Skip to content

Commit

Permalink
docs: add mfa example with recovery codes
Browse files Browse the repository at this point in the history
  • Loading branch information
porcellus committed Dec 15, 2023
1 parent f75c9b3 commit fe49eb2
Show file tree
Hide file tree
Showing 75 changed files with 3,404 additions and 0 deletions.
65 changes: 65 additions & 0 deletions examples/with-multifactorauth-recovery-codes/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
![SuperTokens banner](https://raw.githubusercontent.com/supertokens/supertokens-logo/master/images/Artboard%20%E2%80%93%2027%402x.png)

# SuperTokens Google one tap Demo app

This demo app demonstrates the following use cases:

- Thirdparty Login / Sign-up
- Email Password Login / Sign-up
- Logout
- Session management & Calling APIs
- Account linking

## Project setup

Clone the repo, enter the directory, and use `npm` to install the project dependencies:

```bash
git clone https://github.com/supertokens/supertokens-auth-react
cd supertokens-auth-react/examples/with-account-linking
npm install
cd frontend && npm install && cd ../
cd backend && npm install && cd ../
```

## Run the demo app

This compiles and serves the React app and starts the backend API server on port 3001.

```bash
npm run start
```

The app will start on `http://localhost:3000`

## How it works

We are adding a new (`/link`) page where the user can add new login methods to their current user, plus enabling automatic account linking.

### On the frontend

The demo uses the pre-built UI, but you can always build your own UI instead.

- We do not need any extra configuration to enable account linking
- To enable manual linking through a custom callback page, we add `getRedirectURL` to the configuration of the social login providers.
- We add a custom page (`/link`) that will:
- Get and show the login methods belonging to the current user
- Show a password form (if available) that calls `/addPassword` to add an email+password login method to the current user.
- Show a phone number form (if available) that calls `/addPhoneNumber` to associate a phone number with the current user.
- Show an "Add Google account" that start a login process through Google
- We add a custom page (`/link/tpcallback/:thirdPartyId`) that will:
- Call `/addThirdPartyUser` through a customized `ThirdPartyEmailPassword.thirdPartySignInAndUp` call

### On the backend

- We enable account linking by initializing the recipe and providing a `shouldDoAutomaticAccountLinking` implementation
- We add `/addPassword`, `/addPhoneNumber` and `/addThirdPartyUser` to enable manual linking from the frontend
- We add `/userInfo` so the frontend can list/show the login methods belonging to the current user.

## Author

Created with :heart: by the folks at supertokens.com.

## License

This project is licensed under the Apache 2.0 license.
115 changes: 115 additions & 0 deletions examples/with-multifactorauth-recovery-codes/backend/config.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
import ThirdPartyEmailPassword from "supertokens-node/recipe/thirdpartyemailpassword";
import Session from "supertokens-node/recipe/session";
import Passwordless from "supertokens-node/recipe/passwordless";
import UserMetadata from "supertokens-node/recipe/usermetadata";
import EmailVerification from "supertokens-node/recipe/emailverification";
import { TypeInput } from "supertokens-node/types";
import MultiFactorAuth from "supertokens-node/recipe/multifactorauth";
import TOTP from "supertokens-node/recipe/totp";
import Dashboard from "supertokens-node/recipe/dashboard";

export function getApiDomain() {
const apiPort = process.env.REACT_APP_API_PORT || 3001;
const apiUrl = process.env.REACT_APP_API_URL || `http://localhost:${apiPort}`;
return apiUrl;
}

export function getWebsiteDomain() {
const websitePort = process.env.REACT_APP_WEBSITE_PORT || 3000;
const websiteUrl = process.env.REACT_APP_WEBSITE_URL || `http://localhost:${websitePort}`;
return websiteUrl;
}

export const SuperTokensConfig: TypeInput = {
supertokens: {
// this is the location of the SuperTokens core.
// connectionURI: "https://try.supertokens.com",
connectionURI: "http://localhost:3567",
},
appInfo: {
appName: "SuperTokens Demo App",
apiDomain: getApiDomain(),
websiteDomain: getWebsiteDomain(),
},
// recipeList contains all the modules that you want to
// use from SuperTokens. See the full list here: https://supertokens.com/docs/guides
recipeList: [
UserMetadata.init(),
EmailVerification.init({
mode: "REQUIRED",
}),
TOTP.init({
override: {
apis: (oI) => ({
...oI,
verifyDevicePOST: async (input) => {
const resp = await oI.verifyDevicePOST(input);
if (resp.status === "OK") {
const payload = input.session.getAccessTokenPayload();
const recoveryCodeHash = payload.recoveryCodeHash;
if (recoveryCodeHash) {
// await input.session.mergeIntoAccessTokenPayload({ recoveryCodeHash: null });
await UserMetadata.updateUserMetadata(input.session.getUserId(), {
recoveryCodeHash: null,
});
}
}
return resp;
},
}),
},
}),
MultiFactorAuth.init({
firstFactors: ["thirdparty", "emailpassword"], // This is basically disallows using passwordless to sign in
override: {
functions: (oI) => ({
...oI,
getMFARequirementsForAuth: async () => ["totp"],
isAllowedToSetupFactor: async (input) => {
const resp = await oI.isAllowedToSetupFactor(input);

if (resp) {
return resp;
}

const payload = input.session.getAccessTokenPayload();
const recoveryCodeHash = payload.recoveryCodeHash;
const userId = input.session.getUserId();
const { metadata } = await UserMetadata.getUserMetadata(userId);
return metadata.recoveryCodeHash === recoveryCodeHash;
},
}),
},
}),
ThirdPartyEmailPassword.init({
providers: [
// We have provided you with development keys which you can use for testing.
// IMPORTANT: Please replace them with your own OAuth keys for production use.
{
config: {
thirdPartyId: "google",
clients: [
{
clientId: "1060725074195-kmeum4crr01uirfl2op9kd5acmi9jutn.apps.googleusercontent.com",
clientSecret: "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",
},
],
},
},
{
config: {
thirdPartyId: "github",
clients: [
{
clientId: "467101b197249757c71f",
clientSecret: "e97051221f4b6426e8fe8d51486396703012f5bd",
},
],
},
},
],
}),
Session.init(),
Dashboard.init(),
],
};
94 changes: 94 additions & 0 deletions examples/with-multifactorauth-recovery-codes/backend/index.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
import express from "express";
import cors from "cors";
import crypto from "crypto";
import supertokens, { getUser } from "supertokens-node";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { middleware, errorHandler, SessionRequest } from "supertokens-node/framework/express";
import { getWebsiteDomain, SuperTokensConfig } from "./config";
import Session from "supertokens-node/recipe/session";
import { getUserMetadata, updateUserMetadata } from "supertokens-node/recipe/usermetadata";

supertokens.init(SuperTokensConfig);

const app = express();

app.use(
cors({
origin: getWebsiteDomain(),
allowedHeaders: ["content-type", ...supertokens.getAllCORSHeaders()],
methods: ["GET", "PUT", "POST", "DELETE"],
credentials: true,
})
);

// This exposes all the APIs from SuperTokens to the client.
app.use(middleware());
app.use(express.json());

// An example API that requires session verification
app.get("/sessioninfo", verifySession(), async (req: SessionRequest, res) => {
let session = req.session;
res.send({
sessionHandle: session!.getHandle(),
userId: session!.getUserId(),
accessTokenPayload: session!.getAccessTokenPayload(),
});
});

app.get("/userInfo", verifySession(), async (req: SessionRequest, res) => {
const session = req.session!;
const user = await getUser(session.getRecipeUserId().getAsString());
if (!user) {
throw new Session.Error({ type: Session.Error.UNAUTHORISED, message: "user removed" });
}
const metadata = await getUserMetadata(user.id);

res.json({
user: user.toJson(),
metadata: metadata.metadata,
});
});

app.post("/createRecoveryCode", verifySession(), async (req: SessionRequest, res) => {
const session = req.session!;

const recoveryCode = crypto.randomUUID();

const updateRes = await updateUserMetadata(session.getUserId(), {
recoveryCodeHash: hash(recoveryCode),
});

return res.json({ status: updateRes.status, recoveryCode });
});

app.post(
"/useRecoveryCode",
verifySession({ overrideGlobalClaimValidators: () => [] }),
async (req: SessionRequest, res) => {
const session = req.session!;
const userId = session.getUserId();

const recoveryCode = req.body.recoveryCode;
const recoveryCodeHash = hash(recoveryCode);

const metadata = await getUserMetadata(userId);

if (metadata.metadata.recoveryCodeHash === recoveryCodeHash) {
await session.mergeIntoAccessTokenPayload({ recoveryCodeHash });

return res.json({ status: "OK" });
}

return res.json({ status: "ERROR" });
}
);

// In case of session related errors, this error handler
// returns 401 to the client.
app.use(errorHandler());

app.listen(3001, () => console.log(`API Server listening on port 3001`));

function hash(recoveryCode: string) {
return crypto.createHash("sha256").update(recoveryCode).digest("base64");
}
30 changes: 30 additions & 0 deletions examples/with-multifactorauth-recovery-codes/backend/package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{
"name": "supertokens-node",
"version": "0.0.1",
"private": true,
"description": "",
"main": "index.js",
"scripts": {
"start": "npx ts-node-dev --project ./tsconfig.json ./index.ts"
},
"dependencies": {
"cors": "^2.8.5",
"express": "^4.18.1",
"helmet": "^5.1.0",
"morgan": "^1.10.0",
"npm-run-all": "^4.1.5",
"supertokens-node": "github:supertokens/supertokens-node#mfa-impl",
"ts-node-dev": "^2.0.0",
"typescript": "^4.7.2"
},
"devDependencies": {
"@types/cors": "^2.8.12",
"@types/express": "^4.17.17",
"@types/morgan": "^1.9.3",
"@types/node": "^16.11.38",
"nodemon": "^2.0.16"
},
"keywords": [],
"author": "",
"license": "ISC"
}
62 changes: 62 additions & 0 deletions examples/with-multifactorauth-recovery-codes/backend/tsconfig.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
{
"compilerOptions": {
/* Visit https://aka.ms/tsconfig.json to read more about this file */
/* Basic Options */
// "incremental": true, /* Enable incremental compilation */
"target": "es5" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019', 'ES2020', or 'ESNEXT'. */,
"module": "commonjs" /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', 'es2020', or 'ESNext'. */,
// "lib": [], /* Specify library files to be included in the compilation. */
// "allowJs": true, /* Allow javascript files to be compiled. */
// "checkJs": true, /* Report errors in .js files. */
// "jsx": "preserve", /* Specify JSX code generation: 'preserve', 'react-native', or 'react'. */
// "declaration": true, /* Generates corresponding '.d.ts' file. */
// "declarationMap": true, /* Generates a sourcemap for each corresponding '.d.ts' file. */
// "sourceMap": true, /* Generates corresponding '.map' file. */
// "outFile": "./", /* Concatenate and emit output to single file. */
// "outDir": "./", /* Redirect output structure to the directory. */
// "rootDir": "./", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
// "composite": true, /* Enable project compilation */
// "tsBuildInfoFile": "./", /* Specify file to store incremental compilation information */
// "removeComments": true, /* Do not emit comments to output. */
// "noEmit": true, /* Do not emit outputs. */
// "importHelpers": true, /* Import emit helpers from 'tslib'. */
// "downlevelIteration": true, /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */
// "isolatedModules": true, /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */
/* Strict Type-Checking Options */
"strict": true /* Enable all strict type-checking options. */,
// "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */
// "strictNullChecks": true, /* Enable strict null checks. */
// "strictFunctionTypes": true, /* Enable strict checking of function types. */
// "strictBindCallApply": true, /* Enable strict 'bind', 'call', and 'apply' methods on functions. */
// "strictPropertyInitialization": true, /* Enable strict checking of property initialization in classes. */
// "noImplicitThis": true, /* Raise error on 'this' expressions with an implied 'any' type. */
// "alwaysStrict": true, /* Parse in strict mode and emit "use strict" for each source file. */
/* Additional Checks */
// "noUnusedLocals": true, /* Report errors on unused locals. */
// "noUnusedParameters": true, /* Report errors on unused parameters. */
// "noImplicitReturns": true, /* Report error when not all code paths in function return a value. */
// "noFallthroughCasesInSwitch": true, /* Report errors for fallthrough cases in switch statement. */
/* Module Resolution Options */
// "moduleResolution": "node", /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */
// "baseUrl": "./", /* Base directory to resolve non-absolute module names. */
// "paths": {}, /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */
// "rootDirs": [], /* List of root folders whose combined content represents the structure of the project at runtime. */
// "typeRoots": [], /* List of folders to include type definitions from. */
// "types": [], /* Type declaration files to be included in compilation. */
// "allowSyntheticDefaultImports": true, /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
// "preserveSymlinks": true, /* Do not resolve the real path of symlinks. */
// "allowUmdGlobalAccess": true, /* Allow accessing UMD globals from modules. */
/* Source Map Options */
// "sourceRoot": "", /* Specify the location where debugger should locate TypeScript files instead of source locations. */
// "mapRoot": "", /* Specify the location where debugger should locate map files instead of generated locations. */
// "inlineSourceMap": true, /* Emit a single file with source maps instead of having a separate file. */
// "inlineSources": true, /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */
/* Experimental Options */
// "experimentalDecorators": true, /* Enables experimental support for ES7 decorators. */
// "emitDecoratorMetadata": true, /* Enables experimental support for emitting type metadata for decorators. */
/* Advanced Options */
"skipLibCheck": true /* Skip type checking of declaration files. */,
"forceConsistentCasingInFileNames": true /* Disallow inconsistently-cased references to the same file. */
}
}
1 change: 1 addition & 0 deletions examples/with-multifactorauth-recovery-codes/frontend/.env
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
SKIP_PREFLIGHT_CHECK=true
23 changes: 23 additions & 0 deletions examples/with-multifactorauth-recovery-codes/frontend/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.

# dependencies
/node_modules
/.pnp
.pnp.js

# testing
/coverage

# production
/build

# misc
.DS_Store
.env.local
.env.development.local
.env.test.local
.env.production.local

npm-debug.log*
yarn-debug.log*
yarn-error.log*
Loading

0 comments on commit fe49eb2

Please sign in to comment.