@digitaldefiance/node-express-suite 1.0.21 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (633) hide show
  1. package/README.md +9 -0
  2. package/package.json +27 -32
  3. package/src/application-base.ts +492 -0
  4. package/src/application.ts +254 -0
  5. package/src/backup-code.ts +336 -0
  6. package/src/constants.ts +69 -0
  7. package/src/controllers/base.ts +440 -0
  8. package/{dist/controllers/index.d.ts → src/controllers/index.ts} +0 -1
  9. package/src/controllers/user.ts +1451 -0
  10. package/src/decorators/base-controller.ts +61 -0
  11. package/src/decorators/controller.ts +109 -0
  12. package/{dist/decorators/index.d.ts → src/decorators/index.ts} +0 -1
  13. package/src/decorators/zod-validation.ts +57 -0
  14. package/src/defaults.ts +94 -0
  15. package/src/documents/base.ts +7 -0
  16. package/src/documents/email-token.ts +14 -0
  17. package/{dist/documents/index.d.ts → src/documents/index.ts} +0 -1
  18. package/{dist/documents/mnemonic.d.ts → src/documents/mnemonic.ts} +5 -2
  19. package/{dist/documents/role.d.ts → src/documents/role.ts} +5 -2
  20. package/src/documents/used-direct-login-token.ts +7 -0
  21. package/{dist/documents/user-role.d.ts → src/documents/user-role.ts} +5 -2
  22. package/{dist/documents/user.d.ts → src/documents/user.ts} +4 -2
  23. package/src/enumerations/base-model-name.ts +41 -0
  24. package/{dist/enumerations/index.d.ts → src/enumerations/index.ts} +0 -1
  25. package/src/enumerations/length-encoding-type.ts +6 -0
  26. package/src/enumerations/schema-collection.ts +33 -0
  27. package/src/enumerations/symmetric-error-type.ts +4 -0
  28. package/src/environment.ts +770 -0
  29. package/src/errors/express-validation.ts +21 -0
  30. package/{dist/errors/index.d.ts → src/errors/index.ts} +0 -1
  31. package/src/errors/invalid-backup-code-version.ts +14 -0
  32. package/src/errors/invalid-jwt-token.ts +10 -0
  33. package/src/errors/invalid-model.ts +11 -0
  34. package/src/errors/invalid-new-password.ts +18 -0
  35. package/src/errors/invalid-password.ts +13 -0
  36. package/src/errors/missing-validated-data.ts +36 -0
  37. package/src/errors/mnemonic-or-password-required.ts +12 -0
  38. package/src/errors/model-not-registered.ts +11 -0
  39. package/src/errors/mongoose-validation.ts +34 -0
  40. package/src/errors/symmetric.ts +41 -0
  41. package/src/errors/token-expired.ts +10 -0
  42. package/src/get-language.ts +53 -0
  43. package/src/get-timezone.ts +45 -0
  44. package/{dist/index.d.ts → src/index.ts} +3 -2
  45. package/{dist/interfaces/api-error-response.d.ts → src/interfaces/api-error-response.ts} +2 -2
  46. package/src/interfaces/api-express-validation-error-response.ts +8 -0
  47. package/src/interfaces/api-message-response.ts +3 -0
  48. package/{dist/interfaces/api-mongo-validation-error-response.d.ts → src/interfaces/api-mongo-validation-error-response.ts} +2 -2
  49. package/{dist/interfaces/api-responses/backup-codes-response.d.ts → src/interfaces/api-responses/backup-codes-response.ts} +2 -2
  50. package/{dist/interfaces/api-responses/challenge-response.d.ts → src/interfaces/api-responses/challenge-response.ts} +3 -3
  51. package/{dist/interfaces/api-responses/code-count-response.d.ts → src/interfaces/api-responses/code-count-response.ts} +2 -2
  52. package/{dist/interfaces/api-responses/index.d.ts → src/interfaces/api-responses/index.ts} +0 -1
  53. package/{dist/interfaces/api-responses/login-response.d.ts → src/interfaces/api-responses/login-response.ts} +4 -4
  54. package/{dist/interfaces/api-responses/mnemonic-response.d.ts → src/interfaces/api-responses/mnemonic-response.ts} +2 -2
  55. package/{dist/interfaces/api-responses/registration-response.d.ts → src/interfaces/api-responses/registration-response.ts} +3 -3
  56. package/{dist/interfaces/api-responses/request-user-response.d.ts → src/interfaces/api-responses/request-user-response.ts} +2 -2
  57. package/{dist/interfaces/application.d.ts → src/interfaces/application.ts} +7 -7
  58. package/src/interfaces/backend-objects/email-token.ts +11 -0
  59. package/{dist/interfaces/backend-objects/index.d.ts → src/interfaces/backend-objects/index.ts} +0 -1
  60. package/{dist/interfaces/backend-objects/request-user.d.ts → src/interfaces/backend-objects/request-user.ts} +7 -2
  61. package/{dist/interfaces/backend-objects/role.d.ts → src/interfaces/backend-objects/role.ts} +1 -1
  62. package/src/interfaces/backend-objects/user.ts +9 -0
  63. package/src/interfaces/checksum-config.ts +4 -0
  64. package/src/interfaces/checksum-consts.ts +13 -0
  65. package/{dist/interfaces/constants.d.ts → src/interfaces/constants.ts} +5 -5
  66. package/src/interfaces/create-user-basics.ts +17 -0
  67. package/src/interfaces/csp-config.ts +35 -0
  68. package/src/interfaces/deep-partial.ts +3 -0
  69. package/{dist/interfaces/discriminator-collections.d.ts → src/interfaces/discriminator-collections.ts} +3 -3
  70. package/src/interfaces/email-service.ts +8 -0
  71. package/src/interfaces/environment-mongo.ts +76 -0
  72. package/src/interfaces/environment.ts +181 -0
  73. package/src/interfaces/failable-result.ts +6 -0
  74. package/src/interfaces/fec-consts.ts +4 -0
  75. package/src/interfaces/handleable-error-options.ts +6 -0
  76. package/{dist/interfaces/index.d.ts → src/interfaces/index.ts} +0 -1
  77. package/src/interfaces/jwt-consts.ts +23 -0
  78. package/src/interfaces/jwt-sign-response.ts +19 -0
  79. package/src/interfaces/mongo-errors.ts +5 -0
  80. package/src/interfaces/request-user.ts +50 -0
  81. package/src/interfaces/required-string-keys.ts +26 -0
  82. package/src/interfaces/schema.ts +31 -0
  83. package/src/interfaces/server-init-result.ts +37 -0
  84. package/src/interfaces/status-code-response.ts +7 -0
  85. package/src/interfaces/symmetric-encryption-results.d.ts +5 -0
  86. package/src/interfaces/symmetric-encryption-results.d.ts.map +1 -0
  87. package/src/interfaces/symmetric-encryption-results.js.map +1 -0
  88. package/src/interfaces/symmetric-encryption-results.ts +4 -0
  89. package/{dist/interfaces/token-response.d.ts → src/interfaces/token-response.ts} +2 -2
  90. package/src/middlewares/authenticate-crypto.ts +243 -0
  91. package/src/middlewares/authenticate-token.ts +152 -0
  92. package/src/middlewares/cleanup-crypto.ts +40 -0
  93. package/{dist/middlewares/index.d.ts → src/middlewares/index.ts} +0 -1
  94. package/src/middlewares/set-global-context-language.ts +24 -0
  95. package/src/middlewares.ts +120 -0
  96. package/src/model-registry.ts +75 -0
  97. package/src/models/email-token.ts +19 -0
  98. package/{dist/models/index.d.ts → src/models/index.ts} +0 -1
  99. package/src/models/mnemonic.ts +19 -0
  100. package/src/models/role.ts +19 -0
  101. package/src/models/used-direct-login-token.ts +23 -0
  102. package/src/models/user-role.ts +17 -0
  103. package/src/models/user.ts +19 -0
  104. package/src/registry/email-service-registry.ts +24 -0
  105. package/{dist/registry/index.d.ts → src/registry/index.ts} +0 -1
  106. package/src/routers/api.ts +151 -0
  107. package/src/routers/app.ts +258 -0
  108. package/src/routers/base.ts +17 -0
  109. package/{dist/routers/index.d.ts → src/routers/index.ts} +0 -1
  110. package/src/schemas/email-token.ts +91 -0
  111. package/{dist/schemas/index.d.ts → src/schemas/index.ts} +1 -2
  112. package/src/schemas/mnemonic.ts +37 -0
  113. package/src/schemas/role.ts +127 -0
  114. package/src/schemas/schema.ts +140 -0
  115. package/src/schemas/used-direct-login-token.ts +38 -0
  116. package/src/schemas/user-role.ts +75 -0
  117. package/src/schemas/user.ts +202 -0
  118. package/src/services/backup-code.ts +316 -0
  119. package/src/services/base.ts +33 -0
  120. package/src/services/checksum.ts +161 -0
  121. package/src/services/crc.ts +213 -0
  122. package/src/services/database-initialization.ts +1479 -0
  123. package/src/services/db-init-cache.d.ts +16 -0
  124. package/src/services/direct-login-token.ts +62 -0
  125. package/src/services/fec-usage-example.ts +102 -0
  126. package/src/services/fec.ts +296 -0
  127. package/{dist/services/index.d.ts → src/services/index.ts} +0 -1
  128. package/src/services/jwt.ts +134 -0
  129. package/src/services/key-wrapping.ts +434 -0
  130. package/src/services/mnemonic.ts +167 -0
  131. package/src/services/request-user.ts +62 -0
  132. package/src/services/role.ts +396 -0
  133. package/src/services/symmetric.ts +139 -0
  134. package/src/services/system-user.ts +82 -0
  135. package/src/services/user.ts +2137 -0
  136. package/src/services/xor.ts +34 -0
  137. package/src/types.d.ts +44 -0
  138. package/src/types.ts +128 -0
  139. package/src/utils.ts +1022 -0
  140. package/dist/application-base.d.ts +0 -112
  141. package/dist/application-base.d.ts.map +0 -1
  142. package/dist/application-base.js +0 -301
  143. package/dist/application-base.js.map +0 -1
  144. package/dist/application.d.ts +0 -23
  145. package/dist/application.d.ts.map +0 -1
  146. package/dist/application.js +0 -126
  147. package/dist/application.js.map +0 -1
  148. package/dist/backup-code.d.ts +0 -67
  149. package/dist/backup-code.d.ts.map +0 -1
  150. package/dist/backup-code.js +0 -270
  151. package/dist/backup-code.js.map +0 -1
  152. package/dist/constants.d.ts +0 -16
  153. package/dist/constants.d.ts.map +0 -1
  154. package/dist/constants.js +0 -54
  155. package/dist/constants.js.map +0 -1
  156. package/dist/controllers/base.d.ts +0 -63
  157. package/dist/controllers/base.d.ts.map +0 -1
  158. package/dist/controllers/base.js +0 -269
  159. package/dist/controllers/base.js.map +0 -1
  160. package/dist/controllers/index.d.ts.map +0 -1
  161. package/dist/controllers/index.js +0 -19
  162. package/dist/controllers/index.js.map +0 -1
  163. package/dist/controllers/user.d.ts +0 -45
  164. package/dist/controllers/user.d.ts.map +0 -1
  165. package/dist/controllers/user.js +0 -750
  166. package/dist/controllers/user.js.map +0 -1
  167. package/dist/decorators/base-controller.d.ts +0 -14
  168. package/dist/decorators/base-controller.d.ts.map +0 -1
  169. package/dist/decorators/base-controller.js +0 -49
  170. package/dist/decorators/base-controller.js.map +0 -1
  171. package/dist/decorators/controller.d.ts +0 -32
  172. package/dist/decorators/controller.d.ts.map +0 -1
  173. package/dist/decorators/controller.js +0 -67
  174. package/dist/decorators/controller.js.map +0 -1
  175. package/dist/decorators/index.d.ts.map +0 -1
  176. package/dist/decorators/index.js +0 -20
  177. package/dist/decorators/index.js.map +0 -1
  178. package/dist/decorators/zod-validation.d.ts +0 -5
  179. package/dist/decorators/zod-validation.d.ts.map +0 -1
  180. package/dist/decorators/zod-validation.js +0 -47
  181. package/dist/decorators/zod-validation.js.map +0 -1
  182. package/dist/defaults.d.ts +0 -7
  183. package/dist/defaults.d.ts.map +0 -1
  184. package/dist/defaults.js +0 -83
  185. package/dist/defaults.js.map +0 -1
  186. package/dist/documents/base.d.ts +0 -3
  187. package/dist/documents/base.d.ts.map +0 -1
  188. package/dist/documents/base.js +0 -3
  189. package/dist/documents/base.js.map +0 -1
  190. package/dist/documents/email-token.d.ts +0 -8
  191. package/dist/documents/email-token.d.ts.map +0 -1
  192. package/dist/documents/email-token.js +0 -3
  193. package/dist/documents/email-token.js.map +0 -1
  194. package/dist/documents/index.d.ts.map +0 -1
  195. package/dist/documents/index.js +0 -3
  196. package/dist/documents/index.js.map +0 -1
  197. package/dist/documents/mnemonic.d.ts.map +0 -1
  198. package/dist/documents/mnemonic.js +0 -3
  199. package/dist/documents/mnemonic.js.map +0 -1
  200. package/dist/documents/role.d.ts.map +0 -1
  201. package/dist/documents/role.js +0 -3
  202. package/dist/documents/role.js.map +0 -1
  203. package/dist/documents/used-direct-login-token.d.ts +0 -5
  204. package/dist/documents/used-direct-login-token.d.ts.map +0 -1
  205. package/dist/documents/used-direct-login-token.js +0 -3
  206. package/dist/documents/used-direct-login-token.js.map +0 -1
  207. package/dist/documents/user-role.d.ts.map +0 -1
  208. package/dist/documents/user-role.js +0 -3
  209. package/dist/documents/user-role.js.map +0 -1
  210. package/dist/documents/user.d.ts.map +0 -1
  211. package/dist/documents/user.js +0 -3
  212. package/dist/documents/user.js.map +0 -1
  213. package/dist/enumerations/base-model-name.d.ts +0 -38
  214. package/dist/enumerations/base-model-name.d.ts.map +0 -1
  215. package/dist/enumerations/base-model-name.js +0 -34
  216. package/dist/enumerations/base-model-name.js.map +0 -1
  217. package/dist/enumerations/index.d.ts.map +0 -1
  218. package/dist/enumerations/index.js +0 -21
  219. package/dist/enumerations/index.js.map +0 -1
  220. package/dist/enumerations/length-encoding-type.d.ts +0 -7
  221. package/dist/enumerations/length-encoding-type.d.ts.map +0 -1
  222. package/dist/enumerations/length-encoding-type.js +0 -11
  223. package/dist/enumerations/length-encoding-type.js.map +0 -1
  224. package/dist/enumerations/schema-collection.d.ts +0 -34
  225. package/dist/enumerations/schema-collection.d.ts.map +0 -1
  226. package/dist/enumerations/schema-collection.js +0 -38
  227. package/dist/enumerations/schema-collection.js.map +0 -1
  228. package/dist/enumerations/symmetric-error-type.d.ts +0 -5
  229. package/dist/enumerations/symmetric-error-type.d.ts.map +0 -1
  230. package/dist/enumerations/symmetric-error-type.js +0 -9
  231. package/dist/enumerations/symmetric-error-type.js.map +0 -1
  232. package/dist/environment.d.ts +0 -189
  233. package/dist/environment.d.ts.map +0 -1
  234. package/dist/environment.js +0 -618
  235. package/dist/environment.js.map +0 -1
  236. package/dist/errors/express-validation.d.ts +0 -9
  237. package/dist/errors/express-validation.d.ts.map +0 -1
  238. package/dist/errors/express-validation.js +0 -17
  239. package/dist/errors/express-validation.js.map +0 -1
  240. package/dist/errors/index.d.ts.map +0 -1
  241. package/dist/errors/index.js +0 -29
  242. package/dist/errors/index.js.map +0 -1
  243. package/dist/errors/invalid-backup-code-version.d.ts +0 -6
  244. package/dist/errors/invalid-backup-code-version.d.ts.map +0 -1
  245. package/dist/errors/invalid-backup-code-version.js +0 -14
  246. package/dist/errors/invalid-backup-code-version.js.map +0 -1
  247. package/dist/errors/invalid-jwt-token.d.ts +0 -5
  248. package/dist/errors/invalid-jwt-token.d.ts.map +0 -1
  249. package/dist/errors/invalid-jwt-token.js +0 -11
  250. package/dist/errors/invalid-jwt-token.js.map +0 -1
  251. package/dist/errors/invalid-model.d.ts +0 -6
  252. package/dist/errors/invalid-model.d.ts.map +0 -1
  253. package/dist/errors/invalid-model.js +0 -13
  254. package/dist/errors/invalid-model.js.map +0 -1
  255. package/dist/errors/invalid-new-password.d.ts +0 -5
  256. package/dist/errors/invalid-new-password.d.ts.map +0 -1
  257. package/dist/errors/invalid-new-password.js +0 -14
  258. package/dist/errors/invalid-new-password.js.map +0 -1
  259. package/dist/errors/invalid-password.d.ts +0 -5
  260. package/dist/errors/invalid-password.d.ts.map +0 -1
  261. package/dist/errors/invalid-password.js +0 -14
  262. package/dist/errors/invalid-password.js.map +0 -1
  263. package/dist/errors/missing-validated-data.d.ts +0 -7
  264. package/dist/errors/missing-validated-data.d.ts.map +0 -1
  265. package/dist/errors/missing-validated-data.js +0 -34
  266. package/dist/errors/missing-validated-data.js.map +0 -1
  267. package/dist/errors/mnemonic-or-password-required.d.ts +0 -5
  268. package/dist/errors/mnemonic-or-password-required.d.ts.map +0 -1
  269. package/dist/errors/mnemonic-or-password-required.js +0 -13
  270. package/dist/errors/mnemonic-or-password-required.js.map +0 -1
  271. package/dist/errors/model-not-registered.d.ts +0 -5
  272. package/dist/errors/model-not-registered.d.ts.map +0 -1
  273. package/dist/errors/model-not-registered.js +0 -12
  274. package/dist/errors/model-not-registered.js.map +0 -1
  275. package/dist/errors/mongoose-validation.d.ts +0 -11
  276. package/dist/errors/mongoose-validation.d.ts.map +0 -1
  277. package/dist/errors/mongoose-validation.js +0 -16
  278. package/dist/errors/mongoose-validation.js.map +0 -1
  279. package/dist/errors/symmetric.d.ts +0 -8
  280. package/dist/errors/symmetric.d.ts.map +0 -1
  281. package/dist/errors/symmetric.js +0 -23
  282. package/dist/errors/symmetric.js.map +0 -1
  283. package/dist/errors/token-expired.d.ts +0 -5
  284. package/dist/errors/token-expired.d.ts.map +0 -1
  285. package/dist/errors/token-expired.js +0 -11
  286. package/dist/errors/token-expired.js.map +0 -1
  287. package/dist/get-language.d.ts +0 -2
  288. package/dist/get-language.d.ts.map +0 -1
  289. package/dist/get-language.js +0 -30
  290. package/dist/get-language.js.map +0 -1
  291. package/dist/get-timezone.d.ts +0 -3
  292. package/dist/get-timezone.d.ts.map +0 -1
  293. package/dist/get-timezone.js +0 -31
  294. package/dist/get-timezone.js.map +0 -1
  295. package/dist/index.d.ts.map +0 -1
  296. package/dist/index.js +0 -40
  297. package/dist/index.js.map +0 -1
  298. package/dist/interfaces/api-error-response.d.ts.map +0 -1
  299. package/dist/interfaces/api-error-response.js +0 -3
  300. package/dist/interfaces/api-error-response.js.map +0 -1
  301. package/dist/interfaces/api-express-validation-error-response.d.ts +0 -7
  302. package/dist/interfaces/api-express-validation-error-response.d.ts.map +0 -1
  303. package/dist/interfaces/api-express-validation-error-response.js +0 -3
  304. package/dist/interfaces/api-express-validation-error-response.js.map +0 -1
  305. package/dist/interfaces/api-message-response.d.ts +0 -4
  306. package/dist/interfaces/api-message-response.d.ts.map +0 -1
  307. package/dist/interfaces/api-message-response.js +0 -3
  308. package/dist/interfaces/api-message-response.js.map +0 -1
  309. package/dist/interfaces/api-mongo-validation-error-response.d.ts.map +0 -1
  310. package/dist/interfaces/api-mongo-validation-error-response.js +0 -3
  311. package/dist/interfaces/api-mongo-validation-error-response.js.map +0 -1
  312. package/dist/interfaces/api-responses/backup-codes-response.d.ts.map +0 -1
  313. package/dist/interfaces/api-responses/backup-codes-response.js +0 -3
  314. package/dist/interfaces/api-responses/backup-codes-response.js.map +0 -1
  315. package/dist/interfaces/api-responses/challenge-response.d.ts.map +0 -1
  316. package/dist/interfaces/api-responses/challenge-response.js +0 -3
  317. package/dist/interfaces/api-responses/challenge-response.js.map +0 -1
  318. package/dist/interfaces/api-responses/code-count-response.d.ts.map +0 -1
  319. package/dist/interfaces/api-responses/code-count-response.js +0 -3
  320. package/dist/interfaces/api-responses/code-count-response.js.map +0 -1
  321. package/dist/interfaces/api-responses/index.d.ts.map +0 -1
  322. package/dist/interfaces/api-responses/index.js +0 -24
  323. package/dist/interfaces/api-responses/index.js.map +0 -1
  324. package/dist/interfaces/api-responses/login-response.d.ts.map +0 -1
  325. package/dist/interfaces/api-responses/login-response.js +0 -3
  326. package/dist/interfaces/api-responses/login-response.js.map +0 -1
  327. package/dist/interfaces/api-responses/mnemonic-response.d.ts.map +0 -1
  328. package/dist/interfaces/api-responses/mnemonic-response.js +0 -3
  329. package/dist/interfaces/api-responses/mnemonic-response.js.map +0 -1
  330. package/dist/interfaces/api-responses/registration-response.d.ts.map +0 -1
  331. package/dist/interfaces/api-responses/registration-response.js +0 -3
  332. package/dist/interfaces/api-responses/registration-response.js.map +0 -1
  333. package/dist/interfaces/api-responses/request-user-response.d.ts.map +0 -1
  334. package/dist/interfaces/api-responses/request-user-response.js +0 -3
  335. package/dist/interfaces/api-responses/request-user-response.js.map +0 -1
  336. package/dist/interfaces/application.d.ts.map +0 -1
  337. package/dist/interfaces/application.js +0 -3
  338. package/dist/interfaces/application.js.map +0 -1
  339. package/dist/interfaces/backend-objects/email-token.d.ts +0 -4
  340. package/dist/interfaces/backend-objects/email-token.d.ts.map +0 -1
  341. package/dist/interfaces/backend-objects/email-token.js +0 -3
  342. package/dist/interfaces/backend-objects/email-token.js.map +0 -1
  343. package/dist/interfaces/backend-objects/index.d.ts.map +0 -1
  344. package/dist/interfaces/backend-objects/index.js +0 -21
  345. package/dist/interfaces/backend-objects/index.js.map +0 -1
  346. package/dist/interfaces/backend-objects/request-user.d.ts.map +0 -1
  347. package/dist/interfaces/backend-objects/request-user.js +0 -3
  348. package/dist/interfaces/backend-objects/request-user.js.map +0 -1
  349. package/dist/interfaces/backend-objects/role.d.ts.map +0 -1
  350. package/dist/interfaces/backend-objects/role.js +0 -3
  351. package/dist/interfaces/backend-objects/role.js.map +0 -1
  352. package/dist/interfaces/backend-objects/user.d.ts +0 -4
  353. package/dist/interfaces/backend-objects/user.d.ts.map +0 -1
  354. package/dist/interfaces/backend-objects/user.js +0 -3
  355. package/dist/interfaces/backend-objects/user.js.map +0 -1
  356. package/dist/interfaces/checksum-config.d.ts +0 -5
  357. package/dist/interfaces/checksum-config.d.ts.map +0 -1
  358. package/dist/interfaces/checksum-config.js +0 -3
  359. package/dist/interfaces/checksum-config.js.map +0 -1
  360. package/dist/interfaces/checksum-consts.d.ts +0 -11
  361. package/dist/interfaces/checksum-consts.d.ts.map +0 -1
  362. package/dist/interfaces/checksum-consts.js +0 -3
  363. package/dist/interfaces/checksum-consts.js.map +0 -1
  364. package/dist/interfaces/constants.d.ts.map +0 -1
  365. package/dist/interfaces/constants.js +0 -3
  366. package/dist/interfaces/constants.js.map +0 -1
  367. package/dist/interfaces/create-user-basics.d.ts +0 -18
  368. package/dist/interfaces/create-user-basics.d.ts.map +0 -1
  369. package/dist/interfaces/create-user-basics.js +0 -3
  370. package/dist/interfaces/create-user-basics.js.map +0 -1
  371. package/dist/interfaces/csp-config.d.ts +0 -14
  372. package/dist/interfaces/csp-config.d.ts.map +0 -1
  373. package/dist/interfaces/csp-config.js +0 -3
  374. package/dist/interfaces/csp-config.js.map +0 -1
  375. package/dist/interfaces/deep-partial.d.ts +0 -4
  376. package/dist/interfaces/deep-partial.d.ts.map +0 -1
  377. package/dist/interfaces/deep-partial.js +0 -3
  378. package/dist/interfaces/deep-partial.js.map +0 -1
  379. package/dist/interfaces/discriminator-collections.d.ts.map +0 -1
  380. package/dist/interfaces/discriminator-collections.js +0 -3
  381. package/dist/interfaces/discriminator-collections.js.map +0 -1
  382. package/dist/interfaces/email-service.d.ts +0 -4
  383. package/dist/interfaces/email-service.d.ts.map +0 -1
  384. package/dist/interfaces/email-service.js +0 -3
  385. package/dist/interfaces/email-service.js.map +0 -1
  386. package/dist/interfaces/environment-mongo.d.ts +0 -76
  387. package/dist/interfaces/environment-mongo.d.ts.map +0 -1
  388. package/dist/interfaces/environment-mongo.js +0 -3
  389. package/dist/interfaces/environment-mongo.js.map +0 -1
  390. package/dist/interfaces/environment.d.ts +0 -181
  391. package/dist/interfaces/environment.d.ts.map +0 -1
  392. package/dist/interfaces/environment.js +0 -3
  393. package/dist/interfaces/environment.js.map +0 -1
  394. package/dist/interfaces/failable-result.d.ts +0 -7
  395. package/dist/interfaces/failable-result.d.ts.map +0 -1
  396. package/dist/interfaces/failable-result.js +0 -3
  397. package/dist/interfaces/failable-result.js.map +0 -1
  398. package/dist/interfaces/fec-consts.d.ts +0 -5
  399. package/dist/interfaces/fec-consts.d.ts.map +0 -1
  400. package/dist/interfaces/fec-consts.js +0 -3
  401. package/dist/interfaces/fec-consts.js.map +0 -1
  402. package/dist/interfaces/handleable-error-options.d.ts +0 -7
  403. package/dist/interfaces/handleable-error-options.d.ts.map +0 -1
  404. package/dist/interfaces/handleable-error-options.js +0 -3
  405. package/dist/interfaces/handleable-error-options.js.map +0 -1
  406. package/dist/interfaces/index.d.ts.map +0 -1
  407. package/dist/interfaces/index.js +0 -46
  408. package/dist/interfaces/index.js.map +0 -1
  409. package/dist/interfaces/jwt-consts.d.ts +0 -11
  410. package/dist/interfaces/jwt-consts.d.ts.map +0 -1
  411. package/dist/interfaces/jwt-consts.js +0 -3
  412. package/dist/interfaces/jwt-consts.js.map +0 -1
  413. package/dist/interfaces/jwt-sign-response.d.ts +0 -11
  414. package/dist/interfaces/jwt-sign-response.d.ts.map +0 -1
  415. package/dist/interfaces/jwt-sign-response.js +0 -3
  416. package/dist/interfaces/jwt-sign-response.js.map +0 -1
  417. package/dist/interfaces/mongo-errors.d.ts +0 -5
  418. package/dist/interfaces/mongo-errors.d.ts.map +0 -1
  419. package/dist/interfaces/mongo-errors.js +0 -3
  420. package/dist/interfaces/mongo-errors.js.map +0 -1
  421. package/dist/interfaces/request-user.d.ts +0 -42
  422. package/dist/interfaces/request-user.d.ts.map +0 -1
  423. package/dist/interfaces/request-user.js +0 -3
  424. package/dist/interfaces/request-user.js.map +0 -1
  425. package/dist/interfaces/required-string-keys.d.ts +0 -22
  426. package/dist/interfaces/required-string-keys.d.ts.map +0 -1
  427. package/dist/interfaces/required-string-keys.js +0 -3
  428. package/dist/interfaces/required-string-keys.js.map +0 -1
  429. package/dist/interfaces/schema.d.ts +0 -29
  430. package/dist/interfaces/schema.d.ts.map +0 -1
  431. package/dist/interfaces/schema.js +0 -3
  432. package/dist/interfaces/schema.js.map +0 -1
  433. package/dist/interfaces/server-init-result.d.ts +0 -35
  434. package/dist/interfaces/server-init-result.d.ts.map +0 -1
  435. package/dist/interfaces/server-init-result.js +0 -3
  436. package/dist/interfaces/server-init-result.js.map +0 -1
  437. package/dist/interfaces/status-code-response.d.ts +0 -7
  438. package/dist/interfaces/status-code-response.d.ts.map +0 -1
  439. package/dist/interfaces/status-code-response.js +0 -3
  440. package/dist/interfaces/status-code-response.js.map +0 -1
  441. package/dist/interfaces/symmetric-encryption-results.d.ts +0 -5
  442. package/dist/interfaces/symmetric-encryption-results.d.ts.map +0 -1
  443. package/dist/interfaces/symmetric-encryption-results.js.map +0 -1
  444. package/dist/interfaces/token-response.d.ts.map +0 -1
  445. package/dist/interfaces/token-response.js +0 -3
  446. package/dist/interfaces/token-response.js.map +0 -1
  447. package/dist/middlewares/authenticate-crypto.d.ts +0 -13
  448. package/dist/middlewares/authenticate-crypto.d.ts.map +0 -1
  449. package/dist/middlewares/authenticate-crypto.js +0 -146
  450. package/dist/middlewares/authenticate-crypto.js.map +0 -1
  451. package/dist/middlewares/authenticate-token.d.ts +0 -24
  452. package/dist/middlewares/authenticate-token.d.ts.map +0 -1
  453. package/dist/middlewares/authenticate-token.js +0 -102
  454. package/dist/middlewares/authenticate-token.js.map +0 -1
  455. package/dist/middlewares/cleanup-crypto.d.ts +0 -7
  456. package/dist/middlewares/cleanup-crypto.d.ts.map +0 -1
  457. package/dist/middlewares/cleanup-crypto.js +0 -32
  458. package/dist/middlewares/cleanup-crypto.js.map +0 -1
  459. package/dist/middlewares/index.d.ts.map +0 -1
  460. package/dist/middlewares/index.js +0 -21
  461. package/dist/middlewares/index.js.map +0 -1
  462. package/dist/middlewares/set-global-context-language.d.ts +0 -3
  463. package/dist/middlewares/set-global-context-language.d.ts.map +0 -1
  464. package/dist/middlewares/set-global-context-language.js +0 -14
  465. package/dist/middlewares/set-global-context-language.js.map +0 -1
  466. package/dist/middlewares.d.ts +0 -18
  467. package/dist/middlewares.d.ts.map +0 -1
  468. package/dist/middlewares.js +0 -76
  469. package/dist/middlewares.js.map +0 -1
  470. package/dist/model-registry.d.ts +0 -23
  471. package/dist/model-registry.d.ts.map +0 -1
  472. package/dist/model-registry.js +0 -47
  473. package/dist/model-registry.js.map +0 -1
  474. package/dist/models/email-token.d.ts +0 -11
  475. package/dist/models/email-token.d.ts.map +0 -1
  476. package/dist/models/email-token.js +0 -11
  477. package/dist/models/email-token.js.map +0 -1
  478. package/dist/models/index.d.ts.map +0 -1
  479. package/dist/models/index.js +0 -23
  480. package/dist/models/index.js.map +0 -1
  481. package/dist/models/mnemonic.d.ts +0 -11
  482. package/dist/models/mnemonic.d.ts.map +0 -1
  483. package/dist/models/mnemonic.js +0 -11
  484. package/dist/models/mnemonic.js.map +0 -1
  485. package/dist/models/role.d.ts +0 -11
  486. package/dist/models/role.d.ts.map +0 -1
  487. package/dist/models/role.js +0 -11
  488. package/dist/models/role.js.map +0 -1
  489. package/dist/models/used-direct-login-token.d.ts +0 -11
  490. package/dist/models/used-direct-login-token.d.ts.map +0 -1
  491. package/dist/models/used-direct-login-token.js +0 -11
  492. package/dist/models/used-direct-login-token.js.map +0 -1
  493. package/dist/models/user-role.d.ts +0 -6
  494. package/dist/models/user-role.d.ts.map +0 -1
  495. package/dist/models/user-role.js +0 -10
  496. package/dist/models/user-role.js.map +0 -1
  497. package/dist/models/user.d.ts +0 -7
  498. package/dist/models/user.d.ts.map +0 -1
  499. package/dist/models/user.js +0 -11
  500. package/dist/models/user.js.map +0 -1
  501. package/dist/registry/email-service-registry.d.ts +0 -9
  502. package/dist/registry/email-service-registry.d.ts.map +0 -1
  503. package/dist/registry/email-service-registry.js +0 -17
  504. package/dist/registry/email-service-registry.js.map +0 -1
  505. package/dist/registry/index.d.ts.map +0 -1
  506. package/dist/registry/index.js +0 -6
  507. package/dist/registry/index.js.map +0 -1
  508. package/dist/routers/api.d.ts +0 -27
  509. package/dist/routers/api.d.ts.map +0 -1
  510. package/dist/routers/api.js +0 -44
  511. package/dist/routers/api.js.map +0 -1
  512. package/dist/routers/app.d.ts +0 -28
  513. package/dist/routers/app.d.ts.map +0 -1
  514. package/dist/routers/app.js +0 -182
  515. package/dist/routers/app.js.map +0 -1
  516. package/dist/routers/base.d.ts +0 -12
  517. package/dist/routers/base.d.ts.map +0 -1
  518. package/dist/routers/base.js +0 -12
  519. package/dist/routers/base.js.map +0 -1
  520. package/dist/routers/index.d.ts.map +0 -1
  521. package/dist/routers/index.js +0 -20
  522. package/dist/routers/index.js.map +0 -1
  523. package/dist/schemas/email-token.d.ts +0 -38
  524. package/dist/schemas/email-token.d.ts.map +0 -1
  525. package/dist/schemas/email-token.js +0 -56
  526. package/dist/schemas/email-token.js.map +0 -1
  527. package/dist/schemas/index.d.ts.map +0 -1
  528. package/dist/schemas/index.js +0 -24
  529. package/dist/schemas/index.js.map +0 -1
  530. package/dist/schemas/mnemonic.d.ts +0 -20
  531. package/dist/schemas/mnemonic.d.ts.map +0 -1
  532. package/dist/schemas/mnemonic.js +0 -30
  533. package/dist/schemas/mnemonic.js.map +0 -1
  534. package/dist/schemas/role.d.ts +0 -32
  535. package/dist/schemas/role.d.ts.map +0 -1
  536. package/dist/schemas/role.js +0 -86
  537. package/dist/schemas/role.js.map +0 -1
  538. package/dist/schemas/schema.d.ts +0 -40
  539. package/dist/schemas/schema.d.ts.map +0 -1
  540. package/dist/schemas/schema.js +0 -64
  541. package/dist/schemas/schema.js.map +0 -1
  542. package/dist/schemas/used-direct-login-token.d.ts +0 -27
  543. package/dist/schemas/used-direct-login-token.d.ts.map +0 -1
  544. package/dist/schemas/used-direct-login-token.js +0 -23
  545. package/dist/schemas/used-direct-login-token.js.map +0 -1
  546. package/dist/schemas/user-role.d.ts +0 -29
  547. package/dist/schemas/user-role.d.ts.map +0 -1
  548. package/dist/schemas/user-role.js +0 -54
  549. package/dist/schemas/user-role.js.map +0 -1
  550. package/dist/schemas/user.d.ts +0 -21
  551. package/dist/schemas/user.d.ts.map +0 -1
  552. package/dist/schemas/user.js +0 -178
  553. package/dist/schemas/user.js.map +0 -1
  554. package/dist/services/backup-code.d.ts +0 -78
  555. package/dist/services/backup-code.d.ts.map +0 -1
  556. package/dist/services/backup-code.js +0 -180
  557. package/dist/services/backup-code.js.map +0 -1
  558. package/dist/services/base.d.ts +0 -13
  559. package/dist/services/base.d.ts.map +0 -1
  560. package/dist/services/base.js +0 -14
  561. package/dist/services/base.js.map +0 -1
  562. package/dist/services/checksum.d.ts +0 -67
  563. package/dist/services/checksum.d.ts.map +0 -1
  564. package/dist/services/checksum.js +0 -175
  565. package/dist/services/checksum.js.map +0 -1
  566. package/dist/services/crc.d.ts +0 -87
  567. package/dist/services/crc.d.ts.map +0 -1
  568. package/dist/services/crc.js +0 -198
  569. package/dist/services/crc.js.map +0 -1
  570. package/dist/services/database-initialization.d.ts +0 -105
  571. package/dist/services/database-initialization.d.ts.map +0 -1
  572. package/dist/services/database-initialization.js +0 -779
  573. package/dist/services/database-initialization.js.map +0 -1
  574. package/dist/services/direct-login-token.d.ts +0 -9
  575. package/dist/services/direct-login-token.d.ts.map +0 -1
  576. package/dist/services/direct-login-token.js +0 -41
  577. package/dist/services/direct-login-token.js.map +0 -1
  578. package/dist/services/fec-usage-example.d.ts +0 -38
  579. package/dist/services/fec-usage-example.d.ts.map +0 -1
  580. package/dist/services/fec-usage-example.js +0 -77
  581. package/dist/services/fec-usage-example.js.map +0 -1
  582. package/dist/services/fec.d.ts +0 -46
  583. package/dist/services/fec.d.ts.map +0 -1
  584. package/dist/services/fec.js +0 -192
  585. package/dist/services/fec.js.map +0 -1
  586. package/dist/services/index.d.ts.map +0 -1
  587. package/dist/services/index.js +0 -35
  588. package/dist/services/index.js.map +0 -1
  589. package/dist/services/jwt.d.ts +0 -33
  590. package/dist/services/jwt.d.ts.map +0 -1
  591. package/dist/services/jwt.js +0 -90
  592. package/dist/services/jwt.js.map +0 -1
  593. package/dist/services/key-wrapping.d.ts +0 -60
  594. package/dist/services/key-wrapping.d.ts.map +0 -1
  595. package/dist/services/key-wrapping.js +0 -311
  596. package/dist/services/key-wrapping.js.map +0 -1
  597. package/dist/services/mnemonic.d.ts +0 -61
  598. package/dist/services/mnemonic.d.ts.map +0 -1
  599. package/dist/services/mnemonic.js +0 -112
  600. package/dist/services/mnemonic.js.map +0 -1
  601. package/dist/services/request-user.d.ts +0 -20
  602. package/dist/services/request-user.d.ts.map +0 -1
  603. package/dist/services/request-user.js +0 -50
  604. package/dist/services/request-user.js.map +0 -1
  605. package/dist/services/role.d.ts +0 -88
  606. package/dist/services/role.d.ts.map +0 -1
  607. package/dist/services/role.js +0 -263
  608. package/dist/services/role.js.map +0 -1
  609. package/dist/services/symmetric.d.ts +0 -42
  610. package/dist/services/symmetric.d.ts.map +0 -1
  611. package/dist/services/symmetric.js +0 -101
  612. package/dist/services/symmetric.js.map +0 -1
  613. package/dist/services/system-user.d.ts +0 -17
  614. package/dist/services/system-user.d.ts.map +0 -1
  615. package/dist/services/system-user.js +0 -46
  616. package/dist/services/system-user.js.map +0 -1
  617. package/dist/services/user.d.ts +0 -320
  618. package/dist/services/user.d.ts.map +0 -1
  619. package/dist/services/user.js +0 -1374
  620. package/dist/services/user.js.map +0 -1
  621. package/dist/services/xor.d.ts +0 -24
  622. package/dist/services/xor.d.ts.map +0 -1
  623. package/dist/services/xor.js +0 -37
  624. package/dist/services/xor.js.map +0 -1
  625. package/dist/types.d.ts +0 -70
  626. package/dist/types.d.ts.map +0 -1
  627. package/dist/types.js +0 -14
  628. package/dist/types.js.map +0 -1
  629. package/dist/utils.d.ts +0 -202
  630. package/dist/utils.d.ts.map +0 -1
  631. package/dist/utils.js +0 -786
  632. package/dist/utils.js.map +0 -1
  633. /package/{dist → src}/interfaces/symmetric-encryption-results.js +0 -0
package/dist/services/user.js DELETED
@@ -1,1374 +0,0 @@
1
- "use strict";
2
- var __importDefault = (this && this.__importDefault) || function (mod) {
3
- return (mod && mod.__esModule) ? mod : { "default": mod };
4
- };
5
- Object.defineProperty(exports, "__esModule", { value: true });
6
- exports.UserService = void 0;
7
- const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
8
- const i18n_lib_1 = require("@digitaldefiance/i18n-lib");
9
- const node_ecies_lib_1 = require("@digitaldefiance/node-ecies-lib");
10
- const suite_core_lib_1 = require("@digitaldefiance/suite-core-lib");
11
- const crypto_1 = require("crypto");
12
- const mongodb_1 = require("mongodb");
13
- const mongoose_1 = require("mongoose");
14
- const validator_1 = __importDefault(require("validator"));
15
- const errors_1 = require("../errors");
16
- const backup_code_1 = require("../backup-code");
17
- const base_model_name_1 = require("../enumerations/base-model-name");
18
- const mongoose_validation_1 = require("../errors/mongoose-validation");
19
- const model_registry_1 = require("../model-registry");
20
- const utils_1 = require("../utils");
21
- const base_1 = require("./base");
22
- const direct_login_token_1 = require("./direct-login-token");
23
- const mnemonic_1 = require("./mnemonic");
24
- const request_user_1 = require("./request-user");
25
- const system_user_1 = require("./system-user");
26
- class UserService extends base_1.BaseService {
27
- constructor(application, roleService, emailService, keyWrappingService, backupCodeService) {
28
- super(application);
29
- this.roleService = roleService;
30
- this.emailService = emailService;
31
- this.keyWrappingService = keyWrappingService;
32
- this.backupCodeService = backupCodeService;
33
- this.serverUrl = application.environment.serverUrl;
34
- this.disableEmailSend = application.environment.disableEmailSend;
35
- const config = {
36
- curveName: this.application.constants.ECIES.CURVE_NAME,
37
- primaryKeyDerivationPath: this.application.constants.ECIES.PRIMARY_KEY_DERIVATION_PATH,
38
- mnemonicStrength: this.application.constants.ECIES.MNEMONIC_STRENGTH,
39
- symmetricAlgorithm: this.application.constants.ECIES.SYMMETRIC_ALGORITHM_CONFIGURATION,
40
- symmetricKeyBits: this.application.constants.ECIES.SYMMETRIC.KEY_BITS,
41
- symmetricKeyMode: this.application.constants.ECIES.SYMMETRIC.MODE,
42
- };
43
- this.eciesService = new node_ecies_lib_1.ECIESService(config);
44
- const mnemonicModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.Mnemonic);
45
- this.mnemonicService = new mnemonic_1.MnemonicService(mnemonicModel, application.environment.mnemonicHmacSecret, this.keyWrappingService);
46
- }
47
- /**
48
- * Given a User Document, make a User DTO
49
- * @param user a User Document
50
- * @returns An IUserDTO
51
- */
52
- static userToUserDTO(user) {
53
- return {
54
- ...(user instanceof mongoose_1.Document ? user.toObject() : user),
55
- _id: (user._id instanceof mongoose_1.Types.ObjectId
56
- ? user._id.toString()
57
- : user._id),
58
- createdBy: (user.createdBy instanceof Date
59
- ? user.createdBy.toString()
60
- : user.createdBy),
61
- updatedBy: (user.updatedBy instanceof Date
62
- ? user.updatedBy.toString()
63
- : user.updatedBy),
64
- ...(user.lastLogin
65
- ? {
66
- lastLogin: (user.lastLogin instanceof Date
67
- ? user.lastLogin.toString()
68
- : user.lastLogin),
69
- }
70
- : {}),
71
- ...(user.deletedBy
72
- ? {
73
- deletedBy: (user.deletedBy instanceof Date
74
- ? user.deletedBy.toString()
75
- : user.deletedBy),
76
- }
77
- : {}),
78
- };
79
- }
80
- /**
81
- * Given a User DTO, reconstitute ids and dates
82
- * @param user a User DTO
83
- * @returns An IUserBackendObject
84
- */
85
- hydrateUserDTOToBackend(user) {
86
- return {
87
- ...user,
88
- _id: new mongodb_1.ObjectId(user._id),
89
- ...(user.lastLogin ? { lastLogin: new Date(user.lastLogin) } : {}),
90
- createdAt: new Date(user.createdAt),
91
- createdBy: new mongodb_1.ObjectId(user.createdBy),
92
- updatedAt: new Date(user.updatedAt),
93
- updatedBy: new mongodb_1.ObjectId(user.updatedBy),
94
- ...(user.deletedAt ? { deletedAt: new Date(user.deletedAt) } : {}),
95
- ...(user.deletedBy
96
- ? {
97
- deletedBy: new mongodb_1.ObjectId(user.deletedBy),
98
- }
99
- : {}),
100
- ...(user.mnemonicId ? { mnemonicId: new mongodb_1.ObjectId(user.mnemonicId) } : {}),
101
- };
102
- }
103
- /**
104
- * Create a new email token to send to the user for email verification
105
- * @param userDoc The user to create the email token for
106
- * @param type The type of email token to create
107
- * @param session The session to use for the query
108
- * @returns The email token document
109
- */
110
- async createEmailToken(userDoc, type, session) {
111
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
112
- // If we already have a session, use it directly to avoid nested transactions
113
- if (session) {
114
- const now = new Date();
115
- const tokenData = {
116
- userId: userDoc._id,
117
- type: type,
118
- email: userDoc.email,
119
- token: (0, crypto_1.randomBytes)(this.application.constants.EmailTokenLength).toString('hex'),
120
- createdAt: now,
121
- updatedAt: now,
122
- expiresAt: new Date(now.getTime() + this.application.constants.EmailTokenExpiration),
123
- };
124
- // Use findOneAndUpdate with upsert to avoid duplicate key errors
125
- const emailToken = await EmailTokenModel.findOneAndUpdate({
126
- userId: userDoc._id,
127
- email: userDoc.email,
128
- type: type,
129
- }, tokenData, {
130
- upsert: true,
131
- new: true,
132
- session,
133
- });
134
- if (!emailToken) {
135
- throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateEmailToken);
136
- }
137
- return emailToken;
138
- }
139
- // Only create a new transaction if no session is provided
140
- return await this.withTransaction(async (sess) => {
141
- const now = new Date();
142
- const tokenData = {
143
- userId: userDoc._id,
144
- type: type,
145
- email: userDoc.email,
146
- token: (0, crypto_1.randomBytes)(this.application.constants.EmailTokenLength).toString('hex'),
147
- createdAt: now,
148
- updatedAt: now,
149
- expiresAt: new Date(now.getTime() + this.application.constants.EmailTokenExpiration),
150
- };
151
- // Use findOneAndUpdate with upsert to avoid duplicate key errors
152
- const emailToken = await EmailTokenModel.findOneAndUpdate({
153
- userId: userDoc._id,
154
- email: userDoc.email,
155
- type: type,
156
- }, tokenData, {
157
- upsert: true,
158
- new: true,
159
- session: sess,
160
- });
161
- if (!emailToken) {
162
- throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateEmailToken);
163
- }
164
- return emailToken;
165
- }, undefined, {
166
- timeoutMs: this.application.environment.mongo.transactionTimeout,
167
- retryAttempts: 2,
168
- });
169
- }
170
- /**
171
- * Create and send an email token to the user for email verification
172
- * @param user The user to send the email token to
173
- * @param type The type of email token to send
174
- * @param session The session to use for the query
175
- * @returns The email token document
176
- */
177
- async createAndSendEmailToken(user, type = suite_core_lib_1.EmailTokenType.AccountVerification, session, debug = false) {
178
- const emailToken = await this.createEmailToken(user, type, session);
179
- try {
180
- await this.sendEmailToken(emailToken, session, debug);
181
- }
182
- catch (error) {
183
- // keep parity with previous behavior: continue returning token even if email send fails
184
- }
185
- return emailToken;
186
- }
187
- /**
188
- * Create and send an email token directly within an existing transaction
189
- * @param user The user to send the email token to
190
- * @param type The type of email token to send
191
- * @param session The session to use for the query (required)
192
- * @param debug Whether to enable debug logging
193
- * @returns The email token document
194
- */
195
- async createAndSendEmailTokenDirect(user, type = suite_core_lib_1.EmailTokenType.AccountVerification, session, debug = false) {
196
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
197
- // Create token directly within the existing session using upsert
198
- const now = new Date();
199
- const tokenData = {
200
- userId: user._id,
201
- type: type,
202
- email: user.email,
203
- token: (0, crypto_1.randomBytes)(this.application.constants.EmailTokenLength).toString('hex'),
204
- createdAt: now,
205
- updatedAt: now,
206
- expiresAt: new Date(now.getTime() + this.application.constants.EmailTokenExpiration),
207
- };
208
- // Use findOneAndUpdate with upsert to avoid duplicate key errors
209
- const emailToken = await EmailTokenModel.findOneAndUpdate({
210
- userId: user._id,
211
- email: user.email,
212
- type: type,
213
- }, tokenData, {
214
- upsert: true,
215
- new: true,
216
- session,
217
- });
218
- if (!emailToken) {
219
- throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateEmailToken);
220
- }
221
- try {
222
- await this.sendEmailToken(emailToken, session, debug);
223
- }
224
- catch (error) {
225
- // Ignore email send errors in direct token creation
226
- }
227
- return emailToken;
228
- }
229
- /**
230
- * Send an email token to the user for email verification
231
- * @param emailToken The email token to send
232
- * @param session The session to use for the query
233
- * @returns void
234
- */
235
- async sendEmailToken(emailToken, session, debug = false) {
236
- if (this.disableEmailSend) {
237
- (0, utils_1.debugLog)(debug, 'log', 'Email sending disabled for testing');
238
- // Still update lastSent and expiration to keep token valid during tests
239
- emailToken.lastSent = new Date();
240
- emailToken.expiresAt = new Date(Date.now() + this.application.constants.EmailTokenExpiration);
241
- await emailToken.save({ session });
242
- return;
243
- }
244
- if (emailToken.lastSent &&
245
- emailToken.lastSent.getTime() +
246
- this.application.constants.EmailTokenResendInterval >
247
- Date.now()) {
248
- throw new suite_core_lib_1.EmailTokenSentTooRecentlyError(emailToken.lastSent);
249
- }
250
- let subjectString;
251
- let bodyString;
252
- let url;
253
- switch (emailToken.type) {
254
- case suite_core_lib_1.EmailTokenType.AccountVerification:
255
- subjectString = suite_core_lib_1.SuiteCoreStringKey.Email_ConfirmationSubjectTemplate;
256
- bodyString = suite_core_lib_1.SuiteCoreStringKey.Email_ConfirmationBody;
257
- url = `${this.serverUrl}/verify-email?token=${emailToken.token}`;
258
- break;
259
- case suite_core_lib_1.EmailTokenType.PasswordReset:
260
- subjectString = suite_core_lib_1.SuiteCoreStringKey.Email_ResetPasswordSubjectTemplate;
261
- bodyString = suite_core_lib_1.SuiteCoreStringKey.Email_ResetPasswordBody;
262
- url = `${this.serverUrl}/forgot-password?token=${emailToken.token}`;
263
- break;
264
- case suite_core_lib_1.EmailTokenType.LoginRequest:
265
- subjectString = suite_core_lib_1.SuiteCoreStringKey.Email_LoginRequestSubjectTemplate;
266
- bodyString = suite_core_lib_1.SuiteCoreStringKey.Email_LoginRequestBody;
267
- url = `${this.serverUrl}/challenge?token=${emailToken.token}`;
268
- break;
269
- case suite_core_lib_1.EmailTokenType.MnemonicRecoveryRequest:
270
- case suite_core_lib_1.EmailTokenType.PrivateKeyRequest:
271
- default:
272
- throw new Error('Invalid email token type');
273
- }
274
- const emailSubject = (0, suite_core_lib_1.getSuiteCoreTranslation)(subjectString);
275
- const emailText = `${(0, suite_core_lib_1.getSuiteCoreTranslation)(bodyString)}\r\n\r\n${url}`;
276
- const emailHtml = `<p>${(0, suite_core_lib_1.getSuiteCoreTranslation)(bodyString)}</p><br/><p><a href="${url}">${url}</a></p><p>${(0, suite_core_lib_1.getSuiteCoreTranslation)(suite_core_lib_1.SuiteCoreStringKey.Email_LinkExpiresInTemplate)}</p>`;
277
- try {
278
- // Use the EmailService to send the email
279
- await this.emailService.sendEmail(emailToken.email, emailSubject, emailText, emailHtml);
280
- // update last sent/expiration
281
- emailToken.lastSent = new Date();
282
- emailToken.expiresAt = new Date(Date.now() + this.application.constants.EmailTokenExpiration);
283
- await emailToken.save({ session });
284
- }
285
- catch (error) {
286
- throw new suite_core_lib_1.EmailTokenFailedToSendError(emailToken.type);
287
- }
288
- }
289
- /**
290
- * Find a user by email or username and enforce account status checks
291
- * @param email Optional email
292
- * @param username Optional username
293
- * @param session Optional mongoose session
294
- * @throws UsernameOrEmailRequiredError if neither provided
295
- * @throws InvalidCredentialsError if not found or deleted
296
- * @throws AccountLockedError | PendingEmailVerificationError | AccountStatusError per status
297
- */
298
- async findUser(email, username, session) {
299
- if (!email && !username) {
300
- throw new suite_core_lib_1.UsernameOrEmailRequiredError();
301
- }
302
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
303
- let userDoc = null;
304
- try {
305
- if (email) {
306
- userDoc = await UserModel.findOne({
307
- email: email.toLowerCase(),
308
- })
309
- .session(session ?? null)
310
- .exec();
311
- }
312
- else if (username) {
313
- userDoc = await UserModel.findOne({ username })
314
- .collation({ locale: 'en', strength: 2 })
315
- .session(session ?? null)
316
- .exec();
317
- }
318
- }
319
- catch (error) {
320
- // Database error in findUser - convert to InvalidCredentialsError for security
321
- throw new suite_core_lib_1.InvalidCredentialsError();
322
- }
323
- if (!userDoc || userDoc.deletedAt) {
324
- if (email) {
325
- const engine = i18n_lib_1.I18nEngine.getInstance();
326
- throw new ecies_lib_1.InvalidEmailError(ecies_lib_1.InvalidEmailErrorType.Missing, engine);
327
- }
328
- throw new suite_core_lib_1.InvalidUsernameError();
329
- }
330
- switch (userDoc.accountStatus) {
331
- case suite_core_lib_1.AccountStatus.Active:
332
- break;
333
- case suite_core_lib_1.AccountStatus.AdminLock:
334
- throw new suite_core_lib_1.AccountLockedError();
335
- case suite_core_lib_1.AccountStatus.PendingEmailVerification:
336
- throw new suite_core_lib_1.PendingEmailVerificationError();
337
- default:
338
- throw new suite_core_lib_1.AccountStatusError(userDoc.accountStatus);
339
- }
340
- return userDoc;
341
- }
342
- /**
343
- * Finds a user record by ID
344
- * @param userId The user ID
345
- * @param throwIfNotActive Whether to throw if the user is inactive
346
- * @param session The active session, if present
347
- * @returns The user document
348
- */
349
- async findUserById(userId, throwIfNotActive, session, select) {
350
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
351
- const baseQuery = UserModel.findById(userId).session(session ?? null);
352
- if (select) {
353
- // Always include fields needed for status checks
354
- const merged = this.ensureRequiredFieldsInProjection(select, [
355
- 'deletedAt',
356
- 'accountStatus',
357
- ]);
358
- baseQuery.select(merged);
359
- }
360
- const userDoc = (await baseQuery.exec());
361
- if (!userDoc || userDoc.deletedAt) {
362
- throw new suite_core_lib_1.UserNotFoundError();
363
- }
364
- if (throwIfNotActive) {
365
- switch (userDoc.accountStatus) {
366
- case suite_core_lib_1.AccountStatus.Active:
367
- break;
368
- case suite_core_lib_1.AccountStatus.AdminLock:
369
- throw new suite_core_lib_1.AccountLockedError();
370
- case suite_core_lib_1.AccountStatus.PendingEmailVerification:
371
- throw new suite_core_lib_1.PendingEmailVerificationError();
372
- default:
373
- throw new suite_core_lib_1.AccountStatusError(userDoc.accountStatus);
374
- }
375
- }
376
- return userDoc;
377
- }
378
- /**
379
- * Ensure required fields are present in a projection for queries that rely on them.
380
- * Supports string and object-style projections. For inclusion projections, adds fields.
381
- * For exclusion projections, ensures required fields are not excluded.
382
- */
383
- ensureRequiredFieldsInProjection(select, required) {
384
- if (typeof select === 'string') {
385
- const parts = select
386
- .split(/\s+/)
387
- .map((s) => s.trim())
388
- .filter(Boolean);
389
- const exclusions = new Set(parts.filter((p) => p.startsWith('-')).map((p) => p.slice(1)));
390
- // Remove exclusions on required fields
391
- for (const r of required) {
392
- exclusions.delete(r);
393
- }
394
- const cleaned = parts.filter((p) => !p.startsWith('-'));
395
- for (const r of required) {
396
- if (!cleaned.includes(r))
397
- cleaned.push(r);
398
- }
399
- const result = [...cleaned, ...[...exclusions].map((r) => `-${r}`)];
400
- return result.join(' ');
401
- }
402
- if (select && typeof select === 'object') {
403
- const proj = { ...select };
404
- const values = Object.values(proj);
405
- const hasInclusions = values.some((v) => v === 1 || v === true);
406
- if (hasInclusions) {
407
- for (const r of required) {
408
- proj[r] = 1;
409
- }
410
- }
411
- else {
412
- const keysToRemove = required.filter((r) => proj[r] === 0 || proj[r] === false || proj[r] === -1);
413
- keysToRemove.forEach((key) => delete proj[key]);
414
- }
415
- return proj;
416
- }
417
- return select;
418
- }
419
- /**
420
- * Fill in the default values to a user object
421
- * @param newUser The user object to fill in
422
- * @param createdBy The user ID of the user creating the new user
423
- * @returns The filled in user
424
- */
425
- fillUserDefaults(newUser, createdBy, backupCodes, encryptedMnemonic, userId) {
426
- return {
427
- ...(userId ? { _id: userId } : {}),
428
- timezone: 'UTC',
429
- ...newUser,
430
- email: newUser.email.toLowerCase(),
431
- emailVerified: false,
432
- accountStatus: suite_core_lib_1.AccountStatus.PendingEmailVerification,
433
- duressPasswords: [],
434
- siteLanguage: suite_core_lib_1.DefaultLanguageCode,
435
- publicKey: '',
436
- backupCodes,
437
- mnemonicRecovery: encryptedMnemonic,
438
- directChallenge: false,
439
- createdAt: new Date(),
440
- createdBy: createdBy,
441
- updatedAt: new Date(),
442
- updatedBy: createdBy,
443
- };
444
- }
445
- /**
446
- * Create a new user document from an IUser and unhashed password
447
- * @param newUser The user object
448
- * @returns The new user document
449
- */
450
- async makeUserDoc(newUser) {
451
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
452
- const newUserDoc = new UserModel(newUser);
453
- const validationError = newUserDoc.validateSync();
454
- if (validationError) {
455
- throw new mongoose_validation_1.MongooseValidationError(validationError.errors);
456
- }
457
- return newUserDoc;
458
- }
459
- /**
460
- * Create a new user.
461
- * Do not set createdBy to a new (non-existing) ObjectId unless you also set newUserId to it.
462
- * If newUserId is not set, one will be generated.
463
- * @param systemUser The system user performing the operation
464
- * @param userData Username, email, password in a ICreateUserBasics object
465
- * @param createdBy The user id of the user creating the user
466
- * @param newUserId the user id of the new user object- usually the createdBy user id.
467
- * @param session The session to use for the query
468
- * @param debug Whether to log debug information
469
- * @param password The password to use for the new user (optional, if not provided, mnemonic will be used)
470
- * @returns The new user document
471
- */
472
- async newUser(systemUser, userData, createdBy, newUserId, session, debug = false, password) {
473
- const _newUserId = newUserId ?? new mongoose_1.Types.ObjectId();
474
- if (!this.application.constants.UsernameRegex.test(userData.username)) {
475
- throw new suite_core_lib_1.InvalidUsernameError();
476
- }
477
- if (password && !this.application.constants.PasswordRegex.test(password)) {
478
- throw new errors_1.InvalidNewPasswordError();
479
- }
480
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
481
- return await this.withTransaction(async (sess) => {
482
- const existingEmail = await UserModel.findOne({
483
- email: userData.email.toLowerCase(),
484
- }).session(sess ?? null);
485
- if (existingEmail) {
486
- throw new suite_core_lib_1.EmailInUseError();
487
- }
488
- const existingUsername = await UserModel.findOne({
489
- username: { $regex: new RegExp(`^${userData.username}$`, 'i') },
490
- }).session(sess ?? null);
491
- if (existingUsername) {
492
- throw new suite_core_lib_1.UsernameInUseError();
493
- }
494
- let mnemonic;
495
- let member;
496
- while (!mnemonic || !member) {
497
- try {
498
- const { member: newMember, mnemonic: newMnemonic } = node_ecies_lib_1.Member.newMember(this.eciesService, ecies_lib_1.MemberType.User, userData.username, new ecies_lib_1.EmailString(userData.email), undefined, createdBy);
499
- // make sure the new mnemonic is not already in the database
500
- const mnemonicExists = await this.mnemonicService.mnemonicExists(newMnemonic, sess);
501
- if (!mnemonicExists) {
502
- member = newMember;
503
- mnemonic = newMnemonic;
504
- }
505
- }
506
- catch {
507
- // If we fail to create a new member, we will retry until we succeed.
508
- // This is to ensure that we do not end up with duplicate mnemonics.
509
- (0, utils_1.debugLog)(debug, 'warn', 'Failed to create a new member, retrying...');
510
- }
511
- }
512
- const backupCodes = backup_code_1.BackupCode.generateBackupCodes();
513
- const encryptedBackupCodes = await backup_code_1.BackupCode.encryptBackupCodes(member, systemUser, backupCodes);
514
- const encryptedMnemonic = member
515
- .encryptData(Buffer.from(mnemonic.value ?? '', 'utf-8'))
516
- .toString('hex');
517
- const newUserDoc = new UserModel({
518
- ...this.fillUserDefaults(userData, createdBy ?? _newUserId, encryptedBackupCodes, encryptedMnemonic, _newUserId),
519
- publicKey: member.publicKey.toString('hex'),
520
- });
521
- const validationError = newUserDoc.validateSync();
522
- if (validationError) {
523
- throw new mongoose_validation_1.MongooseValidationError(validationError.errors);
524
- }
525
- // Always add HMAC-only mnemonic doc
526
- const newMnemonicDoc = await this.mnemonicService.addMnemonic(mnemonic, sess);
527
- if (newMnemonicDoc) {
528
- newUserDoc.mnemonicId = newMnemonicDoc._id;
529
- }
530
- // If password provided, wrap the ECIES private key with the password (Option B)
531
- if (password) {
532
- const passwordSecure = new ecies_lib_1.SecureString(password);
533
- try {
534
- const priv = new ecies_lib_1.SecureBuffer(member.privateKey.value);
535
- try {
536
- const wrapped = this.keyWrappingService.wrapSecret(priv, passwordSecure);
537
- newUserDoc.passwordWrappedPrivateKey = wrapped;
538
- }
539
- finally {
540
- priv.dispose();
541
- }
542
- }
543
- finally {
544
- passwordSecure.dispose();
545
- }
546
- }
547
- const savedUserDoc = await newUserDoc.save({ session: sess });
548
- const memberRoleId = await this.roleService.getRoleIdByName(this.application.constants.MemberRole, sess);
549
- if (!memberRoleId) {
550
- throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToLookupRoleTemplate, {
551
- ROLE: (0, suite_core_lib_1.getSuiteCoreTranslation)(suite_core_lib_1.SuiteCoreStringKey.Common_Member),
552
- });
553
- }
554
- await this.roleService.addUserToRole(memberRoleId, savedUserDoc._id, _newUserId, sess);
555
- return {
556
- user: savedUserDoc,
557
- mnemonic: mnemonic.value ?? '',
558
- backupCodes: backupCodes.map((code) => code.value ?? ''),
559
- ...(password ? { password } : {}),
560
- };
561
- }, session, {
562
- timeoutMs: this.application.environment.mongo.transactionTimeout * 10,
563
- });
564
- }
565
- /**
566
- * Get the backup codes for a user.
567
- * Requires the user not be deleted or inactive
568
- */
569
- async getEncryptedUserBackupCodes(userId, session) {
570
- const userWithCodes = await this.findUserById(userId, true, session, {
571
- backupCodes: 1,
572
- });
573
- return userWithCodes.backupCodes;
574
- }
575
- /**
576
- * Resets the given user's backup codes
577
- * @param backupUser The user to generate codes for
578
- * @param session The current session, if any
579
- * @returns A promise of an array of backup codes
580
- */
581
- async resetUserBackupCodes(backupUser, systemUser, session) {
582
- if (!backupUser.hasPrivateKey) {
583
- throw new suite_core_lib_1.PrivateKeyRequiredError();
584
- }
585
- const backupCodes = backup_code_1.BackupCode.generateBackupCodes();
586
- const encryptedBackupCodes = await backup_code_1.BackupCode.encryptBackupCodes(backupUser, systemUser, backupCodes);
587
- const UserModel = model_registry_1.ModelRegistry.instance.get('User')?.model;
588
- return await this.withTransaction(async (sess) => {
589
- await UserModel.updateOne({ _id: backupUser.id }, { $set: { backupCodes: encryptedBackupCodes } }, { session: sess });
590
- return backupCodes;
591
- }, session, {
592
- timeoutMs: this.application.environment.mongo.transactionTimeout,
593
- });
594
- }
595
- /**
596
- * Recover a user's mnemonic from an encrypted mnemonic
597
- * @param user The user whose mnemonic to recover
598
- * @param encryptedMnemonic The encrypted mnemonic
599
- * @returns The recovered mnemonic
600
- */
601
- recoverMnemonic(user, encryptedMnemonic) {
602
- if (!encryptedMnemonic) {
603
- throw new suite_core_lib_1.TranslatableSuiteHandleableError(suite_core_lib_1.SuiteCoreStringKey.MnemonicRecovery_Missing, undefined, undefined, {
604
- statusCode: 400,
605
- });
606
- }
607
- return new ecies_lib_1.SecureString(user.decryptData(Buffer.from(encryptedMnemonic, 'hex')).toString('utf-8'));
608
- }
609
- /**
610
- * Make a Member from a user document and optional private key
611
- * @param userDoc The user document
612
- * @param privateKey Optional private key to load the wallet
613
- * @param publicKey Optional public key to override the userDoc public key
614
- * @param session The current session, if any
615
- * @returns A promise containing the created Member
616
- */
617
- async makeUserFromUserDoc(userDoc, privateKey, publicKey, mnemonic, wallet, session) {
618
- const memberType = await this.roleService.getMemberType(userDoc, session);
619
- const user = new node_ecies_lib_1.Member(this.eciesService, memberType, userDoc.username, new ecies_lib_1.EmailString(userDoc.email), publicKey ?? Buffer.from(userDoc.publicKey, 'hex'), privateKey, wallet, userDoc._id, new Date(userDoc.createdAt), new Date(userDoc.updatedAt), userDoc.createdBy);
620
- if ((privateKey?.originalLength ?? -1) > 0 && user.hasPrivateKey) {
621
- user.loadWallet(mnemonic ?? this.recoverMnemonic(user, userDoc.mnemonicRecovery));
622
- }
623
- return user;
624
- }
625
- /**
626
- * Challenges a given userDoc with a given mnemonic, returns a system and user Member
627
- * @param userDoc The userDoc in question
628
- * @param mnemonic The mnemonic to challenge against
629
- * @returns A promise containing the user and system Members
630
- * @throws InvalidCredentialsError if the challenge fails
631
- * @throws AccountLockedError if the account is locked
632
- * @throws PendingEmailVerificationError if the email is not verified
633
- * @throws AccountStatusError if the account status is invalid
634
- */
635
- async challengeUserWithMnemonic(userDoc, mnemonic, session) {
636
- try {
637
- // Verify provided mnemonic corresponds to the stored mnemonic HMAC (no password required)
638
- // This prevents any valid mnemonic from authenticating as another user.
639
- const MnemonicModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.Mnemonic);
640
- if (!userDoc.mnemonicId) {
641
- throw new suite_core_lib_1.InvalidCredentialsError();
642
- }
643
- const mnemonicDoc = await MnemonicModel.findById(userDoc.mnemonicId)
644
- .select('hmac')
645
- .session(session ?? null)
646
- .lean()
647
- .exec();
648
- if (!mnemonicDoc) {
649
- throw new suite_core_lib_1.InvalidCredentialsError();
650
- }
651
- const computedHmac = this.mnemonicService.getMnemonicHmac(mnemonic);
652
- console.log('Debug mnemonic auth:', {
653
- userDocId: userDoc._id.toString(),
654
- userDocEmail: userDoc.email,
655
- userDocUsername: userDoc.username,
656
- mnemonicDocId: mnemonicDoc._id?.toString(),
657
- storedHmac: mnemonicDoc.hmac,
658
- computedHmac,
659
- mnemonicsMatch: computedHmac === mnemonicDoc.hmac,
660
- });
661
- if (computedHmac !== mnemonicDoc.hmac) {
662
- throw new suite_core_lib_1.InvalidCredentialsError();
663
- }
664
- // Create a Member from the provided mnemonic to get the keys
665
- const { wallet } = this.eciesService.walletAndSeedFromMnemonic(mnemonic);
666
- const privateKey = wallet.getPrivateKey();
667
- const publicKey = wallet.getPublicKey();
668
- const publicKeyWithPrefix = Buffer.concat([
669
- Buffer.from([this.application.constants.ECIES.PUBLIC_KEY_MAGIC]),
670
- publicKey,
671
- ]);
672
- const userMember = await this.makeUserFromUserDoc(userDoc, new ecies_lib_1.SecureBuffer(privateKey), publicKeyWithPrefix, mnemonic, wallet, session);
673
- // Verify the public key matches the stored userDoc public key
674
- if (userMember.publicKey.toString('hex') !== userDoc.publicKey) {
675
- throw new suite_core_lib_1.InvalidCredentialsError();
676
- }
677
- // Generate a nonce challenge to verify they can decrypt with their key
678
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
679
- const nonce = (0, crypto_1.randomBytes)(32);
680
- const signature = adminMember.sign(nonce);
681
- const payload = Buffer.concat([nonce, signature]);
682
- const encryptedPayload = userMember.encryptData(payload);
683
- const decryptedPayload = userMember.decryptData(encryptedPayload);
684
- // Verify the server's signature on the nonce
685
- const decryptedNonce = decryptedPayload.subarray(0, 32);
686
- const decryptedSignature = decryptedPayload.subarray(32);
687
- const isSignatureValid = adminMember.verify(decryptedSignature, decryptedNonce);
688
- if (!isSignatureValid || !nonce.equals(decryptedNonce)) {
689
- throw new suite_core_lib_1.InvalidCredentialsError();
690
- }
691
- return {
692
- userMember,
693
- adminMember: adminMember,
694
- };
695
- }
696
- catch (error) {
697
- if (error instanceof suite_core_lib_1.InvalidCredentialsError ||
698
- error instanceof suite_core_lib_1.AccountLockedError ||
699
- error instanceof suite_core_lib_1.PendingEmailVerificationError ||
700
- error instanceof suite_core_lib_1.AccountStatusError) {
701
- throw error;
702
- }
703
- throw new suite_core_lib_1.InvalidCredentialsError();
704
- }
705
- }
706
- /**
707
- * Validates a login challenge response
708
- * @param challengeResponse The challenge response bytes in hex
709
- * @param email The email address of the user
710
- * @param username The username of the user
711
- * @param session The mongo session for the query
712
- * @returns A promise that resolves to the user document, user member, and system member
713
- */
714
- async loginWithChallengeResponse(challengeResponse, email, username, session) {
715
- const challengeBuffer = Buffer.from(challengeResponse, 'hex');
716
- // validate the expected challenge response length (8 + 32 + 64 = 104 bytes)
717
- if (challengeBuffer.length !=
718
- this.application.constants.DirectLoginChallengeLength) {
719
- throw new suite_core_lib_1.InvalidChallengeResponseError();
720
- }
721
- // disassemble the challengeResponse into time, nonce, signature
722
- //
723
- const time = challengeBuffer.subarray(0, 8); // 16 hex characters
724
- const nonce = challengeBuffer.subarray(8, 40); // 64 hex characters
725
- const signature = challengeBuffer.subarray(40); // 65 * 2 hex characters
726
- const timeMs = parseInt(time.toString('hex'), 16);
727
- if (new Date().getTime() - timeMs >
728
- this.application.constants.LoginChallengeExpiration) {
729
- throw new suite_core_lib_1.LoginChallengeExpiredError();
730
- }
731
- const userDoc = await this.findUser(email, username, session);
732
- if (!userDoc && email) {
733
- const engine = i18n_lib_1.I18nEngine.getInstance();
734
- throw new ecies_lib_1.InvalidEmailError(ecies_lib_1.InvalidEmailErrorType.Missing, engine);
735
- }
736
- else if (!userDoc) {
737
- throw new suite_core_lib_1.InvalidUsernameError();
738
- }
739
- // re-sign the time + nonce and check if the signature matches
740
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
741
- const timeAndNonce = Buffer.concat([time, nonce]);
742
- const expectedSignature = adminMember.sign(timeAndNonce);
743
- if (expectedSignature.toString('hex') !== signature.toString('hex')) {
744
- throw new suite_core_lib_1.InvalidChallengeResponseError();
745
- }
746
- const userMember = await this.makeUserFromUserDoc(userDoc, undefined, undefined, undefined, undefined, session);
747
- return {
748
- userDoc,
749
- userMember,
750
- adminMember: adminMember,
751
- };
752
- }
753
- /**
754
- * Authenticate a user with client-verified challenge (skips server-side challenge)
755
- * @returns The authenticated user document.
756
- */
757
- async loginWithClientVerifiedChallenge(usernameOrEmail, mnemonic, session) {
758
- const UserModel = this.application.getModel(base_model_name_1.BaseModelName.User);
759
- const userQuery = validator_1.default.isEmail(usernameOrEmail)
760
- ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() }).select('_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey')
761
- : UserModel.findOne({ username: usernameOrEmail })
762
- .collation({ locale: 'en', strength: 2 })
763
- .select('_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey');
764
- const userDoc = await userQuery.lean().session(session ?? null);
765
- if (!userDoc || userDoc.deletedAt) {
766
- throw new suite_core_lib_1.InvalidCredentialsError();
767
- }
768
- // Check account status
769
- switch (userDoc.accountStatus) {
770
- case suite_core_lib_1.AccountStatus.Active:
771
- break;
772
- case suite_core_lib_1.AccountStatus.AdminLock:
773
- throw new suite_core_lib_1.AccountLockedError();
774
- case suite_core_lib_1.AccountStatus.PendingEmailVerification:
775
- throw new suite_core_lib_1.PendingEmailVerificationError();
776
- default:
777
- throw new suite_core_lib_1.AccountStatusError(userDoc.accountStatus);
778
- }
779
- // Verify mnemonic matches user (simplified verification)
780
- try {
781
- const MnemonicModel = this.application.getModel(base_model_name_1.BaseModelName.Mnemonic);
782
- if (!userDoc.mnemonicId) {
783
- throw new suite_core_lib_1.InvalidCredentialsError();
784
- }
785
- const mnemonicDoc = await MnemonicModel.findById(userDoc.mnemonicId)
786
- .select('hmac')
787
- .session(session ?? null)
788
- .lean()
789
- .exec();
790
- if (!mnemonicDoc) {
791
- throw new suite_core_lib_1.InvalidCredentialsError();
792
- }
793
- const computedHmac = this.mnemonicService.getMnemonicHmac(mnemonic);
794
- if (computedHmac !== mnemonicDoc.hmac) {
795
- throw new suite_core_lib_1.InvalidCredentialsError();
796
- }
797
- // Create Member from mnemonic
798
- const { wallet } = this.eciesService.walletAndSeedFromMnemonic(mnemonic);
799
- const privateKey = wallet.getPrivateKey();
800
- const publicKey = wallet.getPublicKey();
801
- const publicKeyWithPrefix = Buffer.concat([
802
- Buffer.from([this.application.constants.ECIES.PUBLIC_KEY_MAGIC]),
803
- publicKey,
804
- ]);
805
- const userMember = await this.makeUserFromUserDoc(userDoc, new ecies_lib_1.SecureBuffer(privateKey), publicKeyWithPrefix, mnemonic, wallet, session);
806
- // Verify public key matches
807
- if (userMember.publicKey.toString('hex') !== userDoc.publicKey) {
808
- throw new suite_core_lib_1.InvalidCredentialsError();
809
- }
810
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
811
- return {
812
- userMember,
813
- adminMember,
814
- userDoc,
815
- };
816
- }
817
- catch (error) {
818
- if (error instanceof suite_core_lib_1.InvalidCredentialsError ||
819
- error instanceof suite_core_lib_1.AccountLockedError ||
820
- error instanceof suite_core_lib_1.PendingEmailVerificationError ||
821
- error instanceof suite_core_lib_1.AccountStatusError) {
822
- throw error;
823
- }
824
- throw new suite_core_lib_1.InvalidCredentialsError();
825
- }
826
- }
827
- /**
828
- * Authenticate a user with their mnemonic.
829
- * @returns The authenticated user document.
830
- */
831
- async loginWithMnemonic(usernameOrEmail, mnemonic, session) {
832
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
833
- const userQuery = validator_1.default.isEmail(usernameOrEmail)
834
- ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() }).select('_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey')
835
- : UserModel.findOne({ username: usernameOrEmail })
836
- .collation({ locale: 'en', strength: 2 })
837
- .select('_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey');
838
- const userDoc = await userQuery.lean().session(session ?? null);
839
- if (!userDoc || userDoc.deletedAt) {
840
- throw new suite_core_lib_1.InvalidCredentialsError();
841
- }
842
- // Check account status
843
- switch (userDoc.accountStatus) {
844
- case suite_core_lib_1.AccountStatus.Active:
845
- break;
846
- case suite_core_lib_1.AccountStatus.AdminLock:
847
- throw new suite_core_lib_1.AccountLockedError();
848
- case suite_core_lib_1.AccountStatus.PendingEmailVerification:
849
- throw new suite_core_lib_1.PendingEmailVerificationError();
850
- default:
851
- throw new suite_core_lib_1.AccountStatusError(userDoc.accountStatus);
852
- }
853
- const challengeResponse = await this.challengeUserWithMnemonic(userDoc, mnemonic, session);
854
- return { ...challengeResponse, userDoc };
855
- }
856
- /**
857
- * Authenticate a user with their password (for key-wrapped accounts).
858
- * @returns The authenticated user document.
859
- */
860
- async loginWithPassword(usernameOrEmail, password, session) {
861
- const UserModel = this.application.getModel(base_model_name_1.BaseModelName.User);
862
- const query = validator_1.default.isEmail(usernameOrEmail)
863
- ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() })
864
- : UserModel.findOne({ username: usernameOrEmail }).collation({
865
- locale: 'en',
866
- strength: 2,
867
- });
868
- const userDoc = await query
869
- .session(session ?? null)
870
- .exec();
871
- if (!userDoc || userDoc.deletedAt) {
872
- throw new suite_core_lib_1.InvalidCredentialsError();
873
- }
874
- // Check account status
875
- switch (userDoc.accountStatus) {
876
- case suite_core_lib_1.AccountStatus.Active:
877
- break;
878
- case suite_core_lib_1.AccountStatus.AdminLock:
879
- throw new suite_core_lib_1.AccountLockedError();
880
- case suite_core_lib_1.AccountStatus.PendingEmailVerification:
881
- throw new suite_core_lib_1.PendingEmailVerificationError();
882
- default:
883
- throw new suite_core_lib_1.AccountStatusError(userDoc.accountStatus);
884
- }
885
- // Check if user has password-based authentication set up (Option B requires passwordWrappedPrivateKey)
886
- if (!userDoc.passwordWrappedPrivateKey || !userDoc.mnemonicId) {
887
- throw new suite_core_lib_1.InvalidCredentialsError();
888
- }
889
- // Unwrap password-wrapped private key and complete challenge with possession of private key
890
- const unwrapped = await this.keyWrappingService.unwrapSecretAsync(userDoc.passwordWrappedPrivateKey, password);
891
- // Build user member with unwrapped private key to decrypt challenge
892
- // Note: userMember now owns the unwrapped SecureBuffer, so we don't dispose it here
893
- const userMember = await this.makeUserFromUserDoc(userDoc, unwrapped, undefined, undefined, undefined, session);
894
- // Generate a nonce challenge signed by system
895
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
896
- const nonce = (0, crypto_1.randomBytes)(32);
897
- const signature = adminMember.sign(nonce);
898
- const payload = Buffer.concat([nonce, signature]);
899
- const encryptedPayload = userMember.encryptData(payload);
900
- const decryptedPayload = userMember.decryptData(encryptedPayload);
901
- const decryptedNonce = decryptedPayload.subarray(0, 32);
902
- const decryptedSignature = decryptedPayload.subarray(32);
903
- const isSignatureValid = adminMember.verify(decryptedSignature, decryptedNonce);
904
- if (!isSignatureValid || !nonce.equals(decryptedNonce)) {
905
- throw new suite_core_lib_1.InvalidCredentialsError();
906
- }
907
- return { userDoc, userMember, adminMember: adminMember };
908
- }
909
- /**
910
- * Re-send a previously sent email token
911
- * @param userId The user id
912
- * @param session The session to use for the query
913
- * @returns void
914
- * @throws EmailTokenUsedOrInvalidError
915
- */
916
- async resendEmailToken(userId, type, session, debug = false) {
917
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
918
- return await this.withTransaction(async (sess) => {
919
- // look up the most recent email token for a given user, then send it
920
- const emailToken = await EmailTokenModel.findOne({
921
- userId,
922
- type,
923
- expiresAt: { $gt: new Date() },
924
- })
925
- .session(sess ?? null)
926
- .sort({ createdAt: -1 })
927
- .limit(1);
928
- if (!emailToken) {
929
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
930
- }
931
- await this.sendEmailToken(emailToken, sess, debug);
932
- }, session, {
933
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
934
- });
935
- }
936
- /**
937
- * Verify the email token and update the user's account status
938
- * @param emailToken The email token to verify
939
- * @param session The session to use for the query
940
- * @returns void
941
- * @throws EmailTokenUsedOrInvalidError
942
- * @throws EmailTokenExpiredError
943
- * @throws EmailVerifiedError
944
- * @throws UserNotFoundError
945
- */
946
- async verifyAccountTokenAndComplete(emailToken, session) {
947
- let alreadyVerified = false;
948
- await this.withTransaction(async (sess) => {
949
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
950
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
951
- const token = await this.findEmailToken(emailToken, suite_core_lib_1.EmailTokenType.AccountVerification, sess);
952
- if (!token) {
953
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
954
- }
955
- if (token.expiresAt < new Date()) {
956
- await EmailTokenModel.deleteOne({ _id: token._id }).session(sess ?? null);
957
- throw new suite_core_lib_1.EmailTokenExpiredError();
958
- }
959
- const user = await UserModel.findById(token.userId).session(sess ?? null);
960
- if (!user || user.deletedAt) {
961
- throw new suite_core_lib_1.UserNotFoundError();
962
- }
963
- if (user.emailVerified) {
964
- // Delete the token and mark to throw error after transaction commits
965
- await EmailTokenModel.deleteOne({ _id: token._id }).session(sess ?? null);
966
- alreadyVerified = true;
967
- return;
968
- }
969
- // set user email to token email and mark as verified
970
- user.email = token.email;
971
- user.emailVerified = true;
972
- user.accountStatus = suite_core_lib_1.AccountStatus.Active;
973
- user.updatedBy = user._id;
974
- await user.save({ session: sess });
975
- // Delete the token after successful verification
976
- await EmailTokenModel.deleteOne({ _id: token._id }).session(sess ?? null);
977
- // add the user to the member role
978
- const memberRoleId = await this.roleService.getRoleIdByName(this.application.constants.MemberRole, sess);
979
- if (memberRoleId) {
980
- await this.roleService.addUserToRole(memberRoleId, user._id, user._id, sess);
981
- }
982
- else {
983
- throw new Error('Member role not found');
984
- }
985
- }, session, {
986
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
987
- });
988
- if (alreadyVerified) {
989
- throw new suite_core_lib_1.EmailVerifiedError(409);
990
- }
991
- }
992
- /**
993
- * Validate the email token
994
- * @param token The token to validate
995
- * @param restrictType The type of email token to validate (or throw)
996
- * @param session The session to use for the query
997
- * @returns void
998
- * @throws EmailTokenUsedOrInvalidError
999
- */
1000
- async validateEmailToken(token, restrictType, session) {
1001
- return await this.withTransaction(async (ses) => {
1002
- const EmailTokenModel = this.application.getModel(base_model_name_1.BaseModelName.EmailToken);
1003
- const emailToken = await EmailTokenModel.findOne({
1004
- token,
1005
- ...(restrictType ? { type: suite_core_lib_1.EmailTokenType.PasswordReset } : {}),
1006
- }).session(ses ?? null);
1007
- if (!emailToken) {
1008
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
1009
- }
1010
- else if (emailToken.expiresAt < new Date()) {
1011
- await EmailTokenModel.deleteOne({ _id: emailToken._id }).session(ses ?? null);
1012
- throw new suite_core_lib_1.EmailTokenExpiredError();
1013
- }
1014
- // nothing else to do here, token is valid
1015
- }, session, {
1016
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
1017
- });
1018
- }
1019
- /**
1020
- * Updates the user's language
1021
- * @param userId - The ID of the user
1022
- * @param newLanguage - The new language
1023
- * @param session - The session to use for the query
1024
- * @returns The updated user
1025
- */
1026
- async updateSiteLanguage(userId, newLanguage, session) {
1027
- return await this.withTransaction(async (sess) => {
1028
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
1029
- const userDoc = await UserModel.findByIdAndUpdate(new mongoose_1.Types.ObjectId(userId), {
1030
- siteLanguage: newLanguage,
1031
- }, { new: true }).session(sess ?? null);
1032
- if (!userDoc) {
1033
- throw new suite_core_lib_1.UserNotFoundError();
1034
- }
1035
- const roles = await this.roleService.getUserRoles(userDoc._id);
1036
- const tokenRoles = this.roleService.rolesToTokenRoles(roles);
1037
- return request_user_1.RequestUserService.makeRequestUserDTO(userDoc, tokenRoles);
1038
- }, session, {
1039
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
1040
- });
1041
- }
1042
- /**
1043
- * Changes the user's password by re-wrapping their master key
1044
- * @param userId - The ID of the user
1045
- * @param currentPassword - The current password
1046
- * @param newPassword - The new password
1047
- * @param session - The session to use for the query
1048
- * @returns void
1049
- */
1050
- async changePassword(userId, currentPassword, newPassword, session) {
1051
- return await this.withTransaction(async (sess) => {
1052
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
1053
- const userDoc = await UserModel.findById(userId).session(sess ?? null);
1054
- if (!userDoc || !userDoc.passwordWrappedPrivateKey) {
1055
- throw new suite_core_lib_1.UserNotFoundError();
1056
- }
1057
- if (!ecies_lib_1.Constants.PasswordRegex.test(newPassword)) {
1058
- throw new errors_1.InvalidNewPasswordError();
1059
- }
1060
- const currentPasswordSecure = new ecies_lib_1.SecureString(currentPassword);
1061
- const newPasswordSecure = new ecies_lib_1.SecureString(newPassword);
1062
- try {
1063
- // Unwrap existing private key and rewrap under new password
1064
- const priv = this.keyWrappingService.unwrapSecret(userDoc.passwordWrappedPrivateKey, currentPasswordSecure);
1065
- try {
1066
- const wrapped = this.keyWrappingService.wrapSecret(priv, newPasswordSecure);
1067
- userDoc.passwordWrappedPrivateKey = wrapped;
1068
- await userDoc.save({ session: sess });
1069
- }
1070
- finally {
1071
- priv.dispose();
1072
- }
1073
- }
1074
- catch (error) {
1075
- // Re-throw original error so controller can map it properly
1076
- // Re-throw original error so controller can map it properly
1077
- throw error;
1078
- }
1079
- finally {
1080
- currentPasswordSecure.dispose();
1081
- newPasswordSecure.dispose();
1082
- }
1083
- }, session, {
1084
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
1085
- });
1086
- }
1087
- /**
1088
- * Retrieve an email token by its token string and type
1089
- * @param token - The token string
1090
- * @param type - The type of the email token
1091
- * @param session - The session to use for the query
1092
- * @returns The email token document or null if not found
1093
- */
1094
- async findEmailToken(token, type, session) {
1095
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
1096
- return await EmailTokenModel.findOne({
1097
- token: token.toLowerCase().trim(),
1098
- ...(type ? { type } : {}),
1099
- expiresAt: { $gt: new Date() },
1100
- }).session(session ?? null);
1101
- }
1102
- /**
1103
- * Verify email token is valid
1104
- * @param token - The email token
1105
- * @param session - The session to use for the query
1106
- * @returns void
1107
- */
1108
- async verifyEmailToken(token, type, session) {
1109
- return await this.withTransaction(async (sess) => {
1110
- // Find and validate the token
1111
- const emailToken = await this.findEmailToken(token, type, sess);
1112
- if (!emailToken) {
1113
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
1114
- }
1115
- }, session, {
1116
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
1117
- });
1118
- }
1119
- /**
1120
- * Reset password using email token
1121
- * @param token - The email token
1122
- * @param newPassword - The new password
1123
- * @param session - The session to use for the query
1124
- * @returns void
1125
- */
1126
- async resetPasswordWithToken(token, newPassword, credential, // either mnemonic or current password; required
1127
- session) {
1128
- if (!ecies_lib_1.Constants.PasswordRegex.test(newPassword)) {
1129
- throw new errors_1.InvalidNewPasswordError();
1130
- }
1131
- if (!credential) {
1132
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
1133
- }
1134
- return await this.withTransaction(async (sess) => {
1135
- const EmailTokenModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.EmailToken);
1136
- const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
1137
- // Find and validate the token
1138
- const emailToken = await this.findEmailToken(token, suite_core_lib_1.EmailTokenType.PasswordReset, sess);
1139
- if (!emailToken) {
1140
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
1141
- }
1142
- // Find the user
1143
- const userDoc = await UserModel.findById(emailToken.userId).session(sess ?? null);
1144
- if (!userDoc) {
1145
- throw new suite_core_lib_1.UserNotFoundError();
1146
- }
1147
- // Update password-wrapped secrets based on credential type (Option B)
1148
- const newPasswordSecure = new ecies_lib_1.SecureString(newPassword);
1149
- try {
1150
- if (ecies_lib_1.Constants.MnemonicRegex.test(credential)) {
1151
- // Credential is mnemonic: verify it belongs to this user via public key
1152
- const providedMnemonic = new ecies_lib_1.SecureString(credential);
1153
- try {
1154
- const { wallet } = this.eciesService.walletAndSeedFromMnemonic(providedMnemonic);
1155
- const pub = Buffer.concat([
1156
- Buffer.from([
1157
- this.application.constants.ECIES.PUBLIC_KEY_MAGIC,
1158
- ]),
1159
- wallet.getPublicKey(),
1160
- ]);
1161
- if (pub.toString('hex') !== userDoc.publicKey) {
1162
- throw new suite_core_lib_1.InvalidCredentialsError();
1163
- }
1164
- // Derive private key from mnemonic and wrap it with new password
1165
- const privateKey = wallet.getPrivateKey();
1166
- const priv = new ecies_lib_1.SecureBuffer(privateKey);
1167
- try {
1168
- const wrappedPriv = this.keyWrappingService.wrapSecret(priv, newPasswordSecure);
1169
- userDoc.passwordWrappedPrivateKey = wrappedPriv;
1170
- await userDoc.save({ session: sess });
1171
- }
1172
- finally {
1173
- priv.dispose();
1174
- }
1175
- }
1176
- finally {
1177
- providedMnemonic.dispose();
1178
- }
1179
- }
1180
- else {
1181
- // Credential is current password: unwrap existing master key
1182
- if (!userDoc.passwordWrappedPrivateKey) {
1183
- throw new suite_core_lib_1.InvalidCredentialsError();
1184
- }
1185
- const privateKeyBuf = await this.keyWrappingService.unwrapSecretAsync(userDoc.passwordWrappedPrivateKey, credential);
1186
- try {
1187
- // Re-wrap the existing private key under the new password
1188
- const wrappedPriv = this.keyWrappingService.wrapSecret(privateKeyBuf, newPasswordSecure);
1189
- userDoc.passwordWrappedPrivateKey = wrappedPriv;
1190
- await userDoc.save({ session: sess });
1191
- }
1192
- finally {
1193
- privateKeyBuf.dispose();
1194
- }
1195
- }
1196
- // Delete the used token
1197
- await EmailTokenModel.deleteOne({ _id: emailToken._id }).session(sess ?? null);
1198
- // Dispose temporary master key
1199
- }
1200
- finally {
1201
- newPasswordSecure.dispose();
1202
- }
1203
- }, session, {
1204
- timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
1205
- });
1206
- }
1207
- /**
1208
- * Generate a login challenge for the client to sign
1209
- * @returns The login challenge in hex
1210
- */
1211
- generateDirectLoginChallenge() {
1212
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
1213
- const time = Buffer.alloc(8);
1214
- time.writeBigUInt64BE(BigInt(new Date().getTime()));
1215
- const nonce = (0, crypto_1.randomBytes)(32);
1216
- const signature = adminMember.sign(Buffer.concat([time, nonce]));
1217
- return Buffer.concat([time, nonce, signature]).toString('hex');
1218
- }
1219
- /**
1220
- * Verifies a direct login challenge response
1221
- * @param serverSignedRequest The login challenge response in hex
1222
- * @param session The mongoose session, if provided
1223
- * @returns A promise with the user document and user member object
1224
- */
1225
- async verifyDirectLoginChallenge(serverSignedRequest, signature, username, email, session) {
1226
- return await this.withTransaction(async (sess) => {
1227
- // serverSignedRequest is:
1228
- // time (8) +
1229
- // nonce (32) +
1230
- // server signature (64) +
1231
- // signature (64)
1232
- if (serverSignedRequest.length <
1233
- (8 + 32 + this.application.constants.ECIES.SIGNATURE_SIZE) * 2) {
1234
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1235
- }
1236
- // get signed request into a buffer
1237
- const requestBuffer = Buffer.from(serverSignedRequest, 'hex');
1238
- // start tracking offset
1239
- let offset = 0;
1240
- // get the time
1241
- const time = requestBuffer.subarray(offset, 8);
1242
- offset += 8;
1243
- // get the nonce
1244
- const nonce = requestBuffer.subarray(offset, 40);
1245
- offset += 32;
1246
- // get the server signature
1247
- const serverSignature = requestBuffer.subarray(offset, this.application.constants.ECIES.SIGNATURE_SIZE + 40);
1248
- offset += this.application.constants.ECIES.SIGNATURE_SIZE;
1249
- const signedDataLength = offset;
1250
- if (offset !== requestBuffer.length) {
1251
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1252
- }
1253
- // validate time is within acceptable range
1254
- const timeMs = time.readBigUInt64BE();
1255
- if (new Date().getTime() - Number(timeMs) >
1256
- this.application.constants.LoginChallengeExpiration) {
1257
- throw new suite_core_lib_1.LoginChallengeExpiredError();
1258
- }
1259
- // validate the server's signature on the time + nonce portion
1260
- const adminMember = system_user_1.SystemUserService.getSystemUser(this.application.environment);
1261
- if (!adminMember.verify(serverSignature, Buffer.concat([time, nonce]))) {
1262
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1263
- }
1264
- // locate the user by email or username
1265
- const userDoc = await this.findUser(email, username, sess);
1266
- if (!userDoc) {
1267
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1268
- }
1269
- // get the user's member object
1270
- const user = await this.makeUserFromUserDoc(userDoc, undefined, undefined, undefined, undefined, sess);
1271
- // get the signed portion of the response
1272
- const signedData = requestBuffer.subarray(0, signedDataLength);
1273
- // verify the user's signature on the signed portion
1274
- if (!user.verify(Buffer.from(signature, 'hex'), signedData)) {
1275
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1276
- }
1277
- if (userDoc.directChallenge !== true) {
1278
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1279
- }
1280
- // if the user is valid, try to use the token (prevents replay attacks)
1281
- await direct_login_token_1.DirectLoginTokenService.useToken(this.application, userDoc._id, nonce.toString('hex'));
1282
- // if successful, update lastLogin
1283
- await this.updateLastLogin(userDoc._id);
1284
- // return the user document and member object
1285
- return { userDoc, userMember: user };
1286
- }, session, { timeoutMs: this.application.environment.mongo.transactionTimeout });
1287
- }
1288
- /**
1289
- * Request a login link via email
1290
- * @param email Email address
1291
- * @param username Username
1292
- * @param session Existing session, if any
1293
- * @returns void
1294
- */
1295
- async requestEmailLogin(email, username, session) {
1296
- return this.withTransaction(async (sess) => {
1297
- const userDoc = await this.findUser(email, username, sess);
1298
- if (!userDoc) {
1299
- return;
1300
- }
1301
- await this.createAndSendEmailToken(userDoc, suite_core_lib_1.EmailTokenType.LoginRequest, sess, this.application.environment.debug);
1302
- }, session, {
1303
- timeoutMs: this.application.environment.mongo.transactionTimeout,
1304
- });
1305
- }
1306
- /**
1307
- * Validate an email login token challenge
1308
- * @param token The token to challenge
1309
- * @param signature The signature of the token by the user's private key
1310
- * @param session The session to use for the query
1311
- * @returns The user document if the challenge is valid
1312
- */
1313
- async validateEmailLoginTokenChallenge(token, signature, session) {
1314
- return this.withTransaction(async (sess) => {
1315
- const emailToken = await this.findEmailToken(token, suite_core_lib_1.EmailTokenType.LoginRequest, sess);
1316
- if (!emailToken) {
1317
- throw new suite_core_lib_1.EmailTokenUsedOrInvalidError();
1318
- }
1319
- const userDoc = await this.findUser(emailToken.email, undefined, sess);
1320
- if (!userDoc) {
1321
- throw new suite_core_lib_1.UserNotFoundError();
1322
- }
1323
- const user = await this.makeUserFromUserDoc(userDoc, undefined, undefined, undefined, undefined, sess);
1324
- const result = user.verify(Buffer.from(signature, 'hex'), Buffer.from(token, 'hex'));
1325
- if (!result) {
1326
- throw new suite_core_lib_1.InvalidChallengeResponseError();
1327
- }
1328
- await emailToken.deleteOne({ session: sess ?? null });
1329
- await this.updateLastLogin(userDoc._id);
1330
- return userDoc;
1331
- }, session, {
1332
- timeoutMs: this.application.environment.mongo.transactionTimeout,
1333
- });
1334
- }
1335
- /**
1336
- * Updates the user's last login time atomically
1337
- * @param userId - The ID of the user
1338
- * @returns void
1339
- */
1340
- async updateLastLogin(userId) {
1341
- const UserModel = model_registry_1.ModelRegistry.instance.get('User')?.model;
1342
- try {
1343
- // Check if the database connection is still open
1344
- const connection = this.application.db.connection;
1345
- if (connection.readyState !== 1) {
1346
- // Connection is not open (0 = disconnected, 1 = connected, 2 = connecting, 3 = disconnecting)
1347
- return; // Silently return if connection is not available
1348
- }
1349
- // Use atomic update to avoid conflicts and ensure we only update lastLogin
1350
- // Use a separate session to avoid interfering with any ongoing transactions
1351
- await UserModel.updateOne({ _id: userId }, {
1352
- $set: { lastLogin: new Date() },
1353
- $setOnInsert: {}, // Prevent any unintended document creation
1354
- }, {
1355
- upsert: false, // Never create a new document
1356
- runValidators: false, // Skip validation for performance since we're only updating lastLogin
1357
- // Don't use any session to avoid transaction conflicts
1358
- });
1359
- }
1360
- catch (error) {
1361
- // Check if the error is due to client being closed
1362
- if (error instanceof Error &&
1363
- (error.message.includes('client was closed') ||
1364
- error.message.includes('MongoClientClosedError') ||
1365
- error.name === 'MongoClientClosedError')) {
1366
- // This is expected during shutdown, don't log it as an error
1367
- return;
1368
- }
1369
- // If this fails, it's not critical for login functionality. Ignore and move on.
1370
- }
1371
- }
1372
- }
1373
- exports.UserService = UserService;
1374
- //# sourceMappingURL=user.js.map