feat(password): set login session in password login (#1944)

* feat(password): scope session login management in password login

* refactor: remove redirection link for login with password

* refactor: use post for logout, apply PR requested changes

---------

Co-authored-by: kim <kim.phanhoang@epfl.ch>

Author: pyphilia

src/services/auth/plugins/magicLink/magicLink.controller.test.ts

@@ -220,10 +220,10 @@ describe('Auth routes tests', () => {
     });
   });
 
-  describe('GET /logout', () => {
+  describe('POST /logout', () => {
     it('Authenticate successfully', async () => {
       const response = await app.inject({
-        method: HttpMethod.Get,
+        method: HttpMethod.Post,
         url: '/logout',
       });
       expect(response.statusCode).toEqual(StatusCodes.NO_CONTENT);

src/services/auth/plugins/magicLink/magicLink.controller.ts

@@ -18,7 +18,7 @@ import { getRedirectionLink } from '../../utils';
 import captchaPreHandler from '../captcha/captcha';
 import { PassportStrategy } from '../passport/strategies';
 import type { PassportInfo } from '../passport/types';
-import { auth, login, register } from './magicLink.schemas';
+import { auth, login, register, signOut } from './magicLink.schemas';
 import { MagicLinkService } from './magicLink.service';
 
 const ERROR_SEARCH_PARAM = 'error';
@@ -119,7 +119,7 @@ const plugin: FastifyPluginAsyncTypebox = async (fastify) => {
   );
 
   // logout
-  fastify.get('/logout', async (request, reply) => {
+  fastify.post('/logout', { schema: signOut }, async (request, reply) => {
     // logout user, so subsequent calls can not make use of the current user.
     request.logout();
     // remove session so the cookie is removed by the browser

src/services/auth/plugins/magicLink/magicLink.schemas.ts

@@ -63,3 +63,15 @@ export const auth = {
     '4xx': errorSchemaRef,
   },
 } as const satisfies FastifySchema;
+
+export const signOut = {
+  operationId: 'signOut',
+  tags: ['authentication'],
+  summary: 'Log out',
+  description: 'Log out from current session',
+
+  response: {
+    [StatusCodes.NO_CONTENT]: Type.Null({ description: 'Successful Response' }),
+    '4xx': errorSchemaRef,
+  },
+} as const satisfies FastifySchema;

src/services/auth/plugins/password/password.controller.test.ts

@@ -1,5 +1,6 @@
 import { faker } from '@faker-js/faker';
 import { compare } from 'bcrypt';
+import { compareAsc } from 'date-fns';
 import { eq } from 'drizzle-orm';
 import { ReasonPhrases, StatusCodes } from 'http-status-codes';
 import { Redis } from 'ioredis';
@@ -24,7 +25,7 @@ import { REDIS_CONNECTION } from '../../../../config/redis';
 import { PASSWORD_RESET_JWT_EXPIRATION_IN_MINUTES } from '../../../../config/secrets';
 import { resolveDependency } from '../../../../di/utils';
 import { db } from '../../../../drizzle/db';
-import { memberPasswordsTable } from '../../../../drizzle/schema';
+import { accountsTable, memberPasswordsTable } from '../../../../drizzle/schema';
 import type { MemberRaw } from '../../../../drizzle/types';
 import { MailerService } from '../../../../plugins/mailer/mailer.service';
 import { assertIsDefined } from '../../../../utils/assertions';
@@ -94,8 +95,17 @@ describe('Password', () => {
           captcha: MOCK_CAPTCHA,
         },
       });
-      expect(response.statusCode).toEqual(StatusCodes.SEE_OTHER);
-      expect(response.json()).toHaveProperty('resource');
+      expect(response.statusCode).toEqual(StatusCodes.NO_CONTENT);
+      expect(response.headers['set-cookie']).toContain('session=');
+
+      // last authenticated at should be updated
+      const m = await db.query.accountsTable.findFirst({
+        where: eq(accountsTable.email, actor.email!),
+      });
+      assertIsDefined(m);
+      expect(
+        compareAsc(new Date(m.lastAuthenticatedAt!), new Date(actor.lastAuthenticatedAt!)),
+      ).toEqual(1);
     });
 
     it('Sign In successfully with weak password', async () => {
@@ -114,8 +124,7 @@ describe('Password', () => {
           captcha: MOCK_CAPTCHA,
         },
       });
-      expect(response.statusCode).toEqual(StatusCodes.SEE_OTHER);
-      expect(response.json()).toHaveProperty('resource');
+      expect(response.statusCode).toEqual(StatusCodes.NO_CONTENT);
     });
 
     it('Sign In successfully with captcha score = 0', async () => {
@@ -139,8 +148,7 @@ describe('Password', () => {
           captcha: MOCK_CAPTCHA,
         },
       });
-      expect(response.statusCode).toEqual(StatusCodes.SEE_OTHER);
-      expect(response.json()).toHaveProperty('resource');
+      expect(response.statusCode).toEqual(StatusCodes.NO_CONTENT);
     });
 
     it('Sign In successfully with captcha score < 0.5', async () => {
@@ -164,8 +172,7 @@ describe('Password', () => {
           captcha: MOCK_CAPTCHA,
         },
       });
-      expect(response.statusCode).toEqual(StatusCodes.SEE_OTHER);
-      expect(response.json()).toHaveProperty('resource');
+      expect(response.statusCode).toEqual(StatusCodes.NO_CONTENT);
     });
 
     it('Sign In does send unauthorized error for wrong password', async () => {
@@ -365,7 +372,7 @@ describe('Password', () => {
 
           // Try to login with the new password
           const responseLogin = await login(app, member.email, newPassword);
-          expect(responseLogin.statusCode).toBe(StatusCodes.SEE_OTHER);
+          expect(responseLogin.statusCode).toBe(StatusCodes.NO_CONTENT);
 
           // Try to login with the old password
           const responseLoginOld = await login(app, member.email, password);
@@ -389,7 +396,7 @@ describe('Password', () => {
           assertIsDefined(anotherMember);
           assertIsMemberForTest(anotherMember);
           const responseLoginDifferent = await login(app, anotherMember.email, anotherPassword);
-          expect(responseLoginDifferent.statusCode).toBe(StatusCodes.SEE_OTHER);
+          expect(responseLoginDifferent.statusCode).toBe(StatusCodes.NO_CONTENT);
 
           // token should be single use
           const responseSecondReset = await app.inject({
@@ -729,16 +736,8 @@ describe('Password', () => {
         url: '/login-password',
         payload: { email: actor.email, password: pwd, captcha: MOCK_CAPTCHA },
       });
-
-      expect(loginResponse.statusCode).toEqual(StatusCodes.SEE_OTHER);
-
-      const response = await app.inject({
-        method: HttpMethod.Get,
-        url: loginResponse.json().resource,
-      });
-
-      expect(response.statusCode).toEqual(StatusCodes.SEE_OTHER);
-      expect(response.headers['set-cookie']).toContain('session=');
+      expect(loginResponse.statusCode).toEqual(StatusCodes.NO_CONTENT);
+      expect(loginResponse.headers['set-cookie']).toContain('session=');
     });
   });
 });

src/services/auth/plugins/password/password.controller.ts

@@ -4,19 +4,16 @@ import type { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
 
 import { ActionTriggers, Context, RecaptchaAction } from '@graasp/sdk';
 
-import { LOGIN_TOKEN_EXPIRATION_IN_MINUTES } from '../../../../config/secrets';
 import { resolveDependency } from '../../../../di/utils';
 import { db } from '../../../../drizzle/db';
 import type { ActionInsertDTO } from '../../../../drizzle/types';
 import { asDefined } from '../../../../utils/assertions';
-import { PUBLIC_URL } from '../../../../utils/config';
 import { ActionService } from '../../../action/action.service';
 import { View } from '../../../item/plugins/action/itemAction.schemas';
+import { MemberService } from '../../../member/member.service';
 import { validatedMemberAccountRole } from '../../../member/strategies/validatedMemberAccountRole';
-import { getRedirectionLink } from '../../utils';
 import captchaPreHandler from '../captcha/captcha';
 import {
-  SHORT_TOKEN_PARAM,
   authenticatePassword,
   authenticatePasswordReset,
   isAuthenticated,
@@ -32,11 +29,9 @@ import {
 } from './password.schemas';
 import { MemberPasswordService } from './password.service';
 
-const REDIRECTION_URL_PARAM = 'url';
-const AUTHENTICATION_FALLBACK_ROUTE = '/auth';
-
 const plugin: FastifyPluginAsyncTypebox = async (fastify) => {
   const actionService = resolveDependency(ActionService);
+  const memberService = resolveDependency(MemberService);
   const memberPasswordService = resolveDependency(MemberPasswordService);
 
   // login with password
@@ -52,23 +47,16 @@ const plugin: FastifyPluginAsyncTypebox = async (fastify) => {
       ],
     },
     async (request, reply) => {
-      const { body, log, user } = request;
-      const { url } = body;
-      const member = asDefined(user?.account);
-
-      const token = memberPasswordService.generateToken(
-        { sub: member.id },
-        `${LOGIN_TOKEN_EXPIRATION_IN_MINUTES}m`,
-      );
-      const redirectionUrl = getRedirectionLink(log, url);
+      const { user } = request;
+      request.logIn(user, { session: true });
 
-      const target = new URL(AUTHENTICATION_FALLBACK_ROUTE, PUBLIC_URL);
-      target.searchParams.set(SHORT_TOKEN_PARAM, token);
-      target.searchParams.set(REDIRECTION_URL_PARAM, redirectionUrl);
-      const resource = target.toString();
+      // update last authenticated date
+      const member = asDefined(user?.account);
+      await db.transaction(async (tx) => {
+        await memberService.refreshLastAuthenticatedAt(tx, member.id);
+      });
 
-      reply.status(StatusCodes.SEE_OTHER);
-      return { resource };
+      reply.status(StatusCodes.NO_CONTENT);
     },
   );
 

src/services/auth/plugins/password/password.schemas.ts

@@ -16,15 +16,12 @@ export const signInWithPassword = {
     email: Type.String({ format: 'email' }),
     password: Type.String(),
     captcha: Type.String(),
-    url: Type.Optional(Type.String({ format: 'uri' })),
   }),
   querystring: customType.StrictObject({
     lang: Type.Optional(Type.String()),
   }),
   response: {
-    [StatusCodes.OK]: customType.StrictObject({
-      resource: Type.String({ description: 'Redirection link' }),
-    }),
+    [StatusCodes.NO_CONTENT]: Type.Null({ description: 'Successful Response' }),
     '4xx': errorSchemaRef,
     '5xx': errorSchemaRef,
   },