Add challenge type validation

src/db/models/ChallengeCode.ts

@@ -4,16 +4,20 @@ import { randomUUID } from 'crypto';
 // 30 seconds
 const CHALLENGE_EXPIRY_MS = 3000000 * 1000;
 
+export type ChallengeFlow = 'registration' | 'login';
+
+export type ChallengeType = 'mnemonic';
+
 @Entity({ tableName: 'challenge_codes' })
 export class ChallengeCode {
   @PrimaryKey({ name: 'code', type: 'uuid' })
   code: string = randomUUID();
 
-  @Property({ name: 'stage', type: 'text' })
-  stage!: 'registration' | 'login';
+  @Property({ name: 'flow', type: 'text' })
+  flow!: ChallengeFlow;
 
   @Property({ name: 'auth_type' })
-  authType!: 'mnemonic';
+  authType!: ChallengeType;
 
   @Property({ type: 'date' })
   createdAt: Date = new Date();
@@ -24,7 +28,7 @@ export class ChallengeCode {
 
 export interface ChallengeCodeDTO {
   code: string;
-  stage: string;
+  flow: string;
   authType: string;
   createdAt: string;
   expiresAt: string;
@@ -35,7 +39,7 @@ export function formatChallengeCode(
 ): ChallengeCodeDTO {
   return {
     code: challenge.code,
-    stage: challenge.stage,
+    flow: challenge.flow,
     authType: challenge.authType,
     createdAt: challenge.createdAt.toISOString(),
     expiresAt: challenge.expiresAt.toISOString(),

src/routes/auth/manage.ts

@@ -37,7 +37,7 @@ export const manageAuthRouter = makeRouter((app) => {
 
       const challenge = new ChallengeCode();
       challenge.authType = 'mnemonic';
-      challenge.stage = 'registration';
+      challenge.flow = 'registration';
 
       await em.persistAndFlush(challenge);
 
@@ -56,6 +56,8 @@ export const manageAuthRouter = makeRouter((app) => {
         body.challenge.code,
         body.publicKey,
         body.challenge.signature,
+        'registration',
+        'mnemonic',
       );
 
       const user = new User();

src/services/challenge.ts

@@ -8,6 +8,8 @@ export async function assertChallengeCode(
   code: string,
   publicKey: string,
   signature: string,
+  validFlow: ChallengeFlow,
+  validType: ChallengeType,
 ) {
   const now = Date.now();
 
@@ -15,7 +17,13 @@ export async function assertChallengeCode(
     code,
   });
 
-  if (!challenge) throw new StatusError('Challenge Code Invalid', 401);
+  if (
+    !challenge ||
+    challenge.flow !== validFlow ||
+    challenge.authType !== validType
+  ) {
+    throw new StatusError('Challenge Code Invalid', 401);
+  }
 
   if (challenge.expiresAt.getTime() <= now)
     throw new StatusError('Challenge Code Expired', 401);