@flowerforce/flowerbase 1.2.0 → 1.2.1-beta.11

package/src/auth/plugins/jwt.test.ts

@@ -0,0 +1,93 @@
+jest.mock('node:diagnostics_channel', () => {
+  const createChannel = () => ({
+    publish: jest.fn(),
+    subscribe: jest.fn()
+  })
+  return {
+    channel: jest.fn(createChannel),
+    tracingChannel: () => ({
+      asyncStart: createChannel(),
+      asyncEnd: createChannel(),
+      error: createChannel()
+    })
+  }
+})
+
+import fastify, { FastifyInstance, FastifyReply } from 'fastify'
+import jwtAuthPlugin from './jwt'
+import { ObjectId } from 'bson'
+
+const SECRET = 'test-secret'
+
+const createAccessRequest = (payload: { typ: 'access'; sub: string; iat: number }) => {
+  const request: Record<string, unknown> = {}
+  request.jwtVerify = jest.fn(async () => {
+    request.user = payload
+  })
+  return request
+}
+
+describe('jwtAuthentication', () => {
+  let app: FastifyInstance
+
+  beforeEach(async () => {
+    app = fastify()
+    await app.register(jwtAuthPlugin, { secret: SECRET })
+    await app.ready()
+  })
+
+  afterEach(async () => {
+    await app.close()
+  })
+
+  const setupMongo = (userPayload: { _id: ObjectId; lastLogoutAt?: Date }) => {
+    const findOneMock = jest.fn().mockResolvedValue(userPayload)
+    const collectionMock = { findOne: findOneMock }
+    const dbMock = { collection: jest.fn().mockReturnValue(collectionMock) }
+    const mongoMock = { client: { db: jest.fn().mockReturnValue(dbMock) } }
+    ;(app as any).mongo = mongoMock
+  }
+
+  const createReply = () => {
+    return {
+      code: jest.fn().mockReturnThis(),
+      send: jest.fn()
+    } as unknown as FastifyReply
+  }
+
+  it('allows access tokens issued after the last logout', async () => {
+    const userId = new ObjectId()
+    const nowSeconds = Math.floor(Date.now() / 1000)
+    setupMongo({ _id: userId, lastLogoutAt: new Date((nowSeconds - 30) * 1000) })
+
+    const request = createAccessRequest({
+      typ: 'access',
+      sub: userId.toHexString(),
+      iat: nowSeconds
+    })
+    const reply = createReply()
+
+    await app.jwtAuthentication(request as any, reply)
+
+    expect(reply.code).not.toHaveBeenCalled()
+    expect(reply.send).not.toHaveBeenCalled()
+  })
+
+  it('rejects access tokens issued before the last logout', async () => {
+    const userId = new ObjectId()
+    const nowSeconds = Math.floor(Date.now() / 1000)
+    setupMongo({ _id: userId, lastLogoutAt: new Date((nowSeconds + 30) * 1000) })
+
+    const request = createAccessRequest({
+      typ: 'access',
+      sub: userId.toHexString(),
+      iat: nowSeconds
+    })
+    const reply = createReply()
+
+    await app.jwtAuthentication(request as any, reply)
+
+    expect(reply.code).toHaveBeenCalledWith(401)
+    expect(reply.send).toHaveBeenCalledWith({ message: 'Unauthorized' })
+  })
+})

package/src/auth/plugins/jwt.ts

@@ -1,11 +1,18 @@
 import fastifyJwt from '@fastify/jwt'
 import fp from 'fastify-plugin'
 import { Document, ObjectId, WithId } from 'mongodb'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../constants'
 
 type Options = {
   secret: string
 }
 
+type JwtAccessWithTimestamp = {
+  typ: 'access'
+  sub: string
+  iat?: number
+}
+
 /**
  * This module is a Fastify plugin that sets up JWT-based authentication and token creation.
  * It registers JWT authentication, and provides methods to create access and refresh tokens.
@@ -25,8 +32,60 @@ export default fp(async function (fastify, opts: Options) {
     try {
       await request.jwtVerify()
     } catch (err) {
-      // TODO: handle error
-      reply.send(err)
+      fastify.log.warn({ err }, 'JWT authentication failed')
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    if (request.user?.typ !== 'access') {
+      return
+    }
+
+    const db = fastify.mongo?.client?.db(DB_NAME)
+    if (!db) {
+      fastify.log.warn('Mongo client unavailable while checking logout state')
+      return
+    }
+
+    if (!request.user.sub) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    let authUser
+    try {
+      authUser = await db
+        .collection<Document>(AUTH_CONFIG.authCollection)
+        .findOne({ _id: new ObjectId(request.user.sub) })
+    } catch (err) {
+      fastify.log.warn({ err }, 'Failed to lookup user during JWT authentication')
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    if (!authUser) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    const lastLogoutAt = authUser.lastLogoutAt ? new Date(authUser.lastLogoutAt) : null
+    const accessUser = request.user as JwtAccessWithTimestamp
+    const rawIssuedAt = accessUser.iat
+    const issuedAt =
+      typeof rawIssuedAt === 'number'
+        ? rawIssuedAt
+        : typeof rawIssuedAt === 'string'
+          ? Number(rawIssuedAt)
+          : undefined
+    if (
+      lastLogoutAt &&
+      !Number.isNaN(lastLogoutAt.getTime()) &&
+      typeof issuedAt === 'number' &&
+      !Number.isNaN(issuedAt) &&
+      lastLogoutAt.getTime() >= issuedAt * 1000
+    ) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
     }
   })
 
@@ -66,7 +125,7 @@ export default fp(async function (fastify, opts: Options) {
       },
       {
         sub: user._id.toJSON(),
-        expiresIn: '60d'
+        expiresIn: `${DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS}d`
       }
     )
   })

package/src/auth/providers/custom-function/controller.ts

@@ -1,9 +1,10 @@
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG } from '../../../constants'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
 import handleUserRegistration from '../../../shared/handleUserRegistration'
 import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
+import { hashToken } from '../../../utils/crypto'
 import {
   AUTH_ENDPOINTS,
   generatePassword,
@@ -22,6 +23,9 @@ export async function customFunctionController(app: FastifyInstance) {
 
   const functionsList = StateManager.select('functions')
   const services = StateManager.select('services')
+  const db = app.mongo.client.db(DB_NAME)
+  const { refreshTokensCollection } = AUTH_CONFIG
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
 
   /**
    * Endpoint for user login.
@@ -53,6 +57,7 @@ export async function customFunctionController(app: FastifyInstance) {
         id
       } = req
 
+      type CustomFunctionAuthResult = { id?: string }
       const res = await GenerateContext({
         args: [
           req.body
@@ -72,23 +77,35 @@ export async function customFunctionController(app: FastifyInstance) {
           ip,
           id
         }
-      })
+      }) as CustomFunctionAuthResult
 
 
       if (res.id) {
         const user = await handleUserRegistration(app, { run_as_system: true, skipUserCheck: true, provider: PROVIDER.CUSTOM_FUNCTION })({ email: res.id, password: generatePassword() })
+        if (!user?.insertedId) {
+          throw new Error('Failed to register custom user')
+        }
 
         const currentUserData = {
           _id: user.insertedId,
           user_data: {
-            _id: user.insertedId,
+            _id: user.insertedId
           }
         }
+        const refreshToken = this.createRefreshToken(currentUserData)
+        const refreshTokenHash = hashToken(refreshToken)
+        await db.collection(refreshTokensCollection).insertOne({
+          userId: user.insertedId,
+          tokenHash: refreshTokenHash,
+          createdAt: new Date(),
+          expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+          revokedAt: null
+        })
         return {
           access_token: this.createAccessToken(currentUserData),
-          refresh_token: this.createRefreshToken(currentUserData),
+          refresh_token: refreshToken,
           device_id: '',
-          user_id: user.insertedId.toString(),
+          user_id: user.insertedId.toString()
         }
       }
 

package/src/auth/providers/local-userpass/controller.ts

@@ -1,42 +1,119 @@
-import sendGrid from '@sendgrid/mail'
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG, DB_NAME } from '../../../constants'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
 import { services } from '../../../services'
 import handleUserRegistration from '../../../shared/handleUserRegistration'
 import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
-import { comparePassword, generateToken, hashPassword } from '../../../utils/crypto'
+import { comparePassword, generateToken, hashPassword, hashToken } from '../../../utils/crypto'
 import {
   AUTH_ENDPOINTS,
   AUTH_ERRORS,
   CONFIRM_RESET_SCHEMA,
-  getMailConfig,
   LOGIN_SCHEMA,
   REGISTRATION_SCHEMA,
-  RESET_SCHEMA
+  RESET_CALL_SCHEMA,
+  RESET_SEND_SCHEMA
 } from '../../utils'
 import {
   ConfirmResetPasswordDto,
   LoginDto,
   RegistrationDto,
-  ResetPasswordDto
+  ResetPasswordCallDto,
+  ResetPasswordSendDto
 } from './dtos'
+
+const rateLimitStore = new Map<string, number[]>()
+
+const isRateLimited = (key: string, maxAttempts: number, windowMs: number) => {
+  const now = Date.now()
+  const existing = rateLimitStore.get(key) ?? []
+  const recent = existing.filter((timestamp) => now - timestamp < windowMs)
+  recent.push(now)
+  rateLimitStore.set(key, recent)
+  return recent.length > maxAttempts
+}
 /**
  * Controller for handling local user registration and login.
  * @testable
  * @param {FastifyInstance} app - The Fastify instance.
  */
 export async function localUserPassController(app: FastifyInstance) {
-  const functionsList = StateManager.select('functions')
-
-  const {
-    authCollection,
-    userCollection,
-    user_id_field,
-    on_user_creation_function_name
-  } = AUTH_CONFIG
+  const { authCollection, userCollection, user_id_field } = AUTH_CONFIG
+  const { resetPasswordCollection } = AUTH_CONFIG
+  const { refreshTokensCollection } = AUTH_CONFIG
   const db = app.mongo.client.db(DB_NAME)
+  const resetPasswordTtlSeconds = DEFAULT_CONFIG.RESET_PASSWORD_TTL_SECONDS
+  const rateLimitWindowMs = DEFAULT_CONFIG.AUTH_RATE_LIMIT_WINDOW_MS
+  const loginMaxAttempts = DEFAULT_CONFIG.AUTH_LOGIN_MAX_ATTEMPTS
+  const resetMaxAttempts = DEFAULT_CONFIG.AUTH_RESET_MAX_ATTEMPTS
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
+
+  try {
+    await db.collection(resetPasswordCollection).createIndex(
+      { createdAt: 1 },
+      { expireAfterSeconds: resetPasswordTtlSeconds }
+    )
+  } catch (error) {
+    console.error('Failed to ensure reset password TTL index', error)
+  }
+
+  try {
+    await db.collection(refreshTokensCollection).createIndex(
+      { expiresAt: 1 },
+      { expireAfterSeconds: 0 }
+    )
+  } catch (error) {
+    console.error('Failed to ensure refresh token TTL index', error)
+  }
+  const handleResetPasswordRequest = async (
+    email: string,
+    password?: string,
+    extraArguments?: unknown[]
+  ) => {
+    const { resetPasswordConfig } = AUTH_CONFIG
+    const authUser = await db.collection(authCollection!).findOne({
+      email
+    })
+
+    if (!authUser) {
+      return
+    }
+
+    const token = generateToken()
+    const tokenId = generateToken()
+
+    await db
+      ?.collection(resetPasswordCollection)
+      .updateOne(
+        { email },
+        { $set: { token, tokenId, email, createdAt: new Date() } },
+        { upsert: true }
+      )
+
+    if (!resetPasswordConfig.runResetFunction && !resetPasswordConfig.resetFunctionName) {
+      throw new Error(AUTH_ERRORS.MISSING_RESET_FUNCTION)
+    }
+
+    if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
+      const functionsList = StateManager.select('functions')
+      const services = StateManager.select('services')
+      const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
+      const baseArgs = { token, tokenId, email, password, username: email }
+      const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs]
+      await GenerateContext({
+        args,
+        app,
+        rules: {},
+        user: {},
+        currentFunction,
+        functionsList,
+        services
+      })
+      return
+    }
+
+  }
 
   /**
    * Endpoint for user registration.
@@ -55,8 +132,13 @@ export async function localUserPassController(app: FastifyInstance) {
 
       const result = await handleUserRegistration(app, { run_as_system: true, provider: PROVIDER.LOCAL_USERPASS })({ email: req.body.email.toLowerCase(), password: req.body.password })
 
+      if (!result?.insertedId) {
+        res?.status(500)
+        throw new Error('Failed to register user')
+      }
+
       res?.status(201)
-      return { userId: result?.insertedId.toString() }
+      return { userId: result.insertedId.toString() }
     }
   )
 
@@ -72,7 +154,12 @@ export async function localUserPassController(app: FastifyInstance) {
     {
       schema: LOGIN_SCHEMA
     },
-    async function (req) {
+    async function (req, res) {
+      const key = `login:${req.ip}`
+      if (isRateLimited(key, loginMaxAttempts, rateLimitWindowMs)) {
+        res.status(429).send({ message: 'Too many requests' })
+        return
+      }
       const authUser = await db.collection(authCollection!).findOne({
         email: req.body.username
       })
@@ -98,7 +185,12 @@ export async function localUserPassController(app: FastifyInstance) {
           : {}
       delete authUser?.password
 
-      const userWithCustomData = { ...authUser, user_data: user, id: authUser._id.toString() }
+      const userWithCustomData = {
+        ...authUser,
+        user_data: { ...(user || {}), _id: authUser._id },
+        data: { email: authUser.email },
+        id: authUser._id.toString()
+      }
 
       if (authUser && authUser.status === 'pending') {
         try {
@@ -115,37 +207,19 @@ export async function localUserPassController(app: FastifyInstance) {
         }
       }
 
-      if (
-        authUser &&
-        authUser.status === 'pending' &&
-        on_user_creation_function_name &&
-        functionsList[on_user_creation_function_name]
-      ) {
-        try {
-          await GenerateContext({
-            args: [
-              {
-                operationType: 'CREATE',
-                providers: 'local-userpass',
-                user: userWithCustomData,
-                time: new Date().getTime()
-              }
-            ],
-            app,
-            rules: {},
-            user: userWithCustomData,
-            currentFunction: functionsList[on_user_creation_function_name],
-            functionsList,
-            services
-          })
-        } catch (error) {
-          console.log('localUserPassController - /login - GenerateContext - CATCH:', error)
-        }
-      }
+      const refreshToken = this.createRefreshToken(userWithCustomData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId: authUser._id,
+        tokenHash: refreshTokenHash,
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
 
       return {
         access_token: this.createAccessToken(userWithCustomData),
-        refresh_token: this.createRefreshToken(userWithCustomData),
+        refresh_token: refreshToken,
         device_id: '',
         user_id: authUser._id.toString()
       }
@@ -155,65 +229,49 @@ export async function localUserPassController(app: FastifyInstance) {
   /**
    * Endpoint for reset password.
    *
-   * @route {POST} /reset/call
+   * @route {POST} /reset/send
    * @param {ResetPasswordDto} req - The request object with th reset request.
    * @returns {Promise<void>}
    */
-  app.post<ResetPasswordDto>(
+  app.post<ResetPasswordSendDto>(
     AUTH_ENDPOINTS.RESET,
     {
-      schema: RESET_SCHEMA
+      schema: RESET_SEND_SCHEMA
     },
-    async function (req) {
-      const { resetPasswordCollection, resetPasswordConfig } = AUTH_CONFIG
-      const email = req.body.email
-      const authUser = await db.collection(authCollection!).findOne({
-        email
-      })
-
-      if (!authUser) {
-        throw new Error(AUTH_ERRORS.INVALID_CREDENTIALS)
+    async function (req, res) {
+      const key = `reset:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
       }
-
-      const token = generateToken()
-      const tokenId = generateToken()
-
-      await db
-        ?.collection(resetPasswordCollection)
-        .updateOne(
-          { email },
-          { $set: { token, tokenId, email, createdAt: new Date() } },
-          { upsert: true }
-        )
-
-      if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
-        const functionsList = StateManager.select('functions')
-        const services = StateManager.select('services')
-        const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
-        await GenerateContext({
-          args: [{ token, tokenId, email }],
-          app,
-          rules: {},
-          user: {},
-          currentFunction,
-          functionsList,
-          services
-        })
-        return
+      await handleResetPasswordRequest(req.body.email)
+      res.status(202)
+      return {
+        status: 'ok'
       }
+    }
+  )
 
-      const { from, subject, mailToken, body } = getMailConfig(
-        resetPasswordConfig,
-        token,
-        tokenId
+  app.post<ResetPasswordCallDto>(
+    AUTH_ENDPOINTS.RESET_CALL,
+    {
+      schema: RESET_CALL_SCHEMA
+    },
+    async function (req, res) {
+      const key = `reset:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
+      }
+      await handleResetPasswordRequest(
+        req.body.email,
+        req.body.password,
+        req.body.arguments
       )
-      sendGrid.setApiKey(mailToken)
-      await sendGrid.send({
-        to: email,
-        from,
-        subject,
-        html: body
-      })
+      res.status(202)
+      return {
+        status: 'ok'
+      }
     }
   )
 
@@ -229,8 +287,12 @@ export async function localUserPassController(app: FastifyInstance) {
     {
       schema: CONFIRM_RESET_SCHEMA
     },
-    async function (req) {
-      const { resetPasswordCollection } = AUTH_CONFIG
+    async function (req, res) {
+      const key = `reset-confirm:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
+      }
       const { token, tokenId, password } = req.body
 
       const resetRequest = await db
@@ -240,6 +302,16 @@ export async function localUserPassController(app: FastifyInstance) {
       if (!resetRequest) {
         throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
       }
+
+      const createdAt = resetRequest.createdAt ? new Date(resetRequest.createdAt) : null
+      const isExpired = !createdAt ||
+        Number.isNaN(createdAt.getTime()) ||
+        Date.now() - createdAt.getTime() > resetPasswordTtlSeconds * 1000
+
+      if (isExpired) {
+        await db?.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id })
+        throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
+      }
       const hashedPassword = await hashPassword(password)
       await db.collection(authCollection!).updateOne(
         { email: resetRequest.email },

package/src/auth/providers/local-userpass/dtos.ts

@@ -15,19 +15,30 @@ export type LoginSuccessDto = {
   user_id: string
 }
 
+export type ErrorResponseDto = {
+  message: string
+}
+
 export interface RegistrationDto {
   Body: RegisterUserDto
 }
 
 export interface LoginDto {
   Body: LoginUserDto
-  Reply: LoginSuccessDto
+  Reply: LoginSuccessDto | ErrorResponseDto
+}
+
+export interface ResetPasswordSendDto {
+  Body: {
+    email: string
+  }
 }
 
-export interface ResetPasswordDto {
+export interface ResetPasswordCallDto {
   Body: {
     email: string
     password: string
+    arguments?: unknown[]
   }
 }