housingbayarea · emilyjablonski · Jun 25, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -24,6 +24,10 @@ executors:
       TEST_DATABASE_URL: "postgres://bloom-ci@localhost:5432/bloom"
       PARTNERS_PORTAL_URL: "http://localhost:3001"
       JURISDICTION_NAME: Alameda
+      GOOGLE_API_EMAIL: "secret-key"
+      GOOGLE_API_ID: "secret-key"
+      GOOGLE_API_KEY: "secret-key"
+      GOOGLE_CLOUD_PROJECT_ID: "secret-key"
   standard-node:
     docker:
       - image: "cimg/node:18.14.2"
@@ -188,7 +192,6 @@ jobs:
             APP_SECRET: "CI-LONG-SECRET-KEY"
             # DB URL for migration and seeds:
             DATABASE_URL: "postgres://bloom-ci@localhost:5432/bloom_prisma"
-
 
 workflows:
   build:

diff --git a/api/.env.template b/api/.env.template
@@ -54,3 +54,11 @@ THROTTLE_LIMIT=100
 API_PASS_KEY="some-key-here"
 # this is used to test the script runner's data transfer job
 TEST_CONNECTION_STRING=""
+# recaptcha api key, if set enables recaptcha on backend
+RECAPTCHA_KEY=
+# needed for recaptcha setup
+GOOGLE_CLOUD_PROJECT_ID=
+# the score from 0 to 1 that a recaptcha check must pass to continue without 2fa
+RECAPTCHA_THRESHOLD=0.7
+# if scores should block login flows
+ENABLE_RECAPTCHA=TRUE
diff --git a/api/package.json b/api/package.json
@@ -33,6 +33,7 @@
     "setup:dev": "yarn install && yarn prisma generate && yarn build && yarn db:setup"
   },
   "dependencies": {
+    "@google-cloud/recaptcha-enterprise": "^5.8.0",
     "@google-cloud/translate": "^7.2.1",
     "@nestjs/axios": "~3.0.0",
     "@nestjs/common": "^10.3.2",

diff --git a/api/src/controllers/auth.controller.ts b/api/src/controllers/auth.controller.ts
@@ -46,8 +46,17 @@ export class AuthController {
   async login(
     @Request() req: ExpressRequest,
     @Response({ passthrough: true }) res: ExpressResponse,
+    @Body() dto: Login,
   ): Promise<SuccessDTO> {
-    return await this.authService.setCredentials(res, mapTo(User, req['user']));
+    return await this.authService.setCredentials(
+      res,
+      mapTo(User, req['user']),
+      undefined,
+      dto.reCaptchaToken,
+      !!process.env.RECAPTCHA_KEY,
+      !!dto.mfaCode,
+      process.env.ENABLE_RECAPTCHA === 'TRUE',
+    );
   }
 
   @Post('loginViaSingleUseCode')

diff --git a/api/src/dtos/auth/login.dto.ts b/api/src/dtos/auth/login.dto.ts
@@ -27,4 +27,9 @@ export class Login {
   @IsEnum(MfaType, { groups: [ValidationsGroupsEnum.default] })
   @ApiPropertyOptional({ enum: MfaType, enumName: 'MfaType' })
   mfaType?: MfaType;
+
+  @Expose()
+  @IsString({ groups: [ValidationsGroupsEnum.default] })
+  @ApiPropertyOptional()
+  reCaptchaToken?: string;
 }
diff --git a/api/src/passports/single-use-code.strategy.ts b/api/src/passports/single-use-code.strategy.ts
@@ -70,12 +70,6 @@ export class SingleUseCodeStrategy extends PassportStrategy(
       );
     }
 
-    if (!juris.allowSingleUseCodeLogin) {
-      throw new BadRequestException(
-        `Single use code login is not setup for ${jurisName}`,
-      );
-    }
-
     const rawUser = await this.prisma.userAccounts.findFirst({
       include: {
         userRoles: true,

diff --git a/api/src/services/auth.service.ts b/api/src/services/auth.service.ts
@@ -6,6 +6,7 @@ import {
 } from '@nestjs/common';
 import { CookieOptions, Response } from 'express';
 import { sign, verify } from 'jsonwebtoken';
+import { RecaptchaEnterpriseServiceClient } from '@google-cloud/recaptcha-enterprise';
 import { Prisma } from '@prisma/client';
 import { UpdatePassword } from '../dtos/auth/update-password.dto';
 import { MfaType } from '../enums/mfa/mfa-type-enum';
@@ -84,11 +85,74 @@ export class AuthService {
     res: Response,
     user: User,
     incomingRefreshToken?: string,
+    reCaptchaToken?: string,
+    reCaptchaConfigured?: boolean,
+    mfaCode?: boolean,
+    shouldReCaptchaBlockLogin?: boolean,
   ): Promise<SuccessDTO> {
     if (!user?.id) {
       throw new UnauthorizedException('no user found');
     }
 
+    if (reCaptchaConfigured && !user.mfaEnabled && !mfaCode) {
+      const client = new RecaptchaEnterpriseServiceClient({
+        credentials: {
+          private_key: process.env.GOOGLE_API_KEY.replace(/\\n/gm, '\n'),
+          client_email: process.env.GOOGLE_API_EMAIL,
+        },
+        projectID: process.env.GOOGLE_API_ID,
+      });
+
+      const request = {
+        assessment: {
+          event: {
+            token: reCaptchaToken,
+            siteKey: process.env.RECAPTCHA_KEY,
+          },
+        },
+        parent: client.projectPath(process.env.GOOGLE_CLOUD_PROJECT_ID),
+      };
+
+      const [response] = await client.createAssessment(request);
+      client.close();
+
+      if (!response.tokenProperties.valid && shouldReCaptchaBlockLogin) {
+        throw new UnauthorizedException({
+          name: 'failedReCaptchaToken',
+          knownError: true,
+          message: `The ReCaptcha CreateAssessment call failed because the token was: ${response.tokenProperties.invalidReason}`,
+        });
+      }
+
+      if (response.tokenProperties.action === 'login') {
+        response.riskAnalysis.reasons.forEach((reason) => {
+          console.log(reason);
+        });
+
+        console.log(`The ReCaptcha score is ${response.riskAnalysis.score}`);
+
+        const threshold = parseFloat(process.env.RECAPTCHA_THRESHOLD);
+
+        if (
+          response.riskAnalysis.score < threshold &&
+          shouldReCaptchaBlockLogin
+        ) {
+          throw new UnauthorizedException({
+            name: 'failedReCaptchaScore',
+            knownError: true,
+            message: `ReCaptcha failed because the score was ${response.riskAnalysis.score}`,
+          });
+        }
+      } else {
+        if (shouldReCaptchaBlockLogin)
+          throw new UnauthorizedException({
+            name: 'failedReCaptchaAction',
+            knownError: true,
+            message: `ReCaptcha failed because the action didn't match, action was: ${response.tokenProperties.action}`,
+          });
+      }
+    }
+
     if (incomingRefreshToken) {
       // if token is provided, verify that its the correct refresh token
       const userCount = await this.prisma.userAccounts.count({
@@ -190,12 +254,6 @@ export class AuthService {
       UserViews.full,
     );
 
-    if (!user.mfaEnabled) {
-      throw new UnauthorizedException(
-        `user ${dto.email} requested an mfa code, but has mfa disabled`,
-      );
-    }
-
     if (!(await isPasswordValid(user.passwordHash, dto.password))) {
       throw new UnauthorizedException(
         `user ${dto.email} requested an mfa code, but provided incorrect password`,

diff --git a/api/src/services/user.service.ts b/api/src/services/user.service.ts
@@ -984,12 +984,6 @@ export class UserService {
       );
     }
 
-    if (!juris.allowSingleUseCodeLogin) {
-      throw new BadRequestException(
-        `Single use code login is not setup for ${jurisdictionName}`,
-      );
-    }
-
     const singleUseCode = generateSingleUseCode(
       Number(process.env.MFA_CODE_LENGTH),
     );

diff --git a/api/test/integration/user.e2e-spec.ts b/api/test/integration/user.e2e-spec.ts
@@ -778,50 +778,6 @@ describe('User Controller Tests', () => {
     expect(user.singleUseCodeUpdatedAt).not.toBeNull();
   });
 
-  it('should request single use code, but jurisdiction does not allow', async () => {
-    const storedUser = await prisma.userAccounts.create({
-      data: await userFactory({
-        roles: { isAdmin: true },
-        mfaEnabled: true,
-        confirmedAt: new Date(),
-        phoneNumber: '111-111-1111',
-        phoneNumberVerified: true,
-      }),
-    });
-
-    const jurisdiction = await prisma.jurisdictions.create({
-      data: {
-        name: 'single_use_code_2',
-        allowSingleUseCodeLogin: false,
-        rentalAssistanceDefault: 'test',
-      },
-    });
-    emailService.sendSingleUseCode = jest.fn();
-
-    const res = await request(app.getHttpServer())
-      .post('/user/request-single-use-code')
-      .set({ passkey: process.env.API_PASS_KEY || '' })
-      .send({
-        email: storedUser.email,
-      } as RequestMfaCode)
-      .set({ jurisdictionname: jurisdiction.name })
-      .expect(400);
-
-    expect(res.body.message).toEqual(
-      'Single use code login is not setup for single_use_code_2',
-    );
-
-    expect(emailService.sendSingleUseCode).not.toHaveBeenCalled();
-
-    const user = await prisma.userAccounts.findUnique({
-      where: {
-        id: storedUser.id,
-      },
-    });
-
-    expect(user.singleUseCode).toBeNull();
-  });
-
   it('should request single use code, but user does not exist', async () => {
     const jurisdiction = await prisma.jurisdictions.create({
       data: {

diff --git a/api/test/jest-with-coverage.config.js b/api/test/jest-with-coverage.config.js
@@ -28,5 +28,4 @@ module.exports = {
       lines: 85,
     },
   },
-  workerIdleMemoryLimit: '70%',
 };
diff --git a/api/test/unit/passports/single-use-code.strategy.spec.ts b/api/test/unit/passports/single-use-code.strategy.spec.ts
@@ -515,60 +515,6 @@ describe('Testing single-use-code strategy', () => {
     });
   });
 
-  it('should fail if jurisdiction disallows single use code login', async () => {
-    const id = randomUUID();
-    prisma.userAccounts.findFirst = jest.fn().mockResolvedValue({
-      id: id,
-      lastLoginAt: new Date(),
-      failedLoginAttemptsCount: 0,
-      confirmedAt: new Date(),
-      passwordValidForDays: 100,
-      passwordUpdatedAt: new Date(),
-      userRoles: { isAdmin: false },
-      passwordHash: await passwordToHash('Abcdef12345!'),
-      mfaEnabled: true,
-      phoneNumberVerified: false,
-      singleUseCode: 'zyxwv',
-      singleUseCodeUpdatedAt: new Date(0),
-    });
-
-    prisma.userAccounts.update = jest.fn().mockResolvedValue({ id });
-
-    prisma.jurisdictions.findFirst = jest.fn().mockResolvedValue({
-      id: randomUUID(),
-      allowSingleUseCodeLogin: false,
-    });
-
-    const request = {
-      body: {
-        email: '[email protected]',
-        singleUseCode: 'zyxwv',
-      } as LoginViaSingleUseCode,
-      headers: { jurisdictionname: 'juris 1' },
-    };
-
-    await expect(
-      async () => await strategy.validate(request as unknown as Request),
-    ).rejects.toThrowError(`Single use code login is not setup for juris 1`);
-
-    expect(prisma.userAccounts.findFirst).not.toHaveBeenCalled();
-
-    expect(prisma.userAccounts.update).not.toHaveBeenCalled();
-
-    expect(prisma.jurisdictions.findFirst).toHaveBeenCalledWith({
-      select: {
-        id: true,
-        allowSingleUseCodeLogin: true,
-      },
-      where: {
-        name: 'juris 1',
-      },
-      orderBy: {
-        allowSingleUseCodeLogin: OrderByEnum.DESC,
-      },
-    });
-  });
-
   it('should fail if jurisdiction is missing from header', async () => {
     const id = randomUUID();
     prisma.userAccounts.findFirst = jest.fn().mockResolvedValue({
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,5 +28,4 @@ module.exports = { @@
           lines: 85,
         },
       },
-      workerIdleMemoryLimit: '70%',
     };