Fastify (#9106)

* wip * wip * wip * wip * wip * wip * wip * wip * wip * wip * fix * Update SignupApiService.ts * wip * wip * Update ClientServerService.ts * wip * wip * wip * Update WellKnownServerService.ts * wip * wip * update des * wip * Update ApiServerService.ts * wip * update deps * Update WellKnownServerService.ts * wip * update deps * Update ApiCallService.ts * Update ApiCallService.ts * Update ApiServerService.ts
2022-12-03 19:42:05 +09:00 · 2022-12-03 19:42:05 +09:00 · 3a7182bfb5
commit 3a7182bfb5
parent 2db9f6efe7
40 changed files with 1651 additions and 1977 deletions
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@ -3,6 +3,7 @@ import { Inject, Injectable } from '@nestjs/common';
 import bcrypt from 'bcryptjs';
 import * as speakeasy from 'speakeasy';
 import { IsNull } from 'typeorm';
+import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import { DI } from '@/di-symbols.js';
 import type { UserSecurityKeysRepository, SigninsRepository, UserProfilesRepository, AttestationChallengesRepository, UsersRepository } from '@/models/index.js';
 import type { Config } from '@/config.js';
@ -12,7 +13,6 @@ import { IdService } from '@/core/IdService.js';
 import { TwoFactorAuthenticationService } from '@/core/TwoFactorAuthenticationService.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
-import type Koa from 'koa';

@Injectable()
 export class SigninApiService {
@ -42,47 +42,60 @@ export class SigninApiService {
 	) {
 	}

-	public async signin(ctx: Koa.Context) {
-		ctx.set('Access-Control-Allow-Origin', this.config.url);
-		ctx.set('Access-Control-Allow-Credentials', 'true');
+	public async signin(
+		request: FastifyRequest<{
+			Body: {
+				username: string;
+				password: string;
+				token?: string;
+				signature?: string;
+				authenticatorData?: string;
+				clientDataJSON?: string;
+				credentialId?: string;
+				challengeId?: string;
+			};
+		}>,
+		reply: FastifyReply,
+	) {
+		reply.header('Access-Control-Allow-Origin', this.config.url);
+		reply.header('Access-Control-Allow-Credentials', 'true');

-		const body = ctx.request.body as any;
+		const body = request.body;
 		const username = body['username'];
 		const password = body['password'];
 		const token = body['token'];

 		function error(status: number, error: { id: string }) {
-			ctx.status = status;
-			ctx.body = { error };
+			reply.code(status);
+			return { error };
 		}

 		try {
 		// not more than 1 attempt per second and not more than 10 attempts per hour
-			await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(ctx.ip));
+			await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
 		} catch (err) {
-			ctx.status = 429;
-			ctx.body = {
+			reply.code(429);
+			return {
 				error: {
 					message: 'Too many failed attempts to sign in. Try again later.',
 					code: 'TOO_MANY_AUTHENTICATION_FAILURES',
 					id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
 				},
 			};
-			return;
 		}

 		if (typeof username !== 'string') {
-			ctx.status = 400;
+			reply.code(400);
 			return;
 		}

 		if (typeof password !== 'string') {
-			ctx.status = 400;
+			reply.code(400);
 			return;
 		}

 		if (token != null && typeof token !== 'string') {
-			ctx.status = 400;
+			reply.code(400);
 			return;
 		}

@ -93,17 +106,15 @@ export class SigninApiService {
 		}) as ILocalUser;

 		if (user == null) {
-			error(404, {
+			return error(404, {
 				id: '6cc579cc-885d-43d8-95c2-b8c7fc963280',
 			});
-			return;
 		}

 		if (user.isSuspended) {
-			error(403, {
+			return error(403, {
 				id: 'e03a5f46-d309-4865-9b69-56282d94e1eb',
 			});
-			return;
 		}

 		const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
@ -117,32 +128,29 @@ export class SigninApiService {
 				id: this.idService.genId(),
 				createdAt: new Date(),
 				userId: user.id,
-				ip: ctx.ip,
-				headers: ctx.headers,
+				ip: request.ip,
+				headers: request.headers,
 				success: false,
 			});

-			error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
+			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};

 		if (!profile.twoFactorEnabled) {
 			if (same) {
-				this.signinService.signin(ctx, user);
-				return;
+				return this.signinService.signin(request, reply, user);
 			} else {
-				await fail(403, {
+				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
-				return;
 			}
 		}

 		if (token) {
 			if (!same) {
-				await fail(403, {
+				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
-				return;
 			}

 			const verified = (speakeasy as any).totp.verify({
@ -153,20 +161,17 @@ export class SigninApiService {
 			});

 			if (verified) {
-				this.signinService.signin(ctx, user);
-				return;
+				return this.signinService.signin(request, reply, user);
 			} else {
-				await fail(403, {
+				return await fail(403, {
 					id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f',
 				});
-				return;
 			}
-		} else if (body.credentialId) {
+		} else if (body.credentialId && body.clientDataJSON && body.authenticatorData && body.signature) {
 			if (!same && !profile.usePasswordLessLogin) {
-				await fail(403, {
+				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
-				return;
 			}

 			const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
@ -179,10 +184,9 @@ export class SigninApiService {
 			});

 			if (!challenge) {
-				await fail(403, {
+				return await fail(403, {
 					id: '2715a88a-2125-4013-932f-aa6fe72792da',
 				});
-				return;
 			}

 			await this.attestationChallengesRepository.delete({
@ -191,10 +195,9 @@ export class SigninApiService {
 			});

 			if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
-				await fail(403, {
+				return await fail(403, {
 					id: '2715a88a-2125-4013-932f-aa6fe72792da',
 				});
-				return;
 			}

 			const securityKey = await this.userSecurityKeysRepository.findOneBy({
@ -207,10 +210,9 @@ export class SigninApiService {
 			});

 			if (!securityKey) {
-				await fail(403, {
+				return await fail(403, {
 					id: '66269679-aeaf-4474-862b-eb761197e046',
 				});
-				return;
 			}

 			const isValid = this.twoFactorAuthenticationService.verifySignin({
@ -223,20 +225,17 @@ export class SigninApiService {
 			});

 			if (isValid) {
-				this.signinService.signin(ctx, user);
-				return;
+				return this.signinService.signin(request, reply, user);
 			} else {
-				await fail(403, {
+				return await fail(403, {
 					id: '93b86c4b-72f9-40eb-9815-798928603d1e',
 				});
-				return;
 			}
 		} else {
 			if (!same && !profile.usePasswordLessLogin) {
-				await fail(403, {
+				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
-				return;
 			}

 			const keys = await this.userSecurityKeysRepository.findBy({
@ -244,10 +243,9 @@ export class SigninApiService {
 			});

 			if (keys.length === 0) {
-				await fail(403, {
+				return await fail(403, {
 					id: 'f27fd449-9af4-4841-9249-1f989b9fa4a4',
 				});
-				return;
 			}

 			// 32 byte challenge
@ -266,15 +264,14 @@ export class SigninApiService {
 				registrationChallenge: false,
 			});

-			ctx.body = {
+			reply.code(200);
+			return {
 				challenge,
 				challengeId,
 				securityKeys: keys.map(key => ({
 					id: key.id,
 				})),
 			};
-			ctx.status = 200;
-			return;
 		}
 	// never get here
 	}