feat: Create an OAuth2 module for authenticating users

Author: Blckbrry-Pi

modules/auth_email/config.ts

@@ -0,0 +1,9 @@
+export interface Config {
+	enable: {
+		passwordless?: boolean;
+		withPassword?: boolean;
+		linking?: boolean;
+	};
+	fromEmail?: string;
+	fromName?: string;
+}

modules/auth_email/db/migrations/20240807214202_/migration.sql

@@ -0,0 +1,20 @@
+-- CreateTable
+CREATE TABLE "Verifications" (
+    "id" UUID NOT NULL,
+    "email" TEXT NOT NULL,
+    "code" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "attemptCount" INTEGER NOT NULL DEFAULT 0,
+    "maxAttemptCount" INTEGER NOT NULL,
+    "createdAt" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expireAt" TIMESTAMP NOT NULL,
+    "completedAt" TIMESTAMP,
+
+    CONSTRAINT "Verifications_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Verifications_code_key" ON "Verifications"("code");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Verifications_token_key" ON "Verifications"("token");

modules/auth_email/db/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"

modules/auth_email/db/schema.prisma

@@ -0,0 +1,21 @@
+datasource db {
+    provider = "postgresql"
+    url      = env("DATABASE_URL")
+}
+
+model Verifications {
+    id String @id @default(uuid()) @db.Uuid
+
+    email String
+
+    // Code the user has to input to verify the email
+    code String @unique
+    token String @unique
+
+    attemptCount    Int @default(0)
+    maxAttemptCount Int
+
+    createdAt   DateTime  @default(now()) @db.Timestamp
+    expireAt    DateTime  @db.Timestamp
+    completedAt DateTime? @db.Timestamp
+}

modules/auth_email/module.json

@@ -0,0 +1,91 @@
+{
+	"name": "Auth Email",
+	"description": "Authenticate users with email only or an email/password combination.",
+	"icon": "key",
+	"tags": [
+		"core",
+		"auth",
+		"user"
+	],
+	"authors": [
+		"rivet-gg",
+		"NathanFlurry",
+		"Blckbrry-Pi"
+	],
+	"status": "stable",
+	"dependencies": {
+		"email": {},
+        "identities": {},
+        "users": {},
+		"tokens": {},
+		"user_passwords": {},
+		"rate_limit": {}
+	},
+	"defaultConfig": {
+		"enable": {
+			"withPassword": true,
+			"passwordless": true,
+			"linking": true
+		},
+		"fromEmail": "hello@test.com",
+		"fromName": "Authentication Code"
+	},
+	"scripts": {
+		"send_verification": {
+			"name": "Send Email Verification (No Password)",
+			"description": "Send a one-time verification code to an email address to verify ownership. Does not require a password.",
+			"public": true
+		},
+		"verify_add_no_pass": {
+			"name": "Verify and Add Email to Existing User (No Password)",
+			"description": "Verify a user's email address and register it with an existing account. Does not require a password.",
+			"public": true
+		},
+		"verify_login_or_create_no_pass": {
+			"name": "Verify and Login as (or Create) User (No Password)",
+			"description": "Verify the email address code and return a userToken to AN account (creates a new account if one doesn't exist). Does not require a password.",
+			"public": true
+		},
+		"verify_link_email": {
+			"name": "Verify and Link Email Address to User",
+			"description": "Verify a user's email address and link it to an existing account without allowing login passwordless.",
+			"public": true
+		},
+
+		"sign_up_email_pass": {
+			"name": "Verify and Sign Up with Email and Password",
+			"description": "Sign up a new user with an email and password.",
+			"public": true
+		},
+		"sign_in_email_pass": {
+			"name": "Sign In with Email and Password",
+			"description": "Sign in a user with an email and password.",
+			"public": true
+		},
+		"verify_add_email_pass": {
+			"name": "Verify and Add Email and Password to existing user",
+			"description": "Verify a user's email address and register it with an existing account. Requires a password.",
+			"public": true
+		}
+	},
+	"errors": {
+		"provider_disabled": {
+			"name": "Provider Disabled"
+		},
+		"verification_code_invalid": {
+			"name": "Verification Code Invalid"
+		},
+		"verification_code_attempt_limit": {
+			"name": "Verification Code Attempt Limit"
+		},
+		"verification_code_expired": {
+			"name": "Verification Code Expired"
+		},
+		"verification_code_already_used": {
+			"name": "Verification Code Already Used"
+		},
+		"email_already_used": {
+			"name": "Email Already Used"
+		}
+	}
+}

modules/auth_email/scripts/send_verification.ts

@@ -0,0 +1,38 @@
+import { ScriptContext } from "../module.gen.ts";
+import { createVerification } from "../utils/code_management.ts";
+import { Verification } from "../utils/types.ts";
+
+export interface Request {
+	email: string;
+	userToken?: string;
+}
+
+export interface Response {
+	verification: Verification;
+}
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+	await ctx.modules.rateLimit.throttlePublic({});
+
+	const { code, verification } = await createVerification(
+		ctx,
+		req.email,
+	);
+
+	// Send email
+	await ctx.modules.email.sendEmail({
+		from: {
+			email: ctx.config.fromEmail ?? "hello@test.com",
+			name: ctx.config.fromName ?? "Authentication Code",
+		},
+		to: [{ email: req.email }],
+		subject: "Your verification code",
+		text: `Your verification code is: ${code}`,
+		html: `Your verification code is: <b>${code}</b>`,
+	});
+
+	return { verification };
+}

modules/auth_email/scripts/sign_in_email_pass.ts

@@ -0,0 +1,38 @@
+import { RuntimeError, ScriptContext } from "../module.gen.ts";
+import { IDENTITY_INFO_PASSWORD } from "../utils/provider.ts";
+
+export interface Request {
+	email: string;
+	password: string;
+}
+
+export interface Response {
+	userToken: string;
+	userId: string;
+}
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+	await ctx.modules.rateLimit.throttlePublic({});
+	if (!ctx.config.enable.withPassword) {
+		throw new RuntimeError("provider_disabled");
+	}
+
+	// Try signing in with the email
+	const { userToken, userId } = await ctx.modules.identities.signIn({
+		info: IDENTITY_INFO_PASSWORD,
+		uniqueData: {
+			identifier: req.email,
+		},
+	});
+
+	// Verify the password
+	await ctx.modules.userPasswords.verify({
+		userId,
+		password: req.password,
+	});
+
+	return { userToken, userId };
+}

modules/auth_email/scripts/sign_up_email_pass.ts

@@ -0,0 +1,59 @@
+import { RuntimeError, ScriptContext } from "../module.gen.ts";
+import { verifyCode } from "../utils/code_management.ts";
+import { IDENTITY_INFO_PASSWORD } from "../utils/provider.ts";
+import { ensureNotAssociatedAll } from "../utils/link_assertions.ts";
+
+export interface Request {
+	email: string;
+	password: string;
+
+	verificationToken: string;
+	code: string;
+}
+
+export interface Response {
+	userToken: string;
+}
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+	await ctx.modules.rateLimit.throttlePublic({});
+	if (!ctx.config.enable.withPassword) {
+		throw new RuntimeError("provider_disabled");
+	}
+
+	// Check the verification code. If it is valid, but for the wrong email, say
+	// the verification failed.
+	const { email } = await verifyCode(ctx, req.verificationToken, req.code);
+	if (!compareConstantTime(req.email, email)) {
+		throw new RuntimeError("verification_failed");
+	}
+
+	// Ensure that the email is not associated with ANY accounts in ANY way.
+	await ensureNotAssociatedAll(ctx, email, new Set());
+
+	// Sign up the user with the passwordless email identity
+	const { userToken, userId } = await ctx.modules.identities.signUp({
+		info: IDENTITY_INFO_PASSWORD,
+		uniqueData: {
+			identifier: email,
+		},
+		additionalData: {},
+	});
+
+	await ctx.modules.userPasswords.add({ userId, password: req.password });
+
+	return { userToken };
+}
+
+function compareConstantTime(aConstant: string, b: string) {
+	let isEq = 1;
+	for (let i = 0; i < aConstant.length; i++) {
+		isEq &= Number(aConstant[i] === b[i]);
+	}
+	isEq &= Number(aConstant.length === b.length);
+
+	return Boolean(isEq);
+}

modules/auth_email/scripts/verify_add_email_pass.ts

@@ -0,0 +1,80 @@
+import { Empty, RuntimeError, ScriptContext } from "../module.gen.ts";
+import { verifyCode } from "../utils/code_management.ts";
+import { IDENTITY_INFO_PASSWORD } from "../utils/provider.ts";
+import { ensureNotAssociatedAll } from "../utils/link_assertions.ts";
+
+export interface Request {
+	userToken: string;
+
+	email: string;
+	password: string;
+	oldPassword: string | null;
+
+	verificationToken: string;
+	code: string;
+}
+
+export type Response = Empty;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+	await ctx.modules.rateLimit.throttlePublic({});
+	if (!ctx.config.enable.withPassword) {
+		throw new RuntimeError("provider_disabled");
+	}
+
+	// Check the verification code. If it is valid, but for the wrong email, say
+	// the verification failed.
+	const { email } = await verifyCode(ctx, req.verificationToken, req.code);
+	if (!compareConstantTime(req.email, email)) {
+		throw new RuntimeError("verification_failed");
+	}
+
+	// Ensure that the email is not associated with ANY accounts in ANY way.
+	const providedUser = await ctx.modules.users.authenticateToken({
+		userToken: req.userToken,
+	});
+	await ensureNotAssociatedAll(ctx, email, new Set([providedUser.userId]));
+
+	// If an old password was provided, ensure it was correct and update it.
+	// If one was not, register the user with the `userPasswords` module.
+	if (req.oldPassword) {
+		await ctx.modules.userPasswords.verify({
+			userId: providedUser.userId,
+			password: req.oldPassword,
+		});
+		await ctx.modules.userPasswords.update({
+			userId: providedUser.userId,
+			newPassword: req.password,
+		});
+	} else {
+		await ctx.modules.userPasswords.add({
+			userId: providedUser.userId,
+			password: req.password,
+		});
+	}
+
+	// Sign up the user with the passwordless email identity
+	await ctx.modules.identities.link({
+		userToken: req.userToken,
+		info: IDENTITY_INFO_PASSWORD,
+		uniqueData: {
+			identifier: email,
+		},
+		additionalData: {},
+	});
+
+	return {};
+}
+
+function compareConstantTime(aConstant: string, b: string) {
+	let isEq = 1;
+	for (let i = 0; i < aConstant.length; i++) {
+		isEq &= Number(aConstant[i] === b[i]);
+	}
+	isEq &= Number(aConstant.length === b.length);
+
+	return Boolean(isEq);
+}