodLinkedIn:
-			user, err = processLinkedInUserInfo(oauthCode)
+			user, err = processLinkedInUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodApple:
-			user, err = processAppleUserInfo(oauthCode)
+			user, err = processAppleUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodTwitter:
-			user, err = processTwitterUserInfo(oauthCode, sessionState)
+			user, err = processTwitterUserInfo(ctx, oauthCode, sessionState)
 		case constants.AuthRecipeMethodMicrosoft:
-			user, err = processMicrosoftUserInfo(oauthCode)
+			user, err = processMicrosoftUserInfo(ctx, oauthCode)
 		default:
 			log.Info("Invalid oauth provider")
 			err = fmt.Errorf(`invalid oauth provider`)
@@ -281,9 +283,8 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 	}
 }
 
-func processGoogleUserInfo(code string) (*models.User, error) {
+func processGoogleUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	ctx := context.Background()
 	oauth2Token, err := oauth.OAuthProviders.GoogleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
@@ -313,9 +314,9 @@ func processGoogleUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processGithubUserInfo(code string) (*models.User, error) {
+func processGithubUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.GithubConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.GithubConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid github exchange code: %s", err.Error())
@@ -420,9 +421,9 @@ func processGithubUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processFacebookUserInfo(code string) (*models.User, error) {
+func processFacebookUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.FacebookConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.FacebookConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Invalid facebook exchange code: ", err)
 		return user, fmt.Errorf("invalid facebook exchange code: %s", err.Error())
@@ -471,9 +472,9 @@ func processFacebookUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processLinkedInUserInfo(code string) (*models.User, error) {
+func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.LinkedInConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.LinkedInConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid linkedin exchange code: %s", err.Error())
@@ -553,9 +554,9 @@ func processLinkedInUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processAppleUserInfo(code string) (*models.User, error) {
+func processAppleUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid apple exchange code: %s", err.Error())
@@ -606,9 +607,9 @@ func processAppleUserInfo(code string) (*models.User, error) {
 	return user, err
 }
 
-func processTwitterUserInfo(code, verifier string) (*models.User, error) {
+func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.TwitterConfig.Exchange(context.TODO(), code, oauth2.SetAuthURLParam("code_verifier", verifier))
+	oauth2Token, err := oauth.OAuthProviders.TwitterConfig.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", verifier))
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid twitter exchange code: %s", err.Error())
@@ -674,24 +675,24 @@ func processTwitterUserInfo(code, verifier string) (*models.User, error) {
 }
 
 // process microsoft user information
-func processMicrosoftUserInfo(code string) (*models.User, error) {
+func processMicrosoftUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	ctx := context.Background()
 	oauth2Token, err := oauth.OAuthProviders.MicrosoftConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid google exchange code: %s", err.Error())
+		return user, fmt.Errorf("invalid microsoft exchange code: %s", err.Error())
 	}
-
-	verifier := oauth.OIDCProviders.MicrosoftOIDC.Verifier(&oidc.Config{ClientID: oauth.OAuthProviders.MicrosoftConfig.ClientID})
-
+	// we need to skip issuer check because for common tenant it will return internal issuer which does not match
+	verifier := oauth.OIDCProviders.MicrosoftOIDC.Verifier(&oidc.Config{
+		ClientID:        oauth.OAuthProviders.MicrosoftConfig.ClientID,
+		SkipIssuerCheck: true,
+	})
 	// Extract the ID Token from OAuth2 token.
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
 		log.Debug("Failed to extract ID Token from OAuth2 token")
 		return user, fmt.Errorf("unable to extract id_token")
 	}
-
 	// Parse and verify ID Token payload.
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {

server/memorystore/providers/inmemory/provider.go

@@ -7,18 +7,20 @@ import (
 )
 
 type provider struct {
-	mutex        sync.Mutex
-	sessionStore *stores.SessionStore
-	stateStore   *stores.StateStore
-	envStore     *stores.EnvStore
+	mutex           sync.Mutex
+	sessionStore    *stores.SessionStore
+	mfasessionStore *stores.SessionStore
+	stateStore      *stores.StateStore
+	envStore        *stores.EnvStore
 }
 
 // NewInMemoryStore returns a new in-memory store.
 func NewInMemoryProvider() (*provider, error) {
 	return &provider{
-		mutex:        sync.Mutex{},
-		envStore:     stores.NewEnvStore(),
-		sessionStore: stores.NewSessionStore(),
-		stateStore:   stores.NewStateStore(),
+		mutex:           sync.Mutex{},
+		envStore:        stores.NewEnvStore(),
+		sessionStore:    stores.NewSessionStore(),
+		mfasessionStore: stores.NewSessionStore(),
+		stateStore:      stores.NewStateStore(),
 	}, nil
 }

server/memorystore/providers/inmemory/store.go

@@ -42,6 +42,27 @@ func (c *provider) DeleteSessionForNamespace(namespace string) error {
 	return nil
 }
 
+// SetMfaSession sets the mfa session with key and value of userId
+func (c *provider) SetMfaSession(userId, key string, expiration int64) error {
+	c.mfasessionStore.Set(userId, key, userId, expiration)
+	return nil
+}
+
+// GetMfaSession returns value of given mfa session
+func (c *provider) GetMfaSession(userId, key string) (string, error) {
+	val := c.mfasessionStore.Get(userId, key)
+	if val == "" {
+		return "", fmt.Errorf("Not found")
+	}
+	return val, nil
+}
+
+// DeleteMfaSession deletes given mfa session from in-memory store.
+func (c *provider) DeleteMfaSession(userId, key string) error {
+	c.mfasessionStore.Remove(userId, key)
+	return nil
+}
+
 // SetState sets the state in the in-memory store.
 func (c *provider) SetState(key, state string) error {
 	if os.Getenv("ENV") != constants.TestEnv {

server/memorystore/providers/provider_tests.go

@@ -112,4 +112,15 @@ func ProviderTests(t *testing.T, p Provider) {
 	key, err = p.GetUserSession("auth_provider1:124", "access_token_key")
 	assert.Empty(t, key)
 	assert.Error(t, err)
+
+	err = p.SetMfaSession("auth_provider:123", "session123", time.Now().Add(60*time.Second).Unix())
+	assert.NoError(t, err)
+	key, err = p.GetMfaSession("auth_provider:123", "session123")
+	assert.NoError(t, err)
+	assert.Equal(t, "auth_provider:123", key)
+	err = p.DeleteMfaSession("auth_provider:123", "session123")
+	assert.NoError(t, err)
+	key, err = p.GetMfaSession("auth_provider:123", "session123")
+	assert.Error(t, err)
+	assert.Empty(t, key)
 }

server/memorystore/providers/providers.go

@@ -12,6 +12,12 @@ type Provider interface {
 	DeleteAllUserSessions(userId string) error
 	// DeleteSessionForNamespace deletes the session for a given namespace
 	DeleteSessionForNamespace(namespace string) error
+	// SetMfaSession sets the mfa session with key and value of userId
+	SetMfaSession(userId, key string, expiration int64) error
+	// GetMfaSession returns value of given mfa session
+	GetMfaSession(userId, key string) (string, error)
+	// DeleteMfaSession deletes given mfa session from in-memory store.
+	DeleteMfaSession(userId, key string) error
 
 	// SetState sets the login state (key, value form) in the session store
 	SetState(key, state string) error

server/memorystore/providers/redis/store.go

@@ -16,6 +16,8 @@ var (
 	envStorePrefix = "authorizer_env"
 )
 
+const mfaSessionPrefix = "mfa_sess_"
+
 // SetUserSession sets the user session for given user identifier in form recipe:user_id
 func (c *provider) SetUserSession(userId, key, token string, expiration int64) error {
 	currentTime := time.Now()
@@ -91,6 +93,37 @@ func (c *provider) DeleteSessionForNamespace(namespace string) error {
 	return nil
 }
 
+// SetMfaSession sets the mfa session with key and value of userId
+func (c *provider) SetMfaSession(userId, key string, expiration int64) error {
+	currentTime := time.Now()
+	expireTime := time.Unix(expiration, 0)
+	duration := expireTime.Sub(currentTime)
+	err := c.store.Set(c.ctx, fmt.Sprintf("%s%s:%s", mfaSessionPrefix, userId, key), userId, duration).Err()
+	if err != nil {
+		log.Debug("Error saving user session to redis: ", err)
+		return err
+	}
+	return nil
+}
+
+// GetMfaSession returns value of given mfa session
+func (c *provider) GetMfaSession(userId, key string) (string, error) {
+	data, err := c.store.Get(c.ctx, fmt.Sprintf("%s%s:%s", mfaSessionPrefix, userId, key)).Result()
+	if err != nil {
+		return "", err
+	}
+	return data, nil
+}
+
+// DeleteMfaSession deletes given mfa session from in-memory store.
+func (c *provider) DeleteMfaSession(userId, key string) error {
+	if err := c.store.Del(c.ctx, fmt.Sprintf("%s%s:%s", mfaSessionPrefix, userId, key)).Err(); err != nil {
+		log.Debug("Error deleting user session from redis: ", err)
+		// continue
+	}
+	return nil
+}
+
 // SetState sets the state in redis store.
 func (c *provider) SetState(key, value string) error {
 	err := c.store.Set(c.ctx, stateStorePrefix+key, value, 0).Err()

server/oauth/oauth.go

@@ -10,11 +10,16 @@ import (
 	githubOAuth2 "golang.org/x/oauth2/github"
 	linkedInOAuth2 "golang.org/x/oauth2/linkedin"
 	microsoftOAuth2 "golang.org/x/oauth2/microsoft"
+	"google.golang.org/appengine/log"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 )
 
+const (
+	microsoftCommonTenant = "common"
+)
+
 // OAuthProviders is a struct that contains reference all the OAuth providers
 type OAuthProvider struct {
 	GoogleConfig    *oauth2.Config
@@ -172,11 +177,15 @@ func InitOAuth() error {
 	}
 	microsoftActiveDirTenantID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyMicrosoftActiveDirectoryTenantID)
 	if err != nil || microsoftActiveDirTenantID == "" {
-		microsoftActiveDirTenantID = "common"
+		microsoftActiveDirTenantID = microsoftCommonTenant
 	}
-	if microsoftClientID != "" && microsoftClientSecret != "" && microsoftActiveDirTenantID != "" {
+	if microsoftClientID != "" && microsoftClientSecret != "" {
+		if microsoftActiveDirTenantID == microsoftCommonTenant {
+			ctx = oidc.InsecureIssuerURLContext(ctx, fmt.Sprintf("https://login.microsoftonline.com/%s/v2.0", microsoftActiveDirTenantID))
+		}
 		p, err := oidc.NewProvider(ctx, fmt.Sprintf("https://login.microsoftonline.com/%s/v2.0", microsoftActiveDirTenantID))
 		if err != nil {
+			log.Debugf(ctx, "Error while creating OIDC provider for Microsoft: %v", err)
 			return err
 		}
 		OIDCProviders.MicrosoftOIDC = p

server/resolvers/login.go

@@ -113,16 +113,25 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	// If email service is not enabled continue the process in any way
 	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && isEmailServiceEnabled && !isMFADisabled {
 		otp := utils.GenerateOTP()
+		expires := time.Now().Add(1 * time.Minute).Unix()
 		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
 			Email:     user.Email,
 			Otp:       otp,
-			ExpiresAt: time.Now().Add(1 * time.Minute).Unix(),
+			ExpiresAt: expires,
 		})
 		if err != nil {
 			log.Debug("Failed to add otp: ", err)
 			return nil, err
 		}
 
+		mfaSession := uuid.NewString()
+		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expires)
+		if err != nil {
+			log.Debug("Failed to add mfasession: ", err)
+			return nil, err
+		}
+		cookie.SetMfaSession(gc, mfaSession)
+
 		go func() {
 			// exec it as go routine so that we can reduce the api latency
 			go email.SendEmail([]string{params.Email}, constants.VerificationTypeOTP, map[string]interface{}{
@@ -162,7 +171,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	if nonce == "" {
 		nonce = uuid.New().String()
 	}
-
 	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
 	if err != nil {
 		log.Debug("Failed to create auth token", err)

server/resolvers/mobile_login.go

@@ -122,15 +122,25 @@ func MobileLoginResolver(ctx context.Context, params model.MobileLoginInput) (*m
 		smsBody := strings.Builder{}
 		smsBody.WriteString("Your verification code is: ")
 		smsBody.WriteString(smsCode)
+		expires := time.Now().Add(duration).Unix()
 		_, err := db.Provider.UpsertOTP(ctx, &models.OTP{
 			PhoneNumber: params.PhoneNumber,
 			Otp:         smsCode,
-			ExpiresAt:   time.Now().Add(duration).Unix(),
+			ExpiresAt:   expires,
 		})
 		if err != nil {
 			log.Debug("error while upserting OTP: ", err.Error())
 			return nil, err
 		}
+
+		mfaSession := uuid.NewString()
+		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expires)
+		if err != nil {
+			log.Debug("Failed to add mfasession: ", err)
+			return nil, err
+		}
+		cookie.SetMfaSession(gc, mfaSession)
+
 		go func() {
 			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
 			smsproviders.SendSMS(params.PhoneNumber, smsBody.String())

server/resolvers/signup.go

@@ -2,6 +2,8 @@ package resolvers
 
 import (
 	"context"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -171,6 +173,17 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
 	}
 
+	if params.AppData != nil {
+		appDataString := ""
+		appDataBytes, err := json.Marshal(params.AppData)
+		if err != nil {
+			log.Debug("failed to marshall source app_data: ", err)
+			return nil, errors.New("malformed app_data")
+		}
+		appDataString = string(appDataBytes)
+		user.AppData = &appDataString
+	}
+
 	user.SignupMethods = constants.AuthRecipeMethodBasicAuth
 	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {

server/resolvers/update_profile.go

@@ -2,6 +2,7 @@ package resolvers
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@@ -47,7 +48,7 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 	}
 
 	// validate if all params are not empty
-	if params.GivenName == nil && params.FamilyName == nil && params.Picture == nil && params.MiddleName == nil && params.Nickname == nil && params.OldPassword == nil && params.Email == nil && params.Birthdate == nil && params.Gender == nil && params.PhoneNumber == nil && params.NewPassword == nil && params.ConfirmNewPassword == nil && params.IsMultiFactorAuthEnabled == nil {
+	if params.GivenName == nil && params.FamilyName == nil && params.Picture == nil && params.MiddleName == nil && params.Nickname == nil && params.OldPassword == nil && params.Email == nil && params.Birthdate == nil && params.Gender == nil && params.PhoneNumber == nil && params.NewPassword == nil && params.ConfirmNewPassword == nil && params.IsMultiFactorAuthEnabled == nil && params.AppData == nil {
 		log.Debug("All params are empty")
 		return res, fmt.Errorf("please enter at least one param to update")
 	}
@@ -56,7 +57,6 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 	log := log.WithFields(log.Fields{
 		"user_id": userID,
 	})
-
 	user, err := db.Provider.GetUserByID(ctx, userID)
 	if err != nil {
 		log.Debug("Failed to get user by id: ", err)
@@ -99,7 +99,16 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 	if params.Picture != nil && refs.StringValue(user.Picture) != refs.StringValue(params.Picture) {
 		user.Picture = params.Picture
 	}
-
+	if params.AppData != nil {
+		appDataString := ""
+		appDataBytes, err := json.Marshal(params.AppData)
+		if err != nil {
+			log.Debug("failed to marshall source app_data: ", err)
+			return nil, errors.New("malformed app_data")
+		}
+		appDataString = string(appDataBytes)
+		user.AppData = &appDataString
+	}
 	if params.IsMultiFactorAuthEnabled != nil && refs.BoolValue(user.IsMultiFactorAuthEnabled) != refs.BoolValue(params.IsMultiFactorAuthEnabled) {
 		if refs.BoolValue(params.IsMultiFactorAuthEnabled) {
 			isEnvServiceEnabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyIsEmailServiceEnabled)

server/resolvers/update_user.go

@@ -2,6 +2,7 @@ package resolvers
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@@ -95,6 +96,17 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 		user.Picture = params.Picture
 	}
 
+	if params.AppData != nil {
+		appDataString := ""
+		appDataBytes, err := json.Marshal(params.AppData)
+		if err != nil {
+			log.Debug("failed to marshall source app_data: ", err)
+			return nil, errors.New("malformed app_data")
+		}
+		appDataString = string(appDataBytes)
+		user.AppData = &appDataString
+	}
+
 	if params.IsMultiFactorAuthEnabled != nil && refs.BoolValue(user.IsMultiFactorAuthEnabled) != refs.BoolValue(params.IsMultiFactorAuthEnabled) {
 		user.IsMultiFactorAuthEnabled = params.IsMultiFactorAuthEnabled
 		if refs.BoolValue(params.IsMultiFactorAuthEnabled) {

server/resolvers/verify_otp.go

@@ -27,6 +27,13 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
+
+	mfaSession, err := cookie.GetMfaSession(gc)
+	if err != nil {
+		log.Debug("Failed to get otp request by email: ", err)
+		return res, fmt.Errorf(`invalid session: %s`, err.Error())
+	}
+
 	if refs.StringValue(params.Email) == "" && refs.StringValue(params.PhoneNumber) == "" {
 		log.Debug("Email or phone number is required")
 		return res, fmt.Errorf(`email or phone_number is required`)
@@ -62,10 +69,15 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
 		user, err = db.Provider.GetUserByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))
 	}
 	if user == nil || err != nil {
-		fmt.Println("=> failing here....", err)
 		log.Debug("Failed to get user by email or phone number: ", err)
 		return res, err
 	}
+
+	if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {
+		log.Debug("Failed to get mfa session: ", err)
+		return res, fmt.Errorf(`invalid session: %s`, err.Error())
+	}
+
 	isSignUp := user.EmailVerifiedAt == nil && user.PhoneNumberVerifiedAt == nil
 	// TODO - Add Login method in DB when we introduce OTP for social media login
 	loginMethod := constants.AuthRecipeMethodBasicAuth

server/test/mobile_login_test.go

@@ -1,12 +1,18 @@
 package test
 
 import (
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
+	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -48,6 +54,17 @@ func mobileLoginTests(t *testing.T, s TestSetup) {
 		smsRequest, err := db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, smsRequest.Otp)
+		// Get user by phone number
+		user, err := db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req, ctx := createContext(s)
+		req.Header.Set("Cookie", cookie)
 		verifySMSRequest, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			PhoneNumber: &phoneNumber,
 			Otp:         smsRequest.Otp,

server/test/mobile_signup_test.go

@@ -1,7 +1,10 @@
 package test
 
 import (
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
@@ -9,6 +12,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -79,6 +83,17 @@ func mobileSingupTest(t *testing.T, s TestSetup) {
 		otp, err := db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
 		assert.Nil(t, err)
 		assert.NotEmpty(t, otp.Otp)
+		// Get user by phone number
+		user, err := db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req, ctx := createContext(s)
+		req.Header.Set("Cookie", cookie)
 		otpRes, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			PhoneNumber: &phoneNumber,
 			Otp:         otp.Otp,

server/test/resend_otp_test.go

@@ -2,13 +2,18 @@ package test
 
 import (
 	"context"
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -89,6 +94,16 @@ func resendOTPTest(t *testing.T, s TestSetup) {
 		})
 		assert.Error(t, err)
 		assert.Nil(t, verifyOtpRes)
+		// Get user by email
+		user, err := db.Provider.GetUserByEmail(ctx, email)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req.Header.Set("Cookie", cookie)
 		verifyOtpRes, err = resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			Email: &email,
 			Otp:   newOtp.Otp,

server/test/verify_otp_test.go

@@ -2,13 +2,18 @@ package test
 
 import (
 	"context"
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -63,7 +68,16 @@ func verifyOTPTest(t *testing.T, s TestSetup) {
 		otp, err := db.Provider.GetOTPByEmail(ctx, email)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, otp.Otp)
-
+		// Get user by email
+		user, err := db.Provider.GetUserByEmail(ctx, email)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req.Header.Set("Cookie", cookie)
 		verifyOtpRes, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			Email: &email,
 			Otp:   otp.Otp,