feat: mandatory password change on login + UI fixes

server/graph/resolvers/authentication.js

@@ -7,16 +7,16 @@ const graphHelper = require('../../helpers/graph')
 
 module.exports = {
   Query: {
-    async authentication() { return {} }
+    async authentication () { return {} }
   },
   Mutation: {
-    async authentication() { return {} }
+    async authentication () { return {} }
   },
   AuthenticationQuery: {
     /**
      * Fetch active authentication strategies
      */
-    async strategies(obj, args, context, info) {
+    async strategies (obj, args, context, info) {
       let strategies = await WIKI.models.authentication.getStrategies(args.isEnabled)
       strategies = strategies.map(stg => {
         const strategyInfo = _.find(WIKI.data.authentication, ['key', stg.key]) || {}
@@ -44,7 +44,7 @@ module.exports = {
     /**
      * Perform Login
      */
-    async login(obj, args, context) {
+    async login (obj, args, context) {
       try {
         const authResult = await WIKI.models.users.login(args, context)
         return {
@@ -63,7 +63,7 @@ module.exports = {
     /**
      * Perform 2FA Login
      */
-    async loginTFA(obj, args, context) {
+    async loginTFA (obj, args, context) {
       try {
         const authResult = await WIKI.models.users.loginTFA(args, context)
         return {
@@ -74,10 +74,24 @@ module.exports = {
         return graphHelper.generateError(err)
       }
     },
+    /**
+     * Perform Mandatory Password Change after Login
+     */
+    async loginChangePassword (obj, args, context) {
+      try {
+        const authResult = await WIKI.models.users.loginChangePassword(args, context)
+        return {
+          ...authResult,
+          responseResult: graphHelper.generateSuccess('Password changed successfully')
+        }
+      } catch (err) {
+        return graphHelper.generateError(err)
+      }
+    },
     /**
      * Register a new account
      */
-    async register(obj, args, context) {
+    async register (obj, args, context) {
       try {
         await WIKI.models.users.register({ ...args, verify: true }, context)
         return {
@@ -90,7 +104,7 @@ module.exports = {
     /**
      * Update Authentication Strategies
      */
-    async updateStrategies(obj, args, context) {
+    async updateStrategies (obj, args, context) {
       try {
         WIKI.config.auth = {
           audience: _.get(args, 'config.audience', WIKI.config.auth.audience),
@@ -122,7 +136,7 @@ module.exports = {
     /**
      * Generate New Authentication Public / Private Key Certificates
      */
-    async regenerateCertificates(obj, args, context) {
+    async regenerateCertificates (obj, args, context) {
       try {
         await WIKI.auth.regenerateCertificates()
         return {
@@ -135,7 +149,7 @@ module.exports = {
     /**
      * Reset Guest User
      */
-    async resetGuestUser(obj, args, context) {
+    async resetGuestUser (obj, args, context) {
       try {
         await WIKI.auth.resetGuestUser()
         return {

server/graph/resolvers/site.js

@@ -17,7 +17,8 @@ module.exports = {
         company: WIKI.config.company,
         ...WIKI.config.seo,
         ...WIKI.config.logo,
-        ...WIKI.config.features
+        ...WIKI.config.features,
+        ...WIKI.config.security
       }
     }
   },
@@ -42,7 +43,15 @@ module.exports = {
           featurePageComments: args.featurePageComments,
           featurePersonalWikis: args.featurePersonalWikis
         }
-        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'seo', 'logo', 'features'])
+        WIKI.config.security = {
+          securityIframe: args.securityIframe,
+          securityReferrerPolicy: args.securityReferrerPolicy,
+          securityHSTS: args.securityHSTS,
+          securityHSTSDuration: args.securityHSTSDuration,
+          securityCSP: args.securityCSP,
+          securityCSPDirectives: args.securityCSPDirectives
+        }
+        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'seo', 'logo', 'features', 'security'])
 
         return {
           responseResult: graphHelper.generateSuccess('Site configuration updated successfully')

server/graph/schemas/authentication.graphql

@@ -32,9 +32,14 @@ type AuthenticationMutation {
   ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
 
   loginTFA(
-    loginToken: String!
+    continuationToken: String!
     securityCode: String!
-  ): DefaultResponse @rateLimit(limit: 5, duration: 60)
+  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
+
+  loginChangePassword(
+    continuationToken: String!
+    newPassword: String!
+  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
 
   register(
     email: String!
@@ -76,8 +81,9 @@ type AuthenticationStrategy {
 type AuthenticationLoginResponse {
   responseResult: ResponseStatus
   jwt: String
-  tfaRequired: Boolean
-  tfaLoginToken: String
+  mustChangePwd: Boolean
+  mustProvideTFA: Boolean
+  continuationToken: String
 }
 
 type AuthenticationRegisterResponse {

server/graph/schemas/site.graphql

@@ -36,6 +36,12 @@ type SiteMutation {
     featurePageRatings: Boolean!
     featurePageComments: Boolean!
     featurePersonalWikis: Boolean!
+    securityIframe: Boolean!
+    securityReferrerPolicy: Boolean!
+    securityHSTS: Boolean!
+    securityHSTSDuration: Int!
+    securityCSP: Boolean!
+    securityCSPDirectives: String!
   ): DefaultResponse @auth(requires: ["manage:system"])
 }
 
@@ -56,4 +62,10 @@ type SiteConfig {
   featurePageRatings: Boolean!
   featurePageComments: Boolean!
   featurePersonalWikis: Boolean!
+  securityIframe: Boolean!
+  securityReferrerPolicy: Boolean!
+  securityHSTS: Boolean!
+  securityHSTSDuration: Int!
+  securityCSP: Boolean!
+  securityCSPDirectives: String!
 }

server/graph/schemas/user.graphql

@@ -89,6 +89,8 @@ type User {
   providerKey: String!
   providerId: String
   isSystem: Boolean!
+  isActive: Boolean!
+  isVerified: Boolean!
   location: String!
   jobTitle: String!
   timezone: String!