mirror of
https://github.com/fosrl/pangolin.git
synced 2025-07-31 16:14:46 +02:00
add resource whitelist auth method
This commit is contained in:
parent
998fab6d0a
commit
207a7b8a39
20 changed files with 970 additions and 739 deletions
|
@ -49,9 +49,7 @@ export enum ActionsEnum {
|
|||
// addUserAction = "addUserAction",
|
||||
// removeUserAction = "removeUserAction",
|
||||
// removeUserSite = "removeUserSite",
|
||||
getOrgUser = "getOrgUser",
|
||||
setResourceAuthMethods = "setResourceAuthMethods",
|
||||
getResourceAuthMethods = "getResourceAuthMethods",
|
||||
getOrgUser = "getOrgUser"
|
||||
}
|
||||
|
||||
export async function checkUserActionPermission(
|
||||
|
|
|
@ -16,10 +16,10 @@ export async function createResourceSession(opts: {
|
|||
resourceId: number;
|
||||
passwordId?: number;
|
||||
pincodeId?: number;
|
||||
whitelistId: number;
|
||||
whitelistId?: number;
|
||||
usedOtp?: boolean;
|
||||
}): Promise<ResourceSession> {
|
||||
if (!opts.passwordId && !opts.pincodeId) {
|
||||
if (!opts.passwordId && !opts.pincodeId && !opts.whitelistId) {
|
||||
throw new Error(
|
||||
"At least one of passwordId or pincodeId must be provided"
|
||||
);
|
||||
|
@ -35,8 +35,7 @@ export async function createResourceSession(opts: {
|
|||
resourceId: opts.resourceId,
|
||||
passwordId: opts.passwordId || null,
|
||||
pincodeId: opts.pincodeId || null,
|
||||
whitelistId: opts.whitelistId,
|
||||
usedOtp: opts.usedOtp || false
|
||||
whitelistId: opts.whitelistId || null
|
||||
};
|
||||
|
||||
await db.insert(resourceSessions).values(session);
|
||||
|
@ -129,7 +128,6 @@ export async function invalidateAllSessions(
|
|||
eq(resourceSessions.whitelistId, method.whitelistId)
|
||||
)
|
||||
);
|
||||
|
||||
}
|
||||
if (!method?.passwordId && !method?.pincodeId && !method?.whitelistId) {
|
||||
await db
|
||||
|
|
|
@ -46,7 +46,7 @@ export const resources = sqliteTable("resources", {
|
|||
.notNull()
|
||||
.default(false),
|
||||
sso: integer("sso", { mode: "boolean" }).notNull().default(true),
|
||||
otpEnabled: integer("otpEnabled", { mode: "boolean" })
|
||||
emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
|
||||
.notNull()
|
||||
.default(false)
|
||||
});
|
||||
|
@ -282,7 +282,6 @@ export const resourceSessions = sqliteTable("resourceSessions", {
|
|||
resourceId: integer("resourceId")
|
||||
.notNull()
|
||||
.references(() => resources.resourceId, { onDelete: "cascade" }),
|
||||
usedOtp: integer("usedOtp", { mode: "boolean" }).notNull().default(false),
|
||||
expiresAt: integer("expiresAt").notNull(),
|
||||
passwordId: integer("passwordId").references(
|
||||
() => resourcePassword.passwordId,
|
||||
|
@ -297,23 +296,20 @@ export const resourceSessions = sqliteTable("resourceSessions", {
|
|||
}
|
||||
),
|
||||
whitelistId: integer("whitelistId").references(
|
||||
() => resourceWhitelistedEmail.whitelistId,
|
||||
() => resourceWhitelist.whitelistId,
|
||||
{
|
||||
onDelete: "cascade"
|
||||
}
|
||||
)
|
||||
});
|
||||
|
||||
export const resourceWhitelistedEmail = sqliteTable(
|
||||
"resourceWhitelistedEmail",
|
||||
{
|
||||
whitelistId: integer("id").primaryKey({ autoIncrement: true }),
|
||||
email: text("email").primaryKey(),
|
||||
resourceId: integer("resourceId")
|
||||
.notNull()
|
||||
.references(() => resources.resourceId, { onDelete: "cascade" })
|
||||
}
|
||||
);
|
||||
export const resourceWhitelist = sqliteTable("resourceWhitelist", {
|
||||
whitelistId: integer("id").primaryKey({ autoIncrement: true }),
|
||||
email: text("email").notNull(),
|
||||
resourceId: integer("resourceId")
|
||||
.notNull()
|
||||
.references(() => resources.resourceId, { onDelete: "cascade" })
|
||||
});
|
||||
|
||||
export const resourceOtp = sqliteTable("resourceOtp", {
|
||||
otpId: integer("otpId").primaryKey({
|
||||
|
|
|
@ -18,7 +18,7 @@ import {
|
|||
verifyRoleAccess,
|
||||
verifySetResourceUsers,
|
||||
verifyUserAccess,
|
||||
getUserOrgs,
|
||||
getUserOrgs
|
||||
} from "@server/middlewares";
|
||||
import { verifyUserHasAction } from "../middlewares/verifyUserHasAction";
|
||||
import { ActionsEnum } from "@server/auth/actions";
|
||||
|
@ -43,51 +43,51 @@ authenticated.get(
|
|||
"/org/:orgId",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.getOrg),
|
||||
org.getOrg,
|
||||
org.getOrg
|
||||
);
|
||||
authenticated.post(
|
||||
"/org/:orgId",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.updateOrg),
|
||||
org.updateOrg,
|
||||
org.updateOrg
|
||||
);
|
||||
authenticated.delete(
|
||||
"/org/:orgId",
|
||||
verifyOrgAccess,
|
||||
verifyUserIsOrgOwner,
|
||||
org.deleteOrg,
|
||||
org.deleteOrg
|
||||
);
|
||||
|
||||
authenticated.put(
|
||||
"/org/:orgId/site",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.createSite),
|
||||
site.createSite,
|
||||
site.createSite
|
||||
);
|
||||
authenticated.get(
|
||||
"/org/:orgId/sites",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.listSites),
|
||||
site.listSites,
|
||||
site.listSites
|
||||
);
|
||||
authenticated.get(
|
||||
"/org/:orgId/site/:niceId",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.getSite),
|
||||
site.getSite,
|
||||
site.getSite
|
||||
);
|
||||
|
||||
authenticated.get(
|
||||
"/org/:orgId/pick-site-defaults",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.createSite),
|
||||
site.pickSiteDefaults,
|
||||
site.pickSiteDefaults
|
||||
);
|
||||
authenticated.get(
|
||||
"/site/:siteId",
|
||||
verifySiteAccess,
|
||||
verifyUserHasAction(ActionsEnum.getSite),
|
||||
site.getSite,
|
||||
site.getSite
|
||||
);
|
||||
// authenticated.get(
|
||||
// "/site/:siteId/roles",
|
||||
|
@ -99,38 +99,38 @@ authenticated.post(
|
|||
"/site/:siteId",
|
||||
verifySiteAccess,
|
||||
verifyUserHasAction(ActionsEnum.updateSite),
|
||||
site.updateSite,
|
||||
site.updateSite
|
||||
);
|
||||
authenticated.delete(
|
||||
"/site/:siteId",
|
||||
verifySiteAccess,
|
||||
verifyUserHasAction(ActionsEnum.deleteSite),
|
||||
site.deleteSite,
|
||||
site.deleteSite
|
||||
);
|
||||
|
||||
authenticated.put(
|
||||
"/org/:orgId/site/:siteId/resource",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.createResource),
|
||||
resource.createResource,
|
||||
resource.createResource
|
||||
);
|
||||
authenticated.get(
|
||||
"/site/:siteId/resources",
|
||||
verifyUserHasAction(ActionsEnum.listResources),
|
||||
resource.listResources,
|
||||
resource.listResources
|
||||
);
|
||||
authenticated.get(
|
||||
"/org/:orgId/resources",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.listResources),
|
||||
resource.listResources,
|
||||
resource.listResources
|
||||
);
|
||||
|
||||
authenticated.post(
|
||||
"/org/:orgId/create-invite",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.inviteUser),
|
||||
user.inviteUser,
|
||||
user.inviteUser
|
||||
); // maybe make this /invite/create instead
|
||||
authenticated.post("/invite/accept", user.acceptInvite);
|
||||
|
||||
|
@ -138,77 +138,77 @@ authenticated.get(
|
|||
"/resource/:resourceId/roles",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.listResourceRoles),
|
||||
resource.listResourceRoles,
|
||||
resource.listResourceRoles
|
||||
);
|
||||
|
||||
authenticated.get(
|
||||
"/resource/:resourceId/users",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.listResourceUsers),
|
||||
resource.listResourceUsers,
|
||||
resource.listResourceUsers
|
||||
);
|
||||
|
||||
authenticated.get(
|
||||
"/resource/:resourceId",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.getResource),
|
||||
resource.getResource,
|
||||
resource.getResource
|
||||
);
|
||||
authenticated.post(
|
||||
"/resource/:resourceId",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.updateResource),
|
||||
resource.updateResource,
|
||||
resource.updateResource
|
||||
);
|
||||
authenticated.delete(
|
||||
"/resource/:resourceId",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.deleteResource),
|
||||
resource.deleteResource,
|
||||
resource.deleteResource
|
||||
);
|
||||
|
||||
authenticated.put(
|
||||
"/resource/:resourceId/target",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.createTarget),
|
||||
target.createTarget,
|
||||
target.createTarget
|
||||
);
|
||||
authenticated.get(
|
||||
"/resource/:resourceId/targets",
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.listTargets),
|
||||
target.listTargets,
|
||||
target.listTargets
|
||||
);
|
||||
authenticated.get(
|
||||
"/target/:targetId",
|
||||
verifyTargetAccess,
|
||||
verifyUserHasAction(ActionsEnum.getTarget),
|
||||
target.getTarget,
|
||||
target.getTarget
|
||||
);
|
||||
authenticated.post(
|
||||
"/target/:targetId",
|
||||
verifyTargetAccess,
|
||||
verifyUserHasAction(ActionsEnum.updateTarget),
|
||||
target.updateTarget,
|
||||
target.updateTarget
|
||||
);
|
||||
authenticated.delete(
|
||||
"/target/:targetId",
|
||||
verifyTargetAccess,
|
||||
verifyUserHasAction(ActionsEnum.deleteTarget),
|
||||
target.deleteTarget,
|
||||
target.deleteTarget
|
||||
);
|
||||
|
||||
authenticated.put(
|
||||
"/org/:orgId/role",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.createRole),
|
||||
role.createRole,
|
||||
role.createRole
|
||||
);
|
||||
authenticated.get(
|
||||
"/org/:orgId/roles",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.listRoles),
|
||||
role.listRoles,
|
||||
role.listRoles
|
||||
);
|
||||
// authenticated.get(
|
||||
// "/role/:roleId",
|
||||
|
@ -227,14 +227,14 @@ authenticated.delete(
|
|||
"/role/:roleId",
|
||||
verifyRoleAccess,
|
||||
verifyUserHasAction(ActionsEnum.deleteRole),
|
||||
role.deleteRole,
|
||||
role.deleteRole
|
||||
);
|
||||
authenticated.post(
|
||||
"/role/:roleId/add/:userId",
|
||||
verifyRoleAccess,
|
||||
verifyUserAccess,
|
||||
verifyUserHasAction(ActionsEnum.addUserRole),
|
||||
user.addUserRole,
|
||||
user.addUserRole
|
||||
);
|
||||
|
||||
// authenticated.put(
|
||||
|
@ -264,7 +264,7 @@ authenticated.post(
|
|||
verifyResourceAccess,
|
||||
verifyRoleAccess,
|
||||
verifyUserHasAction(ActionsEnum.setResourceRoles),
|
||||
resource.setResourceRoles,
|
||||
resource.setResourceRoles
|
||||
);
|
||||
|
||||
authenticated.post(
|
||||
|
@ -272,21 +272,35 @@ authenticated.post(
|
|||
verifyResourceAccess,
|
||||
verifySetResourceUsers,
|
||||
verifyUserHasAction(ActionsEnum.setResourceUsers),
|
||||
resource.setResourceUsers,
|
||||
resource.setResourceUsers
|
||||
);
|
||||
|
||||
authenticated.post(
|
||||
`/resource/:resourceId/password`,
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.setResourceAuthMethods),
|
||||
resource.setResourcePassword,
|
||||
verifyUserHasAction(ActionsEnum.updateResource), // REVIEW: group all resource related updates under update resource?
|
||||
resource.setResourcePassword
|
||||
);
|
||||
|
||||
authenticated.post(
|
||||
`/resource/:resourceId/pincode`,
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.setResourceAuthMethods),
|
||||
resource.setResourcePincode,
|
||||
verifyUserHasAction(ActionsEnum.updateResource),
|
||||
resource.setResourcePincode
|
||||
);
|
||||
|
||||
authenticated.post(
|
||||
`/resource/:resourceId/whitelist`,
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.updateResource),
|
||||
resource.setResourceWhitelist
|
||||
);
|
||||
|
||||
authenticated.get(
|
||||
`/resource/:resourceId/whitelist`,
|
||||
verifyResourceAccess,
|
||||
verifyUserHasAction(ActionsEnum.getResource),
|
||||
resource.getResourceWhitelist
|
||||
);
|
||||
|
||||
unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo);
|
||||
|
@ -327,14 +341,14 @@ authenticated.get(
|
|||
"/org/:orgId/users",
|
||||
verifyOrgAccess,
|
||||
verifyUserHasAction(ActionsEnum.listUsers),
|
||||
user.listUsers,
|
||||
user.listUsers
|
||||
);
|
||||
authenticated.delete(
|
||||
"/org/:orgId/user/:userId",
|
||||
verifyOrgAccess,
|
||||
verifyUserAccess,
|
||||
verifyUserHasAction(ActionsEnum.removeUser),
|
||||
user.removeUserOrg,
|
||||
user.removeUserOrg
|
||||
);
|
||||
|
||||
// authenticated.put(
|
||||
|
@ -375,8 +389,8 @@ authRouter.use(
|
|||
rateLimitMiddleware({
|
||||
windowMin: 10,
|
||||
max: 75,
|
||||
type: "IP_AND_PATH",
|
||||
}),
|
||||
type: "IP_AND_PATH"
|
||||
})
|
||||
);
|
||||
|
||||
authRouter.put("/signup", auth.signup);
|
||||
|
@ -388,22 +402,23 @@ authRouter.post("/2fa/enable", verifySessionUserMiddleware, auth.verifyTotp);
|
|||
authRouter.post(
|
||||
"/2fa/request",
|
||||
verifySessionUserMiddleware,
|
||||
auth.requestTotpSecret,
|
||||
auth.requestTotpSecret
|
||||
);
|
||||
authRouter.post("/2fa/disable", verifySessionUserMiddleware, auth.disable2fa);
|
||||
authRouter.post("/verify-email", verifySessionMiddleware, auth.verifyEmail);
|
||||
authRouter.post(
|
||||
"/verify-email/request",
|
||||
verifySessionMiddleware,
|
||||
auth.requestEmailVerificationCode,
|
||||
auth.requestEmailVerificationCode
|
||||
);
|
||||
authRouter.post(
|
||||
"/change-password",
|
||||
verifySessionUserMiddleware,
|
||||
auth.changePassword,
|
||||
auth.changePassword
|
||||
);
|
||||
authRouter.post("/reset-password/request", auth.requestPasswordReset);
|
||||
authRouter.post("/reset-password/", auth.resetPassword);
|
||||
|
||||
authRouter.post("/resource/:resourceId/password", resource.authWithPassword);
|
||||
authRouter.post("/resource/:resourceId/pincode", resource.authWithPincode);
|
||||
authRouter.post("/resource/:resourceId/whitelist", resource.authWithWhitelist);
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
import { verify } from "@node-rs/argon2";
|
||||
import { generateSessionToken } from "@server/auth";
|
||||
import db from "@server/db";
|
||||
import { orgs, resourceOtp, resourcePassword, resources } from "@server/db/schema";
|
||||
import { orgs, resourcePassword, resources } from "@server/db/schema";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import response from "@server/utils/response";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import createHttpError from "http-errors";
|
||||
import { z } from "zod";
|
||||
|
@ -13,14 +13,10 @@ import {
|
|||
createResourceSession,
|
||||
serializeResourceSessionCookie
|
||||
} from "@server/auth/resource";
|
||||
import logger from "@server/logger";
|
||||
import config from "@server/config";
|
||||
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
|
||||
|
||||
export const authWithPasswordBodySchema = z.object({
|
||||
password: z.string(),
|
||||
email: z.string().email().optional(),
|
||||
otp: z.string().optional()
|
||||
password: z.string()
|
||||
});
|
||||
|
||||
export const authWithPasswordParamsSchema = z.object({
|
||||
|
@ -28,8 +24,6 @@ export const authWithPasswordParamsSchema = z.object({
|
|||
});
|
||||
|
||||
export type AuthWithPasswordResponse = {
|
||||
otpRequested?: boolean;
|
||||
otpSent?: boolean;
|
||||
session?: string;
|
||||
};
|
||||
|
||||
|
@ -61,7 +55,7 @@ export async function authWithPassword(
|
|||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
const { email, password, otp } = parsedBody.data;
|
||||
const { password } = parsedBody.data;
|
||||
|
||||
try {
|
||||
const [result] = await db
|
||||
|
@ -119,69 +113,11 @@ export async function authWithPassword(
|
|||
);
|
||||
}
|
||||
|
||||
if (resource.otpEnabled) {
|
||||
if (otp && email) {
|
||||
const isValidCode = await isValidOtp(
|
||||
email,
|
||||
resource.resourceId,
|
||||
otp
|
||||
);
|
||||
if (!isValidCode) {
|
||||
return next(
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
|
||||
);
|
||||
}
|
||||
|
||||
await db
|
||||
.delete(resourceOtp)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceOtp.email, email),
|
||||
eq(resourceOtp.resourceId, resource.resourceId)
|
||||
)
|
||||
);
|
||||
} else if (email) {
|
||||
try {
|
||||
await sendResourceOtpEmail(
|
||||
email,
|
||||
resource.resourceId,
|
||||
resource.name,
|
||||
org.name
|
||||
);
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpSent: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Sent one-time otp to email address",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
} catch (e) {
|
||||
logger.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to send one-time otp. Make sure the email address is correct and try again."
|
||||
)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpRequested: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "One-time otp required to complete authentication",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const token = generateSessionToken();
|
||||
await createResourceSession({
|
||||
resourceId,
|
||||
token,
|
||||
passwordId: definedPassword.passwordId,
|
||||
usedOtp: otp !== undefined,
|
||||
email
|
||||
passwordId: definedPassword.passwordId
|
||||
});
|
||||
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
|
||||
const cookie = serializeResourceSessionCookie(
|
||||
|
|
|
@ -5,7 +5,8 @@ import {
|
|||
orgs,
|
||||
resourceOtp,
|
||||
resourcePincode,
|
||||
resources
|
||||
resources,
|
||||
resourceWhitelist
|
||||
} from "@server/db/schema";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import response from "@server/utils/response";
|
||||
|
@ -24,9 +25,7 @@ import { AuthWithPasswordResponse } from "./authWithPassword";
|
|||
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
|
||||
|
||||
export const authWithPincodeBodySchema = z.object({
|
||||
pincode: z.string(),
|
||||
email: z.string().email().optional(),
|
||||
otp: z.string().optional()
|
||||
pincode: z.string()
|
||||
});
|
||||
|
||||
export const authWithPincodeParamsSchema = z.object({
|
||||
|
@ -34,8 +33,6 @@ export const authWithPincodeParamsSchema = z.object({
|
|||
});
|
||||
|
||||
export type AuthWithPincodeResponse = {
|
||||
otpRequested?: boolean;
|
||||
otpSent?: boolean;
|
||||
session?: string;
|
||||
};
|
||||
|
||||
|
@ -67,7 +64,7 @@ export async function authWithPincode(
|
|||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
const { email, pincode, otp } = parsedBody.data;
|
||||
const { pincode } = parsedBody.data;
|
||||
|
||||
try {
|
||||
const [result] = await db
|
||||
|
@ -124,69 +121,11 @@ export async function authWithPincode(
|
|||
);
|
||||
}
|
||||
|
||||
if (resource.otpEnabled) {
|
||||
if (otp && email) {
|
||||
const isValidCode = await isValidOtp(
|
||||
email,
|
||||
resource.resourceId,
|
||||
otp
|
||||
);
|
||||
if (!isValidCode) {
|
||||
return next(
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
|
||||
);
|
||||
}
|
||||
|
||||
await db
|
||||
.delete(resourceOtp)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceOtp.email, email),
|
||||
eq(resourceOtp.resourceId, resource.resourceId)
|
||||
)
|
||||
);
|
||||
} else if (email) {
|
||||
try {
|
||||
await sendResourceOtpEmail(
|
||||
email,
|
||||
resource.resourceId,
|
||||
resource.name,
|
||||
org.name
|
||||
);
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpSent: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Sent one-time otp to email address",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
} catch (e) {
|
||||
logger.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to send one-time otp. Make sure the email address is correct and try again."
|
||||
)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
return response<AuthWithPasswordResponse>(res, {
|
||||
data: { otpRequested: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "One-time otp required to complete authentication",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const token = generateSessionToken();
|
||||
await createResourceSession({
|
||||
resourceId,
|
||||
token,
|
||||
pincodeId: definedPincode.pincodeId,
|
||||
usedOtp: otp !== undefined,
|
||||
email
|
||||
pincodeId: definedPincode.pincodeId
|
||||
});
|
||||
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
|
||||
const cookie = serializeResourceSessionCookie(
|
||||
|
|
200
server/routers/resource/authWithWhitelist.ts
Normal file
200
server/routers/resource/authWithWhitelist.ts
Normal file
|
@ -0,0 +1,200 @@
|
|||
import { generateSessionToken } from "@server/auth";
|
||||
import db from "@server/db";
|
||||
import {
|
||||
orgs,
|
||||
resourceOtp,
|
||||
resourcePassword,
|
||||
resources,
|
||||
resourceWhitelist
|
||||
} from "@server/db/schema";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import response from "@server/utils/response";
|
||||
import { eq, and } from "drizzle-orm";
|
||||
import { NextFunction, Request, Response } from "express";
|
||||
import createHttpError from "http-errors";
|
||||
import { z } from "zod";
|
||||
import { fromError } from "zod-validation-error";
|
||||
import {
|
||||
createResourceSession,
|
||||
serializeResourceSessionCookie
|
||||
} from "@server/auth/resource";
|
||||
import config from "@server/config";
|
||||
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
|
||||
import logger from "@server/logger";
|
||||
|
||||
const authWithWhitelistBodySchema = z.object({
|
||||
email: z.string().email(),
|
||||
otp: z.string().optional()
|
||||
});
|
||||
|
||||
const authWithWhitelistParamsSchema = z.object({
|
||||
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
});
|
||||
|
||||
export type AuthWithWhitelistResponse = {
|
||||
otpSent?: boolean;
|
||||
session?: string;
|
||||
};
|
||||
|
||||
export async function authWithWhitelist(
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): Promise<any> {
|
||||
const parsedBody = authWithWhitelistBodySchema.safeParse(req.body);
|
||||
|
||||
if (!parsedBody.success) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedBody.error).toString()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const parsedParams = authWithWhitelistParamsSchema.safeParse(req.params);
|
||||
|
||||
if (!parsedParams.success) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedParams.error).toString()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
const { email, otp } = parsedBody.data;
|
||||
|
||||
try {
|
||||
const [result] = await db
|
||||
.select()
|
||||
.from(resourceWhitelist)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceWhitelist.resourceId, resourceId),
|
||||
eq(resourceWhitelist.email, email)
|
||||
)
|
||||
)
|
||||
.leftJoin(
|
||||
resources,
|
||||
eq(resources.resourceId, resourceWhitelist.resourceId)
|
||||
)
|
||||
.leftJoin(orgs, eq(orgs.orgId, resources.orgId))
|
||||
.limit(1);
|
||||
|
||||
const resource = result?.resources;
|
||||
const org = result?.orgs;
|
||||
const whitelistedEmail = result?.resourceWhitelist;
|
||||
|
||||
if (!whitelistedEmail) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.UNAUTHORIZED,
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Email is not whitelisted"
|
||||
)
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
if (!org) {
|
||||
return next(
|
||||
createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
|
||||
);
|
||||
}
|
||||
|
||||
if (!resource) {
|
||||
return next(
|
||||
createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
|
||||
);
|
||||
}
|
||||
|
||||
if (otp && email) {
|
||||
const isValidCode = await isValidOtp(
|
||||
email,
|
||||
resource.resourceId,
|
||||
otp
|
||||
);
|
||||
if (!isValidCode) {
|
||||
return next(
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
|
||||
);
|
||||
}
|
||||
|
||||
await db
|
||||
.delete(resourceOtp)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceOtp.email, email),
|
||||
eq(resourceOtp.resourceId, resource.resourceId)
|
||||
)
|
||||
);
|
||||
} else if (email) {
|
||||
try {
|
||||
await sendResourceOtpEmail(
|
||||
email,
|
||||
resource.resourceId,
|
||||
resource.name,
|
||||
org.name
|
||||
);
|
||||
return response<AuthWithWhitelistResponse>(res, {
|
||||
data: { otpSent: true },
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Sent one-time otp to email address",
|
||||
status: HttpCode.ACCEPTED
|
||||
});
|
||||
} catch (e) {
|
||||
logger.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to send one-time otp. Make sure the email address is correct and try again."
|
||||
)
|
||||
);
|
||||
}
|
||||
} else {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Email is required for whitelist authentication"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const token = generateSessionToken();
|
||||
await createResourceSession({
|
||||
resourceId,
|
||||
token,
|
||||
whitelistId: whitelistedEmail.whitelistId
|
||||
});
|
||||
const cookieName = `${config.server.resource_session_cookie_name}_${resource.resourceId}`;
|
||||
const cookie = serializeResourceSessionCookie(
|
||||
cookieName,
|
||||
token,
|
||||
resource.fullDomain
|
||||
);
|
||||
res.appendHeader("Set-Cookie", cookie);
|
||||
|
||||
return response<AuthWithWhitelistResponse>(res, {
|
||||
data: {
|
||||
session: token
|
||||
},
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Authenticated with resource successfully",
|
||||
status: HttpCode.OK
|
||||
});
|
||||
} catch (e) {
|
||||
throw e;
|
||||
logger.error(e);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"Failed to authenticate with resource"
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
|
@ -24,6 +24,7 @@ export type GetResourceAuthInfoResponse = {
|
|||
sso: boolean;
|
||||
blockAccess: boolean;
|
||||
url: string;
|
||||
whitelist: boolean;
|
||||
};
|
||||
|
||||
export async function getResourceAuthInfo(
|
||||
|
@ -79,6 +80,7 @@ export async function getResourceAuthInfo(
|
|||
sso: resource.sso,
|
||||
blockAccess: resource.blockAccess,
|
||||
url,
|
||||
whitelist: resource.emailWhitelistEnabled
|
||||
},
|
||||
success: true,
|
||||
error: false,
|
||||
|
|
64
server/routers/resource/getResourceWhitelist.ts
Normal file
64
server/routers/resource/getResourceWhitelist.ts
Normal file
|
@ -0,0 +1,64 @@
|
|||
import { Request, Response, NextFunction } from "express";
|
||||
import { z } from "zod";
|
||||
import { db } from "@server/db";
|
||||
import { resourceWhitelist, users } from "@server/db/schema"; // Assuming these are the correct tables
|
||||
import { eq } from "drizzle-orm";
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
const getResourceWhitelistSchema = z.object({
|
||||
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
});
|
||||
|
||||
async function queryWhitelist(resourceId: number) {
|
||||
return await db
|
||||
.select({
|
||||
email: resourceWhitelist.email
|
||||
})
|
||||
.from(resourceWhitelist)
|
||||
.where(eq(resourceWhitelist.resourceId, resourceId));
|
||||
}
|
||||
|
||||
export type GetResourceWhitelistResponse = {
|
||||
whitelist: NonNullable<Awaited<ReturnType<typeof queryWhitelist>>>;
|
||||
};
|
||||
|
||||
export async function getResourceWhitelist(
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): Promise<any> {
|
||||
try {
|
||||
const parsedParams = getResourceWhitelistSchema.safeParse(req.params);
|
||||
if (!parsedParams.success) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedParams.error).toString()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
|
||||
const whitelist = await queryWhitelist(resourceId);
|
||||
|
||||
return response<GetResourceWhitelistResponse>(res, {
|
||||
data: {
|
||||
whitelist
|
||||
},
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Resource whitelist retrieved successfully",
|
||||
status: HttpCode.OK
|
||||
});
|
||||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
|
@ -12,3 +12,6 @@ export * from "./authWithPassword";
|
|||
export * from "./getResourceAuthInfo";
|
||||
export * from "./setResourcePincode";
|
||||
export * from "./authWithPincode";
|
||||
export * from "./setResourceWhitelist";
|
||||
export * from "./getResourceWhitelist";
|
||||
export * from "./authWithWhitelist";
|
||||
|
|
|
@ -62,6 +62,7 @@ function queryResources(
|
|||
passwordId: resourcePassword.passwordId,
|
||||
pincodeId: resourcePincode.pincodeId,
|
||||
sso: resources.sso,
|
||||
whitelist: resources.emailWhitelistEnabled
|
||||
})
|
||||
.from(resources)
|
||||
.leftJoin(sites, eq(resources.siteId, sites.siteId))
|
||||
|
@ -91,6 +92,7 @@ function queryResources(
|
|||
passwordId: resourcePassword.passwordId,
|
||||
sso: resources.sso,
|
||||
pincodeId: resourcePincode.pincodeId,
|
||||
whitelist: resources.emailWhitelistEnabled
|
||||
})
|
||||
.from(resources)
|
||||
.leftJoin(sites, eq(resources.siteId, sites.siteId))
|
||||
|
|
120
server/routers/resource/setResourceWhitelist.ts
Normal file
120
server/routers/resource/setResourceWhitelist.ts
Normal file
|
@ -0,0 +1,120 @@
|
|||
import { Request, Response, NextFunction } from "express";
|
||||
import { z } from "zod";
|
||||
import { db } from "@server/db";
|
||||
import { resources, resourceWhitelist } from "@server/db/schema";
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
|
||||
const setResourceWhitelistBodySchema = z.object({
|
||||
emails: z.array(z.string().email()).max(50)
|
||||
});
|
||||
|
||||
const setResourceWhitelistParamsSchema = z.object({
|
||||
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
});
|
||||
|
||||
export async function setResourceWhitelist(
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): Promise<any> {
|
||||
try {
|
||||
const parsedBody = setResourceWhitelistBodySchema.safeParse(req.body);
|
||||
if (!parsedBody.success) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedBody.error).toString()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const { emails } = parsedBody.data;
|
||||
|
||||
const parsedParams = setResourceWhitelistParamsSchema.safeParse(
|
||||
req.params
|
||||
);
|
||||
if (!parsedParams.success) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
fromError(parsedParams.error).toString()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const { resourceId } = parsedParams.data;
|
||||
|
||||
const [resource] = await db
|
||||
.select()
|
||||
.from(resources)
|
||||
.where(eq(resources.resourceId, resourceId));
|
||||
|
||||
if (!resource) {
|
||||
return next(
|
||||
createHttpError(HttpCode.NOT_FOUND, "Resource not found")
|
||||
);
|
||||
}
|
||||
|
||||
if (!resource.emailWhitelistEnabled) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Email whitelist is not enabled for this resource"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const whitelist = await db
|
||||
.select()
|
||||
.from(resourceWhitelist)
|
||||
.where(eq(resourceWhitelist.resourceId, resourceId));
|
||||
|
||||
await db.transaction(async (trx) => {
|
||||
// diff the emails
|
||||
const existingEmails = whitelist.map((w) => w.email);
|
||||
|
||||
const emailsToAdd = emails.filter(
|
||||
(e) => !existingEmails.includes(e)
|
||||
);
|
||||
const emailsToRemove = existingEmails.filter(
|
||||
(e) => !emails.includes(e)
|
||||
);
|
||||
|
||||
for (const email of emailsToAdd) {
|
||||
await trx.insert(resourceWhitelist).values({
|
||||
email,
|
||||
resourceId
|
||||
});
|
||||
}
|
||||
|
||||
for (const email of emailsToRemove) {
|
||||
await trx
|
||||
.delete(resourceWhitelist)
|
||||
.where(
|
||||
and(
|
||||
eq(resourceWhitelist.resourceId, resourceId),
|
||||
eq(resourceWhitelist.email, email)
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
return response(res, {
|
||||
data: {},
|
||||
success: true,
|
||||
error: false,
|
||||
message: "Whitelist set for resource successfully",
|
||||
status: HttpCode.CREATED
|
||||
});
|
||||
});
|
||||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
|
@ -21,6 +21,7 @@ const updateResourceBodySchema = z
|
|||
ssl: z.boolean().optional(),
|
||||
sso: z.boolean().optional(),
|
||||
blockAccess: z.boolean().optional(),
|
||||
emailWhitelistEnabled: z.boolean().optional(),
|
||||
// siteId: z.number(),
|
||||
})
|
||||
.strict()
|
||||
|
|
|
@ -9,6 +9,7 @@ import { AxiosResponse } from "axios";
|
|||
import { formatAxiosError } from "@app/lib/utils";
|
||||
import {
|
||||
GetResourceAuthInfoResponse,
|
||||
GetResourceWhitelistResponse,
|
||||
ListResourceRolesResponse,
|
||||
ListResourceUsersResponse
|
||||
} from "@server/routers/resource";
|
||||
|
@ -53,6 +54,15 @@ const UsersRolesFormSchema = z.object({
|
|||
)
|
||||
});
|
||||
|
||||
const whitelistSchema = z.object({
|
||||
emails: z.array(
|
||||
z.object({
|
||||
id: z.string(),
|
||||
text: z.string()
|
||||
})
|
||||
)
|
||||
});
|
||||
|
||||
export default function ResourceAuthenticationPage() {
|
||||
const { toast } = useToast();
|
||||
const { org } = useOrgContext();
|
||||
|
@ -76,10 +86,19 @@ export default function ResourceAuthenticationPage() {
|
|||
number | null
|
||||
>(null);
|
||||
|
||||
const [activeEmailTagIndex, setActiveEmailTagIndex] = useState<
|
||||
number | null
|
||||
>(null);
|
||||
|
||||
const [ssoEnabled, setSsoEnabled] = useState(resource.sso);
|
||||
// const [blockAccess, setBlockAccess] = useState(resource.blockAccess);
|
||||
const [whitelistEnabled, setWhitelistEnabled] = useState(
|
||||
resource.emailWhitelistEnabled
|
||||
);
|
||||
|
||||
const [loadingSaveUsersRoles, setLoadingSaveUsersRoles] = useState(false);
|
||||
const [loadingSaveWhitelist, setLoadingSaveWhitelist] = useState(false);
|
||||
|
||||
const [loadingRemoveResourcePassword, setLoadingRemoveResourcePassword] =
|
||||
useState(false);
|
||||
const [loadingRemoveResourcePincode, setLoadingRemoveResourcePincode] =
|
||||
|
@ -93,6 +112,11 @@ export default function ResourceAuthenticationPage() {
|
|||
defaultValues: { roles: [], users: [] }
|
||||
});
|
||||
|
||||
const whitelistForm = useForm<z.infer<typeof whitelistSchema>>({
|
||||
resolver: zodResolver(whitelistSchema),
|
||||
defaultValues: { emails: [] }
|
||||
});
|
||||
|
||||
useEffect(() => {
|
||||
const fetchData = async () => {
|
||||
try {
|
||||
|
@ -100,7 +124,8 @@ export default function ResourceAuthenticationPage() {
|
|||
rolesResponse,
|
||||
resourceRolesResponse,
|
||||
usersResponse,
|
||||
resourceUsersResponse
|
||||
resourceUsersResponse,
|
||||
whitelist
|
||||
] = await Promise.all([
|
||||
api.get<AxiosResponse<ListRolesResponse>>(
|
||||
`/org/${org?.org.orgId}/roles`
|
||||
|
@ -113,6 +138,9 @@ export default function ResourceAuthenticationPage() {
|
|||
),
|
||||
api.get<AxiosResponse<ListResourceUsersResponse>>(
|
||||
`/resource/${resource.resourceId}/users`
|
||||
),
|
||||
api.get<AxiosResponse<GetResourceWhitelistResponse>>(
|
||||
`/resource/${resource.resourceId}/whitelist`
|
||||
)
|
||||
]);
|
||||
|
||||
|
@ -150,6 +178,14 @@ export default function ResourceAuthenticationPage() {
|
|||
}))
|
||||
);
|
||||
|
||||
whitelistForm.setValue(
|
||||
"emails",
|
||||
whitelist.data.data.whitelist.map((w) => ({
|
||||
id: w.email,
|
||||
text: w.email
|
||||
}))
|
||||
);
|
||||
|
||||
setPageLoading(false);
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
|
@ -167,6 +203,42 @@ export default function ResourceAuthenticationPage() {
|
|||
fetchData();
|
||||
}, []);
|
||||
|
||||
async function saveWhitelist() {
|
||||
setLoadingSaveWhitelist(true);
|
||||
try {
|
||||
await api.post(`/resource/${resource.resourceId}`, {
|
||||
emailWhitelistEnabled: whitelistEnabled
|
||||
});
|
||||
|
||||
if (whitelistEnabled) {
|
||||
await api.post(`/resource/${resource.resourceId}/whitelist`, {
|
||||
emails: whitelistForm.getValues().emails.map((i) => i.text)
|
||||
});
|
||||
}
|
||||
|
||||
updateResource({
|
||||
emailWhitelistEnabled: whitelistEnabled
|
||||
});
|
||||
|
||||
toast({
|
||||
title: "Saved successfully",
|
||||
description: "Whitelist settings have been saved"
|
||||
});
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
toast({
|
||||
variant: "destructive",
|
||||
title: "Failed to save whitelist",
|
||||
description: formatAxiosError(
|
||||
e,
|
||||
"An error occurred while saving the whitelist"
|
||||
)
|
||||
});
|
||||
} finally {
|
||||
setLoadingSaveWhitelist(false);
|
||||
}
|
||||
}
|
||||
|
||||
async function onSubmitUsersRoles(
|
||||
data: z.infer<typeof UsersRolesFormSchema>
|
||||
) {
|
||||
|
@ -537,6 +609,96 @@ export default function ResourceAuthenticationPage() {
|
|||
)}
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<Separator />
|
||||
|
||||
<div>
|
||||
<div className="flex items-center space-x-2 mb-2">
|
||||
<Switch
|
||||
id="whitelist-toggle"
|
||||
defaultChecked={resource.emailWhitelistEnabled}
|
||||
onCheckedChange={(val) =>
|
||||
setWhitelistEnabled(val)
|
||||
}
|
||||
/>
|
||||
<Label htmlFor="whitelist-toggle">
|
||||
Email Whitelist
|
||||
</Label>
|
||||
</div>
|
||||
<span className="text-muted-foreground text-sm">
|
||||
Enable resource whitelist to require email-based
|
||||
authentication (one-time passwords) for resource
|
||||
access.
|
||||
</span>
|
||||
</div>
|
||||
|
||||
{whitelistEnabled && (
|
||||
<Form {...whitelistForm}>
|
||||
<form className="space-y-8">
|
||||
<FormField
|
||||
control={whitelistForm.control}
|
||||
name="emails"
|
||||
render={({ field }) => (
|
||||
<FormItem className="flex flex-col items-start">
|
||||
<FormLabel>
|
||||
Whitelisted Emails
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<TagInput
|
||||
{...field}
|
||||
activeTagIndex={
|
||||
activeEmailTagIndex
|
||||
}
|
||||
validateTag={(tag) => {
|
||||
return z
|
||||
.string()
|
||||
.email()
|
||||
.safeParse(tag)
|
||||
.success;
|
||||
}}
|
||||
setActiveTagIndex={
|
||||
setActiveEmailTagIndex
|
||||
}
|
||||
placeholder="Enter an email"
|
||||
tags={
|
||||
whitelistForm.getValues()
|
||||
.emails
|
||||
}
|
||||
setTags={(newRoles) => {
|
||||
whitelistForm.setValue(
|
||||
"emails",
|
||||
newRoles as [
|
||||
Tag,
|
||||
...Tag[]
|
||||
]
|
||||
);
|
||||
}}
|
||||
allowDuplicates={false}
|
||||
sortTags={true}
|
||||
styleClasses={{
|
||||
tag: {
|
||||
body: "bg-muted hover:bg-accent text-foreground py-2 px-3 rounded-full"
|
||||
},
|
||||
input: "border-none bg-transparent text-inherit placeholder:text-inherit shadow-none",
|
||||
inlineTagsContainer:
|
||||
"bg-transparent"
|
||||
}}
|
||||
/>
|
||||
</FormControl>
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
<Button
|
||||
loading={loadingSaveWhitelist}
|
||||
disabled={loadingSaveWhitelist}
|
||||
onClick={saveWhitelist}
|
||||
>
|
||||
Save Whitelist
|
||||
</Button>
|
||||
</section>
|
||||
</div>
|
||||
</>
|
||||
|
|
|
@ -10,7 +10,7 @@ import {
|
|||
CheckIcon,
|
||||
CopyIcon,
|
||||
ShieldCheck,
|
||||
ShieldOff,
|
||||
ShieldOff
|
||||
} from "lucide-react";
|
||||
import { useOrgContext } from "@app/hooks/useOrgContext";
|
||||
import { useResourceContext } from "@app/hooks/useResourceContext";
|
||||
|
@ -49,7 +49,8 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
|
|||
<div>
|
||||
{authInfo.password ||
|
||||
authInfo.pincode ||
|
||||
authInfo.sso ? (
|
||||
authInfo.sso ||
|
||||
authInfo.whitelist ? (
|
||||
<div className="flex items-center space-x-2 text-green-500">
|
||||
<ShieldCheck />
|
||||
<span>
|
||||
|
|
|
@ -55,7 +55,8 @@ export default async function ResourcesPage(props: ResourcesPageProps) {
|
|||
hasAuth:
|
||||
resource.sso ||
|
||||
resource.pincodeId !== null ||
|
||||
resource.pincodeId !== null,
|
||||
resource.pincodeId !== null ||
|
||||
resource.whitelist
|
||||
};
|
||||
});
|
||||
|
||||
|
|
|
@ -32,7 +32,8 @@ import {
|
|||
Send,
|
||||
ArrowLeft,
|
||||
ArrowRight,
|
||||
Lock
|
||||
Lock,
|
||||
AtSign
|
||||
} from "lucide-react";
|
||||
import {
|
||||
InputOTP,
|
||||
|
@ -44,50 +45,35 @@ import { Alert, AlertDescription } from "@app/components/ui/alert";
|
|||
import { formatAxiosError } from "@app/lib/utils";
|
||||
import { AxiosResponse } from "axios";
|
||||
import LoginForm from "@app/components/LoginForm";
|
||||
import { AuthWithPasswordResponse } from "@server/routers/resource";
|
||||
import { AuthWithPasswordResponse, AuthWithWhitelistResponse } from "@server/routers/resource";
|
||||
import { redirect } from "next/dist/server/api-utils";
|
||||
import ResourceAccessDenied from "./ResourceAccessDenied";
|
||||
import { createApiClient } from "@app/api";
|
||||
import { useEnvContext } from "@app/hooks/useEnvContext";
|
||||
import { useToast } from "@app/hooks/useToast";
|
||||
|
||||
const pin = z
|
||||
.string()
|
||||
.length(6, { message: "PIN must be exactly 6 digits" })
|
||||
.regex(/^\d+$/, { message: "PIN must only contain numbers" });
|
||||
|
||||
const pinSchema = z.object({
|
||||
pin
|
||||
});
|
||||
|
||||
const pinRequestOtpSchema = z.object({
|
||||
pin,
|
||||
email: z.string().email()
|
||||
});
|
||||
|
||||
const pinOtpSchema = z.object({
|
||||
pin,
|
||||
email: z.string().email(),
|
||||
otp: z.string()
|
||||
});
|
||||
|
||||
const password = z.string().min(1, {
|
||||
message: "Password must be at least 1 character long"
|
||||
pin: z
|
||||
.string()
|
||||
.length(6, { message: "PIN must be exactly 6 digits" })
|
||||
.regex(/^\d+$/, { message: "PIN must only contain numbers" })
|
||||
});
|
||||
|
||||
const passwordSchema = z.object({
|
||||
password
|
||||
password: z.string().min(1, {
|
||||
message: "Password must be at least 1 character long"
|
||||
})
|
||||
});
|
||||
|
||||
const passwordRequestOtpSchema = z.object({
|
||||
password,
|
||||
const requestOtpSchema = z.object({
|
||||
email: z.string().email()
|
||||
});
|
||||
|
||||
const passwordOtpSchema = z.object({
|
||||
password,
|
||||
const submitOtpSchema = z.object({
|
||||
email: z.string().email(),
|
||||
otp: z.string()
|
||||
otp: z.string().min(1, {
|
||||
message: "OTP must be at least 1 character long"
|
||||
})
|
||||
});
|
||||
|
||||
type ResourceAuthPortalProps = {
|
||||
|
@ -95,6 +81,7 @@ type ResourceAuthPortalProps = {
|
|||
password: boolean;
|
||||
pincode: boolean;
|
||||
sso: boolean;
|
||||
whitelist: boolean;
|
||||
};
|
||||
resource: {
|
||||
name: string;
|
||||
|
@ -112,6 +99,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
if (props.methods.pincode) colLength++;
|
||||
if (props.methods.password) colLength++;
|
||||
if (props.methods.sso) colLength++;
|
||||
if (props.methods.whitelist) colLength++;
|
||||
return colLength;
|
||||
};
|
||||
|
||||
|
@ -119,12 +107,11 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
|
||||
const [passwordError, setPasswordError] = useState<string | null>(null);
|
||||
const [pincodeError, setPincodeError] = useState<string | null>(null);
|
||||
const [whitelistError, setWhitelistError] = useState<string | null>(null);
|
||||
const [accessDenied, setAccessDenied] = useState<boolean>(false);
|
||||
const [loadingLogin, setLoadingLogin] = useState(false);
|
||||
|
||||
const [otpState, setOtpState] = useState<
|
||||
"idle" | "otp_requested" | "otp_sent"
|
||||
>("idle");
|
||||
const [otpState, setOtpState] = useState<"idle" | "otp_sent">("idle");
|
||||
|
||||
const api = createApiClient(useEnvContext());
|
||||
|
||||
|
@ -140,6 +127,10 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
if (props.methods.pincode) {
|
||||
return "pin";
|
||||
}
|
||||
|
||||
if (props.methods.whitelist) {
|
||||
return "whitelist";
|
||||
}
|
||||
}
|
||||
|
||||
const [activeTab, setActiveTab] = useState(getDefaultSelectedMethod());
|
||||
|
@ -151,23 +142,6 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
}
|
||||
});
|
||||
|
||||
const pinRequestOtpForm = useForm<z.infer<typeof pinRequestOtpSchema>>({
|
||||
resolver: zodResolver(pinRequestOtpSchema),
|
||||
defaultValues: {
|
||||
pin: "",
|
||||
email: ""
|
||||
}
|
||||
});
|
||||
|
||||
const pinOtpForm = useForm<z.infer<typeof pinOtpSchema>>({
|
||||
resolver: zodResolver(pinOtpSchema),
|
||||
defaultValues: {
|
||||
pin: "",
|
||||
email: "",
|
||||
otp: ""
|
||||
}
|
||||
});
|
||||
|
||||
const passwordForm = useForm<z.infer<typeof passwordSchema>>({
|
||||
resolver: zodResolver(passwordSchema),
|
||||
defaultValues: {
|
||||
|
@ -175,45 +149,37 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
}
|
||||
});
|
||||
|
||||
const passwordRequestOtpForm = useForm<
|
||||
z.infer<typeof passwordRequestOtpSchema>
|
||||
>({
|
||||
resolver: zodResolver(passwordRequestOtpSchema),
|
||||
const requestOtpForm = useForm<z.infer<typeof requestOtpSchema>>({
|
||||
resolver: zodResolver(requestOtpSchema),
|
||||
defaultValues: {
|
||||
password: "",
|
||||
email: ""
|
||||
}
|
||||
});
|
||||
|
||||
const passwordOtpForm = useForm<z.infer<typeof passwordOtpSchema>>({
|
||||
resolver: zodResolver(passwordOtpSchema),
|
||||
const submitOtpForm = useForm<z.infer<typeof submitOtpSchema>>({
|
||||
resolver: zodResolver(submitOtpSchema),
|
||||
defaultValues: {
|
||||
password: "",
|
||||
email: "",
|
||||
otp: ""
|
||||
}
|
||||
});
|
||||
|
||||
const onPinSubmit = (values: any) => {
|
||||
const onWhitelistSubmit = (values: any) => {
|
||||
setLoadingLogin(true);
|
||||
api.post<AxiosResponse<AuthWithPasswordResponse>>(
|
||||
`/auth/resource/${props.resource.id}/pincode`,
|
||||
{ pincode: values.pin, email: values.email, otp: values.otp }
|
||||
api.post<AxiosResponse<AuthWithWhitelistResponse>>(
|
||||
`/auth/resource/${props.resource.id}/whitelist`,
|
||||
{ email: values.email, otp: values.otp }
|
||||
)
|
||||
.then((res) => {
|
||||
setPincodeError(null);
|
||||
if (res.data.data.otpRequested) {
|
||||
setOtpState("otp_requested");
|
||||
pinRequestOtpForm.setValue("pin", values.pin);
|
||||
return;
|
||||
} else if (res.data.data.otpSent) {
|
||||
pinOtpForm.setValue("email", values.email);
|
||||
pinOtpForm.setValue("pin", values.pin);
|
||||
setWhitelistError(null);
|
||||
|
||||
if (res.data.data.otpSent) {
|
||||
setOtpState("otp_sent");
|
||||
submitOtpForm.setValue("email", values.email);
|
||||
toast({
|
||||
title: "OTP Sent",
|
||||
description: `OTP sent to ${values.email}`
|
||||
description: "An OTP has been sent to your email"
|
||||
});
|
||||
setOtpState("otp_sent");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -222,6 +188,28 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
window.location.href = props.redirect;
|
||||
}
|
||||
})
|
||||
.catch((e) => {
|
||||
console.error(e);
|
||||
setWhitelistError(
|
||||
formatAxiosError(e, "Failed to authenticate with email")
|
||||
);
|
||||
})
|
||||
.then(() => setLoadingLogin(false));
|
||||
};
|
||||
|
||||
const onPinSubmit = (values: z.infer<typeof pinSchema>) => {
|
||||
setLoadingLogin(true);
|
||||
api.post<AxiosResponse<AuthWithPasswordResponse>>(
|
||||
`/auth/resource/${props.resource.id}/pincode`,
|
||||
{ pincode: values.pin }
|
||||
)
|
||||
.then((res) => {
|
||||
setPincodeError(null);
|
||||
const session = res.data.data.session;
|
||||
if (session) {
|
||||
window.location.href = props.redirect;
|
||||
}
|
||||
})
|
||||
.catch((e) => {
|
||||
console.error(e);
|
||||
setPincodeError(
|
||||
|
@ -231,53 +219,17 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
.then(() => setLoadingLogin(false));
|
||||
};
|
||||
|
||||
const resetPasswordForms = () => {
|
||||
passwordForm.reset();
|
||||
passwordRequestOtpForm.reset();
|
||||
passwordOtpForm.reset();
|
||||
setOtpState("idle");
|
||||
setPasswordError(null);
|
||||
};
|
||||
|
||||
const resetPinForms = () => {
|
||||
pinForm.reset();
|
||||
pinRequestOtpForm.reset();
|
||||
pinOtpForm.reset();
|
||||
setOtpState("idle");
|
||||
setPincodeError(null);
|
||||
}
|
||||
|
||||
const onPasswordSubmit = (values: any) => {
|
||||
const onPasswordSubmit = (values: z.infer<typeof passwordSchema>) => {
|
||||
setLoadingLogin(true);
|
||||
|
||||
api.post<AxiosResponse<AuthWithPasswordResponse>>(
|
||||
`/auth/resource/${props.resource.id}/password`,
|
||||
{
|
||||
password: values.password,
|
||||
email: values.email,
|
||||
otp: values.otp
|
||||
password: values.password
|
||||
}
|
||||
)
|
||||
.then((res) => {
|
||||
setPasswordError(null);
|
||||
if (res.data.data.otpRequested) {
|
||||
setOtpState("otp_requested");
|
||||
passwordRequestOtpForm.setValue(
|
||||
"password",
|
||||
values.password
|
||||
);
|
||||
return;
|
||||
} else if (res.data.data.otpSent) {
|
||||
passwordOtpForm.setValue("email", values.email);
|
||||
passwordOtpForm.setValue("password", values.password);
|
||||
toast({
|
||||
title: "OTP Sent",
|
||||
description: `OTP sent to ${values.email}`
|
||||
});
|
||||
setOtpState("otp_sent");
|
||||
return;
|
||||
}
|
||||
|
||||
const session = res.data.data.session;
|
||||
if (session) {
|
||||
window.location.href = props.redirect;
|
||||
|
@ -337,7 +289,9 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
? "grid-cols-1"
|
||||
: numMethods === 2
|
||||
? "grid-cols-2"
|
||||
: "grid-cols-3"
|
||||
: numMethods === 3
|
||||
? "grid-cols-3"
|
||||
: "grid-cols-4"
|
||||
}`}
|
||||
>
|
||||
{props.methods.pincode && (
|
||||
|
@ -358,6 +312,12 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
User
|
||||
</TabsTrigger>
|
||||
)}
|
||||
{props.methods.whitelist && (
|
||||
<TabsTrigger value="whitelist">
|
||||
<AtSign className="w-4 h-4 mr-1" />{" "}
|
||||
Email
|
||||
</TabsTrigger>
|
||||
)}
|
||||
</TabsList>
|
||||
)}
|
||||
{props.methods.pincode && (
|
||||
|
@ -365,237 +325,86 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
value="pin"
|
||||
className={`${numMethods <= 1 ? "mt-0" : ""}`}
|
||||
>
|
||||
{otpState === "idle" && (
|
||||
<Form {...pinForm}>
|
||||
<form
|
||||
onSubmit={pinForm.handleSubmit(
|
||||
onPinSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
pinForm.control
|
||||
}
|
||||
name="pin"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
6-digit PIN
|
||||
Code
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<div className="flex justify-center">
|
||||
<InputOTP
|
||||
maxLength={
|
||||
6
|
||||
}
|
||||
{...field}
|
||||
>
|
||||
<InputOTPGroup className="flex">
|
||||
<InputOTPSlot
|
||||
index={
|
||||
0
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
1
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
2
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
3
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
4
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
5
|
||||
}
|
||||
/>
|
||||
</InputOTPGroup>
|
||||
</InputOTP>
|
||||
</div>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
{pincodeError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{pincodeError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Login with PIN
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
{otpState === "otp_requested" && (
|
||||
<Form {...pinRequestOtpForm}>
|
||||
<form
|
||||
onSubmit={pinRequestOtpForm.handleSubmit(
|
||||
onPinSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
pinRequestOtpForm.control
|
||||
}
|
||||
name="email"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
Email
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter email"
|
||||
type="email"
|
||||
<Form {...pinForm}>
|
||||
<form
|
||||
onSubmit={pinForm.handleSubmit(
|
||||
onPinSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={pinForm.control}
|
||||
name="pin"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
6-digit PIN Code
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<div className="flex justify-center">
|
||||
<InputOTP
|
||||
maxLength={
|
||||
6
|
||||
}
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormDescription>
|
||||
A one-time
|
||||
code will be
|
||||
sent to this
|
||||
email.
|
||||
</FormDescription>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{pincodeError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{pincodeError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
>
|
||||
<InputOTPGroup className="flex">
|
||||
<InputOTPSlot
|
||||
index={
|
||||
0
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
1
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
2
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
3
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
4
|
||||
}
|
||||
/>
|
||||
<InputOTPSlot
|
||||
index={
|
||||
5
|
||||
}
|
||||
/>
|
||||
</InputOTPGroup>
|
||||
</InputOTP>
|
||||
</div>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<Send className="w-4 h-4 mr-2" />
|
||||
Send OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() =>
|
||||
resetPinForms()
|
||||
}
|
||||
>
|
||||
Back to PIN
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
{otpState === "otp_sent" && (
|
||||
<Form {...pinOtpForm}>
|
||||
<form
|
||||
onSubmit={pinOtpForm.handleSubmit(
|
||||
onPinSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
/>
|
||||
{pincodeError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{pincodeError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
pinOtpForm.control
|
||||
}
|
||||
name="otp"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
One-Time
|
||||
Password
|
||||
(OTP)
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter OTP"
|
||||
type="otp"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{pincodeError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{pincodeError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Submit OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() => {
|
||||
setOtpState(
|
||||
"otp_requested"
|
||||
);
|
||||
pinOtpForm.reset();
|
||||
}}
|
||||
>
|
||||
Resend OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() =>
|
||||
resetPinForms()
|
||||
}
|
||||
>
|
||||
Back to PIN
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Login with PIN
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
</TabsContent>
|
||||
)}
|
||||
{props.methods.password && (
|
||||
|
@ -603,202 +412,54 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
value="password"
|
||||
className={`${numMethods <= 1 ? "mt-0" : ""}`}
|
||||
>
|
||||
{otpState === "idle" && (
|
||||
<Form {...passwordForm}>
|
||||
<form
|
||||
onSubmit={passwordForm.handleSubmit(
|
||||
onPasswordSubmit
|
||||
<Form {...passwordForm}>
|
||||
<form
|
||||
onSubmit={passwordForm.handleSubmit(
|
||||
onPasswordSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
passwordForm.control
|
||||
}
|
||||
name="password"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
Password
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter password"
|
||||
type="password"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
className="space-y-4"
|
||||
/>
|
||||
|
||||
{passwordError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{passwordError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
passwordForm.control
|
||||
}
|
||||
name="password"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
Password
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter password"
|
||||
type="password"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{passwordError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{passwordError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Login with Password
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
{otpState === "otp_requested" && (
|
||||
<Form {...passwordRequestOtpForm}>
|
||||
<form
|
||||
onSubmit={passwordRequestOtpForm.handleSubmit(
|
||||
onPasswordSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
passwordRequestOtpForm.control
|
||||
}
|
||||
name="email"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
Email
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter email"
|
||||
type="email"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormDescription>
|
||||
A one-time
|
||||
code will be
|
||||
sent to this
|
||||
email.
|
||||
</FormDescription>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{passwordError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{passwordError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<Send className="w-4 h-4 mr-2" />
|
||||
Send OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() =>
|
||||
resetPasswordForms()
|
||||
}
|
||||
>
|
||||
Back to Password
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
{otpState === "otp_sent" && (
|
||||
<Form {...passwordOtpForm}>
|
||||
<form
|
||||
onSubmit={passwordOtpForm.handleSubmit(
|
||||
onPasswordSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
passwordOtpForm.control
|
||||
}
|
||||
name="otp"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
One-Time
|
||||
Password
|
||||
(OTP)
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter OTP"
|
||||
type="otp"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{passwordError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{passwordError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Submit OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() => {
|
||||
setOtpState(
|
||||
"otp_requested"
|
||||
);
|
||||
passwordOtpForm.reset();
|
||||
}}
|
||||
>
|
||||
Resend OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() =>
|
||||
resetPasswordForms()
|
||||
}
|
||||
>
|
||||
Back to Password
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Login with Password
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
</TabsContent>
|
||||
)}
|
||||
{props.methods.sso && (
|
||||
|
@ -818,6 +479,134 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||
/>
|
||||
</TabsContent>
|
||||
)}
|
||||
{props.methods.whitelist && (
|
||||
<TabsContent
|
||||
value="whitelist"
|
||||
className={`${numMethods <= 1 ? "mt-0" : ""}`}
|
||||
>
|
||||
{otpState === "idle" && (
|
||||
<Form {...requestOtpForm}>
|
||||
<form
|
||||
onSubmit={requestOtpForm.handleSubmit(
|
||||
onWhitelistSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
requestOtpForm.control
|
||||
}
|
||||
name="email"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
Email
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter email"
|
||||
type="email"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormDescription>
|
||||
A one-time
|
||||
code will be
|
||||
sent to this
|
||||
email.
|
||||
</FormDescription>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{whitelistError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{whitelistError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<Send className="w-4 h-4 mr-2" />
|
||||
Send One-time Code
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
|
||||
{otpState === "otp_sent" && (
|
||||
<Form {...submitOtpForm}>
|
||||
<form
|
||||
onSubmit={submitOtpForm.handleSubmit(
|
||||
onWhitelistSubmit
|
||||
)}
|
||||
className="space-y-4"
|
||||
>
|
||||
<FormField
|
||||
control={
|
||||
submitOtpForm.control
|
||||
}
|
||||
name="otp"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
One-Time
|
||||
Password
|
||||
(OTP)
|
||||
</FormLabel>
|
||||
<FormControl>
|
||||
<Input
|
||||
placeholder="Enter OTP"
|
||||
type="password"
|
||||
{...field}
|
||||
/>
|
||||
</FormControl>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{whitelistError && (
|
||||
<Alert variant="destructive">
|
||||
<AlertDescription>
|
||||
{whitelistError}
|
||||
</AlertDescription>
|
||||
</Alert>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
className="w-full"
|
||||
loading={loadingLogin}
|
||||
disabled={loadingLogin}
|
||||
>
|
||||
<LockIcon className="w-4 h-4 mr-2" />
|
||||
Submit OTP
|
||||
</Button>
|
||||
|
||||
<Button
|
||||
type="button"
|
||||
className="w-full"
|
||||
variant={"outline"}
|
||||
onClick={() => {
|
||||
setOtpState("idle");
|
||||
submitOtpForm.reset();
|
||||
}}
|
||||
>
|
||||
Back to Email
|
||||
</Button>
|
||||
</form>
|
||||
</Form>
|
||||
)}
|
||||
</TabsContent>
|
||||
)}
|
||||
</Tabs>
|
||||
</CardContent>
|
||||
</Card>
|
||||
|
|
|
@ -120,6 +120,7 @@ export default async function ResourceAuthPage(props: {
|
|||
password: authInfo.password,
|
||||
pincode: authInfo.pincode,
|
||||
sso: authInfo.sso && !userIsUnauthorized,
|
||||
whitelist: authInfo.whitelist
|
||||
}}
|
||||
resource={{
|
||||
name: authInfo.resourceName,
|
||||
|
|
|
@ -23,11 +23,12 @@ import {
|
|||
} from "@/components/ui/card";
|
||||
import { Alert, AlertDescription } from "@/components/ui/alert";
|
||||
import { SignUpResponse } from "@server/routers/auth";
|
||||
import { api } from "@app/api";
|
||||
import { useRouter } from "next/navigation";
|
||||
import { passwordSchema } from "@server/auth/passwordSchema";
|
||||
import { AxiosResponse } from "axios";
|
||||
import { formatAxiosError } from "@app/lib/utils";
|
||||
import { createApiClient } from "@app/api";
|
||||
import { useEnvContext } from "@app/hooks/useEnvContext";
|
||||
|
||||
type SignupFormProps = {
|
||||
redirect?: string;
|
||||
|
@ -47,6 +48,8 @@ const formSchema = z
|
|||
export default function SignupForm({ redirect }: SignupFormProps) {
|
||||
const router = useRouter();
|
||||
|
||||
const api = createApiClient(useEnvContext());
|
||||
|
||||
const [loading, setLoading] = useState(false);
|
||||
const [error, setError] = useState<string | null>(null);
|
||||
|
||||
|
|
|
@ -8,9 +8,9 @@
|
|||
--background: 0 0% 100%;
|
||||
--foreground: 0 0.0% 10.0%;
|
||||
--card: 0 0% 100%;
|
||||
--card-foreground: 20 5.0% 10.0%;
|
||||
--card-foreground: 0 0% 100%;
|
||||
--popover: 0 0% 100%;
|
||||
--popover-foreground: 20 5.0% 10.0%;
|
||||
--popover-foreground: 0 0% 100%;
|
||||
--primary: 24.6 95% 53.1%;
|
||||
--primary-foreground: 60 9.1% 97.8%;
|
||||
--secondary: 60 4.8% 95.9%;
|
||||
|
@ -35,9 +35,9 @@
|
|||
.dark {
|
||||
--background: 0 0.0% 10.0%;
|
||||
--foreground: 60 9.1% 97.8%;
|
||||
--card: 20 5.0% 10.0%;
|
||||
--card: 0 0.0% 10.0%;
|
||||
--card-foreground: 60 9.1% 97.8%;
|
||||
--popover: 20 5.0% 10.0%;
|
||||
--popover: 0 0.0% 10.0%;
|
||||
--popover-foreground: 60 9.1% 97.8%;
|
||||
--primary: 20.5 90.2% 48.2%;
|
||||
--primary-foreground: 60 9.1% 97.8%;
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue