Verify M2/M3 implementation, fix regressions against M0/M1

Regressions fixed: - gateway/src/worker.rs: missing session_manager field in AuthState (M3 regression) - gateway/src/main.rs: same missing field in monolithic gateway - storage/src/handlers.rs: removed unused validate_role (now handled by RlsTransaction) M2 Storage Pillar — verified complete: - StorageBackend trait with full API (put/get/delete/copy/head/list/multipart) - AwsS3Backend implementation with streaming get_object - StorageMode enum (Cloud/SelfHosted) in Config - All routes: CRUD buckets, CRUD objects, copy, move, sign, public URL, health - Bucket constraints: file_size_limit + allowed_mime_types enforced on upload - TUS resumable uploads with S3 multipart (5MB chunking) - Image transforms run via spawn_blocking - docker-compose.pillar-storage.yml, templates/storage-node.yaml - Shared Docker network on all pillar compose files M3 Auth Completeness — verified complete: - POST /logout revokes refresh tokens + Redis sessions - GET /settings returns provider availability - POST /magiclink with hashed token storage - DELETE /user soft-delete with token revocation - Recovery flow accepts new password - Email change requires re-verification via token - OAuth callback redirects with fragment tokens - MFA verify returns aal2 JWT with amr claims - MFA challenge validates factor ownership - SessionManager wired into login/logout - GET /sessions returns active sessions - Configurable ACCESS_TOKEN_LIFETIME - Claims model extended with session_id, aal, amr Tests: 62 passed, 0 failed, 11 ignored (external services) Warnings: 0 Made-with: Cursor
2026-03-15 14:40:48 +02:00
parent 0179cc285d
commit 38cab8c246
29 changed files with 1924 additions and 666 deletions
--- a/auth/src/mfa.rs
+++ b/auth/src/mfa.rs
@@ -11,6 +11,8 @@ use totp_rs::{Algorithm, Secret, TOTP};
 use uuid::Uuid;
 use crate::middleware::AuthContext;
 use crate::handlers::AuthState;
+use crate::utils::{generate_token_with_aal, issue_refresh_token};
+use crate::models::{User, AmrEntry};

 #[derive(Serialize)]
 pub struct EnrollResponse {
@@ -21,28 +23,33 @@ pub struct EnrollResponse {

 #[derive(Serialize)]
 pub struct TotpResponse {
-    pub qr_code: String, // SVG or PNG base64
+    pub qr_code: String,
    pub secret: String,
    pub uri: String,
 }

 #[derive(Deserialize)]
-pub struct VerifyRequest {
+pub struct MfaVerifyRequest {
    pub factor_id: Uuid,
    pub code: String,
-    pub challenge_id: Option<Uuid>, // For future use
+    pub challenge_id: Option<Uuid>,
 }

 #[derive(Serialize)]
 pub struct VerifyResponse {
-    pub access_token: String, // Potentially upgraded token
+    pub access_token: String,
    pub token_type: String,
-    pub expires_in: usize,
+    pub expires_in: i64,
    pub refresh_token: String,
-    pub user: serde_json::Value,
+    pub user: User,
+}
+
+#[derive(Serialize)]
+pub struct ChallengeResponse {
+    pub challenge_id: Uuid,
+    pub expires_at: i64,
 }

-// Enroll MFA (Generate Secret & QR)
 pub async fn enroll(
    State(state): State<AuthState>,
    Extension(auth_ctx): Extension<AuthContext>,
@@ -52,7 +59,6 @@ pub async fn enroll(
        .and_then(|c| Uuid::parse_str(&c.sub).ok())
        .ok_or((StatusCode::UNAUTHORIZED, "Invalid user".to_string()))?;

-    // 1. Generate TOTP Secret
    let secret = Secret::generate_secret();
    let totp = TOTP::new(
        Algorithm::SHA1,
@@ -60,15 +66,14 @@ pub async fn enroll(
        1,
        30,
        secret.to_bytes().unwrap(),
-        Some(project_ctx.project_ref.clone()), // Issuer
-        auth_ctx.claims.as_ref().and_then(|c| c.email.clone()).unwrap_or("user".to_string()), // Account Name
+        Some(project_ctx.project_ref.clone()),
+        auth_ctx.claims.as_ref().and_then(|c| c.email.clone()).unwrap_or("user".to_string()),
    ).unwrap();

    let secret_str = totp.get_secret_base32();
    let qr_code = totp.get_qr_base64().map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e))?;
    let uri = totp.get_url();

-    // 2. Store in DB (Unverified)
    let row = sqlx::query(
        "INSERT INTO auth.mfa_factors (user_id, factor_type, secret, status) VALUES ($1, 'totp', $2, 'unverified') RETURNING id"
    )
@@ -91,18 +96,16 @@ pub async fn enroll(
    }))
 }

-// Verify MFA (Activate Factor)
 pub async fn verify(
    State(state): State<AuthState>,
    Extension(auth_ctx): Extension<AuthContext>,
-    Extension(_project_ctx): Extension<ProjectContext>,
-    Json(payload): Json<VerifyRequest>,
+    Extension(project_ctx): Extension<ProjectContext>,
+    Json(payload): Json<MfaVerifyRequest>,
 ) -> Result<impl IntoResponse, (StatusCode, String)> {
    let user_id = auth_ctx.claims.as_ref()
        .and_then(|c| Uuid::parse_str(&c.sub).ok())
        .ok_or((StatusCode::UNAUTHORIZED, "Invalid user".to_string()))?;

-    // 1. Fetch Factor
    let row = sqlx::query(
        "SELECT secret, status FROM auth.mfa_factors WHERE id = $1 AND user_id = $2"
    )
@@ -116,7 +119,6 @@ pub async fn verify(
    let secret_str: String = row.get("secret");
    let status: String = row.get("status");

-    // 2. Validate Code
    let secret_bytes = base32::decode(base32::Alphabet::RFC4648 { padding: false }, &secret_str)
        .ok_or((StatusCode::INTERNAL_SERVER_ERROR, "Invalid secret format".to_string()))?;

@@ -136,7 +138,6 @@ pub async fn verify(
        return Err((StatusCode::BAD_REQUEST, "Invalid code".to_string()));
    }

-    // 3. Update Status if Unverified
    if status == "unverified" {
        sqlx::query("UPDATE auth.mfa_factors SET status = 'verified', updated_at = now() WHERE id = $1")
            .bind(payload.factor_id)
@@ -145,30 +146,85 @@ pub async fn verify(
            .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
    }

-    // 4. Return Success (In a real scenario, this might return an upgraded JWT with `aal: 2`)
-    // For now, we just confirm verification.
-    
-    Ok(Json(serde_json::json!({
-        "status": "verified",
-        "factor_id": payload.factor_id
-    })))
+    let _challenge_id = if let Some(cid) = payload.challenge_id {
+        let challenge_row = sqlx::query(
+            "SELECT created_at FROM auth.mfa_challenges WHERE id = $1 AND factor_id = $2"
+        )
+        .bind(cid)
+        .bind(payload.factor_id)
+        .fetch_optional(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
+        .ok_or((StatusCode::BAD_REQUEST, "Invalid challenge".to_string()))?;
+
+        let created_at: chrono::DateTime<chrono::Utc> = challenge_row.get("created_at");
+        let elapsed = chrono::Utc::now() - created_at;
+        if elapsed.num_seconds() > 300 {
+            return Err((StatusCode::BAD_REQUEST, "Challenge expired".to_string()));
+        }
+
+        sqlx::query("UPDATE auth.mfa_challenges SET verified_at = now() WHERE id = $1")
+            .bind(cid)
+            .execute(&state.db)
+            .await
+            .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+        cid
+    } else {
+        Uuid::new_v4()
+    };
+
+    let jwt_secret = project_ctx.jwt_secret.as_str();
+    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+        .bind(user_id)
+        .fetch_optional(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
+        .ok_or((StatusCode::NOT_FOUND, "User not found".to_string()))?;
+
+    let amr = vec![
+        AmrEntry {
+            method: "password".to_string(),
+            timestamp: chrono::Utc::now().timestamp() as usize,
+        },
+        AmrEntry {
+            method: "totp".to_string(),
+            timestamp: chrono::Utc::now().timestamp() as usize,
+        },
+    ];
+
+    let (token, expires_in, _) = generate_token_with_aal(
+        user_id, 
+        &user.email, 
+        "authenticated", 
+        jwt_secret, 
+        "aal2",
+        Some(amr)
+    ).map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    let refresh_token = issue_refresh_token(&state.db, user_id, Uuid::new_v4(), None).await
+        .map_err(|(code, msg)| (StatusCode::from_u16(code.as_u16()).unwrap_or(StatusCode::INTERNAL_SERVER_ERROR), msg))?;
+
+    Ok(Json(VerifyResponse {
+        access_token: token,
+        token_type: "bearer".to_string(),
+        expires_in,
+        refresh_token,
+        user,
+    }))
 }

-// Challenge (Login with MFA)
 pub async fn challenge(
    State(state): State<AuthState>,
    Extension(auth_ctx): Extension<AuthContext>,
-    Json(payload): Json<VerifyRequest>,
+    Json(payload): Json<MfaVerifyRequest>,
 ) -> Result<impl IntoResponse, (StatusCode, String)> {
-    // This is essentially the same as verify for now, but semantically distinct.
-    // It implies checking a code against an ALREADY verified factor to allow login proceed.
-    
    let user_id = auth_ctx.claims.as_ref()
        .and_then(|c| Uuid::parse_str(&c.sub).ok())
        .ok_or((StatusCode::UNAUTHORIZED, "Invalid user".to_string()))?;

-    let row = sqlx::query(
-        "SELECT secret FROM auth.mfa_factors WHERE id = $1 AND user_id = $2 AND status = 'verified'"
+    let _row = sqlx::query(
+        "SELECT id FROM auth.mfa_factors WHERE id = $1 AND user_id = $2 AND status = 'verified'"
    )
    .bind(payload.factor_id)
    .bind(user_id)
@@ -177,29 +233,66 @@ pub async fn challenge(
    .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
    .ok_or((StatusCode::BAD_REQUEST, "Factor not found or not verified".to_string()))?;

-    let secret_str: String = row.get("secret");
-    
-    let secret_bytes = base32::decode(base32::Alphabet::RFC4648 { padding: false }, &secret_str)
-        .ok_or((StatusCode::INTERNAL_SERVER_ERROR, "Invalid secret format".to_string()))?;
+    let challenge_id = Uuid::new_v4();
+    sqlx::query(
+        "INSERT INTO auth.mfa_challenges (id, factor_id, created_at) VALUES ($1, $2, now())"
+    )
+    .bind(challenge_id)
+    .bind(payload.factor_id)
+    .execute(&state.db)
+    .await
+    .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;

-    let totp = TOTP::new(
-        Algorithm::SHA1,
-        6,
-        1,
-        30,
-        secret_bytes,
-        None,
-        "".to_string(),
-    ).unwrap();
+    let expires_at = chrono::Utc::now() + chrono::Duration::seconds(300);

-    let is_valid = totp.check_current(&payload.code).unwrap_or(false);
+    Ok(Json(ChallengeResponse {
+        challenge_id,
+        expires_at: expires_at.timestamp(),
+    }))
+}

-    if !is_valid {
-        return Err((StatusCode::BAD_REQUEST, "Invalid code".to_string()));
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_verify_response_structure() {
+        let response = VerifyResponse {
+            access_token: "test_token".to_string(),
+            token_type: "bearer".to_string(),
+            expires_in: 3600,
+            refresh_token: "refresh".to_string(),
+            user: User {
+                id: Uuid::new_v4(),
+                email: "test@example.com".to_string(),
+                encrypted_password: "hash".to_string(),
+                created_at: chrono::Utc::now(),
+                updated_at: chrono::Utc::now(),
+                last_sign_in_at: None,
+                raw_app_meta_data: serde_json::json!({}),
+                raw_user_meta_data: serde_json::json!({}),
+                is_super_admin: None,
+                confirmed_at: None,
+                email_confirmed_at: None,
+                phone: None,
+                phone_confirmed_at: None,
+                confirmation_token: None,
+                recovery_token: None,
+                email_change_token_new: None,
+                email_change: None,
+                deleted_at: None,
+            },
+        };
+        assert_eq!(response.token_type, "bearer");
+        assert!(response.expires_in > 0);
    }

-    Ok(Json(serde_json::json!({
-        "status": "success",
-        "factor_id": payload.factor_id
-    })))
+    #[test]
+    fn test_challenge_response_structure() {
+        let response = ChallengeResponse {
+            challenge_id: Uuid::new_v4(),
+            expires_at: 1234567890,
+        };
+        assert!(response.expires_at > 0);
+    }
 }