chore(release): publish new version

- @standardnotes/api-gateway@1.45.1
 - @standardnotes/files-server@1.9.4

.pnp.cjs

@@ -2701,6 +2701,7 @@ const RAW_RUNTIME_STATE =
           ["eslint", "npm:8.25.0"],\
           ["eslint-plugin-prettier", "virtual:c66bf20e88479ada0172094776519a9f51acc4731d22079b60a295bcec7ea42d5545cbce58a77a50d932bf953298799135e99707486e343da6d99ba1d167bdbd#npm:4.2.1"],\
           ["express", "npm:4.18.2"],\
+          ["express-robots-txt", "virtual:04783e12400851b8a3d76e71495851cc94959db6e62f04cb0a31190080629440b182d8c8eb4d7f2b04e281912f2783a5fd4d2c3c6ab68d38b7097246c93f4c19#npm:1.0.0"],\
           ["helmet", "npm:6.0.0"],\
           ["inversify", "npm:6.0.1"],\
           ["inversify-express-utils", "npm:6.4.3"],\
@@ -2990,6 +2991,7 @@ const RAW_RUNTIME_STATE =
           ["eslint", "npm:8.25.0"],\
           ["eslint-plugin-prettier", "virtual:c66bf20e88479ada0172094776519a9f51acc4731d22079b60a295bcec7ea42d5545cbce58a77a50d932bf953298799135e99707486e343da6d99ba1d167bdbd#npm:4.2.1"],\
           ["express", "npm:4.18.2"],\
+          ["express-robots-txt", "virtual:04783e12400851b8a3d76e71495851cc94959db6e62f04cb0a31190080629440b182d8c8eb4d7f2b04e281912f2783a5fd4d2c3c6ab68d38b7097246c93f4c19#npm:1.0.0"],\
           ["express-winston", "virtual:b442cf0427cc365d1c137f7340f9b81f9b204561afe791a8564ae9590c3a7fc4b5f793aaf8817b946f75a3cb64d03ef8790eb847f8b576b41e700da7b00c240c#npm:4.2.0"],\
           ["helmet", "npm:6.0.0"],\
           ["inversify", "npm:6.0.1"],\
@@ -7316,6 +7318,28 @@ const RAW_RUNTIME_STATE =
         "linkType": "HARD"\
       }]\
     ]],\
+    ["express-robots-txt", [\
+      ["npm:1.0.0", {\
+        "packageLocation": "./.yarn/cache/express-robots-txt-npm-1.0.0-dcc8bd8f0a-54f066f6c3.zip/node_modules/express-robots-txt/",\
+        "packageDependencies": [\
+          ["express-robots-txt", "npm:1.0.0"]\
+        ],\
+        "linkType": "SOFT"\
+      }],\
+      ["virtual:04783e12400851b8a3d76e71495851cc94959db6e62f04cb0a31190080629440b182d8c8eb4d7f2b04e281912f2783a5fd4d2c3c6ab68d38b7097246c93f4c19#npm:1.0.0", {\
+        "packageLocation": "./.yarn/__virtual__/express-robots-txt-virtual-0a3eb9f2f5/0/cache/express-robots-txt-npm-1.0.0-dcc8bd8f0a-54f066f6c3.zip/node_modules/express-robots-txt/",\
+        "packageDependencies": [\
+          ["express-robots-txt", "virtual:04783e12400851b8a3d76e71495851cc94959db6e62f04cb0a31190080629440b182d8c8eb4d7f2b04e281912f2783a5fd4d2c3c6ab68d38b7097246c93f4c19#npm:1.0.0"],\
+          ["@types/express", "npm:4.17.14"],\
+          ["express", "npm:4.18.2"]\
+        ],\
+        "packagePeers": [\
+          "@types/express",\
+          "express"\
+        ],\
+        "linkType": "HARD"\
+      }]\
+    ]],\
     ["express-winston", [\
       ["npm:4.2.0", {\
         "packageLocation": "./.yarn/cache/express-winston-npm-4.2.0-e4cfb26486-2d4b37671d.zip/node_modules/express-winston/",\

packages/api-gateway/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.45.1](https://github.com/standardnotes/api-gateway/compare/@standardnotes/api-gateway@1.45.0...@standardnotes/api-gateway@1.45.1) (2023-01-13)
+
+### Bug Fixes
+
+* add robots.txt setup for api-gateway and files server to disallow indexing ([bb82043](https://github.com/standardnotes/api-gateway/commit/bb820437af2b9644d7597de045b5840037b81db3))
+
 # [1.45.0](https://github.com/standardnotes/api-gateway/compare/@standardnotes/api-gateway@1.44.0...@standardnotes/api-gateway@1.45.0) (2023-01-05)
 
 ### Features

packages/api-gateway/bin/server.ts

@@ -31,6 +31,8 @@ import helmet from 'helmet'
 import * as cors from 'cors'
 import { text, json, Request, Response, NextFunction, RequestHandler, ErrorRequestHandler } from 'express'
 import * as winston from 'winston'
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const robots = require('express-robots-txt')
 
 import { InversifyExpressServer } from 'inversify-express-utils'
 import { ContainerConfigLoader } from '../src/Bootstrap/Container'
@@ -78,6 +80,12 @@ void container.load().then((container) => {
       }),
     )
     app.use(cors())
+    app.use(
+      robots({
+        UserAgent: '*',
+        Disallow: '/',
+      }),
+    )
 
     if (env.get('SENTRY_DSN', true)) {
       Sentry.init({

packages/api-gateway/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/api-gateway",
-  "version": "1.45.0",
+  "version": "1.45.1",
   "engines": {
     "node": ">=18.0.0 <19.0.0"
   },
@@ -32,6 +32,7 @@
     "cors": "2.8.5",
     "dotenv": "^16.0.1",
     "express": "^4.18.2",
+    "express-robots-txt": "^1.0.0",
     "helmet": "^6.0.0",
     "inversify": "^6.0.1",
     "inversify-express-utils": "^6.4.3",

packages/auth/.env.sample

@@ -67,3 +67,7 @@ VALET_TOKEN_SECRET=
 VALET_TOKEN_TTL=
 
 WEB_SOCKET_CONNECTION_TOKEN_SECRET=
+
+# (Optional) U2F Setup
+U2F_RELYING_PARTY_ID=
+U2F_RELYING_PARTY_NAME=

packages/auth/CHANGELOG.md

@@ -3,6 +3,54 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.81.8](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.7...@standardnotes/auth-server@1.81.8) (2023-01-11)
+
+### Bug Fixes
+
+* **auth:** add relying party configuration options ([d18f6cc](https://github.com/standardnotes/server/commit/d18f6ccd32fa97c927781c17659cf7a8e662ee07))
+
+## [1.81.7](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.6...@standardnotes/auth-server@1.81.7) (2023-01-09)
+
+### Bug Fixes
+
+* **auth:** failure messages for debug logs upon signing in with recovery codes ([7ae8845](https://github.com/standardnotes/server/commit/7ae8845ae9ff9c208d192aea48e5517a16c8338f))
+
+## [1.81.6](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.5...@standardnotes/auth-server@1.81.6) (2023-01-09)
+
+### Bug Fixes
+
+* **auth:** request parameters names ([dda8d79](https://github.com/standardnotes/server/commit/dda8d795262d6629493377ae5a6143263a792378))
+
+## [1.81.5](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.4...@standardnotes/auth-server@1.81.5) (2023-01-09)
+
+### Bug Fixes
+
+* **auth:** debuggin recovery sign in ([96669bf](https://github.com/standardnotes/server/commit/96669bff5bc0903f28c51628e9289626622e674c))
+
+## [1.81.4](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.3...@standardnotes/auth-server@1.81.4) (2023-01-09)
+
+### Bug Fixes
+
+* **auth:** error messages on account recovery ([1fc3c9b](https://github.com/standardnotes/server/commit/1fc3c9b83ee2239b618dfb609b1dc2d68d063331))
+
+## [1.81.3](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.2...@standardnotes/auth-server@1.81.3) (2023-01-09)
+
+### Bug Fixes
+
+* **auth:** remove mfa settings after recovery sign in ([a0208dd](https://github.com/standardnotes/server/commit/a0208dd5b3ce54ccfa96b3497cb36e16ccb4cf89))
+
+## [1.81.2](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.1...@standardnotes/auth-server@1.81.2) (2023-01-05)
+
+### Bug Fixes
+
+* **auth:** return type to include user ([db0baf9](https://github.com/standardnotes/server/commit/db0baf92f1336071a8602a1a20ba6439f10028e6))
+
+## [1.81.1](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.81.0...@standardnotes/auth-server@1.81.1) (2023-01-05)
+
+### Bug Fixes
+
+* **auth:** allow retrieval of recovery codes setting ([13c5c97](https://github.com/standardnotes/server/commit/13c5c97ba73fcf1f4bd2905a1d8668ef5b468016))
+
 # [1.81.0](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.80.0...@standardnotes/auth-server@1.81.0) (2023-01-05)
 
 ### Features

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/auth-server",
-  "version": "1.81.0",
+  "version": "1.81.8",
   "engines": {
     "node": ">=18.0.0 <19.0.0"
   },

packages/auth/src/Bootstrap/Container.ts

@@ -463,7 +463,12 @@ export class ContainerConfigLoader {
     container
       .bind(TYPES.SESSION_TRACE_DAYS_TTL)
       .toConstantValue(env.get('SESSION_TRACE_DAYS_TTL', true) ? +env.get('SESSION_TRACE_DAYS_TTL', true) : 90)
-
+    container
+      .bind(TYPES.U2F_RELYING_PARTY_NAME)
+      .toConstantValue(env.get('U2F_RELYING_PARTY_NAME', true) ?? 'Standard Notes')
+    container
+      .bind(TYPES.U2F_RELYING_PARTY_ID)
+      .toConstantValue(env.get('U2F_RELYING_PARTY_ID', true) ?? 'standardnotes.com')
     // Services
     container.bind<UAParser>(TYPES.DeviceDetector).toConstantValue(new UAParser())
     container.bind<SessionService>(TYPES.SessionService).to(SessionService)
@@ -567,6 +572,8 @@ export class ContainerConfigLoader {
         new GenerateAuthenticatorRegistrationOptions(
           container.get(TYPES.AuthenticatorRepository),
           container.get(TYPES.AuthenticatorChallengeRepository),
+          container.get(TYPES.U2F_RELYING_PARTY_NAME),
+          container.get(TYPES.U2F_RELYING_PARTY_ID),
         ),
       )
     container
@@ -575,6 +582,7 @@ export class ContainerConfigLoader {
         new VerifyAuthenticatorRegistrationResponse(
           container.get(TYPES.AuthenticatorRepository),
           container.get(TYPES.AuthenticatorChallengeRepository),
+          container.get(TYPES.U2F_RELYING_PARTY_ID),
         ),
       )
     container
@@ -591,6 +599,7 @@ export class ContainerConfigLoader {
         new VerifyAuthenticatorAuthenticationResponse(
           container.get(TYPES.AuthenticatorRepository),
           container.get(TYPES.AuthenticatorChallengeRepository),
+          container.get(TYPES.U2F_RELYING_PARTY_ID),
         ),
       )
     container
@@ -619,20 +628,6 @@ export class ContainerConfigLoader {
     container.bind<VerifyMFA>(TYPES.VerifyMFA).to(VerifyMFA)
     container.bind<ClearLoginAttempts>(TYPES.ClearLoginAttempts).to(ClearLoginAttempts)
     container.bind<IncreaseLoginAttempts>(TYPES.IncreaseLoginAttempts).to(IncreaseLoginAttempts)
-    container
-      .bind<SignInWithRecoveryCodes>(TYPES.SignInWithRecoveryCodes)
-      .toConstantValue(
-        new SignInWithRecoveryCodes(
-          container.get(TYPES.UserRepository),
-          container.get(TYPES.AuthResponseFactory20200115),
-          container.get(TYPES.PKCERepository),
-          container.get(TYPES.Crypter),
-          container.get(TYPES.SettingService),
-          container.get(TYPES.GenerateRecoveryCodes),
-          container.get(TYPES.IncreaseLoginAttempts),
-          container.get(TYPES.ClearLoginAttempts),
-        ),
-      )
     container
       .bind<GetUserKeyParamsRecovery>(TYPES.GetUserKeyParamsRecovery)
       .toConstantValue(
@@ -655,6 +650,21 @@ export class ContainerConfigLoader {
     container.bind<GetUserFeatures>(TYPES.GetUserFeatures).to(GetUserFeatures)
     container.bind<UpdateSetting>(TYPES.UpdateSetting).to(UpdateSetting)
     container.bind<DeleteSetting>(TYPES.DeleteSetting).to(DeleteSetting)
+    container
+      .bind<SignInWithRecoveryCodes>(TYPES.SignInWithRecoveryCodes)
+      .toConstantValue(
+        new SignInWithRecoveryCodes(
+          container.get(TYPES.UserRepository),
+          container.get(TYPES.AuthResponseFactory20200115),
+          container.get(TYPES.PKCERepository),
+          container.get(TYPES.Crypter),
+          container.get(TYPES.SettingService),
+          container.get(TYPES.GenerateRecoveryCodes),
+          container.get(TYPES.IncreaseLoginAttempts),
+          container.get(TYPES.ClearLoginAttempts),
+          container.get(TYPES.DeleteSetting),
+        ),
+      )
     container.bind<DeleteAccount>(TYPES.DeleteAccount).to(DeleteAccount)
     container.bind<GetUserSubscription>(TYPES.GetUserSubscription).to(GetUserSubscription)
     container.bind<GetUserOfflineSubscription>(TYPES.GetUserOfflineSubscription).to(GetUserOfflineSubscription)

packages/auth/src/Bootstrap/Types.ts

@@ -94,6 +94,8 @@ const TYPES = {
   VERSION: Symbol.for('VERSION'),
   PAYMENTS_SERVER_URL: Symbol.for('PAYMENTS_SERVER_URL'),
   SESSION_TRACE_DAYS_TTL: Symbol.for('SESSION_TRACE_DAYS_TTL'),
+  U2F_RELYING_PARTY_ID: Symbol.for('U2F_RELYING_PARTY_ID'),
+  U2F_RELYING_PARTY_NAME: Symbol.for('U2F_RELYING_PARTY_NAME'),
   // use cases
   AuthenticateUser: Symbol.for('AuthenticateUser'),
   AuthenticateRequest: Symbol.for('AuthenticateRequest'),

packages/auth/src/Controller/AuthController.spec.ts

@@ -12,6 +12,7 @@ import { ApiVersion } from '@standardnotes/api'
 import { SignInWithRecoveryCodes } from '../Domain/UseCase/SignInWithRecoveryCodes/SignInWithRecoveryCodes'
 import { GetUserKeyParamsRecovery } from '../Domain/UseCase/GetUserKeyParamsRecovery/GetUserKeyParamsRecovery'
 import { GenerateRecoveryCodes } from '../Domain/UseCase/GenerateRecoveryCodes/GenerateRecoveryCodes'
+import { Logger } from 'winston'
 
 describe('AuthController', () => {
   let clearLoginAttempts: ClearLoginAttempts
@@ -23,6 +24,7 @@ describe('AuthController', () => {
   let doSignInWithRecoveryCodes: SignInWithRecoveryCodes
   let getUserKeyParamsRecovery: GetUserKeyParamsRecovery
   let doGenerateRecoveryCodes: GenerateRecoveryCodes
+  let logger: Logger
 
   const createController = () =>
     new AuthController(
@@ -33,6 +35,7 @@ describe('AuthController', () => {
       doSignInWithRecoveryCodes,
       getUserKeyParamsRecovery,
       doGenerateRecoveryCodes,
+      logger,
     )
 
   beforeEach(() => {
@@ -52,6 +55,9 @@ describe('AuthController', () => {
 
     domainEventFactory = {} as jest.Mocked<DomainEventFactoryInterface>
     domainEventFactory.createUserRegisteredEvent = jest.fn().mockReturnValue(event)
+
+    logger = {} as jest.Mocked<Logger>
+    logger.debug = jest.fn()
   })
 
   it('should register a user', async () => {

packages/auth/src/Controller/AuthController.ts

@@ -23,6 +23,7 @@ import { RecoveryKeyParamsResponse } from '../Infra/Http/Response/RecoveryKeyPar
 import { GenerateRecoveryCodes } from '../Domain/UseCase/GenerateRecoveryCodes/GenerateRecoveryCodes'
 import { GenerateRecoveryCodesRequestParams } from '../Infra/Http/Request/GenerateRecoveryCodesRequestParams'
 import { GenerateRecoveryCodesResponse } from '../Infra/Http/Response/GenerateRecoveryCodesResponse'
+import { Logger } from 'winston'
 
 @injectable()
 export class AuthController implements UserServerInterface {
@@ -34,6 +35,7 @@ export class AuthController implements UserServerInterface {
     @inject(TYPES.SignInWithRecoveryCodes) private doSignInWithRecoveryCodes: SignInWithRecoveryCodes,
     @inject(TYPES.GetUserKeyParamsRecovery) private getUserKeyParamsRecovery: GetUserKeyParamsRecovery,
     @inject(TYPES.GenerateRecoveryCodes) private doGenerateRecoveryCodes: GenerateRecoveryCodes,
+    @inject(TYPES.Logger) private logger: Logger,
   ) {}
 
   async deleteAccount(_params: never): Promise<UserDeletionResponse> {
@@ -138,6 +140,8 @@ export class AuthController implements UserServerInterface {
     })
 
     if (result.isFailed()) {
+      this.logger.debug(`Failed to sign in with recovery codes: ${result.getError()}`)
+
       return {
         status: HttpStatusCode.Unauthorized,
         data: {
@@ -173,6 +177,8 @@ export class AuthController implements UserServerInterface {
     })
 
     if (result.isFailed()) {
+      this.logger.debug(`Failed to get recovery key params: ${result.getError()}`)
+
       return {
         status: HttpStatusCode.Unauthorized,
         data: {

packages/auth/src/Domain/Authenticator/RelyingParty.ts

@@ -1,4 +0,0 @@
-export enum RelyingParty {
-  RP_NAME = 'Standard Notes',
-  RP_ID = 'standardnotes.com',
-}

packages/auth/src/Domain/UseCase/GenerateAuthenticatorRegistrationOptions/GenerateAuthenticatorRegistrationOptions.spec.ts

@@ -11,7 +11,12 @@ describe('GenerateAuthenticatorRegistrationOptions', () => {
   let authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface
 
   const createUseCase = () =>
-    new GenerateAuthenticatorRegistrationOptions(authenticatorRepository, authenticatorChallengeRepository)
+    new GenerateAuthenticatorRegistrationOptions(
+      authenticatorRepository,
+      authenticatorChallengeRepository,
+      'Standard Notes',
+      'standardnotes.com',
+    )
 
   beforeEach(() => {
     const authenticator = Authenticator.create({

packages/auth/src/Domain/UseCase/GenerateAuthenticatorRegistrationOptions/GenerateAuthenticatorRegistrationOptions.ts

@@ -5,12 +5,13 @@ import { GenerateAuthenticatorRegistrationOptionsDTO } from './GenerateAuthentic
 import { AuthenticatorRepositoryInterface } from '../../Authenticator/AuthenticatorRepositoryInterface'
 import { AuthenticatorChallengeRepositoryInterface } from '../../Authenticator/AuthenticatorChallengeRepositoryInterface'
 import { AuthenticatorChallenge } from '../../Authenticator/AuthenticatorChallenge'
-import { RelyingParty } from '../../Authenticator/RelyingParty'
 
 export class GenerateAuthenticatorRegistrationOptions implements UseCaseInterface<Record<string, unknown>> {
   constructor(
     private authenticatorRepository: AuthenticatorRepositoryInterface,
     private authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface,
+    private relyingPartyName: string,
+    private relyingPartyId: string,
   ) {}
 
   async execute(dto: GenerateAuthenticatorRegistrationOptionsDTO): Promise<Result<Record<string, unknown>>> {
@@ -28,8 +29,8 @@ export class GenerateAuthenticatorRegistrationOptions implements UseCaseInterfac
 
     const authenticators = await this.authenticatorRepository.findByUserUuid(userUuid)
     const options = generateRegistrationOptions({
-      rpID: RelyingParty.RP_ID,
-      rpName: RelyingParty.RP_NAME,
+      rpID: this.relyingPartyId,
+      rpName: this.relyingPartyName,
       userID: userUuid.value,
       userName: username.value,
       attestationType: 'none',

packages/auth/src/Domain/UseCase/GenerateRecoveryCodes/GenerateRecoveryCodes.ts

@@ -38,7 +38,7 @@ export class GenerateRecoveryCodes implements UseCaseInterface<string> {
         name: SettingName.RecoveryCodes,
         unencryptedValue: recoveryCodes,
         serverEncryptionVersion: EncryptionVersion.Default,
-        sensitive: true,
+        sensitive: false,
       },
     })
 

packages/auth/src/Domain/UseCase/SignInWithRecoveryCodes/SignInWithRecoveryCodes.spec.ts

@@ -9,6 +9,7 @@ import { PKCERepositoryInterface } from '../../User/PKCERepositoryInterface'
 import { User } from '../../User/User'
 import { UserRepositoryInterface } from '../../User/UserRepositoryInterface'
 import { ClearLoginAttempts } from '../ClearLoginAttempts'
+import { DeleteSetting } from '../DeleteSetting/DeleteSetting'
 import { GenerateRecoveryCodes } from '../GenerateRecoveryCodes/GenerateRecoveryCodes'
 import { IncreaseLoginAttempts } from '../IncreaseLoginAttempts'
 import { SignInWithRecoveryCodes } from './SignInWithRecoveryCodes'
@@ -22,6 +23,7 @@ describe('SignInWithRecoveryCodes', () => {
   let generateRecoveryCodes: GenerateRecoveryCodes
   let increaseLoginAttempts: IncreaseLoginAttempts
   let clearLoginAttempts: ClearLoginAttempts
+  let deleteSetting: DeleteSetting
 
   const createUseCase = () =>
     new SignInWithRecoveryCodes(
@@ -33,6 +35,7 @@ describe('SignInWithRecoveryCodes', () => {
       generateRecoveryCodes,
       increaseLoginAttempts,
       clearLoginAttempts,
+      deleteSetting,
     )
 
   beforeEach(() => {
@@ -63,6 +66,9 @@ describe('SignInWithRecoveryCodes', () => {
 
     clearLoginAttempts = {} as jest.Mocked<ClearLoginAttempts>
     clearLoginAttempts.execute = jest.fn()
+
+    deleteSetting = {} as jest.Mocked<DeleteSetting>
+    deleteSetting.execute = jest.fn()
   })
 
   it('should return error if password is not provided', async () => {
@@ -75,7 +81,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid email or password')
+    expect(result.getError()).toBe('Empty password')
   })
 
   it('should return error if username is not provided', async () => {
@@ -101,7 +107,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid email or password')
+    expect(result.getError()).toBe('Invalid code verifier')
   })
 
   it('should return error if recovery codes are not provided', async () => {
@@ -114,7 +120,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid recovery codes')
+    expect(result.getError()).toBe('Empty recovery codes')
   })
 
   it('should return error if code verifier is invalid', async () => {
@@ -129,7 +135,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid email or password')
+    expect(result.getError()).toBe('Invalid code verifier')
   })
 
   it('should return error if user is not found', async () => {
@@ -144,7 +150,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid email or password')
+    expect(result.getError()).toBe('Could not find user')
   })
 
   it('should return error if recovery codes are invalid', async () => {
@@ -170,7 +176,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(result.isFailed()).toBe(true)
-    expect(result.getError()).toBe('Invalid email or password')
+    expect(result.getError()).toBe('Invalid password')
   })
 
   it('should return error if recovery codes are not generated for user', async () => {
@@ -213,6 +219,7 @@ describe('SignInWithRecoveryCodes', () => {
     })
 
     expect(clearLoginAttempts.execute).toHaveBeenCalled()
+    expect(deleteSetting.execute).toHaveBeenCalled()
     expect(result.isFailed()).toBe(false)
   })
 })

packages/auth/src/Domain/UseCase/SignInWithRecoveryCodes/SignInWithRecoveryCodes.ts

@@ -14,6 +14,7 @@ import { SignInWithRecoveryCodesDTO } from './SignInWithRecoveryCodesDTO'
 import { AuthResponseFactory20200115 } from '../../Auth/AuthResponseFactory20200115'
 import { IncreaseLoginAttempts } from '../IncreaseLoginAttempts'
 import { ClearLoginAttempts } from '../ClearLoginAttempts'
+import { DeleteSetting } from '../DeleteSetting/DeleteSetting'
 
 export class SignInWithRecoveryCodes implements UseCaseInterface<AuthResponse20200115> {
   constructor(
@@ -25,6 +26,7 @@ export class SignInWithRecoveryCodes implements UseCaseInterface<AuthResponse202
     private generateRecoveryCodes: GenerateRecoveryCodes,
     private increaseLoginAttempts: IncreaseLoginAttempts,
     private clearLoginAttempts: ClearLoginAttempts,
+    private deleteSetting: DeleteSetting,
   ) {}
 
   async execute(dto: SignInWithRecoveryCodesDTO): Promise<Result<AuthResponse20200115>> {
@@ -38,21 +40,21 @@ export class SignInWithRecoveryCodes implements UseCaseInterface<AuthResponse202
     if (!validCodeVerifier) {
       await this.increaseLoginAttempts.execute({ email: username.value })
 
-      return Result.fail('Invalid email or password')
+      return Result.fail('Invalid code verifier')
     }
 
     const passwordValidationResult = Validator.isNotEmpty(dto.password)
     if (passwordValidationResult.isFailed()) {
       await this.increaseLoginAttempts.execute({ email: username.value })
 
-      return Result.fail('Invalid email or password')
+      return Result.fail('Empty password')
     }
 
     const recoveryCodesValidationResult = Validator.isNotEmpty(dto.recoveryCodes)
     if (recoveryCodesValidationResult.isFailed()) {
       await this.increaseLoginAttempts.execute({ email: username.value })
 
-      return Result.fail('Invalid recovery codes')
+      return Result.fail('Empty recovery codes')
     }
 
     const user = await this.userRepository.findOneByEmail(username.value)
@@ -60,14 +62,14 @@ export class SignInWithRecoveryCodes implements UseCaseInterface<AuthResponse202
     if (!user) {
       await this.increaseLoginAttempts.execute({ email: username.value })
 
-      return Result.fail('Invalid email or password')
+      return Result.fail('Could not find user')
     }
 
     const passwordMatches = await bcrypt.compare(dto.password, user.encryptedPassword)
     if (!passwordMatches) {
       await this.increaseLoginAttempts.execute({ email: username.value })
 
-      return Result.fail('Invalid email or password')
+      return Result.fail('Invalid password')
     }
 
     const recoveryCodesSetting = await this.settingService.findSettingWithDecryptedValue({
@@ -103,6 +105,11 @@ export class SignInWithRecoveryCodes implements UseCaseInterface<AuthResponse202
       return Result.fail(`Could not sign in with recovery codes: ${generateNewRecoveryCodesResult.getError()}`)
     }
 
+    await this.deleteSetting.execute({
+      settingName: SettingName.MfaSecret,
+      userUuid: user.uuid,
+    })
+
     await this.clearLoginAttempts.execute({ email: username.value })
 
     return Result.ok(authResponse as AuthResponse20200115)

packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.spec.ts

@@ -13,7 +13,11 @@ describe('VerifyAuthenticatorAuthenticationResponse', () => {
   let authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface
 
   const createUseCase = () =>
-    new VerifyAuthenticatorAuthenticationResponse(authenticatorRepository, authenticatorChallengeRepository)
+    new VerifyAuthenticatorAuthenticationResponse(
+      authenticatorRepository,
+      authenticatorChallengeRepository,
+      'standardnotes.com',
+    )
 
   beforeEach(() => {
     const authenticator = Authenticator.create({

packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.ts

@@ -5,12 +5,12 @@ import { AuthenticatorDevice } from '@simplewebauthn/typescript-types'
 import { AuthenticatorChallengeRepositoryInterface } from '../../Authenticator/AuthenticatorChallengeRepositoryInterface'
 import { AuthenticatorRepositoryInterface } from '../../Authenticator/AuthenticatorRepositoryInterface'
 import { VerifyAuthenticatorAuthenticationResponseDTO } from './VerifyAuthenticatorAuthenticationResponseDTO'
-import { RelyingParty } from '../../Authenticator/RelyingParty'
 
 export class VerifyAuthenticatorAuthenticationResponse implements UseCaseInterface<boolean> {
   constructor(
     private authenticatorRepository: AuthenticatorRepositoryInterface,
     private authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface,
+    private relyingPartyId: string,
   ) {}
 
   async execute(dto: VerifyAuthenticatorAuthenticationResponseDTO): Promise<Result<boolean>> {
@@ -40,8 +40,8 @@ export class VerifyAuthenticatorAuthenticationResponse implements UseCaseInterfa
       verification = await verifyAuthenticationResponse({
         credential: dto.authenticationCredential,
         expectedChallenge: authenticatorChallenge.props.challenge.toString(),
-        expectedOrigin: `https://${RelyingParty.RP_ID}`,
-        expectedRPID: RelyingParty.RP_ID,
+        expectedOrigin: `https://${this.relyingPartyId}`,
+        expectedRPID: this.relyingPartyId,
         authenticator: {
           counter: authenticator.props.counter,
           credentialID: authenticator.props.credentialId,

packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.spec.ts

@@ -13,7 +13,11 @@ describe('VerifyAuthenticatorRegistrationResponse', () => {
   let authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface
 
   const createUseCase = () =>
-    new VerifyAuthenticatorRegistrationResponse(authenticatorRepository, authenticatorChallengeRepository)
+    new VerifyAuthenticatorRegistrationResponse(
+      authenticatorRepository,
+      authenticatorChallengeRepository,
+      'standardnotes.com',
+    )
 
   beforeEach(() => {
     authenticatorRepository = {} as jest.Mocked<AuthenticatorRepositoryInterface>

packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.ts

@@ -2,7 +2,6 @@ import { Dates, Result, UseCaseInterface, Uuid, Validator } from '@standardnotes
 import { VerifiedRegistrationResponse, verifyRegistrationResponse } from '@simplewebauthn/server'
 
 import { AuthenticatorChallengeRepositoryInterface } from '../../Authenticator/AuthenticatorChallengeRepositoryInterface'
-import { RelyingParty } from '../../Authenticator/RelyingParty'
 import { AuthenticatorRepositoryInterface } from '../../Authenticator/AuthenticatorRepositoryInterface'
 import { Authenticator } from '../../Authenticator/Authenticator'
 import { VerifyAuthenticatorRegistrationResponseDTO } from './VerifyAuthenticatorRegistrationResponseDTO'
@@ -11,6 +10,7 @@ export class VerifyAuthenticatorRegistrationResponse implements UseCaseInterface
   constructor(
     private authenticatorRepository: AuthenticatorRepositoryInterface,
     private authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface,
+    private relyingPartyId: string,
   ) {}
 
   async execute(dto: VerifyAuthenticatorRegistrationResponseDTO): Promise<Result<boolean>> {
@@ -35,8 +35,8 @@ export class VerifyAuthenticatorRegistrationResponse implements UseCaseInterface
       verification = await verifyRegistrationResponse({
         credential: dto.registrationCredential,
         expectedChallenge: authenticatorChallenge.props.challenge.toString(),
-        expectedOrigin: `https://${RelyingParty.RP_ID}`,
-        expectedRPID: RelyingParty.RP_ID,
+        expectedOrigin: `https://${this.relyingPartyId}`,
+        expectedRPID: this.relyingPartyId,
       })
 
       if (!verification.verified) {

packages/auth/src/Infra/Http/Response/SignInWithRecoveryCodesResponseBody.ts

@@ -3,4 +3,9 @@ import { KeyParamsData, SessionBody } from '@standardnotes/responses'
 export interface SignInWithRecoveryCodesResponseBody {
   session: SessionBody
   key_params: KeyParamsData
+  user: {
+    uuid: string
+    email: string
+    protocolVersion: string
+  }
 }

packages/auth/src/Infra/InversifyExpressUtils/InversifyExpressAuthController.ts

@@ -264,10 +264,10 @@ export class InversifyExpressAuthController extends BaseHttpController {
   @httpPost('/recovery/login', TYPES.LockMiddleware)
   async recoveryLogin(request: Request): Promise<results.JsonResult> {
     const result = await this.authController.signInWithRecoveryCodes({
-      apiVersion: request.body.api,
+      apiVersion: request.body.api_version,
       userAgent: <string>request.headers['user-agent'],
       codeVerifier: request.body.code_verifier,
-      username: request.body.email,
+      username: request.body.username,
       recoveryCodes: request.body.recovery_codes,
       password: request.body.password,
     })
@@ -278,8 +278,8 @@ export class InversifyExpressAuthController extends BaseHttpController {
   @httpPost('/recovery/params')
   async recoveryParams(request: Request): Promise<results.JsonResult> {
     const result = await this.authController.recoveryKeyParams({
-      apiVersion: request.body.api,
-      username: request.body.email,
+      apiVersion: request.body.api_version,
+      username: request.body.username,
       codeChallenge: request.body.code_challenge,
       recoveryCodes: request.body.recovery_codes,
     })

packages/files/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.9.4](https://github.com/standardnotes/files/compare/@standardnotes/files-server@1.9.3...@standardnotes/files-server@1.9.4) (2023-01-13)
+
+### Bug Fixes
+
+* add robots.txt setup for api-gateway and files server to disallow indexing ([bb82043](https://github.com/standardnotes/files/commit/bb820437af2b9644d7597de045b5840037b81db3))
+
 ## [1.9.3](https://github.com/standardnotes/files/compare/@standardnotes/files-server@1.9.2...@standardnotes/files-server@1.9.3) (2022-12-28)
 
 **Note:** Version bump only for package @standardnotes/files-server

packages/files/bin/server.ts

@@ -12,6 +12,8 @@ import helmet from 'helmet'
 import * as cors from 'cors'
 import { urlencoded, json, raw, Request, Response, NextFunction, RequestHandler, ErrorRequestHandler } from 'express'
 import * as winston from 'winston'
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const robots = require('express-robots-txt')
 
 import { InversifyExpressServer } from 'inversify-express-utils'
 import { ContainerConfigLoader } from '../src/Bootstrap/Container'
@@ -65,6 +67,12 @@ void container.load().then((container) => {
         exposedHeaders: ['Content-Range', 'Accept-Ranges'],
       }),
     )
+    app.use(
+      robots({
+        UserAgent: '*',
+        Disallow: '/',
+      }),
+    )
 
     if (env.get('SENTRY_DSN', true)) {
       Sentry.init({

packages/files/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/files-server",
-  "version": "1.9.3",
+  "version": "1.9.4",
   "engines": {
     "node": ">=18.0.0 <19.0.0"
   },
@@ -39,6 +39,7 @@
     "dayjs": "^1.11.6",
     "dotenv": "^16.0.1",
     "express": "^4.18.2",
+    "express-robots-txt": "^1.0.0",
     "express-winston": "^4.0.5",
     "helmet": "^6.0.0",
     "inversify": "^6.0.1",

packages/scheduler/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.16.5](https://github.com/standardnotes/server/compare/@standardnotes/scheduler-server@1.16.4...@standardnotes/scheduler-server@1.16.5) (2023-01-06)
+
+### Bug Fixes
+
+* **scheduler:** change email levels ([79c3e33](https://github.com/standardnotes/server/commit/79c3e33434d186df7240d17cb598914361b1c9fe))
+
 ## [1.16.4](https://github.com/standardnotes/server/compare/@standardnotes/scheduler-server@1.16.3...@standardnotes/scheduler-server@1.16.4) (2022-12-28)
 
 **Note:** Version bump only for package @standardnotes/scheduler-server

packages/scheduler/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/scheduler-server",
-  "version": "1.16.4",
+  "version": "1.16.5",
   "engines": {
     "node": ">=18.0.0 <19.0.0"
   },

packages/scheduler/src/Domain/Job/JobDoneInterpreter.ts

@@ -97,7 +97,7 @@ export class JobDoneInterpreter implements JobDoneInterpreterInterface {
         messageIdentifier: 'ENCOURAGE_EMAIL_BACKUPS',
         subject: getEncourageEmailBackupsSubject(),
         body: getEncourageEmailBackupsBody(),
-        level: EmailLevel.LEVELS.System,
+        level: EmailLevel.LEVELS.Marketing,
       }),
     )
   }
@@ -113,7 +113,7 @@ export class JobDoneInterpreter implements JobDoneInterpreterInterface {
         body: getEncourageSubscriptionPurchasingBody(
           this.timer.convertMicrosecondsToDate(job.createdAt).toLocaleString(),
         ),
-        level: EmailLevel.LEVELS.System,
+        level: EmailLevel.LEVELS.Marketing,
       }),
     )
   }
@@ -127,7 +127,7 @@ export class JobDoneInterpreter implements JobDoneInterpreterInterface {
         messageIdentifier: 'EXIT_INTERVIEW',
         subject: getExitInterviewSubject(),
         body: getExitInterviewBody(),
-        level: EmailLevel.LEVELS.System,
+        level: EmailLevel.LEVELS.Marketing,
       }),
     )
   }

yarn.lock

@@ -1929,6 +1929,7 @@ __metadata:
     eslint: "npm:^8.14.0"
     eslint-plugin-prettier: "npm:^4.0.0"
     express: "npm:^4.18.2"
+    express-robots-txt: "npm:^1.0.0"
     helmet: "npm:^6.0.0"
     inversify: "npm:^6.0.1"
     inversify-express-utils: "npm:^6.4.3"
@@ -2216,6 +2217,7 @@ __metadata:
     eslint: "npm:^8.14.0"
     eslint-plugin-prettier: "npm:^4.0.0"
     express: "npm:^4.18.2"
+    express-robots-txt: "npm:^1.0.0"
     express-winston: "npm:^4.0.5"
     helmet: "npm:^6.0.0"
     inversify: "npm:^6.0.1"
@@ -5580,6 +5582,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"express-robots-txt@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "express-robots-txt@npm:1.0.0"
+  peerDependencies:
+    express: ^4.12.1
+  checksum: 54f066f6c305694ea2082d2b0a46bab8dcbf2b478780cf3f1bc404a5d8c83a4e2d6f06e15b42f0aec2c8866ffb97150487e0bb9abdd9604fa78ea68950946b43
+  languageName: node
+  linkType: hard
+
 "express-winston@npm:^4.0.5":
   version: 4.2.0
   resolution: "express-winston@npm:4.2.0"