fix: go: add default locale/roles to allowed list (#472)

go/cmd/config.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"net/url"
+	"slices"
 
 	"github.com/nhost/hasura-auth/go/controller"
 	"github.com/urfave/cli/v2"
@@ -29,6 +30,20 @@ func getConfig(cCtx *cli.Context) (controller.Config, error) {
 		allowedRedirectURLs[i] = url
 	}
 
+	defaultRole := cCtx.String(flagDefaultRole)
+	allowedRoles := cCtx.StringSlice(flagDefaultAllowedRoles)
+	if !slices.Contains(allowedRoles, defaultRole) {
+		allowedRoles = append(allowedRoles, defaultRole)
+	}
+	allowedRoles = slices.DeleteFunc(allowedRoles, func(s string) bool { return s == "" })
+
+	defaultLocale := cCtx.String(flagDefaultLocale)
+	allowedLocales := cCtx.StringSlice(flagAllowedLocales)
+	if !slices.Contains(allowedLocales, defaultLocale) {
+		allowedLocales = append(allowedLocales, defaultLocale)
+	}
+	allowedLocales = slices.DeleteFunc(allowedLocales, func(s string) bool { return s == "" })
+
 	return controller.Config{
 		HasuraGraphqlURL:         cCtx.String(flagGraphqlURL),
 		HasuraAdminSecret:        cCtx.String(flagHasuraAdminSecret),
@@ -38,10 +53,10 @@ func getConfig(cCtx *cli.Context) (controller.Config, error) {
 		ConcealErrors:            cCtx.Bool(flagConcealErrors),
 		DisableSignup:            cCtx.Bool(flagDisableSignup),
 		DisableNewUsers:          cCtx.Bool(flagDisableNewUsers),
-		DefaultAllowedRoles:      cCtx.StringSlice(flagDefaultAllowedRoles),
-		DefaultRole:              cCtx.String(flagDefaultRole),
-		DefaultLocale:            cCtx.String(flagDefaultLocale),
-		AllowedLocales:           cCtx.StringSlice(flagAllowedLocales),
+		DefaultAllowedRoles:      allowedRoles,
+		DefaultRole:              defaultRole,
+		DefaultLocale:            defaultLocale,
+		AllowedLocales:           allowedLocales,
 		GravatarEnabled:          cCtx.Bool(flagGravatarEnabled),
 		GravatarDefault:          GetEnumValue(cCtx, flagGravatarDefault),
 		GravatarRating:           cCtx.String(flagGravatarRating),

go/cmd/serve.go

@@ -71,7 +71,7 @@ func CommandServe() *cli.Command { //nolint:funlen
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagAPIPrefix,
 				Usage:    "prefix for all routes",
-				Value:    "/v1",
+				Value:    "/",
 				Category: "server",
 				EnvVars:  []string{"AUTH_API_PREFIX"},
 			},
@@ -110,28 +110,28 @@ func CommandServe() *cli.Command { //nolint:funlen
 			},
 			&cli.BoolFlag{ //nolint: exhaustruct
 				Name:     flagDisableSignup,
-				Usage:    "Disable signup",
+				Usage:    "If set to true, all signup methods will throw an unauthorized error",
 				Value:    false,
 				Category: "signup",
 				EnvVars:  []string{"AUTH_DISABLE_SIGNUP"},
 			},
 			&cli.BoolFlag{ //nolint: exhaustruct
 				Name:     flagConcealErrors,
-				Usage:    "Conceal errors",
+				Usage:    "Conceal sensitive error messages to avoid leaking information about user accounts to attackers",
 				Value:    false,
 				Category: "server",
 				EnvVars:  []string{"AUTH_CONCEAL_ERRORS"},
 			},
 			&cli.StringSliceFlag{ //nolint: exhaustruct
 				Name:     flagDefaultAllowedRoles,
-				Usage:    "Default allowed roles",
+				Usage:    "Comma-separated list of default allowed user roles",
 				Category: "signup",
-				Value:    cli.NewStringSlice("user", "me"),
+				Value:    cli.NewStringSlice("me"),
 				EnvVars:  []string{"AUTH_USER_DEFAULT_ALLOWED_ROLES"},
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagDefaultRole,
-				Usage:    "Default role",
+				Usage:    "Default user role for registered users",
 				Category: "signup",
 				Value:    "user",
 				EnvVars:  []string{"AUTH_USER_DEFAULT_ROLE"},
@@ -152,7 +152,7 @@ func CommandServe() *cli.Command { //nolint:funlen
 			},
 			&cli.BoolFlag{ //nolint: exhaustruct
 				Name:     flagDisableNewUsers,
-				Usage:    "Disable new users",
+				Usage:    "If set, new users will be disabled after finishing registration and won't be able to sign in",
 				Category: "signup",
 				EnvVars:  []string{"AUTH_DISABLE_NEW_USERS"},
 			},
@@ -207,9 +207,9 @@ func CommandServe() *cli.Command { //nolint:funlen
 			&cli.IntFlag{ //nolint: exhaustruct
 				Name:     flagAccessTokensExpiresIn,
 				Usage:    "Access tokens expires in (seconds)",
-				Value:    3600, //nolint:gomnd
+				Value:    900, //nolint:gomnd
 				Category: "jwt",
-				EnvVars:  []string{"AUTH_ACCESS_TOKENS_EXPIRES_IN"},
+				EnvVars:  []string{"AUTH_ACCESS_TOKEN_EXPIRES_IN"},
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagHasuraGraphqlJWTSecret,
@@ -222,6 +222,7 @@ func CommandServe() *cli.Command { //nolint:funlen
 				Name:     flagEmailSigninEmailVerifiedRequired,
 				Usage:    "Require email to be verified for email signin",
 				Category: "signup",
+				Value:    true,
 				EnvVars:  []string{"AUTH_EMAIL_SIGNIN_EMAIL_VERIFIED_REQUIRED"},
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
@@ -277,19 +278,19 @@ func CommandServe() *cli.Command { //nolint:funlen
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagClientURL,
-				Usage:    "Client URL",
+				Usage:    "URL of your frontend application. Used to redirect users to the right page once actions based on emails or OAuth succeed",
 				Category: "application",
 				EnvVars:  []string{"AUTH_CLIENT_URL"},
 			},
 			&cli.StringSliceFlag{ //nolint:exhaustruct
 				Name:     flagAllowRedirectURLs,
 				Usage:    "Allowed redirect URLs",
 				Category: "application",
-				EnvVars:  []string{"AUTH_ALLOW_REDIRECT_URLS"},
+				EnvVars:  []string{"AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS"},
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagServerURL,
-				Usage:    "Server URL",
+				Usage:    "Server URL of where Hasura Backend Plus is running. This value is to used as a callback in email templates and for the OAuth authentication process",
 				Category: "server",
 				EnvVars:  []string{"AUTH_SERVER_URL"},
 			},

go/controller/signup_email_password.go

@@ -30,7 +30,7 @@ func hashPassword(password string) (string, error) {
 
 func hashRefreshToken(token []byte) string {
 	hash := sha256.Sum256(token)
-	return hex.EncodeToString(hash[:])
+	return "\\x" + hex.EncodeToString(hash[:])
 }
 
 func deptr[T any](x *T) T { //nolint:ireturn
@@ -179,7 +179,7 @@ func (ctrl *Controller) postSignupEmailPasswordWithoutEmailVerification( //nolin
 			DefaultRole:           deptr(options.DefaultRole),
 			Metadata:              metadata,
 			Roles:                 deptr(options.AllowedRoles),
-			RefreshTokenHash:      sql.Text(hashRefreshToken(refreshToken[:])),
+			RefreshTokenHash:      sql.Text(hashRefreshToken([]byte(refreshToken.String()))),
 			RefreshTokenExpiresAt: sql.TimestampTz(expiresAt),
 		},
 	)

package.json

@@ -51,7 +51,7 @@
     "jose": "^5.2.2",
     "js-yaml": "3.13.1",
     "json-to-graphql-query": "^2.2.5",
-    "jsonata": "^1.8.6",
+    "jsonata": "^1.8.7",
     "jsonwebtoken": "^9.0.2",
     "jsrsasign": "11.0.0",
     "libphonenumber-js": "^1.10.57",
@@ -165,7 +165,8 @@
       "semver@<5.7.2": ">=5.7.2",
       "semver@>=7.0.0 <7.5.2": ">=7.5.2",
       "jsrsasign@<11.0.0": ">=11.0.0",
-      "nodemailer@<=6.9.8": ">=6.9.9"
+      "nodemailer@<=6.9.8": ">=6.9.9",
+      "jsonata@>=1.4.0 <1.8.7": ">=1.8.7"
     }
   }
 }