npm - @baseplate-dev/plugin-auth - Versions diffs - 4.0.1 → 4.0.2 - Mend

@baseplate-dev/plugin-auth 4.0.1 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/auth-verification.service.ts ADDED Viewed

@@ -0,0 +1,146 @@
+// @ts-nocheck
+import type { AuthVerification, Prisma } from '%prismaGeneratedImports';
+import { prisma } from '%prismaImports';
+import * as crypto from 'node:crypto';
+/**
+ * Split-token pattern for secure verification flows.
+ *
+ * - selector: random identifier used for DB lookup (stored as `identifier`)
+ * - verifier: random secret, hashed before storage (stored as `value`)
+ * - token: `{selector}.{verifier}` — the value sent to the user
+ */
+function generateSplitToken(): { selector: string; verifier: string } {
+  return {
+    selector: crypto.randomBytes(16).toString('base64url'),
+    verifier: crypto.randomBytes(16).toString('base64url'),
+  };
+}
+function hashVerifier(verifier: string): string {
+  return crypto.createHash('sha256').update(verifier).digest('hex');
+}
+/**
+ * Constant-time comparison of two hex strings to prevent timing attacks.
+ */
+function safeCompare(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'));
+}
+function encodeToken(selector: string, verifier: string): string {
+  return `${selector}.${verifier}`;
+}
+function decodeToken(
+  token: string,
+): { selector: string; verifier: string } | null {
+  const dotIndex = token.indexOf('.');
+  if (dotIndex === -1) {
+    return null;
+  }
+  return {
+    selector: token.slice(0, dotIndex),
+    verifier: token.slice(dotIndex + 1),
+  };
+}
+/**
+ * Creates a new auth verification using the split-token pattern.
+ *
+ * @param type - Verification type (e.g., "password-reset", "email-verify")
+ * @param userId - Optional user ID to associate with the token
+ * @param expiresInSec - Token lifetime in seconds
+ * @param metadata - Optional JSON metadata to store with the token
+ * @returns The combined token (`{selector}.{verifier}`) to send to the user
+ */
+export async function createAuthVerification({
+  type,
+  userId,
+  expiresInSec,
+  metadata,
+}: {
+  type: string;
+  userId?: string;
+  expiresInSec: number;
+  metadata?: Prisma.JsonValue;
+}): Promise<{ token: string }> {
+  const { selector, verifier } = generateSplitToken();
+  const value = hashVerifier(verifier);
+  const expiresAt = new Date(Date.now() + expiresInSec * 1000);
+  await prisma.authVerification.create({
+    data: {
+      type,
+      identifier: selector,
+      value,
+      userId,
+      metadata: metadata ?? undefined,
+      expiresAt,
+    },
+  });
+  return { token: encodeToken(selector, verifier) };
+}
+/**
+ * Validates an auth verification token without consuming it.
+ * Returns the full record if valid so the caller can delete it
+ * as part of their own transaction.
+ *
+ * Security: If the selector matches but the verifier is wrong or expired,
+ * the token is deleted to prevent brute-force attempts.
+ *
+ * @throws BadRequestError if token is invalid, expired, or malformed
+ */
+export async function validateAuthVerification({
+  type,
+  token,
+}: {
+  type: string;
+  token: string;
+}): Promise<AuthVerification | null> {
+  const decoded = decodeToken(token);
+  if (!decoded) {
+    return null;
+  }
+  const record = await prisma.authVerification.findUnique({
+    where: { type_identifier: { type, identifier: decoded.selector } },
+  });
+  if (!record) {
+    return null;
+  }
+  if (
+    !safeCompare(record.value, hashVerifier(decoded.verifier)) ||
+    record.expiresAt < new Date()
+  ) {
+    await prisma.authVerification.delete({ where: { id: record.id } });
+    return null;
+  }
+  return record;
+}
+/**
+ * Cleanup job to delete expired auth verification tokens.
+ * Should be called periodically (e.g., via cron job or queue).
+ */
+export async function cleanupExpiredAuthVerifications(): Promise<{
+  deletedCount: number;
+}> {
+  const result = await prisma.authVerification.deleteMany({
+    where: {
+      expiresAt: { lt: new Date() },
+    },
+  });
+  return { deletedCount: result.count };
+}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import type { RequestServiceContext } from '%requestServiceContextImports';
+/**
+ * Request an email verification for the authenticated user.
+ * Sends a verification email with a link to verify.
+ */
+export declare function requestEmailVerification({ userId, context, }: {
+    userId: string;
+    context: RequestServiceContext;
+}): Promise<{
+    success: true;
+}>;
+/**
+ * Verify a user's email using the token from the verification email.
+ * This is a public (anonymous) mutation — the token proves identity.
+ *
+ * @throws BadRequestError if token is invalid or expired
+ */
+export declare function verifyEmail({ token, context, }: {
+    token: string;
+    context: RequestServiceContext;
+}): Promise<{
+    success: true;
+}>;
+//# sourceMappingURL=email-verification.service.d.ts.map

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"email-verification.service.d.ts","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AA4C3E;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,EAC7C,MAAM,EACN,OAAO,GACR,EAAE;IACD,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,CAAC,CA0C7B;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,EAChC,KAAK,EACL,OAAO,GACR,EAAE;IACD,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,CAAC,CA4B7B"}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.js ADDED Viewed

@@ -0,0 +1,88 @@
+// @ts-nocheck
+import { EMAIL_VERIFICATION_TOKEN_EXPIRY_SEC } from '$constantsPassword';
+import { createAuthVerification, validateAuthVerification, } from '$servicesAuthVerification';
+import { config } from '%configServiceImports';
+import { sendEmail } from '%emailModuleImports';
+import { BadRequestError } from '%errorHandlerServiceImports';
+import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
+import { AccountVerificationEmail } from '@blog-with-auth/transactional';
+const EMAIL_VERIFY_TYPE = 'email-verify';
+/**
+ * Rate limiters for email verification operations.
+ */
+// Per-user rate limit: 3 requests per 20 minutes
+const getRequestEmailVerificationUserLimiter = memoizeRateLimiter('request-email-verification-user', {
+    points: 3,
+    duration: 60 * 20, // 20 minutes
+});
+// Per-IP rate limit: 10 requests/hour
+const getRequestEmailVerificationIpLimiter = memoizeRateLimiter('request-email-verification-ip', {
+    points: 10,
+    duration: 60 * 60, // 1 hour
+});
+// Per-IP rate limit for verify endpoint: 10 requests/hour
+const getVerifyEmailIpLimiter = memoizeRateLimiter('verify-email-ip', {
+    points: 10,
+    duration: 60 * 60, // 1 hour
+});
+/**
+ * Request an email verification for the authenticated user.
+ * Sends a verification email with a link to verify.
+ */
+export async function requestEmailVerification({ userId, context, }) {
+    await Promise.all([
+        getRequestEmailVerificationIpLimiter().consumeOrThrow(context.reqInfo.ip, 'Too many verification attempts. Please try again later.', 'too-many-requests'),
+        getRequestEmailVerificationUserLimiter().consumeOrThrow(userId, 'Too many verification attempts. Please try again later.', 'too-many-requests'),
+    ]);
+    const user = await prisma.user.findUnique({
+        where: { id: userId },
+        select: { id: true, email: true, emailVerified: true },
+    });
+    if (!user?.email) {
+        throw new BadRequestError('No email address on account', 'no-email');
+    }
+    if (user.emailVerified) {
+        return { success: true };
+    }
+    const { token } = await createAuthVerification({
+        type: EMAIL_VERIFY_TYPE,
+        userId: user.id,
+        expiresInSec: EMAIL_VERIFICATION_TOKEN_EXPIRY_SEC,
+    });
+    // Construct verification URL using configured domain
+    const verifyLink = `${config.AUTH_FRONTEND_URL}/auth/verify-email?token=${encodeURIComponent(token)}`;
+    await sendEmail(AccountVerificationEmail, {
+        to: user.email,
+        data: { verifyLink },
+    });
+    return { success: true };
+}
+/**
+ * Verify a user's email using the token from the verification email.
+ * This is a public (anonymous) mutation — the token proves identity.
+ *
+ * @throws BadRequestError if token is invalid or expired
+ */
+export async function verifyEmail({ token, context, }) {
+    await getVerifyEmailIpLimiter().consumeOrThrow(context.reqInfo.ip, 'Too many verification attempts. Please try again later.', 'too-many-requests');
+    const record = await validateAuthVerification({
+        type: EMAIL_VERIFY_TYPE,
+        token,
+    });
+    if (!record?.userId) {
+        throw new BadRequestError('Invalid or expired token', 'invalid-token');
+    }
+    // Delete this token + remaining email-verify tokens + update user in one transaction
+    await prisma.$transaction([
+        prisma.authVerification.deleteMany({
+            where: { type: EMAIL_VERIFY_TYPE, userId: record.userId },
+        }),
+        prisma.user.update({
+            where: { id: record.userId },
+            data: { emailVerified: true },
+        }),
+    ]);
+    return { success: true };
+}
+//# sourceMappingURL=email-verification.service.js.map

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"email-verification.service.js","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.ts"],"names":[],"mappings":"AAAA,cAAc;AAId,OAAO,EAAE,mCAAmC,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,EACL,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAEzE,MAAM,iBAAiB,GAAG,cAAc,CAAC;AAEzC;;GAEG;AAEH,iDAAiD;AACjD,MAAM,sCAAsC,GAAG,kBAAkB,CAC/D,iCAAiC,EACjC;IACE,MAAM,EAAE,CAAC;IACT,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,aAAa;CACjC,CACF,CAAC;AAEF,sCAAsC;AACtC,MAAM,oCAAoC,GAAG,kBAAkB,CAC7D,+BAA+B,EAC/B;IACE,MAAM,EAAE,EAAE;IACV,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;CAC7B,CACF,CAAC;AAEF,0DAA0D;AAC1D,MAAM,uBAAuB,GAAG,kBAAkB,CAAC,iBAAiB,EAAE;IACpE,MAAM,EAAE,EAAE;IACV,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;CAC7B,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,EAC7C,MAAM,EACN,OAAO,GAIR;IACC,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,oCAAoC,EAAE,CAAC,cAAc,CACnD,OAAO,CAAC,OAAO,CAAC,EAAE,EAClB,yDAAyD,EACzD,mBAAmB,CACpB;QACD,sCAAsC,EAAE,CAAC,cAAc,CACrD,MAAM,EACN,yDAAyD,EACzD,mBAAmB,CACpB;KACF,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACxC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KACvD,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QACjB,MAAM,IAAI,eAAe,CAAC,6BAA6B,EAAE,UAAU,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,sBAAsB,CAAC;QAC7C,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,YAAY,EAAE,mCAAmC;KAClD,CAAC,CAAC;IAEH,qDAAqD;IACrD,MAAM,UAAU,GAAG,GAAG,MAAM,CAAC,iBAAiB,4BAA4B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAEtG,MAAM,SAAS,CAAC,wBAAwB,EAAE;QACxC,EAAE,EAAE,IAAI,CAAC,KAAK;QACd,IAAI,EAAE,EAAE,UAAU,EAAE;KACrB,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAChC,KAAK,EACL,OAAO,GAIR;IACC,MAAM,uBAAuB,EAAE,CAAC,cAAc,CAC5C,OAAO,CAAC,OAAO,CAAC,EAAE,EAClB,yDAAyD,EACzD,mBAAmB,CACpB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;QAC5C,IAAI,EAAE,iBAAiB;QACvB,KAAK;KACN,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,IAAI,eAAe,CAAC,0BAA0B,EAAE,eAAe,CAAC,CAAC;IACzE,CAAC;IAED,qFAAqF;IACrF,MAAM,MAAM,CAAC,YAAY,CAAC;QACxB,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC;YACjC,KAAK,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SAC1D,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;YACjB,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE;YAC5B,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;SAC9B,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC"}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/email-verification.service.ts ADDED Viewed

@@ -0,0 +1,141 @@
+// @ts-nocheck
+import type { RequestServiceContext } from '%requestServiceContextImports';
+import { EMAIL_VERIFICATION_TOKEN_EXPIRY_SEC } from '$constantsPassword';
+import {
+  createAuthVerification,
+  validateAuthVerification,
+} from '$servicesAuthVerification';
+import { config } from '%configServiceImports';
+import { sendEmail } from '%emailModuleImports';
+import { BadRequestError } from '%errorHandlerServiceImports';
+import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
+import { AccountVerificationEmail } from '@blog-with-auth/transactional';
+const EMAIL_VERIFY_TYPE = 'email-verify';
+/**
+ * Rate limiters for email verification operations.
+ */
+// Per-user rate limit: 3 requests per 20 minutes
+const getRequestEmailVerificationUserLimiter = memoizeRateLimiter(
+  'request-email-verification-user',
+  {
+    points: 3,
+    duration: 60 * 20, // 20 minutes
+  },
+);
+// Per-IP rate limit: 10 requests/hour
+const getRequestEmailVerificationIpLimiter = memoizeRateLimiter(
+  'request-email-verification-ip',
+  {
+    points: 10,
+    duration: 60 * 60, // 1 hour
+  },
+);
+// Per-IP rate limit for verify endpoint: 10 requests/hour
+const getVerifyEmailIpLimiter = memoizeRateLimiter('verify-email-ip', {
+  points: 10,
+  duration: 60 * 60, // 1 hour
+});
+/**
+ * Request an email verification for the authenticated user.
+ * Sends a verification email with a link to verify.
+ */
+export async function requestEmailVerification({
+  userId,
+  context,
+}: {
+  userId: string;
+  context: RequestServiceContext;
+}): Promise<{ success: true }> {
+  await Promise.all([
+    getRequestEmailVerificationIpLimiter().consumeOrThrow(
+      context.reqInfo.ip,
+      'Too many verification attempts. Please try again later.',
+      'too-many-requests',
+    ),
+    getRequestEmailVerificationUserLimiter().consumeOrThrow(
+      userId,
+      'Too many verification attempts. Please try again later.',
+      'too-many-requests',
+    ),
+  ]);
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { id: true, email: true, emailVerified: true },
+  });
+  if (!user?.email) {
+    throw new BadRequestError('No email address on account', 'no-email');
+  }
+  if (user.emailVerified) {
+    return { success: true };
+  }
+  const { token } = await createAuthVerification({
+    type: EMAIL_VERIFY_TYPE,
+    userId: user.id,
+    expiresInSec: EMAIL_VERIFICATION_TOKEN_EXPIRY_SEC,
+  });
+  // Construct verification URL using configured domain
+  const verifyLink = `${config.AUTH_FRONTEND_URL}/auth/verify-email?token=${encodeURIComponent(token)}`;
+  await sendEmail(AccountVerificationEmail, {
+    to: user.email,
+    data: { verifyLink },
+  });
+  return { success: true };
+}
+/**
+ * Verify a user's email using the token from the verification email.
+ * This is a public (anonymous) mutation — the token proves identity.
+ *
+ * @throws BadRequestError if token is invalid or expired
+ */
+export async function verifyEmail({
+  token,
+  context,
+}: {
+  token: string;
+  context: RequestServiceContext;
+}): Promise<{ success: true }> {
+  await getVerifyEmailIpLimiter().consumeOrThrow(
+    context.reqInfo.ip,
+    'Too many verification attempts. Please try again later.',
+    'too-many-requests',
+  );
+  const record = await validateAuthVerification({
+    type: EMAIL_VERIFY_TYPE,
+    token,
+  });
+  if (!record?.userId) {
+    throw new BadRequestError('Invalid or expired token', 'invalid-token');
+  }
+  // Delete this token + remaining email-verify tokens + update user in one transaction
+  await prisma.$transaction([
+    prisma.authVerification.deleteMany({
+      where: { type: EMAIL_VERIFY_TYPE, userId: record.userId },
+    }),
+    prisma.user.update({
+      where: { id: record.userId },
+      data: { emailVerified: true },
+    }),
+  ]);
+  return { success: true };
+}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.d.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { RequestServiceContext } from '%requestServiceContextImports';
+/**
+ * Request a password reset for the given email.
+ */
+export declare function requestPasswordReset({ email: rawEmail, context, }: {
+    email: string;
+    context: RequestServiceContext;
+}): Promise<{
+    success: true;
+}>;
+/**
+ * Validates a password reset token without consuming it.
+ * Used by the frontend to verify the token is valid before showing the reset form.
+ */
+export declare function validatePasswordResetToken({ token: rawToken, }: {
+    token: string;
+}): Promise<{
+    valid: boolean;
+}>;
+/**
+ * Completes the password reset process by setting a new password.
+ *
+ * Security notes (OWASP Forgot Password Cheat Sheet):
+ * - Token is single-use (deleted after successful reset)
+ * - Does not auto-login the user
+ * - Always invalidates all existing sessions for security
+ * - All remaining password-reset tokens for this user are deleted
+ */
+export declare function completePasswordReset({ token: rawToken, newPassword: rawNewPassword, }: {
+    token: string;
+    newPassword: string;
+}): Promise<{
+    success: true;
+}>;
+//# sourceMappingURL=password-reset.service.d.ts.map

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"password-reset.service.d.ts","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAgE3E;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,EACzC,KAAK,EAAE,QAAQ,EACf,OAAO,GACR,EAAE;IACD,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,qBAAqB,CAAC;CAChC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,CAAC,CAgD7B;AAMD;;;GAGG;AACH,wBAAsB,0BAA0B,CAAC,EAC/C,KAAK,EAAE,QAAQ,GAChB,EAAE;IACD,KAAK,EAAE,MAAM,CAAC;CACf,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAA;CAAE,CAAC,CAW9B;AAOD;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CAAC,EAC1C,KAAK,EAAE,QAAQ,EACf,WAAW,EAAE,cAAc,GAC5B,EAAE;IACD,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,CAAC,CA8D7B"}

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.js ADDED Viewed

@@ -0,0 +1,157 @@
+// @ts-nocheck
+import { PASSWORD_MAX_LENGTH, PASSWORD_MIN_LENGTH, PASSWORD_RESET_TOKEN_EXPIRY_SEC, } from '$constantsPassword';
+import { createAuthVerification, validateAuthVerification, } from '$servicesAuthVerification';
+import { config } from '%configServiceImports';
+import { sendEmail } from '%emailModuleImports';
+import { BadRequestError, handleZodRequestValidationError, } from '%errorHandlerServiceImports';
+import { createPasswordHash } from '%passwordHasherServiceImports';
+import { prisma } from '%prismaImports';
+import { memoizeRateLimiter } from '%rateLimitImports';
+import { PasswordChangedEmail, PasswordResetEmail, } from '@blog-with-auth/transactional';
+import z from 'zod';
+const PROVIDER_ID = 'email-password';
+const PASSWORD_RESET_TYPE = 'password-reset';
+/**
+ * Rate limiters for password reset operations.
+ */
+// Per-email rate limit: 3 requests/hour
+const getPasswordResetEmailLimiter = memoizeRateLimiter('password-reset-email', {
+    points: 3,
+    duration: 60 * 60, // 1 hour
+});
+// Per-IP rate limit: 10 requests/hour (prevents email scanning)
+const getPasswordResetIpLimiter = memoizeRateLimiter('password-reset-ip', {
+    points: 10,
+    duration: 60 * 60, // 1 hour
+});
+// Global rate limit: 100 requests/hour (prevents overloading the email service)
+const getPasswordResetGlobalLimiter = memoizeRateLimiter('password-reset-global', {
+    points: 100,
+    duration: 60 * 60, // 1 hour
+});
+const requestPasswordResetSchema = z.object({
+    email: z
+        .email()
+        .max(PASSWORD_MAX_LENGTH)
+        .transform((value) => value.toLowerCase()),
+});
+/**
+ * Request a password reset for the given email.
+ */
+export async function requestPasswordReset({ email: rawEmail, context, }) {
+    const { email } = await requestPasswordResetSchema
+        .parseAsync({ email: rawEmail })
+        .catch(handleZodRequestValidationError);
+    await Promise.all([
+        getPasswordResetIpLimiter().consumeOrThrow(context.reqInfo.ip, 'Too many password reset attempts. Please try again later.', 'too-many-requests'),
+        getPasswordResetEmailLimiter().consumeOrThrow(email, 'Too many password reset attempts. Please try again later.', 'too-many-requests'),
+        getPasswordResetGlobalLimiter().consumeOrThrow('global', 'Too many password reset attempts. Please try again later.', 'too-many-requests'),
+    ]);
+    // Find user by email - silently handle non-existent users to prevent enumeration
+    const user = await prisma.user.findUnique({
+        where: { email },
+        select: { id: true, email: true },
+    });
+    if (user?.email) {
+        const { token } = await createAuthVerification({
+            type: PASSWORD_RESET_TYPE,
+            userId: user.id,
+            expiresInSec: PASSWORD_RESET_TOKEN_EXPIRY_SEC,
+        });
+        // Construct reset URL using configured domain
+        const resetLink = `${config.AUTH_FRONTEND_URL}/auth/reset-password?token=${encodeURIComponent(token)}`;
+        // Send email asynchronously (queue-based)
+        await sendEmail(PasswordResetEmail, {
+            to: user.email,
+            data: { resetLink },
+        });
+    }
+    // Always return success to prevent user enumeration
+    return { success: true };
+}
+const validateTokenSchema = z.object({
+    token: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+});
+/**
+ * Validates a password reset token without consuming it.
+ * Used by the frontend to verify the token is valid before showing the reset form.
+ */
+export async function validatePasswordResetToken({ token: rawToken, }) {
+    const { token } = await validateTokenSchema
+        .parseAsync({ token: rawToken })
+        .catch(handleZodRequestValidationError);
+    const record = await validateAuthVerification({
+        type: PASSWORD_RESET_TYPE,
+        token,
+    });
+    return { valid: record !== null };
+}
+const completePasswordResetSchema = z.object({
+    token: z.string().min(1).max(PASSWORD_MAX_LENGTH),
+    newPassword: z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH),
+});
+/**
+ * Completes the password reset process by setting a new password.
+ *
+ * Security notes (OWASP Forgot Password Cheat Sheet):
+ * - Token is single-use (deleted after successful reset)
+ * - Does not auto-login the user
+ * - Always invalidates all existing sessions for security
+ * - All remaining password-reset tokens for this user are deleted
+ */
+export async function completePasswordReset({ token: rawToken, newPassword: rawNewPassword, }) {
+    const { token, newPassword } = await completePasswordResetSchema
+        .parseAsync({
+        token: rawToken,
+        newPassword: rawNewPassword,
+    })
+        .catch(handleZodRequestValidationError);
+    const record = await validateAuthVerification({
+        type: PASSWORD_RESET_TYPE,
+        token,
+    });
+    if (!record?.userId) {
+        throw new BadRequestError('Invalid or expired token', 'invalid-token');
+    }
+    const user = await prisma.user.findUniqueOrThrow({
+        where: { id: record.userId },
+        select: { id: true, email: true },
+    });
+    if (!user.email) {
+        throw new BadRequestError('User has no email', 'user-has-no-email');
+    }
+    const passwordHash = await createPasswordHash(newPassword);
+    // Delete token + remaining reset tokens + update password + invalidate sessions
+    await prisma.$transaction([
+        prisma.authVerification.deleteMany({
+            where: { type: PASSWORD_RESET_TYPE, userId: user.id },
+        }),
+        prisma.userAccount.upsert({
+            where: {
+                accountId_providerId: {
+                    accountId: user.email,
+                    providerId: PROVIDER_ID,
+                },
+            },
+            create: {
+                userId: user.id,
+                accountId: user.email,
+                providerId: PROVIDER_ID,
+                password: passwordHash,
+            },
+            update: {
+                password: passwordHash,
+            },
+        }),
+        prisma.userSession.deleteMany({
+            where: { userId: user.id },
+        }),
+    ]);
+    // Send password changed confirmation email
+    await sendEmail(PasswordChangedEmail, {
+        to: user.email,
+        data: {},
+    });
+    return { success: true };
+}
+//# sourceMappingURL=password-reset.service.js.map

package/dist/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"password-reset.service.js","sourceRoot":"","sources":["../../../../../../../../src/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.ts"],"names":[],"mappings":"AAAA,cAAc;AAId,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,+BAA+B,GAChC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EACL,eAAe,EACf,+BAA+B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EACL,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,+BAA+B,CAAC;AACvC,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,WAAW,GAAG,gBAAgB,CAAC;AACrC,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAE7C;;GAEG;AAEH,wCAAwC;AACxC,MAAM,4BAA4B,GAAG,kBAAkB,CACrD,sBAAsB,EACtB;IACE,MAAM,EAAE,CAAC;IACT,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;CAC7B,CACF,CAAC;AAEF,gEAAgE;AAChE,MAAM,yBAAyB,GAAG,kBAAkB,CAAC,mBAAmB,EAAE;IACxE,MAAM,EAAE,EAAE;IACV,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;CAC7B,CAAC,CAAC;AAEH,gFAAgF;AAChF,MAAM,6BAA6B,GAAG,kBAAkB,CACtD,uBAAuB,EACvB;IACE,MAAM,EAAE,GAAG;IACX,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;CAC7B,CACF,CAAC;AAEF,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,KAAK,EAAE,CAAC;SACL,KAAK,EAAE;SACP,GAAG,CAAC,mBAAmB,CAAC;SACxB,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;CAC7C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,EACzC,KAAK,EAAE,QAAQ,EACf,OAAO,GAIR;IACC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,0BAA0B;SAC/C,UAAU,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;SAC/B,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,yBAAyB,EAAE,CAAC,cAAc,CACxC,OAAO,CAAC,OAAO,CAAC,EAAE,EAClB,2DAA2D,EAC3D,mBAAmB,CACpB;QACD,4BAA4B,EAAE,CAAC,cAAc,CAC3C,KAAK,EACL,2DAA2D,EAC3D,mBAAmB,CACpB;QACD,6BAA6B,EAAE,CAAC,cAAc,CAC5C,QAAQ,EACR,2DAA2D,EAC3D,mBAAmB,CACpB;KACF,CAAC,CAAC;IAEH,iFAAiF;IACjF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACxC,KAAK,EAAE,EAAE,KAAK,EAAE;QAChB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;KAClC,CAAC,CAAC;IAEH,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;QAChB,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,sBAAsB,CAAC;YAC7C,IAAI,EAAE,mBAAmB;YACzB,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,YAAY,EAAE,+BAA+B;SAC9C,CAAC,CAAC;QAEH,8CAA8C;QAC9C,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,iBAAiB,8BAA8B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;QAEvG,0CAA0C;QAC1C,MAAM,SAAS,CAAC,kBAAkB,EAAE;YAClC,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,IAAI,EAAE,EAAE,SAAS,EAAE;SACpB,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IACpD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;CAClD,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,EAC/C,KAAK,EAAE,QAAQ,GAGhB;IACC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,mBAAmB;SACxC,UAAU,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;SAC/B,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;QAC5C,IAAI,EAAE,mBAAmB;QACzB,KAAK;KACN,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,MAAM,KAAK,IAAI,EAAE,CAAC;AACpC,CAAC;AAED,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACjD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC;CAC1E,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,EAC1C,KAAK,EAAE,QAAQ,EACf,WAAW,EAAE,cAAc,GAI5B;IACC,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,2BAA2B;SAC7D,UAAU,CAAC;QACV,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,cAAc;KAC5B,CAAC;SACD,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC;QAC5C,IAAI,EAAE,mBAAmB;QACzB,KAAK;KACN,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,IAAI,eAAe,CAAC,0BAA0B,EAAE,eAAe,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;QAC/C,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE;QAC5B,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,eAAe,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAE3D,gFAAgF;IAChF,MAAM,MAAM,CAAC,YAAY,CAAC;QACxB,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC;YACjC,KAAK,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE;SACtD,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;YACxB,KAAK,EAAE;gBACL,oBAAoB,EAAE;oBACpB,SAAS,EAAE,IAAI,CAAC,KAAK;oBACrB,UAAU,EAAE,WAAW;iBACxB;aACF;YACD,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,UAAU,EAAE,WAAW;gBACvB,QAAQ,EAAE,YAAY;aACvB;YACD,MAAM,EAAE;gBACN,QAAQ,EAAE,YAAY;aACvB;SACF,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC;YAC5B,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE;SAC3B,CAAC;KACH,CAAC,CAAC;IAEH,2CAA2C;IAC3C,MAAM,SAAS,CAAC,oBAAoB,EAAE;QACpC,EAAE,EAAE,IAAI,CAAC,KAAK;QACd,IAAI,EAAE,EAAE;KACT,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC"}