@flowerforce/flowerbase 1.2.1-beta.2 → 1.2.1-beta.21

package/src/auth/plugins/jwt.ts

@@ -1,11 +1,18 @@
 import fastifyJwt from '@fastify/jwt'
 import fp from 'fastify-plugin'
 import { Document, ObjectId, WithId } from 'mongodb'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../constants'
 
 type Options = {
   secret: string
 }
 
+type JwtAccessWithTimestamp = {
+  typ: 'access'
+  sub: string
+  iat?: number
+}
+
 /**
  * This module is a Fastify plugin that sets up JWT-based authentication and token creation.
  * It registers JWT authentication, and provides methods to create access and refresh tokens.
@@ -25,20 +32,72 @@ export default fp(async function (fastify, opts: Options) {
     try {
       await request.jwtVerify()
     } catch (err) {
-      // TODO: handle error
-      reply.send(err)
+      fastify.log.warn({ err }, 'JWT authentication failed')
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    if (request.user?.typ !== 'access') {
+      return
+    }
+
+    const db = fastify.mongo?.client?.db(DB_NAME)
+    if (!db) {
+      fastify.log.warn('Mongo client unavailable while checking logout state')
+      return
+    }
+
+    if (!request.user.sub) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    let authUser
+    try {
+      authUser = await db
+        .collection<Document>(AUTH_CONFIG.authCollection)
+        .findOne({ _id: new ObjectId(request.user.sub) })
+    } catch (err) {
+      fastify.log.warn({ err }, 'Failed to lookup user during JWT authentication')
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    if (!authUser) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
+    }
+
+    const lastLogoutAt = authUser.lastLogoutAt ? new Date(authUser.lastLogoutAt) : null
+    const accessUser = request.user as JwtAccessWithTimestamp
+    const rawIssuedAt = accessUser.iat
+    const issuedAt =
+      typeof rawIssuedAt === 'number'
+        ? rawIssuedAt
+        : typeof rawIssuedAt === 'string'
+          ? Number(rawIssuedAt)
+          : undefined
+    if (
+      lastLogoutAt &&
+      !Number.isNaN(lastLogoutAt.getTime()) &&
+      typeof issuedAt === 'number' &&
+      !Number.isNaN(issuedAt) &&
+      lastLogoutAt.getTime() >= issuedAt * 1000
+    ) {
+      reply.code(401).send({ message: 'Unauthorized' })
+      return
     }
   })
 
   fastify.decorate('createAccessToken', function (user: WithId<Document>) {
     const id = user._id.toString()
-    const userDataId = user.user_data._id.toString()
+    // const userDataId = user.user_data._id.toString()
 
     const user_data = {
-      _id: userDataId,
-      id: userDataId,
+      ...user.user_data,
+      _id: id,
+      id: id,
       email: user.email,
-      ...user.user_data
     }
 
     return this.jwt.sign(
@@ -52,7 +111,7 @@ export default fp(async function (fastify, opts: Options) {
       {
         iss: BAAS_ID,
         jti: BAAS_ID,
-        sub: user._id.toJSON(),
+        sub: id,
         expiresIn: '300m'
       }
     )
@@ -66,7 +125,7 @@ export default fp(async function (fastify, opts: Options) {
       },
       {
         sub: user._id.toJSON(),
-        expiresIn: '60d'
+        expiresIn: `${DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS}d`
       }
     )
   })

package/src/auth/providers/anon-user/controller.ts

@@ -0,0 +1,91 @@
+import { FastifyInstance } from 'fastify'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
+import { hashToken } from '../../../utils/crypto'
+import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
+import { AUTH_ENDPOINTS } from '../../utils'
+import { LoginDto } from './dtos'
+
+/**
+ * Controller for handling anonymous user login.
+ * @testable
+ * @param {FastifyInstance} app - The Fastify instance.
+ */
+export async function anonUserController(app: FastifyInstance) {
+  const db = app.mongo.client.db(DB_NAME)
+  const { authCollection, refreshTokensCollection, providers } = AUTH_CONFIG
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
+  const anonUserTtlSeconds = DEFAULT_CONFIG.ANON_USER_TTL_SECONDS
+
+  try {
+    await db.collection(authCollection!).createIndex(
+      { createdAt: 1 },
+      {
+        expireAfterSeconds: anonUserTtlSeconds,
+        partialFilterExpression: { 'identities.provider_type': PROVIDER.ANON_USER }
+      }
+    )
+  } catch (error) {
+    console.error('Failed to ensure anonymous user TTL index', error)
+  }
+
+  app.post<LoginDto>(
+    AUTH_ENDPOINTS.LOGIN,
+    async function () {
+      const anonProvider = providers?.['anon-user']
+      if (anonProvider?.disabled) {
+        throw new Error('Anonymous authentication disabled')
+      }
+
+      const now = new Date()
+      const insertResult = await db.collection(authCollection!).insertOne({
+        status: 'confirmed',
+        createdAt: now,
+        custom_data: {},
+        identities: [
+          {
+            provider_type: PROVIDER.ANON_USER,
+            provider_data: {}
+          }
+        ]
+      })
+
+      const userId = insertResult.insertedId
+      await db.collection(authCollection!).updateOne(
+        { _id: userId },
+        {
+          $set: {
+            identities: [
+              {
+                id: userId.toString(),
+                provider_id: userId.toString(),
+                provider_type: PROVIDER.ANON_USER,
+                provider_data: {}
+              }
+            ]
+          }
+        }
+      )
+
+      const currentUserData = {
+        _id: userId,
+        user_data: {}
+      }
+      const refreshToken = this.createRefreshToken(currentUserData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId,
+        tokenHash: refreshTokenHash,
+        createdAt: now,
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
+
+      return {
+        access_token: this.createAccessToken(currentUserData),
+        refresh_token: refreshToken,
+        device_id: '',
+        user_id: userId.toString()
+      }
+    }
+  )
+}

package/src/auth/providers/anon-user/dtos.ts

@@ -0,0 +1,10 @@
+export type LoginSuccessDto = {
+  access_token: string
+  device_id: string
+  refresh_token: string
+  user_id: string
+}
+
+export interface LoginDto {
+  Reply: LoginSuccessDto
+}

package/src/auth/providers/custom-function/controller.ts

@@ -1,16 +1,10 @@
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG } from '../../../constants'
-import handleUserRegistration from '../../../shared/handleUserRegistration'
-import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../../../constants'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
-import {
-  AUTH_ENDPOINTS,
-  generatePassword,
-} from '../../utils'
-import {
-  LoginDto
-} from './dtos'
+import { hashToken } from '../../../utils/crypto'
+import { AUTH_ENDPOINTS } from '../../utils'
+import { LoginDto } from './dtos'
 import { LOGIN_SCHEMA } from './schema'
 
 /**
@@ -22,6 +16,9 @@ export async function customFunctionController(app: FastifyInstance) {
 
   const functionsList = StateManager.select('functions')
   const services = StateManager.select('services')
+  const db = app.mongo.client.db(DB_NAME)
+  const { authCollection, refreshTokensCollection } = AUTH_CONFIG
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
 
   /**
    * Endpoint for user login.
@@ -35,7 +32,7 @@ export async function customFunctionController(app: FastifyInstance) {
     {
       schema: LOGIN_SCHEMA
     },
-    async function (req) {
+    async function (req, reply) {
       const { providers } = AUTH_CONFIG
       const authFunctionName = providers["custom-function"].authFunctionName
 
@@ -53,7 +50,8 @@ export async function customFunctionController(app: FastifyInstance) {
         id
       } = req
 
-      const res = await GenerateContext({
+      type CustomFunctionAuthResult = { id?: string }
+      const authResult = await GenerateContext({
         args: [
           req.body
         ],
@@ -72,30 +70,41 @@ export async function customFunctionController(app: FastifyInstance) {
           ip,
           id
         }
-      })
+      }) as CustomFunctionAuthResult
 
 
-      if (res.id) {
-        const user = await handleUserRegistration(app, { run_as_system: true, skipUserCheck: true, provider: PROVIDER.CUSTOM_FUNCTION })({ email: res.id, password: generatePassword() })
-        if (!user?.insertedId) {
-          throw new Error('Failed to register custom user')
-        }
+      if (!authResult.id) {
+        reply.code(401).send({ message: 'Unauthorized' })
+        return
+      }
 
-        const currentUserData = {
-          _id: user.insertedId,
-          user_data: {
-            _id: user.insertedId
-          }
-        }
-        return {
-          access_token: this.createAccessToken(currentUserData),
-          refresh_token: this.createRefreshToken(currentUserData),
-          device_id: '',
-          user_id: user.insertedId.toString()
-        }
+      const authUser = await db.collection(authCollection!).findOne({ email: authResult.id })
+      if (!authUser) {
+        reply.code(401).send({ message: 'Unauthorized' })
+        return
       }
 
-      throw new Error("Authentication Failed")
+      const currentUserData = {
+        _id: authUser._id,
+        user_data: {
+          _id: authUser._id
+        }
+      }
+      const refreshToken = this.createRefreshToken(currentUserData)
+      const refreshTokenHash = hashToken(refreshToken)
+      await db.collection(refreshTokensCollection).insertOne({
+        userId: authUser._id,
+        tokenHash: refreshTokenHash,
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+        revokedAt: null
+      })
+      return {
+        access_token: this.createAccessToken(currentUserData),
+        refresh_token: refreshToken,
+        device_id: '',
+        user_id: authUser._id.toString()
+      }
     }
   )
 

package/src/auth/providers/custom-function/dtos.ts

@@ -10,7 +10,11 @@ export type LoginSuccessDto = {
   user_id: string
 }
 
+export type LoginErrorDto = {
+  message: string
+}
+
 export interface LoginDto {
   Body: LoginUserDto
-  Reply: LoginSuccessDto
+  Reply: LoginSuccessDto | LoginErrorDto
 }