@blackcode_sa/metaestetics-api 1.12.15 → 1.12.17

package/dist/index.d.mts

@@ -6185,11 +6185,10 @@ declare class AuthService extends BaseService {
     }>;
     /**
      * Signs in a user with a Google ID token from a mobile client.
-     * If the user does not exist in our database, the login is rejected.
+     * If the user does not exist, a new user is created.
      * @param idToken - The Google ID token obtained from the mobile app.
-     * @param initialRole - The role to assign to the user (currently unused).
-     * @returns The signed-in user if they exist in our database.
-     * @throws AuthError if no user profile is found.
+     * @param initialRole - The role to assign to the user if they are being created.
+     * @returns The signed-in or newly created user.
      */
     signInWithGoogleIdToken(idToken: string, initialRole?: UserRole): Promise<User>;
     /**

package/dist/index.d.ts

@@ -6185,11 +6185,10 @@ declare class AuthService extends BaseService {
     }>;
     /**
      * Signs in a user with a Google ID token from a mobile client.
-     * If the user does not exist in our database, the login is rejected.
+     * If the user does not exist, a new user is created.
      * @param idToken - The Google ID token obtained from the mobile app.
-     * @param initialRole - The role to assign to the user (currently unused).
-     * @returns The signed-in user if they exist in our database.
-     * @throws AuthError if no user profile is found.
+     * @param initialRole - The role to assign to the user if they are being created.
+     * @returns The signed-in or newly created user.
      */
     signInWithGoogleIdToken(idToken: string, initialRole?: UserRole): Promise<User>;
     /**

package/dist/index.js

@@ -10344,37 +10344,43 @@ var AuthService = class extends BaseService {
   }
   /**
    * Signs in a user with a Google ID token from a mobile client.
-   * If the user does not exist in our database, the login is rejected.
+   * If the user does not exist, a new user is created.
    * @param idToken - The Google ID token obtained from the mobile app.
-   * @param initialRole - The role to assign to the user (currently unused).
-   * @returns The signed-in user if they exist in our database.
-   * @throws AuthError if no user profile is found.
+   * @param initialRole - The role to assign to the user if they are being created.
+   * @returns The signed-in or newly created user.
    */
   async signInWithGoogleIdToken(idToken, initialRole = "patient" /* PATIENT */) {
     try {
       console.log("[AUTH] Signing in with Google ID Token");
-      const credential = import_auth7.GoogleAuthProvider.credential(idToken);
-      const decodedToken = JSON.parse(atob(idToken.split(".")[1]));
-      const userEmail = decodedToken.email;
-      const userUid = decodedToken.sub;
-      console.log("[AUTH] Checking if Firebase Auth user exists with email:", userEmail);
-      let existingAuthUser;
+      let email;
       try {
-        const admin = await import("firebase-admin");
-        existingAuthUser = await admin.auth().getUserByEmail(userEmail);
-        console.log("[AUTH] Firebase Auth user found:", existingAuthUser.uid);
-      } catch (authError) {
-        if (authError.code === "auth/user-not-found") {
-          console.log("[AUTH] No Firebase Auth user found for email:", userEmail);
-          throw new AuthError(
-            'No account found. Please complete registration by starting with "Get Started".',
-            "AUTH/USER_NOT_FOUND",
-            404
-          );
-        }
-        throw authError;
+        const payloadBase64 = idToken.split(".")[1];
+        const payloadJson = globalThis.atob ? globalThis.atob(payloadBase64) : Buffer.from(payloadBase64, "base64").toString("utf8");
+        const payload = JSON.parse(payloadJson);
+        email = payload.email;
+      } catch (decodeError) {
+        console.warn("[AUTH] Failed to decode email from Google ID token:", decodeError);
+      }
+      if (!email) {
+        throw new AuthError(
+          "Unable to read email from Google token. Please try again or use another sign-in method.",
+          "AUTH/INVALID_GOOGLE_TOKEN",
+          400
+        );
+      }
+      const methods = await (0, import_auth7.fetchSignInMethodsForEmail)(this.auth, email);
+      console.log("[AUTH] Fetch sign in methods for email:", email, methods);
+      const hasGoogleMethod = methods.includes(import_auth7.GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
+      console.log("[AUTH] Has Google method:", hasGoogleMethod);
+      if (!hasGoogleMethod) {
+        console.log("[AUTH] No existing Google credential for email, aborting login:", email);
+        throw new AuthError(
+          "No account found for this Google user. Please complete registration first.",
+          "AUTH/USER_NOT_FOUND",
+          404
+        );
       }
-      console.log("[AUTH] Firebase Auth user exists, proceeding with sign-in");
+      const credential = import_auth7.GoogleAuthProvider.credential(idToken);
       const { user: firebaseUser } = await (0, import_auth7.signInWithCredential)(this.auth, credential);
       console.log("[AUTH] Firebase user signed in:", firebaseUser.uid);
       const existingUser = await this.userService.getUserById(firebaseUser.uid);
@@ -10382,11 +10388,12 @@ var AuthService = class extends BaseService {
         console.log("[AUTH] Existing user found, returning profile:", existingUser.uid);
         return existingUser;
       }
+      console.log("[AUTH] No existing MetaEstetics user for Google account \u2013 signing out.");
       await (0, import_auth7.signOut)(this.auth);
       throw new AuthError(
-        "Account found but registration incomplete. Please complete registration.",
-        "AUTH/INCOMPLETE_REGISTRATION",
-        400
+        'No account found. Please complete registration by starting with "Get Started".',
+        "AUTH/USER_NOT_FOUND",
+        404
       );
     } catch (error) {
       console.error("[AUTH] Error in signInWithGoogleIdToken:", error);

package/dist/index.mjs

@@ -1798,6 +1798,7 @@ import {
   sendPasswordResetEmail,
   verifyPasswordResetCode,
   confirmPasswordReset,
+  fetchSignInMethodsForEmail as fetchSignInMethodsForEmail2,
   signInWithCredential
 } from "firebase/auth";
 import {
@@ -10448,37 +10449,43 @@ var AuthService = class extends BaseService {
   }
   /**
    * Signs in a user with a Google ID token from a mobile client.
-   * If the user does not exist in our database, the login is rejected.
+   * If the user does not exist, a new user is created.
    * @param idToken - The Google ID token obtained from the mobile app.
-   * @param initialRole - The role to assign to the user (currently unused).
-   * @returns The signed-in user if they exist in our database.
-   * @throws AuthError if no user profile is found.
+   * @param initialRole - The role to assign to the user if they are being created.
+   * @returns The signed-in or newly created user.
    */
   async signInWithGoogleIdToken(idToken, initialRole = "patient" /* PATIENT */) {
     try {
       console.log("[AUTH] Signing in with Google ID Token");
-      const credential = GoogleAuthProvider.credential(idToken);
-      const decodedToken = JSON.parse(atob(idToken.split(".")[1]));
-      const userEmail = decodedToken.email;
-      const userUid = decodedToken.sub;
-      console.log("[AUTH] Checking if Firebase Auth user exists with email:", userEmail);
-      let existingAuthUser;
+      let email;
       try {
-        const admin = await import("firebase-admin");
-        existingAuthUser = await admin.auth().getUserByEmail(userEmail);
-        console.log("[AUTH] Firebase Auth user found:", existingAuthUser.uid);
-      } catch (authError) {
-        if (authError.code === "auth/user-not-found") {
-          console.log("[AUTH] No Firebase Auth user found for email:", userEmail);
-          throw new AuthError(
-            'No account found. Please complete registration by starting with "Get Started".',
-            "AUTH/USER_NOT_FOUND",
-            404
-          );
-        }
-        throw authError;
+        const payloadBase64 = idToken.split(".")[1];
+        const payloadJson = globalThis.atob ? globalThis.atob(payloadBase64) : Buffer.from(payloadBase64, "base64").toString("utf8");
+        const payload = JSON.parse(payloadJson);
+        email = payload.email;
+      } catch (decodeError) {
+        console.warn("[AUTH] Failed to decode email from Google ID token:", decodeError);
+      }
+      if (!email) {
+        throw new AuthError(
+          "Unable to read email from Google token. Please try again or use another sign-in method.",
+          "AUTH/INVALID_GOOGLE_TOKEN",
+          400
+        );
+      }
+      const methods = await fetchSignInMethodsForEmail2(this.auth, email);
+      console.log("[AUTH] Fetch sign in methods for email:", email, methods);
+      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
+      console.log("[AUTH] Has Google method:", hasGoogleMethod);
+      if (!hasGoogleMethod) {
+        console.log("[AUTH] No existing Google credential for email, aborting login:", email);
+        throw new AuthError(
+          "No account found for this Google user. Please complete registration first.",
+          "AUTH/USER_NOT_FOUND",
+          404
+        );
       }
-      console.log("[AUTH] Firebase Auth user exists, proceeding with sign-in");
+      const credential = GoogleAuthProvider.credential(idToken);
       const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
       console.log("[AUTH] Firebase user signed in:", firebaseUser.uid);
       const existingUser = await this.userService.getUserById(firebaseUser.uid);
@@ -10486,11 +10493,12 @@ var AuthService = class extends BaseService {
         console.log("[AUTH] Existing user found, returning profile:", existingUser.uid);
         return existingUser;
       }
+      console.log("[AUTH] No existing MetaEstetics user for Google account \u2013 signing out.");
       await firebaseSignOut(this.auth);
       throw new AuthError(
-        "Account found but registration incomplete. Please complete registration.",
-        "AUTH/INCOMPLETE_REGISTRATION",
-        400
+        'No account found. Please complete registration by starting with "Get Started".',
+        "AUTH/USER_NOT_FOUND",
+        404
       );
     } catch (error) {
       console.error("[AUTH] Error in signInWithGoogleIdToken:", error);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blackcode_sa/metaestetics-api",
   "private": false,
-  "version": "1.12.15",
+  "version": "1.12.17",
   "description": "Firebase authentication service with anonymous upgrade support",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/services/auth/auth.service.ts

@@ -872,11 +872,10 @@ export class AuthService extends BaseService {
 
   /**
    * Signs in a user with a Google ID token from a mobile client.
-   * If the user does not exist in our database, the login is rejected.
+   * If the user does not exist, a new user is created.
    * @param idToken - The Google ID token obtained from the mobile app.
-   * @param initialRole - The role to assign to the user (currently unused).
-   * @returns The signed-in user if they exist in our database.
-   * @throws AuthError if no user profile is found.
+   * @param initialRole - The role to assign to the user if they are being created.
+   * @returns The signed-in or newly created user.
    */
   async signInWithGoogleIdToken(
     idToken: string,
@@ -885,55 +884,61 @@ export class AuthService extends BaseService {
     try {
       console.log('[AUTH] Signing in with Google ID Token');
 
-      // First, decode the ID token to get the user's email without signing them in
-      const credential = GoogleAuthProvider.credential(idToken);
-
-      // Parse the ID token to get user info without creating a Firebase Auth session
-      const decodedToken = JSON.parse(atob(idToken.split('.')[1]));
-      const userEmail = decodedToken.email;
-      const userUid = decodedToken.sub; // This will be the Firebase UID
-
-      console.log('[AUTH] Checking if Firebase Auth user exists with email:', userEmail);
-
-      // Check if a Firebase Auth user with this email already exists
-      let existingAuthUser;
+      // 1) Extract the email claim from the raw JWT so we can check Auth records *before* sign-in
+      let email: string | undefined;
       try {
-        const admin = await import('firebase-admin');
-        existingAuthUser = await admin.auth().getUserByEmail(userEmail);
-        console.log('[AUTH] Firebase Auth user found:', existingAuthUser.uid);
-      } catch (authError: any) {
-        if (authError.code === 'auth/user-not-found') {
-          // No Firebase Auth user exists - reject the login
-          console.log('[AUTH] No Firebase Auth user found for email:', userEmail);
-          throw new AuthError(
-            'No account found. Please complete registration by starting with "Get Started".',
-            'AUTH/USER_NOT_FOUND',
-            404,
-          );
-        }
-        // Re-throw other auth errors
-        throw authError;
+        const payloadBase64 = idToken.split('.')[1];
+        const payloadJson = globalThis.atob
+          ? globalThis.atob(payloadBase64)
+          : Buffer.from(payloadBase64, 'base64').toString('utf8');
+        const payload = JSON.parse(payloadJson);
+        email = payload.email as string | undefined;
+      } catch (decodeError) {
+        console.warn('[AUTH] Failed to decode email from Google ID token:', decodeError);
+      }
+
+      if (!email) {
+        throw new AuthError(
+          'Unable to read email from Google token. Please try again or use another sign-in method.',
+          'AUTH/INVALID_GOOGLE_TOKEN',
+          400,
+        );
       }
 
-      console.log('[AUTH] Firebase Auth user exists, proceeding with sign-in');
+      // 2) Check if this email already has a Google credential in Firebase Auth.
+      //    If not, abort early so we *never* create an unwanted Auth user.
+      const methods = await fetchSignInMethodsForEmail(this.auth, email);
+      console.log('[AUTH] Fetch sign in methods for email:', email, methods);
+      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
+      console.log('[AUTH] Has Google method:', hasGoogleMethod);
+      if (!hasGoogleMethod) {
+        console.log('[AUTH] No existing Google credential for email, aborting login:', email);
+        throw new AuthError(
+          'No account found for this Google user. Please complete registration first.',
+          'AUTH/USER_NOT_FOUND',
+          404,
+        );
+      }
 
-      // Now proceed with the actual Firebase sign-in since we know the auth user exists
+      // 3) Safe to sign-in – we know the credential belongs to an existing Auth account.
+      const credential = GoogleAuthProvider.credential(idToken);
       const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
       console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
 
-      // Get the user profile from our database
+      // 4) Load our domain user document.
       const existingUser = await this.userService.getUserById(firebaseUser.uid);
       if (existingUser) {
         console.log('[AUTH] Existing user found, returning profile:', existingUser.uid);
         return existingUser;
       }
 
-      // Auth user exists but no profile - this means incomplete registration
+      // 5) If no profile exists we sign out immediately and error – but crucially no phantom user was created.
+      console.log('[AUTH] No existing MetaEstetics user for Google account – signing out.');
       await firebaseSignOut(this.auth);
       throw new AuthError(
-        'Account found but registration incomplete. Please complete registration.',
-        'AUTH/INCOMPLETE_REGISTRATION',
-        400,
+        'No account found. Please complete registration by starting with "Get Started".',
+        'AUTH/USER_NOT_FOUND',
+        404,
       );
     } catch (error) {
       console.error('[AUTH] Error in signInWithGoogleIdToken:', error);