@flowerforce/flowerbase 1.2.1-beta.2 → 1.2.1-beta.20

package/src/auth/providers/anon-user/controller.ts

@@ -0,0 +1,91 @@
+import { FastifyInstance } from 'fastify'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
+import { hashToken } from '../../../utils/crypto'
+import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
+import { AUTH_ENDPOINTS } from '../../utils'
+import { LoginDto } from './dtos'
+
+/**
+ * Controller for handling anonymous user login.
+ * @testable
+ * @param {FastifyInstance} app - The Fastify instance.
+ */
+export async function anonUserController(app: FastifyInstance) {
+  const db = app.mongo.client.db(DB_NAME)
+  const { authCollection, refreshTokensCollection, providers } = AUTH_CONFIG
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
+  const anonUserTtlSeconds = DEFAULT_CONFIG.ANON_USER_TTL_SECONDS
+
+  try {
+    await db.collection(authCollection!).createIndex(
+      { createdAt: 1 },
+      {
+        expireAfterSeconds: anonUserTtlSeconds,
+        partialFilterExpression: { 'identities.provider_type': PROVIDER.ANON_USER }
+      }
+    )
+  } catch (error) {
+    console.error('Failed to ensure anonymous user TTL index', error)
+  }
+
+  app.post<LoginDto>(
+    AUTH_ENDPOINTS.LOGIN,
+    async function () {
+      const anonProvider = providers?.['anon-user']
+      if (anonProvider?.disabled) {
+        throw new Error('Anonymous authentication disabled')
+      }
+
+      const now = new Date()
+      const insertResult = await db.collection(authCollection!).insertOne({
+        status: 'confirmed',
+        createdAt: now,
+        custom_data: {},
+        identities: [
+          {
+            provider_type: PROVIDER.ANON_USER,
+            provider_data: {}
+          }
+        ]
+      })
+
+      const userId = insertResult.insertedId
+      await db.collection(authCollection!).updateOne(
+        { _id: userId },
+        {
+          $set: {
+            identities: [
+              {
+                id: userId.toString(),
+                provider_id: userId.toString(),
+                provider_type: PROVIDER.ANON_USER,
+                provider_data: {}
+              }
+            ]
+          }
+        }
+      )
+
+      const currentUserData = {
+        _id: userId,
+        user_data: {}
+      }
+      const refreshToken = this.createRefreshToken(currentUserData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId,
+        tokenHash: refreshTokenHash,
+        createdAt: now,
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
+
+      return {
+        access_token: this.createAccessToken(currentUserData),
+        refresh_token: refreshToken,
+        device_id: '',
+        user_id: userId.toString()
+      }
+    }
+  )
+}

package/src/auth/providers/anon-user/dtos.ts

@@ -0,0 +1,10 @@
+export type LoginSuccessDto = {
+  access_token: string
+  device_id: string
+  refresh_token: string
+  user_id: string
+}
+
+export interface LoginDto {
+  Reply: LoginSuccessDto
+}

package/src/auth/providers/custom-function/controller.ts

@@ -1,16 +1,10 @@
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG } from '../../../constants'
-import handleUserRegistration from '../../../shared/handleUserRegistration'
-import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
-import {
-  AUTH_ENDPOINTS,
-  generatePassword,
-} from '../../utils'
-import {
-  LoginDto
-} from './dtos'
+import { hashToken } from '../../../utils/crypto'
+import { AUTH_ENDPOINTS } from '../../utils'
+import { LoginDto } from './dtos'
 import { LOGIN_SCHEMA } from './schema'
 
 /**
@@ -22,6 +16,9 @@ export async function customFunctionController(app: FastifyInstance) {
 
   const functionsList = StateManager.select('functions')
   const services = StateManager.select('services')
+  const db = app.mongo.client.db(DB_NAME)
+  const { authCollection, refreshTokensCollection } = AUTH_CONFIG
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
 
   /**
    * Endpoint for user login.
@@ -35,7 +32,7 @@ export async function customFunctionController(app: FastifyInstance) {
     {
       schema: LOGIN_SCHEMA
     },
-    async function (req) {
+    async function (req, reply) {
       const { providers } = AUTH_CONFIG
       const authFunctionName = providers["custom-function"].authFunctionName
 
@@ -53,7 +50,8 @@ export async function customFunctionController(app: FastifyInstance) {
         id
       } = req
 
-      const res = await GenerateContext({
+      type CustomFunctionAuthResult = { id?: string }
+      const authResult = await GenerateContext({
         args: [
           req.body
         ],
@@ -72,30 +70,41 @@ export async function customFunctionController(app: FastifyInstance) {
           ip,
           id
         }
-      })
+      }) as CustomFunctionAuthResult
 
 
-      if (res.id) {
-        const user = await handleUserRegistration(app, { run_as_system: true, skipUserCheck: true, provider: PROVIDER.CUSTOM_FUNCTION })({ email: res.id, password: generatePassword() })
-        if (!user?.insertedId) {
-          throw new Error('Failed to register custom user')
-        }
+      if (!authResult.id) {
+        reply.code(401).send({ message: 'Unauthorized' })
+        return
+      }
 
-        const currentUserData = {
-          _id: user.insertedId,
-          user_data: {
-            _id: user.insertedId
-          }
-        }
-        return {
-          access_token: this.createAccessToken(currentUserData),
-          refresh_token: this.createRefreshToken(currentUserData),
-          device_id: '',
-          user_id: user.insertedId.toString()
-        }
+      const authUser = await db.collection(authCollection!).findOne({ email: authResult.id })
+      if (!authUser) {
+        reply.code(401).send({ message: 'Unauthorized' })
+        return
       }
 
-      throw new Error("Authentication Failed")
+      const currentUserData = {
+        _id: authUser._id,
+        user_data: {
+          _id: authUser._id
+        }
+      }
+      const refreshToken = this.createRefreshToken(currentUserData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId: authUser._id,
+        tokenHash: refreshTokenHash,
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
+      return {
+        access_token: this.createAccessToken(currentUserData),
+        refresh_token: refreshToken,
+        device_id: '',
+        user_id: authUser._id.toString()
+      }
     }
   )
 

package/src/auth/providers/custom-function/dtos.ts

@@ -10,7 +10,11 @@ export type LoginSuccessDto = {
   user_id: string
 }
 
+export type LoginErrorDto = {
+  message: string
+}
+
 export interface LoginDto {
   Body: LoginUserDto
-  Reply: LoginSuccessDto
+  Reply: LoginSuccessDto | LoginErrorDto
 }

package/src/auth/providers/local-userpass/controller.ts

@@ -1,42 +1,122 @@
-import sendGrid from '@sendgrid/mail'
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG, DB_NAME } from '../../../constants'
-import { services } from '../../../services'
+import { ObjectId } from 'mongodb'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
 import handleUserRegistration from '../../../shared/handleUserRegistration'
 import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
-import { comparePassword, generateToken, hashPassword } from '../../../utils/crypto'
+import { comparePassword, generateToken, hashPassword, hashToken } from '../../../utils/crypto'
 import {
   AUTH_ENDPOINTS,
   AUTH_ERRORS,
   CONFIRM_RESET_SCHEMA,
-  getMailConfig,
+  CONFIRM_USER_SCHEMA,
   LOGIN_SCHEMA,
   REGISTRATION_SCHEMA,
-  RESET_SCHEMA
+  RESET_CALL_SCHEMA,
+  RESET_SEND_SCHEMA
 } from '../../utils'
 import {
   ConfirmResetPasswordDto,
+  ConfirmUserDto,
   LoginDto,
   RegistrationDto,
-  ResetPasswordDto
+  ResetPasswordCallDto,
+  ResetPasswordSendDto
 } from './dtos'
+
+const rateLimitStore = new Map<string, number[]>()
+
+const isRateLimited = (key: string, maxAttempts: number, windowMs: number) => {
+  const now = Date.now()
+  const existing = rateLimitStore.get(key) ?? []
+  const recent = existing.filter((timestamp) => now - timestamp < windowMs)
+  recent.push(now)
+  rateLimitStore.set(key, recent)
+  return recent.length > maxAttempts
+}
 /**
  * Controller for handling local user registration and login.
  * @testable
  * @param {FastifyInstance} app - The Fastify instance.
  */
 export async function localUserPassController(app: FastifyInstance) {
-  const functionsList = StateManager.select('functions')
-
-  const {
-    authCollection,
-    userCollection,
-    user_id_field,
-    on_user_creation_function_name
-  } = AUTH_CONFIG
+  const { authCollection, userCollection, user_id_field } = AUTH_CONFIG
+  const { resetPasswordCollection } = AUTH_CONFIG
+  const { refreshTokensCollection } = AUTH_CONFIG
   const db = app.mongo.client.db(DB_NAME)
+  const resetPasswordTtlSeconds = DEFAULT_CONFIG.RESET_PASSWORD_TTL_SECONDS
+  const rateLimitWindowMs = DEFAULT_CONFIG.AUTH_RATE_LIMIT_WINDOW_MS
+  const loginMaxAttempts = DEFAULT_CONFIG.AUTH_LOGIN_MAX_ATTEMPTS
+  const registerMaxAttempts = DEFAULT_CONFIG.AUTH_REGISTER_MAX_ATTEMPTS
+  const resetMaxAttempts = DEFAULT_CONFIG.AUTH_RESET_MAX_ATTEMPTS
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
+
+  try {
+    await db.collection(resetPasswordCollection).createIndex(
+      { createdAt: 1 },
+      { expireAfterSeconds: resetPasswordTtlSeconds }
+    )
+  } catch (error) {
+    console.error('Failed to ensure reset password TTL index', error)
+  }
+
+  try {
+    await db.collection(refreshTokensCollection).createIndex(
+      { expiresAt: 1 },
+      { expireAfterSeconds: 0 }
+    )
+  } catch (error) {
+    console.error('Failed to ensure refresh token TTL index', error)
+  }
+  const handleResetPasswordRequest = async (
+    email: string,
+    password?: string,
+    extraArguments?: unknown[]
+  ) => {
+    const { resetPasswordConfig } = AUTH_CONFIG
+    const authUser = await db.collection(authCollection!).findOne({
+      email
+    })
+
+    if (!authUser) {
+      return
+    }
+
+    const token = generateToken()
+    const tokenId = generateToken()
+
+    await db
+      ?.collection(resetPasswordCollection)
+      .updateOne(
+        { email },
+        { $set: { token, tokenId, email, createdAt: new Date() } },
+        { upsert: true }
+      )
+
+    if (!resetPasswordConfig.runResetFunction && !resetPasswordConfig.resetFunctionName) {
+      throw new Error(AUTH_ERRORS.MISSING_RESET_FUNCTION)
+    }
+
+    if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
+      const functionsList = StateManager.select('functions')
+      const services = StateManager.select('services')
+      const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
+      const baseArgs = { token, tokenId, email, password, username: email }
+      const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs]
+      await GenerateContext({
+        args,
+        app,
+        rules: {},
+        user: {},
+        currentFunction,
+        functionsList,
+        services
+      })
+      return
+    }
+
+  }
 
   /**
    * Endpoint for user registration.
@@ -52,6 +132,11 @@ export async function localUserPassController(app: FastifyInstance) {
       schema: REGISTRATION_SCHEMA
     },
     async (req, res) => {
+      const key = `register:${req.ip}`
+      if (isRateLimited(key, registerMaxAttempts, rateLimitWindowMs)) {
+        res.status(429).send({ message: 'Too many requests' })
+        return
+      }
 
       const result = await handleUserRegistration(app, { run_as_system: true, provider: PROVIDER.LOCAL_USERPASS })({ email: req.body.email.toLowerCase(), password: req.body.password })
 
@@ -65,6 +150,50 @@ export async function localUserPassController(app: FastifyInstance) {
     }
   )
 
+  /**
+   * Endpoint for confirming a user registration.
+   *
+   * @route {POST} /confirm
+   * @param {ConfirmUserDto} req - The request object with confirmation data.
+   * @returns {Promise<Object>} A promise resolving with confirmation status.
+   */
+  app.post<ConfirmUserDto>(
+    AUTH_ENDPOINTS.CONFIRM,
+    {
+      schema: CONFIRM_USER_SCHEMA
+    },
+    async (req, res) => {
+      const key = `confirm:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429).send({ message: 'Too many requests' })
+        return
+      }
+
+      const existing = await db.collection(authCollection!).findOne({
+        confirmationToken: req.body.token,
+        confirmationTokenId: req.body.tokenId
+      }) as { _id: ObjectId; status?: string } | null
+
+      if (!existing) {
+        res.status(500)
+        throw new Error(AUTH_ERRORS.INVALID_TOKEN)
+      }
+
+      if (existing.status !== 'confirmed') {
+        await db.collection(authCollection!).updateOne(
+          { _id: existing._id },
+          {
+            $set: { status: 'confirmed' },
+            $unset: { confirmationToken: '', confirmationTokenId: '' }
+          }
+        )
+      }
+
+      res.status(200)
+      return { status: 'confirmed' }
+    }
+  )
+
   /**
    * Endpoint for user login.
    *
@@ -77,7 +206,12 @@ export async function localUserPassController(app: FastifyInstance) {
     {
       schema: LOGIN_SCHEMA
     },
-    async function (req) {
+    async function (req, res) {
+      const key = `login:${req.ip}`
+      if (isRateLimited(key, loginMaxAttempts, rateLimitWindowMs)) {
+        res.status(429).send({ message: 'Too many requests' })
+        return
+      }
       const authUser = await db.collection(authCollection!).findOne({
         email: req.body.username
       })
@@ -110,45 +244,23 @@ export async function localUserPassController(app: FastifyInstance) {
         id: authUser._id.toString()
       }
 
-      if (authUser && authUser.status === 'pending') {
-        try {
-          await db?.collection(authCollection!).updateOne(
-            { _id: authUser._id },
-            {
-              $set: {
-                status: 'confirmed'
-              }
-            }
-          )
-        } catch (error) {
-          console.log('>>> 🚀 ~ localUserPassController ~ error:', error)
-        }
+      if (authUser && authUser.status !== 'confirmed') {
+        throw new Error(AUTH_ERRORS.USER_NOT_CONFIRMED)
       }
 
-      if (
-        authUser &&
-        authUser.status === 'pending' &&
-        on_user_creation_function_name &&
-        functionsList[on_user_creation_function_name]
-      ) {
-        try {
-          await GenerateContext({
-            args: [userWithCustomData],
-            app,
-            rules: {},
-            user: userWithCustomData,
-            currentFunction: functionsList[on_user_creation_function_name],
-            functionsList,
-            services
-          })
-        } catch (error) {
-          console.log('localUserPassController - /login - GenerateContext - CATCH:', error)
-        }
-      }
+      const refreshToken = this.createRefreshToken(userWithCustomData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId: authUser._id,
+        tokenHash: refreshTokenHash,
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
 
       return {
         access_token: this.createAccessToken(userWithCustomData),
-        refresh_token: this.createRefreshToken(userWithCustomData),
+        refresh_token: refreshToken,
         device_id: '',
         user_id: authUser._id.toString()
       }
@@ -158,65 +270,49 @@ export async function localUserPassController(app: FastifyInstance) {
   /**
    * Endpoint for reset password.
    *
-   * @route {POST} /reset/call
+   * @route {POST} /reset/send
    * @param {ResetPasswordDto} req - The request object with th reset request.
    * @returns {Promise<void>}
    */
-  app.post<ResetPasswordDto>(
+  app.post<ResetPasswordSendDto>(
     AUTH_ENDPOINTS.RESET,
     {
-      schema: RESET_SCHEMA
+      schema: RESET_SEND_SCHEMA
     },
-    async function (req) {
-      const { resetPasswordCollection, resetPasswordConfig } = AUTH_CONFIG
-      const email = req.body.email
-      const authUser = await db.collection(authCollection!).findOne({
-        email
-      })
-
-      if (!authUser) {
-        throw new Error(AUTH_ERRORS.INVALID_CREDENTIALS)
+    async function (req, res) {
+      const key = `reset:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
       }
-
-      const token = generateToken()
-      const tokenId = generateToken()
-
-      await db
-        ?.collection(resetPasswordCollection)
-        .updateOne(
-          { email },
-          { $set: { token, tokenId, email, createdAt: new Date() } },
-          { upsert: true }
-        )
-
-      if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
-        const functionsList = StateManager.select('functions')
-        const services = StateManager.select('services')
-        const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
-        await GenerateContext({
-          args: [{ token, tokenId, email }],
-          app,
-          rules: {},
-          user: {},
-          currentFunction,
-          functionsList,
-          services
-        })
-        return
+      await handleResetPasswordRequest(req.body.email)
+      res.status(202)
+      return {
+        status: 'ok'
       }
+    }
+  )
 
-      const { from, subject, mailToken, body } = getMailConfig(
-        resetPasswordConfig,
-        token,
-        tokenId
+  app.post<ResetPasswordCallDto>(
+    AUTH_ENDPOINTS.RESET_CALL,
+    {
+      schema: RESET_CALL_SCHEMA
+    },
+    async function (req, res) {
+      const key = `reset:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
+      }
+      await handleResetPasswordRequest(
+        req.body.email,
+        req.body.password,
+        req.body.arguments
       )
-      sendGrid.setApiKey(mailToken)
-      await sendGrid.send({
-        to: email,
-        from,
-        subject,
-        html: body
-      })
+      res.status(202)
+      return {
+        status: 'ok'
+      }
     }
   )
 
@@ -232,8 +328,12 @@ export async function localUserPassController(app: FastifyInstance) {
     {
       schema: CONFIRM_RESET_SCHEMA
     },
-    async function (req) {
-      const { resetPasswordCollection } = AUTH_CONFIG
+    async function (req, res) {
+      const key = `reset-confirm:${req.ip}`
+      if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+        res.status(429)
+        return { message: 'Too many requests' }
+      }
       const { token, tokenId, password } = req.body
 
       const resetRequest = await db
@@ -243,6 +343,16 @@ export async function localUserPassController(app: FastifyInstance) {
       if (!resetRequest) {
         throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
       }
+
+      const createdAt = resetRequest.createdAt ? new Date(resetRequest.createdAt) : null
+      const isExpired = !createdAt ||
+        Number.isNaN(createdAt.getTime()) ||
+        Date.now() - createdAt.getTime() > resetPasswordTtlSeconds * 1000
+
+      if (isExpired) {
+        await db?.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id })
+        throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
+      }
       const hashedPassword = await hashPassword(password)
       await db.collection(authCollection!).updateOne(
         { email: resetRequest.email },

package/src/auth/providers/local-userpass/dtos.ts

@@ -15,19 +15,30 @@ export type LoginSuccessDto = {
   user_id: string
 }
 
+export type ErrorResponseDto = {
+  message: string
+}
+
 export interface RegistrationDto {
   Body: RegisterUserDto
 }
 
 export interface LoginDto {
   Body: LoginUserDto
-  Reply: LoginSuccessDto
+  Reply: LoginSuccessDto | ErrorResponseDto
+}
+
+export interface ResetPasswordSendDto {
+  Body: {
+    email: string
+  }
 }
 
-export interface ResetPasswordDto {
+export interface ResetPasswordCallDto {
   Body: {
     email: string
     password: string
+    arguments?: unknown[]
   }
 }
 
@@ -38,3 +49,10 @@ export interface ConfirmResetPasswordDto {
     password: string
   }
 }
+
+export interface ConfirmUserDto {
+  Body: {
+    token: string
+    tokenId: string
+  }
+}