mirror of
https://github.com/fosrl/pangolin.git
synced 2026-02-24 13:56:39 +00:00
add resource whitelist auth method
This commit is contained in:
Milo Schwartz
@@ -1,10 +1,10 @@
|
||||
import { verify } from "@node-rs/argon2";
|
||||
import { generateSessionToken } from "@server/auth";
|
||||
import db from "@server/db";
|
||||
import { orgs, resourceOtp, resourcePassword, resources } from "@server/db/schema";
|
||||
import { orgs, resourcePassword, resources } from "@server/db/schema";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import response from "@server/utils/response";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import createHttpError from "http-errors";
|
||||
import { z } from "zod";
|
||||
@@ -13,14 +13,10 @@ import {
|
||||
createResourceSession,
|
||||
serializeResourceSessionCookie
|
||||
} from "@server/auth/resource";
|
||||
import logger from "@server/logger";
|
||||
import config from "@server/config";
|
||||
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
|
||||
|
||||
export const authWithPasswordBodySchema = z.object({
|
||||
password: z.string(),
|
||||
email: z.string().email().optional(),
|
||||
otp: z.string().optional()
|
||||
password: z.string()
|
||||
});
|
||||
|
||||
export const authWithPasswordParamsSchema = z.object({
|
||||
@@ -28,8 +24,6 @@ export const authWithPasswordParamsSchema = z.object({
|
||||
});
|
||||
|
||||
export type AuthWithPasswordResponse = {
|
||||
otpRequested?: boolean;
|
||||
otpSent?: boolean;
|
||||
session?: string;
|
||||
};
|
||||
|
||||
@@ -61,7 +55,7 @@ export async function authWithPassword(
|
||||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
const { email, password, otp } = parsedBody.data;
|
||||
const { password } = parsedBody.data;
|
||||
|
||||
try {
|
||||
const [result] = await db
|
||||
@@ -119,69 +113,11 @@ export async function authWithPassword(
|
||||
);
|
||||
}
|
||||
|
||||
if (resource.otpEnabled) {
|
||||
if (otp && email) {
|
||||
const isValidCode = await isValidOtp(
|
||||
email,
|
||||
resource.resourceId,
|
||||
otp
|
||||
);
|
||||
if (!isValidCode) {
|
||||
return next(
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
|
||||
);
|
||||
}
|
||||
|
||||
await db
|
||||
.delete(resourceOtp)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceOtp.email, email),
|
||||
eq(resourceOtp.resourceId, resource.resourceId)
|
||||
)
|
||||
);
|
||||
} else if (email) {
|
||||
try {
|
||||
await sendResourceOtpEmail(
|
||||
email,
|
||||
resource.resourceId,
|
||||
resource.name,
|
||||
org.name
|
||||
);
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpSent: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Sent one-time otp to email address",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
} catch (e) {
|
||||
logger.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to send one-time otp. Make sure the email address is correct and try again."
|
||||
)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpRequested: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "One-time otp required to complete authentication",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const token = generateSessionToken();
|
||||
await createResourceSession({
|
||||
resourceId,
|
||||
token,
|
||||
passwordId: definedPassword.passwordId,
|
||||
usedOtp: otp !== undefined,
|
||||
email
|
||||
passwordId: definedPassword.passwordId
|
||||
});
|
||||
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
|
||||
const cookie = serializeResourceSessionCookie(
|
||||
|
||||
Reference in New Issue
Block a user