Merge pull request #74 from CityOfLosAngeles/mfa-sms-phone

MFA SMS Flow

.github/workflows/firebase-hosting-pull-request.yml

@@ -10,7 +10,8 @@ on:
       - 'web/**'
 jobs:
   build_and_preview:
-    if: '${{ github.event.pull_request.head.repo.full_name == github.repository }}'
+    if: '${{ github.event.pull_request.head.repo.full_name == github.repository &&
+      github.event.pull_request.draft == false }}'
     runs-on: ubuntu-latest
     environment: development
     steps:

firebase.json

@@ -14,7 +14,7 @@
         "region": "us-central1"
       },
       {
-        "source": "**",
+        "source": "/auth0/**",
         "function": "auth0",
         "region": "us-central1"
       }

functions/auth0/api/auth0.js

@@ -156,19 +156,36 @@ const authMethods = onRequest(async (req, res) => {
   }
 });
 
-const enrollOTP = onRequest(async (req, res) => {
+const enrollMFA = onRequest(async (req, res) => {
   const body = req.body;
 
+  const {
+    email,
+    password,
+    mfaFactor = '',
+    number,
+    channel
+  } = body;
+
   try {
     const validateResponse = await authorizeUser(
-      body.email,
-      body.password,
+      email,
+      password,
       "/mfa/"
     );
 
     if (validateResponse.status === 200) {
       const mfaToken = validateResponse?.data?.access_token;
 
+      let additionalData = {};
+
+      if (mfaFactor == "oob") {
+        additionalData = {
+         "oob_channels": [channel],
+         "phone_number": number
+        }
+      }
+
       const otpRequest = {
         method: "POST",
         url: `https://${auth0Domain}/mfa/associate`,
@@ -177,7 +194,8 @@ const enrollOTP = onRequest(async (req, res) => {
           Authorization: `Bearer ${mfaToken}`,
         },
         data: {
-          authenticator_types: ["otp"],
+          authenticator_types: [mfaFactor],
+          ...additionalData
         },
       };
 
@@ -202,22 +220,40 @@ const enrollOTP = onRequest(async (req, res) => {
   }
 });
 
-const confirmOTP = onRequest(async (req, res) => {
+const confirmMFA = onRequest(async (req, res) => {
   const body = req.body;
 
+  const {
+    mfaToken, 
+    userOtpCode = '',
+    oobCode = '',
+  } = body;
+
   try {
-    const {mfaToken, userOtpCode} = body;
+
+    let additionalData = {};
+
+     if (oobCode.length) {
+      additionalData = {
+        oob_code: `${oobCode}`,
+        binding_code: `${userOtpCode}`
+      }
+    } else {
+      additionalData = {
+        otp: `${userOtpCode}`
+      }
+    }
 
     const options = {
       method: "POST",
       url: `https://${auth0Domain}/oauth/token`,
       headers: {"content-type": "application/x-www-form-urlencoded"},
       data: new URLSearchParams({
-        grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
+        grant_type: `http://auth0.com/oauth/grant-type/${oobCode.length ? 'mfa-oob' : 'mfa-otp'}`,
         client_id: `${auth0ClientId}`,
-        mfa_token: `${mfaToken}`,
         client_secret: `${auth0ClientSecret}`,
-        otp: `${userOtpCode}`,
+        mfa_token: `${mfaToken}`,
+        ...additionalData
       }),
     };
 
@@ -268,7 +304,7 @@ module.exports = {
   updateUser,
   updatePassword,
   authMethods,
-  enrollOTP,
-  confirmOTP,
+  enrollMFA,
+  confirmMFA,
   unenrollMFA,
 };

functions/auth0/index.js

@@ -3,24 +3,24 @@ const admin = require("firebase-admin");
 const express = require("express");
 
 admin.initializeApp();
-const auth0 = express();
+const app = express();
 
 const {
   updateUser,
   updatePassword,
-  enrollOTP,
-  confirmOTP,
+  enrollMFA,
+  confirmMFA,
   authMethods,
   unenrollMFA
 } = require("./api/auth0");
 
-auth0.use(express.json());
+app.use(express.json());
 
-auth0.post("/updateUser", updateUser);
-auth0.post("/updatePassword", updatePassword);
-auth0.post("/enrollOTP", enrollOTP);
-auth0.post("/confirmOTP", confirmOTP);
-auth0.post("/authMethods", authMethods);
-auth0.post("/unenrollMFA", unenrollMFA);
+app.post("/auth0/updateUser", updateUser);
+app.post("/auth0/updatePassword", updatePassword);
+app.post("/auth0/enrollMFA", enrollMFA);
+app.post("/auth0/confirmMFA", confirmMFA);
+app.post("/auth0/authMethods", authMethods);
+app.post("/auth0/unenrollMFA", unenrollMFA);
 
-exports.auth0 = onRequest(auth0);
+exports.auth0 = onRequest(app);

functions/auth0/utils/constants.js

@@ -8,4 +8,4 @@ module.exports = {
   auth0ClientId,
   auth0ClientSecret,
   auth0Domain
-};
+};

functions/maps/index.js

@@ -4,9 +4,9 @@ const axios = require("axios");
 const express = require("express");
 
 admin.initializeApp();
-const maps = express();
+const app = express();
 
-maps.use(express.json());
+app.use(express.json());
 
 const corsProxyAutofill = onRequest(async (req, res) => {
 
@@ -16,7 +16,7 @@ const corsProxyPlaceDetails = onRequest(async (req, res) => {
 
 });
 
-maps.get("/corsProxyPlaceDetails", corsProxyPlaceDetails);
-maps.get("/corsProxyAutofill", corsProxyAutofill);
+app.get("/maps/corsProxyPlaceDetails", corsProxyPlaceDetails);
+app.get("/maps/corsProxyAutofill", corsProxyAutofill);
 
-exports.maps = onRequest(maps);
+exports.maps = onRequest(app);

lib/controllers/api.dart

@@ -12,9 +12,9 @@ abstract class Api {
 
   void getAuthenticationMethods(final String userId);
 
-  void enrollAuthenticator(final Map<String, String> body);
+  void enrollMFA(final Map<String, String> body);
 
-  void confirmTOTP(final Map<String, String> body);
+  void confirmMFA(final Map<String, String> body);
 
-  void unenrollAuthenticator(final Map<String, String> body);
+  void unenrollMFA(final Map<String, String> body);
 }

lib/controllers/api_implementation.dart

@@ -86,7 +86,7 @@ class UserApi extends Api {
       final body = json.encode(user);
 
       final response = await http.post(
-          Uri.parse('/updateUser'),
+          Uri.parse('/auth0/updateUser'),
           headers: headers,
           body: body
       ).timeout(const Duration(seconds: 15));
@@ -119,7 +119,7 @@ class UserApi extends Api {
 
     try {
       final request = await http.post(
-          Uri.parse('/updatePassword'),
+          Uri.parse('/auth0/updatePassword'),
           headers: headers,
           body: reqBody
       );
@@ -151,7 +151,7 @@ class UserApi extends Api {
 
     try {
       final request = await http.post(
-          Uri.parse('/authMethods'),
+          Uri.parse('/auth0/authMethods'),
           headers: headers,
           body: reqBody
       );
@@ -171,7 +171,7 @@ class UserApi extends Api {
 
   @override
   Future<Map<String, dynamic>>
-    enrollAuthenticator(final Map<String, String> body) async {
+    enrollMFA(final Map<String, String> body) async {
     late Map<String, dynamic> response;
 
     final headers = {
@@ -182,23 +182,25 @@ class UserApi extends Api {
 
     try {
       final request = await http.post(
-          Uri.parse('/enrollOTP'),
+          Uri.parse('/auth0/enrollMFA'),
           headers: headers,
           body: reqBody
       );
 
       final jsonBody = jsonDecode(request.body);
-      final barcode = jsonBody['barcode_uri'];
-      final token = jsonBody['token'];
-      final tokenSecret = jsonBody['secret'];
+      final barcode = jsonBody['barcode_uri'] ?? '';
+      final token = jsonBody['token'] ?? '';
+      final tokenSecret = jsonBody['secret'] ?? '';
+      final oobCode = jsonBody['oob_code'] ?? '';
 
       if (request.statusCode == HttpStatus.ok) {
         response = {
           'status': request.statusCode,
           'body': request.body,
           'barcode': barcode,
           'token': token,
-          'barcode_string': tokenSecret
+          'barcode_string': tokenSecret,
+          'oobCode': oobCode
         };
       } else {
         throw ApiException(request.statusCode, request.body);
@@ -220,7 +222,7 @@ class UserApi extends Api {
   }
 
   @override
-  Future<ApiResponse> confirmTOTP(final Map<String, String> body) async {
+  Future<ApiResponse> confirmMFA(final Map<String, String> body) async {
 
     final headers = {
       'Content-Type': 'application/json'
@@ -230,7 +232,7 @@ class UserApi extends Api {
 
     try {
       final request = await http.post(
-          Uri.parse('/confirmOTP'),
+          Uri.parse('/auth0/confirmMFA'),
           headers: headers,
           body: reqBody
       );
@@ -249,8 +251,7 @@ class UserApi extends Api {
   }
 
   @override
-  Future<ApiResponse> unenrollAuthenticator(final Map<String, String> body)
-  async {
+  Future<ApiResponse> unenrollMFA(final Map<String, String> body) async {
 
     final headers = {
       'Content-Type': 'application/json'
@@ -260,7 +261,7 @@ class UserApi extends Api {
 
     try {
       final request = await http.post(
-          Uri.parse('/unenrollMFA'),
+          Uri.parse('/auth0/unenrollMFA'),
           headers: headers,
           body: reqBody
       );