2023-09-06 13:19:54 +00:00
|
|
|
package test
|
|
|
|
|
|
|
|
|
|
import (
|
2023-09-12 13:39:37 +00:00
|
|
|
"bytes"
|
|
|
|
|
"context"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"fmt"
|
2023-09-13 08:44:56 +00:00
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/gokyle/twofactor"
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/tuotoo/qrcode"
|
|
|
|
|
|
2023-09-12 13:39:37 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/constants"
|
2023-09-11 06:15:32 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/db"
|
|
|
|
|
"github.com/authorizerdev/authorizer/server/graph/model"
|
2023-09-12 13:39:37 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/memorystore"
|
|
|
|
|
"github.com/authorizerdev/authorizer/server/refs"
|
2023-09-11 06:15:32 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/resolvers"
|
2023-09-12 13:39:37 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/token"
|
2023-09-06 13:19:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func verifyTOTPTest(t *testing.T, s TestSetup) {
|
2023-09-11 06:15:32 +00:00
|
|
|
t.Helper()
|
|
|
|
|
t.Run(`should verify totp`, func(t *testing.T) {
|
2023-09-12 13:39:37 +00:00
|
|
|
req, ctx := createContext(s)
|
|
|
|
|
email := "verify_totp." + s.TestInfo.Email
|
|
|
|
|
cleanData(email)
|
2023-09-11 06:15:32 +00:00
|
|
|
res, err := resolvers.SignupResolver(ctx, model.SignUpInput{
|
|
|
|
|
Email: email,
|
|
|
|
|
Password: s.TestInfo.Password,
|
|
|
|
|
ConfirmPassword: s.TestInfo.Password,
|
|
|
|
|
})
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, res)
|
|
|
|
|
|
|
|
|
|
// Login should fail as email is not verified
|
|
|
|
|
loginRes, err := resolvers.LoginResolver(ctx, model.LoginInput{
|
|
|
|
|
Email: email,
|
|
|
|
|
Password: s.TestInfo.Password,
|
|
|
|
|
})
|
|
|
|
|
assert.Error(t, err)
|
|
|
|
|
assert.Nil(t, loginRes)
|
2023-09-12 13:39:37 +00:00
|
|
|
verificationRequest, err := db.Provider.GetVerificationRequestByEmail(ctx, email, constants.VerificationTypeBasicAuthSignup)
|
2023-09-11 06:15:32 +00:00
|
|
|
assert.Nil(t, err)
|
2023-09-12 13:39:37 +00:00
|
|
|
assert.Equal(t, email, verificationRequest.Email)
|
|
|
|
|
verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
|
|
|
|
|
Token: verificationRequest.Token,
|
|
|
|
|
})
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
assert.NotEqual(t, verifyRes.AccessToken, "", "access token should not be empty")
|
|
|
|
|
|
|
|
|
|
// Using access token update profile
|
|
|
|
|
s.GinContext.Request.Header.Set("Authorization", "Bearer "+refs.StringValue(verifyRes.AccessToken))
|
|
|
|
|
ctx = context.WithValue(req.Context(), "GinContextKey", s.GinContext)
|
|
|
|
|
updateProfileRes, err := resolvers.UpdateProfileResolver(ctx, model.UpdateProfileInput{
|
|
|
|
|
IsMultiFactorAuthEnabled: refs.NewBoolRef(true),
|
|
|
|
|
})
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotEmpty(t, updateProfileRes.Message)
|
|
|
|
|
memorystore.Provider.UpdateEnvVariable(constants.EnvKeyDisableTOTPLogin, false)
|
|
|
|
|
memorystore.Provider.UpdateEnvVariable(constants.EnvKeyDisableMailOTPLogin, true)
|
|
|
|
|
|
|
|
|
|
// Login should not return error but access token should be empty
|
|
|
|
|
loginRes, err = resolvers.LoginResolver(ctx, model.LoginInput{
|
|
|
|
|
Email: email,
|
|
|
|
|
Password: s.TestInfo.Password,
|
|
|
|
|
})
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, loginRes)
|
2023-09-13 08:44:56 +00:00
|
|
|
assert.NotNil(t, loginRes.TotpBase64URL)
|
|
|
|
|
assert.NotNil(t, loginRes.TotpToken)
|
2023-09-12 13:39:37 +00:00
|
|
|
assert.Nil(t, loginRes.AccessToken)
|
|
|
|
|
assert.Equal(t, loginRes.Message, `Proceed to totp screen`)
|
|
|
|
|
|
|
|
|
|
// get totp url for validation
|
2023-09-13 08:44:56 +00:00
|
|
|
pngBytes, err := base64.StdEncoding.DecodeString(*loginRes.TotpBase64URL)
|
2023-09-12 13:39:37 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
qrmatrix, err := qrcode.Decode(bytes.NewReader(pngBytes))
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
tf, label, err := twofactor.FromURL(qrmatrix.Content)
|
|
|
|
|
data := strings.Split(label, ":")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, email, data[1])
|
|
|
|
|
assert.NotNil(t, tf)
|
|
|
|
|
|
|
|
|
|
code := tf.OTP()
|
|
|
|
|
|
|
|
|
|
assert.NotEmpty(t, code)
|
|
|
|
|
|
|
|
|
|
valid, err := resolvers.VerifyTotpResolver(ctx, model.VerifyTOTPRequest{
|
|
|
|
|
Otp: code,
|
2023-09-13 08:44:56 +00:00
|
|
|
Token: *loginRes.TotpToken,
|
2023-09-12 13:39:37 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
accessToken := *valid.AccessToken
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, accessToken)
|
|
|
|
|
assert.Equal(t, `Logged in successfully`, valid.Message)
|
|
|
|
|
|
|
|
|
|
assert.NotEmpty(t, accessToken)
|
|
|
|
|
claims, err := token.ParseJWTToken(accessToken)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotEmpty(t, claims)
|
|
|
|
|
loginMethod := claims["login_method"]
|
|
|
|
|
sessionKey := verifyRes.User.ID
|
|
|
|
|
if loginMethod != nil && loginMethod != "" {
|
|
|
|
|
sessionKey = loginMethod.(string) + ":" + verifyRes.User.ID
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sessionToken, err := memorystore.Provider.GetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+claims["nonce"].(string))
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotEmpty(t, sessionToken)
|
|
|
|
|
|
|
|
|
|
cookie := fmt.Sprintf("%s=%s;", constants.AppCookieName+"_session", sessionToken)
|
|
|
|
|
cookie = strings.TrimSuffix(cookie, ";")
|
|
|
|
|
|
|
|
|
|
req.Header.Set("Cookie", cookie)
|
|
|
|
|
//logged out
|
|
|
|
|
logout, err := resolvers.LogoutResolver(ctx)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, logout.Message, `Logged out successfully`)
|
|
|
|
|
|
|
|
|
|
loginRes, err = resolvers.LoginResolver(ctx, model.LoginInput{
|
|
|
|
|
Email: email,
|
|
|
|
|
Password: s.TestInfo.Password,
|
|
|
|
|
})
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, loginRes)
|
2023-09-13 08:44:56 +00:00
|
|
|
assert.NotNil(t, loginRes.TotpToken)
|
|
|
|
|
assert.Nil(t, loginRes.TotpBase64URL)
|
2023-09-12 13:39:37 +00:00
|
|
|
assert.Nil(t, loginRes.AccessToken)
|
|
|
|
|
assert.Equal(t, loginRes.Message, `Proceed to totp screen`)
|
|
|
|
|
|
|
|
|
|
code = tf.OTP()
|
|
|
|
|
assert.NotEmpty(t, code)
|
|
|
|
|
|
|
|
|
|
valid, err = resolvers.VerifyTotpResolver(ctx, model.VerifyTOTPRequest{
|
|
|
|
|
Otp: code,
|
2023-09-13 08:44:56 +00:00
|
|
|
Token: *loginRes.TotpToken,
|
2023-09-12 13:39:37 +00:00
|
|
|
})
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, *valid.AccessToken)
|
|
|
|
|
assert.Equal(t, `Logged in successfully`, valid.Message)
|
|
|
|
|
|
|
|
|
|
cleanData(email)
|
2023-09-11 06:15:32 +00:00
|
|
|
})
|
2023-09-06 13:19:54 +00:00
|
|
|
}
|
