npm - @baseplate-dev/plugin-auth - Versions diffs - 4.0.0 → 4.0.2 - Mend

@baseplate-dev/plugin-auth 4.0.0 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (339) hide show

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.ts ADDED Viewed

@@ -0,0 +1,233 @@
+// @ts-nocheck
+import type { RequestServiceContext } from '%requestServiceContextImports';
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_RESET_TOKEN_EXPIRY_SEC,
+} from '$constantsPassword';
+import {
+  createAuthVerification,
+  validateAuthVerification,
+} from '$servicesAuthVerification';
+import { config } from '%configServiceImports';
+import { sendEmail } from '%emailModuleImports';
+import {
+  BadRequestError,
+  handleZodRequestValidationError,
+} from '%errorHandlerServiceImports';
+import { createPasswordHash } from '%passwordHasherServiceImports';
+import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
+import {
+  PasswordChangedEmail,
+  PasswordResetEmail,
+} from '@blog-with-auth/transactional';
+import z from 'zod';
+const PROVIDER_ID = 'email-password';
+const PASSWORD_RESET_TYPE = 'password-reset';
+/**
+ * Rate limiters for password reset operations.
+ */
+// Per-email rate limit: 3 requests/hour
+const getPasswordResetEmailLimiter = memoizeRateLimiter(
+  'password-reset-email',
+  {
+    points: 3,
+    duration: 60 * 60, // 1 hour
+  },
+);
+// Per-IP rate limit: 10 requests/hour (prevents email scanning)
+const getPasswordResetIpLimiter = memoizeRateLimiter('password-reset-ip', {
+  points: 10,
+  duration: 60 * 60, // 1 hour
+});
+// Global rate limit: 100 requests/hour (prevents overloading the email service)
+const getPasswordResetGlobalLimiter = memoizeRateLimiter(
+  'password-reset-global',
+  {
+    points: 100,
+    duration: 60 * 60, // 1 hour
+  },
+);
+const requestPasswordResetSchema = z.object({
+  email: z
+    .email()
+    .max(PASSWORD_MAX_LENGTH)
+    .transform((value) => value.toLowerCase()),
+});
+/**
+ * Request a password reset for the given email.
+ */
+export async function requestPasswordReset({
+  email: rawEmail,
+  context,
+}: {
+  email: string;
+  context: RequestServiceContext;
+}): Promise<{ success: true }> {
+  const { email } = await requestPasswordResetSchema
+    .parseAsync({ email: rawEmail })
+    .catch(handleZodRequestValidationError);
+  await Promise.all([
+    getPasswordResetIpLimiter().consumeOrThrow(
+      context.reqInfo.ip,
+      'Too many password reset attempts. Please try again later.',
+      'too-many-requests',
+    ),
+    getPasswordResetEmailLimiter().consumeOrThrow(
+      email,
+      'Too many password reset attempts. Please try again later.',
+      'too-many-requests',
+    ),
+    getPasswordResetGlobalLimiter().consumeOrThrow(
+      'global',
+      'Too many password reset attempts. Please try again later.',
+      'too-many-requests',
+    ),
+  ]);
+  // Find user by email - silently handle non-existent users to prevent enumeration
+  const user = await prisma.user.findUnique({
+    where: { email },
+    select: { id: true, email: true },
+  });
+  if (user?.email) {
+    const { token } = await createAuthVerification({
+      type: PASSWORD_RESET_TYPE,
+      userId: user.id,
+      expiresInSec: PASSWORD_RESET_TOKEN_EXPIRY_SEC,
+    });
+    // Construct reset URL using configured domain
+    const resetLink = `${config.AUTH_FRONTEND_URL}/auth/reset-password?token=${encodeURIComponent(token)}`;
+    // Send email asynchronously (queue-based)
+    await sendEmail(PasswordResetEmail, {
+      to: user.email,
+      data: { resetLink },
+    });
+  }
+  // Always return success to prevent user enumeration
+  return { success: true };
+}
+const validateTokenSchema = z.object({
+  token: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+});
+/**
+ * Validates a password reset token without consuming it.
+ * Used by the frontend to verify the token is valid before showing the reset form.
+ */
+export async function validatePasswordResetToken({
+  token: rawToken,
+}: {
+  token: string;
+}): Promise<{ valid: boolean }> {
+  const { token } = await validateTokenSchema
+    .parseAsync({ token: rawToken })
+    .catch(handleZodRequestValidationError);
+  const record = await validateAuthVerification({
+    type: PASSWORD_RESET_TYPE,
+    token,
+  });
+  return { valid: record !== null };
+}
+const completePasswordResetSchema = z.object({
+  token: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+  newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
+});
+/**
+ * Completes the password reset process by setting a new password.
+ *
+ * Security notes (OWASP Forgot Password Cheat Sheet):
+ * - Token is single-use (deleted after successful reset)
+ * - Does not auto-login the user
+ * - Always invalidates all existing sessions for security
+ * - All remaining password-reset tokens for this user are deleted
+ */
+export async function completePasswordReset({
+  token: rawToken,
+  newPassword: rawNewPassword,
+}: {
+  token: string;
+  newPassword: string;
+}): Promise<{ success: true }> {
+  const { token, newPassword } = await completePasswordResetSchema
+    .parseAsync({
+      token: rawToken,
+      newPassword: rawNewPassword,
+    })
+    .catch(handleZodRequestValidationError);
+  const record = await validateAuthVerification({
+    type: PASSWORD_RESET_TYPE,
+    token,
+  });
+  if (!record?.userId) {
+    throw new BadRequestError('Invalid or expired token', 'invalid-token');
+  }
+  const user = await prisma.user.findUniqueOrThrow({
+    where: { id: record.userId },
+    select: { id: true, email: true },
+  });
+  if (!user.email) {
+    throw new BadRequestError('User has no email', 'user-has-no-email');
+  }
+  const passwordHash = await createPasswordHash(newPassword);
+  // Delete token + remaining reset tokens + update password + invalidate sessions
+  await prisma.$transaction([
+    prisma.authVerification.deleteMany({
+      where: { type: PASSWORD_RESET_TYPE, userId: user.id },
+    }),
+    prisma.userAccount.upsert({
+      where: {
+        accountId_providerId: {
+          accountId: user.email,
+          providerId: PROVIDER_ID,
+        },
+      },
+      create: {
+        userId: user.id,
+        accountId: user.email,
+        providerId: PROVIDER_ID,
+        password: passwordHash,
+      },
+      update: {
+        password: passwordHash,
+      },
+    }),
+    prisma.userSession.deleteMany({
+      where: { userId: user.id },
+    }),
+  ]);
+  // Send password changed confirmation email
+  await sendEmail(PasswordChangedEmail, {
+    to: user.email,
+    data: {},
+  });
+  return { success: true };
+}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"user-password.service.d.ts","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;~~AA4BnE~~,wBAAsB,8BAA8B,CAAC,EACnD,KAAK,GACN,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CAiChB;AAED,wBAAsB,gCAAgC,CAAC,EACrD,KAAK,EACL,OAAO,GACR,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,kBAAkB,CAAC;IAAC,IAAI,EAAE,IAAI,CAAA;CAAE,CAAC,~~CAKvD~~;AAED,wBAAsB,oCAAoC,CAAC,EACzD,KAAK,EACL,OAAO,GACR,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,kBAAkB,CAAA;CAAE,CAAC,~~CAkC3C~~;AAOD;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CAAC,EACvC,MAAM,EACN,KAAK,GACN,EAAE;IACD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE;QACL,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CAyChB;AAMD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,EACtC,MAAM,EACN,KAAK,GACN,EAAE;IACD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE;QACL,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CA2ChB"}
1	+ {"version":3,"file":"user-password.service.d.ts","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAuDnE,wBAAsB,8BAA8B,CAAC,EACnD,KAAK,GACN,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CAiChB;AAED,wBAAsB,gCAAgC,CAAC,EACrD,KAAK,EACL,OAAO,GACR,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,kBAAkB,CAAC;IAAC,IAAI,EAAE,IAAI,CAAA;CAAE,CAAC,CAevD;AAED,wBAAsB,oCAAoC,CAAC,EACzD,KAAK,EACL,OAAO,GACR,EAAE;IACD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,kBAAkB,CAAA;CAAE,CAAC,CA6D3C;AAOD;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CAAC,EACvC,MAAM,EACN,KAAK,GACN,EAAE;IACD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE;QACL,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CAyChB;AAMD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,EACtC,MAAM,EACN,KAAK,GACN,EAAE;IACD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE;QACL,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GAAG,OAAO,CAAC,IAAI,CAAC,CA2ChB"}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.js CHANGED Viewed

@@ -1,18 +1,37 @@
 // @ts-nocheck
-import { PASSWORD_MIN_LENGTH } from '$constantsPassword';
-import { BadRequestError, handleZodRequestValidationError, NotFoundError, } from '%errorHandlerServiceImports';
+import { PASSWORD_MAX_LENGTH, PASSWORD_MIN_LENGTH } from '$constantsPassword';
+import { requestEmailVerification } from '$servicesEmailVerification';
+import { BadRequestError, handleZodRequestValidationError, logError, NotFoundError, TooManyRequestsError, } from '%errorHandlerServiceImports';
 import { createPasswordHash, verifyPasswordHash, } from '%passwordHasherServiceImports';
 import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
 import { userSessionService } from '%userSessionServiceImports';
 import z from 'zod';
 const PROVIDER_ID = 'email-password';
-const MAX_VALUE_LENGTH = 255;
 const emailPasswordSchema = z.object({
     email: z
         .email()
-        .max(MAX_VALUE_LENGTH)
+        .max(PASSWORD_MAX_LENGTH)
         .transform((value) => value.toLowerCase()),
-    password: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+    password: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
+});
+/**
+ * Rate limiters for authentication operations.
+ */
+const getRegistrationLimiter = memoizeRateLimiter('registration', {
+    points: 10,
+    duration: 60 * 60, // 1 hour
+    blockDuration: 60 * 60, // Block for 1 hour if exceeded
+});
+const getLoginIpLimiter = memoizeRateLimiter('login-ip', {
+    points: 10,
+    duration: 60 * 60 * 24, // 24 hours
+    blockDuration: 60 * 60, // Block for 1 hour if exceeded
+});
+const getLoginConsecutiveFailsLimiter = memoizeRateLimiter('login-consecutive-fails', {
+    points: 5,
+    duration: 60 * 60 * 24, // 24 hours (duration for tracking)
+    blockDuration: 60 * 15, // Block for 15 minutes after 5 consecutive fails
 });
 export async function createUserWithEmailAndPassword({ input, }) {
     const { email, password } = await emailPasswordSchema
@@ -46,14 +65,28 @@ export async function createUserWithEmailAndPassword({ input, }) {
     return user;
 }
 export async function registerUserWithEmailAndPassword({ input, context, }) {
+    // Rate limit registration by IP
+    await getRegistrationLimiter().consumeOrThrow(context.reqInfo.ip, 'Too many registration attempts. Please try again later.', 'registration-rate-limited');
     const user = await createUserWithEmailAndPassword({ input });
     const session = await userSessionService.createSession(user.id, context);
+    // Send verification email (fire-and-forget, don't block registration)
+    requestEmailVerification({ userId: user.id, context }).catch(logError);
     return { session, user };
 }
 export async function authenticateUserWithEmailAndPassword({ input, context, }) {
     const { email, password } = await emailPasswordSchema
         .parseAsync(input)
         .catch(handleZodRequestValidationError);
+    // Rate limiting setup
+    const clientIp = context.reqInfo.ip;
+    const emailIpKey = `${email}_${clientIp}`;
+    // Check IP-based rate limit (slow brute force protection)
+    await getLoginIpLimiter().consumeOrThrow(clientIp, 'Too many login attempts. Please try again later.', 'login-ip-rate-limited');
+    // Check consecutive failures rate limit (fast brute force protection)
+    const consecutiveFailsResult = await getLoginConsecutiveFailsLimiter().get(emailIpKey);
+    if (consecutiveFailsResult && !consecutiveFailsResult.allowed) {
+        throw new TooManyRequestsError('Account temporarily locked due to too many failed attempts. Please try again later.', 'login-consecutive-fails-blocked', { retryAfterMs: consecutiveFailsResult.msBeforeNext });
+    }
     // check if user with that email exists
     const userAccount = await prisma.userAccount.findUnique({
         where: {
@@ -63,20 +96,21 @@ export async function authenticateUserWithEmailAndPassword({ input, context, })
             },
         },
     });
-    if (userAccount === null) {
-        throw new BadRequestError('Invalid email', 'invalid-email');
-    }
     // check for password match
-    const isValid = await verifyPasswordHash(userAccount.password ?? '', password);
-    if (!isValid) {
-        throw new BadRequestError('Invalid password', 'invalid-password');
+    const isValid = await verifyPasswordHash(userAccount?.password ?? '', password);
+    if (!isValid || !userAccount) {
+        // Track failed attempt
+        await getLoginConsecutiveFailsLimiter().consume(emailIpKey);
+        throw new BadRequestError('Invalid email or password', 'invalid-credentials');
     }
+    // Reset consecutive failures on successful login
+    await getLoginConsecutiveFailsLimiter().delete(emailIpKey);
     const session = await userSessionService.createSession(userAccount.userId, context);
     return { session };
 }
 const changePasswordSchema = z.object({
-    currentPassword: z.string().min(1).max(MAX_VALUE_LENGTH),
-    newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+    currentPassword: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+    newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
 });
 /**
  * Change a user's password after validating their current password.
@@ -120,7 +154,7 @@ export async function changeUserPassword({ userId, input, }) {
     });
 }
 const resetPasswordSchema = z.object({
-    newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+    newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
 });
 /**
  * Reset a user's password without requiring the current password.

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"user-password.service.js","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts"],"names":[],"mappings":"AAAA,cAAc;AAMd,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;~~AACzD~~,OAAO,EACL,eAAe,EACf,+BAA+B,EAC/B,aAAa,~~GACd~~,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,WAAW,GAAG,gBAAgB,CAAC;AAErC,MAAM,~~gBAAgB,GAAG,GAAG,CAAC;AAE7B,MAAM,~~mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,KAAK,EAAE,CAAC;SACL,KAAK,EAAE;SACP,GAAG,CAAC,~~gBAAgB~~,CAAC;~~SACrB~~,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,~~gBAAgB~~,CAAC;~~CACpE~~,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAAC,EACnD,KAAK,GAMN;IACC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,mBAAmB;SAClD,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC1C,+CAA+C;IAC/C,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC;QACvD,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,WAAW;aACxB;SACF;KACF,CAAC,CAAC;IAEH,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,eAAe,CAAC,qBAAqB,EAAE,aAAa,CAAC,CAAC;IAClE,CAAC;IAED,cAAc;IACd,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;QACpC,IAAI,EAAE;YACJ,KAAK;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE;oBACN,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,WAAW;oBACvB,QAAQ,EAAE,MAAM,kBAAkB,CAAC,QAAQ,CAAC;iBAC7C;aACF;SACF;KACF,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,EACrD,KAAK,EACL,OAAO,GAOR;IACC,MAAM,IAAI,GAAG,MAAM,8BAA8B,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAEzE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oCAAoC,CAAC,EACzD,KAAK,EACL,OAAO,GAOR;IACC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,mBAAmB;SAClD,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,~~uCAAuC~~;~~IACvC~~,MAAM,~~WAAW~~,GAAG,~~MAAM~~,~~MAAM,~~CAAC,~~WAAW~~,CAAC,~~UAAU~~,CAAC;~~QACtD~~,KAAK,~~EAAE;YACL~~,~~oBAAoB~~,EAAE;~~gBACpB~~,~~SAAS~~,EAAE,~~KAAK;gBAChB~~,~~UAAU~~,~~EAAE~~,~~WAAW~~;~~aACxB~~;~~SACF;KACF~~,CAAC,CAAC;~~IAEH~~,IAAI,~~WAAW~~,~~KAAK,~~IAAI,EAAE,CAAC;~~QACzB~~,MAAM,IAAI,~~eAAe~~,~~CAAC~~,~~eAAe~~,EAAE,~~eAAe~~,CAAC,CAAC;~~IAC9D~~,CAAC;IAED,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CACtC,WAAW,~~CAAC~~,QAAQ,IAAI,EAAE,~~EAC1B~~,QAAQ,CACT,CAAC;IACF,IAAI,CAAC,OAAO,EAAE,CAAC;~~QACb~~,MAAM,IAAI,eAAe,CAAC,~~kBAAkB~~,EAAE,~~kBAAkB~~,CAAC,CAAC~~;IACpE~~,CAAC;~~IAED~~,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,CACpD,WAAW,CAAC,MAAM,EAClB,OAAO,CACR,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,~~gBAAgB~~,CAAC;~~IACxD~~,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,~~gBAAgB~~,CAAC;~~CACvE~~,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EACvC,MAAM,EACN,KAAK,GAON;IACC,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,MAAM,oBAAoB;SAChE,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,yBAAyB;IACzB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC;QACrD,KAAK,EAAE;YACL,MAAM;YACN,UAAU,EAAE,WAAW;SACxB;KACF,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CACtC,WAAW,EAAE,QAAQ,IAAI,EAAE,EAC3B,eAAe,CAChB,CAAC;IACF,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CACvB,+BAA+B,EAC/B,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9B,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,WAAW,CAAC,SAAS;gBAChC,UAAU,EAAE,WAAW;aACxB;SACF;QACD,IAAI,EAAE;YACJ,QAAQ,EAAE,MAAM,kBAAkB,CAAC,WAAW,CAAC;SAChD;KACF,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;QACnC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;KACtB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,~~gBAAgB~~,CAAC;~~CACvE~~,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,EACtC,MAAM,EACN,KAAK,GAMN;IACC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB;SAC9C,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,uBAAuB;IACvB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACxC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,aAAa,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,eAAe,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;IACtE,CAAC;IAED,4CAA4C;IAC5C,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9B,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,UAAU,EAAE,WAAW;aACxB;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE;gBACJ,OAAO,EAAE;oBACP,EAAE,EAAE,MAAM;iBACX;aACF;YACD,SAAS,EAAE,IAAI,CAAC,KAAK;YACrB,UAAU,EAAE,WAAW;YACvB,QAAQ,EAAE,YAAY;SACvB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,YAAY;SACvB;KACF,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AACd,CAAC"}
1	+ {"version":3,"file":"user-password.service.js","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts"],"names":[],"mappings":"AAAA,cAAc;AAMd,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9E,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EACL,eAAe,EACf,+BAA+B,EAC/B,QAAQ,EACR,aAAa,EACb,oBAAoB,GACrB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,WAAW,GAAG,gBAAgB,CAAC;AAErC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,KAAK,EAAE,CAAC;SACL,KAAK,EAAE;SACP,GAAG,CAAC,mBAAmB,CAAC;SACxB,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;CACvE,CAAC,CAAC;AAEH;;GAEG;AAEH,MAAM,sBAAsB,GAAG,kBAAkB,CAAC,cAAc,EAAE;IAChE,MAAM,EAAE,EAAE;IACV,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;IAC5B,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,+BAA+B;CACxD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,UAAU,EAAE;IACvD,MAAM,EAAE,EAAE;IACV,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,WAAW;IACnC,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,+BAA+B;CACxD,CAAC,CAAC;AAEH,MAAM,+BAA+B,GAAG,kBAAkB,CACxD,yBAAyB,EACzB;IACE,MAAM,EAAE,CAAC;IACT,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,mCAAmC;IAC3D,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,iDAAiD;CAC1E,CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAAC,EACnD,KAAK,GAMN;IACC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,mBAAmB;SAClD,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC1C,+CAA+C;IAC/C,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC;QACvD,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,WAAW;aACxB;SACF;KACF,CAAC,CAAC;IAEH,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,eAAe,CAAC,qBAAqB,EAAE,aAAa,CAAC,CAAC;IAClE,CAAC;IAED,cAAc;IACd,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;QACpC,IAAI,EAAE;YACJ,KAAK;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE;oBACN,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,WAAW;oBACvB,QAAQ,EAAE,MAAM,kBAAkB,CAAC,QAAQ,CAAC;iBAC7C;aACF;SACF;KACF,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,EACrD,KAAK,EACL,OAAO,GAOR;IACC,gCAAgC;IAChC,MAAM,sBAAsB,EAAE,CAAC,cAAc,CAC3C,OAAO,CAAC,OAAO,CAAC,EAAE,EAClB,yDAAyD,EACzD,2BAA2B,CAC5B,CAAC;IAEF,MAAM,IAAI,GAAG,MAAM,8BAA8B,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IAEzE,sEAAsE;IACtE,wBAAwB,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEvE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oCAAoC,CAAC,EACzD,KAAK,EACL,OAAO,GAOR;IACC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,mBAAmB;SAClD,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,sBAAsB;IACtB,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,GAAG,KAAK,IAAI,QAAQ,EAAE,CAAC;IAE1C,0DAA0D;IAC1D,MAAM,iBAAiB,EAAE,CAAC,cAAc,CACtC,QAAQ,EACR,kDAAkD,EAClD,uBAAuB,CACxB,CAAC;IAEF,sEAAsE;IACtE,MAAM,sBAAsB,GAC1B,MAAM,+BAA+B,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE1D,IAAI,sBAAsB,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,CAAC;QAC9D,MAAM,IAAI,oBAAoB,CAC5B,qFAAqF,EACrF,iCAAiC,EACjC,EAAE,YAAY,EAAE,sBAAsB,CAAC,YAAY,EAAE,CACtD,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC;QACtD,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,WAAW;aACxB;SACF;KACF,CAAC,CAAC;IAEH,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CACtC,WAAW,EAAE,QAAQ,IAAI,EAAE,EAC3B,QAAQ,CACT,CAAC;IACF,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,uBAAuB;QACvB,MAAM,+BAA+B,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC5D,MAAM,IAAI,eAAe,CACvB,2BAA2B,EAC3B,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,MAAM,+BAA+B,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAE3D,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,CACpD,WAAW,CAAC,MAAM,EAClB,OAAO,CACR,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC3D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;CAC1E,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EACvC,MAAM,EACN,KAAK,GAON;IACC,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,MAAM,oBAAoB;SAChE,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,yBAAyB;IACzB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC;QACrD,KAAK,EAAE;YACL,MAAM;YACN,UAAU,EAAE,WAAW;SACxB;KACF,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CACtC,WAAW,EAAE,QAAQ,IAAI,EAAE,EAC3B,eAAe,CAChB,CAAC;IACF,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CACvB,+BAA+B,EAC/B,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9B,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,WAAW,CAAC,SAAS;gBAChC,UAAU,EAAE,WAAW;aACxB;SACF;QACD,IAAI,EAAE;YACJ,QAAQ,EAAE,MAAM,kBAAkB,CAAC,WAAW,CAAC;SAChD;KACF,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;QACnC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;KACtB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;CAC1E,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,EACtC,MAAM,EACN,KAAK,GAMN;IACC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB;SAC9C,UAAU,CAAC,KAAK,CAAC;SACjB,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,uBAAuB;IACvB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACxC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,aAAa,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,eAAe,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;IACtE,CAAC;IAED,4CAA4C;IAC5C,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9B,KAAK,EAAE;YACL,oBAAoB,EAAE;gBACpB,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,UAAU,EAAE,WAAW;aACxB;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE;gBACJ,OAAO,EAAE;oBACP,EAAE,EAAE,MAAM;iBACX;aACF;YACD,SAAS,EAAE,IAAI,CAAC,KAAK;YACrB,UAAU,EAAE,WAAW;YACvB,QAAQ,EAAE,YAAY;SACvB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,YAAY;SACvB;KACF,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts CHANGED Viewed

@@ -4,32 +4,59 @@ import type { User } from '%prismaGeneratedImports';
 import type { RequestServiceContext } from '%requestServiceContextImports';
 import type { UserSessionPayload } from '%userSessionTypesImports';
-import { PASSWORD_MIN_LENGTH } from '$constantsPassword';
+import { PASSWORD_MAX_LENGTH, PASSWORD_MIN_LENGTH } from '$constantsPassword';
+import { requestEmailVerification } from '$servicesEmailVerification';
 import {
   BadRequestError,
   handleZodRequestValidationError,
+  logError,
   NotFoundError,
+  TooManyRequestsError,
 } from '%errorHandlerServiceImports';
 import {
   createPasswordHash,
   verifyPasswordHash,
 } from '%passwordHasherServiceImports';
 import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
 import { userSessionService } from '%userSessionServiceImports';
 import z from 'zod';
 const PROVIDER_ID = 'email-password';
-const MAX_VALUE_LENGTH = 255;
 const emailPasswordSchema = z.object({
   email: z
     .email()
-    .max(MAX_VALUE_LENGTH)
+    .max(PASSWORD_MAX_LENGTH)
     .transform((value) => value.toLowerCase()),
-  password: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+  password: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
 });
+/**
+ * Rate limiters for authentication operations.
+ */
+const getRegistrationLimiter = memoizeRateLimiter('registration', {
+  points: 10,
+  duration: 60 * 60, // 1 hour
+  blockDuration: 60 * 60, // Block for 1 hour if exceeded
+});
+const getLoginIpLimiter = memoizeRateLimiter('login-ip', {
+  points: 10,
+  duration: 60 * 60 * 24, // 24 hours
+  blockDuration: 60 * 60, // Block for 1 hour if exceeded
+});
+const getLoginConsecutiveFailsLimiter = memoizeRateLimiter(
+  'login-consecutive-fails',
+  {
+    points: 5,
+    duration: 60 * 60 * 24, // 24 hours (duration for tracking)
+    blockDuration: 60 * 15, // Block for 15 minutes after 5 consecutive fails
+  },
+);
 export async function createUserWithEmailAndPassword({
   input,
 }: {
@@ -82,9 +109,19 @@ export async function registerUserWithEmailAndPassword({
   };
   context: RequestServiceContext;
 }): Promise<{ session: UserSessionPayload; user: User }> {
+  // Rate limit registration by IP
+  await getRegistrationLimiter().consumeOrThrow(
+    context.reqInfo.ip,
+    'Too many registration attempts. Please try again later.',
+    'registration-rate-limited',
+  );
   const user = await createUserWithEmailAndPassword({ input });
   const session = await userSessionService.createSession(user.id, context);
+  // Send verification email (fire-and-forget, don't block registration)
+  requestEmailVerification({ userId: user.id, context }).catch(logError);
   return { session, user };
 }
@@ -102,6 +139,29 @@ export async function authenticateUserWithEmailAndPassword({
     .parseAsync(input)
     .catch(handleZodRequestValidationError);
+  // Rate limiting setup
+  const clientIp = context.reqInfo.ip;
+  const emailIpKey = `${email}_${clientIp}`;
+  // Check IP-based rate limit (slow brute force protection)
+  await getLoginIpLimiter().consumeOrThrow(
+    clientIp,
+    'Too many login attempts. Please try again later.',
+    'login-ip-rate-limited',
+  );
+  // Check consecutive failures rate limit (fast brute force protection)
+  const consecutiveFailsResult =
+    await getLoginConsecutiveFailsLimiter().get(emailIpKey);
+  if (consecutiveFailsResult && !consecutiveFailsResult.allowed) {
+    throw new TooManyRequestsError(
+      'Account temporarily locked due to too many failed attempts. Please try again later.',
+      'login-consecutive-fails-blocked',
+      { retryAfterMs: consecutiveFailsResult.msBeforeNext },
+    );
+  }
   // check if user with that email exists
   const userAccount = await prisma.userAccount.findUnique({
     where: {
@@ -112,19 +172,23 @@ export async function authenticateUserWithEmailAndPassword({
     },
   });
-  if (userAccount === null) {
-    throw new BadRequestError('Invalid email', 'invalid-email');
-  }
   // check for password match
   const isValid = await verifyPasswordHash(
-    userAccount.password ?? '',
+    userAccount?.password ?? '',
     password,
   );
-  if (!isValid) {
-    throw new BadRequestError('Invalid password', 'invalid-password');
+  if (!isValid || !userAccount) {
+    // Track failed attempt
+    await getLoginConsecutiveFailsLimiter().consume(emailIpKey);
+    throw new BadRequestError(
+      'Invalid email or password',
+      'invalid-credentials',
+    );
   }
+  // Reset consecutive failures on successful login
+  await getLoginConsecutiveFailsLimiter().delete(emailIpKey);
   const session = await userSessionService.createSession(
     userAccount.userId,
     context,
@@ -134,8 +198,8 @@ export async function authenticateUserWithEmailAndPassword({
 }
 const changePasswordSchema = z.object({
-  currentPassword: z.string().min(1).max(MAX_VALUE_LENGTH),
-  newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+  currentPassword: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+  newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
 });
 /**
@@ -200,7 +264,7 @@ export async function changeUserPassword({
 }
 const resetPasswordSchema = z.object({
-  newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(MAX_VALUE_LENGTH),
+  newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
 });
 /**

package/dist/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * Generator for auth email templates.
+ *
+ * Registers auth-related email templates (password reset, password changed,
+ * account verification) with the transactional email library and generates
+ * the corresponding .tsx template files.
+ */
+export declare const authEmailTemplatesGenerator: import("@baseplate-dev/sync").GeneratorBundleCreator<Record<string, never>, {
+    paths: import("@baseplate-dev/sync").GeneratorTask<{
+        localAuthAuthEmailTemplatesPaths: import("@baseplate-dev/sync").ProviderExport<import("./generated/template-paths.js").LocalAuthAuthEmailTemplatesPaths>;
+    }, {
+        packageInfo: import("@baseplate-dev/sync").ProviderType<import("@baseplate-dev/core-generators").PackageInfoProvider>;
+    }, undefined>;
+    renderers: import("@baseplate-dev/sync").GeneratorTask<{
+        localAuthAuthEmailTemplatesRenderers: import("@baseplate-dev/sync").ProviderExport<import("./generated/template-renderers.js").LocalAuthAuthEmailTemplatesRenderers>;
+    }, {
+        paths: import("@baseplate-dev/sync").ProviderType<import("./generated/template-paths.js").LocalAuthAuthEmailTemplatesPaths>;
+        transactionalLibImports: import("@baseplate-dev/sync").ProviderType<import("@baseplate-dev/core-generators").InferTsImportMapFromSchema<{
+            Button: {};
+            defineEmail: {};
+            DefineEmailOptions: {
+                isTypeOnly: true;
+            };
+            Divider: {};
+            EmailComponent: {
+                isTypeOnly: true;
+            };
+            EmailLayout: {};
+            Heading: {};
+            renderEmail: {};
+            Section: {};
+            Text: {};
+            theme: {};
+        }>>;
+        typescriptFile: import("@baseplate-dev/sync").ProviderType<import("@baseplate-dev/core-generators").TypescriptFileProvider>;
+    }, undefined>;
+    main: import("@baseplate-dev/sync").GeneratorTask<any, {
+        emailTemplates: import("@baseplate-dev/sync").ProviderType<import("@baseplate-dev/plugin-email").EmailTemplatesProvider>;
+        paths: import("@baseplate-dev/sync").ProviderType<import("./generated/template-paths.js").LocalAuthAuthEmailTemplatesPaths>;
+        renderers: import("@baseplate-dev/sync").ProviderType<import("./generated/template-renderers.js").LocalAuthAuthEmailTemplatesRenderers>;
+    }, any>;
+}>;
+//# sourceMappingURL=auth-email-templates.generator.d.ts.map

package/dist/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth-email-templates.generator.d.ts","sourceRoot":"","sources":["../../../../../src/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.ts"],"names":[],"mappings":"AAQA;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAyCtC,CAAC"}

package/dist/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { emailTemplatesProvider } from '@baseplate-dev/plugin-email';
+import { createGenerator, createGeneratorTask } from '@baseplate-dev/sync';
+import { z } from 'zod';
+import { LOCAL_AUTH_AUTH_EMAIL_TEMPLATES_GENERATED as GENERATED_TEMPLATES } from './generated/index.js';
+const descriptorSchema = z.object({});
+/**
+ * Generator for auth email templates.
+ *
+ * Registers auth-related email templates (password reset, password changed,
+ * account verification) with the transactional email library and generates
+ * the corresponding .tsx template files.
+ */
+export const authEmailTemplatesGenerator = createGenerator({
+    name: 'local-auth/auth-email-templates',
+    generatorFileUrl: import.meta.url,
+    descriptorSchema,
+    buildTasks: () => ({
+        paths: GENERATED_TEMPLATES.paths.task,
+        renderers: GENERATED_TEMPLATES.renderers.task,
+        main: createGeneratorTask({
+            dependencies: {
+                emailTemplates: emailTemplatesProvider,
+                paths: GENERATED_TEMPLATES.paths.provider,
+                renderers: GENERATED_TEMPLATES.renderers.provider,
+            },
+            run({ emailTemplates, paths, renderers }) {
+                emailTemplates.registerExport({
+                    exportName: 'AccountVerificationEmail',
+                    exportPath: paths.accountVerificationEmail,
+                });
+                emailTemplates.registerExport({
+                    exportName: 'PasswordChangedEmail',
+                    exportPath: paths.passwordChangedEmail,
+                });
+                emailTemplates.registerExport({
+                    exportName: 'PasswordResetEmail',
+                    exportPath: paths.passwordResetEmail,
+                });
+                return {
+                    build: async (builder) => {
+                        await builder.apply(renderers.accountVerificationEmail.render({}), renderers.passwordChangedEmail.render({}), renderers.passwordResetEmail.render({}));
+                    },
+                };
+            },
+        }),
+    }),
+});
+//# sourceMappingURL=auth-email-templates.generator.js.map

package/dist/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-email-templates.generator.js","sourceRoot":"","sources":["../../../../../src/local-auth/core/generators/auth-email-templates/auth-email-templates.generator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,yCAAyC,IAAI,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAExG,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAEtC;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,eAAe,CAAC;IACzD,IAAI,EAAE,iCAAiC;IACvC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG;IACjC,gBAAgB;IAChB,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACjB,KAAK,EAAE,mBAAmB,CAAC,KAAK,CAAC,IAAI;QACrC,SAAS,EAAE,mBAAmB,CAAC,SAAS,CAAC,IAAI;QAC7C,IAAI,EAAE,mBAAmB,CAAC;YACxB,YAAY,EAAE;gBACZ,cAAc,EAAE,sBAAsB;gBACtC,KAAK,EAAE,mBAAmB,CAAC,KAAK,CAAC,QAAQ;gBACzC,SAAS,EAAE,mBAAmB,CAAC,SAAS,CAAC,QAAQ;aAClD;YACD,GAAG,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,SAAS,EAAE;gBACtC,cAAc,CAAC,cAAc,CAAC;oBAC5B,UAAU,EAAE,0BAA0B;oBACtC,UAAU,EAAE,KAAK,CAAC,wBAAwB;iBAC3C,CAAC,CAAC;gBAEH,cAAc,CAAC,cAAc,CAAC;oBAC5B,UAAU,EAAE,sBAAsB;oBAClC,UAAU,EAAE,KAAK,CAAC,oBAAoB;iBACvC,CAAC,CAAC;gBAEH,cAAc,CAAC,cAAc,CAAC;oBAC5B,UAAU,EAAE,oBAAoB;oBAChC,UAAU,EAAE,KAAK,CAAC,kBAAkB;iBACrC,CAAC,CAAC;gBAEH,OAAO;oBACL,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;wBACvB,MAAM,OAAO,CAAC,KAAK,CACjB,SAAS,CAAC,wBAAwB,CAAC,MAAM,CAAC,EAAE,CAAC,EAC7C,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC,EACzC,SAAS,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CACxC,CAAC;oBACJ,CAAC;iBACF,CAAC;YACJ,CAAC;SACF,CAAC;KACH,CAAC;CACH,CAAC,CAAC"}