Machine-to-machine authentication

[mrcleanandfresh]

I want to be able to do machine-to-machine authentication with user accounts. I believe OAuth 2.0 defines this as "Authorization Code Flow." But I'm not using OAuth, it's an example of what I'm looking for: machine-to-machine authentication using a token. So I created a new class that implements AuthenticationService called AccountsToken.

I just have one method authenticate in it, and that method is almost an exact copy of the authenticate from @accounts/password's AccountPassword#authenticate method. I finished the implementation, and was able to copy most of the unit tests from AccountsPassword and modifying them slightly. So it took me about a day to do the unit testing, and implementation and now I've got a whole new service in my accounts app! I'd share it, but a better example would be looking at the authenticate and passwordAuthenticator methods from AccountsPassword that's what I used, including the way errors were handled.

Then, since I'm using the GraphQL package, I made a request to it like so:

mutation machineToMachineAuth($secret: String!, $username: String!, $token: String!) {
  authenticate(
    serviceName: "token"
    params: { secret: $secret, user: { username: $username }, token: $token }
  ) {
    tokens {
      accessToken
      refreshToken
    }
    user {
      id
    }
  }
}

One thing of note:

Even though the source code for AccountsPassword#authenticate indicates user can be either a string or an LoginUserIdentity:

export interface LoginUserPasswordService {
    user: string | LoginUserIdentity;
    password: string;
    code?: string;
}
//... elsewhere
export interface LoginUserIdentity {
  id?: string;
  username?: string;
  email?: string;
}

This is not true, since the GraphQL API expects that it be UserInput which most closely mirrors the LoginUserIdentity type, although not exactly:

input CreateUserInput {
  username: String
  email: String
  password: String
}

Thought I'd share that here, since I found that out while implementing my token service. Something to keep in mind if you're wondering why you're seeing user as a string or object in the source, then are unable to do the same in GraphQL.

I really, really enjoyed the flexibility of being able to create a new service and bolt it on to AccountsJS! It worked really well, and felt nice from an implementation standpoint. You just implement the AuthenticationService and it gives you only about 4 things to worry about: two instance vars and two methods. Pretty simple, extensible and powerful! Then, because I'm using Fastify, I created a plugin:

import { FastifyPluginCallback } from 'fastify';
import fp from 'fastify-plugin';
import { verifyPassword } from 'src/util/hash';
import { AccountsTokenAuthenticationService } from './AccountsTokenAuthenticationService';

declare module 'fastify' {
  interface FastifyInstance {
    accountsToken: AccountsTokenAuthenticationService;
  }
  interface FastifyRequest {
    accountsToken: AccountsTokenAuthenticationService;
  }
}

const customAccountsTokenServicePlugin: FastifyPluginCallback = (
  fastify,
  _,
  done
) => {
  const accountsToken = new AccountsTokenAuthenticationService({
    verifyPassword,
  });
  fastify.decorate('accountsToken', accountsToken);
  fastify.decorateRequest('accountsToken', accountsToken);
  done();
};

export default fp(customAccountsTokenServicePlugin, '3.x');

I noticed that the type augmentation will work anywhere (in Fastify), but I liked it co-located and isolated with my plugin. Unfortunately, I couldn't isolate the verifyPassword function, but I don't plan on creating a package, so it's fine. Plus, my accounts-password plugin shares that verifyPassword function.

Final step is to wire it all together in AccountsServer:

const accountsServerPlugin: FastifyPluginCallback<AccountsServerPluginOptions> =
  (fastify, opts, done) => {
    // Create accounts server that holds a lower level of all accounts operations
    const accountsServer = new AccountsServer(
      {
        //...
      },
      {
        password: fastify.accountsPassword,
        token: fastify.accountsToken,
      }
    );

    //...

    fastify.decorate('accounts', accountsServer);
    done();
  };

export default fp(accountsServerPlugin, '3.x');

Versions

"@accounts/database-manager": "^0.33.1",
"@accounts/graphql-api": "^0.33.1",
"@accounts/magic-link": "^0.1.1",
"@accounts/mongo": "^0.33.5",
"@accounts/password": "^0.32.1",
"@accounts/rest-express": "^0.33.1",
"@accounts/server": "^0.33.1",