feat(web): switch to react (Partial Implementation) (#353)

Co-authored-by: BlankParticle <[email protected]>

Author: OmarMcAdam

.env.local.example

@@ -92,4 +92,9 @@ DB_REDIS_CONNECTION_STRING="redis://localhost:3901"
 MAIL_DOMAINS='{"free": ["free.localhost.email"], "premium": ["premium.localhost.email"],  "fwd": ["fwd.uninbox.dev"]}'
 PRIMARY_DOMAIN='localhost'
 
-UNKEY_ROOT_KEY=""
+UNKEY_ROOT_KEY=""
+
+############################ NEXT_PUBLIC VARIABLES ############################
+NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000
+NEXT_PUBLIC_STORAGE_URL=http://localhost:3200
+NEXT_PUBLIC_PLATFORM_URL=http://localhost:3300

apps/platform/package.json

@@ -9,8 +9,8 @@
   },
   "dependencies": {
     "@simplewebauthn/server": "^9.0.3",
-    "@trpc/client": "^10.45.2",
-    "@trpc/server": "^10.45.2",
+    "@trpc/client": "10.45.2",
+    "@trpc/server": "10.45.2",
     "@u22n/database": "workspace:^",
     "@u22n/realtime": "workspace:^",
     "@u22n/tiptap": "workspace:^",
@@ -21,7 +21,8 @@
     "h3": "^1.11.1",
     "lucia": "^3.1.1",
     "nitropack": "2.9.4",
-    "oslo": "^1.1.3"
+    "oslo": "^1.1.3",
+    "superjson": "^2.2.1"
   },
   "devDependencies": {
     "@simplewebauthn/types": "^9.0.1",

apps/platform/routes/auth/status.get.ts

@@ -6,7 +6,6 @@ type AuthStatusResponseType = {
 
 export default eventHandler((event): AuthStatusResponseType => {
   if (!event.context.account || !event.context.account.id) {
-    deleteCookie(event, 'unsession');
     return { authStatus: 'unauthenticated' };
   }
   return { authStatus: 'authenticated' };

apps/platform/trpc/createContext.ts

@@ -1,4 +1,3 @@
-import type { inferAsyncReturnType } from '@trpc/server';
 import type { H3Event } from 'h3';
 import { db } from '@u22n/database';
 import type { OrgContext, AccountContext } from '@u22n/types';
@@ -12,4 +11,4 @@ export const createContext = async (event: H3Event) => {
   return { db, account, org, event };
 };
 
-export type Context = inferAsyncReturnType<typeof createContext>;
+export type Context = Awaited<ReturnType<typeof createContext>>;

apps/platform/trpc/index.ts

@@ -20,6 +20,7 @@ import { addressRouter } from './routers/userRouter/addressRouter';
 import { defaultsRouter } from './routers/userRouter/defaultsRouter';
 import { twoFactorRouter } from './routers/authRouter/twoFactorRouter';
 import { securityRouter } from './routers/userRouter/securityRouter';
+import { storeRouter } from './routers/orgRouter/orgStoreRouter';
 
 export const trpcPlatformContext = createContext;
 
@@ -42,6 +43,7 @@ const trpcPlatformOrgSetupRouter = router({
   profile: orgProfileRouter,
   billing: billingRouter
 });
+
 const trpcPlatformOrgUsersRouter = router({
   invites: invitesRouter,
   members: orgMembersRouter,
@@ -57,7 +59,8 @@ const trpcPlatformOrgRouter = router({
   contacts: contactsRouter,
   setup: trpcPlatformOrgSetupRouter,
   users: trpcPlatformOrgUsersRouter,
-  mail: trpcPlatformOrgMailRouter
+  mail: trpcPlatformOrgMailRouter,
+  store: storeRouter
 });
 
 export const trpcPlatformRouter = router({

apps/platform/trpc/routers/authRouter/passkeyRouter.ts

@@ -26,13 +26,12 @@ export const passkeyRouter = router({
   signUpWithPasskeyStart: publicRateLimitedProcedure.signUpPasskeyStart
     .input(
       z.object({
-        username: zodSchemas.username(),
-        authenticatorType: z.enum(['platform', 'cross-platform'])
+        username: zodSchemas.username()
       })
     )
     .query(async ({ input, ctx }) => {
       const { db } = ctx;
-      const { username, authenticatorType } = input;
+      const { username } = input;
       const { available, error } = await validateUsername(db, input.username);
       if (!available) {
         throw new TRPCError({
@@ -45,8 +44,7 @@ export const passkeyRouter = router({
       const passkeyOptions = await usePasskeys.generateRegistrationOptions({
         userDisplayName: username,
         username: username,
-        accountPublicId: publicId,
-        authenticatorAttachment: authenticatorType
+        accountPublicId: publicId
       });
       return { publicId, options: passkeyOptions };
     }),
@@ -210,6 +208,18 @@ export const passkeyRouter = router({
           id: true,
           publicId: true,
           username: true
+        },
+        with: {
+          orgMemberships: {
+            with: {
+              org: {
+                columns: {
+                  shortcode: true,
+                  id: true
+                }
+              }
+            }
+          }
         }
       });
 
@@ -241,6 +251,9 @@ export const passkeyRouter = router({
         .set({ lastLoginAt: new Date() })
         .where(eq(accounts.id, account.id));
 
-      return { success: true };
+      const defaultOrg = account.orgMemberships.sort((a, b) => a.id - b.id)[0]
+        ?.org.shortcode;
+
+      return { success: true, defaultOrg };
     })
 });

apps/platform/trpc/routers/authRouter/passwordRouter.ts

@@ -14,7 +14,7 @@ import {
   strongPasswordSchema
 } from '@u22n/utils';
 import { TRPCError } from '@trpc/server';
-import { createError, setCookie } from 'h3';
+import { createError, deleteCookie, getCookie, setCookie } from 'h3';
 import { lucia } from '../../../utils/auth';
 import { validateUsername } from './signupRouter';
 import { createLuciaSessionCookie } from '../../../utils/session';
@@ -23,6 +23,9 @@ import { TOTPController } from 'oslo/otp';
 import { useStorage, useRuntimeConfig } from '#imports';
 
 export const passwordRouter = router({
+  /**
+   * @deprecated remove with Nuxt Webapp
+   */
   signUpWithPassword: publicRateLimitedProcedure.signUpWithPassword
     .input(
       z.object({
@@ -77,6 +80,106 @@ export const passwordRouter = router({
       return { success: true };
     }),
 
+  signUpWithPassword2FA: publicRateLimitedProcedure.signUpWithPassword
+    .input(
+      z.object({
+        username: zodSchemas.username(),
+        password: strongPasswordSchema,
+        twoFactorCode: z.string().min(6).max(6)
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const { username, password, twoFactorCode } = input;
+      const { db } = ctx;
+
+      const twoFaChallengeCookie = getCookie(ctx.event, 'un-2fa-challenge');
+      if (!twoFaChallengeCookie) {
+        return {
+          success: false,
+          error: '2FA cookie not found or expired, Please try to setup new 2FA'
+        };
+      }
+
+      const authStorage = useStorage('auth');
+      const twoFaChallenge = await authStorage.getItem(
+        `un2faChallenge:${username}-${twoFaChallengeCookie}`
+      );
+
+      if (typeof twoFaChallenge !== 'string') {
+        return {
+          success: false,
+          error:
+            '2FA challenge was invalid or expired, Please try to setup new 2FA'
+        };
+      }
+
+      const secret = decodeHex(twoFaChallenge);
+      const isValid = await new TOTPController().verify(twoFactorCode, secret);
+
+      if (!isValid) {
+        return {
+          success: false,
+          error: 'Invalid 2FA code'
+        };
+      }
+
+      const { accountId, publicId, recoveryCode } = await db.transaction(
+        async (tx) => {
+          try {
+            // making sure someone doesn't bypass the client side validation
+            const { available, error } = await validateUsername(tx, username);
+            if (!available) {
+              throw new TRPCError({
+                code: 'FORBIDDEN',
+                message: `Username Error : ${error}`
+              });
+            }
+
+            const passwordHash = await new Argon2id().hash(password);
+            const publicId = typeIdGenerator('account');
+
+            const recoveryCode = nanoIdToken();
+            const hashedRecoveryCode = await new Argon2id().hash(recoveryCode);
+
+            const newUser = await tx.insert(accounts).values({
+              username,
+              publicId,
+              passwordHash,
+              twoFactorEnabled: true,
+              twoFactorSecret: twoFaChallenge,
+              recoveryCode: hashedRecoveryCode
+            });
+
+            return {
+              accountId: Number(newUser.insertId),
+              publicId,
+              recoveryCode
+            };
+          } catch (err) {
+            tx.rollback();
+            console.error(err);
+            throw err;
+          }
+        }
+      );
+
+      const cookie = await createLuciaSessionCookie(ctx.event, {
+        accountId,
+        username,
+        publicId
+      });
+
+      setCookie(ctx.event, cookie.name, cookie.value, cookie.attributes);
+      deleteCookie(ctx.event, 'un-2fa-challenge');
+
+      await db
+        .update(accounts)
+        .set({ lastLoginAt: new Date() })
+        .where(eq(accounts.id, accountId));
+
+      return { success: true, error: null, recoveryCode };
+    }),
+
   signInWithPassword: publicRateLimitedProcedure.signInWithPassword
     .input(
       z.object({
@@ -98,6 +201,18 @@ export const passwordRouter = router({
           passwordHash: true,
           twoFactorSecret: true,
           twoFactorEnabled: true
+        },
+        with: {
+          orgMemberships: {
+            with: {
+              org: {
+                columns: {
+                  shortcode: true,
+                  id: true
+                }
+              }
+            }
+          }
         }
       });
 
@@ -192,7 +307,11 @@ export const passwordRouter = router({
           .set({ lastLoginAt: new Date() })
           .where(eq(accounts.id, userResponse.id));
 
-        return { success: true };
+        const defaultOrg = userResponse.orgMemberships.sort(
+          (a, b) => a.id - b.id
+        )[0]?.org.shortcode;
+
+        return { success: true, defaultOrg };
       }
 
       throw new TRPCError({

apps/platform/trpc/routers/authRouter/signupRouter.ts

@@ -33,7 +33,7 @@ export async function validateUsername(
     return {
       available: false,
       error:
-        'This username is currently reserved. If you own this trademark, please Contact Support'
+        'This username is reserved. If you own this trademark, please contact support'
     };
   }
   return {

apps/platform/trpc/routers/authRouter/twoFactorRouter.ts

@@ -1,14 +1,23 @@
 import { z } from 'zod';
-import { router, accountProcedure } from '../../trpc';
+import {
+  router,
+  accountProcedure,
+  publicRateLimitedProcedure
+} from '../../trpc';
 import { eq } from '@u22n/database/orm';
 import { accounts } from '@u22n/database/schema';
 import { decodeHex, encodeHex } from 'oslo/encoding';
 import { TOTPController, createTOTPKeyURI } from 'oslo/otp';
 import { TRPCError } from '@trpc/server';
-import { nanoIdToken } from '@u22n/utils';
+import { nanoIdToken, zodSchemas } from '@u22n/utils';
 import { Argon2id } from 'oslo/password';
+import { setCookie, getCookie } from 'h3';
+import { useRuntimeConfig, useStorage } from '#imports';
 
 export const twoFactorRouter = router({
+  /**
+   * @deprecated remove with Nuxt Webapp
+   */
   createTwoFactorSecret: accountProcedure
     .input(z.object({}).strict())
     .mutation(async ({ ctx }) => {
@@ -51,6 +60,9 @@ export const twoFactorRouter = router({
       return { uri };
     }),
 
+  /**
+   * @deprecated remove with Nuxt Webapp
+   */
   verifyTwoFactor: accountProcedure
     .input(
       z
@@ -118,6 +130,10 @@ export const twoFactorRouter = router({
 
       return { recoveryCode: recoveryCode };
     }),
+
+  /**
+   * @deprecated remove with Nuxt Webapp
+   */
   disableTwoFactor: accountProcedure
     .input(z.object({ twoFactorCode: z.string() }).strict())
     .mutation(async ({ ctx, input }) => {
@@ -167,5 +183,41 @@ export const twoFactorRouter = router({
         })
         .where(eq(accounts.id, accountId));
       return {};
+    }),
+
+  createTwoFactorChallenge: publicRateLimitedProcedure.createTwoFactorChallenge
+    .input(z.object({ username: zodSchemas.username() }))
+    .query(async ({ ctx, input }) => {
+      const authStorage = useStorage('auth');
+      const existingChallenge = getCookie(ctx.event, 'un-2fa-challenge');
+
+      if (existingChallenge) {
+        const existingSecret = await authStorage.getItem(
+          `un2faChallenge:${input.username}-${existingChallenge}`
+        );
+        if (typeof existingSecret === 'string') {
+          return {
+            uri: createTOTPKeyURI(
+              'UnInbox.com',
+              input.username,
+              decodeHex(existingSecret)
+            )
+          };
+        }
+      }
+
+      const newSecret = crypto.getRandomValues(new Uint8Array(20));
+      const uri = createTOTPKeyURI('UnInbox.com', input.username, newSecret);
+      const hexSecret = encodeHex(newSecret);
+      const challengeId = nanoIdToken();
+      await authStorage.setItem(
+        `un2faChallenge:${input.username}-${challengeId}`,
+        hexSecret
+      );
+      setCookie(ctx.event, 'un-2fa-challenge', challengeId, {
+        domain: useRuntimeConfig().primaryDomain,
+        httpOnly: true
+      });
+      return { uri };
     })
 });