From 0ca0096d0d0abc425179634a4c9043754ec6bfbd Mon Sep 17 00:00:00 2001 From: wangsijie Date: Fri, 16 Sep 2022 17:01:34 +0800 Subject: [PATCH] =?UTF-8?q?chore:=20revert=20"Merge=20pull=20request=20#19?= =?UTF-8?q?27=20from=20logto-io/sijie-log-4160-=E2=80=A6=20(#1939)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: revert "Merge pull request #1927 from logto-io/sijie-log-4160-protected-access" This reverts commit 0567fc63470e983e1b699e3278e37b4be8153f81, reversing changes made to c01384141dd293468121a86c7fb95049945c5761. * chore: revert "feat(core): add ts to interaction result (#1917)" This reverts commit e01042cbcd77c486afa1ee9fc2fa5c1d2df92542. --- packages/core/src/lib/session.ts | 51 ++----------------- .../src/routes/session/passwordless.test.ts | 12 ++--- .../core/src/routes/session/social.test.ts | 9 ++-- .../routes/session/username-password.test.ts | 6 +-- packages/core/src/utils/format.ts | 12 +---- packages/phrases/src/locales/en/errors.ts | 1 - packages/phrases/src/locales/fr/errors.ts | 1 - packages/phrases/src/locales/ko-kr/errors.ts | 1 - packages/phrases/src/locales/pt-pt/errors.ts | 1 - packages/phrases/src/locales/tr-tr/errors.ts | 1 - packages/phrases/src/locales/zh-cn/errors.ts | 1 - 11 files changed, 14 insertions(+), 82 deletions(-) diff --git a/packages/core/src/lib/session.ts b/packages/core/src/lib/session.ts index 33c60f4d8..d08a684ac 100644 --- a/packages/core/src/lib/session.ts +++ b/packages/core/src/lib/session.ts @@ -1,11 +1,7 @@ -import { conditional } from '@silverhand/essentials'; -import dayjs from 'dayjs'; import { Context } from 'koa'; import { InteractionResults, Provider } from 'oidc-provider'; -import RequestError from '@/errors/RequestError'; import { findUserById, updateUserById } from '@/queries/user'; -import { maskUserInfo } from '@/utils/format'; export const assignInteractionResults = async ( ctx: Context, 
@@ -18,59 +14,20 @@ export const assignInteractionResults = async ( // have to do it manually // refer to: https://github.com/panva/node-oidc-provider/blob/c243bf6b6663c41ff3e75c09b95fb978eba87381/lib/actions/authorization/interactions.js#L106 const details = merge ? await provider.interactionDetails(ctx.req, ctx.res) : undefined; - const ts = dayjs().unix(); - const mergedResult = { - // Merge with current result - ...details?.result, - ...result, - }; const redirectTo = await provider.interactionResult( ctx.req, ctx.res, { - ...mergedResult, - login: mergedResult.login - ? { - ...mergedResult.login, - // Update ts(timestamp) if the accountId is been set in result - ts: result.login?.accountId ? ts : mergedResult.login.ts, - } - : undefined, + // Merge with current result + ...details?.result, + ...result, }, { mergeWithLastSubmission: merge, } ); - ctx.body = { redirectTo, ts }; -}; - -export const checkProtectedAccess = async ( - ctx: Context, - provider: Provider, - lifetime = 10 * 60 -) => { - const { result } = await provider.interactionDetails(ctx.req, ctx.res); - - if (!result?.login?.accountId) { - throw new RequestError('auth.unauthorized'); - } - - if (!result.login.ts || result.login.ts < dayjs().unix() - lifetime) { - const user = await findUserById(result.login.accountId); - - throw new RequestError('auth.require_re_authentication', { - username: conditional( - user.username && maskUserInfo({ type: 'username', value: user.username }) - ), - phone: conditional( - user.primaryPhone && maskUserInfo({ type: 'phone', value: user.primaryPhone }) - ), - email: conditional( - user.primaryEmail && maskUserInfo({ type: 'email', value: user.primaryEmail }) - ), - }); - } + ctx.body = { redirectTo }; }; export const saveUserFirstConsentedAppId = async (userId: string, applicationId: string) => { diff --git a/packages/core/src/routes/session/passwordless.test.ts b/packages/core/src/routes/session/passwordless.test.ts index f8019d5f6..a2cedc0c8 100644 
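Review bot: The object passed to `provider.interactionResult` in `assignInteractionResults` is a shallow spread, so a `login` in `result` replaces the stored `login` whole, and after this revert nothing in the result records when the account authenticated. With `checkProtectedAccess` removed, this file no longer contains any freshness check, so a route that performs a sensitive account change presumably has to enforce re-authentication some other way; that is worth confirming against the callers. I would extend the existing comment to say so, e.g. `// Shallow merge: result.login replaces the stored login; no auth timestamp is kept, so this result cannot prove a recent sign-in`. The response body also drops `ts`, so a client that still reads it gets `undefined`. The function's signature is in the previous hunk, and its body starts above this one.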
--- a/packages/core/src/routes/session/passwordless.test.ts
+++ b/packages/core/src/routes/session/passwordless.test.ts
@@ -97,8 +97,7 @@ describe('session -> passwordlessRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'id' }) }),
+ expect.objectContaining({ login: { accountId: 'id' } }),
 expect.anything()
 );
 });
@@ -147,8 +146,7 @@ describe('session -> passwordlessRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'id' }) }),
+ expect.objectContaining({ login: { accountId: 'id' } }),
 expect.anything()
 );
 });
@@ -216,8 +214,7 @@ describe('session -> passwordlessRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }),
+ expect.objectContaining({ login: { accountId: 'user1' } }),
 expect.anything()
 );
 });
@@ -294,8 +291,7 @@ describe('session -> passwordlessRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }),
+ expect.objectContaining({ login: { accountId: 'user1' } }),
 expect.anything()
 );
 });
diff --git a/packages/core/src/routes/session/social.test.ts b/packages/core/src/routes/session/social.test.ts
index 84a52a5db..98ca8cdcf 100644
--- a/packages/core/src/routes/session/social.test.ts
+++ b/packages/core/src/routes/session/social.test.ts
@@ -223,8 +223,7 @@ describe('session -> socialRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'id' }) }),
+ expect.objectContaining({ login: { accountId: 'id' } }),
 expect.anything()
 );
 });
@@ -310,8 +309,7 @@ describe('session -> socialRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }),
+ expect.objectContaining({ login: { accountId: 'user1' } }),
 expect.anything()
 );
 });
@@ -348,8 +346,7 @@ describe('session -> socialRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }),
+ expect.objectContaining({ login: { accountId: 'user1' } }),
 expect.anything()
 );
 });
diff --git a/packages/core/src/routes/session/username-password.test.ts b/packages/core/src/routes/session/username-password.test.ts
index faf480a5e..d241ac5a9 100644
--- a/packages/core/src/routes/session/username-password.test.ts
+++ b/packages/core/src/routes/session/username-password.test.ts
@@ -111,8 +111,7 @@ describe('sessionRoutes', () => {
 expect(interactionResult).toHaveBeenCalledWith(
 expect.anything(),
 expect.anything(),
- // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
- expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }),
+ expect.objectContaining({ login: { accountId: 'user1' } }),
 expect.anything()
 );
 });
@@ -181,8 +180,7 @@ describe('sessionRoutes', () => { expect(interactionResult).toHaveBeenCalledWith( expect.anything(), expect.anything(), - // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment - expect.objectContaining({ login: expect.objectContaining({ accountId: 'user1' }) }), + expect.objectContaining({ login: { accountId: 'user1' } }), expect.anything() ); }); diff --git a/packages/core/src/utils/format.ts b/packages/core/src/utils/format.ts index c05a648d0..c6524ce00 100644 --- a/packages/core/src/utils/format.ts +++ b/packages/core/src/utils/format.ts @@ -1,10 +1,4 @@ -export const maskUserInfo = ({ - type, - value, -}: { - type: 'email' | 'phone' | 'username'; - value: string; -}) => { +export const maskUserInfo = ({ type, value }: { type: 'email' | 'phone'; value: string }) => { if (!value) { return value; } @@ -13,10 +7,6 @@ export const maskUserInfo = ({ return `****${value.slice(-4)}`; } - if (type === 'username') { - return `****${value.slice(-2)}`; - } - const [name = '', domain = ''] = value.split('@'); const preview = name.length > 4 ? `${name.slice(0, 4)}` : ''; diff --git a/packages/phrases/src/locales/en/errors.ts b/packages/phrases/src/locales/en/errors.ts index f762f40f6..7e389d60f 100644 --- a/packages/phrases/src/locales/en/errors.ts +++ b/packages/phrases/src/locales/en/errors.ts @@ -7,7 +7,6 @@ const errors = { expected_role_not_found: 'Expected role not found. Please check your user roles and permissions.', jwt_sub_missing: 'Missing `sub` in JWT.', - require_re_authentication: 'Re-authentication is required to perform a protected action.', }, guard: { invalid_input: 'The request {{type}} is invalid.', diff --git a/packages/phrases/src/locales/fr/errors.ts b/packages/phrases/src/locales/fr/errors.ts index d9706e59c..44e23847d 100644 --- a/packages/phrases/src/locales/fr/errors.ts +++ b/packages/phrases/src/locales/fr/errors.ts 
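Review bot: In `maskUserInfo` (second format.ts hunk), the kept line ``return `****${value.slice(-4)}`;`` appends the whole input after the asterisks when `value` has four characters or fewer, so a short value is not masked at all. A length guard closes that: ``return `****${value.length > 4 ? value.slice(-4) : ''}`;``. The condition that selects this branch sits between the two hunks and is not visible here, so I am assuming it is the `'phone'` case. A short TSDoc on the function stating how many characters each `type` reveals would also help callers judge what is safe to show.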
@@ -8,7 +8,6 @@ const errors = {
 expected_role_not_found:
 'Expected role not found. Please check your user roles and permissions.',
 jwt_sub_missing: '`sub` manquant dans JWT.',
- require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
 },
 guard: {
 invalid_input: "La requête {{type}} n'est pas valide.",
diff --git a/packages/phrases/src/locales/ko-kr/errors.ts b/packages/phrases/src/locales/ko-kr/errors.ts
index eae1fb3dd..72f6153c7 100644
--- a/packages/phrases/src/locales/ko-kr/errors.ts
+++ b/packages/phrases/src/locales/ko-kr/errors.ts
@@ -7,7 +7,6 @@ const errors = {
 expected_role_not_found:
 'Expected role not found. Please check your user roles and permissions.',
 jwt_sub_missing: 'JWT에서 `sub`를 찾을 수 없어요.',
- require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
 },
 guard: {
 invalid_input: '{{type}} 요청 타입은 유효하지 않아요.',
diff --git a/packages/phrases/src/locales/pt-pt/errors.ts b/packages/phrases/src/locales/pt-pt/errors.ts
index 1ffcfa591..e884dff56 100644
--- a/packages/phrases/src/locales/pt-pt/errors.ts
+++ b/packages/phrases/src/locales/pt-pt/errors.ts
@@ -6,7 +6,6 @@ const errors = {
 forbidden: 'Proibido. Verifique os seus cargos e permissões.',
 expected_role_not_found: 'Role esperado não encontrado. Verifique os seus cargos e permissões.',
 jwt_sub_missing: 'Campo `sub` está ausente no JWT.',
- require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
 },
 guard: {
 invalid_input: 'O pedido {{type}} é inválido.',
diff --git a/packages/phrases/src/locales/tr-tr/errors.ts b/packages/phrases/src/locales/tr-tr/errors.ts
index ca789a8d3..777bd05fc 100644
--- a/packages/phrases/src/locales/tr-tr/errors.ts
+++ b/packages/phrases/src/locales/tr-tr/errors.ts
@@ -7,7 +7,6 @@ const errors = {
 expected_role_not_found:
 'Expected role not found. Please check your user roles and permissions.',
 jwt_sub_missing: 'JWTde `sub` eksik.',
- require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
 },
 guard: {
 invalid_input: 'İstek {{type}} geçersiz.',
diff --git a/packages/phrases/src/locales/zh-cn/errors.ts b/packages/phrases/src/locales/zh-cn/errors.ts
index 31746f4a0..5a461d4a3 100644
--- a/packages/phrases/src/locales/zh-cn/errors.ts
+++ b/packages/phrases/src/locales/zh-cn/errors.ts
@@ -6,7 +6,6 @@ const errors = {
 forbidden: '禁止访问。请检查用户 role 与权限。',
 expected_role_not_found: '未找到期望的 role。请检查用户 role 与权限。',
 jwt_sub_missing: 'JWT 缺失 `sub`',
- require_re_authentication: '需要重新认证以进行受保护操作。',
 },
 guard: {
 invalid_input: '请求中 {{type}} 无效',