mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-07-31 16:14:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add resource whitelist auth method

Browse source
This commit is contained in:
Milo Schwartz 2024-12-16 22:40:42 -05:00
parent 998fab6d0a
commit 207a7b8a39
No known key found for this signature in database
20 changed files with 970 additions and 739 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/auth/actions.ts
View file

@ -49,9 +49,7 @@ export enum ActionsEnum {
// addUserAction = "addUserAction", // addUserAction = "addUserAction",
// removeUserAction = "removeUserAction", // removeUserAction = "removeUserAction",
// removeUserSite = "removeUserSite", // removeUserSite = "removeUserSite",
getOrgUser = "getOrgUser", getOrgUser = "getOrgUser"
setResourceAuthMethods = "setResourceAuthMethods",
getResourceAuthMethods = "getResourceAuthMethods",
} }
export async function checkUserActionPermission( export async function checkUserActionPermission(

8
server/auth/resource.ts
View file

@ -16,10 +16,10 @@ export async function createResourceSession(opts: {
resourceId: number; resourceId: number;
passwordId?: number; passwordId?: number;
pincodeId?: number; pincodeId?: number;
whitelistId: number; whitelistId?: number;
usedOtp?: boolean; usedOtp?: boolean;
}): Promise<ResourceSession> { }): Promise<ResourceSession> {
if (!opts.passwordId && !opts.pincodeId) { if (!opts.passwordId && !opts.pincodeId && !opts.whitelistId) {
throw new Error( throw new Error(
"At least one of passwordId or pincodeId must be provided" "At least one of passwordId or pincodeId must be provided"
); );
@ -35,8 +35,7 @@ export async function createResourceSession(opts: {
resourceId: opts.resourceId, resourceId: opts.resourceId,
passwordId: opts.passwordId || null, passwordId: opts.passwordId || null,
pincodeId: opts.pincodeId || null, pincodeId: opts.pincodeId || null,
whitelistId: opts.whitelistId, whitelistId: opts.whitelistId || null
usedOtp: opts.usedOtp || false
}; };
await db.insert(resourceSessions).values(session); await db.insert(resourceSessions).values(session);
@ -129,7 +128,6 @@ export async function invalidateAllSessions(
eq(resourceSessions.whitelistId, method.whitelistId) eq(resourceSessions.whitelistId, method.whitelistId)
) )
); );
} }
if (!method?.passwordId && !method?.pincodeId && !method?.whitelistId) { if (!method?.passwordId && !method?.pincodeId && !method?.whitelistId) {
await db await db

22
server/db/schema.ts
View file

@ -46,7 +46,7 @@ export const resources = sqliteTable("resources", {
.notNull() .notNull()
.default(false), .default(false),
sso: integer("sso", { mode: "boolean" }).notNull().default(true), sso: integer("sso", { mode: "boolean" }).notNull().default(true),
otpEnabled: integer("otpEnabled", { mode: "boolean" }) emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
.notNull() .notNull()
.default(false) .default(false)
}); });
@ -282,7 +282,6 @@ export const resourceSessions = sqliteTable("resourceSessions", {
resourceId: integer("resourceId") resourceId: integer("resourceId")
.notNull() .notNull()
.references(() => resources.resourceId, { onDelete: "cascade" }), .references(() => resources.resourceId, { onDelete: "cascade" }),
usedOtp: integer("usedOtp", { mode: "boolean" }).notNull().default(false),
expiresAt: integer("expiresAt").notNull(), expiresAt: integer("expiresAt").notNull(),
passwordId: integer("passwordId").references( passwordId: integer("passwordId").references(
() => resourcePassword.passwordId, () => resourcePassword.passwordId,
@ -297,23 +296,20 @@ export const resourceSessions = sqliteTable("resourceSessions", {
} }
), ),
whitelistId: integer("whitelistId").references( whitelistId: integer("whitelistId").references(
() => resourceWhitelistedEmail.whitelistId, () => resourceWhitelist.whitelistId,
{ {
onDelete: "cascade" onDelete: "cascade"
} }
) )
}); });
export const resourceWhitelistedEmail = sqliteTable( export const resourceWhitelist = sqliteTable("resourceWhitelist", {
"resourceWhitelistedEmail", whitelistId: integer("id").primaryKey({ autoIncrement: true }),
{ email: text("email").notNull(),
whitelistId: integer("id").primaryKey({ autoIncrement: true }), resourceId: integer("resourceId")
email: text("email").primaryKey(), .notNull()
resourceId: integer("resourceId") .references(() => resources.resourceId, { onDelete: "cascade" })
.notNull() });
.references(() => resources.resourceId, { onDelete: "cascade" })
}
);
export const resourceOtp = sqliteTable("resourceOtp", { export const resourceOtp = sqliteTable("resourceOtp", {
otpId: integer("otpId").primaryKey({ otpId: integer("otpId").primaryKey({

99
server/routers/external.ts
View file

@ -18,7 +18,7 @@ import {
verifyRoleAccess, verifyRoleAccess,
verifySetResourceUsers, verifySetResourceUsers,
verifyUserAccess, verifyUserAccess,
getUserOrgs, getUserOrgs
} from "@server/middlewares"; } from "@server/middlewares";
import { verifyUserHasAction } from "../middlewares/verifyUserHasAction"; import { verifyUserHasAction } from "../middlewares/verifyUserHasAction";
import { ActionsEnum } from "@server/auth/actions"; import { ActionsEnum } from "@server/auth/actions";
@ -43,51 +43,51 @@ authenticated.get(
"/org/:orgId", "/org/:orgId",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.getOrg), verifyUserHasAction(ActionsEnum.getOrg),
org.getOrg, org.getOrg
); );
authenticated.post( authenticated.post(
"/org/:orgId", "/org/:orgId",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.updateOrg), verifyUserHasAction(ActionsEnum.updateOrg),
org.updateOrg, org.updateOrg
); );
authenticated.delete( authenticated.delete(
"/org/:orgId", "/org/:orgId",
verifyOrgAccess, verifyOrgAccess,
verifyUserIsOrgOwner, verifyUserIsOrgOwner,
org.deleteOrg, org.deleteOrg
); );
authenticated.put( authenticated.put(
"/org/:orgId/site", "/org/:orgId/site",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.createSite), verifyUserHasAction(ActionsEnum.createSite),
site.createSite, site.createSite
); );
authenticated.get( authenticated.get(
"/org/:orgId/sites", "/org/:orgId/sites",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.listSites), verifyUserHasAction(ActionsEnum.listSites),
site.listSites, site.listSites
); );
authenticated.get( authenticated.get(
"/org/:orgId/site/:niceId", "/org/:orgId/site/:niceId",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.getSite), verifyUserHasAction(ActionsEnum.getSite),
site.getSite, site.getSite
); );
authenticated.get( authenticated.get(
"/org/:orgId/pick-site-defaults", "/org/:orgId/pick-site-defaults",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.createSite), verifyUserHasAction(ActionsEnum.createSite),
site.pickSiteDefaults, site.pickSiteDefaults
); );
authenticated.get( authenticated.get(
"/site/:siteId", "/site/:siteId",
verifySiteAccess, verifySiteAccess,
verifyUserHasAction(ActionsEnum.getSite), verifyUserHasAction(ActionsEnum.getSite),
site.getSite, site.getSite
); );
// authenticated.get( // authenticated.get(
// "/site/:siteId/roles", // "/site/:siteId/roles",
@ -99,38 +99,38 @@ authenticated.post(
"/site/:siteId", "/site/:siteId",
verifySiteAccess, verifySiteAccess,
verifyUserHasAction(ActionsEnum.updateSite), verifyUserHasAction(ActionsEnum.updateSite),
site.updateSite, site.updateSite
); );
authenticated.delete( authenticated.delete(
"/site/:siteId", "/site/:siteId",
verifySiteAccess, verifySiteAccess,
verifyUserHasAction(ActionsEnum.deleteSite), verifyUserHasAction(ActionsEnum.deleteSite),
site.deleteSite, site.deleteSite
); );
authenticated.put( authenticated.put(
"/org/:orgId/site/:siteId/resource", "/org/:orgId/site/:siteId/resource",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.createResource), verifyUserHasAction(ActionsEnum.createResource),
resource.createResource, resource.createResource
); );
authenticated.get( authenticated.get(
"/site/:siteId/resources", "/site/:siteId/resources",
verifyUserHasAction(ActionsEnum.listResources), verifyUserHasAction(ActionsEnum.listResources),
resource.listResources, resource.listResources
); );
authenticated.get( authenticated.get(
"/org/:orgId/resources", "/org/:orgId/resources",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.listResources), verifyUserHasAction(ActionsEnum.listResources),
resource.listResources, resource.listResources
); );
authenticated.post( authenticated.post(
"/org/:orgId/create-invite", "/org/:orgId/create-invite",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.inviteUser), verifyUserHasAction(ActionsEnum.inviteUser),
user.inviteUser, user.inviteUser
); // maybe make this /invite/create instead ); // maybe make this /invite/create instead
authenticated.post("/invite/accept", user.acceptInvite); authenticated.post("/invite/accept", user.acceptInvite);
@ -138,77 +138,77 @@ authenticated.get(
"/resource/:resourceId/roles", "/resource/:resourceId/roles",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.listResourceRoles), verifyUserHasAction(ActionsEnum.listResourceRoles),
resource.listResourceRoles, resource.listResourceRoles
); );
authenticated.get( authenticated.get(
"/resource/:resourceId/users", "/resource/:resourceId/users",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.listResourceUsers), verifyUserHasAction(ActionsEnum.listResourceUsers),
resource.listResourceUsers, resource.listResourceUsers
); );
authenticated.get( authenticated.get(
"/resource/:resourceId", "/resource/:resourceId",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.getResource), verifyUserHasAction(ActionsEnum.getResource),
resource.getResource, resource.getResource
); );
authenticated.post( authenticated.post(
"/resource/:resourceId", "/resource/:resourceId",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.updateResource), verifyUserHasAction(ActionsEnum.updateResource),
resource.updateResource, resource.updateResource
); );
authenticated.delete( authenticated.delete(
"/resource/:resourceId", "/resource/:resourceId",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.deleteResource), verifyUserHasAction(ActionsEnum.deleteResource),
resource.deleteResource, resource.deleteResource
); );
authenticated.put( authenticated.put(
"/resource/:resourceId/target", "/resource/:resourceId/target",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.createTarget), verifyUserHasAction(ActionsEnum.createTarget),
target.createTarget, target.createTarget
); );
authenticated.get( authenticated.get(
"/resource/:resourceId/targets", "/resource/:resourceId/targets",
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.listTargets), verifyUserHasAction(ActionsEnum.listTargets),
target.listTargets, target.listTargets
); );
authenticated.get( authenticated.get(
"/target/:targetId", "/target/:targetId",
verifyTargetAccess, verifyTargetAccess,
verifyUserHasAction(ActionsEnum.getTarget), verifyUserHasAction(ActionsEnum.getTarget),
target.getTarget, target.getTarget
); );
authenticated.post( authenticated.post(
"/target/:targetId", "/target/:targetId",
verifyTargetAccess, verifyTargetAccess,
verifyUserHasAction(ActionsEnum.updateTarget), verifyUserHasAction(ActionsEnum.updateTarget),
target.updateTarget, target.updateTarget
); );
authenticated.delete( authenticated.delete(
"/target/:targetId", "/target/:targetId",
verifyTargetAccess, verifyTargetAccess,
verifyUserHasAction(ActionsEnum.deleteTarget), verifyUserHasAction(ActionsEnum.deleteTarget),
target.deleteTarget, target.deleteTarget
); );
authenticated.put( authenticated.put(
"/org/:orgId/role", "/org/:orgId/role",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.createRole), verifyUserHasAction(ActionsEnum.createRole),
role.createRole, role.createRole
); );
authenticated.get( authenticated.get(
"/org/:orgId/roles", "/org/:orgId/roles",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.listRoles), verifyUserHasAction(ActionsEnum.listRoles),
role.listRoles, role.listRoles
); );
// authenticated.get( // authenticated.get(
// "/role/:roleId", // "/role/:roleId",
@ -227,14 +227,14 @@ authenticated.delete(
"/role/:roleId", "/role/:roleId",
verifyRoleAccess, verifyRoleAccess,
verifyUserHasAction(ActionsEnum.deleteRole), verifyUserHasAction(ActionsEnum.deleteRole),
role.deleteRole, role.deleteRole
); );
authenticated.post( authenticated.post(
"/role/:roleId/add/:userId", "/role/:roleId/add/:userId",
verifyRoleAccess, verifyRoleAccess,
verifyUserAccess, verifyUserAccess,
verifyUserHasAction(ActionsEnum.addUserRole), verifyUserHasAction(ActionsEnum.addUserRole),
user.addUserRole, user.addUserRole
); );
// authenticated.put( // authenticated.put(
@ -264,7 +264,7 @@ authenticated.post(
verifyResourceAccess, verifyResourceAccess,
verifyRoleAccess, verifyRoleAccess,
verifyUserHasAction(ActionsEnum.setResourceRoles), verifyUserHasAction(ActionsEnum.setResourceRoles),
resource.setResourceRoles, resource.setResourceRoles
); );
authenticated.post( authenticated.post(
@ -272,21 +272,35 @@ authenticated.post(
verifyResourceAccess, verifyResourceAccess,
verifySetResourceUsers, verifySetResourceUsers,
verifyUserHasAction(ActionsEnum.setResourceUsers), verifyUserHasAction(ActionsEnum.setResourceUsers),
resource.setResourceUsers, resource.setResourceUsers
); );
authenticated.post( authenticated.post(
`/resource/:resourceId/password`, `/resource/:resourceId/password`,
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.setResourceAuthMethods), verifyUserHasAction(ActionsEnum.updateResource), // REVIEW: group all resource related updates under update resource?
resource.setResourcePassword, resource.setResourcePassword
); );
authenticated.post( authenticated.post(
`/resource/:resourceId/pincode`, `/resource/:resourceId/pincode`,
verifyResourceAccess, verifyResourceAccess,
verifyUserHasAction(ActionsEnum.setResourceAuthMethods), verifyUserHasAction(ActionsEnum.updateResource),
resource.setResourcePincode, resource.setResourcePincode
);
authenticated.post(
`/resource/:resourceId/whitelist`,
verifyResourceAccess,
verifyUserHasAction(ActionsEnum.updateResource),
resource.setResourceWhitelist
);
authenticated.get(
`/resource/:resourceId/whitelist`,
verifyResourceAccess,
verifyUserHasAction(ActionsEnum.getResource),
resource.getResourceWhitelist
); );
unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo); unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo);
@ -327,14 +341,14 @@ authenticated.get(
"/org/:orgId/users", "/org/:orgId/users",
verifyOrgAccess, verifyOrgAccess,
verifyUserHasAction(ActionsEnum.listUsers), verifyUserHasAction(ActionsEnum.listUsers),
user.listUsers, user.listUsers
); );
authenticated.delete( authenticated.delete(
"/org/:orgId/user/:userId", "/org/:orgId/user/:userId",
verifyOrgAccess, verifyOrgAccess,
verifyUserAccess, verifyUserAccess,
verifyUserHasAction(ActionsEnum.removeUser), verifyUserHasAction(ActionsEnum.removeUser),
user.removeUserOrg, user.removeUserOrg
); );
// authenticated.put( // authenticated.put(
@ -375,8 +389,8 @@ authRouter.use(
rateLimitMiddleware({ rateLimitMiddleware({
windowMin: 10, windowMin: 10,
max: 75, max: 75,
type: "IP_AND_PATH", type: "IP_AND_PATH"
}), })
); );
authRouter.put("/signup", auth.signup); authRouter.put("/signup", auth.signup);
@ -388,22 +402,23 @@ authRouter.post("/2fa/enable", verifySessionUserMiddleware, auth.verifyTotp);
authRouter.post( authRouter.post(
"/2fa/request", "/2fa/request",
verifySessionUserMiddleware, verifySessionUserMiddleware,
auth.requestTotpSecret, auth.requestTotpSecret
); );
authRouter.post("/2fa/disable", verifySessionUserMiddleware, auth.disable2fa); authRouter.post("/2fa/disable", verifySessionUserMiddleware, auth.disable2fa);
authRouter.post("/verify-email", verifySessionMiddleware, auth.verifyEmail); authRouter.post("/verify-email", verifySessionMiddleware, auth.verifyEmail);
authRouter.post( authRouter.post(
"/verify-email/request", "/verify-email/request",
verifySessionMiddleware, verifySessionMiddleware,
auth.requestEmailVerificationCode, auth.requestEmailVerificationCode
); );
authRouter.post( authRouter.post(
"/change-password", "/change-password",
verifySessionUserMiddleware, verifySessionUserMiddleware,
auth.changePassword, auth.changePassword
); );
authRouter.post("/reset-password/request", auth.requestPasswordReset); authRouter.post("/reset-password/request", auth.requestPasswordReset);
authRouter.post("/reset-password/", auth.resetPassword); authRouter.post("/reset-password/", auth.resetPassword);
authRouter.post("/resource/:resourceId/password", resource.authWithPassword); authRouter.post("/resource/:resourceId/password", resource.authWithPassword);
authRouter.post("/resource/:resourceId/pincode", resource.authWithPincode); authRouter.post("/resource/:resourceId/pincode", resource.authWithPincode);
authRouter.post("/resource/:resourceId/whitelist", resource.authWithWhitelist);

74
server/routers/resource/authWithPassword.ts
View file

@ -1,10 +1,10 @@
import { verify } from "@node-rs/argon2"; import { verify } from "@node-rs/argon2";
import { generateSessionToken } from "@server/auth"; import { generateSessionToken } from "@server/auth";
import db from "@server/db"; import db from "@server/db";
import { orgs, resourceOtp, resourcePassword, resources } from "@server/db/schema"; import { orgs, resourcePassword, resources } from "@server/db/schema";
import HttpCode from "@server/types/HttpCode"; import HttpCode from "@server/types/HttpCode";
import response from "@server/utils/response"; import response from "@server/utils/response";
import { and, eq } from "drizzle-orm"; import { eq } from "drizzle-orm";
import { NextFunction, Request, Response } from "express"; import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors"; import createHttpError from "http-errors";
import { z } from "zod"; import { z } from "zod";
@ -13,14 +13,10 @@ import {
createResourceSession, createResourceSession,
serializeResourceSessionCookie serializeResourceSessionCookie
} from "@server/auth/resource"; } from "@server/auth/resource";
import logger from "@server/logger";
import config from "@server/config"; import config from "@server/config";
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
export const authWithPasswordBodySchema = z.object({ export const authWithPasswordBodySchema = z.object({
password: z.string(), password: z.string()
email: z.string().email().optional(),
otp: z.string().optional()
}); });
export const authWithPasswordParamsSchema = z.object({ export const authWithPasswordParamsSchema = z.object({
@ -28,8 +24,6 @@ export const authWithPasswordParamsSchema = z.object({
}); });
export type AuthWithPasswordResponse = { export type AuthWithPasswordResponse = {
otpRequested?: boolean;
otpSent?: boolean;
session?: string; session?: string;
}; };
@ -61,7 +55,7 @@ export async function authWithPassword(
} }
const { resourceId } = parsedParams.data; const { resourceId } = parsedParams.data;
const { email, password, otp } = parsedBody.data; const { password } = parsedBody.data;
try { try {
const [result] = await db const [result] = await db
@ -119,69 +113,11 @@ export async function authWithPassword(
); );
} }
if (resource.otpEnabled) {
if (otp && email) {
const isValidCode = await isValidOtp(
email,
resource.resourceId,
otp
);
if (!isValidCode) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
);
}
await db
.delete(resourceOtp)
.where(
and(
eq(resourceOtp.email, email),
eq(resourceOtp.resourceId, resource.resourceId)
)
);
} else if (email) {
try {
await sendResourceOtpEmail(
email,
resource.resourceId,
resource.name,
org.name
);
return response<AuthWithPasswordResponse>(res, {
data: { otpSent: true },
success: true,
error: false,
message: "Sent one-time otp to email address",
status: HttpCode.ACCEPTED
});
} catch (e) {
logger.error(e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to send one-time otp. Make sure the email address is correct and try again."
)
);
}
} else {
return response<AuthWithPasswordResponse>(res, {
data: { otpRequested: true },
success: true,
error: false,
message: "One-time otp required to complete authentication",
status: HttpCode.ACCEPTED
});
}
}
const token = generateSessionToken(); const token = generateSessionToken();
await createResourceSession({ await createResourceSession({
resourceId, resourceId,
token, token,
passwordId: definedPassword.passwordId, passwordId: definedPassword.passwordId
usedOtp: otp !== undefined,
email
}); });
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`; const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
const cookie = serializeResourceSessionCookie( const cookie = serializeResourceSessionCookie(

71
server/routers/resource/authWithPincode.ts
View file

@ -5,7 +5,8 @@ import {
orgs, orgs,
resourceOtp, resourceOtp,
resourcePincode, resourcePincode,
resources resources,
resourceWhitelist
} from "@server/db/schema"; } from "@server/db/schema";
import HttpCode from "@server/types/HttpCode"; import HttpCode from "@server/types/HttpCode";
import response from "@server/utils/response"; import response from "@server/utils/response";
@ -24,9 +25,7 @@ import { AuthWithPasswordResponse } from "./authWithPassword";
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp"; import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
export const authWithPincodeBodySchema = z.object({ export const authWithPincodeBodySchema = z.object({
pincode: z.string(), pincode: z.string()
email: z.string().email().optional(),
otp: z.string().optional()
}); });
export const authWithPincodeParamsSchema = z.object({ export const authWithPincodeParamsSchema = z.object({
@ -34,8 +33,6 @@ export const authWithPincodeParamsSchema = z.object({
}); });
export type AuthWithPincodeResponse = { export type AuthWithPincodeResponse = {
otpRequested?: boolean;
otpSent?: boolean;
session?: string; session?: string;
}; };
@ -67,7 +64,7 @@ export async function authWithPincode(
} }
const { resourceId } = parsedParams.data; const { resourceId } = parsedParams.data;
const { email, pincode, otp } = parsedBody.data; const { pincode } = parsedBody.data;
try { try {
const [result] = await db const [result] = await db
@ -124,69 +121,11 @@ export async function authWithPincode(
); );
} }
if (resource.otpEnabled) {
if (otp && email) {
const isValidCode = await isValidOtp(
email,
resource.resourceId,
otp
);
if (!isValidCode) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
);
}
await db
.delete(resourceOtp)
.where(
and(
eq(resourceOtp.email, email),
eq(resourceOtp.resourceId, resource.resourceId)
)
);
} else if (email) {
try {
await sendResourceOtpEmail(
email,
resource.resourceId,
resource.name,
org.name
);
return response<AuthWithPasswordResponse>(res, {
data: { otpSent: true },
success: true,
error: false,
message: "Sent one-time otp to email address",
status: HttpCode.ACCEPTED
});
} catch (e) {
logger.error(e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to send one-time otp. Make sure the email address is correct and try again."
)
);
}
} else {
return response<AuthWithPasswordResponse>(res, {
data: { otpRequested: true },
success: true,
error: false,
message: "One-time otp required to complete authentication",
status: HttpCode.ACCEPTED
});
}
}
const token = generateSessionToken(); const token = generateSessionToken();
await createResourceSession({ await createResourceSession({
resourceId, resourceId,
token, token,
pincodeId: definedPincode.pincodeId, pincodeId: definedPincode.pincodeId
usedOtp: otp !== undefined,
email
}); });
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`; const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
const cookie = serializeResourceSessionCookie( const cookie = serializeResourceSessionCookie(

200
server/routers/resource/authWithWhitelist.ts Normal file
View file

@ -0,0 +1,200 @@
import { generateSessionToken } from "@server/auth";
import db from "@server/db";
import {
orgs,
resourceOtp,
resourcePassword,
resources,
resourceWhitelist
} from "@server/db/schema";
import HttpCode from "@server/types/HttpCode";
import response from "@server/utils/response";
import { eq, and } from "drizzle-orm";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import {
createResourceSession,
serializeResourceSessionCookie
} from "@server/auth/resource";
import config from "@server/config";
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
import logger from "@server/logger";
const authWithWhitelistBodySchema = z.object({
email: z.string().email(),
otp: z.string().optional()
});
const authWithWhitelistParamsSchema = z.object({
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
});
export type AuthWithWhitelistResponse = {
otpSent?: boolean;
session?: string;
};
export async function authWithWhitelist(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
const parsedBody = authWithWhitelistBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const parsedParams = authWithWhitelistParamsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { resourceId } = parsedParams.data;
const { email, otp } = parsedBody.data;
try {
const [result] = await db
.select()
.from(resourceWhitelist)
.where(
and(
eq(resourceWhitelist.resourceId, resourceId),
eq(resourceWhitelist.email, email)
)
)
.leftJoin(
resources,
eq(resources.resourceId, resourceWhitelist.resourceId)
)
.leftJoin(orgs, eq(orgs.orgId, resources.orgId))
.limit(1);
const resource = result?.resources;
const org = result?.orgs;
const whitelistedEmail = result?.resourceWhitelist;
if (!whitelistedEmail) {
return next(
createHttpError(
HttpCode.UNAUTHORIZED,
createHttpError(
HttpCode.BAD_REQUEST,
"Email is not whitelisted"
)
)
);
}
if (!org) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
);
}
if (!resource) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
);
}
if (otp && email) {
const isValidCode = await isValidOtp(
email,
resource.resourceId,
otp
);
if (!isValidCode) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
);
}
await db
.delete(resourceOtp)
.where(
and(
eq(resourceOtp.email, email),
eq(resourceOtp.resourceId, resource.resourceId)
)
);
} else if (email) {
try {
await sendResourceOtpEmail(
email,
resource.resourceId,
resource.name,
org.name
);
return response<AuthWithWhitelistResponse>(res, {
data: { otpSent: true },
success: true,
error: false,
message: "Sent one-time otp to email address",
status: HttpCode.ACCEPTED
});
} catch (e) {
logger.error(e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to send one-time otp. Make sure the email address is correct and try again."
)
);
}
} else {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Email is required for whitelist authentication"
)
);
}
const token = generateSessionToken();
await createResourceSession({
resourceId,
token,
whitelistId: whitelistedEmail.whitelistId
});
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
const cookie = serializeResourceSessionCookie(
cookieName,
token,
resource.fullDomain
);
res.appendHeader("Set-Cookie", cookie);
return response<AuthWithWhitelistResponse>(res, {
data: {
session: token
},
success: true,
error: false,
message: "Authenticated with resource successfully",
status: HttpCode.OK
});
} catch (e) {
throw e;
logger.error(e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to authenticate with resource"
)
);
}
}

2
server/routers/resource/getResourceAuthInfo.ts
View file

@ -24,6 +24,7 @@ export type GetResourceAuthInfoResponse = {
sso: boolean; sso: boolean;
blockAccess: boolean; blockAccess: boolean;
url: string; url: string;
whitelist: boolean;
}; };
export async function getResourceAuthInfo( export async function getResourceAuthInfo(
@ -79,6 +80,7 @@ export async function getResourceAuthInfo(
sso: resource.sso, sso: resource.sso,
blockAccess: resource.blockAccess, blockAccess: resource.blockAccess,
url, url,
whitelist: resource.emailWhitelistEnabled
}, },
success: true, success: true,
error: false, error: false,

64
server/routers/resource/getResourceWhitelist.ts Normal file
View file

@ -0,0 +1,64 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { resourceWhitelist, users } from "@server/db/schema"; // Assuming these are the correct tables
import { eq } from "drizzle-orm";
import response from "@server/utils/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
const getResourceWhitelistSchema = z.object({
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
});
async function queryWhitelist(resourceId: number) {
return await db
.select({
email: resourceWhitelist.email
})
.from(resourceWhitelist)
.where(eq(resourceWhitelist.resourceId, resourceId));
}
export type GetResourceWhitelistResponse = {
whitelist: NonNullable<Awaited<ReturnType<typeof queryWhitelist>>>;
};
export async function getResourceWhitelist(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = getResourceWhitelistSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { resourceId } = parsedParams.data;
const whitelist = await queryWhitelist(resourceId);
return response<GetResourceWhitelistResponse>(res, {
data: {
whitelist
},
success: true,
error: false,
message: "Resource whitelist retrieved successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

3
server/routers/resource/index.ts
View file

@ -12,3 +12,6 @@ export * from "./authWithPassword";
export * from "./getResourceAuthInfo"; export * from "./getResourceAuthInfo";
export * from "./setResourcePincode"; export * from "./setResourcePincode";
export * from "./authWithPincode"; export * from "./authWithPincode";
export * from "./setResourceWhitelist";
export * from "./getResourceWhitelist";
export * from "./authWithWhitelist";

2
server/routers/resource/listResources.ts
View file

@ -62,6 +62,7 @@ function queryResources(
passwordId: resourcePassword.passwordId, passwordId: resourcePassword.passwordId,
pincodeId: resourcePincode.pincodeId, pincodeId: resourcePincode.pincodeId,
sso: resources.sso, sso: resources.sso,
whitelist: resources.emailWhitelistEnabled
}) })
.from(resources) .from(resources)
.leftJoin(sites, eq(resources.siteId, sites.siteId)) .leftJoin(sites, eq(resources.siteId, sites.siteId))
@ -91,6 +92,7 @@ function queryResources(
passwordId: resourcePassword.passwordId, passwordId: resourcePassword.passwordId,
sso: resources.sso, sso: resources.sso,
pincodeId: resourcePincode.pincodeId, pincodeId: resourcePincode.pincodeId,
whitelist: resources.emailWhitelistEnabled
}) })
.from(resources) .from(resources)
.leftJoin(sites, eq(resources.siteId, sites.siteId)) .leftJoin(sites, eq(resources.siteId, sites.siteId))

120
server/routers/resource/setResourceWhitelist.ts Normal file
View file

@ -0,0 +1,120 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { resources, resourceWhitelist } from "@server/db/schema";
import response from "@server/utils/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { and, eq } from "drizzle-orm";
const setResourceWhitelistBodySchema = z.object({
emails: z.array(z.string().email()).max(50)
});
const setResourceWhitelistParamsSchema = z.object({
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
});
export async function setResourceWhitelist(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedBody = setResourceWhitelistBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { emails } = parsedBody.data;
const parsedParams = setResourceWhitelistParamsSchema.safeParse(
req.params
);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { resourceId } = parsedParams.data;
const [resource] = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId));
if (!resource) {
return next(
createHttpError(HttpCode.NOT_FOUND, "Resource not found")
);
}
if (!resource.emailWhitelistEnabled) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Email whitelist is not enabled for this resource"
)
);
}
const whitelist = await db
.select()
.from(resourceWhitelist)
.where(eq(resourceWhitelist.resourceId, resourceId));
await db.transaction(async (trx) => {
// diff the emails
const existingEmails = whitelist.map((w) => w.email);
const emailsToAdd = emails.filter(
(e) => !existingEmails.includes(e)
);
const emailsToRemove = existingEmails.filter(
(e) => !emails.includes(e)
);
for (const email of emailsToAdd) {
await trx.insert(resourceWhitelist).values({
email,
resourceId
});
}
for (const email of emailsToRemove) {
await trx
.delete(resourceWhitelist)
.where(
and(
eq(resourceWhitelist.resourceId, resourceId),
eq(resourceWhitelist.email, email)
)
);
}
return response(res, {
data: {},
success: true,
error: false,
message: "Whitelist set for resource successfully",
status: HttpCode.CREATED
});
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

1
server/routers/resource/updateResource.ts
View file

@ -21,6 +21,7 @@ const updateResourceBodySchema = z
ssl: z.boolean().optional(), ssl: z.boolean().optional(),
sso: z.boolean().optional(), sso: z.boolean().optional(),
blockAccess: z.boolean().optional(), blockAccess: z.boolean().optional(),
emailWhitelistEnabled: z.boolean().optional(),
// siteId: z.number(), // siteId: z.number(),
}) })
.strict() .strict()

164
src/app/[orgId]/settings/resources/[resourceId]/authentication/page.tsx
View file

@ -9,6 +9,7 @@ import { AxiosResponse } from "axios";
import { formatAxiosError } from "@app/lib/utils"; import { formatAxiosError } from "@app/lib/utils";
import { import {
GetResourceAuthInfoResponse, GetResourceAuthInfoResponse,
GetResourceWhitelistResponse,
ListResourceRolesResponse, ListResourceRolesResponse,
ListResourceUsersResponse ListResourceUsersResponse
} from "@server/routers/resource"; } from "@server/routers/resource";
@ -53,6 +54,15 @@ const UsersRolesFormSchema = z.object({
) )
}); });
const whitelistSchema = z.object({
emails: z.array(
z.object({
id: z.string(),
text: z.string()
})
)
});
export default function ResourceAuthenticationPage() { export default function ResourceAuthenticationPage() {
const { toast } = useToast(); const { toast } = useToast();
const { org } = useOrgContext(); const { org } = useOrgContext();
@ -76,10 +86,19 @@ export default function ResourceAuthenticationPage() {
number | null number | null
>(null); >(null);
const [activeEmailTagIndex, setActiveEmailTagIndex] = useState<
number | null
>(null);
const [ssoEnabled, setSsoEnabled] = useState(resource.sso); const [ssoEnabled, setSsoEnabled] = useState(resource.sso);
// const [blockAccess, setBlockAccess] = useState(resource.blockAccess); // const [blockAccess, setBlockAccess] = useState(resource.blockAccess);
const [whitelistEnabled, setWhitelistEnabled] = useState(
resource.emailWhitelistEnabled
);
const [loadingSaveUsersRoles, setLoadingSaveUsersRoles] = useState(false); const [loadingSaveUsersRoles, setLoadingSaveUsersRoles] = useState(false);
const [loadingSaveWhitelist, setLoadingSaveWhitelist] = useState(false);
const [loadingRemoveResourcePassword, setLoadingRemoveResourcePassword] = const [loadingRemoveResourcePassword, setLoadingRemoveResourcePassword] =
useState(false); useState(false);
const [loadingRemoveResourcePincode, setLoadingRemoveResourcePincode] = const [loadingRemoveResourcePincode, setLoadingRemoveResourcePincode] =
@ -93,6 +112,11 @@ export default function ResourceAuthenticationPage() {
defaultValues: { roles: [], users: [] } defaultValues: { roles: [], users: [] }
}); });
const whitelistForm = useForm<z.infer<typeof whitelistSchema>>({
resolver: zodResolver(whitelistSchema),
defaultValues: { emails: [] }
});
useEffect(() => { useEffect(() => {
const fetchData = async () => { const fetchData = async () => {
try { try {
@ -100,7 +124,8 @@ export default function ResourceAuthenticationPage() {
rolesResponse, rolesResponse,
resourceRolesResponse, resourceRolesResponse,
usersResponse, usersResponse,
resourceUsersResponse resourceUsersResponse,
whitelist
] = await Promise.all([ ] = await Promise.all([
api.get<AxiosResponse<ListRolesResponse>>( api.get<AxiosResponse<ListRolesResponse>>(
`/org/${org?.org.orgId}/roles` `/org/${org?.org.orgId}/roles`
@ -113,6 +138,9 @@ export default function ResourceAuthenticationPage() {
), ),
api.get<AxiosResponse<ListResourceUsersResponse>>( api.get<AxiosResponse<ListResourceUsersResponse>>(
`/resource/${resource.resourceId}/users` `/resource/${resource.resourceId}/users`
),
api.get<AxiosResponse<GetResourceWhitelistResponse>>(
`/resource/${resource.resourceId}/whitelist`
) )
]); ]);
@ -150,6 +178,14 @@ export default function ResourceAuthenticationPage() {
})) }))
); );
whitelistForm.setValue(
"emails",
whitelist.data.data.whitelist.map((w) => ({
id: w.email,
text: w.email
}))
);
setPageLoading(false); setPageLoading(false);
} catch (e) { } catch (e) {
console.error(e); console.error(e);
@ -167,6 +203,42 @@ export default function ResourceAuthenticationPage() {
fetchData(); fetchData();
}, []); }, []);
async function saveWhitelist() {
setLoadingSaveWhitelist(true);
try {
await api.post(`/resource/${resource.resourceId}`, {
emailWhitelistEnabled: whitelistEnabled
});
if (whitelistEnabled) {
await api.post(`/resource/${resource.resourceId}/whitelist`, {
emails: whitelistForm.getValues().emails.map((i) => i.text)
});
}
updateResource({
emailWhitelistEnabled: whitelistEnabled
});
toast({
title: "Saved successfully",
description: "Whitelist settings have been saved"
});
} catch (e) {
console.error(e);
toast({
variant: "destructive",
title: "Failed to save whitelist",
description: formatAxiosError(
e,
"An error occurred while saving the whitelist"
)
});
} finally {
setLoadingSaveWhitelist(false);
}
}
async function onSubmitUsersRoles( async function onSubmitUsersRoles(
data: z.infer<typeof UsersRolesFormSchema> data: z.infer<typeof UsersRolesFormSchema>
) { ) {
@ -537,6 +609,96 @@ export default function ResourceAuthenticationPage() {
)} )}
</div> </div>
</div> </div>
<Separator />
<div>
<div className="flex items-center space-x-2 mb-2">
<Switch
id="whitelist-toggle"
defaultChecked={resource.emailWhitelistEnabled}
onCheckedChange={(val) =>
setWhitelistEnabled(val)
}
/>
<Label htmlFor="whitelist-toggle">
Email Whitelist
</Label>
</div>
<span className="text-muted-foreground text-sm">
Enable resource whitelist to require email-based
authentication (one-time passwords) for resource
access.
</span>
</div>
{whitelistEnabled && (
<Form {...whitelistForm}>
<form className="space-y-8">
<FormField
control={whitelistForm.control}
name="emails"
render={({ field }) => (
<FormItem className="flex flex-col items-start">
<FormLabel>
Whitelisted Emails
</FormLabel>
<FormControl>
<TagInput
{...field}
activeTagIndex={
activeEmailTagIndex
}
validateTag={(tag) => {
return z
.string()
.email()
.safeParse(tag)
.success;
}}
setActiveTagIndex={
setActiveEmailTagIndex
}
placeholder="Enter an email"
tags={
whitelistForm.getValues()
.emails
}
setTags={(newRoles) => {
whitelistForm.setValue(
"emails",
newRoles as [
Tag,
...Tag[]
]
);
}}
allowDuplicates={false}
sortTags={true}
styleClasses={{
tag: {
body: "bg-muted hover:bg-accent text-foreground py-2 px-3 rounded-full"
},
input: "border-none bg-transparent text-inherit placeholder:text-inherit shadow-none",
inlineTagsContainer:
"bg-transparent"
}}
/>
</FormControl>
</FormItem>
)}
/>
</form>
</Form>
)}
<Button
loading={loadingSaveWhitelist}
disabled={loadingSaveWhitelist}
onClick={saveWhitelist}
>
Save Whitelist
</Button>
</section> </section>
</div> </div>
</> </>

5
src/app/[orgId]/settings/resources/[resourceId]/components/ResourceInfoBox.tsx
View file

@ -10,7 +10,7 @@ import {
CheckIcon, CheckIcon,
CopyIcon, CopyIcon,
ShieldCheck, ShieldCheck,
ShieldOff, ShieldOff
} from "lucide-react"; } from "lucide-react";
import { useOrgContext } from "@app/hooks/useOrgContext"; import { useOrgContext } from "@app/hooks/useOrgContext";
import { useResourceContext } from "@app/hooks/useResourceContext"; import { useResourceContext } from "@app/hooks/useResourceContext";
@ -49,7 +49,8 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
<div> <div>
{authInfo.password || {authInfo.password ||
authInfo.pincode || authInfo.pincode ||
authInfo.sso ? ( authInfo.sso ||
authInfo.whitelist ? (
<div className="flex items-center space-x-2 text-green-500"> <div className="flex items-center space-x-2 text-green-500">
<ShieldCheck /> <ShieldCheck />
<span> <span>

3
src/app/[orgId]/settings/resources/page.tsx
View file

@ -55,7 +55,8 @@ export default async function ResourcesPage(props: ResourcesPageProps) {
hasAuth: hasAuth:
resource.sso || resource.sso ||
resource.pincodeId !== null || resource.pincodeId !== null ||
resource.pincodeId !== null, resource.pincodeId !== null ||
resource.whitelist
}; };
}); });

853
src/app/auth/resource/[resourceId]/components/ResourceAuthPortal.tsx
View file

@ -32,7 +32,8 @@ import {
Send, Send,
ArrowLeft, ArrowLeft,
ArrowRight, ArrowRight,
Lock Lock,
AtSign
} from "lucide-react"; } from "lucide-react";
import { import {
InputOTP, InputOTP,
@ -44,50 +45,35 @@ import { Alert, AlertDescription } from "@app/components/ui/alert";
import { formatAxiosError } from "@app/lib/utils"; import { formatAxiosError } from "@app/lib/utils";
import { AxiosResponse } from "axios"; import { AxiosResponse } from "axios";
import LoginForm from "@app/components/LoginForm"; import LoginForm from "@app/components/LoginForm";
import { AuthWithPasswordResponse } from "@server/routers/resource"; import { AuthWithPasswordResponse, AuthWithWhitelistResponse } from "@server/routers/resource";
import { redirect } from "next/dist/server/api-utils"; import { redirect } from "next/dist/server/api-utils";
import ResourceAccessDenied from "./ResourceAccessDenied"; import ResourceAccessDenied from "./ResourceAccessDenied";
import { createApiClient } from "@app/api"; import { createApiClient } from "@app/api";
import { useEnvContext } from "@app/hooks/useEnvContext"; import { useEnvContext } from "@app/hooks/useEnvContext";
import { useToast } from "@app/hooks/useToast"; import { useToast } from "@app/hooks/useToast";
const pin = z
.string()
.length(6, { message: "PIN must be exactly 6 digits" })
.regex(/^\d+$/, { message: "PIN must only contain numbers" });
const pinSchema = z.object({ const pinSchema = z.object({
pin pin: z
}); .string()
.length(6, { message: "PIN must be exactly 6 digits" })
const pinRequestOtpSchema = z.object({ .regex(/^\d+$/, { message: "PIN must only contain numbers" })
pin,
email: z.string().email()
});
const pinOtpSchema = z.object({
pin,
email: z.string().email(),
otp: z.string()
});
const password = z.string().min(1, {
message: "Password must be at least 1 character long"
}); });
const passwordSchema = z.object({ const passwordSchema = z.object({
password password: z.string().min(1, {
message: "Password must be at least 1 character long"
})
}); });
const passwordRequestOtpSchema = z.object({ const requestOtpSchema = z.object({
password,
email: z.string().email() email: z.string().email()
}); });
const passwordOtpSchema = z.object({ const submitOtpSchema = z.object({
password,
email: z.string().email(), email: z.string().email(),
otp: z.string() otp: z.string().min(1, {
message: "OTP must be at least 1 character long"
})
}); });
type ResourceAuthPortalProps = { type ResourceAuthPortalProps = {
@ -95,6 +81,7 @@ type ResourceAuthPortalProps = {
password: boolean; password: boolean;
pincode: boolean; pincode: boolean;
sso: boolean; sso: boolean;
whitelist: boolean;
}; };
resource: { resource: {
name: string; name: string;
@ -112,6 +99,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
if (props.methods.pincode) colLength++; if (props.methods.pincode) colLength++;
if (props.methods.password) colLength++; if (props.methods.password) colLength++;
if (props.methods.sso) colLength++; if (props.methods.sso) colLength++;
if (props.methods.whitelist) colLength++;
return colLength; return colLength;
}; };
@ -119,12 +107,11 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
const [passwordError, setPasswordError] = useState<string | null>(null); const [passwordError, setPasswordError] = useState<string | null>(null);
const [pincodeError, setPincodeError] = useState<string | null>(null); const [pincodeError, setPincodeError] = useState<string | null>(null);
const [whitelistError, setWhitelistError] = useState<string | null>(null);
const [accessDenied, setAccessDenied] = useState<boolean>(false); const [accessDenied, setAccessDenied] = useState<boolean>(false);
const [loadingLogin, setLoadingLogin] = useState(false); const [loadingLogin, setLoadingLogin] = useState(false);
const [otpState, setOtpState] = useState< const [otpState, setOtpState] = useState<"idle" | "otp_sent">("idle");
"idle" | "otp_requested" | "otp_sent"
>("idle");
const api = createApiClient(useEnvContext()); const api = createApiClient(useEnvContext());
@ -140,6 +127,10 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
if (props.methods.pincode) { if (props.methods.pincode) {
return "pin"; return "pin";
} }
if (props.methods.whitelist) {
return "whitelist";
}
} }
const [activeTab, setActiveTab] = useState(getDefaultSelectedMethod()); const [activeTab, setActiveTab] = useState(getDefaultSelectedMethod());
@ -151,23 +142,6 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
} }
}); });
const pinRequestOtpForm = useForm<z.infer<typeof pinRequestOtpSchema>>({
resolver: zodResolver(pinRequestOtpSchema),
defaultValues: {
pin: "",
email: ""
}
});
const pinOtpForm = useForm<z.infer<typeof pinOtpSchema>>({
resolver: zodResolver(pinOtpSchema),
defaultValues: {
pin: "",
email: "",
otp: ""
}
});
const passwordForm = useForm<z.infer<typeof passwordSchema>>({ const passwordForm = useForm<z.infer<typeof passwordSchema>>({
resolver: zodResolver(passwordSchema), resolver: zodResolver(passwordSchema),
defaultValues: { defaultValues: {
@ -175,45 +149,37 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
} }
}); });
const passwordRequestOtpForm = useForm< const requestOtpForm = useForm<z.infer<typeof requestOtpSchema>>({
z.infer<typeof passwordRequestOtpSchema> resolver: zodResolver(requestOtpSchema),
>({
resolver: zodResolver(passwordRequestOtpSchema),
defaultValues: { defaultValues: {
password: "",
email: "" email: ""
} }
}); });
const passwordOtpForm = useForm<z.infer<typeof passwordOtpSchema>>({ const submitOtpForm = useForm<z.infer<typeof submitOtpSchema>>({
resolver: zodResolver(passwordOtpSchema), resolver: zodResolver(submitOtpSchema),
defaultValues: { defaultValues: {
password: "",
email: "", email: "",
otp: "" otp: ""
} }
}); });
const onPinSubmit = (values: any) => { const onWhitelistSubmit = (values: any) => {
setLoadingLogin(true); setLoadingLogin(true);
api.post<AxiosResponse<AuthWithPasswordResponse>>( api.post<AxiosResponse<AuthWithWhitelistResponse>>(
`/auth/resource/${props.resource.id}/pincode`, `/auth/resource/${props.resource.id}/whitelist`,
{ pincode: values.pin, email: values.email, otp: values.otp } { email: values.email, otp: values.otp }
) )
.then((res) => { .then((res) => {
setPincodeError(null); setWhitelistError(null);
if (res.data.data.otpRequested) {
setOtpState("otp_requested"); if (res.data.data.otpSent) {
pinRequestOtpForm.setValue("pin", values.pin); setOtpState("otp_sent");
return; submitOtpForm.setValue("email", values.email);
} else if (res.data.data.otpSent) {
pinOtpForm.setValue("email", values.email);
pinOtpForm.setValue("pin", values.pin);
toast({ toast({
title: "OTP Sent", title: "OTP Sent",
description: `OTP sent to ${values.email}` description: "An OTP has been sent to your email"
}); });
setOtpState("otp_sent");
return; return;
} }
@ -222,6 +188,28 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
window.location.href = props.redirect; window.location.href = props.redirect;
} }
}) })
.catch((e) => {
console.error(e);
setWhitelistError(
formatAxiosError(e, "Failed to authenticate with email")
);
})
.then(() => setLoadingLogin(false));
};
const onPinSubmit = (values: z.infer<typeof pinSchema>) => {
setLoadingLogin(true);
api.post<AxiosResponse<AuthWithPasswordResponse>>(
`/auth/resource/${props.resource.id}/pincode`,
{ pincode: values.pin }
)
.then((res) => {
setPincodeError(null);
const session = res.data.data.session;
if (session) {
window.location.href = props.redirect;
}
})
.catch((e) => { .catch((e) => {
console.error(e); console.error(e);
setPincodeError( setPincodeError(
@ -231,53 +219,17 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
.then(() => setLoadingLogin(false)); .then(() => setLoadingLogin(false));
}; };
const resetPasswordForms = () => { const onPasswordSubmit = (values: z.infer<typeof passwordSchema>) => {
passwordForm.reset();
passwordRequestOtpForm.reset();
passwordOtpForm.reset();
setOtpState("idle");
setPasswordError(null);
};
const resetPinForms = () => {
pinForm.reset();
pinRequestOtpForm.reset();
pinOtpForm.reset();
setOtpState("idle");
setPincodeError(null);
}
const onPasswordSubmit = (values: any) => {
setLoadingLogin(true); setLoadingLogin(true);
api.post<AxiosResponse<AuthWithPasswordResponse>>( api.post<AxiosResponse<AuthWithPasswordResponse>>(
`/auth/resource/${props.resource.id}/password`, `/auth/resource/${props.resource.id}/password`,
{ {
password: values.password, password: values.password
email: values.email,
otp: values.otp
} }
) )
.then((res) => { .then((res) => {
setPasswordError(null); setPasswordError(null);
if (res.data.data.otpRequested) {
setOtpState("otp_requested");
passwordRequestOtpForm.setValue(
"password",
values.password
);
return;
} else if (res.data.data.otpSent) {
passwordOtpForm.setValue("email", values.email);
passwordOtpForm.setValue("password", values.password);
toast({
title: "OTP Sent",
description: `OTP sent to ${values.email}`
});
setOtpState("otp_sent");
return;
}
const session = res.data.data.session; const session = res.data.data.session;
if (session) { if (session) {
window.location.href = props.redirect; window.location.href = props.redirect;
@ -337,7 +289,9 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
? "grid-cols-1" ? "grid-cols-1"
: numMethods === 2 : numMethods === 2
? "grid-cols-2" ? "grid-cols-2"
: "grid-cols-3" : numMethods === 3
? "grid-cols-3"
: "grid-cols-4"
}`} }`}
> >
{props.methods.pincode && ( {props.methods.pincode && (
@ -358,6 +312,12 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
User User
</TabsTrigger> </TabsTrigger>
)} )}
{props.methods.whitelist && (
<TabsTrigger value="whitelist">
<AtSign className="w-4 h-4 mr-1" />{" "}
Email
</TabsTrigger>
)}
</TabsList> </TabsList>
)} )}
{props.methods.pincode && ( {props.methods.pincode && (
@ -365,237 +325,86 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
value="pin" value="pin"
className={`${numMethods <= 1 ? "mt-0" : ""}`} className={`${numMethods <= 1 ? "mt-0" : ""}`}
> >
{otpState === "idle" && ( <Form {...pinForm}>
<Form {...pinForm}> <form
<form onSubmit={pinForm.handleSubmit(
onSubmit={pinForm.handleSubmit( onPinSubmit
onPinSubmit )}
)} className="space-y-4"
className="space-y-4" >
> <FormField
<FormField control={pinForm.control}
control={ name="pin"
pinForm.control render={({ field }) => (
} <FormItem>
name="pin" <FormLabel>
render={({ field }) => ( 6-digit PIN Code
<FormItem> </FormLabel>
<FormLabel> <FormControl>
6-digit PIN <div className="flex justify-center">
Code <InputOTP
</FormLabel> maxLength={
<FormControl> 6
<div className="flex justify-center"> }
<InputOTP
maxLength={
6
}
{...field}
>
<InputOTPGroup className="flex">
<InputOTPSlot
index={
0
}
/>
<InputOTPSlot
index={
1
}
/>
<InputOTPSlot
index={
2
}
/>
<InputOTPSlot
index={
3
}
/>
<InputOTPSlot
index={
4
}
/>
<InputOTPSlot
index={
5
}
/>
</InputOTPGroup>
</InputOTP>
</div>
</FormControl>
<FormMessage />
</FormItem>
)}
/>
{pincodeError && (
<Alert variant="destructive">
<AlertDescription>
{pincodeError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<LockIcon className="w-4 h-4 mr-2" />
Login with PIN
</Button>
</form>
</Form>
)}
{otpState === "otp_requested" && (
<Form {...pinRequestOtpForm}>
<form
onSubmit={pinRequestOtpForm.handleSubmit(
onPinSubmit
)}
className="space-y-4"
>
<FormField
control={
pinRequestOtpForm.control
}
name="email"
render={({ field }) => (
<FormItem>
<FormLabel>
Email
</FormLabel>
<FormControl>
<Input
placeholder="Enter email"
type="email"
{...field} {...field}
/> >
</FormControl> <InputOTPGroup className="flex">
<FormDescription> <InputOTPSlot
A one-time index={
code will be 0
sent to this }
email. />
</FormDescription> <InputOTPSlot
<FormMessage /> index={
</FormItem> 1
)} }
/> />
<InputOTPSlot
{pincodeError && ( index={
<Alert variant="destructive"> 2
<AlertDescription> }
{pincodeError} />
</AlertDescription> <InputOTPSlot
</Alert> index={
3
}
/>
<InputOTPSlot
index={
4
}
/>
<InputOTPSlot
index={
5
}
/>
</InputOTPGroup>
</InputOTP>
</div>
</FormControl>
<FormMessage />
</FormItem>
)} )}
/>
<Button {pincodeError && (
type="submit" <Alert variant="destructive">
className="w-full" <AlertDescription>
loading={loadingLogin} {pincodeError}
disabled={loadingLogin} </AlertDescription>
> </Alert>
<Send className="w-4 h-4 mr-2" /> )}
Send OTP <Button
</Button> type="submit"
className="w-full"
<Button loading={loadingLogin}
type="button" disabled={loadingLogin}
className="w-full"
variant={"outline"}
onClick={() =>
resetPinForms()
}
>
Back to PIN
</Button>
</form>
</Form>
)}
{otpState === "otp_sent" && (
<Form {...pinOtpForm}>
<form
onSubmit={pinOtpForm.handleSubmit(
onPinSubmit
)}
className="space-y-4"
> >
<FormField <LockIcon className="w-4 h-4 mr-2" />
control={ Login with PIN
pinOtpForm.control </Button>
} </form>
name="otp" </Form>
render={({ field }) => (
<FormItem>
<FormLabel>
One-Time
Password
(OTP)
</FormLabel>
<FormControl>
<Input
placeholder="Enter OTP"
type="otp"
{...field}
/>
</FormControl>
<FormMessage />
</FormItem>
)}
/>
{pincodeError && (
<Alert variant="destructive">
<AlertDescription>
{pincodeError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<LockIcon className="w-4 h-4 mr-2" />
Submit OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() => {
setOtpState(
"otp_requested"
);
pinOtpForm.reset();
}}
>
Resend OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() =>
resetPinForms()
}
>
Back to PIN
</Button>
</form>
</Form>
)}
</TabsContent> </TabsContent>
)} )}
{props.methods.password && ( {props.methods.password && (
@ -603,202 +412,54 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
value="password" value="password"
className={`${numMethods <= 1 ? "mt-0" : ""}`} className={`${numMethods <= 1 ? "mt-0" : ""}`}
> >
{otpState === "idle" && ( <Form {...passwordForm}>
<Form {...passwordForm}> <form
<form onSubmit={passwordForm.handleSubmit(
onSubmit={passwordForm.handleSubmit( onPasswordSubmit
onPasswordSubmit )}
className="space-y-4"
>
<FormField
control={
passwordForm.control
}
name="password"
render={({ field }) => (
<FormItem>
<FormLabel>
Password
</FormLabel>
<FormControl>
<Input
placeholder="Enter password"
type="password"
{...field}
/>
</FormControl>
<FormMessage />
</FormItem>
)} )}
className="space-y-4" />
{passwordError && (
<Alert variant="destructive">
<AlertDescription>
{passwordError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
> >
<FormField <LockIcon className="w-4 h-4 mr-2" />
control={ Login with Password
passwordForm.control </Button>
} </form>
name="password" </Form>
render={({ field }) => (
<FormItem>
<FormLabel>
Password
</FormLabel>
<FormControl>
<Input
placeholder="Enter password"
type="password"
{...field}
/>
</FormControl>
<FormMessage />
</FormItem>
)}
/>
{passwordError && (
<Alert variant="destructive">
<AlertDescription>
{passwordError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<LockIcon className="w-4 h-4 mr-2" />
Login with Password
</Button>
</form>
</Form>
)}
{otpState === "otp_requested" && (
<Form {...passwordRequestOtpForm}>
<form
onSubmit={passwordRequestOtpForm.handleSubmit(
onPasswordSubmit
)}
className="space-y-4"
>
<FormField
control={
passwordRequestOtpForm.control
}
name="email"
render={({ field }) => (
<FormItem>
<FormLabel>
Email
</FormLabel>
<FormControl>
<Input
placeholder="Enter email"
type="email"
{...field}
/>
</FormControl>
<FormDescription>
A one-time
code will be
sent to this
email.
</FormDescription>
<FormMessage />
</FormItem>
)}
/>
{passwordError && (
<Alert variant="destructive">
<AlertDescription>
{passwordError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<Send className="w-4 h-4 mr-2" />
Send OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() =>
resetPasswordForms()
}
>
Back to Password
</Button>
</form>
</Form>
)}
{otpState === "otp_sent" && (
<Form {...passwordOtpForm}>
<form
onSubmit={passwordOtpForm.handleSubmit(
onPasswordSubmit
)}
className="space-y-4"
>
<FormField
control={
passwordOtpForm.control
}
name="otp"
render={({ field }) => (
<FormItem>
<FormLabel>
One-Time
Password
(OTP)
</FormLabel>
<FormControl>
<Input
placeholder="Enter OTP"
type="otp"
{...field}
/>
</FormControl>
<FormMessage />
</FormItem>
)}
/>
{passwordError && (
<Alert variant="destructive">
<AlertDescription>
{passwordError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<LockIcon className="w-4 h-4 mr-2" />
Submit OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() => {
setOtpState(
"otp_requested"
);
passwordOtpForm.reset();
}}
>
Resend OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() =>
resetPasswordForms()
}
>
Back to Password
</Button>
</form>
</Form>
)}
</TabsContent> </TabsContent>
)} )}
{props.methods.sso && ( {props.methods.sso && (
@ -818,6 +479,134 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
/> />
</TabsContent> </TabsContent>
)} )}
{props.methods.whitelist && (
<TabsContent
value="whitelist"
className={`${numMethods <= 1 ? "mt-0" : ""}`}
>
{otpState === "idle" && (
<Form {...requestOtpForm}>
<form
onSubmit={requestOtpForm.handleSubmit(
onWhitelistSubmit
)}
className="space-y-4"
>
<FormField
control={
requestOtpForm.control
}
name="email"
render={({ field }) => (
<FormItem>
<FormLabel>
Email
</FormLabel>
<FormControl>
<Input
placeholder="Enter email"
type="email"
{...field}
/>
</FormControl>
<FormDescription>
A one-time
code will be
sent to this
email.
</FormDescription>
<FormMessage />
</FormItem>
)}
/>
{whitelistError && (
<Alert variant="destructive">
<AlertDescription>
{whitelistError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<Send className="w-4 h-4 mr-2" />
Send One-time Code
</Button>
</form>
</Form>
)}
{otpState === "otp_sent" && (
<Form {...submitOtpForm}>
<form
onSubmit={submitOtpForm.handleSubmit(
onWhitelistSubmit
)}
className="space-y-4"
>
<FormField
control={
submitOtpForm.control
}
name="otp"
render={({ field }) => (
<FormItem>
<FormLabel>
One-Time
Password
(OTP)
</FormLabel>
<FormControl>
<Input
placeholder="Enter OTP"
type="password"
{...field}
/>
</FormControl>
<FormMessage />
</FormItem>
)}
/>
{whitelistError && (
<Alert variant="destructive">
<AlertDescription>
{whitelistError}
</AlertDescription>
</Alert>
)}
<Button
type="submit"
className="w-full"
loading={loadingLogin}
disabled={loadingLogin}
>
<LockIcon className="w-4 h-4 mr-2" />
Submit OTP
</Button>
<Button
type="button"
className="w-full"
variant={"outline"}
onClick={() => {
setOtpState("idle");
submitOtpForm.reset();
}}
>
Back to Email
</Button>
</form>
</Form>
)}
</TabsContent>
)}
</Tabs> </Tabs>
</CardContent> </CardContent>
</Card> </Card>

1
src/app/auth/resource/[resourceId]/page.tsx
View file

@ -120,6 +120,7 @@ export default async function ResourceAuthPage(props: {
password: authInfo.password, password: authInfo.password,
pincode: authInfo.pincode, pincode: authInfo.pincode,
sso: authInfo.sso && !userIsUnauthorized, sso: authInfo.sso && !userIsUnauthorized,
whitelist: authInfo.whitelist
}} }}
resource={{ resource={{
name: authInfo.resourceName, name: authInfo.resourceName,

5
src/app/auth/signup/SignupForm.tsx
View file

@ -23,11 +23,12 @@ import {
} from "@/components/ui/card"; } from "@/components/ui/card";
import { Alert, AlertDescription } from "@/components/ui/alert"; import { Alert, AlertDescription } from "@/components/ui/alert";
import { SignUpResponse } from "@server/routers/auth"; import { SignUpResponse } from "@server/routers/auth";
import { api } from "@app/api";
import { useRouter } from "next/navigation"; import { useRouter } from "next/navigation";
import { passwordSchema } from "@server/auth/passwordSchema"; import { passwordSchema } from "@server/auth/passwordSchema";
import { AxiosResponse } from "axios"; import { AxiosResponse } from "axios";
import { formatAxiosError } from "@app/lib/utils"; import { formatAxiosError } from "@app/lib/utils";
import { createApiClient } from "@app/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
type SignupFormProps = { type SignupFormProps = {
redirect?: string; redirect?: string;
@ -47,6 +48,8 @@ const formSchema = z
export default function SignupForm({ redirect }: SignupFormProps) { export default function SignupForm({ redirect }: SignupFormProps) {
const router = useRouter(); const router = useRouter();
const api = createApiClient(useEnvContext());
const [loading, setLoading] = useState(false); const [loading, setLoading] = useState(false);
const [error, setError] = useState<string | null>(null); const [error, setError] = useState<string | null>(null);

8
src/app/globals.css
View file

@ -8,9 +8,9 @@
--background: 0 0% 100%; --background: 0 0% 100%;
--foreground: 0 0.0% 10.0%; --foreground: 0 0.0% 10.0%;
--card: 0 0% 100%; --card: 0 0% 100%;
--card-foreground: 20 5.0% 10.0%; --card-foreground: 0 0% 100%;
--popover: 0 0% 100%; --popover: 0 0% 100%;
--popover-foreground: 20 5.0% 10.0%; --popover-foreground: 0 0% 100%;
--primary: 24.6 95% 53.1%; --primary: 24.6 95% 53.1%;
--primary-foreground: 60 9.1% 97.8%; --primary-foreground: 60 9.1% 97.8%;
--secondary: 60 4.8% 95.9%; --secondary: 60 4.8% 95.9%;
@ -35,9 +35,9 @@
.dark { .dark {
--background: 0 0.0% 10.0%; --background: 0 0.0% 10.0%;
--foreground: 60 9.1% 97.8%; --foreground: 60 9.1% 97.8%;
--card: 20 5.0% 10.0%; --card: 0 0.0% 10.0%;
--card-foreground: 60 9.1% 97.8%; --card-foreground: 60 9.1% 97.8%;
--popover: 20 5.0% 10.0%; --popover: 0 0.0% 10.0%;
--popover-foreground: 60 9.1% 97.8%; --popover-foreground: 60 9.1% 97.8%;
--primary: 20.5 90.2% 48.2%; --primary: 20.5 90.2% 48.2%;
--primary-foreground: 60 9.1% 97.8%; --primary-foreground: 60 9.1% 97.8%;