@goscribe/server 1.3.4 → 1.6.0

package/src/routers/auth.ts

@@ -1,23 +1,15 @@
 import { z } from 'zod';
 import { router, publicProcedure, authedProcedure } from '../trpc.js';
-import PusherService from '../lib/pusher.js';
-import { logger } from '../lib/logger.js';
-import bcrypt from 'bcryptjs';
 import { serialize } from 'cookie';
-import crypto from 'node:crypto';
 import { TRPCError } from '@trpc/server';
-import { supabaseClient } from '../lib/storage.js';
-import {
-  sendVerificationEmail,
-  sendAccountDeletionScheduledEmail,
-  sendAccountRestoredEmail,
-  sendPasswordResetEmail,
-} from '../lib/email.js';
-import { createStripeCustomer } from '../lib/stripe.js';
-import {
-  notifyAdminsAccountDeletionScheduled,
-  notifyAdminsOnSignup,
-} from '../lib/notification-service.js';
+import PusherService from '../lib/pusher.js';
+import { logger } from '../lib/logger.js';
+import { AuthService } from '../services/auth/auth.service.js';
+
+/**
+ * Router owns HTTP-level concerns (cookie set/clear). The service is
+ * HTTP-free and returns pure data; the router wires it into `ctx.res`.
+ */
 
 function getAuthCookieConfig(isProduction: boolean) {
   return {
@@ -26,12 +18,10 @@ function getAuthCookieConfig(isProduction: boolean) {
     sameSite: (isProduction ? 'none' : 'lax') as 'none' | 'lax',
     path: '/',
     maxAge: 60 * 60 * 24 * 30,
-    // Use parent domain in production so scribe.study and api.scribe.study share auth state.
     domain: isProduction ? '.scribe.study' : undefined,
   };
 }
 
-// Helper to create custom auth token
 const passwordFieldSchema = z
   .string()
   .min(8, 'Password must be at least 8 characters')
@@ -39,549 +29,121 @@ const passwordFieldSchema = z
   .regex(/[0-9]/, 'Password must contain at least one number')
   .regex(/[^a-zA-Z0-9]/, 'Password must contain at least one special character');
 
-function hashPasswordResetToken(rawToken: string): string {
-  return crypto.createHash('sha256').update(rawToken, 'utf8').digest('hex');
-}
-
-/** Use until `npx prisma generate` runs after adding PasswordResetToken to the schema. */
-function passwordResetDb(ctx: { db: any }) {
-  return ctx.db.passwordResetToken;
-}
-
-function createCustomAuthToken(userId: string): string {
-  const secret = process.env.AUTH_SECRET;
-  if (!secret) {
-    throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: "AUTH_SECRET is not set" });
-  }
-
-  const base64UserId = Buffer.from(userId, 'utf8').toString('base64url');
-  const hmac = crypto.createHmac('sha256', secret);
-  hmac.update(base64UserId);
-  const signature = hmac.digest('hex');
-  return `${base64UserId}.${signature}`;
-}
-
 export const auth = router({
-  updateProfile: publicProcedure
-    .input(z.object({
-      name: z.string().min(1),
-    }))
-    .mutation(async ({ ctx, input }) => {
-      const { name } = input;
-
-      await ctx.db.user.update({
-        where: {
-          id: ctx.session.user.id,
-        },
-        data: {
-          name: name,
-        }
-      });
+  updateProfile: authedProcedure
+    .input(z.object({ name: z.string().min(1) }))
+    .mutation(({ ctx, input }) =>
+      new AuthService(ctx.db).updateProfile(ctx.session.user.id, input),
+    ),
 
-      return {
-        success: true,
-        message: 'Profile updated successfully',
-      };
-    }),
   changePassword: authedProcedure
-    .input(z.object({
-      currentPassword: z.string().min(1, "Current password is required"),
-      newPassword: passwordFieldSchema,
-    }))
-    .mutation(async ({ ctx, input }) => {
-      const user = await ctx.db.user.findUnique({
-        where: { id: ctx.session.user.id },
-        select: { id: true, passwordHash: true },
-      });
-
-      if (!user) {
-        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
-      }
-
-      if (!user.passwordHash) {
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message: 'Password change is unavailable for this account.',
-        });
-      }
-
-      const validCurrentPassword = await bcrypt.compare(input.currentPassword, user.passwordHash);
-      if (!validCurrentPassword) {
-        throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Current password is incorrect' });
-      }
-
-      const isSamePassword = await bcrypt.compare(input.newPassword, user.passwordHash);
-      if (isSamePassword) {
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message: 'New password must be different from current password',
-        });
-      }
-
-      const newHash = await bcrypt.hash(input.newPassword, 10);
-      await ctx.db.user.update({
-        where: { id: user.id },
-        data: { passwordHash: newHash },
-      });
-
-      return { success: true, message: 'Password changed successfully' };
-    }),
-  uploadProfilePicture: authedProcedure
-    .mutation(async ({ ctx }) => {
-      const userId = ctx.session.user.id;
-      logger.info(`Generating upload URL for user ${userId}`, 'AUTH');
-      const objectKey = `profile_picture_${userId}`;
-      const { data: signedUrlData, error: signedUrlError } = await supabaseClient.storage
-        .from('media')
-        .createSignedUploadUrl(objectKey, { upsert: true });
-
-      if (signedUrlError) {
-        logger.error(`Failed to generate upload URL: ${signedUrlError.message}`, 'AUTH');
-        throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: `Failed to generate upload URL: ${signedUrlError.message}` });
-      }
+    .input(
+      z.object({
+        currentPassword: z.string().min(1, 'Current password is required'),
+        newPassword: passwordFieldSchema,
+      }),
+    )
+    .mutation(({ ctx, input }) =>
+      new AuthService(ctx.db).changePassword(ctx.session.user.id, input),
+    ),
 
-      const fileAsset = await ctx.db.fileAsset.create({
-        data: {
-          userId: userId,
-          name: 'Profile Picture',
-          mimeType: 'image/jpeg',
-          size: 0,
-          bucket: 'media',
-          objectKey: objectKey,
-        },
-      });
+  uploadProfilePicture: authedProcedure.mutation(({ ctx }) =>
+    new AuthService(ctx.db).uploadProfilePicture(ctx.session.user.id),
+  ),
 
-      await ctx.db.user.update({
-        where: { id: userId },
-        data: {
-          fileAssetId: fileAsset.id,
-        },
-      });
+  confirmProfileUpdate: authedProcedure.mutation(async ({ ctx }) => {
+    logger.info(`Confirming profile update for user ${ctx.session.user.id}`, 'AUTH');
+    await PusherService.emitProfileUpdate(ctx.session.user.id);
+    return { success: true };
+  }),
 
-      logger.info(`Profile picture asset created and linked for user ${userId}`, 'AUTH');
-      return {
-        success: true,
-        message: 'Profile picture uploaded successfully',
-        signedUrl: signedUrlData.signedUrl,
-      };
-    }),
-  confirmProfileUpdate: authedProcedure
-    .mutation(async ({ ctx }) => {
-      logger.info(`Confirming profile update for user ${ctx.session.user.id}`, 'AUTH');
-      await PusherService.emitProfileUpdate(ctx.session.user.id);
-      return { success: true };
-    }),
   signup: publicProcedure
-    .input(z.object({
-      name: z.string().min(1),
-      email: z.string().email(),
-      password: passwordFieldSchema,
-    }))
-    .mutation(async ({ ctx, input }) => {
-      const existing = await ctx.db.user.findUnique({
-        where: { email: input.email },
-      });
-      if (existing) {
-        throw new TRPCError({ code: 'CONFLICT', message: "Email already registered" });
-      }
-
-      const hash = await bcrypt.hash(input.password, 10);
-
-      // Get default "User" role
-      const userRole = await ctx.db.role.findUnique({
-        where: { name: 'User' },
-      });
-
-      const user = await ctx.db.user.create({
-        data: {
-          name: input.name,
-          email: input.email,
-          passwordHash: hash,
-          roleId: userRole?.id,
-          // emailVerified is null -- user must verify
-        },
-      });
-
-      await notifyAdminsOnSignup(ctx.db, {
-        id: user.id,
-        name: user.name,
-        email: user.email,
-      });
-
-      // Create verification token (24h expiry)
-      const token = crypto.randomUUID();
-      await ctx.db.verificationToken.create({
-        data: {
-          identifier: input.email,
-          token,
-          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
-        },
-      });
-
-      // Send verification email (non-blocking)
-      sendVerificationEmail(input.email, token, input.name).catch(() => { });
-
-      // Create Stripe Customer (non-blocking for registration, but we want it)
-      createStripeCustomer(input.email, input.name).then(async (stripeCustomerId) => {
-        if (stripeCustomerId) {
-          await ctx.db.user.update({
-            where: { id: user.id },
-            data: { stripe_customer_id: stripeCustomerId }
-          }).catch((err: any) => logger.error(`Failed to update user with stripe_customer_id: ${err.message}`, 'AUTH'));
-        }
-      });
-
-      return { id: user.id, email: user.email, name: user.name };
-    }),
+    .input(
+      z.object({
+        name: z.string().min(1),
+        email: z.string().email(),
+        password: passwordFieldSchema,
+      }),
+    )
+    .mutation(({ ctx, input }) => new AuthService(ctx.db).signup(input)),
 
-  // Verify email with token from the email link
   verifyEmail: publicProcedure
-    .input(z.object({
-      token: z.string(),
-    }))
-    .mutation(async ({ ctx, input }) => {
-      const record = await ctx.db.verificationToken.findUnique({
-        where: { token: input.token },
-      });
-
-      if (!record) {
-        throw new TRPCError({ code: 'NOT_FOUND', message: 'Invalid or expired verification link' });
-      }
-
-      if (record.expires < new Date()) {
-        // Clean up expired token
-        await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
-        throw new TRPCError({ code: 'BAD_REQUEST', message: 'Verification link has expired. Please request a new one.' });
-      }
-
-      // Mark user as verified
-      await ctx.db.user.update({
-        where: { email: record.identifier },
-        data: { emailVerified: new Date() },
-      });
-
-      // Delete used token
-      await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
-
-      return { success: true, message: 'Email verified successfully' };
-    }),
-
-  // Resend verification email (for logged-in users who haven't verified)
-  resendVerification: publicProcedure
-    .mutation(async ({ ctx }) => {
-      if (!ctx.session?.user?.id) {
-        throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Not logged in' });
-      }
-
-      const user = await ctx.db.user.findUnique({
-        where: { id: ctx.session.user.id },
-      });
-
-      if (!user || !user.email) {
-        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
-      }
-
-      if (user.emailVerified) {
-        return { success: true, message: 'Email is already verified' };
-      }
+    .input(z.object({ token: z.string() }))
+    .mutation(({ ctx, input }) => new AuthService(ctx.db).verifyEmail(input.token)),
 
-      // Delete any existing tokens for this email
-      await ctx.db.verificationToken.deleteMany({
-        where: { identifier: user.email },
-      });
+  resendVerification: publicProcedure.mutation(({ ctx }) =>
+    new AuthService(ctx.db).resendVerification(ctx.session?.user?.id),
+  ),
 
-      // Create new token
-      const token = crypto.randomUUID();
-      await ctx.db.verificationToken.create({
-        data: {
-          identifier: user.email,
-          token,
-          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
-        },
-      });
-
-      const sent = await sendVerificationEmail(user.email, token, user.name);
-      if (!sent) {
-        throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: 'Failed to send email. Please try again.' });
-      }
-
-      return { success: true, message: 'Verification email sent' };
-    }),
   login: publicProcedure
-    .input(z.object({
-      email: z.string().email(),
-      password: z.string().min(6),
-    }))
+    .input(
+      z.object({
+        email: z.string().email(),
+        password: z.string().min(6),
+      }),
+    )
     .mutation(async ({ ctx, input }) => {
-      const user = await ctx.db.user.findUnique({
-        where: { email: input.email },
-      });
-      if (!user) {
-        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
-      }
-
-      if (user.deletedAt) {
-        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Account scheduled for deletion. Please check your email for a restore link." });
-      }
+      const result = await new AuthService(ctx.db).login(input);
 
-      const valid = await bcrypt.compare(input.password, user.passwordHash!);
-      if (!valid) {
-        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
-      }
+      const isProduction = (process.env.NODE_ENV === 'production' || process.env.RENDER) as boolean;
+      const cookieValue = serialize(
+        'auth_token',
+        result.token,
+        getAuthCookieConfig(isProduction),
+      );
+      ctx.res.setHeader('Set-Cookie', cookieValue);
 
-      // Create custom auth token
-      const authToken = createCustomAuthToken(user.id);
-
-      const isProduction = (process.env.NODE_ENV === "production" || process.env.RENDER) as boolean;
-
-      const cookieValue = serialize("auth_token", authToken, getAuthCookieConfig(isProduction));
-
-      ctx.res.setHeader("Set-Cookie", cookieValue);
-
-
-      return {
-        id: user.id,
-        email: user.email,
-        name: user.name,
-        token: authToken
-      };
+      return result;
     }),
 
-  /**
-   * Request a password reset email. Always returns the same message (no email enumeration).
-   */
   requestPasswordReset: publicProcedure
     .input(z.object({ email: z.string().email() }))
-    .mutation(async ({ ctx, input }) => {
-      const email = input.email.trim().toLowerCase();
-      const generic = {
-        success: true as const,
-        message:
-          'If an account exists for this email, we sent password reset instructions.',
-      };
-
-      const user = await ctx.db.user.findUnique({
-        where: { email },
-        select: {
-          id: true,
-          email: true,
-          name: true,
-          passwordHash: true,
-          deletedAt: true,
-        },
-      });
+    .mutation(({ ctx, input }) => new AuthService(ctx.db).requestPasswordReset(input)),
 
-      if (!user?.passwordHash || user.deletedAt || !user.email) {
-        return generic;
-      }
-
-      await passwordResetDb(ctx).deleteMany({
-        where: { userId: user.id, usedAt: null },
-      });
-
-      const rawToken = crypto.randomBytes(32).toString('hex');
-      const tokenHash = hashPasswordResetToken(rawToken);
-      const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
-
-      await passwordResetDb(ctx).create({
-        data: {
-          userId: user.id,
-          tokenHash,
-          expiresAt,
-        },
-      });
-
-      sendPasswordResetEmail(user.email, rawToken, user.name).catch(() => {});
-
-      return generic;
-    }),
-
-  /**
-   * Complete password reset using the token from the email link.
-   */
   resetPassword: publicProcedure
     .input(
       z.object({
         token: z.string().min(1),
         newPassword: passwordFieldSchema,
-      })
+      }),
     )
-    .mutation(async ({ ctx, input }) => {
-      const tokenHash = hashPasswordResetToken(input.token);
-
-      const record = await passwordResetDb(ctx).findUnique({
-        where: { tokenHash },
-      });
-
-      if (!record || record.usedAt || record.expiresAt < new Date()) {
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message: 'Invalid or expired reset link. Please request a new one.',
-        });
-      }
-
-      const newHash = await bcrypt.hash(input.newPassword, 10);
-
-      await ctx.db.user.update({
-        where: { id: record.userId },
-        data: { passwordHash: newHash },
-      });
-
-      await passwordResetDb(ctx).update({
-        where: { id: record.id },
-        data: { usedAt: new Date() },
-      });
-
-      await passwordResetDb(ctx).deleteMany({
-        where: { userId: record.userId, id: { not: record.id } },
-      });
+    .mutation(({ ctx, input }) => new AuthService(ctx.db).resetPassword(input)),
 
-      return { success: true, message: 'Password updated. You can sign in now.' };
-    }),
-
-  getSession: publicProcedure.query(async ({ ctx }) => {
-    // Just return the current session from context
-    if (!ctx.session) {
-      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No session found" });
-    }
+  getSession: publicProcedure.query(({ ctx }) =>
+    new AuthService(ctx.db).getSession((ctx.session as any)?.user?.id),
+  ),
 
-    const userId = (ctx.session as any).user.id;
-    const user = await ctx.db.user.findUnique({
-      where: { id: userId },
-      include: {
-        profilePicture: true,
-        role: true,
-      }
-    });
+  requestAccountDeletion: authedProcedure.mutation(async ({ ctx }) => {
+    const result = await new AuthService(ctx.db).requestAccountDeletion(ctx.session.user.id);
 
-    if (!user) {
-      throw new TRPCError({ code: 'NOT_FOUND', message: "User not found" });
-    }
-
-    const profilePictureUrl = user.profilePicture?.objectKey
-      ? `/profile-picture/${user.profilePicture.objectKey}?t=${new Date(user.updatedAt).getTime()}`
-      : null;
-
-    logger.info(`Session fetched for user ${userId}, profilePicture: ${profilePictureUrl}`, 'AUTH');
+    const isProduction = (process.env.NODE_ENV === 'production' || process.env.RENDER) as boolean;
+    const clearCookieConfig = getAuthCookieConfig(isProduction);
+    ctx.res.setHeader(
+      'Set-Cookie',
+      serialize('auth_token', '', { ...clearCookieConfig, maxAge: 0 }),
+    );
 
-    return {
-      user: {
-        id: user.id,
-        email: user.email,
-        name: user.name,
-        emailVerified: !!user.emailVerified,
-        profilePicture: profilePictureUrl,
-        role: user.role,
-      }
-    };
+    return result;
   }),
-  requestAccountDeletion: authedProcedure
-    .mutation(async ({ ctx }) => {
-      const user = await ctx.db.user.findUnique({
-        where: { id: ctx.session.user.id },
-      });
-
-      if (!user) {
-        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
-      }
-
-      // Mark user as deleted
-      await ctx.db.user.update({
-        where: { id: user.id },
-        data: { deletedAt: new Date() },
-      });
-
-      await notifyAdminsAccountDeletionScheduled(ctx.db, {
-        id: user.id,
-        name: user.name,
-        email: user.email,
-      }).catch(() => {});
-
-      // Clear existing restore tokens
-      await ctx.db.verificationToken.deleteMany({
-        where: { identifier: `restore-${user.email}` },
-      });
-
-      // Create restore token (30 days expiry)
-      const token = crypto.randomUUID();
-      await ctx.db.verificationToken.create({
-        data: {
-          identifier: `restore-${user.email}`,
-          token,
-          expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-        },
-      });
-
-      // Send email
-      if (user.email) {
-        sendAccountDeletionScheduledEmail(user.email, token).catch(() => { });
-      }
-
-      // Log out user by clearing cookie
-      const isProduction = (process.env.NODE_ENV === "production" || process.env.RENDER) as boolean;
-      const clearCookieConfig = getAuthCookieConfig(isProduction);
-      ctx.res.setHeader("Set-Cookie", serialize("auth_token", "", {
-        ...clearCookieConfig,
-        maxAge: 0,
-      }));
-
-      return { success: true, message: 'Account scheduled for deletion' };
-    }),
 
   restoreAccount: publicProcedure
-    .input(z.object({
-      token: z.string(),
-    }))
-    .mutation(async ({ ctx, input }) => {
-      const record = await ctx.db.verificationToken.findUnique({
-        where: { token: input.token },
-      });
-
-      if (!record || !record.identifier.startsWith('restore-')) {
-        throw new TRPCError({ code: 'NOT_FOUND', message: 'Invalid or expired restore link' });
-      }
-
-      if (record.expires < new Date()) {
-        await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
-        throw new TRPCError({ code: 'BAD_REQUEST', message: 'Restore link has expired.' });
-      }
-
-      const email = record.identifier.replace('restore-', '');
-
-      // Mark user as restored
-      await ctx.db.user.update({
-        where: { email },
-        data: { deletedAt: null },
-      });
-
-      // Delete used token
-      await ctx.db.verificationToken.deleteMany({ where: { token: input.token } });
-
-      // Send confirmation email
-      sendAccountRestoredEmail(email).catch(() => { });
-
-      return { success: true, message: 'Account restored successfully' };
-    }),
+    .input(z.object({ token: z.string() }))
+    .mutation(({ ctx, input }) => new AuthService(ctx.db).restoreAccount(input.token)),
 
   logout: publicProcedure.mutation(async ({ ctx }) => {
-    const token = ctx.cookies["auth_token"];
+    const token = ctx.cookies['auth_token'];
 
     if (!token) {
-      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No token found" });
+      throw new TRPCError({ code: 'UNAUTHORIZED', message: 'No token found' });
     }
 
-    // We don't need to delete from db.session because we use a stateless
-    // custom HMAC auth system (auth_token cookie).
-
-
-    const isProduction = (process.env.NODE_ENV === "production" || process.env.RENDER) as boolean;
+    const isProduction = (process.env.NODE_ENV === 'production' || process.env.RENDER) as boolean;
     const clearCookieConfig = getAuthCookieConfig(isProduction);
-    ctx.res.setHeader("Set-Cookie", serialize("auth_token", "", {
-      ...clearCookieConfig,
-      maxAge: 0, // Expire immediately
-    }));
+    ctx.res.setHeader(
+      'Set-Cookie',
+      serialize('auth_token', '', { ...clearCookieConfig, maxAge: 0 }),
+    );
 
     return { success: true };
   }),
 });
-