Feature 2fa

.yarnrc.yml

@@ -0,0 +1 @@
+nodeLinker: node-modules

apps/api/src/auth/auth.controller.ts

@@ -16,11 +16,12 @@ import { AuthService } from './auth.service'
 import {
   ConfirmationCodeDto,
   ForgotPasswordResetRequestDto,
+  Recovery2FADto,
   ResetPasswordRequestDto,
   SignInWithEmailCredentialsDto,
-  SignUpWithEmailCredentialsDto
+  SignUpWithEmailCredentialsDto,
+  TurnOn2FADto
 } from '@isomera/dtos'
-import { JWTAuthGuard } from './guards/jwt-auth.guard'
 import { LocalAuthGuard } from './guards/local-auth.guard'
 import { SessionAuthGuard } from './guards/session-auth.guard'
 import { TokenInterceptor } from './interceptors/token.interceptor'
@@ -34,6 +35,8 @@ import {
   StatusType
 } from '@isomera/interfaces'
 import { JwtRefreshTokenGuard } from './guards/jwt-refresh-token'
+import { Jwt2faAuthGuard } from './guards/jwt-2fa-auth.guard'
+import { JWTAuthGuard } from './guards/jwt-auth.guard'
 
 @Controller('auth')
 export class AuthController {
@@ -75,7 +78,7 @@ export class AuthController {
   }
 
   @Get('/me')
-  @UseGuards(SessionAuthGuard, JWTAuthGuard)
+  @UseGuards(SessionAuthGuard, Jwt2faAuthGuard)
   me(@AuthUser() user: Pure<SignInWithEmailCredentialsDto>): UserEntity {
     return user as UserEntity
   }
@@ -102,9 +105,15 @@ export class AuthController {
   @Post('/refresh')
   @HttpCode(HttpStatus.OK)
   async refreshToken(
-    @AuthUser() user: Pure<UserEntity>
+    @AuthUser() user: Pure<UserEntity> & { isTwoFactorAuthenticated: boolean }
   ): Promise<RefreshTokenResponseInterface> {
-    const { refresh_token, access_token } = this.authService.signToken(user)
+    const payload = {
+      email: user.email,
+      isTwoFactorAuthenticationEnabled: !!user.isTwoFAEnabled,
+      isTwoFactorAuthenticated: !!user.isTwoFactorAuthenticated
+    }
+
+    const { refresh_token, access_token } = this.authService.signToken(payload)
 
     await this.authService.storeRefreshToken(user, refresh_token)
     return {
@@ -115,7 +124,7 @@ export class AuthController {
   }
 
   @Post('/logout')
-  @UseGuards(SessionAuthGuard, JWTAuthGuard)
+  @UseGuards(SessionAuthGuard, Jwt2faAuthGuard)
   @HttpCode(HttpStatus.OK)
   async logout(
     @AuthUser() user: Pure<UserEntity>
@@ -125,4 +134,71 @@ export class AuthController {
       status: StatusType.OK
     }
   }
+
+  @Post('2fa/generate')
+  @UseGuards(SessionAuthGuard, Jwt2faAuthGuard)
+  @HttpCode(HttpStatus.OK)
+  async register2FA(@AuthUser() user: Pure<UserEntity>) {
+    const { otpAuthUrl } =
+      await this.authService.generateTwoFactorAuthenticationSecret(user)
+
+    return {
+      status: StatusType.OK,
+      image: await this.authService.generateQrCodeDataURL(otpAuthUrl)
+    }
+  }
+
+  @Post('2fa/request-recovery')
+  @HttpCode(HttpStatus.OK)
+  async requestRecovery2FA(@Body() { code }: Pure<Recovery2FADto>) {
+    await this.authService.requestRecovery2FA(code)
+    return {
+      status: StatusType.OK
+    }
+  }
+
+  @Post('2fa/confirm-recovery')
+  @HttpCode(HttpStatus.OK)
+  async confirmRecovery2FACode(
+    @Body() { code, email }: Pure<ConfirmationCodeDto>
+  ) {
+    await this.authService.confirmRecovery2FACode({ code, email })
+    return {
+      status: StatusType.OK
+    }
+  }
+
+  @Post('2fa/turn-on')
+  @UseGuards(SessionAuthGuard, Jwt2faAuthGuard)
+  @HttpCode(HttpStatus.OK)
+  async turnOnTwoFactorAuthentication(
+    @AuthUser() user: Pure<UserEntity>,
+    @Body() { code }: Pure<TurnOn2FADto>
+  ) {
+    await this.authService.turnOn2FA(user, code)
+    const data = await this.authService.loginWith2fa(user, code)
+    delete data.password
+
+    const { access_token, refresh_token } = data
+
+    return {
+      status: StatusType.OK,
+      secret: user.twoFASecret,
+      access_token,
+      refresh_token
+    }
+  }
+
+  @Post('2fa/authenticate')
+  @HttpCode(200)
+  @UseGuards(SessionAuthGuard, JWTAuthGuard)
+  async authenticate(
+    @AuthUser() user: Pure<UserEntity>,
+    @Body() { code }: Pure<TurnOn2FADto>
+  ) {
+    const data = await this.authService.loginWith2fa(user, code)
+    delete data.password
+
+    return data
+  }
 }

apps/api/src/auth/auth.module.ts

@@ -12,6 +12,7 @@ import { MailerModule } from '../mailer/mailer.module'
 import { ConfirmCodeModule } from '../user/confirm-code.module'
 import { OrganizationModule } from '../organization/organization.module'
 import { JwtRefreshTokenStrategy } from './strategies/jwt-refresh-token.strategy'
+import { Jwt2faStrategy } from './strategies/jwt-2fa.strategy'
 
 @Module({
   imports: [
@@ -37,7 +38,8 @@ import { JwtRefreshTokenStrategy } from './strategies/jwt-refresh-token.strategy
     LocalStrategy,
     JwtStrategy,
     SessionSerializer,
-    JwtRefreshTokenStrategy
+    JwtRefreshTokenStrategy,
+    Jwt2faStrategy
   ]
 })
 export class AuthModule {}

apps/api/src/auth/auth.service.ts

@@ -22,8 +22,9 @@ import { generateRandomStringUtil } from '@isomera/utils'
 import { OrganizationService } from '../organization/organization.service'
 import { ConfigService } from '@nestjs/config'
 import * as bcrypt from 'bcrypt'
-import { pages } from '@isomera/impl'
 import { HandlebarsTemplate } from '../mailer/types/mailer.types'
+import { authenticator } from 'otplib'
+import { toDataURL } from 'qrcode'
 
 @Injectable()
 export class AuthService {
@@ -88,7 +89,10 @@ export class AuthService {
 
     console.log('xxx', user)
 
-    const { refresh_token, access_token } = this.signToken(user)
+    const payload = {
+      email: user.email
+    }
+    const { refresh_token, access_token } = this.signToken(payload)
 
     await this.storeRefreshToken(user, refresh_token)
 
@@ -112,30 +116,25 @@ export class AuthService {
     return user
   }
 
-  signToken(user: UserEntity): { refresh_token: string; access_token: string } {
+  signToken(payload: object): {
+    refresh_token: string
+    access_token: string
+  } {
     return {
-      refresh_token: this.generateRefreshToken(user.email),
-      access_token: this.generateAccessToken(user.email)
+      refresh_token: this.generateRefreshToken(payload),
+      access_token: this.generateAccessToken(payload)
     }
   }
 
-  public generateAccessToken(email: string): string {
-    const payload = {
-      sub: email
-    }
-
+  public generateAccessToken(payload: object): string {
     return this.jwtService.sign(payload, {
       expiresIn: `${this.configService.get<string>(
         'JWT_ACCESS_TOKEN_EXPIRATION_TIME'
       )}s`
     })
   }
 
-  public generateRefreshToken(email: string): string {
-    const payload = {
-      sub: email
-    }
-
+  public generateRefreshToken(payload: object): string {
     return this.jwtService.sign(payload, {
       expiresIn: `${this.configService.get<string>(
         'JWT_REFRESH_TOKEN_EXPIRATION_TIME'
@@ -262,4 +261,128 @@ export class AuthService {
   async logout(user: UserEntity) {
     return this.userService.storeRefreshToken(user, null)
   }
+
+  // for 2FA
+  async generateTwoFactorAuthenticationSecret(user: UserEntity) {
+    const secret = authenticator.generateSecret()
+
+    const otpAuthUrl = authenticator.keyuri(
+      user.email,
+      this.configService.get<string>('AUTH_APP_NAME'),
+      secret
+    )
+
+    await this.userService.setTwoFactorAuthenticationSecret(user, secret)
+
+    return {
+      secret,
+      otpAuthUrl
+    }
+  }
+
+  // for 2FA
+  isTwoFactorAuthenticationCodeValid(user: UserEntity, code: string): boolean {
+    return authenticator.verify({
+      token: code,
+      secret: user.twoFASecret
+    })
+  }
+
+  /**
+   * Generate QR code
+   * @param otpAuthUrl
+   * @returns
+   */
+  async generateQrCodeDataURL(otpAuthUrl: string) {
+    return toDataURL(otpAuthUrl)
+  }
+
+  /**
+   * Turn on 2FA
+   * @param user
+   * @param code
+   */
+  async turnOn2FA(user: UserEntity, code: string) {
+    const isCodeValid = this.isTwoFactorAuthenticationCodeValid(user, code)
+
+    if (!isCodeValid) {
+      throw new UnauthorizedException('Code is incorrect.')
+    }
+
+    await this.userService.setupTwoFactorAuthentication(user, true)
+  }
+
+  /**
+   * Login with 2FA
+   * @param user
+   * @param code
+   * @returns
+   */
+  async loginWith2fa(
+    user: UserEntity,
+    code: string
+  ): Promise<LoginResponseInterface> {
+    const isCodeValid = this.isTwoFactorAuthenticationCodeValid(user, code)
+
+    if (!isCodeValid) {
+      throw new UnauthorizedException('Code is incorrect.')
+    }
+
+    const payload = {
+      email: user.email,
+      isTwoFactorAuthenticationEnabled: !!user.isTwoFAEnabled,
+      isTwoFactorAuthenticated: true
+    }
+
+    const { refresh_token, access_token } = this.signToken(payload)
+
+    await this.storeRefreshToken(user, refresh_token)
+
+    return {
+      ...user,
+      access_token: access_token,
+      refresh_token: refresh_token
+    }
+  }
+
+  async requestRecovery2FA(secret: string) {
+    const user = await this.userService.findOne({
+      where: { twoFASecret: secret }
+    })
+    if (!user) {
+      throw new UnauthorizedException(`There isn't any user with this code`)
+    }
+
+    if (process.env.NODE_ENV !== 'test') {
+      const code = await this.confirmCode.genNewCode(user)
+      if (code.code) {
+        await this.mailerService.sendEmail(
+          user,
+          'Two Factor Authentication Recovery',
+          HandlebarsTemplate.CONFIRM_RECOVERY,
+          {
+            name: user.firstName,
+            code: code.code,
+            email: user.email,
+            baseUrl: process.env.PLATFORM_URL
+          }
+        )
+        return user
+      }
+      throw new HttpException(
+        "Couldn't generate the code",
+        HttpStatus.INTERNAL_SERVER_ERROR
+      )
+    } else {
+      return user
+    }
+  }
+
+  async confirmRecovery2FACode({
+    code,
+    email
+  }: Pure<ConfirmationCodeDto>): Promise<UserEntity> {
+    const user = await this.confirmCode.verifyCode(code, email)
+    return this.userService.turnOfTwoFactorAuthentication(user)
+  }
 }

apps/api/src/auth/guards/jwt-2fa-auth.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common'
+import { AuthGuard } from '@nestjs/passport'
+
+@Injectable()
+export class Jwt2faAuthGuard extends AuthGuard('jwt-2fa') {}

apps/api/src/auth/strategies/jwt-2fa.strategy.ts

@@ -0,0 +1,32 @@
+import { ExtractJwt, Strategy } from 'passport-jwt'
+import { PassportStrategy } from '@nestjs/passport'
+import { Injectable } from '@nestjs/common'
+import { UserService } from '../../user/user.service'
+import { LoginWith2FAPayload } from '@isomera/interfaces'
+
+@Injectable()
+export class Jwt2faStrategy extends PassportStrategy(Strategy, 'jwt-2fa') {
+  constructor(private readonly userService: UserService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKey: process.env.APP_SECRET
+    })
+  }
+
+  async validate(payload: LoginWith2FAPayload) {
+    const user = await this.userService.findOne({
+      where: { email: payload.email }
+    })
+
+    if (!user.isTwoFAEnabled) {
+      return user
+    }
+
+    if (payload.isTwoFactorAuthenticated) {
+      return {
+        ...user,
+        isTwoFactorAuthenticated: payload.isTwoFactorAuthenticated
+      }
+    }
+  }
+}