feat: Add TOTP authentication adapter (#8457)

Author: dblythy

package-lock.json

@@ -48,6 +48,7 @@
  "mime": "3.0.0",
  "mongodb": "4.10.0",
  "mustache": "4.2.0",
+ "otpauth": "9.0.2",
  "parse": "4.1.0",
  "path-to-regexp": "6.2.1",
  "pg-monitor": "2.0.0",

package.json

@@ -2406,3 +2406,298 @@ describe('facebook limited auth adapter', () => {
  }
  });
 });
+
+describe('OTP TOTP auth adatper', () => {
+ const headers = {
+ 'Content-Type': 'application/json',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-REST-API-Key': 'rest',
+ };
+ beforeEach(async () => {
+ await reconfigureServer({
+ auth: {
+ mfa: {
+ enabled: true,
+ options: ['TOTP'],
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ },
+ },
+ });
+ });
+
+ it('can enroll', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const OTPAuth = require('otpauth');
+ const secret = new OTPAuth.Secret();
+ const totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret,
+ });
+ const token = totp.generate();
+ await user.save(
+ { authData: { mfa: { secret: secret.base32, token } } },
+ { sessionToken: user.getSessionToken() }
+ );
+ const response = user.get('authDataResponse');
+ expect(response.mfa).toBeDefined();
+ expect(response.mfa.recovery).toBeDefined();
+ expect(response.mfa.recovery.length).toEqual(2);
+ await user.fetch();
+ expect(user.get('authData').mfa).toEqual({ enabled: true });
+ });
+
+ it('can login with valid token', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const OTPAuth = require('otpauth');
+ const secret = new OTPAuth.Secret();
+ const totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret,
+ });
+ const token = totp.generate();
+ await user.save(
+ { authData: { mfa: { secret: secret.base32, token } } },
+ { sessionToken: user.getSessionToken() }
+ );
+ const response = await request({
+ headers,
+ method: 'POST',
+ url: 'http://localhost:8378/1/login',
+ body: JSON.stringify({
+ username: 'username',
+ password: 'password',
+ authData: {
+ mfa: totp.generate(),
+ },
+ }),
+ }).then(res => res.data);
+ expect(response.objectId).toEqual(user.id);
+ expect(response.sessionToken).toBeDefined();
+ expect(response.authData).toEqual({ mfa: { enabled: true } });
+ expect(Object.keys(response).sort()).toEqual(
+ [
+ 'objectId',
+ 'username',
+ 'createdAt',
+ 'updatedAt',
+ 'authData',
+ 'ACL',
+ 'sessionToken',
+ 'authDataResponse',
+ ].sort()
+ );
+ });
+
+ it('can change OTP with valid token', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const OTPAuth = require('otpauth');
+ const secret = new OTPAuth.Secret();
+ const totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret,
+ });
+ const token = totp.generate();
+ await user.save(
+ { authData: { mfa: { secret: secret.base32, token } } },
+ { sessionToken: user.getSessionToken() }
+ );
+
+ const new_secret = new OTPAuth.Secret();
+ const new_totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret: new_secret,
+ });
+ const new_token = new_totp.generate();
+ await user.save(
+ {
+ authData: { mfa: { secret: new_secret.base32, token: new_token, old: totp.generate() } },
+ },
+ { sessionToken: user.getSessionToken() }
+ );
+ await user.fetch({ useMasterKey: true });
+ expect(user.get('authData').mfa.secret).toEqual(new_secret.base32);
+ });
+
+ it('future logins require TOTP token', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const OTPAuth = require('otpauth');
+ const secret = new OTPAuth.Secret();
+ const totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret,
+ });
+ const token = totp.generate();
+ await user.save(
+ { authData: { mfa: { secret: secret.base32, token } } },
+ { sessionToken: user.getSessionToken() }
+ );
+ await expectAsync(Parse.User.logIn('username', 'password')).toBeRejectedWith(
+ new Parse.Error(Parse.Error.OTHER_CAUSE, 'Missing additional authData mfa')
+ );
+ });
+
+ it('future logins reject incorrect TOTP token', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const OTPAuth = require('otpauth');
+ const secret = new OTPAuth.Secret();
+ const totp = new OTPAuth.TOTP({
+ algorithm: 'SHA1',
+ digits: 6,
+ period: 30,
+ secret,
+ });
+ const token = totp.generate();
+ await user.save(
+ { authData: { mfa: { secret: secret.base32, token } } },
+ { sessionToken: user.getSessionToken() }
+ );
+ await expectAsync(
+ request({
+ headers,
+ method: 'POST',
+ url: 'http://localhost:8378/1/login',
+ body: JSON.stringify({
+ username: 'username',
+ password: 'password',
+ authData: {
+ mfa: 'abcd',
+ },
+ }),
+ }).catch(e => {
+ throw e.data;
+ })
+ ).toBeRejectedWith({ code: Parse.Error.SCRIPT_FAILED, error: 'Invalid MFA token' });
+ });
+});
+
+describe('OTP SMS auth adatper', () => {
+ const headers = {
+ 'Content-Type': 'application/json',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-REST-API-Key': 'rest',
+ };
+ let code;
+ let mobile;
+ const mfa = {
+ enabled: true,
+ options: ['SMS'],
+ sendSMS(smsCode, number) {
+ expect(smsCode).toBeDefined();
+ expect(number).toBeDefined();
+ expect(smsCode.length).toEqual(6);
+ code = smsCode;
+ mobile = number;
+ },
+ digits: 6,
+ period: 30,
+ };
+ beforeEach(async () => {
+ code = '';
+ mobile = '';
+ await reconfigureServer({
+ auth: {
+ mfa,
+ },
+ });
+ });
+
+ it('can enroll', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const sessionToken = user.getSessionToken();
+ const spy = spyOn(mfa, 'sendSMS').and.callThrough();
+ await user.save({ authData: { mfa: { mobile: '+11111111111' } } }, { sessionToken });
+ await user.fetch({ sessionToken });
+ expect(user.get('authData')).toEqual({ mfa: { enabled: false } });
+ expect(spy).toHaveBeenCalledWith(code, '+11111111111');
+ await user.fetch({ useMasterKey: true });
+ const authData = user.get('authData').mfa?.pending;
+ expect(authData).toBeDefined();
+ expect(authData['+11111111111']).toBeDefined();
+ expect(Object.keys(authData['+11111111111'])).toEqual(['token', 'expiry']);
+
+ await user.save({ authData: { mfa: { mobile, token: code } } }, { sessionToken });
+ await user.fetch({ sessionToken });
+ expect(user.get('authData')).toEqual({ mfa: { enabled: true } });
+ });
+
+ it('future logins require SMS code', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ const spy = spyOn(mfa, 'sendSMS').and.callThrough();
+ await user.save(
+ { authData: { mfa: { mobile: '+11111111111' } } },
+ { sessionToken: user.getSessionToken() }
+ );
+
+ await user.save(
+ { authData: { mfa: { mobile, token: code } } },
+ { sessionToken: user.getSessionToken() }
+ );
+
+ spy.calls.reset();
+
+ await expectAsync(Parse.User.logIn('username', 'password')).toBeRejectedWith(
+ new Parse.Error(Parse.Error.OTHER_CAUSE, 'Missing additional authData mfa')
+ );
+ const res = await request({
+ headers,
+ method: 'POST',
+ url: 'http://localhost:8378/1/login',
+ body: JSON.stringify({
+ username: 'username',
+ password: 'password',
+ authData: {
+ mfa: true,
+ },
+ }),
+ }).catch(e => e.data);
+ expect(res).toEqual({ code: Parse.Error.SCRIPT_FAILED, error: 'Please enter the token' });
+ expect(spy).toHaveBeenCalledWith(code, '+11111111111');
+ const response = await request({
+ headers,
+ method: 'POST',
+ url: 'http://localhost:8378/1/login',
+ body: JSON.stringify({
+ username: 'username',
+ password: 'password',
+ authData: {
+ mfa: code,
+ },
+ }),
+ }).then(res => res.data);
+ expect(response.objectId).toEqual(user.id);
+ expect(response.sessionToken).toBeDefined();
+ expect(response.authData).toEqual({ mfa: { enabled: true } });
+ expect(Object.keys(response).sort()).toEqual(
+ [
+ 'objectId',
+ 'username',
+ 'createdAt',
+ 'updatedAt',
+ 'authData',
+ 'ACL',
+ 'sessionToken',
+ 'authDataResponse',
+ ].sort()
+ );
+ });
+
+ it('partially enrolled users can still login', async () => {
+ const user = await Parse.User.signUp('username', 'password');
+ await user.save({ authData: { mfa: { mobile: '+11111111111' } } });
+ const spy = spyOn(mfa, 'sendSMS').and.callThrough();
+ await Parse.User.logIn('username', 'password');
+ expect(spy).not.toHaveBeenCalled();
+ });
+});

spec/AuthenticationAdapters.spec.js

@@ -21,7 +21,9 @@ export class AuthAdapter {
  * Usage policy
  * @type {AuthPolicy}
  */
- this.policy = 'default';
+ if (!this.policy) {
+ this.policy = 'default';
+ }
  }
  /**
  * @param appIds The specified app IDs in the configuration