save

nhost · Apr 27, 2021 · 18c68e5 · 18c68e5
1 parent 6ef38d7
commit 18c68e5
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/src/routes/auth/login.ts b/src/routes/auth/login.ts
@@ -5,7 +5,7 @@ import { asyncWrapper, selectAccount } from '@shared/helpers'
 import { newJwtExpiry, createHasuraJwt } from '@shared/jwt'
 import { setRefreshToken } from '@shared/cookies'
 import { loginAnonymouslySchema, loginSchema, magicLinkLoginSchema } from '@shared/validation'
-import { insertAccount } from '@shared/queries'
+import { insertAccount, updateTicketExpiration } from '@shared/queries'
 import { request } from '@shared/request'
 import { AccountData, UserData, Session } from '@shared/types'
 import { emailClient } from '@shared/email'
@@ -18,7 +18,8 @@ interface HasuraData {
   }
 }
 
-async function loginAccount({ body, headers }: Request, res: Response): Promise<unknown> {
+async function loginAccount({ body, headers, query }: Request, res: Response): Promise<unknown> {
+  query;
   // default to true
   const useCookie = typeof body.cookie !== 'undefined' ? body.cookie : true
 
@@ -131,6 +132,13 @@ async function loginAccount({ body, headers }: Request, res: Response): Promise<
   }
 
   if (mfa_enabled) {
+    await request(updateTicketExpiration, {
+      email,
+      ticket_expires_at: new Date(
+        +Date.now() + 60 * 60 * 1000
+      )
+    })
+
     return res.send({ mfa: true, ticket })
   }
 

diff --git a/src/routes/auth/mfa/mfa.test.ts b/src/routes/auth/mfa/mfa.test.ts
@@ -55,7 +55,7 @@ it('should enable mfa for account', (done) => {
 
 it('should return a ticket', (done) => {
   request
-    .post('/auth/login')
+    .post('/auth/login?abc=1')
     .send({ email: account.email, password: account.password })
     .expect(200)
     .expect(validTicket())

diff --git a/src/shared/helpers.ts b/src/shared/helpers.ts
@@ -43,7 +43,10 @@ export const selectAccountByEmail = async (email: string): Promise<AccountData>
 }
 
 export const selectAccountByTicket = async (ticket: string): Promise<AccountData> => {
-  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, { ticket })
+  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, {
+    ticket,
+    now: new Date()
+  })
   if (!hasuraData.auth_accounts[0]) throw new Error('Account does not exist.')
   return hasuraData.auth_accounts[0]
 }

diff --git a/src/shared/queries.ts b/src/shared/queries.ts
@@ -103,7 +103,7 @@ export const selectAccountByEmail = gql`
 
 export const selectAccountByTicket = gql`
   query($ticket: uuid!) {
-    auth_accounts(where: { ticket: { _eq: $ticket } }) {
+    auth_accounts(where: { _and: [{ ticket: { _eq: $ticket } }, { ticket_expires_at: { _gt: $now } }] }) {
       ...accountFragment
     }
   }
@@ -200,6 +200,20 @@ export const activateAccount = gql`
   }
 `
 
+export const updateTicketExpiration = gql`
+  mutation($email: citext!, $ticket_expires_at: timestamptz!) {
+    update_auth_accounts(
+      where: { email: { _eq: $email } }
+      _set: { ticket_expires_at: $ticket_expires_at }
+    ) {
+      affected_rows
+      returning {
+        id
+      }
+    }
+  }
+`
+
 export const updateOtpSecret = gql`
   mutation($user_id: uuid!, $otp_secret: String!) {
     update_auth_accounts(

diff --git a/src/shared/types.ts b/src/shared/types.ts
@@ -65,6 +65,7 @@ export interface AccountData {
   account_roles: { role: string }[]
   is_anonymous: boolean
   ticket?: string
+  ticket_expires_at: string
   otp_secret?: string
   mfa_enabled: boolean
   password_hash: string