chore(vendor): update @lightbasenl/backend (#84)

_This PR is created by sync and will be force-pushed daily. Overwriting any manual changes done to this PR._ - feat(backend): remove LPC_AUTH_REDUCE_ERROR_KEY_INFO flag (lightbasenl/platform-components@10d1789)- Failed to execute `npx compas lint`. Sync is not able to correct this, so human checks and fixes are necessary for this PR. Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
lightbasenl · Mar 25, 2024 · 1870188 · 1870188
1 parent d1c1b9d
commit 1870188
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 83 deletions.
diff --git a/vendor/backend/package.json b/vendor/backend/package.json
@@ -29,5 +29,5 @@
     "url": "https://github.com/lightbasenl/platform-components.git",
     "directory": "packages/backend"
   },
-  "gitHead": "e781b16f3a20fbdfe07f18fd3f537379ba13a53e"
+  "gitHead": "10d17891e252e6f8d231a26057f41ea8189ee3ea"
 }
diff --git a/vendor/backend/src/auth/password-based/events.js b/vendor/backend/src/auth/password-based/events.js
@@ -9,7 +9,6 @@ import {
 import { query, queueWorkerAddJob } from "@compas/store";
 import bcrypt from "bcrypt";
 import speakeasy from "speakeasy";
-import { featureFlagGetDynamic } from "../../feature-flag/events.js";
 import {
   passwordBasedForcePasswordResetAfterSixMonths,
   passwordBasedRollingLoginAttemptBlock,
@@ -77,26 +76,15 @@ export async function authPasswordBasedLogin(event, sql, resolvedTenant, body) {
     },
   }).exec(sql);
 
-  const reduceErrorKeyInfoFlag = await featureFlagGetDynamic(
-    newEventFromEvent(event),
-    undefined,
-    undefined,
-    "__FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO",
-  );
-
   if (isNil(user)) {
-    if (reduceErrorKeyInfoFlag) {
-      // Do some work to prevent time-base leaking that the user is known.
-      await bcrypt.compare(
-        "abcdefghijk",
-        `$2b$${BCRYPT_DEFAULT_COST}$t7oxiwchWGHa/B9w0AzrYO2WH2rQbA86YSuQjSTmwIrpC/0ZXN7V2`,
-      );
-      throw AppError.validationError(
-        "authPasswordBased.login.invalidEmailPasswordCombination",
-      );
-    } else {
-      throw AppError.validationError("authPasswordBased.login.unknownEmail");
-    }
+    // Do some work to prevent time-base leaking that the user is known.
+    await bcrypt.compare(
+      "abcdefghijk",
+      `$2b$${BCRYPT_DEFAULT_COST}$t7oxiwchWGHa/B9w0AzrYO2WH2rQbA86YSuQjSTmwIrpC/0ZXN7V2`,
+    );
+    throw AppError.validationError(
+      "authPasswordBased.login.invalidEmailPasswordCombination",
+    );
   }
 
   if (passwordBasedRollingLoginAttemptBlock) {
@@ -448,23 +436,10 @@ export async function authPasswordBasedVerifyEmail(
     (it) => it.resetToken === body.verifyToken,
   );
 
-  const reduceErrorKeyInfoFlag = await featureFlagGetDynamic(
-    newEventFromEvent(event),
-    undefined,
-    undefined,
-    "__FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO",
-  );
-
   if (token?.shouldSetPassword) {
-    if (reduceErrorKeyInfoFlag) {
-      throw AppError.validationError(
-        "authPasswordBased.verifyEmail.invalidVerifyToken",
-      );
-    } else {
-      throw AppError.validationError(
-        "authPasswordBased.verifyEmail.useResetPassword",
-      );
-    }
+    throw AppError.validationError(
+      "authPasswordBased.verifyEmail.invalidVerifyToken",
+    );
   }
 
   // @ts-expect-error
@@ -549,23 +524,10 @@ export async function authPasswordBasedResetPassword(
     (it) => it.resetToken === body.resetToken,
   );
 
-  const reduceErrorKeyInfoFlag = await featureFlagGetDynamic(
-    newEventFromEvent(event),
-    undefined,
-    undefined,
-    "__FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO",
-  );
-
   if (!token?.shouldSetPassword) {
-    if (reduceErrorKeyInfoFlag) {
-      throw AppError.validationError(
-        "authPasswordBased.resetPassword.invalidResetToken",
-      );
-    } else {
-      throw AppError.validationError(
-        "authPasswordBased.resetPassword.useVerifyEmail",
-      );
-    }
+    throw AppError.validationError(
+      "authPasswordBased.resetPassword.invalidResetToken",
+    );
   }
 
   await queries.passwordLoginUpdate(sql, {
@@ -634,24 +596,11 @@ export async function authPasswordBasedForgotPassword(
     },
   }).exec(sql);
 
-  const reduceErrorKeyInfoFlag = await featureFlagGetDynamic(
-    newEventFromEvent(event),
-    undefined,
-    undefined,
-    "__FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO",
-  );
-
   if (isNil(user)) {
-    if (reduceErrorKeyInfoFlag) {
-      // Silently ignore, we may want to do some work here still. However, the timing
-      // diff won't be that obvious like with password comparing.
-      eventStop(event);
-      return;
-    }
-
-    throw AppError.validationError(
-      "authPasswordBased.forgotPassword.unknownEmail",
-    );
+    // Silently ignore, we may want to do some work here still. However, the timing
+    // diff won't be that obvious like with password comparing.
+    eventStop(event);
+    return;
   }
 
   const expiresAt = new Date();

diff --git a/vendor/backend/src/auth/password-based/structure.js b/vendor/backend/src/auth/password-based/structure.js
@@ -136,8 +136,6 @@ export async function extendWithAuthPasswordBased(app) {
         Errors:
         - \`authPasswordBased.verifyEmail.invalidVerifyToken\` -> unknown token or token
             expired. Redirect user to do a 'forgotPassword' flow.
-        - \`authPasswordBased.verifyEmail.useResetPassword\` -> token is for
-            \`resetPassword\` instead of \`verifyEmail\` (unused after __FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO)
         `,
       )
       .body({
@@ -152,8 +150,7 @@ export async function extendWithAuthPasswordBased(app) {
 tokens expire in 24 hours.
 
 Errors:
-- \`authPasswordBased.forgotPassword.unknownEmail\` -> email is unknown in the
-  platform (unused after __FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO)`,
+`,
       )
       .body({
         email,
@@ -169,8 +166,7 @@ be called multiple times.
 Errors:
 - \`authPasswordBased.resetPassword.invalidResetToken\` -> unknown token or
   expired. Let the user request a new token via \`forgotPassword\`
-- \`authPasswordBased.resetPassword.useVerifyEmail\` -> token is a verify token,
-  use \`verifyEmail\` (unused after __FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO)`,
+`,
       )
       .body({
         resetToken: T.string().min(tokenLength),
@@ -183,8 +179,6 @@ Errors:
         `Do a password based login, requires a verified email.
 
 Errors:
-- \`authPasswordBased.login.unknownEmail\` -> can't find a user with the provider
-  email (unused after __FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO)
 - \`authPasswordBased.login.maxAttemptsExceeded\` -> more then 10 login attempts done in a rolling 5 minute interval
 - \`authPasswordBased.login.invalidEmailPasswordCombination\` -> combination of
   email and password is invalid

diff --git a/vendor/backend/src/constants.js b/vendor/backend/src/constants.js
@@ -3,8 +3,4 @@
  *
  * @type {string[]}
  */
-export const lpcInternalFeatureFlags = [
-  // If this feature flag is set, frontend gets a different set of error keys, conveying
-  // less information to protect against enumeration attacks and the like.
-  "__FEATURE_LPC_AUTH_REDUCE_ERROR_KEY_INFO",
-];
+export const lpcInternalFeatureFlags = [];