feat: document 2fa

packages/lib/server-only/2fa/send-email-verification.ts

@@ -0,0 +1,120 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import { randomInt } from 'crypto';
+
+import { AuthenticationErrorCode } from '@documenso/auth/server/lib/errors/error-codes';
+import { mailer } from '@documenso/email/mailer';
+import { VerificationCodeTemplate } from '@documenso/email/templates/verification-code';
+import { AppError } from '@documenso/lib/errors/app-error';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
+import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+
+const ExtendedAuthErrorCode = {
+  ...AuthenticationErrorCode,
+  InternalError: 'INTERNAL_ERROR',
+  VerificationNotFound: 'VERIFICATION_NOT_FOUND',
+  VerificationExpired: 'VERIFICATION_EXPIRED',
+};
+
+const VERIFICATION_CODE_EXPIRY = 10 * 60 * 1000;
+
+export type SendEmailVerificationOptions = {
+  userId: number;
+  email: string;
+};
+
+export const sendEmailVerification = async ({ userId, email }: SendEmailVerificationOptions) => {
+  try {
+    const verificationCode = randomInt(100000, 1000000).toString();
+    const i18n = await getI18nInstance();
+
+    await prisma.userTwoFactorEmailVerification.upsert({
+      where: {
+        userId,
+      },
+      create: {
+        userId,
+        verificationCode,
+        expiresAt: new Date(Date.now() + VERIFICATION_CODE_EXPIRY),
+      },
+      update: {
+        verificationCode,
+        expiresAt: new Date(Date.now() + VERIFICATION_CODE_EXPIRY),
+      },
+    });
+
+    const template = createElement(VerificationCodeTemplate, {
+      verificationCode,
+      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+    });
+
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(template, { lang: 'en' }),
+      renderEmailWithI18N(template, { lang: 'en', plainText: true }),
+    ]);
+
+    await mailer.sendMail({
+      to: email,
+      from: {
+        name: FROM_NAME,
+        address: FROM_ADDRESS,
+      },
+      subject: i18n._(msg`Your verification code for document signing`),
+      html,
+      text,
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('Error sending email verification', error);
+    throw new AppError(ExtendedAuthErrorCode.InternalError);
+  }
+};
+
+export type VerifyEmailCodeOptions = {
+  userId: number;
+  code: string;
+};
+
+export const verifyEmailCode = async ({ userId, code }: VerifyEmailCodeOptions) => {
+  try {
+    const verification = await prisma.userTwoFactorEmailVerification.findUnique({
+      where: {
+        userId,
+      },
+    });
+
+    if (!verification) {
+      throw new AppError(ExtendedAuthErrorCode.VerificationNotFound);
+    }
+
+    if (verification.expiresAt < new Date()) {
+      throw new AppError(ExtendedAuthErrorCode.VerificationExpired);
+    }
+
+    if (verification.verificationCode !== code) {
+      throw new AppError(AuthenticationErrorCode.InvalidTwoFactorCode);
+    }
+
+    await prisma.userTwoFactorEmailVerification.delete({
+      where: {
+        userId,
+      },
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('Error verifying email code', error);
+
+    if (error instanceof AppError) {
+      throw error;
+    }
+
+    throw new AppError(ExtendedAuthErrorCode.InternalError);
+  }
+};

packages/lib/server-only/document/update-document.ts

@@ -1,5 +1,4 @@
-import { DocumentVisibility } from '@prisma/client';
-import { DocumentStatus, TeamMemberRole } from '@prisma/client';
+import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@prisma/client';
 import { match } from 'ts-pattern';
 
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
@@ -118,13 +117,6 @@ export const updateDocument = async ({
   const newGlobalActionAuth =
     data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
 
-  // Check if user has permission to set the global action auth.
-  if (newGlobalActionAuth.length > 0 && !document.team.organisation.organisationClaim.flags.cfr21) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'You do not have permission to set the action auth',
-    });
-  }
-
   const isTitleSame = data.title === undefined || data.title === document.title;
   const isExternalIdSame = data.externalId === undefined || data.externalId === document.externalId;
   const isGlobalAccessSame =

packages/lib/server-only/field/sign-field-with-token.ts

@@ -15,7 +15,7 @@ import { AUTO_SIGNABLE_FIELD_TYPES } from '../../constants/autosign';
 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
-import type { TRecipientActionAuth } from '../../types/document-auth';
+import type { TRecipientActionAuth, TRecipientActionAuthTypes } from '../../types/document-auth';
 import {
   ZCheckboxFieldMeta,
   ZDropdownFieldMeta,
@@ -25,7 +25,9 @@ import {
 } from '../../types/field-meta';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { extractDocumentAuthMethods } from '../../utils/document-auth';
 import { validateFieldAuth } from '../document/validate-field-auth';
+import { isUserEnterprise } from '../user/is-user-enterprise';
 
 export type SignFieldWithTokenOptions = {
   token: string;
@@ -171,13 +173,25 @@ export const signFieldWithToken = async ({
     }
   }
 
-  const derivedRecipientActionAuth = await validateFieldAuth({
-    documentAuthOptions: document.authOptions,
-    recipient,
-    field,
-    userId,
-    authOptions,
-  });
+  const isEnterprise = userId ? await isUserEnterprise({ userId }) : false;
+  let requiredAuthType: TRecipientActionAuthTypes | null = null;
+
+  if (isEnterprise) {
+    const authType = await validateFieldAuth({
+      documentAuthOptions: document.authOptions,
+      recipient,
+      field,
+      userId,
+      authOptions,
+    });
+    requiredAuthType = authType ?? null;
+  } else {
+    const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
+      documentAuth: document.authOptions,
+      recipientAuth: recipient.authOptions,
+    });
+    requiredAuthType = derivedRecipientActionAuth.length > 0 ? derivedRecipientActionAuth[0] : null;
+  }
 
   const documentMeta = await prisma.documentMeta.findFirst({
     where: {
@@ -311,9 +325,9 @@ export const signFieldWithToken = async ({
               }),
             )
             .exhaustive(),
-          fieldSecurity: derivedRecipientActionAuth
+          fieldSecurity: requiredAuthType
             ? {
-                type: derivedRecipientActionAuth,
+                type: requiredAuthType,
               }
             : undefined,
         },

packages/lib/server-only/organisation/get-organisation-claims.ts

@@ -37,3 +37,23 @@ export const getOrganisationClaimByTeamId = async ({ teamId }: { teamId: number
 
   return organisationClaim;
 };
+
+export const getOrganisationClaimByUserId = async ({ userId }: { userId: number }) => {
+  const organisationClaim = await prisma.organisationClaim.findFirst({
+    where: {
+      organisation: {
+        members: {
+          some: {
+            userId: userId,
+          },
+        },
+      },
+    },
+  });
+
+  if (!organisationClaim) {
+    throw new AppError(AppErrorCode.NOT_FOUND);
+  }
+
+  return organisationClaim;
+};

packages/lib/server-only/template/update-template.ts

@@ -4,8 +4,10 @@ import { prisma } from '@documenso/prisma';
 
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
+import { DocumentAuth } from '../../types/document-auth';
 import { createDocumentAuthOptions, extractDocumentAuthMethods } from '../../utils/document-auth';
 import { buildTeamWhereQuery } from '../../utils/teams';
+import { isUserEnterprise } from '../user/is-user-enterprise';
 
 export type UpdateTemplateOptions = {
   userId: number;
@@ -75,10 +77,21 @@ export const updateTemplate = async ({
     data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
 
   // Check if user has permission to set the global action auth.
-  if (newGlobalActionAuth.length > 0 && !template.team.organisation.organisationClaim.flags.cfr21) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'You do not have permission to set the action auth',
+  // Only ACCOUNT and PASSKEY require enterprise permissions
+  if (
+    newGlobalActionAuth &&
+    (newGlobalActionAuth.includes(DocumentAuth.ACCOUNT) ||
+      newGlobalActionAuth.includes(DocumentAuth.PASSKEY))
+  ) {
+    const isDocumentEnterprise = await isUserEnterprise({
+      userId,
     });
+
+    if (!isDocumentEnterprise) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You do not have permission to set this action auth type',
+      });
+    }
   }
 
   const authOptions = createDocumentAuthOptions({

packages/lib/server-only/user/is-user-enterprise.ts

@@ -0,0 +1,14 @@
+import { getOrganisationClaimByUserId } from '../organisation/get-organisation-claims';
+
+/**
+ * Check if a user has enterprise features enabled (cfr21 flag).
+ */
+export const isUserEnterprise = async ({ userId }: { userId: number }): Promise<boolean> => {
+  try {
+    const organisationClaim = await getOrganisationClaimByUserId({ userId });
+    return Boolean(organisationClaim.flags.cfr21);
+  } catch {
+    // If we can't find the organisation claim, assume non-enterprise
+    return false;
+  }
+};