Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: hydra POC #2707

Closed
wants to merge 7 commits into from
Closed

chore: hydra POC #2707

wants to merge 7 commits into from

Conversation

nicolasburtey
Copy link
Member

No description provided.

@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 84b72ff to 1a3b540 Compare June 2, 2023 20:28
@nicolasburtey nicolasburtey changed the base branch from main to feat--spikes-at-login-with-bearer-token June 2, 2023 20:28
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 1a3b540 to 7340bbf Compare June 2, 2023 20:30
@ntheile ntheile force-pushed the feat--spikes-at-login-with-bearer-token branch from f82fd53 to 73add5e Compare June 3, 2023 03:57
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 7340bbf to cc16259 Compare June 4, 2023 04:24
@ntheile ntheile force-pushed the feat--spikes-at-login-with-bearer-token branch 4 times, most recently from f06cb68 to d082cf8 Compare June 8, 2023 14:53
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from cc16259 to 11020ba Compare June 27, 2023 10:27
@nicolasburtey nicolasburtey changed the base branch from feat--spikes-at-login-with-bearer-token to main June 27, 2023 10:27
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 2 times, most recently from 02d83b5 to f59254b Compare July 23, 2023 10:55
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 3 times, most recently from 158dee0 to 12d7fc3 Compare August 26, 2023 20:30
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 9 times, most recently from 720ff5f to 866adfb Compare September 11, 2023 13:03
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 5 times, most recently from 3c31d9e to 697af28 Compare September 14, 2023 10:33
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 747337c to 7423e5d Compare September 14, 2023 11:03
@nicolasburtey
Copy link
Member Author

/Users/n/Code/galoy/lib/servers/middlewares/session.js:22

const scope = tokenPayload?.scope.split(" ");

^

TypeError: Cannot read properties of undefined (reading 'split')

@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 2 times, most recently from bcdb6f7 to 1f97547 Compare September 18, 2023 17:54
@nicolasburtey nicolasburtey marked this pull request as ready for review September 25, 2023 12:41
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 2 times, most recently from 332c624 to 9e6edb2 Compare September 25, 2023 12:44
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 25, 2023
View reviewed changes
apps/login-consent/src/routes/consent.ts Fixed Show fixed Hide fixed
apps/login-consent/src/routes/login.ts Fixed Show fixed Hide fixed
apps/login-consent/src/routes/logout.ts Fixed Show fixed Hide fixed
apps/login-consent/src/routes/login.ts Fixed Show fixed Hide fixed
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 9e6edb2 to b18c782 Compare September 25, 2023 19:30
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 25, 2023
View reviewed changes
apps/consent/src/routes/consent.ts Dismissed Show dismissed Hide dismissed
apps/consent/src/routes/consent.ts Dismissed Show dismissed Hide dismissed
apps/consent/src/routes/logout.ts Dismissed Show dismissed Hide dismissed
apps/consent/src/routes/login.ts Dismissed Show dismissed Hide dismissed
apps/consent/src/routes/login.ts Dismissed Show dismissed Hide dismissed
apps/consent/src/routes/login.ts Dismissed Show dismissed Hide dismissed
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch 6 times, most recently from bbcde1c to 4f55f26 Compare October 1, 2023 07:17
@siddhart1o1
Copy link
Member

#3288
consent next.js

@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 4f55f26 to 0fb2130 Compare October 2, 2023 08:37
Nicolas Burtey added 7 commits October 2, 2023 18:54
feat: hydra integration
c0577b7 
chore: renaming folder

chore: moving some of the change to the rest layer instead of graphql

chore: some iteration on hydra

feat: adding scope middleware

chore: testing client credentials

chore: adding appId to know whether a request comes from hydra or kratos

chore: update docs

fix: test?
chore: adding oauth2 login and consent code to main repo
5078539
chore: rewrite app in async/await fashion
1d36e68
chore: update docs
b9616b6
chore: poc on replacing the hydra demo app to a real dashboard
3b85519
chore: add TODO
8a38aec
chore: some iteration on admin-api
b84468d
@nicolasburtey nicolasburtey force-pushed the chore--hydra-test-integration branch from 0fb2130 to b84468d Compare October 2, 2023 17:54
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 2, 2023
View reviewed changes
src/servers/authentication/index.ts
Comment on lines +85 to +133
authRouter.post("/login", async (req: Request, res: Response) => {
const ip = req.originalIp
const code = req.body.authCode
const phone = checkedToPhoneNumber(req.body.phoneNumber)
if (phone instanceof Error) return res.status(400).send("invalid phone")
const loginResp = await Authentication.loginWithPhoneCookie({
phone,
code,
ip,
})
if (loginResp instanceof Error) {
return res.status(500).send({ error: mapError(loginResp).message })
}

try {
const kratosCookies = parseKratosCookies(loginResp.cookiesToSendBackToClient)
const kratosUserId: UserId | undefined = loginResp.kratosUserId
const csrfCookie = kratosCookies.csrf()
const kratosSessionCookie = kratosCookies.kratosSession()
if (!csrfCookie || !kratosSessionCookie) {
return res.status(500).send({ error: "Missing csrf or ory_kratos_session cookie" })
}
const kratosCookieStr = kratosCookies.kratosSessionAsString()
const result = await validateKratosCookie(kratosCookieStr)
if (result instanceof Error) {
return res.status(500).send({ error: result.message })
}
res.cookie(
kratosSessionCookie.name,
kratosSessionCookie.value,
kratosCookies.formatCookieOptions(kratosSessionCookie),
)
res.cookie(
csrfCookie.name,
csrfCookie.value,
kratosCookies.formatCookieOptions(csrfCookie),
)
return res.send({
identity: {
id: kratosUserId,
uid: kratosUserId,
phoneNumber: phone,
},
})
} catch (error) {
recordExceptionInCurrentSpan({ error })
return res.status(500).send({ result: "Error parsing cookies" })
}
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
src/servers/authentication/index.ts
Comment on lines +182 to +213
authRouter.post("/create/device-account", async (req: Request, res: Response) => {
const ip = req.originalIp
const user = basicAuth(req)

if (!user?.name || !user?.pass) {
return res.status(422).send({ error: "Bad input" })
}

const username = user.name
const password = user.pass
const deviceId = username

try {
const authToken = await Authentication.loginWithDevice({
username,
password,
ip,
deviceId,
})
if (authToken instanceof Error) {
recordExceptionInCurrentSpan({ error: authToken })
return res.status(500).send({ error: authToken.message })
}
addAttributesToCurrentSpan({ "login.deviceAccount": deviceId })
return res.status(200).send({
result: authToken,
})
} catch (err) {
recordExceptionInCurrentSpan({ error: err })
return res.status(500).send({ error: parseErrorMessageFromUnknown(err) })
}
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
This route handler performs
authorization
Loading
, but is not rate-limited.
src/servers/authentication/index.ts
Comment on lines +246 to +294
authRouter.post("/email/login", async (req: Request, res: Response) => {
const ip = req.originalIp

const emailLoginIdRaw = req.body.emailLoginId
if (!emailLoginIdRaw) {
return res.status(422).send({ error: "Missing input" })
}

const emailLoginId = checkedToEmailLoginId(emailLoginIdRaw)
if (emailLoginId instanceof Error) {
return res.status(422).send({ error: emailLoginId.message })
}

const codeRaw = req.body.code
if (!codeRaw) {
return res.status(422).send({ error: "Missing input" })
}

const code = checkedToEmailCode(codeRaw)
if (code instanceof Error) {
return res.status(422).send({ error: code.message })
}

try {
const result = await loginWithEmailToken({ ip, emailFlowId: emailLoginId, code })
if (result instanceof EmailCodeInvalidError) {
recordExceptionInCurrentSpan({ error: result })
return res.status(401).send({ error: "invalid code" })
}
if (
result instanceof EmailValidationSubmittedTooOftenError ||
result instanceof UserLoginIpRateLimiterExceededError
) {
recordExceptionInCurrentSpan({ error: result })
return res.status(429).send({ error: "too many requests" })
}
if (result instanceof Error) {
recordExceptionInCurrentSpan({ error: result })
return res.status(500).send({ error: result.message })
}
const { authToken, totpRequired, id } = result
return res.status(200).send({
result: { authToken, totpRequired, id },
})
} catch (err) {
recordExceptionInCurrentSpan({ error: err })
return res.status(500).send({ error: parseErrorMessageFromUnknown(err) })
}
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
This route handler performs
authorization
Loading
, but is not rate-limited.
src/servers/authentication/index.ts
Comment on lines +296 to +344
authRouter.post("/totp/validate", async (req: Request, res: Response) => {
const totpCodeRaw = req.body.totpCode
if (!totpCodeRaw) {
return res.status(422).send({ error: "Missing input" })
}

const totpCode = checkedToTotpCode(totpCodeRaw)
if (totpCode instanceof Error) {
return res.status(422).send({ error: totpCode.message })
}

const authTokenRaw = req.body.authToken
if (!authTokenRaw) {
return res.status(422).send({ error: "Missing input" })
}

const authToken = checkedToAuthToken(authTokenRaw)

// FIXME return string currently when there is an error
if (authToken === "Invalid value for AuthToken") {
return res.status(422).send({ error: "Invalid value for AuthToken" })
}

try {
const result = await elevatingSessionWithTotp({
totpCode,
authToken,
})
if (result instanceof EmailCodeInvalidError) {
recordExceptionInCurrentSpan({ error: result })
return res.status(401).send({ error: "invalid code" })
}
if (
result instanceof EmailValidationSubmittedTooOftenError ||
result instanceof UserLoginIpRateLimiterExceededError
) {
recordExceptionInCurrentSpan({ error: result })
return res.status(429).send({ error: "too many requests" })
}
if (result instanceof Error) {
recordExceptionInCurrentSpan({ error: result })
return res.status(500).send({ error: result.message })
}
return res.status(200).send()
} catch (err) {
recordExceptionInCurrentSpan({ error: err })
return res.status(500).send({ error: parseErrorMessageFromUnknown(err) })
}
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
src/servers/authentication/index.ts
Comment on lines +346 to +421
authRouter.post("/email/login/cookie", async (req: Request, res: Response) => {
const ip = req.originalIp

const emailLoginIdRaw = req.body.emailLoginId
if (!emailLoginIdRaw) {
return res.status(422).send({ error: "Missing input" })
}

const emailLoginId = checkedToEmailLoginId(emailLoginIdRaw)
if (emailLoginId instanceof Error) {
return res.status(422).send({ error: emailLoginId.message })
}

const codeRaw = req.body.code
if (!codeRaw) {
return res.status(422).send({ error: "Missing input" })
}

const code = checkedToEmailCode(codeRaw)
if (code instanceof Error) {
return res.status(422).send({ error: code.message })
}

let loginResult: LoginWithEmailCookieResult | ApplicationError
try {
loginResult = await loginWithEmailCookie({ ip, emailFlowId: emailLoginId, code })
if (loginResult instanceof EmailCodeInvalidError) {
recordExceptionInCurrentSpan({ error: loginResult })
return res.status(401).send({ error: "invalid code" })
}
if (
loginResult instanceof EmailValidationSubmittedTooOftenError ||
loginResult instanceof UserLoginIpRateLimiterExceededError
) {
recordExceptionInCurrentSpan({ error: loginResult })
return res.status(429).send({ error: "too many requests" })
}
if (loginResult instanceof Error) {
recordExceptionInCurrentSpan({ error: loginResult })
return res.status(500).send({ error: loginResult.message })
}
} catch (err) {
recordExceptionInCurrentSpan({ error: err })
return res.status(500).send({ error: parseErrorMessageFromUnknown(err) })
}

const { cookiesToSendBackToClient, kratosUserId, totpRequired } = loginResult
let kratosCookies: KratosCookie
try {
kratosCookies = parseKratosCookies(cookiesToSendBackToClient)
} catch (error) {
recordExceptionInCurrentSpan({ error })
return res.status(500).send({ result: "Error parsing cookies" })
}
const csrfCookie = kratosCookies.csrf()
const kratosSessionCookie = kratosCookies.kratosSession()
if (!csrfCookie || !kratosSessionCookie) {
return res.status(500).send({ error: "Missing csrf or ory_kratos_session cookie" })
}
res.cookie(
kratosSessionCookie.name,
kratosSessionCookie.value,
kratosCookies.formatCookieOptions(kratosSessionCookie),
)
res.cookie(
csrfCookie.name,
csrfCookie.value,
kratosCookies.formatCookieOptions(csrfCookie),
)
return res.status(200).send({
identity: {
kratosUserId,
totpRequired,
},
})
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
This route handler performs
authorization
Loading
, but is not rate-limited.
src/servers/authentication/index.ts
Comment on lines +474 to +502
authRouter.post("/phone/login", async (req: Request, res: Response) => {
const ip = req.originalIp

const codeRaw = req.body.code
const phoneRaw = req.body.phone
if (!codeRaw || !phoneRaw) {
return res.status(400).send({ error: "missing inputs" })
}
const code = validOneTimeAuthCodeValue(codeRaw)
if (code instanceof Error) return res.status(400).send("invalid code")
const phone = checkedToPhoneNumber(phoneRaw)
if (phone instanceof Error) return res.status(400).send("invalid phone")

const loginResp = await Authentication.loginWithPhoneToken({
phone,
code,
ip,
})
if (loginResp instanceof Error) {
return res.status(500).send({ error: mapError(loginResp).message })
}

const { authToken, totpRequired } = loginResp

return res.send({
authToken,
totpRequired,
})
})

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
This route handler performs
authorization
Loading
, but is not rate-limited.
@siddhart1o1 siddhart1o1 mentioned this pull request Oct 4, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nicolasburtey @siddhart1o1