Multi-Token Authentication & 2FA

.env.example

@@ -62,6 +62,10 @@ AUTH_MAIL_TEMPLATE_NAME=cf_signin
 # optional:
 #BASIC_AUTH_REALM=
 
+# enforce user to consent to policies when trying to authorize a session
+# comma separated list of values
+#ENFORCE_CONSENTS=PRIVACY
+
 #############
 # mail
 #############
@@ -88,7 +92,7 @@ DEFAULT_MAIL_FROM_NAME="Republik"
 
 ASSETS_SERVER_BASE_URL=http://localhost:5020
 
-# shared secret which which publikator-backend authenticates urls to assets-backend
+# shared secret with which publikator-backend authenticates urls to assets-backend
 # min 32bit
 ASSETS_HMAC_KEY=RANDOM
 

.travis.yml

@@ -15,6 +15,7 @@ services:
 branches:
   only:
   - master
+  - gdpr
 matrix:
   include:
     - env:

docker-compose.yml

@@ -0,0 +1,50 @@
+version: "3.4"
+services:
+  republik-backend:
+    build:
+      context: ./servers/republik
+    image: republik-backend:latest
+    links:
+      - redis
+      - postgres
+    environment:
+      - DATABASE_URL=postgres://postgres@postgres:5432/republik
+      - REDIS_URL=redis:6379
+      - PUBLIC_URL=http://localhost:8080
+      - PUBLIC_WS_URL_BASE=ws://localhost:8080
+      - FRONTEND_BASE_URL
+      - PUBLIC_WS_URL_PATH
+      - SESSION_SECRET
+      - CORS_WHITELIST_URL
+      - SEND_MAILS
+      - MANDRILL_API_KEY
+      - DEFAULT_MAIL_FROM_NAME
+      - DEFAULT_MAIL_FROM_ADDRESS
+      - AUTH_MAIL_FROM_ADDRESS
+      - DISPLAY_AUTHOR_SECRET
+      - EXO_KEY
+      - EXO_SECRET
+      - S3BUCKET
+      - ASSETS_BASE_URL
+      - KEYCDN_API_KEY
+      - KEYCDN_ZONE_ID
+      - KEYCDN_ZONE_URL
+      - PHANTOMJSCLOUD_API_KEY
+    ports:
+        - 8080:3020
+
+  redis:
+    image: redis:4-alpine
+    ports:
+        - 6379:6379
+
+  postgres:
+    image: postgres:10-alpine
+    volumes:
+      - postgres-data:/var/lib/postgresql
+    ports:
+        - 5432:5432
+
+
+volumes:
+  postgres-data:

packages/auth/README.md

@@ -1,13 +1,43 @@
 # @orbiting/backend-modules-auth
 
-Passwordless email authentication and basic user type for graphql. Sessions based on cookies by [express-session](https://github.com/expressjs/session). Simple [Role](lib/Roles.js) system.
+GraphQL and [express-session](https://github.com/expressjs/session) based authentication module with basic user type and Simple [Role](lib/Roles.js) system. Currently supports the following authentication strategies:
+
+- Passwordless email authentication
+- SMS Code challenge
+- TOTP Code challenge
+
+Supports 2FA and allows SMS & TOTP to be used as second factor authentication providers.
 
 Checkout the [schema](graphql/schema.js) and [schema-types](graphql/schema-types.js).
 
 used by:
 - [publikator-backend](https://github.com/orbiting/publikator-backend)
 - [republik-backend](https://github.com/orbiting/republik-backend)
 
+## 2-Factor-Auhentication Flow
+
+Before 2FA can be enabled on a user, at least one of the SMS or TOTP providers need to get setup.
+
+SMS:
+1. updateMe (not part of the auth package) to store the user's phone number in the database, the phone number will get tagged as unverified and a code to verify the phone number is sent as short message to the new phone number.
+2. sendPhoneNumberVerificationCode to have Twilio send a code to the number stored on the user.
+3. verifyPhoneNumber to verify the phone number through the code that got sent by short message, will tag the user's phone number as verified
+
+TOTP:
+1. initTOTPSharedSecret will generate a new random shared secret, store it in the database and return it via mutation response
+2. validateTOTPSharedSecret will succeed if the client was able to generate the correct TOTP for the current time and shared secret and tag the shared secret as verified.
+
+Activate 2FA:
+- updateTwoFactorAuthentication enabled=true will activate 2FA for a specific type of challenge if prerequisits are met, the call will fail if there is no verified TOTP shared secret and no verified phone number stored in the database at that point.
+
+Login with 2FA:
+- signIn starts the login process with the email authentication provider in place which in turn sends a token via e-mail to the user.
+- unauthorizedSession will get called with the e-mail address and the token sent through e-mail to retrieve information about the session. This Session object can have multiple tokenTypes as result. If that's the case, the user can only authorize the session with a second factor.
+- startChallenge starts backend processes needed to login with a certain tokenType, for SMS, the short message with the code needed to authorize the second factor will be sent only after calling this mutation.
+- authorizeSession authenticates the session if first and second factor payloads are validated by the auth system. The session will now get linked to the user, the user is now finally logged in.
+
+As soon as 2FA is enabled, updatePhoneNumber and updateEmail calls will fail until 2FA is disabled again, so users cannot lock out themselves from logging in.
+
 ## ENV
 ```
 # where to send auth mails from

packages/auth/graphql/resolvers/Session.js

@@ -2,36 +2,39 @@ const { flag, code } = require('country-emoji')
 const useragent = require('useragent')
 
 module.exports = {
-  id (session, args) {
+  id (session) {
     return session.id
   },
-  ipAddress (session, args) {
+  ipAddress (session) {
     return session.sess.ip
   },
-  userAgent (session, args) {
+  userAgent (session) {
     return session.sess.ua &&
       useragent.parse(session.sess.ua).toString()
   },
-  email (session, args) {
+  email (session) {
     return session.sess.email
   },
-  country (session, args) {
+  country (session) {
     const { geo = {} } = session.sess
     return geo.country
   },
-  countryFlag (session, args) {
+  countryFlag (session) {
     const { geo = {} } = session.sess
     const countryCode = geo.countryEN ? code(geo.countryEN) : null
     return countryCode ? flag(countryCode) : '🏴'
   },
-  city (session, args) {
+  city (session) {
     const { geo = {} } = session.sess
     return geo.city
   },
-  expiresAt (session, args) {
+  expiresAt (session) {
     return session.expire
   },
   isCurrent (session, args, { req }) {
     return session.sid === req.sessionID
+  },
+  phrase (session) {
+    return session.sess.phrase
   }
 }

packages/auth/graphql/resolvers/SharedSecretResponse.js

@@ -0,0 +1,22 @@
+const ISSUER = 'Republik'
+
+// https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+const buildOTPUrl = (email, code) =>
+  `otpauth://totp/${ISSUER}:${email}?secret=${code}&issuer=${ISSUER}`
+
+const Response = {
+  otpAuthUrl ({ secret }, args, { pgdb, user }) {
+    return buildOTPUrl(user.email, secret)
+  },
+  svg ({ secret }, args, { pgdb, user }) {
+    const { errorCorrectionLevel } = args
+    const url = buildOTPUrl(user.email, secret)
+    const qr = require('qr-image')
+    return qr.imageSync(url, {
+      ec_level: errorCorrectionLevel,
+      type: 'svg'
+    })
+  }
+}
+
+module.exports = Response

packages/auth/graphql/resolvers/User.js

@@ -33,9 +33,17 @@ module.exports = {
     Roles.ensureUserIsMeOrInRoles(user, me, userAccessRoles)
     return user._raw.createdAt
   },
-  updatedAt (user, args, { user: me }) {
+  updatedAt (user) {
     return user._raw.updatedAt
   },
+  enabledSecondFactors (user, args, { user: me }) {
+    if (
+      Roles.userIsMeOrInRoles(user, me, ['supporter'])
+    ) {
+      return user._raw.enabledSecondFactors
+    }
+    return []
+  },
   async eventLog (user, args, { pgdb, user: me }) {
     Roles.ensureUserIsMeOrInRoles(user, me, userAccessRoles)
     return pgdb.query(`

packages/auth/graphql/resolvers/_mutations/addUserToRole.js

@@ -1,4 +1,6 @@
 const t = require('../../../lib/t')
+const transformUser = require('../../../lib/transformUser')
+
 const {
   ensureUserHasRole,
   userHasRole,
@@ -16,9 +18,6 @@ module.exports = async (_, args, { pgdb, req, signInHooks }) => {
     throw new Error(t('api/users/404'))
   }
 
-  if (userHasRole(user, role)) {
-    return user
-  } else {
-    return addUserToRole(userId, role, pgdb)
-  }
+  const returnedUser = userHasRole(user, role) ? user : (await addUserToRole(userId, role, pgdb))
+  return transformUser(returnedUser)
 }

packages/auth/graphql/resolvers/_mutations/authorizeSession.js

@@ -1,29 +1,20 @@
-const { QueryEmailMismatchError, NoSessionError } = require('../../../lib/errors')
-const t = require('../../../lib/t')
-const { authorizeSession } = require('../../../lib/Sessions')
+const { authorizeSession } = require('../../../lib/Users')
 
 module.exports = async (_, args, { pgdb, req, signInHooks }) => {
   const {
     email,
-    token
+    tokens = [],
+    consents
   } = args
-  try {
-    const user = await authorizeSession({
-      pgdb,
-      token,
-      emailFromQuery: email,
-      signInHooks
-    })
-    return !!user
-  } catch (e) {
-    if (e instanceof QueryEmailMismatchError) {
-      console.info("authorizeSession: session.email and query.email don't match: %O", { req: req._log(), ...e.meta })
-    } else if (e instanceof NoSessionError) {
-      console.info('authorizeSession: no session %O', { req: req._log(), ...e.meta })
-    } else {
-      const util = require('util')
-      console.error('authorizeSession: exception', util.inspect({ req: req._log(), emailFromQuery: email, e }, {depth: null}))
-    }
-    throw new Error(t('api/token/invalid'))
-  }
+
+  const user = await authorizeSession({
+    pgdb,
+    tokens,
+    email,
+    signInHooks,
+    consents,
+    req
+  })
+
+  return !!user
 }

packages/auth/graphql/resolvers/_mutations/clearSession.js

@@ -1,8 +1,7 @@
-const t = require('../../../lib/t')
 const Roles = require('../../../lib/Roles')
-const { DestroySessionError } = require('../../../lib/errors')
 const ensureSignedIn = require('../../../lib/ensureSignedIn')
 const { clearUserSession, destroySession } = require('../../../lib/Sessions')
+const { resolveUser } = require('../../../lib/Users')
 const userAccessRoles = ['admin', 'supporter']
 
 module.exports = async (_, args, { pgdb, user: me, req }) => {
@@ -13,28 +12,16 @@ module.exports = async (_, args, { pgdb, user: me, req }) => {
     sessionId
   } = args
 
-  const user = foreignUserId
-    ? (await pgdb.public.users.findOne({ id: foreignUserId }))
-    : me
+  const user = await resolveUser({ slug: foreignUserId, pgdb, userId: me.id })
 
-  try {
-    const session = pgdb.public.sessions.findOne({ sid: req.sessionID, email: user.email })
-    if (session.id === sessionId) {
-      // current session, normal logout
-      await destroySession(req)
-      return true
-    }
-    if (Roles.userIsMeOrInRoles(user, me, userAccessRoles)) {
-      return await clearUserSession({ pgdb, userId: user.id, sessionId })
-    }
-    return false
-  } catch (e) {
-    if (e instanceof DestroySessionError) {
-      console.error('clearSession: exception %O', { req: req._log(), userId: user.id, sessionId, ...e.meta })
-    } else {
-      const util = require('util')
-      console.error('clearSession: exception', util.inspect({ req: req._log(), userId: user.id, sessionId, e }, {depth: null}))
-    }
-    throw new Error(t('api/auth/errorDestroyingSession'))
+  const session = pgdb.public.sessions.findOne({ sid: req.sessionID, email: user.email })
+  if (session.id === sessionId) {
+    // current session, normal logout
+    await destroySession(req)
+    return true
   }
+  if (Roles.userIsMeOrInRoles(user, me, userAccessRoles)) {
+    return clearUserSession({ pgdb, userId: user.id, sessionId })
+  }
+  return false
 }

packages/auth/graphql/resolvers/_mutations/clearSessions.js

@@ -1,7 +1,6 @@
-const t = require('../../../lib/t')
 const Roles = require('../../../lib/Roles')
-const { DestroySessionError } = require('../../../lib/errors')
 const ensureSignedIn = require('../../../lib/ensureSignedIn')
+const { resolveUser } = require('../../../lib/Users')
 const { clearAllUserSessions, destroySession } = require('../../../lib/Sessions')
 const userAccessRoles = ['admin', 'supporter']
 
@@ -12,30 +11,18 @@ module.exports = async (_, args, { pgdb, user: me, req }) => {
     userId: foreignUserId
   } = args
 
-  const user = foreignUserId
-    ? (await pgdb.public.users.findOne({ id: foreignUserId }))
-    : me
+  const user = await resolveUser({ slug: foreignUserId, pgdb, userId: me.id })
 
-  try {
-    let isSessionsCleared = false
-    if (me.id === user.id) {
-      // current user targeted, so we
-      // destroy the current session safely via express
-      if (await destroySession(req)) isSessionsCleared = true
-    }
-    if (Roles.userIsMeOrInRoles(user, me, userAccessRoles)) {
-      if (await clearAllUserSessions({ pgdb, userId: user.id })) {
-        isSessionsCleared = true
-      }
-    }
-    return isSessionsCleared
-  } catch (e) {
-    if (e instanceof DestroySessionError) {
-      console.error('clearSessions: exception %O', { req: req._log(), userId: user.id, ...e.meta })
-    } else {
-      const util = require('util')
-      console.error('clearSessions: exception', util.inspect({ req: req._log(), userId: user.id, e }, {depth: null}))
+  let isSessionsCleared = false
+  if (me.id === user.id) {
+    // current user targeted, so we
+    // destroy the current session safely via express
+    if (await destroySession(req)) isSessionsCleared = true
+  }
+  if (Roles.userIsMeOrInRoles(user, me, userAccessRoles)) {
+    if (await clearAllUserSessions({ pgdb, userId: user.id })) {
+      isSessionsCleared = true
     }
-    throw new Error(t('api/auth/errorDestroyingSession'))
   }
+  return isSessionsCleared
 }

packages/auth/graphql/resolvers/_mutations/denySession.js

@@ -0,0 +1,17 @@
+const {
+  denySession } = require('../../../lib/Users')
+
+module.exports = async (_, args, { pgdb, req, signInHooks }) => {
+  const {
+    token,
+    email
+  } = args
+
+  const user = await denySession({
+    pgdb,
+    token,
+    email
+  })
+
+  return !!user
+}