added support for pin code auth

server/routers/external.ts

@@ -43,51 +43,51 @@ authenticated.get(
     "/org/:orgId",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.getOrg),
-    org.getOrg
+    org.getOrg,
 );
 authenticated.post(
     "/org/:orgId",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.updateOrg),
-    org.updateOrg
+    org.updateOrg,
 );
 authenticated.delete(
     "/org/:orgId",
     verifyOrgAccess,
     verifyUserIsOrgOwner,
-    org.deleteOrg
+    org.deleteOrg,
 );
 
 authenticated.put(
     "/org/:orgId/site",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.createSite),
-    site.createSite
+    site.createSite,
 );
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listSites),
-    site.listSites
+    site.listSites,
 );
 authenticated.get(
     "/org/:orgId/site/:niceId",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.getSite),
-    site.getSite
+    site.getSite,
 );
 
 authenticated.get(
     "/org/:orgId/pick-site-defaults",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.createSite),
-    site.pickSiteDefaults
+    site.pickSiteDefaults,
 );
 authenticated.get(
     "/site/:siteId",
     verifySiteAccess,
     verifyUserHasAction(ActionsEnum.getSite),
-    site.getSite
+    site.getSite,
 );
 // authenticated.get(
 //     "/site/:siteId/roles",
@@ -99,38 +99,38 @@ authenticated.post(
     "/site/:siteId",
     verifySiteAccess,
     verifyUserHasAction(ActionsEnum.updateSite),
-    site.updateSite
+    site.updateSite,
 );
 authenticated.delete(
     "/site/:siteId",
     verifySiteAccess,
     verifyUserHasAction(ActionsEnum.deleteSite),
-    site.deleteSite
+    site.deleteSite,
 );
 
 authenticated.put(
     "/org/:orgId/site/:siteId/resource",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.createResource),
-    resource.createResource
+    resource.createResource,
 );
 authenticated.get(
     "/site/:siteId/resources",
     verifyUserHasAction(ActionsEnum.listResources),
-    resource.listResources
+    resource.listResources,
 );
 authenticated.get(
     "/org/:orgId/resources",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listResources),
-    resource.listResources
+    resource.listResources,
 );
 
 authenticated.post(
     "/org/:orgId/create-invite",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.inviteUser),
-    user.inviteUser
+    user.inviteUser,
 ); // maybe make this /invite/create instead
 authenticated.post("/invite/accept", user.acceptInvite);
 
@@ -138,77 +138,77 @@ authenticated.get(
     "/resource/:resourceId/roles",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.listResourceRoles),
-    resource.listResourceRoles
+    resource.listResourceRoles,
 );
 
 authenticated.get(
     "/resource/:resourceId/users",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.listResourceUsers),
-    resource.listResourceUsers
+    resource.listResourceUsers,
 );
 
 authenticated.get(
     "/resource/:resourceId",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.getResource),
-    resource.getResource
+    resource.getResource,
 );
 authenticated.post(
     "/resource/:resourceId",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.updateResource),
-    resource.updateResource
+    resource.updateResource,
 );
 authenticated.delete(
     "/resource/:resourceId",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.deleteResource),
-    resource.deleteResource
+    resource.deleteResource,
 );
 
 authenticated.put(
     "/resource/:resourceId/target",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.createTarget),
-    target.createTarget
+    target.createTarget,
 );
 authenticated.get(
     "/resource/:resourceId/targets",
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.listTargets),
-    target.listTargets
+    target.listTargets,
 );
 authenticated.get(
     "/target/:targetId",
     verifyTargetAccess,
     verifyUserHasAction(ActionsEnum.getTarget),
-    target.getTarget
+    target.getTarget,
 );
 authenticated.post(
     "/target/:targetId",
     verifyTargetAccess,
     verifyUserHasAction(ActionsEnum.updateTarget),
-    target.updateTarget
+    target.updateTarget,
 );
 authenticated.delete(
     "/target/:targetId",
     verifyTargetAccess,
     verifyUserHasAction(ActionsEnum.deleteTarget),
-    target.deleteTarget
+    target.deleteTarget,
 );
 
 authenticated.put(
     "/org/:orgId/role",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.createRole),
-    role.createRole
+    role.createRole,
 );
 authenticated.get(
     "/org/:orgId/roles",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listRoles),
-    role.listRoles
+    role.listRoles,
 );
 // authenticated.get(
 //     "/role/:roleId",
@@ -227,14 +227,14 @@ authenticated.delete(
     "/role/:roleId",
     verifyRoleAccess,
     verifyUserHasAction(ActionsEnum.deleteRole),
-    role.deleteRole
+    role.deleteRole,
 );
 authenticated.post(
     "/role/:roleId/add/:userId",
     verifyRoleAccess,
     verifyUserAccess,
     verifyUserHasAction(ActionsEnum.addUserRole),
-    user.addUserRole
+    user.addUserRole,
 );
 
 // authenticated.put(
@@ -264,7 +264,7 @@ authenticated.post(
     verifyResourceAccess,
     verifyRoleAccess,
     verifyUserHasAction(ActionsEnum.setResourceRoles),
-    resource.setResourceRoles
+    resource.setResourceRoles,
 );
 
 authenticated.post(
@@ -272,19 +272,29 @@ authenticated.post(
     verifyResourceAccess,
     verifySetResourceUsers,
     verifyUserHasAction(ActionsEnum.setResourceUsers),
-    resource.setResourceUsers
+    resource.setResourceUsers,
 );
 
 authenticated.post(
     `/resource/:resourceId/password`,
     verifyResourceAccess,
     verifyUserHasAction(ActionsEnum.setResourceAuthMethods),
-    resource.setResourcePassword
+    resource.setResourcePassword,
 );
-
 unauthenticated.post(
     "/resource/:resourceId/auth/password",
-    resource.authWithPassword
+    resource.authWithPassword,
+);
+
+authenticated.post(
+    `/resource/:resourceId/pincode`,
+    verifyResourceAccess,
+    verifyUserHasAction(ActionsEnum.setResourceAuthMethods),
+    resource.setResourcePincode,
+);
+unauthenticated.post(
+    "/resource/:resourceId/auth/pincode",
+    resource.authWithPincode,
 );
 
 unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo);
@@ -325,14 +335,14 @@ authenticated.get(
     "/org/:orgId/users",
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listUsers),
-    user.listUsers
+    user.listUsers,
 );
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyOrgAccess,
     verifyUserAccess,
     verifyUserHasAction(ActionsEnum.removeUser),
-    user.removeUserOrg
+    user.removeUserOrg,
 );
 
 // authenticated.put(
@@ -374,7 +384,7 @@ authRouter.use(
         windowMin: 10,
         max: 15,
         type: "IP_AND_PATH",
-    })
+    }),
 );
 
 authRouter.put("/signup", auth.signup);
@@ -386,19 +396,19 @@ authRouter.post("/2fa/enable", verifySessionUserMiddleware, auth.verifyTotp);
 authRouter.post(
     "/2fa/request",
     verifySessionUserMiddleware,
-    auth.requestTotpSecret
+    auth.requestTotpSecret,
 );
 authRouter.post("/2fa/disable", verifySessionUserMiddleware, auth.disable2fa);
 authRouter.post("/verify-email", verifySessionMiddleware, auth.verifyEmail);
 authRouter.post(
     "/verify-email/request",
     verifySessionMiddleware,
-    auth.requestEmailVerificationCode
+    auth.requestEmailVerificationCode,
 );
 authRouter.post(
     "/change-password",
     verifySessionUserMiddleware,
-    auth.changePassword
+    auth.changePassword,
 );
 authRouter.post("/reset-password/request", auth.requestPasswordReset);
 authRouter.post("/reset-password/", auth.resetPassword);

server/routers/resource/authWithPincode.ts

@@ -0,0 +1,154 @@
+import { verify } from "@node-rs/argon2";
+import { generateSessionToken } from "@server/auth";
+import db from "@server/db";
+import { resourcePincode, resources } from "@server/db/schema";
+import HttpCode from "@server/types/HttpCode";
+import response from "@server/utils/response";
+import { eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import {
+    createResourceSession,
+    serializeResourceSessionCookie,
+} from "@server/auth/resource";
+import logger from "@server/logger";
+
+export const authWithPincodeBodySchema = z.object({
+    pincode: z.string(),
+    email: z.string().email().optional(),
+    code: z.string().optional(),
+});
+
+export const authWithPincodeParamsSchema = z.object({
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive()),
+});
+
+export type AuthWithPincodeResponse = {
+    codeRequested?: boolean;
+};
+
+export async function authWithPincode(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedBody = authWithPincodeBodySchema.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString(),
+            ),
+        );
+    }
+
+    const parsedParams = authWithPincodeParamsSchema.safeParse(req.params);
+
+    if (!parsedParams.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedParams.error).toString(),
+            ),
+        );
+    }
+
+    const { resourceId } = parsedParams.data;
+    const { email, pincode, code } = parsedBody.data;
+
+    try {
+        const [result] = await db
+            .select()
+            .from(resources)
+            .leftJoin(
+                resourcePincode,
+                eq(resourcePincode.resourceId, resources.resourceId),
+            )
+            .where(eq(resources.resourceId, resourceId))
+            .limit(1);
+
+        const resource = result?.resources;
+        const definedPincode = result?.resourcePincode;
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Resource does not exist",
+                ),
+            );
+        }
+
+        if (!definedPincode) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Resource has no pincode protection",
+                    ),
+                ),
+            );
+        }
+
+        const validPincode = await verify(definedPincode.pincodeHash, pincode, {
+            memoryCost: 19456,
+            timeCost: 2,
+            outputLen: 32,
+            parallelism: 1,
+        });
+        if (!validPincode) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Incorrect PIN code"),
+            );
+        }
+
+        if (resource.twoFactorEnabled) {
+            if (!code) {
+                return response<AuthWithPincodeResponse>(res, {
+                    data: { codeRequested: true },
+                    success: true,
+                    error: false,
+                    message: "Two-factor authentication required",
+                    status: HttpCode.ACCEPTED,
+                });
+            }
+
+            // TODO: Implement email OTP for resource 2fa
+        }
+
+        const token = generateSessionToken();
+        await createResourceSession({
+            resourceId,
+            token,
+            pincodeId: definedPincode.pincodeId,
+        });
+        const secureCookie = resource.ssl;
+        const cookie = serializeResourceSessionCookie(
+            token,
+            resource.fullDomain,
+            secureCookie,
+        );
+        res.appendHeader("Set-Cookie", cookie);
+
+        logger.debug(cookie); // remove after testing
+
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Authenticated with resource successfully",
+            status: HttpCode.OK,
+        });
+    } catch (e) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to authenticate with resource",
+            ),
+        );
+    }
+}

server/routers/resource/index.ts

@@ -10,3 +10,5 @@ export * from "./listResourceUsers";
 export * from "./setResourcePassword";
 export * from "./authWithPassword";
 export * from "./getResourceAuthInfo";
+export * from "./setResourcePincode";
+export * from "./authWithPincode";

server/routers/resource/setResourcePincode.ts

@@ -0,0 +1,91 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { resourcePincode } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import { hash } from "@node-rs/argon2";
+import { response } from "@server/utils";
+import stoi from "@server/utils/stoi";
+
+const setResourceAuthMethodsParamsSchema = z.object({
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive()),
+});
+
+const setResourceAuthMethodsBodySchema = z
+    .object({
+        pincode: z
+            .string()
+            .regex(/^\d{6}$/)
+            .or(z.null()),
+    })
+    .strict();
+
+export async function setResourcePincode(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    try {
+        const parsedParams = setResourceAuthMethodsParamsSchema.safeParse(
+            req.params,
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString(),
+                ),
+            );
+        }
+
+        const parsedBody = setResourceAuthMethodsBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString(),
+                ),
+            );
+        }
+
+        const { resourceId } = parsedParams.data;
+        const { pincode } = parsedBody.data;
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(resourcePincode)
+                .where(eq(resourcePincode.resourceId, resourceId));
+
+            if (pincode) {
+                const pincodeHash = await hash(pincode, {
+                    memoryCost: 19456,
+                    timeCost: 2,
+                    outputLen: 32,
+                    parallelism: 1,
+                });
+
+                await trx
+                    .insert(resourcePincode)
+                    .values({ resourceId, pincodeHash, digitLength: 6 });
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Resource PIN code set successfully",
+            status: HttpCode.CREATED,
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred",
+            ),
+        );
+    }
+}