Merge pull request #206 from authorizerdev/feat/2fa

feat: add mutifactor authentication

Author: lakhansamani

Makefile

@@ -11,14 +11,26 @@ clean:
 	rm -rf build
 test:
 	rm -rf server/test/test.db && rm -rf test.db && cd server && go clean --testcache && TEST_DBS="sqlite" go test -p 1 -v ./test
+test-mongodb:
+	docker run -d --name authorizer_mongodb_db -p 27017:27017 mongo:4.4.15
+	cd server && go clean --testcache && TEST_DBS="mongodb" go test -p 1 -v ./test
+	docker rm -vf authorizer_mongodb_db
+test-scylladb:
+	docker run -d --name authorizer_scylla_db -p 9042:9042 scylladb/scylla
+	cd server && go clean --testcache && TEST_DBS="scylladb" go test -p 1 -v ./test
+	docker rm -vf authorizer_scylla_db
+test-arangodb:
+	docker run -d --name authorizer_arangodb -p 8529:8529 -e ARANGO_NO_AUTH=1 arangodb/arangodb:3.8.4
+	cd server && go clean --testcache && TEST_DBS="arangodb" go test -p 1 -v ./test
+	docker rm -vf authorizer_arangodb
 test-all-db:
 	rm -rf server/test/test.db && rm -rf test.db
 	docker run -d --name authorizer_scylla_db -p 9042:9042 scylladb/scylla
 	docker run -d --name authorizer_mongodb_db -p 27017:27017 mongo:4.4.15
 	docker run -d --name authorizer_arangodb -p 8529:8529 -e ARANGO_NO_AUTH=1 arangodb/arangodb:3.8.4
 	cd server && go clean --testcache && TEST_DBS="sqlite,mongodb,arangodb,scylladb" go test -p 1 -v ./test
-	docker rm -vf authorizer_mongodb_db
 	docker rm -vf authorizer_scylla_db
+	docker rm -vf authorizer_mongodb_db
 	docker rm -vf authorizer_arangodb
 generate:
 	cd server && go get github.com/99designs/gqlgen/[email protected] && go run github.com/99designs/gqlgen generate

app/package-lock.json

@@ -11,7 +11,7 @@
 	"author": "Lakhan Samani",
 	"license": "ISC",
 	"dependencies": {
-		"@authorizerdev/authorizer-react": "^0.25.0",
+		"@authorizerdev/authorizer-react": "^0.26.0-beta.0",
 		"@types/react": "^17.0.15",
 		"@types/react-dom": "^17.0.9",
 		"esbuild": "^0.12.17",

app/package.json

@@ -108,7 +108,7 @@ const OAuthConfig = ({
 								fieldVisibility={fieldVisibility}
 								setFieldVisibility={setFieldVisibility}
 								inputType={HiddenInputType.GOOGLE_CLIENT_SECRET}
-								placeholder="Google Secret"
+								placeholder="Google Client Secret"
 							/>
 						</Center>
 					</Flex>
@@ -146,7 +146,7 @@ const OAuthConfig = ({
 								fieldVisibility={fieldVisibility}
 								setFieldVisibility={setFieldVisibility}
 								inputType={HiddenInputType.GITHUB_CLIENT_SECRET}
-								placeholder="Github Secret"
+								placeholder="Github Client Secret"
 							/>
 						</Center>
 					</Flex>
@@ -184,7 +184,7 @@ const OAuthConfig = ({
 								fieldVisibility={fieldVisibility}
 								setFieldVisibility={setFieldVisibility}
 								inputType={HiddenInputType.FACEBOOK_CLIENT_SECRET}
-								placeholder="Facebook Secret"
+								placeholder="Facebook Client Secret"
 							/>
 						</Center>
 					</Flex>
@@ -260,7 +260,7 @@ const OAuthConfig = ({
 								fieldVisibility={fieldVisibility}
 								setFieldVisibility={setFieldVisibility}
 								inputType={HiddenInputType.APPLE_CLIENT_SECRET}
-								placeholder="Apple CLient Secret"
+								placeholder="Apple Client Secret"
 							/>
 						</Center>
 					</Flex>

dashboard/src/components/EnvComponents/OAuthConfig.tsx

@@ -89,6 +89,7 @@ export const UserDetailsQuery = `
         roles
         created_at
         revoked_timestamp
+        is_multi_factor_auth_enabled
       }
     }
   }

dashboard/src/graphql/queries/index.ts

@@ -68,6 +68,7 @@ interface userDataTypes {
 	roles: [string];
 	created_at: number;
 	revoked_timestamp: number;
+	is_multi_factor_auth_enabled?: boolean;
 }
 
 const enum updateAccessActions {
@@ -250,6 +251,34 @@ export default function Users() {
 				break;
 		}
 	};
+	const multiFactorAuthUpdateHandler = async (user: userDataTypes) => {
+		const res = await client
+			.mutation(UpdateUser, {
+				params: {
+					id: user.id,
+					is_multi_factor_auth_enabled: !user.is_multi_factor_auth_enabled,
+				},
+			})
+			.toPromise();
+		if (res.data?._update_user?.id) {
+			toast({
+				title: `Multi factor authentication ${
+					user.is_multi_factor_auth_enabled ? 'disabled' : 'enabled'
+				} for user`,
+				isClosable: true,
+				status: 'success',
+				position: 'bottom-right',
+			});
+			updateUserList();
+			return;
+		}
+		toast({
+			title: 'Multi factor authentication update failed for user',
+			isClosable: true,
+			status: 'error',
+			position: 'bottom-right',
+		});
+	};
 
 	return (
 		<Box m="5" py="5" px="10" bg="white" rounded="md">
@@ -273,6 +302,7 @@ export default function Users() {
 								<Th>Roles</Th>
 								<Th>Verified</Th>
 								<Th>Access</Th>
+								<Th>MFA</Th>
 								<Th>Actions</Th>
 							</Tr>
 						</Thead>
@@ -305,6 +335,19 @@ export default function Users() {
 												{user.revoked_timestamp ? 'Revoked' : 'Enabled'}
 											</Tag>
 										</Td>
+										<Td>
+											<Tag
+												size="sm"
+												variant="outline"
+												colorScheme={
+													user.is_multi_factor_auth_enabled ? 'green' : 'red'
+												}
+											>
+												{user.is_multi_factor_auth_enabled
+													? 'Enabled'
+													: 'Disabled'}
+											</Tag>
+										</Td>
 										<Td>
 											<Menu>
 												<MenuButton as={Button} variant="unstyled" size="sm">
@@ -357,6 +400,19 @@ export default function Users() {
 															Revoke Access
 														</MenuItem>
 													)}
+													{user.is_multi_factor_auth_enabled ? (
+														<MenuItem
+															onClick={() => multiFactorAuthUpdateHandler(user)}
+														>
+															Disable MFA
+														</MenuItem>
+													) : (
+														<MenuItem
+															onClick={() => multiFactorAuthUpdateHandler(user)}
+														>
+															Enable MFA
+														</MenuItem>
+													)}
 												</MenuList>
 											</Menu>
 										</Td>

dashboard/src/pages/Users.tsx

@@ -47,6 +47,8 @@ const (
 	EnvKeySmtpPassword = "SMTP_PASSWORD"
 	// EnvKeySenderEmail key for env variable SENDER_EMAIL
 	EnvKeySenderEmail = "SENDER_EMAIL"
+	// EnvKeyIsEmailServiceEnabled key for env variable IS_EMAIL_SERVICE_ENABLED
+	EnvKeyIsEmailServiceEnabled = "IS_EMAIL_SERVICE_ENABLED"
 	// EnvKeyJwtType key for env variable JWT_TYPE
 	EnvKeyJwtType = "JWT_TYPE"
 	// EnvKeyJwtSecret key for env variable JWT_SECRET
@@ -117,6 +119,12 @@ const (
 	EnvKeyDisableRedisForEnv = "DISABLE_REDIS_FOR_ENV"
 	// EnvKeyDisableStrongPassword key for env variable DISABLE_STRONG_PASSWORD
 	EnvKeyDisableStrongPassword = "DISABLE_STRONG_PASSWORD"
+	// EnvKeyEnforceMultiFactorAuthentication is key for env variable ENFORCE_MULTI_FACTOR_AUTHENTICATION
+	// If enforced and changed later on, existing user will have MFA but new user will not have MFA
+	EnvKeyEnforceMultiFactorAuthentication = "ENFORCE_MULTI_FACTOR_AUTHENTICATION"
+	// EnvKeyDisableMultiFactorAuthentication is key for env variable DISABLE_MULTI_FACTOR_AUTHENTICATION
+	// this variable is used to completely disable multi factor authentication. It will have no effect on profile preference
+	EnvKeyDisableMultiFactorAuthentication = "DISABLE_MULTI_FACTOR_AUTHENTICATION"
 
 	// Slice variables
 	// EnvKeyRoles key for env variable ROLES

server/constants/env.go

@@ -9,6 +9,7 @@ type CollectionList struct {
 	Webhook             string
 	WebhookLog          string
 	EmailTemplate       string
+	OTP                 string
 }
 
 var (
@@ -23,5 +24,6 @@ var (
 		Webhook:             Prefix + "webhooks",
 		WebhookLog:          Prefix + "webhook_logs",
 		EmailTemplate:       Prefix + "email_templates",
+		OTP:                 Prefix + "otps",
 	}
 )

server/db/models/model.go

@@ -0,0 +1,12 @@
+package models
+
+// OTP model for database
+type OTP struct {
+	Key       string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty"` // for arangodb
+	ID        string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id"`
+	Email     string `gorm:"unique" json:"email" bson:"email" cql:"email"`
+	Otp       string `json:"otp" bson:"otp" cql:"otp"`
+	ExpiresAt int64  `json:"expires_at" bson:"expires_at" cql:"expires_at"`
+	CreatedAt int64  `json:"created_at" bson:"created_at" cql:"created_at"`
+	UpdatedAt int64  `json:"updated_at" bson:"updated_at" cql:"updated_at"`
+}

server/db/models/otp.go

@@ -14,51 +14,53 @@ type User struct {
 	Key string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty"` // for arangodb
 	ID  string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id"`
 
-	Email                 string  `gorm:"unique" json:"email" bson:"email" cql:"email"`
-	EmailVerifiedAt       *int64  `json:"email_verified_at" bson:"email_verified_at" cql:"email_verified_at"`
-	Password              *string `gorm:"type:text" json:"password" bson:"password" cql:"password"`
-	SignupMethods         string  `json:"signup_methods" bson:"signup_methods" cql:"signup_methods"`
-	GivenName             *string `json:"given_name" bson:"given_name" cql:"given_name"`
-	FamilyName            *string `json:"family_name" bson:"family_name" cql:"family_name"`
-	MiddleName            *string `json:"middle_name" bson:"middle_name" cql:"middle_name"`
-	Nickname              *string `json:"nickname" bson:"nickname" cql:"nickname"`
-	Gender                *string `json:"gender" bson:"gender" cql:"gender"`
-	Birthdate             *string `json:"birthdate" bson:"birthdate" cql:"birthdate"`
-	PhoneNumber           *string `gorm:"unique" json:"phone_number" bson:"phone_number" cql:"phone_number"`
-	PhoneNumberVerifiedAt *int64  `json:"phone_number_verified_at" bson:"phone_number_verified_at" cql:"phone_number_verified_at"`
-	Picture               *string `gorm:"type:text" json:"picture" bson:"picture" cql:"picture"`
-	Roles                 string  `json:"roles" bson:"roles" cql:"roles"`
-	RevokedTimestamp      *int64  `json:"revoked_timestamp" bson:"revoked_timestamp" cql:"revoked_timestamp"`
-	UpdatedAt             int64   `json:"updated_at" bson:"updated_at" cql:"updated_at"`
-	CreatedAt             int64   `json:"created_at" bson:"created_at" cql:"created_at"`
+	Email                    string  `gorm:"unique" json:"email" bson:"email" cql:"email"`
+	EmailVerifiedAt          *int64  `json:"email_verified_at" bson:"email_verified_at" cql:"email_verified_at"`
+	Password                 *string `gorm:"type:text" json:"password" bson:"password" cql:"password"`
+	SignupMethods            string  `json:"signup_methods" bson:"signup_methods" cql:"signup_methods"`
+	GivenName                *string `json:"given_name" bson:"given_name" cql:"given_name"`
+	FamilyName               *string `json:"family_name" bson:"family_name" cql:"family_name"`
+	MiddleName               *string `json:"middle_name" bson:"middle_name" cql:"middle_name"`
+	Nickname                 *string `json:"nickname" bson:"nickname" cql:"nickname"`
+	Gender                   *string `json:"gender" bson:"gender" cql:"gender"`
+	Birthdate                *string `json:"birthdate" bson:"birthdate" cql:"birthdate"`
+	PhoneNumber              *string `gorm:"unique" json:"phone_number" bson:"phone_number" cql:"phone_number"`
+	PhoneNumberVerifiedAt    *int64  `json:"phone_number_verified_at" bson:"phone_number_verified_at" cql:"phone_number_verified_at"`
+	Picture                  *string `gorm:"type:text" json:"picture" bson:"picture" cql:"picture"`
+	Roles                    string  `json:"roles" bson:"roles" cql:"roles"`
+	RevokedTimestamp         *int64  `json:"revoked_timestamp" bson:"revoked_timestamp" cql:"revoked_timestamp"`
+	IsMultiFactorAuthEnabled *bool   `json:"is_multi_factor_auth_enabled" bson:"is_multi_factor_auth_enabled" cql:"is_multi_factor_auth_enabled"`
+	UpdatedAt                int64   `json:"updated_at" bson:"updated_at" cql:"updated_at"`
+	CreatedAt                int64   `json:"created_at" bson:"created_at" cql:"created_at"`
 }
 
 func (user *User) AsAPIUser() *model.User {
 	isEmailVerified := user.EmailVerifiedAt != nil
 	isPhoneVerified := user.PhoneNumberVerifiedAt != nil
 
-	id := user.ID
-	if strings.Contains(id, Collections.WebhookLog+"/") {
-		id = strings.TrimPrefix(id, Collections.WebhookLog+"/")
-	}
+	// id := user.ID
+	// if strings.Contains(id, Collections.User+"/") {
+	// 	id = strings.TrimPrefix(id, Collections.User+"/")
+	// }
 	return &model.User{
-		ID:                  id,
-		Email:               user.Email,
-		EmailVerified:       isEmailVerified,
-		SignupMethods:       user.SignupMethods,
-		GivenName:           user.GivenName,
-		FamilyName:          user.FamilyName,
-		MiddleName:          user.MiddleName,
-		Nickname:            user.Nickname,
-		PreferredUsername:   refs.NewStringRef(user.Email),
-		Gender:              user.Gender,
-		Birthdate:           user.Birthdate,
-		PhoneNumber:         user.PhoneNumber,
-		PhoneNumberVerified: &isPhoneVerified,
-		Picture:             user.Picture,
-		Roles:               strings.Split(user.Roles, ","),
-		RevokedTimestamp:    user.RevokedTimestamp,
-		CreatedAt:           refs.NewInt64Ref(user.CreatedAt),
-		UpdatedAt:           refs.NewInt64Ref(user.UpdatedAt),
+		ID:                       user.ID,
+		Email:                    user.Email,
+		EmailVerified:            isEmailVerified,
+		SignupMethods:            user.SignupMethods,
+		GivenName:                user.GivenName,
+		FamilyName:               user.FamilyName,
+		MiddleName:               user.MiddleName,
+		Nickname:                 user.Nickname,
+		PreferredUsername:        refs.NewStringRef(user.Email),
+		Gender:                   user.Gender,
+		Birthdate:                user.Birthdate,
+		PhoneNumber:              user.PhoneNumber,
+		PhoneNumberVerified:      &isPhoneVerified,
+		Picture:                  user.Picture,
+		Roles:                    strings.Split(user.Roles, ","),
+		RevokedTimestamp:         user.RevokedTimestamp,
+		IsMultiFactorAuthEnabled: user.IsMultiFactorAuthEnabled,
+		CreatedAt:                refs.NewInt64Ref(user.CreatedAt),
+		UpdatedAt:                refs.NewInt64Ref(user.UpdatedAt),
 	}
 }