supabase · J0 · Nov 30, 2023 · Nov 20, 2023 · Nov 20, 2023 · Nov 20, 2023
diff --git a/internal/api/auth_hooks.go b/internal/api/auth_hooks.go
@@ -0,0 +1,149 @@
+package api
+
+import (
+	"encoding/json"
+	"errors"
+	"net/url"
+	"time"
+
+	"fmt"
+	"github.com/gofrs/uuid"
+	"github.com/supabase/gotrue/internal/conf"
+	"github.com/supabase/gotrue/internal/storage"
+	"strings"
+)
+
+type HookType string
+
+const (
+	PostgresHook HookType = "postgres"
+	HTTPHook     HookType = "http"
+)
+
+type AuthHook struct {
+	*conf.ExtensibilityPointConfiguration
+	payload  []byte
+	hookType HookType
+	event    string
+	db       *storage.Connection
+}
+
+// Hook Events
+const (
+	MFAVerificationEvent = "auth.mfa_verfication"
+)
+
+const (
+	defaultTimeout = time.Second * 2
+)
+
+type HookErrorResponse struct {
+	ErrorMessage string `json:"error_message"`
+	ErrorCode    string `json:"error_code"`
+	RetryAfter   bool   `json:"retry_after"`
+}
+
+type MFAVerificationHookResponse struct {
+	Decision string `json:"decision"`
+}
+
+func parseErrorResponse(response []byte) (*HookErrorResponse, error) {
+	var errResp HookErrorResponse
+	err := json.Unmarshal(response, &errResp)
+	if err != nil {
+		return nil, err
+	}
+	if errResp.ErrorMessage != "" {
+		return &errResp, nil
+	}
+	return nil, err
+}
+
+func parseMFAVerificationResponse(response []byte) (*MFAVerificationHookResponse, error) {
+	var MFAVerificationResponse MFAVerificationHookResponse
+	err := json.Unmarshal(response, &MFAVerificationResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MFAVerificationResponse, err
+}
+
+// Functions for encoding and decoding payload
+func CreateMFAVerificationHookInput(user_id uuid.UUID, factor_id uuid.UUID, valid bool) ([]byte, error) {
+	payload := struct {
+		UserID   uuid.UUID `json:"user_id"`
+		FactorID uuid.UUID `json:"factor_id"`
+		Valid    bool      `json:"valid"`
+	}{
+		UserID:   user_id,
+		FactorID: factor_id,
+		Valid:    valid,
+	}
+	data, err := json.Marshal(&payload)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
+func (ah *AuthHook) Trigger() ([]byte, error) {
+	// Parse URI object
+	url, err := url.Parse(ah.ExtensibilityPointConfiguration.URI)
+	if err != nil {
+		return nil, err
+	}
+	// trigger appropriate type of hook
+	switch url.Scheme {
+	case string(PostgresHook):
+		return ah.triggerPostgresHook()
+	case string(HTTPHook):
+		return ah.triggerHTTPHook()
+	default:
+		return nil, errors.New("unsupported hook type")
+	}
+
+	return nil, nil
+}
+
+func (ah *AuthHook) fetchHookName() (string, error) {
+	u, err := url.Parse(ah.ExtensibilityPointConfiguration.URI)
+	if err != nil {
+		return "", err
+	}
+	pathParts := strings.Split(u.Path, "/")
+	if len(pathParts) < 3 {
+		return "", fmt.Errorf("URI path does not contain enough parts")
+	}
+	schema := pathParts[1]
+	table := pathParts[2]
+	// TODO: maybe enforce checks on this name?
+
+	return schema + "." + table, nil
+}
+
+func (ah *AuthHook) triggerPostgresHook() ([]byte, error) {
+	// Determine Result payload and request payload
+	var result []byte
+	hookName, err := ah.fetchHookName()
+	if err != nil {
+		return nil, err
+	}
+	if err := ah.db.Transaction(func(tx *storage.Connection) error {
+		resp := tx.RawQuery(fmt.Sprintf("SELECT %s('%s')", hookName, ah.payload))
+		terr := resp.First(result)
+		if terr != nil {
+			return terr
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	return result, nil
+
+}
+
+func (a *AuthHook) triggerHTTPHook() ([]byte, error) {
+	return nil, errors.New("not implemented error")
+}
diff --git a/internal/api/hooks.go b/internal/api/hooks.go
@@ -28,16 +28,14 @@ type HookEvent string
 
 const (
 	headerHookSignature = "x-webhook-signature"
-	defaultHookRetries  = 3
 	gotrueIssuer        = "gotrue"
 	ValidateEvent       = "validate"
 	SignupEvent         = "signup"
 	EmailChangeEvent    = "email_change"
 	LoginEvent          = "login"
+	defaultHookRetries  = 3
 )
 
-var defaultTimeout = time.Second * 5
-
 type webhookClaims struct {
 	jwt.StandardClaims
 	SHA256 string `json:"sha256"`

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 
+	"errors"
 	"net/url"
 
 	"github.com/aaronarduino/goqrsvg"
@@ -245,7 +246,45 @@ func (a *API) VerifyFactor(w http.ResponseWriter, r *http.Request) error {
 		return badRequestError("%v has expired, verify against another challenge or create a new challenge.", challenge.ID)
 	}
 
-	if valid := totp.Validate(params.Code, factor.Secret); !valid {
+	valid := totp.Validate(params.Code, factor.Secret)
+	if config.Hook.MFA.IsEnabled() {
+		// To allow for future cases where we don't know that the payload is going to be passed in
+
+		payload, err := CreateMFAVerificationHookInput(user.ID, factor.ID, valid)
+		if err != nil {
+			return err
+		}
+
+		h := AuthHook{
+			event:    MFAVerificationEvent,
+			payload:  payload,
+			hookType: PostgresHook,
+			// TODO: find a better way to relay this
+			db: a.db,
+		}
+
+		resp, err := h.Trigger()
+		if err != nil {
+			return err
+		}
+		parsedErrorResponse, err := parseErrorResponse(resp)
+		if err != nil {
+			return err
+		}
+		if parsedErrorResponse != nil {
+			return errors.New(parsedErrorResponse.ErrorMessage)
+		}
+		// TODO: Decide what to do here
+		response, err := parseMFAVerificationResponse(resp)
+		if err != nil {
+			return err
+		}
+		// TODO: don't hard code this and also change to Enum + handle success case
+		if response.Decision == "reject" {
+			return errors.New("has made 5 unsuccssful verification attempts")
+		}
+	}
+	if !valid {
 		return badRequestError("Invalid TOTP code entered")
 	}
 

@@ -36,6 +36,9 @@ type Settings struct {
 	SmsProvider       string           `json:"sms_provider"`
 	MFAEnabled        bool             `json:"mfa_enabled"`
 	SAMLEnabled       bool             `json:"saml_enabled"`
+
+	// TODO: Remove this later. For debugging
+	MFAHook string `json:"mfa_hook"`
 }
 
 func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
@@ -67,6 +70,8 @@ func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
 			Phone:        config.External.Phone.Enabled,
 			Zoom:         config.External.Zoom.Enabled,
 		},
+		// TODO: Remove this too. For debugging
+		MFAHook: config.Hook.MFA.URI,
 
 		DisableSignup:     config.DisableSignup,
 		MailerAutoconfirm: config.Mailer.Autoconfirm,

@@ -158,6 +158,7 @@ type GlobalConfiguration struct {
 	Sms               SmsProviderConfiguration `json:"sms"`
 	DisableSignup     bool                     `json:"disable_signup" split_words:"true"`
 	Webhook           WebhookConfig            `json:"webhook" split_words:"true"`
+	Hook              HookConfiguration        `json:"hook" split_words:"true"`
 	Security          SecurityConfiguration    `json:"security"`
 	Sessions          SessionsConfiguration    `json:"sessions"`
 	MFA               MFAConfiguration         `json:"MFA"`
@@ -379,6 +380,29 @@ type WebhookConfig struct {
 	Events     []string `json:"events"`
 }
 
+// Moving away from the existing HookConfig so we can get a fresh start.
+type HookConfiguration struct {
+	// TODO (Joel): Fix the naming later
+	MFA ExtensibilityPointConfiguration `json:"mfa"`
+}
+
+type ExtensibilityPointConfiguration struct {
+	URI string `json:"uri"`
+}
+
+func (e *ExtensibilityPointConfiguration) ValidateExtensibilityPoint() error {
+	if e.URI != "" {
+		_, err := url.Parse(e.URI)
+		if err != nil {
+			return errors.New("hook entry should be a valid URI")
+		}
+	}
+	return nil
+}
+func (e *ExtensibilityPointConfiguration) IsEnabled() bool {
+	return e.URI != ""
+}
+
 func (w *WebhookConfig) HasEvent(event string) bool {
 	for _, name := range w.Events {
 		if event == name {
@@ -424,7 +448,6 @@ func LoadGlobal(filename string) (*GlobalConfiguration, error) {
 		}
 		config.Sms.SMSTemplate = template
 	}
-
 	return config, nil
 }
 

@@ -15,14 +15,16 @@ func TestMain(m *testing.M) {
 
 func TestGlobal(t *testing.T) {
 	os.Setenv("GOTRUE_SITE_URL", "http://localhost:8080")
-	os.Setenv("GOTRUE_DB_DRIVER", "mysql")
+	os.Setenv("GOTRUE_DB_DRIVER", "postgres")
 	os.Setenv("GOTRUE_DB_DATABASE_URL", "fake")
 	os.Setenv("GOTRUE_OPERATOR_TOKEN", "token")
 	os.Setenv("GOTRUE_API_REQUEST_ID_HEADER", "X-Request-ID")
 	os.Setenv("GOTRUE_JWT_SECRET", "secret")
 	os.Setenv("API_EXTERNAL_URL", "http://localhost:9999")
+	os.Setenv("GOTRUE_HOOK_MFA_URI", "postgres://postgres/auth/count_failed_attempts")
 	gc, err := LoadGlobal("")
 	require.NoError(t, err)
 	require.NotNil(t, gc)
 	assert.Equal(t, "X-Request-ID", gc.API.RequestIDHeader)
+	assert.Equal(t, "postgres://postgres/auth/count_failed_attempts", gc.Hook.MFA.URI)
 }