Skip to content

Commit

Permalink
Register unregistered users & update obtain new token
Browse files Browse the repository at this point in the history 
Signed-off-by: Fon E. Noel NFEBE <[email protected]>
  • Loading branch information
@nfebe
nfebe committed Sep 27, 2023
1 parent b9ab43c commit 1c6f999
Show file tree
Hide file tree
Showing 9 changed files with 609 additions and 421 deletions.
4 changes: 3 additions & 1 deletion .env.example
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,6 @@ PERMANENT_API_BASE_PATH=${LOCAL_TEMPORARY_AUTH_TOKEN}
# See https://fusionauth.io/docs/v1/tech/apis/api-keys
FUSION_AUTH_HOST=${FUSION_AUTH_HOST}
FUSION_AUTH_KEY=${FUSION_AUTH_KEY}
FUSION_AUTH_APP_ID=${FUSION_AUTH_APP_ID}
FUSION_AUTH_SFTP_APP_ID=${FUSION_AUTH_SFTP_APP_ID}
FUSION_AUTH_SFTP_CLIENT_ID=${FUSION_AUTH_SFTP_CLIENT_ID}
FUSION_AUTH_SFTP_CLIENT_SECRET=${FUSION_AUTH_SFTP_CLIENT_SECRET}
11 changes: 11 additions & 0 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
"dotenv": "^16.3.1",
"logform": "^2.3.2",
"node-fetch": "^2.7.0",
"require-env-variable": "^4.0.1",
"ssh2": "^1.14.0",
"tmp": "^0.2.1",
"uuid": "^9.0.0",
Expand Down
185 changes: 143 additions & 42 deletions src/classes/AuthenticationSession.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import {
getFusionAuthClient,
isPartialClientResponse,
} from '../fusionAuth';
import { AuthTokenRefreshError } from '../errors/AuthTokenRefreshError';
import type { KeyboardAuthContext } from 'ssh2';
import type { TwoFactorMethod } from '@fusionauth/typescript-client';

Expand All @@ -13,55 +14,104 @@ enum FusionAuthStatusCode {
}

export class AuthenticationSession {
public authToken = '';
private authToken = '';

public refreshToken = '';

public readonly authContext;

private authTokenExpiresAt = 0;
private authTokenExpiresAt = new Date();

private readonly fusionAuthClient;

private readonly fusionAuthAppId = process.env.FUSION_AUTH_APP_ID ?? '';

private twoFactorId = '';

private twoFactorMethods: TwoFactorMethod[] = [];

public constructor(authContext: KeyboardAuthContext) {
private fusionAuthAppId = '';

private fusionAuthClientId = '';

private fusionAuthClientSecret = '';

public constructor(
authContext: KeyboardAuthContext,
fusionAuthAppId: string,
fusionAuthClientId: string,
fusionAuthClientSecret: string,
) {
this.authContext = authContext;
this.fusionAuthAppId = fusionAuthAppId;
this.fusionAuthClientId = fusionAuthClientId;
this.fusionAuthClientSecret = fusionAuthClientSecret;
this.fusionAuthClient = getFusionAuthClient();
}

public invokeAuthenticationFlow(): void {
this.promptForPassword();
}

public obtainNewAuthTokenUsingRefreshToken(): void {
this.fusionAuthClient.exchangeRefreshTokenForAccessToken(this.refreshToken, '', '', '', '')
.then((clientResponse) => {
this.authToken = clientResponse.response.access_token ?? '';
})
.catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
logger.warn(`Error obtaining refresh token : ${message}`);
this.authContext.reject();
});
public async getAuthToken() {
if (this.tokenWouldExpireSoon()) {
await this.getAuthTokenUsingRefreshToken();
}
return this.authToken;
}

public tokenExpired(): boolean {
const expirationDate = new Date(this.authTokenExpiresAt);
return expirationDate <= new Date();
private async getAuthTokenUsingRefreshToken(): Promise<void> {
try {
/**
* Fusion auth sdk wrongly mandates last two params (scope, user_code)
* hence the need to pass two empty strings here.
* See: https://github.com/FusionAuth/fusionauth-typescript-client/issues/42
*/
const clientResponse = await this.fusionAuthClient.exchangeRefreshTokenForAccessToken(
this.refreshToken,
this.fusionAuthClientId,
this.fusionAuthClientSecret,
'',
'',
);

if (clientResponse.response.access_token) {
this.authToken = clientResponse.response.access_token;
/**
* The exchange refresh token for access token endpoint does not return a timestamp,
* it returns expires_in in seconds.
* So we need to create the timestamp to be consistent with what is first
* returned upon initial authentication
*/
if (clientResponse.response.expires_in) {
this.authTokenExpiresAt = new Date(
Date.now() + (clientResponse.response.expires_in * 1000),
);
logger.info('New access token obtained :', clientResponse.response);
} else {
logger.error('Response lacking token TTL (expires_in)');
throw new AuthTokenRefreshError('Response lacking token TTL (expires_in)');
}
} else {
logger.error('No refresh token in response :', clientResponse.response);
throw new AuthTokenRefreshError('No refresh token in response');
}
} catch (error: unknown) {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
logger.error(`Error obtaining refresh token: ${message}`);
throw new AuthTokenRefreshError(`Error obtaining refresh token: ${message}`);
}
}

public tokenWouldExpireSoon(minutes = 5): boolean {
const expirationDate = new Date(this.authTokenExpiresAt);
private tokenWouldExpireSoon(expirationThresholdInSeconds = 300): boolean {
const currentTime = new Date();
const timeDifferenceMinutes = (expirationDate.getTime() - currentTime.getTime()) / (1000 * 60);
return timeDifferenceMinutes <= minutes;
const timeDifferenceSeconds = (
(this.authTokenExpiresAt.getTime() - currentTime.getTime()) / 1000
);
return timeDifferenceSeconds <= expirationThresholdInSeconds;
}

private promptForPassword(): void {
Expand All @@ -83,48 +133,96 @@ export class AuthenticationSession {
password,
}).then((clientResponse) => {
switch (clientResponse.statusCode) {
case FusionAuthStatusCode.Success:
case FusionAuthStatusCode.SuccessButUnregisteredInApp:
case FusionAuthStatusCode.Success: {
if (clientResponse.response.token !== undefined) {
logger.verbose('Successful password authentication attempt.', {
username: this.authContext.username,
});
this.authToken = clientResponse.response.token;
this.authTokenExpiresAt = clientResponse.response.tokenExpirationInstant ?? 0;
this.refreshToken = clientResponse.response.refreshToken ?? '';
if (clientResponse.response.refreshToken) {
this.refreshToken = clientResponse.response.refreshToken;
this.authTokenExpiresAt = new Date(
clientResponse.response.tokenExpirationInstant ?? 0,
);
} else {
logger.warn('No refresh token in response :', clientResponse.response);
this.authContext.reject();
}
this.authContext.accept();
return;
} else {
logger.warn('No auth token in response', clientResponse.response);
this.authContext.reject();
}
this.authContext.reject();
return;
case FusionAuthStatusCode.SuccessNeedsTwoFactorAuth:
}
case FusionAuthStatusCode.SuccessButUnregisteredInApp: {
const userId: string = clientResponse.response.user?.id ?? '';
this.registerUserInApp(userId)
.then(() => { this.processPasswordResponse([password]); })
.catch((error) => {
logger.warn('Error during registration and authentication:', error);
this.authContext.reject();
});
return;
}
case FusionAuthStatusCode.SuccessNeedsTwoFactorAuth: {
if (clientResponse.response.twoFactorId !== undefined) {
logger.verbose('Successful password authentication attempt; MFA required.', {
username: this.authContext.username,
});
this.twoFactorId = clientResponse.response.twoFactorId;
this.twoFactorMethods = clientResponse.response.methods ?? [];
this.promptForTwoFactorMethod();
return;
} else {
this.authContext.reject();
}
this.authContext.reject();
return;
default:
}
default: {
logger.verbose('Failed password authentication attempt.', {
username: this.authContext.username,
response: clientResponse.response,
});
this.authContext.reject();
}
}
}).catch((error) => {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
}).catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
logger.warn(`Unexpected exception with FusionAuth password login: ${message}`);
this.authContext.reject();
});
}

private async registerUserInApp(userId: string): Promise<void> {
try {
const clientResponse = await this.fusionAuthClient.register(userId, {
registration: {
applicationId: this.fusionAuthAppId,
},
});

switch (clientResponse.statusCode) {
case FusionAuthStatusCode.Success:
logger.verbose('User registered successfully after authentication.', {
userId,
});
break;
default:
logger.verbose('User registration after authentication failed.', {
userId,
response: clientResponse.response,
});
}
} catch (error) {
logger.warn('Error during user registration after authentication:', error);
}
}

private promptForTwoFactorMethod(): void {
const promptOptions = this.twoFactorMethods.map(
(method, index) => `[${index + 1}] ${method.method ?? ''}`,
Expand Down Expand Up @@ -205,10 +303,13 @@ export class AuthenticationSession {
});
this.authContext.reject();
}
}).catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
}).catch((error) => {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
logger.warn(`Unexpected exception with FusionAuth 2FA login: ${message}`);
this.authContext.reject();
});
Expand Down
Loading

0 comments on commit 1c6f999

Please sign in to comment.