Merge branch 'master' into login_call_unsecureLogin

2025-12-13 07:45:54 +00:00 · 2021-11-17 00:23:57 +01:00 · 2021-11-17 00:23:57 +01:00 · 0341ae0d13
commit 0341ae0d13
parent a73a36b971 640c5ec88d
10 changed files with 234 additions and 108 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -344,7 +344,7 @@ jobs:
          report_name: Coverage Frontend
          type: lcov
          result_path: ./coverage/lcov.info
-          min_coverage: 85
+          min_coverage: 86
          token: ${{ github.token }}
  
  ##############################################################################
@ -394,7 +394,7 @@ jobs:
          report_name: Coverage Backend
          type: lcov
          result_path: ./backend/coverage/lcov.info
-          min_coverage: 39
+          min_coverage: 38
          token: ${{ github.token }}

  ##############################################################################
--- a/backend/src/graphql/model/UpdateUserInfosResponse.ts
+++ b/backend/src/graphql/model/UpdateUserInfosResponse.ts
@ -1,13 +0,0 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
-/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
-import { ObjectType, Field } from 'type-graphql'
-
-@ObjectType()
-export class UpdateUserInfosResponse {
-  constructor(json: any) {
-    this.validValues = json.valid_values
-  }
-
-  @Field(() => Number)
-  validValues: number
-}
--- a/backend/src/graphql/resolver/CommunityResolver.test.ts
+++ b/backend/src/graphql/resolver/CommunityResolver.test.ts
@ -48,7 +48,7 @@ describe('CommunityResolver', () => {

  describe('getCommunityInfo', () => {
    it('returns the default values', async () => {
-      expect(query({ query: getCommunityInfoQuery })).resolves.toMatchObject({
+      await expect(query({ query: getCommunityInfoQuery })).resolves.toMatchObject({
        data: {
          getCommunityInfo: {
            name: 'Gradido Entwicklung',
@ -68,7 +68,7 @@ describe('CommunityResolver', () => {
      })

      it('returns three communities', async () => {
-        expect(query({ query: communities })).resolves.toMatchObject({
+        await expect(query({ query: communities })).resolves.toMatchObject({
          data: {
            communities: [
              {
@ -104,7 +104,7 @@ describe('CommunityResolver', () => {
      })

      it('returns one community', async () => {
-        expect(query({ query: communities })).resolves.toMatchObject({
+        await expect(query({ query: communities })).resolves.toMatchObject({
          data: {
            communities: [
              {
--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@ -33,6 +33,7 @@ import { calculateDecay, calculateDecayWithInterval } from '../../util/decay'
 import { TransactionTypeId } from '../enum/TransactionTypeId'
 import { TransactionType } from '../enum/TransactionType'
 import { hasUserAmount, isHexPublicKey } from '../../util/validate'
+import { LoginUserRepository } from '../../typeorm/repository/LoginUser'

 /*
 # Test
@ -451,15 +452,15 @@ async function addUserTransaction(
  })
 }

-async function getPublicKey(email: string, sessionId: number): Promise<string | undefined> {
-  const result = await apiPost(CONFIG.LOGIN_API_URL + 'getUserInfos', {
-    session_id: sessionId,
-    email,
-    ask: ['user.pubkeyhex'],
-  })
-  if (result.success) {
-    return result.data.userData.pubkeyhex
+async function getPublicKey(email: string): Promise<string | null> {
+  const loginUserRepository = getCustomRepository(LoginUserRepository)
+  const loginUser = await loginUserRepository.findOne({ email: email })
+  // User not found
+  if (!loginUser) {
+    return null
  }
+
+  return loginUser.pubKey.toString('hex')
 }

@Resolver()
@ -519,7 +520,7 @@ export class TransactionResolver {

    // validate recipient user
    // TODO: the detour over the public key is unnecessary
-    const recipiantPublicKey = await getPublicKey(email, context.sessionId)
+    const recipiantPublicKey = await getPublicKey(email)
    if (!recipiantPublicKey) {
      throw new Error('recipiant not known')
    }
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -7,7 +7,6 @@ import { getConnection, getCustomRepository } from 'typeorm'
 import CONFIG from '../../config'
 import { LoginViaVerificationCode } from '../model/LoginViaVerificationCode'
 import { SendPasswordResetEmailResponse } from '../model/SendPasswordResetEmailResponse'
-import { UpdateUserInfosResponse } from '../model/UpdateUserInfosResponse'
 import { User } from '../model/User'
 import { User as DbUser } from '@entity/User'
 import encode from '../../jwt/encode'
@ -31,6 +30,7 @@ import { LoginUserBackup } from '@entity/LoginUserBackup'
 import { LoginEmailOptIn } from '@entity/LoginEmailOptIn'
 import { sendEMail } from '../../util/sendEMail'
 import { LoginElopageBuysRepository } from '../../typeorm/repository/LoginElopageBuys'
+import { LoginUserRepository } from '../../typeorm/repository/LoginUser'

 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const sodium = require('sodium-native')
@ -175,7 +175,7 @@ const getEmailHash = (email: string): Buffer => {
 }

 const SecretKeyCryptographyEncrypt = (message: Buffer, encryptionKey: Buffer): Buffer => {
-  const encrypted = Buffer.alloc(sodium.crypto_secretbox_MACBYTES + message.length)
+  const encrypted = Buffer.alloc(message.length + sodium.crypto_secretbox_MACBYTES)
  const nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES)
  nonce.fill(31) // static nonce

@ -183,6 +183,16 @@ const SecretKeyCryptographyEncrypt = (message: Buffer, encryptionKey: Buffer): B
  return encrypted
 }

+const SecretKeyCryptographyDecrypt = (encryptedMessage: Buffer, encryptionKey: Buffer): Buffer => {
+  const message = Buffer.alloc(encryptedMessage.length - sodium.crypto_secretbox_MACBYTES)
+  const nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES)
+  nonce.fill(31) // static nonce
+
+  sodium.crypto_secretbox_open_easy(message, encryptedMessage, nonce, encryptionKey)
+
+  return message
+}
+
@Resolver()
 export class UserResolver {
  @Query(() => User)
@ -239,8 +249,12 @@ export class UserResolver {
    user.hasElopage = await this.hasElopage({ pubKey: loginUser.pubKey })
    if (!user.hasElopage && publisherId) {
      user.publisherId = publisherId
-      // TODO: Merge login_call_updateUserInfos
+      // TODO: Check if we can use updateUserInfos
      // await this.updateUserInfos({ publisherId }, { pubKey: loginUser.pubKey })
+      const loginUserRepository = getCustomRepository(LoginUserRepository)
+      const loginUser = await loginUserRepository.findOneOrFail({ email: userEntity.email })
+      loginUser.publisherId = publisherId
+      loginUserRepository.save(loginUser)
    }

    // coinAnimation
@ -277,13 +291,13 @@ export class UserResolver {

  @Authorized()
  @Query(() => String)
-  async logout(@Ctx() context: any): Promise<string> {
-    const payload = { session_id: context.sessionId }
-    const result = await apiPost(CONFIG.LOGIN_API_URL + 'logout', payload)
-    if (!result.success) {
-      throw new Error(result.data)
-    }
-    return 'success'
+  async logout(): Promise<boolean> {
+    // TODO: We dont need this anymore, but might need this in the future in oder to invalidate a valid JWT-Token.
+    // Furthermore this hook can be useful for tracking user behaviour (did he logout or not? Warn him if he didn't on next login)
+    // The functionality is fully client side - the client just needs to delete his token with the current implementation.
+    // we could try to force this by sending `token: null` or `token: ''` with this call. But since it bares no real security
+    // we should just return true for now.
+    return true
  }

  @Mutation(() => String)
@ -460,7 +474,7 @@ export class UserResolver {
  }

  @Authorized()
-  @Mutation(() => UpdateUserInfosResponse)
+  @Mutation(() => Boolean)
  async updateUserInfos(
    @Args()
    {
@ -475,80 +489,97 @@ export class UserResolver {
      coinanimation,
    }: UpdateUserInfosArgs,
    @Ctx() context: any,
-  ): Promise<UpdateUserInfosResponse> {
-    const payload = {
-      session_id: context.sessionId,
-      update: {
-        'User.first_name': firstName || undefined,
-        'User.last_name': lastName || undefined,
-        'User.description': description || undefined,
-        'User.username': username || undefined,
-        'User.language': language || undefined,
-        'User.publisher_id': publisherId || undefined,
-        'User.password': passwordNew || undefined,
-        'User.password_old': password || undefined,
-      },
-    }
-    let response: UpdateUserInfosResponse | undefined
+  ): Promise<boolean> {
    const userRepository = getCustomRepository(UserRepository)
+    const userEntity = await userRepository.findByPubkeyHex(context.pubKey)
+    const loginUserRepository = getCustomRepository(LoginUserRepository)
+    const loginUser = await loginUserRepository.findOneOrFail({ email: userEntity.email })

-    if (
-      firstName ||
-      lastName ||
-      description ||
-      username ||
-      language ||
-      publisherId ||
-      passwordNew ||
-      password
-    ) {
-      const result = await apiPost(CONFIG.LOGIN_API_URL + 'updateUserInfos', payload)
-      if (!result.success) throw new Error(result.data)
-      response = new UpdateUserInfosResponse(result.data)
-
-      const pubKeyString = Buffer.from(context.pubKey).toString('hex')
-      const userEntity = await userRepository.findByPubkeyHex(pubKeyString)
-      let userEntityChanged = false
-      if (firstName) {
-        userEntity.firstName = firstName
-        userEntityChanged = true
-      }
-      if (lastName) {
-        userEntity.lastName = lastName
-        userEntityChanged = true
-      }
    if (username) {
-        userEntity.username = username
-        userEntityChanged = true
+      throw new Error('change username currently not supported!')
+      // TODO: this error was thrown on login_server whenever you tried to change the username
+      // to anything except "" which is an exception to the rules below. Those were defined
+      // aswell, even tho never used.
+      // ^[a-zA-Z][a-zA-Z0-9_-]*$
+      // username must start with [a-z] or [A-Z] and than can contain also [0-9], - and _
+      // username already used
+      // userEntity.username = username
    }
-      if (userEntityChanged) {
-        userRepository.save(userEntity).catch((error) => {
-          throw new Error(error)
-        })
-      }
-    }
-    if (coinanimation !== undefined) {
-      // load user and balance
-      const pubKeyString = Buffer.from(context.pubKey).toString('hex')
-      const userEntity = await userRepository.findByPubkeyHex(pubKeyString)

-      const userSettingRepository = getCustomRepository(UserSettingRepository)
-      userSettingRepository
+    if (firstName) {
+      loginUser.firstName = firstName
+      userEntity.firstName = firstName
+    }
+
+    if (lastName) {
+      loginUser.lastName = lastName
+      userEntity.lastName = lastName
+    }
+
+    if (description) {
+      loginUser.description = description
+    }
+
+    if (language) {
+      if (!isLanguage(language)) {
+        throw new Error(`"${language}" isn't a valid language`)
+      }
+      loginUser.language = language
+    }
+
+    if (password && passwordNew) {
+      // TODO: This had some error cases defined - like missing private key. This is no longer checked.
+      const oldPasswordHash = SecretKeyCryptographyCreateKey(loginUser.email, password)
+      if (loginUser.password !== oldPasswordHash[0].readBigUInt64LE()) {
+        throw new Error(`Old password is invalid`)
+      }
+
+      const privKey = SecretKeyCryptographyDecrypt(loginUser.privKey, oldPasswordHash[1])
+
+      const newPasswordHash = SecretKeyCryptographyCreateKey(loginUser.email, passwordNew) // return short and long hash
+      const encryptedPrivkey = SecretKeyCryptographyEncrypt(privKey, newPasswordHash[1])
+
+      // Save new password hash and newly encrypted private key
+      loginUser.password = newPasswordHash[0].readBigInt64LE()
+      loginUser.privKey = encryptedPrivkey
+    }
+
+    // Save publisherId only if Elopage is not yet registered
+    if (publisherId && !(await this.hasElopage(context))) {
+      loginUser.publisherId = publisherId
+    }
+
+    const queryRunner = getConnection().createQueryRunner()
+    await queryRunner.connect()
+    await queryRunner.startTransaction('READ UNCOMMITTED')
+
+    try {
+      if (coinanimation) {
+        queryRunner.manager
+          .getCustomRepository(UserSettingRepository)
          .setOrUpdate(userEntity.id, Setting.COIN_ANIMATION, coinanimation.toString())
          .catch((error) => {
-          throw new Error(error)
+            throw new Error('error saving coinanimation: ' + error)
+          })
+      }
+
+      await queryRunner.manager.save(loginUser).catch((error) => {
+        throw new Error('error saving loginUser: ' + error)
      })

-      if (!response) {
-        response = new UpdateUserInfosResponse({ valid_values: 1 })
-      } else {
-        response.validValues++
+      await queryRunner.manager.save(userEntity).catch((error) => {
+        throw new Error('error saving user: ' + error)
+      })
+
+      await queryRunner.commitTransaction()
+    } catch (e) {
+      await queryRunner.rollbackTransaction()
+      throw e
+    } finally {
+      await queryRunner.release()
    }
-    }
-    if (!response) {
-      throw new Error('no valid response')
-    }
-    return response
+
+    return true
  }

  @Query(() => Boolean)
--- a/backend/src/util/sendEMail.ts
+++ b/backend/src/util/sendEMail.ts
@ -2,7 +2,12 @@ import { createTransport } from 'nodemailer'

 import CONFIG from '../config'

-export const sendEMail = async (emailDef: any): Promise<boolean> => {
+export const sendEMail = async (emailDef: {
+  from: string
+  to: string
+  subject: string
+  text: string
+}): Promise<boolean> => {
  if (!CONFIG.EMAIL) {
    // eslint-disable-next-line no-console
    console.log('Emails are disabled via config')
--- a/frontend/src/graphql/mutations.js
+++ b/frontend/src/graphql/mutations.js
@ -38,9 +38,7 @@ export const updateUserInfos = gql`
      passwordNew: $passwordNew
      language: $locale
      coinanimation: $coinanimation
-    ) {
-      validValues
-    }
+    )
  }
 `

--- a/frontend/src/plugins/globalComponents.test.js
+++ b/frontend/src/plugins/globalComponents.test.js
@ -0,0 +1,29 @@
+import GlobalComponents from './globalComponents.js'
+import Vue from 'vue'
+import 'vee-validate'
+
+jest.mock('vue')
+jest.mock('vee-validate', () => {
+  const originalModule = jest.requireActual('vee-validate')
+  return {
+    __esModule: true,
+    ...originalModule,
+    ValidationProvider: 'mocked validation provider',
+    ValidationObserver: 'mocked validation observer',
+  }
+})
+
+const vueComponentMock = jest.fn()
+Vue.component = vueComponentMock
+
+describe('global Components', () => {
+  GlobalComponents.install(Vue)
+
+  it('installs the validation provider', () => {
+    expect(vueComponentMock).toBeCalledWith('validation-provider', 'mocked validation provider')
+  })
+
+  it('installs the validation observer', () => {
+    expect(vueComponentMock).toBeCalledWith('validation-observer', 'mocked validation observer')
+  })
+})
--- a/frontend/src/views/Pages/SendOverview/GddSend/QrCode.spec.js
+++ b/frontend/src/views/Pages/SendOverview/GddSend/QrCode.spec.js
@ -0,0 +1,70 @@
+import { mount } from '@vue/test-utils'
+import QrCode from './QrCode'
+
+const localVue = global.localVue
+
+describe('QrCode', () => {
+  let wrapper
+
+  const mocks = {
+    $t: jest.fn((t) => t),
+  }
+
+  const stubs = {
+    QrcodeStream: true,
+    QrcodeCapture: true,
+  }
+
+  const Wrapper = () => {
+    return mount(QrCode, { localVue, mocks, stubs })
+  }
+
+  describe('mount', () => {
+    beforeEach(() => {
+      wrapper = Wrapper()
+    })
+
+    it('renders the component', () => {
+      expect(wrapper.find('div.alert').exists()).toBeTruthy()
+    })
+
+    describe('scanning', () => {
+      beforeEach(async () => {
+        wrapper.find('a').trigger('click')
+      })
+
+      it('has a scanning stream', () => {
+        expect(wrapper.findComponent({ name: 'QrcodeStream' }).exists()).toBeTruthy()
+      })
+
+      describe('decode', () => {
+        beforeEach(async () => {
+          await wrapper
+            .findComponent({ name: 'QrcodeStream' })
+            .vm.$emit('decode', '[{"email": "user@example.org", "amount": 10.0}]')
+        })
+
+        it('emits set transaction', () => {
+          expect(wrapper.emitted()['set-transaction']).toEqual([
+            [
+              {
+                email: 'user@example.org',
+                amount: 10,
+              },
+            ],
+          ])
+        })
+      })
+
+      describe('detect', () => {
+        beforeEach(async () => {
+          await wrapper.find('div.row > *').vm.$emit('detect')
+        })
+
+        it('calls onDetect', () => {
+          expect(wrapper.vm.detect).toBeTruthy()
+        })
+      })
+    })
+  })
+})
--- a/frontend/src/views/Pages/SendOverview/GddSend/QrCode.vue
+++ b/frontend/src/views/Pages/SendOverview/GddSend/QrCode.vue
@ -44,6 +44,7 @@ export default {
  data() {
    return {
      scan: false,
+      detect: false,
    }
  },
  methods: {
@ -55,6 +56,10 @@ export default {
      this.$emit('set-transaction', { email: arr[0].email, amount: arr[0].amount })
      this.scan = false
    },
+    async onDetect() {
+      // TODO: what is this for? I added the detect data to test that the method is called
+      this.detect = !this.detect
+    },
  },
 }
 </script>