feat(graphql-api): create mfa operations (#1048)

Author: pradel

packages/graphql-api/__tests__/modules/accounts-mfa/resolvers/mutations.ts

@@ -0,0 +1,79 @@
+import { AccountsMfa } from '@accounts/mfa';
+import { Mutation } from '../../../../src/modules/accounts-mfa/resolvers/mutation';
+
+describe('accounts-mfa resolvers mutations', () => {
+  const accountsMfaMock = {
+    challenge: jest.fn(),
+    associate: jest.fn(),
+    associateByMfaToken: jest.fn(),
+  };
+  const injector = {
+    get: jest.fn(() => accountsMfaMock),
+  };
+  const user = { id: 'idTest' };
+  const infos = {
+    ip: 'ipTest',
+    userAgent: 'userAgentTest',
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('challenge', () => {
+    it('should call associateByMfaToken', async () => {
+      const mfaToken = 'mfaTokenTest';
+      const authenticatorId = 'authenticatorIdTest';
+      await Mutation.challenge!(
+        {},
+        { mfaToken, authenticatorId },
+        { injector, infos } as any,
+        {} as any
+      );
+      expect(injector.get).toHaveBeenCalledWith(AccountsMfa);
+      expect(accountsMfaMock.challenge).toHaveBeenCalledWith(mfaToken, authenticatorId, infos);
+    });
+  });
+
+  describe('associate', () => {
+    it('should throw if no user in context', async () => {
+      await expect(Mutation.associate!({}, {} as any, {} as any, {} as any)).rejects.toThrowError(
+        'Unauthorized'
+      );
+    });
+
+    it('should call associate', async () => {
+      const type = 'typeTest';
+      const params = 'paramsTest';
+      await Mutation.associate!(
+        {},
+        { type, params: params as any },
+        { user, injector, infos } as any,
+        {} as any
+      );
+      expect(injector.get).toHaveBeenCalledWith(AccountsMfa);
+      expect(accountsMfaMock.associate).toHaveBeenCalledWith(user.id, type, params, infos);
+    });
+  });
+
+  describe('associateByMfaToken', () => {
+    it('should call associateByMfaToken', async () => {
+      const mfaToken = 'mfaTokenTest';
+      const type = 'typeTest';
+      const params = 'paramsTest';
+      await Mutation.associateByMfaToken!(
+        {},
+        { mfaToken, type, params: params as any },
+        { injector, infos } as any,
+        {} as any
+      );
+      expect(injector.get).toHaveBeenCalledWith(AccountsMfa);
+      expect(accountsMfaMock.associateByMfaToken).toHaveBeenCalledWith(
+        mfaToken,
+        type,
+        params,
+        infos
+      );
+    });
+  });
+});

packages/graphql-api/__tests__/modules/accounts-mfa/resolvers/query.ts

@@ -0,0 +1,40 @@
+import { AccountsMfa } from '@accounts/mfa';
+import { Query } from '../../../../src/modules/accounts-mfa/resolvers/query';
+
+describe('accounts-mfa resolvers query', () => {
+  const accountsMfaMock = {
+    findUserAuthenticators: jest.fn(),
+    findUserAuthenticatorsByMfaToken: jest.fn(),
+  };
+  const injector = {
+    get: jest.fn(() => accountsMfaMock),
+  };
+  const user = { id: 'idTest' };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('authenticators', () => {
+    it('should throw if no user in context', async () => {
+      await expect(Query.authenticators!({}, {}, {} as any, {} as any)).rejects.toThrowError(
+        'Unauthorized'
+      );
+    });
+
+    it('should call findUserAuthenticators', async () => {
+      await Query.authenticators!({}, {}, { injector, user } as any, {} as any);
+      expect(injector.get).toHaveBeenCalledWith(AccountsMfa);
+      expect(accountsMfaMock.findUserAuthenticators).toHaveBeenCalledWith(user.id);
+    });
+  });
+
+  describe('authenticatorsByMfaToken', () => {
+    it('should call findUserAuthenticators', async () => {
+      const mfaToken = 'mfaTokenTest';
+      await Query.authenticatorsByMfaToken!({}, { mfaToken }, { injector } as any, {} as any);
+      expect(injector.get).toHaveBeenCalledWith(AccountsMfa);
+      expect(accountsMfaMock.findUserAuthenticatorsByMfaToken).toHaveBeenCalledWith(mfaToken);
+    });
+  });
+});

packages/graphql-api/__tests__/modules/accounts/index.ts

@@ -2,9 +2,7 @@ import { print } from 'graphql';
 import { AccountsModule } from '../../../src/modules/accounts/index';
 
 const accountsServer = {
-  getServices: () => ({
-    password: {},
-  }),
+  getService: () => ({}),
 };
 
 describe('AccountsModule', () => {

packages/graphql-api/introspection.json

@@ -33,9 +33,10 @@
   },
   "homepage": "https://github.com/js-accounts/graphql-api",
   "peerDependencies": {
-    "@accounts/password": "^0.28.0",
-    "@accounts/server": "^0.28.0",
-    "@accounts/types": "^0.28.0",
+    "@accounts/mfa": "^0.29.0",
+    "@accounts/password": "^0.29.0",
+    "@accounts/server": "^0.29.0",
+    "@accounts/types": "^0.29.0",
     "@graphql-modules/core": "0.7.17",
     "graphql-tag": "^2.10.0",
     "graphql-tools": "^5.0.0"
@@ -46,6 +47,7 @@
     "tslib": "2.0.1"
   },
   "devDependencies": {
+    "@accounts/mfa": "^0.29.0",
     "@accounts/password": "^0.29.0",
     "@accounts/server": "^0.29.0",
     "@accounts/types": "^0.29.0",

packages/graphql-api/package.json

@@ -14,6 +14,12 @@ export type Scalars = {
 };
 
 
+export type AssociateParamsInput = {
+  _?: Maybe<Scalars['String']>;
+};
+
+export type AssociationResult = OtpAssociationResult;
+
 export type AuthenticateParamsInput = {
   access_token?: Maybe<Scalars['String']>;
   access_token_secret?: Maybe<Scalars['String']>;
@@ -25,6 +31,16 @@ export type AuthenticateParamsInput = {
 
 export type AuthenticationResult = LoginResult | MultiFactorResult;
 
+export type Authenticator = {
+  __typename?: 'Authenticator';
+  id?: Maybe<Scalars['ID']>;
+  type?: Maybe<Scalars['String']>;
+  active?: Maybe<Scalars['Boolean']>;
+  activatedAt?: Maybe<Scalars['String']>;
+};
+
+export type ChallengeResult = DefaultChallengeResult;
+
 export type CreateUserInput = {
   username?: Maybe<Scalars['String']>;
   email?: Maybe<Scalars['String']>;
@@ -37,6 +53,12 @@ export type CreateUserResult = {
   loginResult?: Maybe<LoginResult>;
 };
 
+export type DefaultChallengeResult = {
+  __typename?: 'DefaultChallengeResult';
+  mfaToken?: Maybe<Scalars['String']>;
+  authenticatorId?: Maybe<Scalars['String']>;
+};
+
 export type EmailRecord = {
   __typename?: 'EmailRecord';
   address?: Maybe<Scalars['String']>;
@@ -79,6 +101,9 @@ export type Mutation = {
   changePassword?: Maybe<Scalars['Boolean']>;
   twoFactorSet?: Maybe<Scalars['Boolean']>;
   twoFactorUnset?: Maybe<Scalars['Boolean']>;
+  challenge?: Maybe<ChallengeResult>;
+  associate?: Maybe<AssociationResult>;
+  associateByMfaToken?: Maybe<AssociationResult>;
   impersonate?: Maybe<ImpersonateReturn>;
   refreshTokens?: Maybe<LoginResult>;
   logout?: Maybe<Scalars['Boolean']>;
@@ -135,6 +160,25 @@ export type MutationTwoFactorUnsetArgs = {
 };
 
 
+export type MutationChallengeArgs = {
+  mfaToken: Scalars['String'];
+  authenticatorId: Scalars['String'];
+};
+
+
+export type MutationAssociateArgs = {
+  type: Scalars['String'];
+  params?: Maybe<AssociateParamsInput>;
+};
+
+
+export type MutationAssociateByMfaTokenArgs = {
+  mfaToken: Scalars['String'];
+  type: Scalars['String'];
+  params?: Maybe<AssociateParamsInput>;
+};
+
+
 export type MutationImpersonateArgs = {
   accessToken: Scalars['String'];
   impersonated: ImpersonationUserIdentityInput;
@@ -158,12 +202,25 @@ export type MutationVerifyAuthenticationArgs = {
   params: AuthenticateParamsInput;
 };
 
+export type OtpAssociationResult = {
+  __typename?: 'OTPAssociationResult';
+  mfaToken?: Maybe<Scalars['String']>;
+  authenticatorId?: Maybe<Scalars['String']>;
+};
+
 export type Query = {
   __typename?: 'Query';
   twoFactorSecret?: Maybe<TwoFactorSecretKey>;
+  authenticators?: Maybe<Array<Maybe<Authenticator>>>;
+  authenticatorsByMfaToken?: Maybe<Array<Maybe<Authenticator>>>;
   getUser?: Maybe<User>;
 };
 
+
+export type QueryAuthenticatorsByMfaTokenArgs = {
+  mfaToken: Scalars['String'];
+};
+
 export type Tokens = {
   __typename?: 'Tokens';
   refreshToken?: Maybe<Scalars['String']>;
@@ -274,16 +331,22 @@ export type ResolversTypes = {
   Query: ResolverTypeWrapper<{}>;
   TwoFactorSecretKey: ResolverTypeWrapper<TwoFactorSecretKey>;
   String: ResolverTypeWrapper<Scalars['String']>;
-  User: ResolverTypeWrapper<User>;
+  Authenticator: ResolverTypeWrapper<Authenticator>;
   ID: ResolverTypeWrapper<Scalars['ID']>;
-  EmailRecord: ResolverTypeWrapper<EmailRecord>;
   Boolean: ResolverTypeWrapper<Scalars['Boolean']>;
+  User: ResolverTypeWrapper<User>;
+  EmailRecord: ResolverTypeWrapper<EmailRecord>;
   Mutation: ResolverTypeWrapper<{}>;
   CreateUserInput: CreateUserInput;
   CreateUserResult: ResolverTypeWrapper<CreateUserResult>;
   LoginResult: ResolverTypeWrapper<LoginResult>;
   Tokens: ResolverTypeWrapper<Tokens>;
   TwoFactorSecretKeyInput: TwoFactorSecretKeyInput;
+  ChallengeResult: ResolversTypes['DefaultChallengeResult'];
+  DefaultChallengeResult: ResolverTypeWrapper<DefaultChallengeResult>;
+  AssociateParamsInput: AssociateParamsInput;
+  AssociationResult: ResolversTypes['OTPAssociationResult'];
+  OTPAssociationResult: ResolverTypeWrapper<OtpAssociationResult>;
   ImpersonationUserIdentityInput: ImpersonationUserIdentityInput;
   ImpersonateReturn: ResolverTypeWrapper<ImpersonateReturn>;
   AuthenticateParamsInput: AuthenticateParamsInput;
@@ -297,16 +360,22 @@ export type ResolversParentTypes = {
   Query: {};
   TwoFactorSecretKey: TwoFactorSecretKey;
   String: Scalars['String'];
-  User: User;
+  Authenticator: Authenticator;
   ID: Scalars['ID'];
-  EmailRecord: EmailRecord;
   Boolean: Scalars['Boolean'];
+  User: User;
+  EmailRecord: EmailRecord;
   Mutation: {};
   CreateUserInput: CreateUserInput;
   CreateUserResult: CreateUserResult;
   LoginResult: LoginResult;
   Tokens: Tokens;
   TwoFactorSecretKeyInput: TwoFactorSecretKeyInput;
+  ChallengeResult: ResolversParentTypes['DefaultChallengeResult'];
+  DefaultChallengeResult: DefaultChallengeResult;
+  AssociateParamsInput: AssociateParamsInput;
+  AssociationResult: ResolversParentTypes['OTPAssociationResult'];
+  OTPAssociationResult: OtpAssociationResult;
   ImpersonationUserIdentityInput: ImpersonationUserIdentityInput;
   ImpersonateReturn: ImpersonateReturn;
   AuthenticateParamsInput: AuthenticateParamsInput;
@@ -319,16 +388,38 @@ export type AuthDirectiveArgs = {  };
 
 export type AuthDirectiveResolver<Result, Parent, ContextType = any, Args = AuthDirectiveArgs> = DirectiveResolverFn<Result, Parent, ContextType, Args>;
 
+export type AssociationResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['AssociationResult'] = ResolversParentTypes['AssociationResult']> = {
+  __resolveType: TypeResolveFn<'OTPAssociationResult', ParentType, ContextType>;
+};
+
 export type AuthenticationResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['AuthenticationResult'] = ResolversParentTypes['AuthenticationResult']> = {
   __resolveType: TypeResolveFn<'LoginResult' | 'MultiFactorResult', ParentType, ContextType>;
 };
 
+export type AuthenticatorResolvers<ContextType = any, ParentType extends ResolversParentTypes['Authenticator'] = ResolversParentTypes['Authenticator']> = {
+  id?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType>;
+  type?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  active?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
+  activatedAt?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  __isTypeOf?: IsTypeOfResolverFn<ParentType>;
+};
+
+export type ChallengeResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['ChallengeResult'] = ResolversParentTypes['ChallengeResult']> = {
+  __resolveType: TypeResolveFn<'DefaultChallengeResult', ParentType, ContextType>;
+};
+
 export type CreateUserResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['CreateUserResult'] = ResolversParentTypes['CreateUserResult']> = {
   userId?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType>;
   loginResult?: Resolver<Maybe<ResolversTypes['LoginResult']>, ParentType, ContextType>;
   __isTypeOf?: IsTypeOfResolverFn<ParentType>;
 };
 
+export type DefaultChallengeResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['DefaultChallengeResult'] = ResolversParentTypes['DefaultChallengeResult']> = {
+  mfaToken?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  authenticatorId?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  __isTypeOf?: IsTypeOfResolverFn<ParentType>;
+};
+
 export type EmailRecordResolvers<ContextType = any, ParentType extends ResolversParentTypes['EmailRecord'] = ResolversParentTypes['EmailRecord']> = {
   address?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   verified?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
@@ -364,15 +455,26 @@ export type MutationResolvers<ContextType = any, ParentType extends ResolversPar
   changePassword?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType, RequireFields<MutationChangePasswordArgs, 'oldPassword' | 'newPassword'>>;
   twoFactorSet?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType, RequireFields<MutationTwoFactorSetArgs, 'secret' | 'code'>>;
   twoFactorUnset?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType, RequireFields<MutationTwoFactorUnsetArgs, 'code'>>;
+  challenge?: Resolver<Maybe<ResolversTypes['ChallengeResult']>, ParentType, ContextType, RequireFields<MutationChallengeArgs, 'mfaToken' | 'authenticatorId'>>;
+  associate?: Resolver<Maybe<ResolversTypes['AssociationResult']>, ParentType, ContextType, RequireFields<MutationAssociateArgs, 'type'>>;
+  associateByMfaToken?: Resolver<Maybe<ResolversTypes['AssociationResult']>, ParentType, ContextType, RequireFields<MutationAssociateByMfaTokenArgs, 'mfaToken' | 'type'>>;
   impersonate?: Resolver<Maybe<ResolversTypes['ImpersonateReturn']>, ParentType, ContextType, RequireFields<MutationImpersonateArgs, 'accessToken' | 'impersonated'>>;
   refreshTokens?: Resolver<Maybe<ResolversTypes['LoginResult']>, ParentType, ContextType, RequireFields<MutationRefreshTokensArgs, 'accessToken' | 'refreshToken'>>;
   logout?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
   authenticate?: Resolver<Maybe<ResolversTypes['AuthenticationResult']>, ParentType, ContextType, RequireFields<MutationAuthenticateArgs, 'serviceName' | 'params'>>;
   verifyAuthentication?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType, RequireFields<MutationVerifyAuthenticationArgs, 'serviceName' | 'params'>>;
 };
 
+export type OtpAssociationResultResolvers<ContextType = any, ParentType extends ResolversParentTypes['OTPAssociationResult'] = ResolversParentTypes['OTPAssociationResult']> = {
+  mfaToken?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  authenticatorId?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  __isTypeOf?: IsTypeOfResolverFn<ParentType>;
+};
+
 export type QueryResolvers<ContextType = any, ParentType extends ResolversParentTypes['Query'] = ResolversParentTypes['Query']> = {
   twoFactorSecret?: Resolver<Maybe<ResolversTypes['TwoFactorSecretKey']>, ParentType, ContextType>;
+  authenticators?: Resolver<Maybe<Array<Maybe<ResolversTypes['Authenticator']>>>, ParentType, ContextType>;
+  authenticatorsByMfaToken?: Resolver<Maybe<Array<Maybe<ResolversTypes['Authenticator']>>>, ParentType, ContextType, RequireFields<QueryAuthenticatorsByMfaTokenArgs, 'mfaToken'>>;
   getUser?: Resolver<Maybe<ResolversTypes['User']>, ParentType, ContextType>;
 };
 
@@ -402,13 +504,18 @@ export type UserResolvers<ContextType = any, ParentType extends ResolversParentT
 };
 
 export type Resolvers<ContextType = any> = {
+  AssociationResult?: AssociationResultResolvers<ContextType>;
   AuthenticationResult?: AuthenticationResultResolvers<ContextType>;
+  Authenticator?: AuthenticatorResolvers<ContextType>;
+  ChallengeResult?: ChallengeResultResolvers<ContextType>;
   CreateUserResult?: CreateUserResultResolvers<ContextType>;
+  DefaultChallengeResult?: DefaultChallengeResultResolvers<ContextType>;
   EmailRecord?: EmailRecordResolvers<ContextType>;
   ImpersonateReturn?: ImpersonateReturnResolvers<ContextType>;
   LoginResult?: LoginResultResolvers<ContextType>;
   MultiFactorResult?: MultiFactorResultResolvers<ContextType>;
   Mutation?: MutationResolvers<ContextType>;
+  OTPAssociationResult?: OtpAssociationResultResolvers<ContextType>;
   Query?: QueryResolvers<ContextType>;
   Tokens?: TokensResolvers<ContextType>;
   TwoFactorSecretKey?: TwoFactorSecretKeyResolvers<ContextType>;