wip

packages/auth/server/lib/errors/error-codes.ts

@@ -0,0 +1,29 @@
+export const AuthenticationErrorCode = {
+  AccountDisabled: 'ACCOUNT_DISABLED',
+  Unauthorized: 'UNAUTHORIZED',
+  InvalidCredentials: 'INVALID_CREDENTIALS',
+  SessionNotFound: 'SESSION_NOT_FOUND',
+  SessionExpired: 'SESSION_EXPIRED',
+  InvalidToken: 'INVALID_TOKEN',
+  MissingToken: 'MISSING_TOKEN',
+  InvalidRequest: 'INVALID_REQUEST',
+  UnverifiedEmail: 'UNVERIFIED_EMAIL',
+  NotFound: 'NOT_FOUND',
+  NotSetup: 'NOT_SETUP',
+
+  // InternalSeverError: 'INTERNAL_SEVER_ERROR',
+  // TwoFactorAlreadyEnabled: 'TWO_FACTOR_ALREADY_ENABLED',
+  // TwoFactorSetupRequired: 'TWO_FACTOR_SETUP_REQUIRED',
+  // TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
+  // TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
+  InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
+  // IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',
+  // IncorrectIdentityProvider: 'INCORRECT_IDENTITY_PROVIDER',
+  // IncorrectPassword: 'INCORRECT_PASSWORD',
+  // MissingEncryptionKey: 'MISSING_ENCRYPTION_KEY',
+  // MissingBackupCode: 'MISSING_BACKUP_CODE',
+} as const;
+
+export type AuthenticationErrorCode =
+  // eslint-disable-next-line @typescript-eslint/ban-types
+  (typeof AuthenticationErrorCode)[keyof typeof AuthenticationErrorCode] | (string & {});

packages/auth/server/lib/session/session-cookies.ts

@@ -0,0 +1,34 @@
+import type { Context } from 'hono';
+import { getSignedCookie, setSignedCookie } from 'hono/cookie';
+
+import { authDebugger } from '../utils/debugger';
+
+/**
+ * Get the session cookie attached to the request headers.
+ *
+ * @param c - The Hono context.
+ */
+export const getSessionCookie = async (c: Context) => {
+  const sessionId = await getSignedCookie(c, 'secret', 'sessionId');
+
+  return sessionId;
+};
+
+/**
+ * Set the session cookie into the Hono context.
+ *
+ * @param c - The Hono context.
+ * @param sessionToken - The session token to set.
+ */
+export const setSessionCookie = async (c: Context, sessionToken: string) => {
+  await setSignedCookie(c, 'sessionId', sessionToken, 'secret', {
+    path: '/',
+    // sameSite: '', // whats the default? we need to change this for embed right?
+    // secure: true,
+    domain: 'localhost', // todo
+  }).catch((err) => {
+    authDebugger(`Error setting signed cookie: ${err}`);
+
+    throw err;
+  });
+};

packages/auth/server/lib/session/session.ts

@@ -0,0 +1,107 @@
+import { sha256 } from '@oslojs/crypto/sha2';
+import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
+import type { Session, User } from '@prisma/client';
+
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { prisma } from '@documenso/prisma';
+
+export type SessionValidationResult =
+  | {
+      session: Session;
+      user: Pick<
+        User,
+        'id' | 'name' | 'email' | 'emailVerified' | 'avatarImageId' | 'twoFactorEnabled' | 'roles' // Todo
+      >;
+      isAuthenticated: true;
+    }
+  | { session: null; user: null; isAuthenticated: false };
+
+export const generateSessionToken = (): string => {
+  const bytes = new Uint8Array(20);
+
+  crypto.getRandomValues(bytes);
+
+  const token = encodeBase32LowerCaseNoPadding(bytes);
+
+  return token;
+};
+
+export const createSession = async (
+  token: string,
+  userId: number,
+  metadata: RequestMetadata,
+): Promise<Session> => {
+  const hashedSessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+
+  const session: Session = {
+    id: hashedSessionId,
+    sessionToken: hashedSessionId, // todo
+    userId,
+    updatedAt: new Date(),
+    createdAt: new Date(),
+    expiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30),
+    ipAddress: metadata.ipAddress ?? null,
+    userAgent: metadata.userAgent ?? null,
+  };
+
+  await prisma.session.create({
+    data: session,
+  });
+
+  return session;
+};
+
+export const validateSessionToken = async (token: string): Promise<SessionValidationResult> => {
+  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+
+  const result = await prisma.session.findUnique({
+    where: {
+      id: sessionId,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  // user: {
+  //   select: {
+  //     id: true,
+  //     name: true,
+  //     email: true,
+  //     emailVerified: true,
+  //     avatarImageId: true,
+  //     twoFactorEnabled: true,
+  //   },
+  // },
+
+  // todo; how can result.user be null?
+  if (result === null || !result.user) {
+    return { session: null, user: null, isAuthenticated: false };
+  }
+
+  const { user, ...session } = result;
+
+  if (Date.now() >= session.expiresAt.getTime()) {
+    await prisma.session.delete({ where: { id: sessionId } });
+    return { session: null, user: null, isAuthenticated: false };
+  }
+
+  if (Date.now() >= session.expiresAt.getTime() - 1000 * 60 * 60 * 24 * 15) {
+    session.expiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 30);
+
+    await prisma.session.update({
+      where: {
+        id: session.id,
+      },
+      data: {
+        expiresAt: session.expiresAt,
+      },
+    });
+  }
+
+  return { session, user, isAuthenticated: true };
+};
+
+export const invalidateSession = async (sessionId: string): Promise<void> => {
+  await prisma.session.delete({ where: { id: sessionId } });
+};

packages/auth/server/lib/utils/authorizer.ts

@@ -0,0 +1,22 @@
+import type { Context } from 'hono';
+
+import type { HonoAuthContext } from '../../types/context';
+import { createSession, generateSessionToken } from '../session/session';
+import { setSessionCookie } from '../session/session-cookies';
+
+type AuthorizeUser = {
+  userId: number;
+};
+
+/**
+ * Handles creating a session.
+ */
+export const onAuthorize = async (user: AuthorizeUser, c: Context<HonoAuthContext>) => {
+  const metadata = c.get('requestMetadata');
+
+  const sessionToken = generateSessionToken();
+
+  await createSession(sessionToken, user.userId, metadata);
+
+  await setSessionCookie(c, sessionToken);
+};

packages/auth/server/lib/utils/debugger.ts

@@ -0,0 +1,5 @@
+export const authDebugger = (message: string) => {
+  if (process.env.NODE_ENV === 'development') {
+    console.log(`[DEBUG]: ${message}`);
+  }
+};

packages/auth/server/lib/utils/get-session.ts

@@ -0,0 +1,57 @@
+import type { Context } from 'hono';
+
+import { AppError } from '@documenso/lib/errors/app-error';
+
+import { AuthenticationErrorCode } from '../errors/error-codes';
+import type { SessionValidationResult } from '../session/session';
+import { validateSessionToken } from '../session/session';
+import { getSessionCookie } from '../session/session-cookies';
+import { authDebugger } from './debugger';
+
+export const getSession = async (c: Context | Request): Promise<SessionValidationResult> => {
+  // Todo: Make better
+  const sessionId = await getSessionCookie(mapRequestToContextForCookie(c));
+
+  authDebugger(`Session ID: ${sessionId}`);
+
+  if (!sessionId) {
+    return {
+      isAuthenticated: false,
+      session: null,
+      user: null,
+    };
+  }
+
+  return await validateSessionToken(sessionId);
+};
+
+export const getRequiredSession = async (c: Context | Request) => {
+  const { session, user } = await getSession(mapRequestToContextForCookie(c));
+
+  if (session && user) {
+    return { session, user };
+  }
+
+  // Todo: Test if throwing errors work
+  if (c instanceof Request) {
+    throw new Error('Unauthorized');
+  }
+
+  throw new AppError(AuthenticationErrorCode.Unauthorized);
+};
+
+const mapRequestToContextForCookie = (c: Context | Request) => {
+  if (c instanceof Request) {
+    // c.req.raw.headers.
+    const partialContext = {
+      req: {
+        raw: c,
+      },
+    };
+
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    return partialContext as unknown as Context;
+  }
+
+  return c;
+};