authorizer/server/resolvers/verify_otp.go

package resolvers

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/db/models"
	"github.com/authorizerdev/authorizer/server/graph/model"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/refs"
	"github.com/authorizerdev/authorizer/server/token"
	"github.com/authorizerdev/authorizer/server/utils"
	"github.com/google/uuid"
	log "github.com/sirupsen/logrus"
)

// VerifyOtpResolver resolver for verify otp mutation
func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*model.AuthResponse, error) {
	var res *model.AuthResponse
	gc, err := utils.GinContextFromContext(ctx)
	if err != nil {
		log.Debug("Failed to get GinContext: ", err)
		return res, err
	}

	mfaSession, err := cookie.GetMfaSession(gc)
	if err != nil {
		log.Debug("Failed to get otp request by email: ", err)
		// // Ignore mfa session error in test env
		// // dont trigger email sending in case of test
		// envKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyEnv)
		// if err != nil {
		// 	envKey = ""
		// }
		// if envKey != constants.TestEnv {
		//
		// }
		return res, fmt.Errorf(`invalid session: %s`, err.Error())
	}

	if refs.StringValue(params.Email) == "" && refs.StringValue(params.PhoneNumber) == "" {
		log.Debug("Email or phone number is required")
		return res, fmt.Errorf(`email or phone_number is required`)
	}

	currentField := models.FieldNameEmail
	if refs.StringValue(params.Email) == "" {
		currentField = models.FieldNamePhoneNumber
	}
	var otp *models.OTP
	if currentField == models.FieldNameEmail {
		otp, err = db.Provider.GetOTPByEmail(ctx, refs.StringValue(params.Email))
	} else {
		otp, err = db.Provider.GetOTPByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))
	}
	if otp == nil && err != nil {
		log.Debugf("Failed to get otp request for %s: %s", currentField, err.Error())
		return res, fmt.Errorf(`invalid %s: %s`, currentField, err.Error())
	}
	if params.Otp != otp.Otp {
		log.Debug("Failed to verify otp request: Incorrect value")
		return res, fmt.Errorf(`invalid otp`)
	}
	expiresIn := otp.ExpiresAt - time.Now().Unix()
	if expiresIn < 0 {
		log.Debug("Failed to verify otp request: Timeout")
		return res, fmt.Errorf("otp expired")
	}
	var user *models.User
	if currentField == models.FieldNameEmail {
		user, err = db.Provider.GetUserByEmail(ctx, refs.StringValue(params.Email))
	} else {
		user, err = db.Provider.GetUserByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))
	}
	if user == nil || err != nil {
		fmt.Println("=> failing here....", err)
		log.Debug("Failed to get user by email or phone number: ", err)
		return res, err
	}

	if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {
		log.Debug("Failed to get mfa session: ", err)
		// Ignore mfa session error in test env
		// dont trigger email sending in case of test
		// envKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyEnv)
		// if err != nil {
		// 	envKey = ""
		// }
		// if envKey != constants.TestEnv {
		//
		// }
		return res, fmt.Errorf(`invalid session: %s`, err.Error())
	}

	isSignUp := user.EmailVerifiedAt == nil && user.PhoneNumberVerifiedAt == nil
	// TODO - Add Login method in DB when we introduce OTP for social media login
	loginMethod := constants.AuthRecipeMethodBasicAuth
	if currentField == models.FieldNamePhoneNumber {
		loginMethod = constants.AuthRecipeMethodMobileOTP
	}
	roles := strings.Split(user.Roles, ",")
	scope := []string{"openid", "email", "profile"}
	code := ""
	codeChallenge := ""
	nonce := ""
	if params.State != nil {
		// Get state from store
		authorizeState, _ := memorystore.Provider.GetState(refs.StringValue(params.State))
		if authorizeState != "" {
			authorizeStateSplit := strings.Split(authorizeState, "@@")
			if len(authorizeStateSplit) > 1 {
				code = authorizeStateSplit[0]
				codeChallenge = authorizeStateSplit[1]
			} else {
				nonce = authorizeState
			}
			go memorystore.Provider.RemoveState(refs.StringValue(params.State))
		}
	}
	if nonce == "" {
		nonce = uuid.New().String()
	}
	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
	if err != nil {
		log.Debug("Failed to create auth token: ", err)
		return res, err
	}

	// Code challenge could be optional if PKCE flow is not used
	if code != "" {
		if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
			log.Debug("Failed to set code state: ", err)
			return res, err
		}
	}

	go func() {
		db.Provider.DeleteOTP(gc, otp)
		if isSignUp {
			utils.RegisterEvent(ctx, constants.UserSignUpWebhookEvent, loginMethod, user)
			// User is also logged in with signup
			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, loginMethod, user)
		} else {
			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, loginMethod, user)
		}

		db.Provider.AddSession(ctx, &models.Session{
			UserID:    user.ID,
			UserAgent: utils.GetUserAgent(gc.Request),
			IP:        utils.GetIP(gc.Request),
		})
	}()

	authTokenExpiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
	if authTokenExpiresIn <= 0 {
		authTokenExpiresIn = 1
	}

	res = &model.AuthResponse{
		Message:     `OTP verified successfully.`,
		AccessToken: &authToken.AccessToken.Token,
		IDToken:     &authToken.IDToken.Token,
		ExpiresIn:   &authTokenExpiresIn,
		User:        user.AsAPIUser(),
	}

	sessionKey := loginMethod + ":" + user.ID
	cookie.SetSession(gc, authToken.FingerPrintHash)
	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)

	if authToken.RefreshToken != nil {
		res.RefreshToken = &authToken.RefreshToken.Token
		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
	}
	return res, nil
}
feat: add resolver for verify_otp 2022-07-23 11:14:39 +00:00			`package resolvers`

			`import (`
			`"context"`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`"fmt"`
			`"strings"`
			`"time"`
feat: add resolver for verify_otp 2022-07-23 11:14:39 +00:00
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
			`"github.com/authorizerdev/authorizer/server/cookie"`
			`"github.com/authorizerdev/authorizer/server/db"`
			`"github.com/authorizerdev/authorizer/server/db/models"`
feat: add resolver for verify_otp 2022-07-23 11:14:39 +00:00			`"github.com/authorizerdev/authorizer/server/graph/model"`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
fix: other auth recipes for oidc idp + remove logs 2022-11-15 16:15:08 +00:00			`"github.com/authorizerdev/authorizer/server/refs"`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
			`"github.com/authorizerdev/authorizer/server/utils"`
feat: add nonce variable to create auth token 2022-10-23 15:38:08 +00:00			`"github.com/google/uuid"`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`log "github.com/sirupsen/logrus"`
feat: add resolver for verify_otp 2022-07-23 11:14:39 +00:00			`)`

			`// VerifyOtpResolver resolver for verify otp mutation`
			`func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*model.AuthResponse, error) {`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`var res *model.AuthResponse`
			`gc, err := utils.GinContextFromContext(ctx)`
			`if err != nil {`
			`log.Debug("Failed to get GinContext: ", err)`
			`return res, err`
			`}`
userid ass mfa session key 2023-07-24 03:58:36 +00:00
			`mfaSession, err := cookie.GetMfaSession(gc)`
			`if err != nil {`
			`log.Debug("Failed to get otp request by email: ", err)`
Fix tests for verifying otp using mfa session 2023-08-14 08:45:52 +00:00			`// // Ignore mfa session error in test env`
			`// // dont trigger email sending in case of test`
			`// envKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyEnv)`
			`// if err != nil {`
			`// envKey = ""`
			`// }`
			`// if envKey != constants.TestEnv {`
			`//`
			`// }`
userid ass mfa session key 2023-07-24 03:58:36 +00:00			return res, fmt.Errorf(`invalid session: %s`, err.Error())
			`}`

Refactor code for otp 2023-07-13 06:09:22 +00:00			`if refs.StringValue(params.Email) == "" && refs.StringValue(params.PhoneNumber) == "" {`
			`log.Debug("Email or phone number is required")`
			return res, fmt.Errorf(`email or phone_number is required`)
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`}`

Refactor code for otp 2023-07-13 06:09:22 +00:00			`currentField := models.FieldNameEmail`
			`if refs.StringValue(params.Email) == "" {`
			`currentField = models.FieldNamePhoneNumber`
			`}`
			`var otp *models.OTP`
			`if currentField == models.FieldNameEmail {`
			`otp, err = db.Provider.GetOTPByEmail(ctx, refs.StringValue(params.Email))`
			`} else {`
			`otp, err = db.Provider.GetOTPByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))`
			`}`
			`if otp == nil && err != nil {`
			`log.Debugf("Failed to get otp request for %s: %s", currentField, err.Error())`
			return res, fmt.Errorf(`invalid %s: %s`, currentField, err.Error())
			`}`
feat: otp resolvers updated 2022-07-29 08:19:46 +00:00			`if params.Otp != otp.Otp {`
			`log.Debug("Failed to verify otp request: Incorrect value")`
			return res, fmt.Errorf(`invalid otp`)
			`}`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`expiresIn := otp.ExpiresAt - time.Now().Unix()`
feat: otp resolvers updated 2022-07-29 08:19:46 +00:00			`if expiresIn < 0 {`
			`log.Debug("Failed to verify otp request: Timeout")`
			`return res, fmt.Errorf("otp expired")`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`}`
fix: refs for db provider and few utils 2023-07-31 11:12:11 +00:00			`var user *models.User`
Refactor code for otp 2023-07-13 06:09:22 +00:00			`if currentField == models.FieldNameEmail {`
			`user, err = db.Provider.GetUserByEmail(ctx, refs.StringValue(params.Email))`
			`} else {`
fix: refs for db provider and few utils 2023-07-31 11:12:11 +00:00			`user, err = db.Provider.GetUserByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))`
Refactor code for otp 2023-07-13 06:09:22 +00:00			`}`
fix: refs for cassandra db 2023-08-01 10:39:17 +00:00			`if user == nil \|\| err != nil {`
			`fmt.Println("=> failing here....", err)`
			`log.Debug("Failed to get user by email or phone number: ", err)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`return res, err`
			`}`
userid ass mfa session key 2023-07-24 03:58:36 +00:00
			`if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {`
			`log.Debug("Failed to get mfa session: ", err)`
Fix tests for verifying otp using mfa session 2023-08-14 08:45:52 +00:00			`// Ignore mfa session error in test env`
			`// dont trigger email sending in case of test`
			`// envKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyEnv)`
			`// if err != nil {`
			`// envKey = ""`
			`// }`
			`// if envKey != constants.TestEnv {`
			`//`
			`// }`
userid ass mfa session key 2023-07-24 03:58:36 +00:00			return res, fmt.Errorf(`invalid session: %s`, err.Error())
			`}`

Refactor code for otp 2023-07-13 06:09:22 +00:00			`isSignUp := user.EmailVerifiedAt == nil && user.PhoneNumberVerifiedAt == nil`
feat: add sending otp 2022-07-29 14:19:50 +00:00			`// TODO - Add Login method in DB when we introduce OTP for social media login`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`loginMethod := constants.AuthRecipeMethodBasicAuth`
Refactor code for otp 2023-07-13 06:09:22 +00:00			`if currentField == models.FieldNamePhoneNumber {`
			`loginMethod = constants.AuthRecipeMethodMobileOTP`
			`}`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`roles := strings.Split(user.Roles, ",")`
			`scope := []string{"openid", "email", "profile"}`
fix: other auth recipes for oidc idp + remove logs 2022-11-15 16:15:08 +00:00			`code := ""`
			`codeChallenge := ""`
			`nonce := ""`
			`if params.State != nil {`
			`// Get state from store`
			`authorizeState, _ := memorystore.Provider.GetState(refs.StringValue(params.State))`
			`if authorizeState != "" {`
			`authorizeStateSplit := strings.Split(authorizeState, "@@")`
			`if len(authorizeStateSplit) > 1 {`
			`code = authorizeStateSplit[0]`
			`codeChallenge = authorizeStateSplit[1]`
			`} else {`
			`nonce = authorizeState`
			`}`
			`go memorystore.Provider.RemoveState(refs.StringValue(params.State))`
			`}`
			`}`
			`if nonce == "" {`
			`nonce = uuid.New().String()`
			`}`
			`authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`if err != nil {`
			`log.Debug("Failed to create auth token: ", err)`
			`return res, err`
			`}`

fix: other auth recipes for oidc idp + remove logs 2022-11-15 16:15:08 +00:00			`// Code challenge could be optional if PKCE flow is not used`
			`if code != "" {`
			`if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {`
			`log.Debug("Failed to set code state: ", err)`
			`return res, err`
			`}`
			`}`

update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`go func() {`
feat: add sending otp 2022-07-29 14:19:50 +00:00			`db.Provider.DeleteOTP(gc, otp)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`if isSignUp {`
			`utils.RegisterEvent(ctx, constants.UserSignUpWebhookEvent, loginMethod, user)`
fix: add events for signup 2023-08-02 04:32:41 +00:00			`// User is also logged in with signup`
			`utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, loginMethod, user)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`} else {`
			`utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, loginMethod, user)`
			`}`

fix: refs for db provider and few utils 2023-07-31 11:12:11 +00:00			`db.Provider.AddSession(ctx, &models.Session{`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`UserID: user.ID,`
			`UserAgent: utils.GetUserAgent(gc.Request),`
			`IP: utils.GetIP(gc.Request),`
			`})`
			`}()`

			`authTokenExpiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()`
			`if authTokenExpiresIn <= 0 {`
			`authTokenExpiresIn = 1`
			`}`

			`res = &model.AuthResponse{`
			Message: `OTP verified successfully.`,
			`AccessToken: &authToken.AccessToken.Token,`
			`IDToken: &authToken.IDToken.Token,`
			`ExpiresIn: &authTokenExpiresIn,`
			`User: user.AsAPIUser(),`
			`}`

			`sessionKey := loginMethod + ":" + user.ID`
			`cookie.SetSession(gc, authToken.FingerPrintHash)`
fix: session storage 2023-04-08 07:36:15 +00:00			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)`
			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00
			`if authToken.RefreshToken != nil {`
			`res.RefreshToken = &authToken.RefreshToken.Token`
fix: session storage 2023-04-08 07:36:15 +00:00			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)`
update: verify otp resolver and test added 2022-07-23 13:02:31 +00:00			`}`
			`return res, nil`
feat: add resolver for verify_otp 2022-07-23 11:14:39 +00:00			`}`