appwrite/app/controllers/shared/api/auth.php

<?php

use Appwrite\Extend\Exception;
use Appwrite\Utopia\Database\Documents\User;
use Appwrite\Utopia\Request;
use MaxMind\Db\Reader;
use Utopia\App;
use Utopia\Config\Config;
use Utopia\Database\DateTime;
use Utopia\Database\Document;
use Utopia\Database\Validator\Authorization;
use Utopia\System\System;

App::init()
    ->groups(['mfaProtected'])
    ->inject('session')
    ->action(function (Document $session) {
        $isSessionFresh = false;

        $lastUpdate = $session->getAttribute('mfaUpdatedAt');
        if (!empty($lastUpdate)) {
            $now = DateTime::now();
            $maxAllowedDate = DateTime::addSeconds(new \DateTime($lastUpdate), MFA_RECENT_DURATION); // Maximum date until session is considered safe before asking for another challenge

            $isSessionFresh = DateTime::formatTz($maxAllowedDate) >= DateTime::formatTz($now);
        }

        if (!$isSessionFresh) {
            throw new Exception(Exception::USER_CHALLENGE_REQUIRED);
        }
    });

App::init()
    ->groups(['auth'])
    ->inject('utopia')
    ->inject('request')
    ->inject('project')
    ->inject('geodb')
    ->inject('authorization')
    ->action(function (App $utopia, Request $request, Document $project, Reader $geodb, Authorization $authorization) {
        $denylist = System::getEnv('_APP_CONSOLE_COUNTRIES_DENYLIST', '');
        if (!empty($denylist && $project->getId() === 'console')) {
            $countries = explode(',', $denylist);
            $record = $geodb->get($request->getIP()) ?? [];
            $country = $record['country']['iso_code'] ?? '';
            if (in_array($country, $countries)) {
                throw new Exception(Exception::GENERAL_REGION_ACCESS_DENIED);
            }
        }

        $route = $utopia->match($request);

        $isPrivilegedUser = User::isPrivileged($authorization->getRoles());
        $isAppUser = User::isApp($authorization->getRoles());

        if ($isAppUser || $isPrivilegedUser) { // Skip limits for app and console devs
            return;
        }

        $auths = $project->getAttribute('auths', []);
        switch ($route->getLabel('auth.type', '')) {
            case 'email-password':
                if (($auths[Config::getParam('auth')['email-password']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Email / Password authentication is disabled for this project');
                }
                break;

            case 'magic-url':
                if (($auths[Config::getParam('auth')['magic-url']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Magic URL authentication is disabled for this project');
                }
                break;

            case 'anonymous':
                if (($auths[Config::getParam('auth')['anonymous']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Anonymous authentication is disabled for this project');
                }
                break;

            case 'phone':
                if (($auths[Config::getParam('auth')['phone']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Phone authentication is disabled for this project');
                }
                break;

            case 'invites':
                if (($auths[Config::getParam('auth')['invites']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Invites authentication is disabled for this project');
                }
                break;

            case 'jwt':
                if (($auths[Config::getParam('auth')['jwt']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'JWT authentication is disabled for this project');
                }
                break;

            case 'email-otp':
                if (($auths[Config::getParam('auth')['email-otp']['key']] ?? true) === false) {
                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Email OTP authentication is disabled for this project');
                }
                break;

            default:
                throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Unsupported authentication route');
        }
    });
WIP 2022-11-24 07:53:52 +00:00			`<?php`

chore: run formatter 2024-03-06 17:34:21 +00:00			`use Appwrite\Extend\Exception;`
More refactor and fixes 2025-11-04 06:08:35 +00:00			`use Appwrite\Utopia\Database\Documents\User;`
WIP 2022-11-24 07:53:52 +00:00			`use Appwrite\Utopia\Request;`
chore: run formatter 2024-03-06 17:34:21 +00:00			`use MaxMind\Db\Reader;`
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`use Utopia\App;`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`use Utopia\Config\Config;`
chore: run formatter 2024-03-06 17:34:21 +00:00			`use Utopia\Database\DateTime;`
WIP 2022-11-24 07:53:52 +00:00			`use Utopia\Database\Document;`
			`use Utopia\Database\Validator\Authorization;`
Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`use Utopia\System\System;`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`App::init()`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00			`->groups(['mfaProtected'])`
			`->inject('session')`
			`->action(function (Document $session) {`
PR review changes 2024-03-04 08:50:50 +00:00			`$isSessionFresh = false;`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00
			`$lastUpdate = $session->getAttribute('mfaUpdatedAt');`
			`if (!empty($lastUpdate)) {`
			`$now = DateTime::now();`
More refactor and fixes 2025-11-04 06:08:35 +00:00			`$maxAllowedDate = DateTime::addSeconds(new \DateTime($lastUpdate), MFA_RECENT_DURATION); // Maximum date until session is considered safe before asking for another challenge`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00
PR review changes 2024-03-04 08:50:50 +00:00			`$isSessionFresh = DateTime::formatTz($maxAllowedDate) >= DateTime::formatTz($now);`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00			`}`

PR review changes 2024-03-04 08:50:50 +00:00			`if (!$isSessionFresh) {`
Re-implement mfa protection as hook 2024-03-03 14:18:09 +00:00			`throw new Exception(Exception::USER_CHALLENGE_REQUIRED);`
			`}`
			`});`
WIP 2022-11-24 07:53:52 +00:00
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`App::init()`
WIP 2022-11-24 07:53:52 +00:00			`->groups(['auth'])`
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`->inject('utopia')`
WIP 2022-11-24 07:53:52 +00:00			`->inject('request')`
			`->inject('project')`
Remove restrict group and add logic to auth group 2024-02-01 12:10:41 +00:00			`->inject('geodb')`
Use authorization instance 2026-01-07 07:04:28 +00:00			`->inject('authorization')`
			`->action(function (App $utopia, Request $request, Document $project, Reader $geodb, Authorization $authorization) {`
Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`$denylist = System::getEnv('_APP_CONSOLE_COUNTRIES_DENYLIST', '');`
Only disallow console requests 2024-02-02 14:31:54 +00:00			`if (!empty($denylist && $project->getId() === 'console')) {`
Remove restrict group and add logic to auth group 2024-02-01 12:10:41 +00:00			`$countries = explode(',', $denylist);`
			`$record = $geodb->get($request->getIP()) ?? [];`
			`$country = $record['country']['iso_code'] ?? '';`
			`if (in_array($country, $countries)) {`
			`throw new Exception(Exception::GENERAL_REGION_ACCESS_DENIED);`
			`}`
			`}`
WIP 2022-11-24 07:53:52 +00:00
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`$route = $utopia->match($request);`
WIP 2022-11-24 07:53:52 +00:00
Use authorization instance 2026-01-07 07:04:28 +00:00			`$isPrivilegedUser = User::isPrivileged($authorization->getRoles());`
			`$isAppUser = User::isApp($authorization->getRoles());`
feat: Coroutine graphql wip 2024-06-11 22:08:40 +00:00
Revert "Feat adding coroutines" 2024-10-08 07:54:40 +00:00			`if ($isAppUser \|\| $isPrivilegedUser) { // Skip limits for app and console devs`
reverting: to set coroutines as head 2024-10-01 14:30:47 +00:00			`return;`
			`}`

WIP 2022-11-24 07:53:52 +00:00			`$auths = $project->getAttribute('auths', []);`
			`switch ($route->getLabel('auth.type', '')) {`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`case 'email-password':`
			`if (($auths[Config::getParam('auth')['email-password']['key']] ?? true) === false) {`
WIP 2022-11-24 07:53:52 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Email / Password authentication is disabled for this project');`
			`}`
			`break;`

			`case 'magic-url':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['magic-url']['key']] ?? true) === false) {`
WIP 2022-11-24 07:53:52 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Magic URL authentication is disabled for this project');`
			`}`
			`break;`

			`case 'anonymous':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['anonymous']['key']] ?? true) === false) {`
WIP 2022-11-24 07:53:52 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Anonymous authentication is disabled for this project');`
			`}`
			`break;`

Merge main 2024-02-12 01:18:19 +00:00			`case 'phone':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['phone']['key']] ?? true) === false) {`
Merge main 2024-02-12 01:18:19 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Phone authentication is disabled for this project');`
			`}`
			`break;`

WIP 2022-11-24 07:53:52 +00:00			`case 'invites':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['invites']['key']] ?? true) === false) {`
WIP 2022-11-24 07:53:52 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Invites authentication is disabled for this project');`
			`}`
			`break;`

			`case 'jwt':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['jwt']['key']] ?? true) === false) {`
WIP 2022-11-24 07:53:52 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'JWT authentication is disabled for this project');`
			`}`
			`break;`

Add auth group to create email token endpoint 2024-02-02 08:33:20 +00:00			`case 'email-otp':`
chore: used config in auth 2025-01-10 03:12:10 +00:00			`if (($auths[Config::getParam('auth')['email-otp']['key']] ?? true) === false) {`
Add auth group to create email token endpoint 2024-02-02 08:33:20 +00:00			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Email OTP authentication is disabled for this project');`
			`}`
			`break;`

WIP 2022-11-24 07:53:52 +00:00			`default:`
			`throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Unsupported authentication route');`
			`}`
benchmarks 2022-12-19 08:25:49 +00:00			`});`