@goscribe/server 1.1.7 → 1.3.0

package/src/routers/auth.ts

@@ -1,18 +1,47 @@
 import { z } from 'zod';
 import { router, publicProcedure, authedProcedure } from '../trpc.js';
+import PusherService from '../lib/pusher.js';
+import { logger } from '../lib/logger.js';
 import bcrypt from 'bcryptjs';
 import { serialize } from 'cookie';
 import crypto from 'node:crypto';
 import { TRPCError } from '@trpc/server';
-import { supabaseClient } from 'src/lib/storage.js';
+import { supabaseClient } from '../lib/storage.js';
+import {
+  sendVerificationEmail,
+  sendAccountDeletionScheduledEmail,
+  sendAccountRestoredEmail,
+  sendPasswordResetEmail,
+} from '../lib/email.js';
+import { createStripeCustomer } from '../lib/stripe.js';
+import {
+  notifyAdminsAccountDeletionScheduled,
+  notifyAdminsOnSignup,
+} from '../lib/notification-service.js';
 
 // Helper to create custom auth token
+const passwordFieldSchema = z
+  .string()
+  .min(8, 'Password must be at least 8 characters')
+  .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+  .regex(/[0-9]/, 'Password must contain at least one number')
+  .regex(/[^a-zA-Z0-9]/, 'Password must contain at least one special character');
+
+function hashPasswordResetToken(rawToken: string): string {
+  return crypto.createHash('sha256').update(rawToken, 'utf8').digest('hex');
+}
+
+/** Use until `npx prisma generate` runs after adding PasswordResetToken to the schema. */
+function passwordResetDb(ctx: { db: any }) {
+  return ctx.db.passwordResetToken;
+}
+
 function createCustomAuthToken(userId: string): string {
   const secret = process.env.AUTH_SECRET;
   if (!secret) {
-    throw new Error("AUTH_SECRET is not set");
+    throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: "AUTH_SECRET is not set" });
   }
-  
+
   const base64UserId = Buffer.from(userId, 'utf8').toString('base64url');
   const hmac = crypto.createHmac('sha256', secret);
   hmac.update(base64UserId);
@@ -25,7 +54,7 @@ export const auth = router({
     .input(z.object({
       name: z.string().min(1),
     }))
-    .mutation(async ({ctx, input}) => {
+    .mutation(async ({ ctx, input }) => {
       const { name } = input;
 
       await ctx.db.user.update({
@@ -42,19 +71,66 @@ export const auth = router({
         message: 'Profile updated successfully',
       };
     }),
-  uploadProfilePicture: publicProcedure
-    .mutation(async ({ctx, input}) => {
-      const objectKey = `profile_picture_${ctx.session.user.id}`;
+  changePassword: authedProcedure
+    .input(z.object({
+      currentPassword: z.string().min(1, "Current password is required"),
+      newPassword: passwordFieldSchema,
+    }))
+    .mutation(async ({ ctx, input }) => {
+      const user = await ctx.db.user.findUnique({
+        where: { id: ctx.session.user.id },
+        select: { id: true, passwordHash: true },
+      });
+
+      if (!user) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
+      }
+
+      if (!user.passwordHash) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'Password change is unavailable for this account.',
+        });
+      }
+
+      const validCurrentPassword = await bcrypt.compare(input.currentPassword, user.passwordHash);
+      if (!validCurrentPassword) {
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Current password is incorrect' });
+      }
+
+      const isSamePassword = await bcrypt.compare(input.newPassword, user.passwordHash);
+      if (isSamePassword) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'New password must be different from current password',
+        });
+      }
+
+      const newHash = await bcrypt.hash(input.newPassword, 10);
+      await ctx.db.user.update({
+        where: { id: user.id },
+        data: { passwordHash: newHash },
+      });
+
+      return { success: true, message: 'Password changed successfully' };
+    }),
+  uploadProfilePicture: authedProcedure
+    .mutation(async ({ ctx }) => {
+      const userId = ctx.session.user.id;
+      logger.info(`Generating upload URL for user ${userId}`, 'AUTH');
+      const objectKey = `profile_picture_${userId}`;
       const { data: signedUrlData, error: signedUrlError } = await supabaseClient.storage
         .from('media')
-        .createSignedUploadUrl(objectKey, { upsert: true }); // 5 minutes
+        .createSignedUploadUrl(objectKey, { upsert: true });
+
       if (signedUrlError) {
+        logger.error(`Failed to generate upload URL: ${signedUrlError.message}`, 'AUTH');
         throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: `Failed to generate upload URL: ${signedUrlError.message}` });
       }
 
-      await ctx.db.fileAsset.create({
+      const fileAsset = await ctx.db.fileAsset.create({
         data: {
-          userId: ctx.session.user.id,
+          userId: userId,
           name: 'Profile Picture',
           mimeType: 'image/jpeg',
           size: 0,
@@ -63,39 +139,162 @@ export const auth = router({
         },
       });
 
+      await ctx.db.user.update({
+        where: { id: userId },
+        data: {
+          fileAssetId: fileAsset.id,
+        },
+      });
+
+      logger.info(`Profile picture asset created and linked for user ${userId}`, 'AUTH');
       return {
         success: true,
         message: 'Profile picture uploaded successfully',
         signedUrl: signedUrlData.signedUrl,
       };
     }),
+  confirmProfileUpdate: authedProcedure
+    .mutation(async ({ ctx }) => {
+      logger.info(`Confirming profile update for user ${ctx.session.user.id}`, 'AUTH');
+      await PusherService.emitProfileUpdate(ctx.session.user.id);
+      return { success: true };
+    }),
   signup: publicProcedure
     .input(z.object({
       name: z.string().min(1),
       email: z.string().email(),
-      password: z.string().min(6),
+      password: passwordFieldSchema,
     }))
     .mutation(async ({ ctx, input }) => {
       const existing = await ctx.db.user.findUnique({
         where: { email: input.email },
       });
       if (existing) {
-        throw new Error("Email already registered");
+        throw new TRPCError({ code: 'CONFLICT', message: "Email already registered" });
       }
 
       const hash = await bcrypt.hash(input.password, 10);
 
+      // Get default "User" role
+      const userRole = await ctx.db.role.findUnique({
+        where: { name: 'User' },
+      });
+
       const user = await ctx.db.user.create({
         data: {
           name: input.name,
           email: input.email,
           passwordHash: hash,
-          emailVerified: new Date(), // skip verification for demo
+          roleId: userRole?.id,
+          // emailVerified is null -- user must verify
+        },
+      });
+
+      await notifyAdminsOnSignup(ctx.db, {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+      });
+
+      // Create verification token (24h expiry)
+      const token = crypto.randomUUID();
+      await ctx.db.verificationToken.create({
+        data: {
+          identifier: input.email,
+          token,
+          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
         },
       });
 
+      // Send verification email (non-blocking)
+      sendVerificationEmail(input.email, token, input.name).catch(() => { });
+
+      // Create Stripe Customer (non-blocking for registration, but we want it)
+      createStripeCustomer(input.email, input.name).then(async (stripeCustomerId) => {
+        if (stripeCustomerId) {
+          await ctx.db.user.update({
+            where: { id: user.id },
+            data: { stripe_customer_id: stripeCustomerId }
+          }).catch((err: any) => logger.error(`Failed to update user with stripe_customer_id: ${err.message}`, 'AUTH'));
+        }
+      });
+
       return { id: user.id, email: user.email, name: user.name };
     }),
+
+  // Verify email with token from the email link
+  verifyEmail: publicProcedure
+    .input(z.object({
+      token: z.string(),
+    }))
+    .mutation(async ({ ctx, input }) => {
+      const record = await ctx.db.verificationToken.findUnique({
+        where: { token: input.token },
+      });
+
+      if (!record) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Invalid or expired verification link' });
+      }
+
+      if (record.expires < new Date()) {
+        // Clean up expired token
+        await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
+        throw new TRPCError({ code: 'BAD_REQUEST', message: 'Verification link has expired. Please request a new one.' });
+      }
+
+      // Mark user as verified
+      await ctx.db.user.update({
+        where: { email: record.identifier },
+        data: { emailVerified: new Date() },
+      });
+
+      // Delete used token
+      await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
+
+      return { success: true, message: 'Email verified successfully' };
+    }),
+
+  // Resend verification email (for logged-in users who haven't verified)
+  resendVerification: publicProcedure
+    .mutation(async ({ ctx }) => {
+      if (!ctx.session?.user?.id) {
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Not logged in' });
+      }
+
+      const user = await ctx.db.user.findUnique({
+        where: { id: ctx.session.user.id },
+      });
+
+      if (!user || !user.email) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
+      }
+
+      if (user.emailVerified) {
+        return { success: true, message: 'Email is already verified' };
+      }
+
+      // Delete any existing tokens for this email
+      await ctx.db.verificationToken.deleteMany({
+        where: { identifier: user.email },
+      });
+
+      // Create new token
+      const token = crypto.randomUUID();
+      await ctx.db.verificationToken.create({
+        data: {
+          identifier: user.email,
+          token,
+          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
+        },
+      });
+
+      const sent = await sendVerificationEmail(user.email, token, user.name);
+      if (!sent) {
+        throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: 'Failed to send email. Please try again.' });
+      }
+
+      return { success: true, message: 'Verification email sent' };
+    }),
   login: publicProcedure
     .input(z.object({
       email: z.string().email(),
@@ -106,12 +305,16 @@ export const auth = router({
         where: { email: input.email },
       });
       if (!user) {
-        throw new Error("Invalid credentials");
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
+      }
+
+      if (user.deletedAt) {
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Account scheduled for deletion. Please check your email for a restore link." });
       }
 
       const valid = await bcrypt.compare(input.password, user.passwordHash!);
       if (!valid) {
-        throw new Error("Invalid credentials");
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
       }
 
       // Create custom auth token
@@ -127,49 +330,245 @@ export const auth = router({
         domain: isProduction ? "server-w8mz.onrender.com" : undefined,
         maxAge: 60 * 60 * 24 * 30, // 30 days
       });
-      
+
       ctx.res.setHeader("Set-Cookie", cookieValue);
 
 
-      return { 
-        id: user.id, 
-        email: user.email, 
-        name: user.name, 
+      return {
+        id: user.id,
+        email: user.email,
+        name: user.name,
         token: authToken
       };
     }),
+
+  /**
+   * Request a password reset email. Always returns the same message (no email enumeration).
+   */
+  requestPasswordReset: publicProcedure
+    .input(z.object({ email: z.string().email() }))
+    .mutation(async ({ ctx, input }) => {
+      const email = input.email.trim().toLowerCase();
+      const generic = {
+        success: true as const,
+        message:
+          'If an account exists for this email, we sent password reset instructions.',
+      };
+
+      const user = await ctx.db.user.findUnique({
+        where: { email },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          passwordHash: true,
+          deletedAt: true,
+        },
+      });
+
+      if (!user?.passwordHash || user.deletedAt || !user.email) {
+        return generic;
+      }
+
+      await passwordResetDb(ctx).deleteMany({
+        where: { userId: user.id, usedAt: null },
+      });
+
+      const rawToken = crypto.randomBytes(32).toString('hex');
+      const tokenHash = hashPasswordResetToken(rawToken);
+      const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
+
+      await passwordResetDb(ctx).create({
+        data: {
+          userId: user.id,
+          tokenHash,
+          expiresAt,
+        },
+      });
+
+      sendPasswordResetEmail(user.email, rawToken, user.name).catch(() => {});
+
+      return generic;
+    }),
+
+  /**
+   * Complete password reset using the token from the email link.
+   */
+  resetPassword: publicProcedure
+    .input(
+      z.object({
+        token: z.string().min(1),
+        newPassword: passwordFieldSchema,
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const tokenHash = hashPasswordResetToken(input.token);
+
+      const record = await passwordResetDb(ctx).findUnique({
+        where: { tokenHash },
+      });
+
+      if (!record || record.usedAt || record.expiresAt < new Date()) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'Invalid or expired reset link. Please request a new one.',
+        });
+      }
+
+      const newHash = await bcrypt.hash(input.newPassword, 10);
+
+      await ctx.db.user.update({
+        where: { id: record.userId },
+        data: { passwordHash: newHash },
+      });
+
+      await passwordResetDb(ctx).update({
+        where: { id: record.id },
+        data: { usedAt: new Date() },
+      });
+
+      await passwordResetDb(ctx).deleteMany({
+        where: { userId: record.userId, id: { not: record.id } },
+      });
+
+      return { success: true, message: 'Password updated. You can sign in now.' };
+    }),
+
   getSession: publicProcedure.query(async ({ ctx }) => {
     // Just return the current session from context
     if (!ctx.session) {
-      throw new Error("No session found");
+      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No session found" });
     }
 
+    const userId = (ctx.session as any).user.id;
     const user = await ctx.db.user.findUnique({
-      where: { id: (ctx.session as any).user.id },
+      where: { id: userId },
+      include: {
+        profilePicture: true,
+        role: true,
+      }
     });
 
     if (!user) {
-      throw new Error("User not found");
+      throw new TRPCError({ code: 'NOT_FOUND', message: "User not found" });
     }
 
-    return { 
-      user: { 
-        id: user.id, 
-        email: user.email, 
-        name: user.name, 
-      } 
+    const profilePictureUrl = user.profilePicture?.objectKey
+      ? `/profile-picture/${user.profilePicture.objectKey}?t=${new Date(user.updatedAt).getTime()}`
+      : null;
+
+    logger.info(`Session fetched for user ${userId}, profilePicture: ${profilePictureUrl}`, 'AUTH');
+
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        emailVerified: !!user.emailVerified,
+        profilePicture: profilePictureUrl,
+        role: user.role,
+      }
     };
   }),
+  requestAccountDeletion: authedProcedure
+    .mutation(async ({ ctx }) => {
+      const user = await ctx.db.user.findUnique({
+        where: { id: ctx.session.user.id },
+      });
+
+      if (!user) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
+      }
+
+      // Mark user as deleted
+      await ctx.db.user.update({
+        where: { id: user.id },
+        data: { deletedAt: new Date() },
+      });
+
+      await notifyAdminsAccountDeletionScheduled(ctx.db, {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+      }).catch(() => {});
+
+      // Clear existing restore tokens
+      await ctx.db.verificationToken.deleteMany({
+        where: { identifier: `restore-${user.email}` },
+      });
+
+      // Create restore token (30 days expiry)
+      const token = crypto.randomUUID();
+      await ctx.db.verificationToken.create({
+        data: {
+          identifier: `restore-${user.email}`,
+          token,
+          expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
+        },
+      });
+
+      // Send email
+      if (user.email) {
+        sendAccountDeletionScheduledEmail(user.email, token).catch(() => { });
+      }
+
+      // Log out user by clearing cookie
+      ctx.res.setHeader("Set-Cookie", serialize("auth_token", "", {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/",
+        maxAge: 0,
+      }));
+
+      return { success: true, message: 'Account scheduled for deletion' };
+    }),
+
+  restoreAccount: publicProcedure
+    .input(z.object({
+      token: z.string(),
+    }))
+    .mutation(async ({ ctx, input }) => {
+      const record = await ctx.db.verificationToken.findUnique({
+        where: { token: input.token },
+      });
+
+      if (!record || !record.identifier.startsWith('restore-')) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Invalid or expired restore link' });
+      }
+
+      if (record.expires < new Date()) {
+        await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
+        throw new TRPCError({ code: 'BAD_REQUEST', message: 'Restore link has expired.' });
+      }
+
+      const email = record.identifier.replace('restore-', '');
+
+      // Mark user as restored
+      await ctx.db.user.update({
+        where: { email },
+        data: { deletedAt: null },
+      });
+
+      // Delete used token
+      await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
+
+      // Send confirmation email
+      sendAccountRestoredEmail(email).catch(() => { });
+
+      return { success: true, message: 'Account restored successfully' };
+    }),
+
   logout: publicProcedure.mutation(async ({ ctx }) => {
     const token = ctx.cookies["auth_token"];
 
     if (!token) {
-      throw new Error("No token found");
+      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No token found" });
     }
 
-    await ctx.db.session.delete({
-      where: { id: token },
-    });
+    // We don't need to delete from db.session because we use a stateless
+    // custom HMAC auth system (auth_token cookie).
+
 
     ctx.res.setHeader("Set-Cookie", serialize("auth_token", "", {
       httpOnly: true,