Check whether ticket has expired on selectAccountByTicket (#493)

* refactor: register ticket_expires_at * fix: check ticket_expires_at * fix: create new ticket on mfa login
nhost · Apr 29, 2021 · 735f27b · 735f27b
1 parent f75959a
commit 735f27b
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 8 deletions.
diff --git a/src/routes/auth/login.ts b/src/routes/auth/login.ts
@@ -5,7 +5,7 @@ import { asyncWrapper, selectAccount } from '@shared/helpers'
 import { newJwtExpiry, createHasuraJwt } from '@shared/jwt'
 import { setRefreshToken } from '@shared/cookies'
 import { loginAnonymouslySchema, loginSchema, magicLinkLoginSchema } from '@shared/validation'
-import { insertAccount } from '@shared/queries'
+import { insertAccount, setNewTicket } from '@shared/queries'
 import { request } from '@shared/request'
 import { AccountData, UserData, Session } from '@shared/types'
 import { emailClient } from '@shared/email'
@@ -77,7 +77,7 @@ async function loginAccount({ body, headers }: Request, res: Response): Promise<
     return res.boom.badRequest('Account does not exist.')
   }
 
-  const { id, mfa_enabled, password_hash, active, ticket, email } = account
+  const { id, mfa_enabled, password_hash, active, email } = account
 
   if (typeof password === 'undefined') {
     const refresh_token = await setRefreshToken(res, id, useCookie)
@@ -131,6 +131,16 @@ async function loginAccount({ body, headers }: Request, res: Response): Promise<
   }
 
   if (mfa_enabled) {
+    const ticket = uuidv4()
+    const ticket_expires_at = new Date(+new Date() + 60 * 60 * 1000)
+
+    // set new ticket
+    await request(setNewTicket, {
+      user_id: account.user.id,
+      ticket,
+      ticket_expires_at
+    })
+
     return res.send({ mfa: true, ticket })
   }
 

diff --git a/src/routes/auth/register.ts b/src/routes/auth/register.ts
@@ -30,9 +30,7 @@ async function registerAccount(req: Request, res: Response): Promise<unknown> {
   let password_hash: string | null = null;
 
   const ticket = uuidv4()
-  const now = new Date()
-  const ticket_expires_at = new Date()
-  ticket_expires_at.setTime(now.getTime() + 60 * 60 * 1000) // active for 60 minutes
+  const ticket_expires_at = new Date(+new Date() + 60 * 60 * 1000).toISOString() // active for 60 minutes
 
   if (typeof password !== 'undefined') {
     try {

diff --git a/src/shared/helpers.ts b/src/shared/helpers.ts
@@ -43,7 +43,10 @@ export const selectAccountByEmail = async (email: string): Promise<AccountData>
 }
 
 export const selectAccountByTicket = async (ticket: string): Promise<AccountData> => {
-  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, { ticket })
+  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, {
+    ticket,
+    now: new Date()
+  })
   if (!hasuraData.auth_accounts[0]) throw new Error('Account does not exist.')
   return hasuraData.auth_accounts[0]
 }

diff --git a/src/shared/queries.ts b/src/shared/queries.ts
@@ -102,8 +102,8 @@ export const selectAccountByEmail = gql`
 `
 
 export const selectAccountByTicket = gql`
-  query($ticket: uuid!) {
-    auth_accounts(where: { ticket: { _eq: $ticket } }) {
+  query($ticket: uuid!, $now: timestamptz!) {
+    auth_accounts(where: { _and: [{ ticket: { _eq: $ticket } }, { ticket_expires_at: { _gt: $now } }] }) {
       ...accountFragment
     }
   }