feat: email verification

virtual-designer · web-flow · commit edeb162132c4 · 2024-06-08T20:01:03.000Z
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -228,6 +228,7 @@ model VerificationEntry {
     guildId   String
     code      String   @unique
     attempts  Int      @default(0)
+    metadata  Json?
     expiresAt DateTime
     createdAt DateTime @default(now())
     updatedAt DateTime @default(now()) @updatedAt
diff --git a/src/main/typescript/api/controllers/VerificationController.ts b/src/main/typescript/api/controllers/VerificationController.ts
@@ -357,6 +357,121 @@ class VerificationController extends Controller {
             body: { error: "We're unable to verify your Google Account." }
         });
     }
+
+    @Action("POST", "/start-challenge/email")
+    @Validate(
+        z.object({
+            email: z.string().email(),
+            token: z.string()
+        })
+    )
+    public async initiateEmailVerification(request: Request) {
+        if (!env.FRONTEND_KEY) {
+            return new Response({
+                status: 403,
+                body: { error: "Google OAuth is not supported." }
+            });
+        }
+
+        if (request.headers["x-frontend-key"] !== env.FRONTEND_KEY) {
+            return new Response({
+                status: 403,
+                body: { error: "Forbidden request." }
+            });
+        }
+
+        const { email, token } = request.parsedBody ?? {};
+        const entry = await this.verificationService.getVerificationEntry(token);
+
+        if (!entry || entry.code !== token) {
+            return new Response({
+                status: 400,
+                body: { error: "Invalid token." }
+            });
+        }
+
+        const guild = this.application.client.guilds.cache.get(entry.guildId);
+
+        if (!guild) {
+            return new Response({
+                status: 400,
+                body: { error: "Guild not found." }
+            });
+        }
+
+        const emailToken = await this.verificationService.generateEmailToken(entry, email);
+
+        if (!emailToken) {
+            return new Response({
+                status: 403,
+                body: { error: "Cannot initiate verification." }
+            });
+        }
+
+        return new Response({
+            status: 200,
+            body: {
+                emailToken,
+                email,
+                guild
+            }
+        });
+    }
+
+    @Action("POST", "/challenge/email")
+    @Validate(
+        z.object({
+            email: z.string().email(),
+            token: z.string(),
+            emailToken: z.string()
+        })
+    )
+    public async verifyByEmail(request: Request) {
+        const { email, token, emailToken } = request.parsedBody ?? {};
+        const entry = await this.verificationService.getVerificationEntry(token);
+
+        if (
+            !entry ||
+            entry.code !== token ||
+            !entry.metadata ||
+            typeof entry.metadata !== "object" ||
+            !("emailToken" in entry.metadata) ||
+            entry.metadata.emailToken !== emailToken
+        ) {
+            return new Response({
+                status: 403,
+                body: { error: "We're unable to verify you, please try again." }
+            });
+        }
+
+        const result = await this.application
+            .service("verificationService")
+            .verifyWithEntry(entry, {
+                email,
+                method: VerificationMethod.EMAIL
+            });
+
+        if (!result) {
+            return new Response({
+                status: 403,
+                body: { error: "We're unable to verify you, please try again." }
+            });
+        }
+
+        if (result.error === "record_exists") {
+            return new Response({
+                status: 403,
+                body: { error: "You cannot use this account to verify." }
+            });
+        }
+
+        return new Response({
+            status: 200,
+            body: {
+                message: "You have been verified successfully."
+            }
+        });
+    }
 }
 
 export default VerificationController;
diff --git a/src/main/typescript/automod/VerificationService.ts b/src/main/typescript/automod/VerificationService.ts
@@ -267,6 +267,41 @@ class VerificationService extends Service {
             userId: member.id
         };
     }
+
+    public async generateEmailToken(entry: VerificationEntry, email: string) {
+        const config = this.configFor(entry.guildId);
+
+        if (!config?.enabled) {
+            return null;
+        }
+
+        const token = jwt.sign(
+            {
+                guildId: entry.guildId,
+                userId: entry.userId,
+                email
+            },
+            env.JWT_SECRET,
+            {
+                expiresIn: "6h",
+                issuer: env.JWT_ISSUER
+            }
+        );
+
+        await this.application.prisma.verificationEntry.update({
+            where: {
+                id: entry.id
+            },
+            data: {
+                metadata: {
+                    emailToken: token,
+                    email
+                }
+            }
+        });
+
+        return token;
+    }
 }
 
 export type VerificationPayload = {
diff --git a/src/main/typescript/schemas/EnvironmentVariableSchema.ts b/src/main/typescript/schemas/EnvironmentVariableSchema.ts
@@ -40,7 +40,8 @@ export const EnvironmentVariableSchema = z.object({
     GITHUB_CLIENT_ID: z.string().optional(),
     GITHUB_CLIENT_SECRET: z.string().optional(),
     GOOGLE_CLIENT_ID: z.string().optional(),
-    GOOGLE_CLIENT_SECRET: z.string().optional()
+    GOOGLE_CLIENT_SECRET: z.string().optional(),
+    FRONTEND_KEY: z.string().optional()
 });
 
 export type EnvironmentVariableRecord = z.infer<typeof EnvironmentVariableSchema>;
