@flowerforce/flowerbase 1.2.1-beta.2 → 1.2.1-beta.20

package/README.md

@@ -96,6 +96,13 @@ Ensure the following environment variables are set in your .env file or deployme
 | `APP_SECRET`           | Secret used to sign and verify JWT tokens (choose a strong secret).         | `supersecretkey123!`                               |
 | `HOST`                 | The host address the server binds to (usually `0.0.0.0` for public access). | `0.0.0.0`                                          |
 | `HTTPS_SCHEMA`         | The schema for your server requests (usually `https` or `http`).            | `http`                                             |
+| `RESET_PASSWORD_TTL_SECONDS` | Time-to-live for password reset tokens (in seconds).                  | `3600`                                             |
+| `AUTH_RATE_LIMIT_WINDOW_MS`  | Rate limit window for auth endpoints (in ms).                          | `900000`                                           |
+| `AUTH_LOGIN_MAX_ATTEMPTS`    | Max login attempts per window.                                         | `10`                                               |
+| `AUTH_RESET_MAX_ATTEMPTS`    | Max reset requests per window.                                         | `5`                                                |
+| `REFRESH_TOKEN_TTL_DAYS`     | Refresh token time-to-live (in days).                                  | `60`                                               |
+| `SWAGGER_UI_USER`      | Basic Auth username for Swagger UI (optional).                            | `admin`                                            |
+| `SWAGGER_UI_PASSWORD`  | Basic Auth password for Swagger UI (optional).                            | `change-me`                                        |
 
 
 Example:
@@ -106,6 +113,13 @@ DB_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/dbname
 APP_SECRET=your-jwt-secret
 HOST=0.0.0.0
 HTTPS_SCHEMA=http
+RESET_PASSWORD_TTL_SECONDS=3600
+AUTH_RATE_LIMIT_WINDOW_MS=900000
+AUTH_LOGIN_MAX_ATTEMPTS=10
+AUTH_RESET_MAX_ATTEMPTS=5
+REFRESH_TOKEN_TTL_DAYS=60
+SWAGGER_UI_USER=admin
+SWAGGER_UI_PASSWORD=change-me
 ```
 
 🛡️ Note: Never commit .env files to source control. Use a .gitignore file to exclude it.
@@ -215,11 +229,12 @@ However, all users will be required to reset their passwords since it is not pos
 
 ### ✅ Supported Auth Method
 
-The only authentication mode currently re-implemented in `@flowerforce/flowerbase` is:
+The authentication modes currently re-implemented in `@flowerforce/flowerbase` are:
 
 - Local Email/Password (local-userpass)
+- Anonymous (anon-user)
 
-> Other methods (OAuth, API key, anonymous, etc.) are not supported yet.
+> Other methods (OAuth, API key, etc.) are not supported yet.
 
 ####  Example user:
 ```js
@@ -256,13 +271,18 @@ Example
         "name": "local-userpass",
         "type": "local-userpass",
         "disabled": false,
-        "auth_collection": "my-users-collection" //custom collection name
+        "auth_collection": "my-users-collection", //custom collection name
         "config": {
             "autoConfirm": true,
             "resetPasswordSubject": "reset",
             "resetPasswordUrl": "https://my.app.url/password-reset",
             "runConfirmationFunction": false
         }
+    },
+    "anon-user": {
+        "name": "anon-user",
+        "type": "anon-user",
+        "disabled": false
     }
 }
 
@@ -406,6 +426,13 @@ Ensure the following environment variables are set in your .env file or deployme
 | `APP_SECRET`           | Secret used to sign and verify JWT tokens (choose a strong secret).         | `supersecretkey123!`                               |
 | `HOST`                 | The host address the server binds to (usually `0.0.0.0` for public access). | `0.0.0.0`                                          |
 | `HTTPS_SCHEMA`         | The schema for your server requests (usually `https` or `http`).            | `http`                                             |
+| `RESET_PASSWORD_TTL_SECONDS` | Time-to-live for password reset tokens (in seconds).                  | `3600`                                             |
+| `AUTH_RATE_LIMIT_WINDOW_MS`  | Rate limit window for auth endpoints (in ms).                          | `900000`                                           |
+| `AUTH_LOGIN_MAX_ATTEMPTS`    | Max login attempts per window.                                         | `10`                                               |
+| `AUTH_RESET_MAX_ATTEMPTS`    | Max reset requests per window.                                         | `5`                                                |
+| `REFRESH_TOKEN_TTL_DAYS`     | Refresh token time-to-live (in days).                                  | `60`                                               |
+| `SWAGGER_UI_USER`      | Basic Auth username for Swagger UI (optional).                            | `admin`                                            |
+| `SWAGGER_UI_PASSWORD`  | Basic Auth password for Swagger UI (optional).                            | `change-me`                                        |
 
 
 Example:
@@ -416,6 +443,13 @@ DB_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/dbname
 APP_SECRET=your-jwt-secret
 HOST=0.0.0.0
 HTTPS_SCHEMA=http
+RESET_PASSWORD_TTL_SECONDS=3600
+AUTH_RATE_LIMIT_WINDOW_MS=900000
+AUTH_LOGIN_MAX_ATTEMPTS=10
+AUTH_RESET_MAX_ATTEMPTS=5
+REFRESH_TOKEN_TTL_DAYS=60
+SWAGGER_UI_USER=admin
+SWAGGER_UI_PASSWORD=change-me
 ```
 
 🛡️ Note: Never commit .env files to source control. Use a .gitignore file to exclude it.
@@ -472,6 +506,3 @@ export default app;
 
 >🔗 The baseUrl should point to the backend URL you deployed earlier using Flowerbase.
 This tells the frontend SDK where to send authentication and data requests.
-
-
-

package/dist/auth/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA8ExD"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAQzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA+IxD"}

package/dist/auth/controller.js

@@ -12,6 +12,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authController = authController;
 const bson_1 = require("bson");
 const constants_1 = require("../constants");
+const crypto_1 = require("../utils/crypto");
 const utils_1 = require("./utils");
 const HANDLER_TYPE = 'preHandler';
 /**
@@ -21,8 +22,15 @@ const HANDLER_TYPE = 'preHandler';
  */
 function authController(app) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { authCollection, userCollection } = constants_1.AUTH_CONFIG;
+        const { authCollection, userCollection, refreshTokensCollection } = constants_1.AUTH_CONFIG;
         const db = app.mongo.client.db(constants_1.DB_NAME);
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
+        try {
+            yield db.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+        }
+        catch (error) {
+            console.error('Failed to ensure refresh token TTL index', error);
+        }
         app.addHook(HANDLER_TYPE, app.jwtAuthentication);
         /**
          * Endpoint to retrieve the authenticated user's profile.
@@ -64,6 +72,20 @@ function authController(app) {
                 if (req.user.typ !== 'refresh') {
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
                 }
+                const authHeader = req.headers.authorization;
+                if (!(authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer '))) {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
+                }
+                const refreshToken = authHeader.slice('Bearer '.length).trim();
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                const storedToken = yield db.collection(refreshTokensCollection).findOne({
+                    tokenHash: refreshTokenHash,
+                    revokedAt: null,
+                    expiresAt: { $gt: new Date() }
+                });
+                if (!storedToken) {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
+                }
                 const auth_user = yield (db === null || db === void 0 ? void 0 : db.collection(authCollection).findOne({ _id: new this.mongo.ObjectId(req.user.sub) }));
                 if (!auth_user) {
                     throw new Error(`User with ID ${req.user.sub} not found`);
@@ -73,16 +95,45 @@ function authController(app) {
                     : {};
                 res.status(201);
                 return {
-                    access_token: this.createAccessToken(Object.assign(Object.assign({}, auth_user), { user_data: user }))
+                    access_token: this.createAccessToken(Object.assign(Object.assign({}, auth_user), { user_data: Object.assign(Object.assign({}, user), { id: req.user.sub }) }))
                 };
             });
         });
         /**
            * Endpoint to destroy the existing session.
            */
-        app.delete(utils_1.AUTH_ENDPOINTS.SESSION, function () {
+        app.delete(utils_1.AUTH_ENDPOINTS.SESSION, function (req, res) {
             return __awaiter(this, void 0, void 0, function* () {
-                return { status: "ok" };
+                var _a, _b;
+                const authHeader = req.headers.authorization;
+                if (!(authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer '))) {
+                    res.status(204);
+                    return;
+                }
+                const refreshToken = authHeader.slice('Bearer '.length).trim();
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                const now = new Date();
+                const expiresAt = new Date(Date.now() + refreshTokenTtlMs);
+                const updateResult = yield db.collection(refreshTokensCollection).findOneAndUpdate({ tokenHash: refreshTokenHash }, {
+                    $set: {
+                        revokedAt: now,
+                        expiresAt
+                    }
+                }, { returnDocument: 'after' });
+                const fromToken = (_a = req.user) === null || _a === void 0 ? void 0 : _a.sub;
+                let userId = (_b = updateResult === null || updateResult === void 0 ? void 0 : updateResult.value) === null || _b === void 0 ? void 0 : _b.userId;
+                if (!userId && fromToken) {
+                    try {
+                        userId = new bson_1.ObjectId(fromToken);
+                    }
+                    catch (_c) {
+                        userId = fromToken;
+                    }
+                }
+                if (userId && authCollection) {
+                    yield db.collection(authCollection).updateOne({ _id: userId }, { $set: { lastLogoutAt: now } });
+                }
+                return { status: 'ok' };
             });
         });
     });

package/dist/auth/plugins/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/auth/plugins/jwt.ts"],"names":[],"mappings":"AAIA,KAAK,OAAO,GAAG;IACb,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAED;;;;;;;GAOG;iUAC8C,OAAO;AAAxD,wBAwDE"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/auth/plugins/jwt.ts"],"names":[],"mappings":"AAKA,KAAK,OAAO,GAAG;IACb,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAQD;;;;;;;GAOG;iUAC8C,OAAO;AAAxD,wBA4GE"}

package/dist/auth/plugins/jwt.js

@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const jwt_1 = __importDefault(require("@fastify/jwt"));
 const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
 const mongodb_1 = require("mongodb");
+const constants_1 = require("../../constants");
 /**
  * This module is a Fastify plugin that sets up JWT-based authentication and token creation.
  * It registers JWT authentication, and provides methods to create access and refresh tokens.
@@ -31,19 +32,64 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
         });
         fastify.decorate('jwtAuthentication', function (request, reply) {
             return __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
                 try {
                     yield request.jwtVerify();
                 }
                 catch (err) {
-                    // TODO: handle error
-                    reply.send(err);
+                    fastify.log.warn({ err }, 'JWT authentication failed');
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                if (((_a = request.user) === null || _a === void 0 ? void 0 : _a.typ) !== 'access') {
+                    return;
+                }
+                const db = (_c = (_b = fastify.mongo) === null || _b === void 0 ? void 0 : _b.client) === null || _c === void 0 ? void 0 : _c.db(constants_1.DB_NAME);
+                if (!db) {
+                    fastify.log.warn('Mongo client unavailable while checking logout state');
+                    return;
+                }
+                if (!request.user.sub) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                let authUser;
+                try {
+                    authUser = yield db
+                        .collection(constants_1.AUTH_CONFIG.authCollection)
+                        .findOne({ _id: new mongodb_1.ObjectId(request.user.sub) });
+                }
+                catch (err) {
+                    fastify.log.warn({ err }, 'Failed to lookup user during JWT authentication');
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                if (!authUser) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                const lastLogoutAt = authUser.lastLogoutAt ? new Date(authUser.lastLogoutAt) : null;
+                const accessUser = request.user;
+                const rawIssuedAt = accessUser.iat;
+                const issuedAt = typeof rawIssuedAt === 'number'
+                    ? rawIssuedAt
+                    : typeof rawIssuedAt === 'string'
+                        ? Number(rawIssuedAt)
+                        : undefined;
+                if (lastLogoutAt &&
+                    !Number.isNaN(lastLogoutAt.getTime()) &&
+                    typeof issuedAt === 'number' &&
+                    !Number.isNaN(issuedAt) &&
+                    lastLogoutAt.getTime() >= issuedAt * 1000) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
                 }
             });
         });
         fastify.decorate('createAccessToken', function (user) {
             const id = user._id.toString();
-            const userDataId = user.user_data._id.toString();
-            const user_data = Object.assign({ _id: userDataId, id: userDataId, email: user.email }, user.user_data);
+            // const userDataId = user.user_data._id.toString()
+            const user_data = Object.assign(Object.assign({}, user.user_data), { _id: id, id: id, email: user.email });
             return this.jwt.sign({
                 typ: 'access',
                 id,
@@ -53,7 +99,7 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
             }, {
                 iss: BAAS_ID,
                 jti: BAAS_ID,
-                sub: user._id.toJSON(),
+                sub: id,
                 expiresIn: '300m'
             });
         });
@@ -63,7 +109,7 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
                 baas_id: BAAS_ID
             }, {
                 sub: user._id.toJSON(),
-                expiresIn: '60d'
+                expiresIn: `${constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS}d`
             });
         });
     });

package/dist/auth/providers/anon-user/controller.d.ts

@@ -0,0 +1,8 @@
+import { FastifyInstance } from 'fastify';
+/**
+ * Controller for handling anonymous user login.
+ * @testable
+ * @param {FastifyInstance} app - The Fastify instance.
+ */
+export declare function anonUserController(app: FastifyInstance): Promise<void>;
+//# sourceMappingURL=controller.d.ts.map

package/dist/auth/providers/anon-user/controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/anon-user/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,eAAe,iBA8E5D"}

package/dist/auth/providers/anon-user/controller.js

@@ -0,0 +1,90 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.anonUserController = anonUserController;
+const constants_1 = require("../../../constants");
+const crypto_1 = require("../../../utils/crypto");
+const handleUserRegistration_model_1 = require("../../../shared/models/handleUserRegistration.model");
+const utils_1 = require("../../utils");
+/**
+ * Controller for handling anonymous user login.
+ * @testable
+ * @param {FastifyInstance} app - The Fastify instance.
+ */
+function anonUserController(app) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const { authCollection, refreshTokensCollection, providers } = constants_1.AUTH_CONFIG;
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
+        const anonUserTtlSeconds = constants_1.DEFAULT_CONFIG.ANON_USER_TTL_SECONDS;
+        try {
+            yield db.collection(authCollection).createIndex({ createdAt: 1 }, {
+                expireAfterSeconds: anonUserTtlSeconds,
+                partialFilterExpression: { 'identities.provider_type': handleUserRegistration_model_1.PROVIDER.ANON_USER }
+            });
+        }
+        catch (error) {
+            console.error('Failed to ensure anonymous user TTL index', error);
+        }
+        app.post(utils_1.AUTH_ENDPOINTS.LOGIN, function () {
+            return __awaiter(this, void 0, void 0, function* () {
+                const anonProvider = providers === null || providers === void 0 ? void 0 : providers['anon-user'];
+                if (anonProvider === null || anonProvider === void 0 ? void 0 : anonProvider.disabled) {
+                    throw new Error('Anonymous authentication disabled');
+                }
+                const now = new Date();
+                const insertResult = yield db.collection(authCollection).insertOne({
+                    status: 'confirmed',
+                    createdAt: now,
+                    custom_data: {},
+                    identities: [
+                        {
+                            provider_type: handleUserRegistration_model_1.PROVIDER.ANON_USER,
+                            provider_data: {}
+                        }
+                    ]
+                });
+                const userId = insertResult.insertedId;
+                yield db.collection(authCollection).updateOne({ _id: userId }, {
+                    $set: {
+                        identities: [
+                            {
+                                id: userId.toString(),
+                                provider_id: userId.toString(),
+                                provider_type: handleUserRegistration_model_1.PROVIDER.ANON_USER,
+                                provider_data: {}
+                            }
+                        ]
+                    }
+                });
+                const currentUserData = {
+                    _id: userId,
+                    user_data: {}
+                };
+                const refreshToken = this.createRefreshToken(currentUserData);
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                yield db.collection(refreshTokensCollection).insertOne({
+                    userId,
+                    tokenHash: refreshTokenHash,
+                    createdAt: now,
+                    expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+                    revokedAt: null
+                });
+                return {
+                    access_token: this.createAccessToken(currentUserData),
+                    refresh_token: refreshToken,
+                    device_id: '',
+                    user_id: userId.toString()
+                };
+            });
+        });
+    });
+}

package/dist/auth/providers/anon-user/dtos.d.ts

@@ -0,0 +1,10 @@
+export type LoginSuccessDto = {
+    access_token: string;
+    device_id: string;
+    refresh_token: string;
+    user_id: string;
+};
+export interface LoginDto {
+    Reply: LoginSuccessDto;
+}
+//# sourceMappingURL=dtos.d.ts.map

package/dist/auth/providers/anon-user/dtos.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/anon-user/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,eAAe,CAAA;CACvB"}

package/dist/auth/providers/anon-user/dtos.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/auth/providers/custom-function/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAezC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBAiFlE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AASzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBAgGlE"}

package/dist/auth/providers/custom-function/controller.js

@@ -8,16 +8,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.customFunctionController = customFunctionController;
 const constants_1 = require("../../../constants");
-const handleUserRegistration_1 = __importDefault(require("../../../shared/handleUserRegistration"));
-const handleUserRegistration_model_1 = require("../../../shared/models/handleUserRegistration.model");
 const state_1 = require("../../../state");
 const context_1 = require("../../../utils/context");
+const crypto_1 = require("../../../utils/crypto");
 const utils_1 = require("../../utils");
 const schema_1 = require("./schema");
 /**
@@ -29,6 +25,9 @@ function customFunctionController(app) {
     return __awaiter(this, void 0, void 0, function* () {
         const functionsList = state_1.StateManager.select('functions');
         const services = state_1.StateManager.select('services');
+        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const { authCollection, refreshTokensCollection } = constants_1.AUTH_CONFIG;
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         /**
          * Endpoint for user login.
          *
@@ -38,7 +37,7 @@ function customFunctionController(app) {
          */
         app.post(utils_1.AUTH_ENDPOINTS.LOGIN, {
             schema: schema_1.LOGIN_SCHEMA
-        }, function (req) {
+        }, function (req, reply) {
             return __awaiter(this, void 0, void 0, function* () {
                 const { providers } = constants_1.AUTH_CONFIG;
                 const authFunctionName = providers["custom-function"].authFunctionName;
@@ -46,7 +45,7 @@ function customFunctionController(app) {
                     throw new Error("Missing Auth Function");
                 }
                 const { ips, host, hostname, url, method, ip, id } = req;
-                const res = yield (0, context_1.GenerateContext)({
+                const authResult = yield (0, context_1.GenerateContext)({
                     args: [
                         req.body
                     ],
@@ -66,25 +65,36 @@ function customFunctionController(app) {
                         id
                     }
                 });
-                if (res.id) {
-                    const user = yield (0, handleUserRegistration_1.default)(app, { run_as_system: true, skipUserCheck: true, provider: handleUserRegistration_model_1.PROVIDER.CUSTOM_FUNCTION })({ email: res.id, password: (0, utils_1.generatePassword)() });
-                    if (!(user === null || user === void 0 ? void 0 : user.insertedId)) {
-                        throw new Error('Failed to register custom user');
-                    }
-                    const currentUserData = {
-                        _id: user.insertedId,
-                        user_data: {
-                            _id: user.insertedId
-                        }
-                    };
-                    return {
-                        access_token: this.createAccessToken(currentUserData),
-                        refresh_token: this.createRefreshToken(currentUserData),
-                        device_id: '',
-                        user_id: user.insertedId.toString()
-                    };
+                if (!authResult.id) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                const authUser = yield db.collection(authCollection).findOne({ email: authResult.id });
+                if (!authUser) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
                 }
-                throw new Error("Authentication Failed");
+                const currentUserData = {
+                    _id: authUser._id,
+                    user_data: {
+                        _id: authUser._id
+                    }
+                };
+                const refreshToken = this.createRefreshToken(currentUserData);
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                yield db.collection(refreshTokensCollection).insertOne({
+                    userId: authUser._id,
+                    tokenHash: refreshTokenHash,
+                    createdAt: new Date(),
+                    expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+                    revokedAt: null
+                });
+                return {
+                    access_token: this.createAccessToken(currentUserData),
+                    refresh_token: refreshToken,
+                    device_id: '',
+                    user_id: authUser._id.toString()
+                };
             });
         });
     });

package/dist/auth/providers/custom-function/dtos.d.ts

@@ -8,8 +8,11 @@ export type LoginSuccessDto = {
     refresh_token: string;
     user_id: string;
 };
+export type LoginErrorDto = {
+    message: string;
+};
 export interface LoginDto {
     Body: LoginUserDto;
-    Reply: LoginSuccessDto;
+    Reply: LoginSuccessDto | LoginErrorDto;
 }
 //# sourceMappingURL=dtos.d.ts.map

package/dist/auth/providers/custom-function/dtos.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,CAAA;CACvB"}
+{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,GAAG,aAAa,CAAA;CACvC"}

package/dist/auth/providers/local-userpass/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAuBzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAqOjE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAqCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAsUjE"}