authorizer/server/resolvers/magic_link_login.go

package resolvers

import (
	"context"
	"fmt"
	"strings"
	"time"

	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/db/models"
	"github.com/authorizerdev/authorizer/server/email"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/parsers"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
	"github.com/authorizerdev/authorizer/server/validators"
)

// MagicLinkLoginResolver is a resolver for magic link login mutation
func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInput) (*model.Response, error) {
	var res *model.Response

	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return res, err
	}

	isMagicLinkLoginDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMagicLinkLogin)
	if err != nil {
		log.Debug("Error getting magic link login disabled: ", err)
		isMagicLinkLoginDisabled = true
	}

	if isMagicLinkLoginDisabled {
		log.Debug("Magic link login is disabled.")
		return res, fmt.Errorf(`magic link login is disabled for this instance`)
	}

	params.Email = strings.ToLower(params.Email)

	if !validators.IsValidEmail(params.Email) {
		log.Debug("Invalid email")
		return res, fmt.Errorf(`invalid email address`)
	}

	log := log.WithFields(log.Fields{
		"email": params.Email,
	})

	inputRoles := []string{}

	user := models.User{
		Email: params.Email,
	}

	// find user with email
	existingUser, err := db.Provider.GetUserByEmail(params.Email)
	if err != nil {
		isSignupDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableSignUp)
		if err != nil {
			log.Debug("Error getting signup disabled: ", err)
		}
		if isSignupDisabled {
			log.Debug("Signup is disabled.")
			return res, fmt.Errorf(`signup is disabled for this instance`)
		}

		user.SignupMethods = constants.SignupMethodMagicLinkLogin
		// define roles for new user
		if len(params.Roles) > 0 {
			// check if roles exists
			roles, err := memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyRoles)
			if err != nil {
				log.Debug("Error getting roles: ", err)
				return res, err
			}
			if !validators.IsValidRoles(params.Roles, roles) {
				log.Debug("Invalid roles: ", params.Roles)
				return res, fmt.Errorf(`invalid roles`)
			} else {
				inputRoles = params.Roles
			}
		} else {
			inputRoles, err = memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
			if err != nil {
				log.Debug("Error getting default roles: ", err)
				return res, fmt.Errorf(`invalid roles`)
			}

		}

		user.Roles = strings.Join(inputRoles, ",")
		user, _ = db.Provider.AddUser(user)
	} else {
		user = existingUser
		// There multiple scenarios with roles here in magic link login
		// 1. user has access to protected roles + roles and trying to login
		// 2. user has not signed up for one of the available role but trying to signup.
		// 		Need to modify roles in this case

		if user.RevokedTimestamp != nil {
			log.Debug("User access is revoked at: ", user.RevokedTimestamp)
			return res, fmt.Errorf(`user access has been revoked`)
		}

		// find the unassigned roles
		if len(params.Roles) <= 0 {
			inputRoles, err = memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
			if err != nil {
				log.Debug("Error getting default roles: ", err)
				return res, fmt.Errorf(`invalid default roles`)
			}
		}
		existingRoles := strings.Split(existingUser.Roles, ",")
		unasignedRoles := []string{}
		for _, ir := range inputRoles {
			if !utils.StringSliceContains(existingRoles, ir) {
				unasignedRoles = append(unasignedRoles, ir)
			}
		}

		if len(unasignedRoles) > 0 {
			// check if it contains protected unassigned role
			hasProtectedRole := false
			protectedRoles, err := memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)
			if err != nil {
				log.Debug("Error getting protected roles: ", err)
				return res, err
			}
			for _, ur := range unasignedRoles {
				if utils.StringSliceContains(protectedRoles, ur) {
					hasProtectedRole = true
				}
			}

			if hasProtectedRole {
				log.Debug("User is not assigned one of the protected roles", unasignedRoles)
				return res, fmt.Errorf(`invalid roles`)
			} else {
				user.Roles = existingUser.Roles + "," + strings.Join(unasignedRoles, ",")
			}
		} else {
			user.Roles = existingUser.Roles
		}

		signupMethod := existingUser.SignupMethods
		if !strings.Contains(signupMethod, constants.SignupMethodMagicLinkLogin) {
			signupMethod = signupMethod + "," + constants.SignupMethodMagicLinkLogin
		}

		user.SignupMethods = signupMethod
		user, _ = db.Provider.UpdateUser(user)
		if err != nil {
			log.Debug("Failed to update user: ", err)
		}
	}

	hostname := parsers.GetHost(gc)
	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
	if err != nil {
		log.Debug("Error getting email verification disabled: ", err)
		isEmailVerificationDisabled = true
	}
	if !isEmailVerificationDisabled {
		// insert verification request
		_, nonceHash, err := utils.GenerateNonce()
		if err != nil {
			log.Debug("Failed to generate nonce: ", err)
			return res, err
		}
		redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
		if params.State != nil {
			redirectURLParams = redirectURLParams + "&state=" + *params.State
		}
		if params.Scope != nil && len(params.Scope) > 0 {
			redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
		}
		redirectURL := parsers.GetAppURL(gc)
		if params.RedirectURI != nil {
			redirectURL = *params.RedirectURI
		}

		if strings.Contains(redirectURL, "?") {
			redirectURL = redirectURL + "&" + redirectURLParams
		} else {
			redirectURL = redirectURL + "?" + redirectURLParams
		}

		verificationType := constants.VerificationTypeMagicLinkLogin
		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
		if err != nil {
			log.Debug("Failed to create verification token: ", err)
		}
		_, err = db.Provider.AddVerificationRequest(models.VerificationRequest{
			Token:       verificationToken,
			Identifier:  verificationType,
			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
			Email:       params.Email,
			Nonce:       nonceHash,
			RedirectURI: redirectURL,
		})
		if err != nil {
			log.Debug("Failed to add verification request in db: ", err)
			return res, err
		}

		// exec it as go routing so that we can reduce the api latency
		go email.SendVerificationMail(params.Email, verificationToken, hostname)
	}

	res = &model.Response{
		Message: `Magic Link has been sent to your email. Please check your inbox!`,
	}

	return res, nil
}
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`package resolvers`

			`import (`
			`"context"`
			`"fmt"`
			`"strings"`
			`"time"`

feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log "github.com/sirupsen/logrus"`

feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
			`"github.com/authorizerdev/authorizer/server/db"`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`"github.com/authorizerdev/authorizer/server/db/models"`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`"github.com/authorizerdev/authorizer/server/email"`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`"github.com/authorizerdev/authorizer/server/graph/model"`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/parsers"`
Implement refresh token logic with fingerprint + rotation 2022-01-22 19:54:41 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`"github.com/authorizerdev/authorizer/server/utils"`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`"github.com/authorizerdev/authorizer/server/validators"`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`)`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// MagicLinkLoginResolver is a resolver for magic link login mutation`
			`func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInput) (*model.Response, error) {`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`var res *model.Response`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00
fix: bug with authorizer url 2022-01-31 06:05:24 +00:00			`gc, err := utils.GinContextFromContext(ctx)`
			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get GinContext: ", err)`
fix: bug with authorizer url 2022-01-31 06:05:24 +00:00			`return res, err`
			`}`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`isMagicLinkLoginDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMagicLinkLogin)`
			`if err != nil {`
			`log.Debug("Error getting magic link login disabled: ", err)`
			`isMagicLinkLoginDisabled = true`
			`}`

			`if isMagicLinkLoginDisabled {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Magic link login is disabled.")`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			return res, fmt.Errorf(`magic link login is disabled for this instance`)
			`}`

			`params.Email = strings.ToLower(params.Email)`

fix: import cycle issues 2022-05-30 06:24:16 +00:00			`if !validators.IsValidEmail(params.Email) {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Invalid email")`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			return res, fmt.Errorf(`invalid email address`)
			`}`

feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log := log.WithFields(log.Fields{`
			`"email": params.Email,`
			`})`

feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`inputRoles := []string{}`

fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`user := models.User{`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`Email: params.Email,`
			`}`

			`// find user with email`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`existingUser, err := db.Provider.GetUserByEmail(params.Email)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`if err != nil {`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`isSignupDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableSignUp)`
			`if err != nil {`
			`log.Debug("Error getting signup disabled: ", err)`
			`}`
			`if isSignupDisabled {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("Signup is disabled.")`
feat: disable user signup 2022-03-16 17:19:18 +00:00			return res, fmt.Errorf(`signup is disabled for this instance`)
			`}`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`user.SignupMethods = constants.SignupMethodMagicLinkLogin`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`// define roles for new user`
			`if len(params.Roles) > 0 {`
			`// check if roles exists`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`roles, err := memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyRoles)`
			`if err != nil {`
			`log.Debug("Error getting roles: ", err)`
			`return res, err`
			`}`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`if !validators.IsValidRoles(params.Roles, roles) {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid roles: ", params.Roles)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			return res, fmt.Errorf(`invalid roles`)
			`} else {`
			`inputRoles = params.Roles`
			`}`
			`} else {`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`inputRoles, err = memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)`
			`if err != nil {`
			`log.Debug("Error getting default roles: ", err)`
			return res, fmt.Errorf(`invalid roles`)
			`}`

feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`

			`user.Roles = strings.Join(inputRoles, ",")`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`user, _ = db.Provider.AddUser(user)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`} else {`
			`user = existingUser`
			`// There multiple scenarios with roles here in magic link login`
			`// 1. user has access to protected roles + roles and trying to login`
			`// 2. user has not signed up for one of the available role but trying to signup.`
			`// Need to modify roles in this case`

feat: update user access (#151) * feat: update user access * revoked timestamp field updated * updates * updates * updates 2022-03-24 08:43:55 +00:00			`if user.RevokedTimestamp != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("User access is revoked at: ", user.RevokedTimestamp)`
feat: update user access (#151) * feat: update user access * revoked timestamp field updated * updates * updates * updates 2022-03-24 08:43:55 +00:00			return res, fmt.Errorf(`user access has been revoked`)
			`}`

feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`// find the unassigned roles`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`if len(params.Roles) <= 0 {`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`inputRoles, err = memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)`
			`if err != nil {`
			`log.Debug("Error getting default roles: ", err)`
			return res, fmt.Errorf(`invalid default roles`)
			`}`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`}`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`existingRoles := strings.Split(existingUser.Roles, ",")`
			`unasignedRoles := []string{}`
			`for _, ir := range inputRoles {`
			`if !utils.StringSliceContains(existingRoles, ir) {`
			`unasignedRoles = append(unasignedRoles, ir)`
			`}`
			`}`

			`if len(unasignedRoles) > 0 {`
			`// check if it contains protected unassigned role`
			`hasProtectedRole := false`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`protectedRoles, err := memorystore.Provider.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)`
			`if err != nil {`
			`log.Debug("Error getting protected roles: ", err)`
			`return res, err`
			`}`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`for _, ur := range unasignedRoles {`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`if utils.StringSliceContains(protectedRoles, ur) {`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`hasProtectedRole = true`
			`}`
			`}`

			`if hasProtectedRole {`
feat: add loggging to all resolvers 2022-05-24 07:12:29 +00:00			`log.Debug("User is not assigned one of the protected roles", unasignedRoles)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			return res, fmt.Errorf(`invalid roles`)
			`} else {`
			`user.Roles = existingUser.Roles + "," + strings.Join(unasignedRoles, ",")`
			`}`
			`} else {`
			`user.Roles = existingUser.Roles`
			`}`

fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`signupMethod := existingUser.SignupMethods`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`if !strings.Contains(signupMethod, constants.SignupMethodMagicLinkLogin) {`
			`signupMethod = signupMethod + "," + constants.SignupMethodMagicLinkLogin`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`

fix: refactor schema for open id claim standards 2021-12-22 05:21:12 +00:00			`user.SignupMethods = signupMethod`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`user, _ = db.Provider.UpdateUser(user)`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to update user: ", err)`
feat/add arangodb support (#80) feat: add arangodb init fix: dao for sql + arangodb * fix: update error logs * fix: use db name dynamically 2021-12-17 15:55:07 +00:00			`}`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`

fix: import cycle issues 2022-05-30 06:24:16 +00:00			`hostname := parsers.GetHost(gc)`
fix: memory store upgrade in resolvers 2022-05-30 03:49:55 +00:00			`isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)`
			`if err != nil {`
			`log.Debug("Error getting email verification disabled: ", err)`
			`isEmailVerificationDisabled = true`
			`}`
			`if !isEmailVerificationDisabled {`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`// insert verification request`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`_, nonceHash, err := utils.GenerateNonce()`
fix: auth flow 2022-03-02 12:12:31 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to generate nonce: ", err)`
fix: auth flow 2022-03-02 12:12:31 +00:00			`return res, err`
			`}`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")`
			`if params.State != nil {`
			`redirectURLParams = redirectURLParams + "&state=" + *params.State`
			`}`
			`if params.Scope != nil && len(params.Scope) > 0 {`
			`redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")`
			`}`
fix: import cycle issues 2022-05-30 06:24:16 +00:00			`redirectURL := parsers.GetAppURL(gc)`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`if params.RedirectURI != nil {`
			`redirectURL = *params.RedirectURI`
			`}`

			`if strings.Contains(redirectURL, "?") {`
			`redirectURL = redirectURL + "&" + redirectURLParams`
			`} else {`
			`redirectURL = redirectURL + "?" + redirectURLParams`
			`}`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`verificationType := constants.VerificationTypeMagicLinkLogin`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to create verification token: ", err)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`
fix: verification request model 2022-03-09 01:40:07 +00:00			`_, err = db.Provider.AddVerificationRequest(models.VerificationRequest{`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`Token: verificationToken,`
			`Identifier: verificationType,`
			`ExpiresAt: time.Now().Add(time.Minute * 30).Unix(),`
			`Email: params.Email,`
			`Nonce: nonceHash,`
			`RedirectURI: redirectURL,`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`})`
fix: verification request model 2022-03-09 01:40:07 +00:00			`if err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to add verification request in db: ", err)`
fix: verification request model 2022-03-09 01:40:07 +00:00			`return res, err`
			`}`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00
fix: verification request model 2022-03-09 01:40:07 +00:00			`// exec it as go routing so that we can reduce the api latency`
fix: auth flow 2022-03-02 12:12:31 +00:00			`go email.SendVerificationMail(params.Email, verificationToken, hostname)`
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`

			`res = &model.Response{`
feat: update app dependencies 2021-11-14 22:42:28 +00:00			Message: `Magic Link has been sent to your email. Please check your inbox!`,
feat: add support for magic link login (#65) * feat: add support for magic link login * update readme 2021-11-11 23:52:03 +00:00			`}`

			`return res, nil`
			`}`