add defaultDeviceSyncTOTP (#345)

* add defaultDeviceSyncTOTP * always sync TOTP for master device Former-commit-id: ffe818611f5198946da566475fcb891c8dbcde5b [formerly ffa1c7a] Former-commit-id: 627a022
authier-pm · Mar 19, 2023 · d3c2835 · d3c2835
1 parent eba009a
commit d3c2835
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 6 deletions.
diff --git a/backend/gqlSchemas/authier.graphql b/backend/gqlSchemas/authier.graphql
@@ -26,6 +26,7 @@ type UserQuery {
   autofillTOTPEnabled: Boolean!
   uiLanguage: String!
   defaultDeviceTheme: String!
+  defaultDeviceSyncTOTP: Boolean!
   Token: [TokenGQL!]!
   masterDevice: DeviceGQL
   recoveryDecryptionChallenge: DecryptionChallengeGQL
@@ -96,6 +97,7 @@ type UserGQL {
   autofillTOTPEnabled: Boolean!
   uiLanguage: String!
   defaultDeviceTheme: String!
+  defaultDeviceSyncTOTP: Boolean!
   Token: [TokenGQL!]!
   masterDevice: DeviceGQL
   recoveryDecryptionChallenge: DecryptionChallengeGQL
@@ -368,6 +370,7 @@ type UserMutation {
   autofillTOTPEnabled: Boolean!
   uiLanguage: String!
   defaultDeviceTheme: String!
+  defaultDeviceSyncTOTP: Boolean!
   Token: [TokenGQL!]!
   masterDevice: DeviceGQL
   recoveryDecryptionChallenge: DecryptionChallengeGQL

diff --git a/backend/models/DecryptionChallenge.ts b/backend/models/DecryptionChallenge.ts
@@ -62,11 +62,9 @@ export class DecryptionChallengeApproved extends DecryptionChallengeGQL {
   ) {
     const { id, deviceId, userId } = this
 
-    const where = { id: userId }
-
     // TODO use findUnique when prisma bug gets fixed
     const user = await ctx.prisma.user.findFirst({
-      where: where,
+      where: { id: userId },
       include: {
         EncryptedSecrets: true
       }
@@ -110,7 +108,7 @@ export class DecryptionChallengeApproved extends DecryptionChallengeGQL {
 
     if (device) {
       if (device.userId !== user.id) {
-        throw new GraphqlError('Device is already registered for another user')
+        throw new GraphqlError('Device is already registered for another user') // prevents users from circumventing our limits by using multiple accounts
       }
 
       device = await ctx.prisma.device.update({
@@ -121,6 +119,7 @@ export class DecryptionChallengeApproved extends DecryptionChallengeGQL {
       device = await ctx.prisma.device.create({
         data: {
           id: deviceId,
+          syncTOTP: user.defaultDeviceSyncTOTP,
           firstIpAddress: ipAddress,
           lastIpAddress: ipAddress,
           firebaseToken: firebaseToken,

diff --git a/backend/models/Device.spec.ts b/backend/models/Device.spec.ts
@@ -269,6 +269,9 @@ describe('Device', () => {
       // eslint-disable-next-line @typescript-eslint/no-empty-function
       reply: { setCookie: () => {}, clearCookie: () => vi.fn() },
       request: { headers: {} },
+      device: {
+        syncTOTP: true
+      },
       prisma: prismaClient,
       jwtPayload: { userId: userId },
       masterDeviceId: masterDeviceId,
@@ -296,6 +299,26 @@ describe('Device', () => {
       expect(secrets).toHaveLength(user.loginCredentialsLimit)
     })
 
+    it('should not sync TOTP when device has syncTOTP set to false', async () => {
+      testData.push({
+        encrypted: faker.datatype.string(25),
+        kind: EncryptedSecretTypeGQL.TOTP,
+        userId: userId,
+        version: 1
+      })
+      fakeCtx.device.syncTOTP = false
+      await prismaClient.encryptedSecret.createMany({
+        data: testData
+      })
+
+      const res = await deviceQuery.encryptedSecretsToSync(fakeCtx)
+      expect(res).toHaveLength(0)
+
+      fakeCtx.device.syncTOTP = true
+
+      testData.length = 0
+    })
+
     it("should show 'TOTP limit exceeded, remove TOTP secrets'", async () => {
       //Generate fake secrets for user
       const numOverLimit = 5
@@ -304,7 +327,7 @@ describe('Device', () => {
       for (let i = 0; i < user.TOTPlimit + numOverLimit; i++) {
         testData.push({
           encrypted: faker.datatype.string(25),
-          kind: 'TOTP',
+          kind: EncryptedSecretTypeGQL.TOTP,
           userId: userId,
           version: 1
         })

diff --git a/backend/models/Device.ts b/backend/models/Device.ts
@@ -109,19 +109,27 @@ export class DeviceQuery extends DeviceGQL {
         )
       }
 
+      const kindOfSecret =
+        ctx.device.syncTOTP === true
+          ? undefined // returns all secrets
+          : EncryptedSecretTypeGQL.LOGIN_CREDENTIALS // returns only login credentials
+
       const res = await ctx.prisma.encryptedSecret.findMany({
         where: {
           OR: [
             {
               userId: this.userId,
+              kind: kindOfSecret,
               createdAt: lastSyncCondition
             },
             {
               userId: this.userId,
+              kind: kindOfSecret,
               updatedAt: lastSyncCondition
             },
             {
               userId: this.userId,
+              kind: kindOfSecret,
               deletedAt: lastSyncCondition
             }
           ]

diff --git a/backend/models/generated/UserGQL.ts b/backend/models/generated/UserGQL.ts
@@ -55,6 +55,9 @@ export class UserGQLScalars {
 
   @Field()
   defaultDeviceTheme: string
+
+  @Field()
+  defaultDeviceSyncTOTP: boolean
 }
 
 @ObjectType()

diff --git a/backend/prisma/migrations/20230319182414_add_default_device_sync_totp/migration.sql b/backend/prisma/migrations/20230319182414_add_default_device_sync_totp/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "defaultDeviceSyncTOTP" BOOLEAN NOT NULL DEFAULT true;
diff --git a/backend/prisma/prismaClient.ts b/backend/prisma/prismaClient.ts
@@ -19,7 +19,9 @@ console.log('~ dbUrl', dbUrl)
 const workerId = process.env.VITEST_WORKER_ID
 if (workerId) {
   const vitestWorkerId = Number(process.env.VITEST_WORKER_ID) % getDbCount()
-  dbUrl = `${dbUrl}_test_${vitestWorkerId + 1}` // this allows us to run tests in parallel against multiple dbs without conflicts
+  dbUrl = `${dbUrl}_test_${
+    vitestWorkerId + 1
+  }?connection_limit=500&pool_timeout=0&connect_timeout=0` // this allows us to run tests in parallel against multiple dbs without conflicts
 } else {
   log('DATABASE_URL', dbUrl)
 }

diff --git a/backend/prisma/schema.prisma b/backend/prisma/schema.prisma
@@ -186,6 +186,7 @@ model User {
   autofillTOTPEnabled           Boolean @default(true)
   uiLanguage                    String  @default("en")
   defaultDeviceTheme            String  @default("dark")
+  defaultDeviceSyncTOTP         Boolean @default(true)
 
   UsageEvents          SecretUsageEvent[]
   EncryptedSecrets     EncryptedSecret[]

diff --git a/backend/schemas/RootResolver.ts b/backend/schemas/RootResolver.ts
@@ -175,6 +175,7 @@ export class RootResolver {
           TOTPlimit: 3,
           Devices: {
             create: {
+              syncTOTP: true,
               platform: input.devicePlatform,
               id: deviceId,
               firstIpAddress: ipAddress,