fe4c693324
* fix: * removed hasReversedValue in playground * feat: * added totp methods in db's providers * adding totp in login method * feat: * added toggle in dashboard * fixing issue with env set * feat: * integrated totp * feat: * encrypted userid * added totp_verified column in user table * started test for totp * feat: * test cases totp * test-cases: * completed test cases * tested for all dbs * fixes: * return variable to snake case * import refactoring * feat: * created seperate folder for authenticator with totp subfolder * refactored code * created new table for authenticators * added recovery code for totp * feat: * adding functions to different db providers * feat: * added authenticators method for all db * feat: * added logic for updating mfa in user_profile update * fix: * merge conflict * fix: * resolved mongodb, dynamodb and arangodb test case bug * added new condition for checking first time totp user or not * feat: * changes in all respective db with authenticator * fix: * PR suggested changes * fix(cassandra): list users * Update verify otp * fix totp login api --------- Co-authored-by: lemonScaletech <anand.panigrahi@scaletech.xyz>
160 lines
5.8 KiB
Go
160 lines
5.8 KiB
Go
package test
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/authorizerdev/authorizer/server/authenticators"
|
|
"github.com/authorizerdev/authorizer/server/constants"
|
|
"github.com/authorizerdev/authorizer/server/db"
|
|
"github.com/authorizerdev/authorizer/server/graph/model"
|
|
"github.com/authorizerdev/authorizer/server/memorystore"
|
|
"github.com/authorizerdev/authorizer/server/refs"
|
|
"github.com/authorizerdev/authorizer/server/resolvers"
|
|
"github.com/authorizerdev/authorizer/server/token"
|
|
"github.com/gokyle/twofactor"
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/tuotoo/qrcode"
|
|
)
|
|
|
|
func totpLoginTest(t *testing.T, s TestSetup) {
|
|
t.Helper()
|
|
t.Run(`should verify totp`, func(t *testing.T) {
|
|
req, ctx := createContext(s)
|
|
email := "verify_totp." + s.TestInfo.Email
|
|
cleanData(email)
|
|
res, err := resolvers.SignupResolver(ctx, model.SignUpInput{
|
|
Email: &email,
|
|
Password: s.TestInfo.Password,
|
|
ConfirmPassword: s.TestInfo.Password,
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, res)
|
|
|
|
// Login should fail as email is not verified
|
|
loginRes, err := resolvers.LoginResolver(ctx, model.LoginInput{
|
|
Email: &email,
|
|
Password: s.TestInfo.Password,
|
|
})
|
|
assert.Error(t, err)
|
|
assert.Nil(t, loginRes)
|
|
verificationRequest, err := db.Provider.GetVerificationRequestByEmail(ctx, email, constants.VerificationTypeBasicAuthSignup)
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, email, verificationRequest.Email)
|
|
verifyRes, err := resolvers.VerifyEmailResolver(ctx, model.VerifyEmailInput{
|
|
Token: verificationRequest.Token,
|
|
})
|
|
assert.Nil(t, err)
|
|
assert.NotEqual(t, verifyRes.AccessToken, "", "access token should not be empty")
|
|
|
|
// Using access token update profile
|
|
s.GinContext.Request.Header.Set("Authorization", "Bearer "+refs.StringValue(verifyRes.AccessToken))
|
|
ctx = context.WithValue(req.Context(), "GinContextKey", s.GinContext)
|
|
memorystore.Provider.UpdateEnvVariable(constants.EnvKeyDisableTOTPLogin, false)
|
|
memorystore.Provider.UpdateEnvVariable(constants.EnvKeyDisableMailOTPLogin, true)
|
|
memorystore.Provider.UpdateEnvVariable(constants.EnvKeyDisablePhoneVerification, true)
|
|
updateProfileRes, err := resolvers.UpdateProfileResolver(ctx, model.UpdateProfileInput{
|
|
IsMultiFactorAuthEnabled: refs.NewBoolRef(true),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, updateProfileRes.Message)
|
|
|
|
authenticators.InitTOTPStore()
|
|
// Login should not return error but access token should be empty
|
|
loginRes, err = resolvers.LoginResolver(ctx, model.LoginInput{
|
|
Email: &email,
|
|
Password: s.TestInfo.Password,
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, loginRes)
|
|
assert.True(t, *loginRes.ShouldShowTotpScreen)
|
|
assert.NotNil(t, *loginRes.AuthenticatorScannerImage)
|
|
assert.NotNil(t, *loginRes.AuthenticatorSecret)
|
|
assert.NotNil(t, loginRes.AuthenticatorRecoveryCodes)
|
|
assert.Nil(t, loginRes.AccessToken)
|
|
assert.NotEmpty(t, loginRes.Message)
|
|
|
|
// get totp url for validation
|
|
pngBytes, err := base64.StdEncoding.DecodeString(*loginRes.AuthenticatorScannerImage)
|
|
assert.NoError(t, err)
|
|
qrmatrix, err := qrcode.Decode(bytes.NewReader(pngBytes))
|
|
assert.NoError(t, err)
|
|
tf, label, err := twofactor.FromURL(qrmatrix.Content)
|
|
data := strings.Split(label, ":")
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, email, data[1])
|
|
assert.NotNil(t, tf)
|
|
code := tf.OTP()
|
|
assert.NotEmpty(t, code)
|
|
// Set mfa cookie session
|
|
mfaSession := uuid.NewString()
|
|
memorystore.Provider.SetMfaSession(verifyRes.User.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
|
|
cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
|
|
cookie = strings.TrimSuffix(cookie, ";")
|
|
req.Header.Set("Cookie", cookie)
|
|
valid, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
|
|
Email: &email,
|
|
Totp: refs.NewBoolRef(true),
|
|
Otp: code,
|
|
})
|
|
accessToken := valid.AccessToken
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, accessToken)
|
|
assert.NotEmpty(t, valid.Message)
|
|
assert.NotEmpty(t, accessToken)
|
|
claims, err := token.ParseJWTToken(*accessToken)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, claims)
|
|
loginMethod := claims["login_method"]
|
|
sessionKey := verifyRes.User.ID
|
|
if loginMethod != nil && loginMethod != "" {
|
|
sessionKey = loginMethod.(string) + ":" + verifyRes.User.ID
|
|
}
|
|
sessionToken, err := memorystore.Provider.GetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+claims["nonce"].(string))
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, sessionToken)
|
|
cookie = fmt.Sprintf("%s=%s;", constants.AppCookieName+"_session", sessionToken)
|
|
cookie = strings.TrimSuffix(cookie, ";")
|
|
req.Header.Set("Cookie", cookie)
|
|
//logged out
|
|
logout, err := resolvers.LogoutResolver(ctx)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, logout.Message)
|
|
loginRes, err = resolvers.LoginResolver(ctx, model.LoginInput{
|
|
Email: &email,
|
|
Password: s.TestInfo.Password,
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, loginRes)
|
|
assert.Nil(t, loginRes.AuthenticatorRecoveryCodes)
|
|
assert.Nil(t, loginRes.AccessToken)
|
|
assert.Nil(t, loginRes.AuthenticatorScannerImage)
|
|
assert.Nil(t, loginRes.AuthenticatorSecret)
|
|
assert.True(t, *loginRes.ShouldShowTotpScreen)
|
|
assert.NotEmpty(t, loginRes.Message)
|
|
code = tf.OTP()
|
|
assert.NotEmpty(t, code)
|
|
// Set mfa cookie session
|
|
mfaSession = uuid.NewString()
|
|
memorystore.Provider.SetMfaSession(verifyRes.User.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
|
|
cookie = fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
|
|
cookie = strings.TrimSuffix(cookie, ";")
|
|
req.Header.Set("Cookie", cookie)
|
|
valid, err = resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
|
|
Otp: code,
|
|
Email: &email,
|
|
Totp: refs.NewBoolRef(true),
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, *valid.AccessToken)
|
|
assert.NotEmpty(t, valid.Message)
|
|
cleanData(email)
|
|
})
|
|
}
|