feat(user): enforce session check (#646)

packages/user/src/mercurius-auth/authPlugin.ts

@@ -1,7 +1,7 @@
 import FastifyPlugin from "fastify-plugin";
 import mercurius from "mercurius";
 import mercuriusAuth from "mercurius-auth";
-import emailVerificaiton from "supertokens-node/recipe/emailverification";
+import emailVerification from "supertokens-node/recipe/emailverification";
 
 import type { FastifyInstance } from "fastify";
 
@@ -18,7 +18,7 @@ const plugin = FastifyPlugin(async (fastify: FastifyInstance) => {
 
       if (
         fastify.config.user.features?.signUp?.emailVerification &&
-        !(await emailVerificaiton.isEmailVerified(context.user.id))
+        !(await emailVerification.isEmailVerified(context.user.id))
       ) {
         // Added the claim validation errors to match with rest endpoint
         // response for email verification

packages/user/src/model/users/handlers/changePassword.ts

@@ -1,3 +1,5 @@
+import { createNewSession } from "supertokens-node/recipe/session";
+
 import getUserService from "../../../lib/getUserService";
 
 import type { ChangePasswordInput } from "../../../types";
@@ -23,9 +25,17 @@ const changePassword = async (request: SessionRequest, reply: FastifyReply) => {
       request.dbSchema
     );
 
-    const data = await service.changePassword(userId, oldPassword, newPassword);
+    const response = await service.changePassword(
+      userId,
+      oldPassword,
+      newPassword
+    );
+
+    if (response.status === "OK") {
+      await createNewSession(request, reply, userId);
+    }
 
-    reply.send(data);
+    reply.send(response);
   } catch (error) {
     request.log.error(error);
     reply.status(500);

packages/user/src/model/users/resolver.ts

@@ -180,26 +180,32 @@ const Mutation = {
     },
     context: MercuriusContext
   ) => {
-    const service = getUserService(
-      context.config,
-      context.database,
-      context.dbSchema
-    );
+    const { app, config, database, dbSchema, reply, user } = context;
+
+    const service = getUserService(config, database, dbSchema);
 
     try {
-      return context.user?.id
-        ? await service.changePassword(
-            context.user.id,
-            arguments_.oldPassword,
-            arguments_.newPassword
-          )
-        : {
-            status: "NOT_FOUND",
-            message: "User not found",
-          };
+      if (user) {
+        const response = await service.changePassword(
+          user.id,
+          arguments_.oldPassword,
+          arguments_.newPassword
+        );
+
+        if (response.status === "OK") {
+          await createNewSession(reply.request, reply, user.id);
+        }
+
+        return response;
+      } else {
+        return {
+          status: "NOT_FOUND",
+          message: "User not found",
+        };
+      }
     } catch (error) {
       // FIXME [OP 28 SEP 2022]
-      context.app.log.error(error);
+      app.log.error(error);
 
       const mercuriusError = new mercurius.ErrorWithProps(
         "Oops, Something went wrong"

packages/user/src/model/users/service.ts

@@ -18,30 +18,6 @@ class UserService<
   // eslint-disable-next-line prettier/prettier
   implements Service<User, UserCreateInput, UserUpdateInput> {
 
-  get table() {
-    return this.config.user?.table?.name || TABLE_USERS;
-  }
-
-  get factory() {
-    if (!this.table) {
-      throw new Error(`Service table is not defined`);
-    }
-
-    if (!this._factory) {
-      this._factory = new UserSqlFactory<
-        User,
-        UserCreateInput,
-        UserUpdateInput
-      >(this);
-    }
-
-    return this._factory as UserSqlFactory<
-      User,
-      UserCreateInput,
-      UserUpdateInput
-    >;
-  }
-
   changePassword = async (
     userId: string,
     oldPassword: string,
@@ -104,6 +80,30 @@ class UserService<
       };
     }
   };
+
+  get table() {
+    return this.config.user?.table?.name || TABLE_USERS;
+  }
+
+  get factory() {
+    if (!this.table) {
+      throw new Error(`Service table is not defined`);
+    }
+
+    if (!this._factory) {
+      this._factory = new UserSqlFactory<
+        User,
+        UserCreateInput,
+        UserUpdateInput
+      >(this);
+    }
+
+    return this._factory as UserSqlFactory<
+      User,
+      UserCreateInput,
+      UserUpdateInput
+    >;
+  }
 }
 
 export default UserService;

packages/user/src/supertokens/recipes/config/session/getSession.ts

@@ -0,0 +1,26 @@
+import type { FastifyInstance } from "fastify";
+import type { RecipeInterface } from "supertokens-node/recipe/session/types";
+
+const getSession = (
+  originalImplementation: RecipeInterface,
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  fastify: FastifyInstance
+): RecipeInterface["getSession"] => {
+  return async (input) => {
+    if (originalImplementation.createNewSession === undefined) {
+      throw new Error("Should never come here");
+    }
+
+    input.options = {
+      checkDatabase:
+        fastify.config.user.supertokens.checkSessionInDatabase ?? true,
+      ...input.options,
+    };
+
+    const originalResponse = await originalImplementation.getSession(input);
+
+    return originalResponse;
+  };
+};
+
+export default getSession;

packages/user/src/supertokens/recipes/config/session/verifySession.ts

@@ -14,6 +14,12 @@ const verifySession = (
       throw new Error("Should never come here");
     }
 
+    input.verifySessionOptions = {
+      checkDatabase:
+        fastify.config.user.supertokens.checkSessionInDatabase ?? true,
+      ...input.verifySessionOptions,
+    };
+
     const originalResponse = await originalImplementation.verifySession(input);
 
     if (originalResponse) {

packages/user/src/supertokens/recipes/config/sessionRecipeConfig.ts

@@ -1,4 +1,5 @@
 import createNewSession from "./session/createNewSession";
+import getSession from "./session/getSession";
 import verifySession from "./session/verifySession";
 
 import type { SessionRecipe } from "../../types/sessionRecipe";
@@ -79,6 +80,7 @@ const getSessionRecipeConfig = (
           ...originalImplementation,
           createNewSession: createNewSession(originalImplementation, fastify),
           ...recipeInterface,
+          getSession: getSession(originalImplementation, fastify),
         };
       },
       openIdFeature: session.override?.openIdFeature,

packages/user/src/supertokens/types/index.ts

@@ -32,6 +32,10 @@ interface SupertokensThirdPartyProvider {
 }
 
 interface SupertokensConfig {
+  /**
+   * @default true
+   */
+  checkSessionInDatabase?: boolean;
   connectionUri: string;
   providers?: SupertokensThirdPartyProvider;
   recipes?: SupertokensRecipes;

packages/user/src/userContext.ts

@@ -1,4 +1,3 @@
-import mercurius from "mercurius";
 import { wrapResponse } from "supertokens-node/framework/fastify";
 import { EmailVerificationClaim } from "supertokens-node/recipe/emailverification";
 import Session from "supertokens-node/recipe/session";
@@ -31,20 +30,9 @@ const userContext = async (
 
     userId = session === undefined ? undefined : session.getUserId();
   } catch (error) {
-    if (Session.Error.isErrorFromSuperTokens(error)) {
-      throw new mercurius.ErrorWithProps(
-        "Session related error",
-        {
-          code: "UNAUTHENTICATED",
-          http: {
-            status: error.type === Session.Error.INVALID_CLAIMS ? 403 : 401,
-          },
-        },
-        error.type === Session.Error.INVALID_CLAIMS ? 403 : 401
-      );
+    if (!Session.Error.isErrorFromSuperTokens(error)) {
+      throw error;
     }
-
-    throw error;
   }
 
   if (userId && !context.user) {