feat(MFA): Restructures for reset 2FA flow

README.md

@@ -101,7 +101,7 @@ docker compose up -d
 Whenever you make changes to an object that is mapped into the database, you have to use `typeORM` and create a new migration file. Make sure the database container is running and then:
 
 ```
-docker compose run app npm run typeorm migration:generate -- -n <MigrationName>
+docker compose run -u root app npm run typeorm migration:generate -- -n <MigrationName>
 npm run build
 docker compose run app npm run typeorm migration:run
 ```

gulpfile.js

@@ -1,3 +1,4 @@
+require("module-alias/register");
 const autoprefixer = require("autoprefixer");
 const gulp = require("gulp");
 const postcss = require("gulp-postcss");

package.json

@@ -144,6 +144,8 @@
     "@apps": "./built/apps",
     "@config": "./built/config/config.js",
     "@locale": "./built/locales/current.js",
-    "@models": "./built/models"
+    "@models": "./built/models",
+    "@type": "./built/type",
+    "@enums": "./built/enums"
   }
 }

src/api/app.ts

@@ -4,16 +4,14 @@ import "reflect-metadata";
 import { RoleType } from "@beabee/beabee-common";
 import cookie from "cookie-parser";
 import cors from "cors";
-import crypto from "crypto";
-import express, { ErrorRequestHandler, Request } from "express";
+import express, { ErrorRequestHandler } from "express";
 import {
   Action,
   HttpError,
   InternalServerError,
   NotFoundError,
   useExpressServer
 } from "routing-controllers";
-import { getRepository } from "typeorm";
 
 import { ApiKeyController } from "./controllers/ApiKeyController";
 import { AuthController } from "./controllers/AuthController";

src/api/controllers/AuthController.ts

@@ -20,17 +20,15 @@ import { UnauthorizedError } from "../errors/UnauthorizedError";
 import passport from "@core/lib/passport";
 
 import ContactsService from "@core/services/ContactsService";
-import ContactMfaService from "@core/services/ContactMfaService";
 
 import Contact from "@models/Contact";
 import ContactRole from "@models/ContactRole";
 
 import { login } from "@api/utils";
 
-import {
-  LOGIN_CODES,
-  PassportLoginInfo
-} from "@api/data/ContactData/interface";
+import { PassportLoginInfo } from "@type/passport-login-info";
+
+import { LOGIN_CODES } from "@enums/login-codes";
 
 import config from "@config";
 

src/api/controllers/ContactController.ts

@@ -48,11 +48,8 @@ import {
   CreateContactData,
   DeleteContactMfaData,
   fetchPaginatedContacts,
-  GetContactData,
   GetContactQuery,
-  GetContactRoleData,
   GetContactsQuery,
-  GetContactWith,
   UpdateContactRoleData,
   UpdateContactData,
   exportContacts,
@@ -61,6 +58,9 @@ import {
   CreateContactMfaData,
   GetContactMfaData
 } from "@api/data/ContactData";
+import { GetContactData } from "@type/get-contact-data";
+import { GetContactRoleData } from "@type/get-contact-role-data";
+import { GetContactWith } from "@enums/get-contact-with";
 import {
   CompleteJoinFlowData,
   StartJoinFlowData
@@ -77,7 +77,6 @@ import {
   GetExportQuery
 } from "@api/data/PaginatedData";
 import { GetPaymentData, GetPaymentsQuery } from "@api/data/PaymentData";
-import { LOGIN_CODES } from "@api/data/ContactData/interface";
 
 import PartialBody from "@api/decorators/PartialBody";
 import CantUpdateContribution from "@api/errors/CantUpdateContribution";
@@ -313,7 +312,13 @@ export class ContactController {
     @Body() data: DeleteContactMfaData,
     @Params() { id }: { id: string }
   ): Promise<void> {
-    await ContactMfaService.delete(target, id, data);
+    if (id === "me") {
+      await ContactMfaService.deleteSecure(target, data);
+    } else {
+      // It's secure to call this unsecure method here because the user is an admin,
+      // this is checked in the `@TargetUser()` decorator
+      await ContactMfaService.deleteUnsecure(target);
+    }
   }
 
   @OnUndefined(204)

src/api/controllers/ResetDeviceController.ts

@@ -16,22 +16,22 @@ import EmailService from "@core/services/EmailService";
 import AuthService from "@core/services/AuthService";
 import ContactMfaService from "@core/services/ContactMfaService";
 
-import ResetPasswordFlow from "@models/ResetPasswordFlow";
+import ResetSecurityFlow from "@models/ResetSecurityFlow";
 
 import { login } from "@api/utils";
 import { UUIDParam } from "@api/data";
 import {
   CreateResetDeviceData,
   UpdateResetDeviceData
 } from "@api/data/ResetDeviceData";
-import { ContactMfaType } from "@api/data/ContactData/interface";
 import UnauthorizedError from "@api/errors/UnauthorizedError";
 
 @JsonController("/reset-device")
 export class ResetDeviceController {
   @OnUndefined(204)
   @Post()
   async create(@Body() data: CreateResetDeviceData): Promise<void> {
+    // TODO: Create ResetSecurityFlowService
     const contact = await ContactsService.findOne({ email: data.email });
     if (!contact) {
       return;
@@ -41,7 +41,7 @@ export class ResetDeviceController {
 
     // TODO: Check if reset password flow already exists, if so throw error
 
-    const rpFlow = await getRepository(ResetPasswordFlow).save({ contact });
+    const rpFlow = await getRepository(ResetSecurityFlow).save({ contact });
     await EmailService.sendTemplateToContact("reset-device", contact, {
       rpLink: data.resetUrl + "/" + rpFlow.id
     });
@@ -54,7 +54,8 @@ export class ResetDeviceController {
     @Params() { id }: UUIDParam,
     @Body() data: UpdateResetDeviceData
   ): Promise<void> {
-    const rpFlow = await getRepository(ResetPasswordFlow).findOne({
+    // TODO: Create ResetSecurityFlowService
+    const rpFlow = await getRepository(ResetSecurityFlow).findOne({
       where: { id },
       relations: ["contact"]
     });
@@ -75,13 +76,10 @@ export class ResetDeviceController {
     }
 
     // Disable MFA
-    await ContactMfaService.delete(rpFlow.contact, rpFlow.contact.id, {
-      type: ContactMfaType.TOTP
-    });
+    await ContactMfaService.deleteUnsecure(rpFlow.contact);
 
     // Stop reset flow
-    // TODO: ResetPasswordFlow -> ResetSecurityFlow
-    await getRepository(ResetPasswordFlow).delete(id);
+    await getRepository(ResetSecurityFlow).delete(id);
 
     await login(req, rpFlow.contact);
   }

src/api/controllers/ResetPasswordController.ts

@@ -16,7 +16,7 @@ import { generatePassword } from "@core/utils/auth";
 import ContactsService from "@core/services/ContactsService";
 import EmailService from "@core/services/EmailService";
 
-import ResetPasswordFlow from "@models/ResetPasswordFlow";
+import ResetSecurityFlow from "@models/ResetSecurityFlow";
 
 import { login } from "@api/utils";
 import { UUIDParam } from "@api/data";
@@ -30,9 +30,10 @@ export class ResetPasswordController {
   @OnUndefined(204)
   @Post()
   async create(@Body() data: CreateResetPasswordData): Promise<void> {
+    // TODO: Create ResetSecurityFlowService
     const contact = await ContactsService.findOne({ email: data.email });
     if (contact) {
-      const rpFlow = await getRepository(ResetPasswordFlow).save({ contact });
+      const rpFlow = await getRepository(ResetSecurityFlow).save({ contact });
       await EmailService.sendTemplateToContact("reset-password", contact, {
         rpLink: data.resetUrl + "/" + rpFlow.id
       });
@@ -46,15 +47,16 @@ export class ResetPasswordController {
     @Params() { id }: UUIDParam,
     @Body() data: UpdateResetPasswordData
   ): Promise<void> {
-    const rpFlow = await getRepository(ResetPasswordFlow).findOne({
+    // TODO: Create ResetSecurityFlowService
+    const rpFlow = await getRepository(ResetSecurityFlow).findOne({
       where: { id },
       relations: ["contact"]
     });
     if (rpFlow) {
       await ContactsService.updateContact(rpFlow.contact, {
         password: await generatePassword(data.password)
       });
-      await getRepository(ResetPasswordFlow).delete(id);
+      await getRepository(ResetSecurityFlow).delete(id);
 
       await login(req, rpFlow.contact);
     } else {

src/api/controllers/SegmentController.ts

@@ -15,7 +15,6 @@ import { getRepository } from "typeorm";
 
 import { UUIDParam } from "@api/data";
 import {
-  GetContactData,
   GetContactsQuery,
   fetchPaginatedContacts
 } from "@api/data/ContactData";
@@ -34,6 +33,8 @@ import Segment from "@models/Segment";
 import SegmentContact from "@models/SegmentContact";
 import SegmentOngoingEmail from "@models/SegmentOngoingEmail";
 
+import type { GetContactData } from "@type/get-contact-data";
+
 @JsonController("/segments")
 @Authorized("admin")
 export class SegmentController {

src/api/data/ApiKeyData/interface.ts

@@ -1,5 +1,5 @@
 import { IsDate, IsIn, IsOptional, IsString } from "class-validator";
-import { GetContactData } from "../ContactData";
+import { GetContactData } from "@type/get-contact-data";
 import { GetPaginatedQuery } from "../PaginatedData";
 import { Type } from "class-transformer";
 

src/api/data/CalloutResponseCommentData/interface.ts

@@ -1,6 +1,6 @@
 import Contact from "@models/Contact";
 import { IsIn, IsObject, IsString } from "class-validator";
-import { GetContactData } from "../ContactData";
+import { GetContactData } from "@type/get-contact-data";
 import { GetPaginatedQuery } from "../PaginatedData";
 
 export interface UpdateCalloutResponseComment {

src/api/data/CalloutResponseData/interface.ts

@@ -19,7 +19,7 @@ import { UUIDParam } from "..";
 import { GetCalloutData } from "../CalloutData";
 import { GetCalloutResponseCommentData } from "../CalloutResponseCommentData/interface";
 import { GetCalloutTagData } from "../CalloutTagData";
-import { GetContactData } from "../ContactData";
+import { GetContactData } from "@type/get-contact-data";
 import { GetPaginatedQuery, GetPaginatedRuleGroup } from "../PaginatedData";
 
 export enum GetCalloutResponseWith {

src/api/data/ContactData/index.ts

@@ -17,12 +17,11 @@ import {
   GetPaginatedRuleGroup
 } from "@api/data/PaginatedData";
 
-import {
-  GetContactData,
-  GetContactRoleData,
-  GetContactsQuery,
-  GetContactWith
-} from "./interface";
+import { GetContactWith } from "@enums/get-contact-with";
+
+import type { GetContactData } from "@type/get-contact-data";
+import type { GetContactRoleData } from "@type/get-contact-role-data";
+import type { GetContactsQuery } from "@api/data/ContactData";
 
 interface ConvertOpts {
   with: GetContactWith[] | undefined;