Skip to content

Commit

Permalink
Register unregistered users & update obtain new token
Browse files Browse the repository at this point in the history
Signed-off-by: Fon E. Noel NFEBE <[email protected]>
  • Loading branch information
nfebe committed Sep 18, 2023
1 parent b9ab43c commit 4df4750
Show file tree
Hide file tree
Showing 8 changed files with 596 additions and 422 deletions.
4 changes: 3 additions & 1 deletion .env.example
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,6 @@ PERMANENT_API_BASE_PATH=${LOCAL_TEMPORARY_AUTH_TOKEN}
# See https://fusionauth.io/docs/v1/tech/apis/api-keys
FUSION_AUTH_HOST=${FUSION_AUTH_HOST}
FUSION_AUTH_KEY=${FUSION_AUTH_KEY}
FUSION_AUTH_APP_ID=${FUSION_AUTH_APP_ID}
FUSION_AUTH_SFTP_APP_ID=${FUSION_AUTH_SFTP_APP_ID}
FUSION_AUTH_SFTP_CLIENT_ID=${FUSION_AUTH_SFTP_CLIENT_ID}
FUSION_AUTH_SFTP_CLIENT_SECRET=${FUSION_AUTH_SFTP_CLIENT_SECRET}
11 changes: 11 additions & 0 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
"dotenv": "^16.3.1",
"logform": "^2.3.2",
"node-fetch": "^2.7.0",
"require-env-variable": "^4.0.1",
"ssh2": "^1.14.0",
"tmp": "^0.2.1",
"uuid": "^9.0.0",
Expand Down
174 changes: 131 additions & 43 deletions src/classes/AuthenticationSession.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,55 +13,92 @@ enum FusionAuthStatusCode {
}

export class AuthenticationSession {
public authToken = '';
private authToken = '';

public refreshToken = '';

public readonly authContext;

private authTokenExpiresAt = 0;
private authTokenExpiresAt = new Date();

private readonly fusionAuthClient;

private readonly fusionAuthAppId = process.env.FUSION_AUTH_APP_ID ?? '';

private twoFactorId = '';

private twoFactorMethods: TwoFactorMethod[] = [];

public constructor(authContext: KeyboardAuthContext) {
private fusionAuthSftpAppId = '';

private fusionAuthSftpClientId = '';

private fusionAuthSftpClientSecret = '';

public constructor(
authContext: KeyboardAuthContext,
fusionAuthSftpAppId: string,
fusionAuthSftpClientId: string,
fusionAuthSftpClientSecret: string,
) {
this.authContext = authContext;
this.fusionAuthSftpAppId = fusionAuthSftpAppId;
this.fusionAuthSftpClientId = fusionAuthSftpClientId;
this.fusionAuthSftpClientSecret = fusionAuthSftpClientSecret;
this.fusionAuthClient = getFusionAuthClient();
}

public invokeAuthenticationFlow(): void {
this.promptForPassword();
}

public obtainNewAuthTokenUsingRefreshToken(): void {
this.fusionAuthClient.exchangeRefreshTokenForAccessToken(this.refreshToken, '', '', '', '')
.then((clientResponse) => {
this.authToken = clientResponse.response.access_token ?? '';
})
.catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
logger.warn(`Error obtaining refresh token : ${message}`);
this.authContext.reject();
});
public async getToken() {
if (this.tokenWouldExpireSoon()) {
await this.getAuthTokenUsingRefreshToken();
}
return this.authToken;
}

public tokenExpired(): boolean {
const expirationDate = new Date(this.authTokenExpiresAt);
return expirationDate <= new Date();
private async getAuthTokenUsingRefreshToken(): Promise<void> {
try {
const clientResponse = await this.fusionAuthClient.exchangeRefreshTokenForAccessToken(
this.refreshToken,
this.fusionAuthSftpClientId,
this.fusionAuthSftpClientSecret,
'',
'',
);

if (clientResponse.response.access_token) {
this.authToken = clientResponse.response.access_token;
// The exchange refresh token for access token endpoint does not return a timestamp,
// it returns expires_in in seconds.
// So we need to create the timestamp to be consistent with what is first
// returned upon initial authentication
this.authTokenExpiresAt = new Date(
Date.now() + (clientResponse.response.expires_in ?? 1 * 1000),
);
logger.info('New access token obtained :', clientResponse.response);
} else {
logger.warn('No refresh token in response :', clientResponse.response);
this.authContext.reject();
}
} catch (error: unknown) {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
logger.warn(`Error obtaining refresh token: ${message}`);
this.authContext.reject();
}
}

public tokenWouldExpireSoon(minutes = 5): boolean {
const expirationDate = new Date(this.authTokenExpiresAt);
private tokenWouldExpireSoon(seconds = 300): boolean {
const currentTime = new Date();
const timeDifferenceMinutes = (expirationDate.getTime() - currentTime.getTime()) / (1000 * 60);
return timeDifferenceMinutes <= minutes;
const timeDifferenceSeconds = (
(this.authTokenExpiresAt.getTime() - currentTime.getTime()) / (1000 * 60 * 60)
);
return timeDifferenceSeconds <= seconds;
}

private promptForPassword(): void {
Expand All @@ -78,53 +115,101 @@ export class AuthenticationSession {

private processPasswordResponse([password]: string[]): void {
this.fusionAuthClient.login({
applicationId: this.fusionAuthAppId,
applicationId: this.fusionAuthSftpAppId,
loginId: this.authContext.username,
password,
}).then((clientResponse) => {
switch (clientResponse.statusCode) {
case FusionAuthStatusCode.Success:
case FusionAuthStatusCode.SuccessButUnregisteredInApp:
case FusionAuthStatusCode.Success: {
if (clientResponse.response.token !== undefined) {
logger.verbose('Successful password authentication attempt.', {
username: this.authContext.username,
});
this.authToken = clientResponse.response.token;
this.authTokenExpiresAt = clientResponse.response.tokenExpirationInstant ?? 0;
this.refreshToken = clientResponse.response.refreshToken ?? '';
if (clientResponse.response.refreshToken) {
this.refreshToken = clientResponse.response.refreshToken;
this.authTokenExpiresAt = new Date(
clientResponse.response.tokenExpirationInstant ?? 0,
);
} else {
logger.warn('No refresh token in response :', clientResponse.response);
this.authContext.reject();
}
this.authContext.accept();
return;
} else {
logger.warn('No auth token in response', clientResponse.response);
this.authContext.reject();
}
this.authContext.reject();
return;
case FusionAuthStatusCode.SuccessNeedsTwoFactorAuth:
}
case FusionAuthStatusCode.SuccessButUnregisteredInApp: {
const userId: string = clientResponse.response.user?.id ?? '';
this.registerUserInApp(userId)
.then(() => { this.processPasswordResponse([password]); })
.catch((error) => {
logger.warn('Error during registration and authentication:', error);
this.authContext.reject();
});
return;
}
case FusionAuthStatusCode.SuccessNeedsTwoFactorAuth: {
if (clientResponse.response.twoFactorId !== undefined) {
logger.verbose('Successful password authentication attempt; MFA required.', {
username: this.authContext.username,
});
this.twoFactorId = clientResponse.response.twoFactorId;
this.twoFactorMethods = clientResponse.response.methods ?? [];
this.promptForTwoFactorMethod();
return;
} else {
this.authContext.reject();
}
this.authContext.reject();
return;
default:
}
default: {
logger.verbose('Failed password authentication attempt.', {
username: this.authContext.username,
response: clientResponse.response,
});
this.authContext.reject();
}
}
}).catch((error) => {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
}).catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
logger.warn(`Unexpected exception with FusionAuth password login: ${message}`);
this.authContext.reject();
});
}

private async registerUserInApp(userId: string): Promise<void> {
try {
const clientResponse = await this.fusionAuthClient.register(userId, {
registration: {
applicationId: this.fusionAuthSftpAppId,
},
});

switch (clientResponse.statusCode) {
case FusionAuthStatusCode.Success:
logger.verbose('User registered successfully after authentication.', {
userId,
});
break;
default:
logger.verbose('User registration after authentication failed.', {
userId,
response: clientResponse.response,
});
}
} catch (error) {
logger.warn('Error during user registration after authentication:', error);
}
}

private promptForTwoFactorMethod(): void {
const promptOptions = this.twoFactorMethods.map(
(method, index) => `[${index + 1}] ${method.method ?? ''}`,
Expand Down Expand Up @@ -205,10 +290,13 @@ export class AuthenticationSession {
});
this.authContext.reject();
}
}).catch((clientResponse: unknown) => {
const message = isPartialClientResponse(clientResponse)
? clientResponse.exception.message
: '';
}).catch((error) => {
let message: string;
if (isPartialClientResponse(error)) {
message = error.exception.message;
} else {
message = error instanceof Error ? error.message : JSON.stringify(error);
}
logger.warn(`Unexpected exception with FusionAuth 2FA login: ${message}`);
this.authContext.reject();
});
Expand Down
Loading

0 comments on commit 4df4750

Please sign in to comment.