Skip to content
This repository was archived by the owner on Apr 6, 2022. It is now read-only.

Multi-Token Authentication & 2FA #2

Merged
merged 120 commits into from
May 19, 2018
Merged

Multi-Token Authentication & 2FA #2

merged 120 commits into from
May 19, 2018

Conversation

pozylon
Copy link
Contributor

@pozylon pozylon commented Feb 6, 2018
edited
Loading

  • Refactor the auth module to allow for token challenge type abstraction
  • DB: Entangle sessions from tokens
  • Add TOTP Challenge Type
  • Adjust the GraphQL API to allow multiple token challenge validation for 2FA
  • DB: Add Flag and Secret to User for 2FA
  • Add GraphQL Operations to manage 2FA activation (store shared secret, toggle 2fa login, ...)
  • Add token expiration logic & extend the error reporting so a UI can behave differently on "token expired", "2fa required", "token not found", "token burned" errors.
  • Verify Phone number
  • Twilio
  • Translations
  • Update Birdsview Documentation with current schema
  • add user.enabledSecondFactorTokenTypes + expose on user instead of isTwoFactorEnabled, allow supporters to read it too
  • change unauthorizedSession to unauthorizedSigninRequest(email: String!, tokenChallenge: SignInTokenChallenge!): unauthorizedSignInResponse!
    unauthorizedSignInResponse contains "availableSecondFactors" (better naming), unauthorizedSession: Session!
  • change authorizeSession(email: String!, tokenChallenge: SignInTokenChallenge!, secondFactor: SignInTokenChallenge): Boolean!
    to: authorizeSession(email: String!, tokens: [SignInToken!]!
  • updateTwoFactorAuthentication(enabled: Boolean!): Boolean! -> updateTwoFactorAuthentication(tokenType: SignInTokenChallenge!, enabled: Boolean!): Boolean!
  • atomically restrict updates based on enabledSecondFactorTokenTypes: avoid changing phoneNumber if phoneNumber is enabled for twoFactor
  • Tests (90%)
  • BONUS: expose API for admins and supporters, which token (types) have been used to authorize a session
  • BONUS: E-Mail on lose of two factor mode (if user.enabledSecondFactorTokenTypes gets empty)
  • Translations
  • Tests: authorizeSession

pozylon and others added 30 commits January 23, 2018 10:40
@pozylon
feat(mail): adds method to move newsletter settings from one to anoth…
1012139 
…er email address

affects: @orbiting/backend-modules-mail
@pozylon
Revert "fix(auth): remove changeEmail, belongs to republik-backend"
31a3660 
This reverts commit dab95c2.
@pozylon
fix(auth): use the new moveNewsletterSubscriptions from mail
a63bfa7 
affects: @orbiting/backend-modules-auth, @orbiting/backend-modules-mail
@pozylon
fix(auth): fix clearSession
8226d14 
affects: @orbiting/backend-modules-auth
@pozylon
fix(auth): fix updateUserEmail
df5277a 
affects: @orbiting/backend-modules-auth, @orbiting/backend-modules-mail
@pozylon
style(auth): cleanup
4b4a23b 
affects: @orbiting/backend-modules-auth, @orbiting/backend-modules-base
@pozylon
feat(auth): 2fa
3f5a866 
affects: @orbiting/backend-modules-auth, @orbiting/backend-modules-base,
@orbiting/backend-modules-mail

BREAKING CHANGE:
mail, auth, base
@pozylon
fix(auth): typo
1ea42c8
@pozylon
feat(auth): add tokens to db
303d0e0
@pozylon
fix(auth): 2fa (wip)
8aa0fe1
@pozylon
fix(auth): 2fa (wip)
8edf028
@pozylon
Merge branch 'master' into totp
17c7ac4 
* master: (30 commits)
  chore(release): releasing component
  fix(assets): remove unnecessary await
  chore(release): releasing component
  feat(assets): buffer instead of stream for content-length
  chore(release): releasing component
  fix(base): clear cf cookie
  chore(release): releasing component
  fix(documents): webp cap. check
  chore(release): releasing component
  chore(release): releasing component
  chore(release): releasing component
  feat(assets): repo.uploadImages: transfers images from github to AWS S3
  feat(documents): add webp suffix to image urls in Document resolvers
  feat(assets): add lib webp url suffixer
  fix(documents): devide processRepoImageUrls in processRepoImageUrlsInContent and -InMeta
  feat(documents): add lib processImageUrls (migrate from publikator-backend)
  feat(assets): add size=WxH to portraitUrl in uploadPortrait
  feat(assets): upload lib, cleanup convertImage
  chore(assets): readme
  fix(assets): readme
  ...
@pozylon
fix(auth): 2fa
22d45dd
@pozylon
Merge branch 'fix-session-clear' into totp
aefee2b 
* fix-session-clear:
  fix(auth): fix clearSession
@pozylon
Merge branch 'move-interests' into totp
4aff619 
* move-interests:
  fix(auth): fix updateUserEmail
  fix(auth): use the new moveNewsletterSubscriptions from mail
  Revert "fix(auth): remove changeEmail, belongs to republik-backend"
  feat(mail): adds method to move newsletter settings from one to another email address
@pozylon
fix(auth): updateEmail
1fd936b
@pozylon
feat(auth): add totp setup functions
30a68d0
@pozylon
fix(auth): totp setup validation
24a241e
@pozylon
feat(auth): enable/disable 2fa
2bbeac8
@pozylon
fix(auth): don’t delete tokens if initiateSession is called
7232c21
@pozylon
feat(auth): added denySession mutation
60efe27 
allows to cancel a session request, will invalidate assigned tokens but no login
@pozylon
Merge remote-tracking branch 'origin/master' into totp
9b823d5
@pozylon
feat(translate): Translated Error
a249ada
@pozylon
fix(base): refactored error reporting
233b01c
@pozylon
refactor(auth): new error codes
b1f11f0
@pozylon
fix(auth): 2fa mapped translated errors
db0a032
@patte
remove everything expect packages for monorepo
f4f42c8
@patte
Merge branch 'totp' of /Users/patte/republik/src/republik-backends-al…
cd6063c 
…l-merged/backend-modules into totp
@patte
Merge branch 'heroku' into totp
da6270c
@pozylon
fix(auth): reintroduce updateEmail in auth package
1628b86
patte and others added 26 commits May 18, 2018 16:49
@patte
feat(auth): expose phrase on Session
4ae5946
@patte
feat(auth): supply consents on signIn mutation
5251bee
@patte
fix(newsletters): remove obsolete fixMailchimp script
9c41fa4
@patrickvenetz
test(auth): Add initial series of 2fa authorizeSession tests
471ab9c
@patte
fix(submitPledge): use transaction for consents actions
256eb98
@patte
Merge branch 'gdpr' of github.com:orbiting/backends into gdpr
f5f0a34
@patte
feat(republik): add script reconstructConsents
aa175c1
@patrickvenetz
test(auth): Test checks if first sign in attempt can be claimed
57665ff
@patrickvenetz
test(auth): Test checks if 2 factors need to be present to authorize
a9350f6
@patte
fix(auth): better translations
7a02ded
@patrickvenetz
test(auth): Rename to clearify
8d487ad
@patrickvenetz
test(auth): Test if multiple 2fa challenge starts still succeed
e102532
@patte
fix(consents): honour frontend hmac format
5c57d91
@patte
Merge branch 'gdpr' of github.com:orbiting/backends into gdpr
9c604b3
@patrickvenetz
test(auth): Update to __tests__/auth to restore previous sigature
aa00e9c
@patte
fix(consents): limit consents on updateNewsletterSubscription
bbd127a
@patte
Merge branch 'gdpr' of github.com:orbiting/backends into gdpr
59da23a
@patrickvenetz
test(auth): Sign out to prevent session spilling into other tests
b5294c3
@patte
feat(consent): GRANT and REVOKE consents in an immutable fashion
64b0d63
@patte
Merge branch 'gdpr' of github.com:orbiting/backends into gdpr
88f8db9
@patte
fix(republik): remove unnecessary base64u.decode from updateNewslette…
b2ed978 
…rSubscription
@patte
fix(consent): normalize pledge detection, only set SUB_URL if not use…
cb12d0a 
…rHasPledgeOrMembership
@patte
fix(newsletters): missing await
e8f5a58
@patte
fix(auth): newUser no user or user but not verified
fc0de81
@patte
fix(republik): enforceSubscriptions on reclaimPledge
da22c9e
@patte
Merge pull request #43 from orbiting/gdpr
1af4fdd 
GDPR and auth tests
@patte patte removed the needs tests label May 19, 2018
@patte patte merged commit 2f587d9 into master May 19, 2018
@patte patte deleted the totp branch May 19, 2018 02:33
patrickvenetz added a commit that referenced this pull request Dec 25, 2018
@patrickvenetz
fix(republik): Update translations
9effa92 
Fixes access invitation email subject line take #2
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lukasbuenger lukasbuenger Awaiting requested review from lukasbuenger

2 more reviewers

@tpreusse tpreusse tpreusse left review comments

@patte patte patte requested changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pozylon @coveralls @patte @tpreusse @patrickvenetz