@hed-hog/core 0.0.96 → 0.0.99

package/src/auth/auth.service.ts

@@ -6,6 +6,7 @@ import {
   forwardRef,
   Inject,
   Injectable,
+  NotFoundException,
 } from '@nestjs/common';
 import { ChallengeService } from '../challenge/challenge.service';
 import { MailService as MailManagerService } from '../mail/mail.service';
@@ -53,17 +54,314 @@ export class AuthService {
 
   }
 
+  async requiresMfaForLogin(locale: string, email: string, user: any) {
+
+    console.log('MFA required, setting up email MFA');
+
+    const settings = await this.setting.getSettingValues([
+      'require-mfa',
+      'require-email-verification',
+      'mfa-email-code-length',
+      'mfa-challenge-expiration-minutes'
+    ]);
+
+    const code = this.security.generateCode(settings['mfa-email-code-length'] || 6);
+    const codeHash = this.security.hashWithPepper(code);
+
+    const identifier = await this.prisma.user_identifier.findFirst({
+      where: {
+        user_id: user.id,
+        type: 'email',
+        value: email,
+      },
+      select: { id: true }
+    });
+
+    if (!identifier) {
+      throw new NotFoundException(getLocaleText('identifierNotFound', locale, 'Email identifier not found or already verified.'));
+    }
+
+    const challengeIdentifier = await this.prisma.user_identifier_challenge.create({
+      data: {
+        hash: codeHash,
+        expires_at: new Date(Date.now() + (settings['mfa-challenge-expiration-minutes'] || 15) * 60000),
+        user_identifier_id: identifier.id,
+      },
+      select: {
+        id: true,
+      }
+    });
+
+    const mfa = await this.prisma.user_mfa.create({
+      data: {
+        name: getLocaleText('mfaEmailDefaultName', locale, 'Email MFA'),
+        type: 'email',
+        user_id: user.id,
+        user_mfa_email: {
+          create: {
+            email,
+          }
+        },
+        user_mfa_challenge: {
+          create: {
+            expires_at: new Date(Date.now() + (settings['mfa-challenge-expiration-minutes'] || 15) * 60000),
+            hash: codeHash,
+          }
+        }
+      },
+      select: {
+        user_mfa_challenge: {
+          select: { id: true }
+        }
+      }
+    });
+
+    const challengeMfaId = mfa.user_mfa_challenge[0].id;
+
+    await this.mail.sendTemplatedMail(
+      locale,
+      {
+        email,
+        slug: 'auth-sign-up-confirm-email',
+        variables: {
+          code,
+          name: user.name,
+        }
+      }
+    );
+
+    return {
+      requiresMfa: true,
+      token: await this.token.createAccessToken({
+        challengeIdentifierId: challengeIdentifier.id,
+        challengeMfaId,
+      })
+    }
+  }
+
+  async requiresEmailVerificationForLogin(locale: string, email: string, user: any) {
+
+    const settings = await this.setting.getSettingValues([
+      'require-mfa',
+      'require-email-verification',
+      'mfa-email-code-length',
+      'mfa-challenge-expiration-minutes'
+    ]);
+
+    const code = this.security.generateCode(settings['mfa-email-code-length'] || 6);
+    const codeHash = this.security.hashWithPepper(code);
+
+    const identifier = await this.prisma.user_identifier.findFirst({
+      where: {
+        user_id: user.id,
+        type: 'email',
+        value: email,
+      },
+      select: { id: true }
+    });
+
+    if (!identifier) {
+      throw new NotFoundException(getLocaleText('identifierNotFound', locale, 'Email identifier not found or already verified.'));
+    }
+
+    const challengeIdentifier = await this.prisma.user_identifier_challenge.create({
+      data: {
+        hash: codeHash,
+        expires_at: new Date(Date.now() + (settings['mfa-challenge-expiration-minutes'] || 15) * 60000),
+        user_identifier_id: identifier.id,
+      },
+      select: {
+        id: true,
+      }
+    });
+
+      await this.mail.sendTemplatedMail(
+      locale,
+      {
+        email,
+        slug: 'auth-sign-up-confirm-email',
+        variables: {
+          code,
+          name: user.name,
+        }
+      }
+    );
+
+    return {
+      requiresEmailVerification: true,
+      token: await this.token.createAccessToken({
+        challengeIdentifierId: challengeIdentifier.id,
+        email
+      })
+    }
+
+  }
+
+  async emailVerificationLoginResend(locale: string, token: string) {
+
+    try {
+      const payload = await this.token.verify(locale, token);
+
+      const challenge = await this.prisma.user_identifier_challenge.findUnique({
+        where: { id: payload.challengeIdentifierId },
+        select: {
+          user_identifier: {
+            select: {
+              user_id: true
+            }
+          }
+        }
+      });
+
+      if (!challenge) {
+        throw new NotFoundException(getLocaleText('challengeNotFound', locale, 'Challenge not found.'));
+      }
+
+      const user = await this.user.findUserById(locale, challenge.user_identifier.user_id);
+
+      return await this.requiresEmailVerificationForLogin(locale, payload.email, user);
+
+    } catch (error: any) {
+      if (error.message?.includes('jwt expired') || error.name === 'TokenExpiredError') {
+        
+        const expiredPayload = await this.token.decodeExpiredToken(token);
+        const newToken = await this.token.createAccessToken({
+            challengeIdentifierId: expiredPayload.challengeIdentifierId,
+            email: expiredPayload.email
+          });
+
+        return this.emailVerificationLoginResend(locale, newToken);
+      }
+      
+      throw error;
+    }
+  }
+
+  async emailVerificationLogin(locale: string, token: string, code: string, ipAddress: string, userAgent: string, res: any) {
+
+    try {
+      const payload = await this.token.verify(locale, token);
+
+      const challenge = await this.prisma.user_identifier_challenge.findUnique({
+        where: { id: payload.challengeIdentifierId },
+        select: {
+          hash: true,
+          user_identifier_id: true,
+          user_identifier: {
+            select: {
+              user_id: true
+            }
+          }
+        }
+      });
+
+      if (!challenge) {
+        throw new NotFoundException(getLocaleText('challengeNotFound', locale, 'Challenge not found.'));
+      }
+
+      await this.prisma.user_identifier_challenge.update({
+        where: { id: payload.challengeIdentifierId },
+        data: {
+          attempts: { increment: 1 }
+        }
+      });
+
+      if (challenge.hash !== this.security.hashWithPepper(code)) {
+        throw new BadRequestException(getLocaleText('invalidVerificationCode', locale, 'Invalid verification code.'));
+      }
+
+      await this.prisma.$transaction(async (tx) => {
+
+        await tx.user_identifier_challenge.update({
+          where: { id: payload.challengeIdentifierId },
+          data: {
+            verified_at: new Date(),
+          }
+        });
+
+        await tx.user_identifier.update({
+          where: { id: challenge.user_identifier_id },
+          data: {
+            verified_at: new Date(),
+          }
+        });
+
+      });
+
+      const user = await this.user.findUserById(locale, challenge.user_identifier.user_id);
+
+      return this.login(locale, user as unknown as User, ipAddress, userAgent, res);
+
+    } catch (error) {
+        throw error;
+    }
+  }
+
+  private async login(locale: string, user: User, ipAddress: string, userAgent: string, res: any) {
+
+    const emails = await this.prisma.user_identifier.findMany({
+      where: {
+        user_id: user.id,
+        type: 'email',
+      },
+      select: { value: true }
+    });
+
+    if (!emails || emails.length === 0) {
+      throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
+    }
+
+    const { accessToken, refreshToken, session } = await this.getAuthenticationPayload(
+      locale,
+      user.id,
+      ipAddress,
+      userAgent
+    );
+
+    for (const emailObj of emails) {
+
+        this.mail.sendTemplatedMail(
+          locale,
+          {
+            email: emailObj.value,
+            slug: 'auth-login-new-device',
+            variables: {
+              name: user.name,
+              ipAddress,
+              userAgent,
+              location: 'Unknown',
+            }
+          }
+        );
+
+      }
+
+    await this.user.registerUserActivity(user.id, "login")
+
+    await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
+
+    if (refreshToken) {
+      return { accessToken, refreshToken };
+    }
+
+    return { accessToken };
+  }
+
   async loginWithEmailAndPassword(
+    res: any,
     locale: string,
     ipAddress: string,
     userAgent: string,
     { email, password }: LoginDTO,
   ) {
+
     const user = await this.user.findUserByEmail(locale, email);
+
     if (!user) throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
     const credentials = (user as unknown as User).user_credential?.filter((c) => c.type === 'password') || [];
+    const identifier = user.user_identifier?.find((i) => i.type === 'email' && i.value === email);
 
-    if (!await this.security.validatePassword(locale, credentials, password)) {
+    if (!(await this.security.validatePassword(locale, credentials, password))) {
       throw new BadRequestException(getLocaleText('accessDenied', locale, 'Access denied.'));
     }
 
@@ -100,29 +398,39 @@ export class AuthService {
       };
     }
 
-    const { accessToken, refreshToken, session } = await this.getAuthenticationPayload(
-      locale,
-      user.id,
-      ipAddress,
-      userAgent
-    );
+    const settings = await this.setting.getSettingValues([
+      'require-mfa',
+      'require-email-verification',
+      'mfa-email-code-length',
+      'mfa-challenge-expiration-minutes'
+    ]);
 
-    this.mail.sendTemplatedMail(
-      locale,
-      {
-        email,
-        slug: 'auth-login-new-device',
-        variables: {
-          name: user.name,
-          ipAddress,
-          userAgent,
-          location: 'Unknown',
+    if (settings['require-mfa'] === true && mfaMethods.length === 0) {
+
+      return this.requiresMfaForLogin(locale, email, user);
+
+    } else if (settings['require-email-verification'] === true && identifier?.verified_at === null) {
+
+      return this.requiresEmailVerificationForLogin(locale, email, user);
+
+    }
+
+    return this.login(locale, user as unknown as User, ipAddress, userAgent, res);
+  }
+
+  async verifyRoles(_locale: string, userId: number) {
+    return this.prisma.role.findMany({
+      where: {
+        role_user: {
+          some: {
+            user_id: userId
+          }
         }
+      },
+      select: {
+        slug: true
       }
-    );
-
-    await this.user.registerUserActivity(user.id, "login")
-    return { accessToken, refreshToken, session };
+    })
   }
 
   async verifyUser(locale: string, userId: number) {

package/src/auth/dto/login-email-verification-resend.dto.ts

@@ -0,0 +1,7 @@
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class LoginEmailVerificationResendDTO {
+  @IsString()
+  @IsNotEmpty()
+  token: string;
+}

package/src/auth/dto/login-email-verification.dto.ts

@@ -0,0 +1,12 @@
+import { IsNotEmpty, IsString } from 'class-validator';
+import { IsPinCodeWithSetting } from '../../validators/is-pin-code-with-setting.validator';
+
+export class LoginEmailVerificationDTO {
+  @IsString()
+  @IsNotEmpty()
+  token: string;
+
+  @IsPinCodeWithSetting()
+  @IsNotEmpty()
+  code: string;
+}

package/src/challenge/challenge.service.ts

@@ -375,6 +375,9 @@ export class ChallengeService {
   }
 
   async sendMfaCodeToMultipleEmails(locale: string, userId: number, emails: string[]) {
+
+    console.log('Sending MFA codes to multiple emails:', emails);
+
     if (!emails || emails.length === 0) {
       return { success: true };
     }
@@ -416,6 +419,7 @@ export class ChallengeService {
     });
 
     for (const email of emails) {
+      
       this.mail.sendTemplatedMail(
         locale,
         {

package/src/mail/mail.controller.ts

@@ -2,19 +2,19 @@ import { DeleteDTO, Role } from '@hed-hog/api';
 import { Locale } from '@hed-hog/api-locale';
 import { Pagination } from '@hed-hog/api-pagination';
 import {
-    Body,
-    Controller,
-    Delete,
-    Get,
-    Header,
-    Inject,
-    Param,
-    ParseIntPipe,
-    Patch,
-    Post,
-    Query,
-    Res,
-    forwardRef,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Header,
+  Inject,
+  Param,
+  ParseIntPipe,
+  Patch,
+  Post,
+  Query,
+  Res,
+  forwardRef,
 } from '@nestjs/common';
 import { Response } from 'express';
 import { CreateDTO } from './dto/create.dto';

package/src/profile/dto/email-verification-confirm.dto.ts

@@ -1,12 +1,18 @@
 
 import { getLocaleText } from '@hed-hog/api-locale';
-import { IsNotEmpty, IsNumber, IsString } from 'class-validator';
+import { IsNotEmpty, IsNumber, IsOptional, IsString } from 'class-validator';
+import { IsPinCodeWithSetting } from '../../validators/is-pin-code-with-setting.validator';
 
 export class EmailVerificationDto {
   @IsString({ message: (args) => getLocaleText('validation.stringRequired', args.value) })
+  @IsPinCodeWithSetting()
   pin: string;
 
   @IsNumber({}, { message: (args) => getLocaleText('validation.numberRequired', args.value) })
   @IsNotEmpty({ message: (args) => getLocaleText('validation.fieldRequired', args.value) }) 
   challengeId: number;
+
+  @IsOptional()
+  @IsString({ message: (args) => getLocaleText('validation.stringRequired', args.value) })
+  name?: string;
 }

package/src/profile/profile.controller.ts

@@ -81,6 +81,7 @@ export class ProfileController {
 
   @Post('mfa/email/verify/confirm')
   sendEmailVerificationMfaConfirm(@User() {id}, @Body() data: EmailVerificationDto, @Locale() locale: string) {
+    console.log('sendEmailVerificationMfaConfirm')
     return this.profileService.confirmEmailVerificationMfa(locale, id, data);
   }
   

package/src/profile/profile.service.ts

@@ -135,15 +135,84 @@ export class ProfileService {
     return { success: true };
   }
 
-  async confirmEmailVerificationMfa(locale: string, userId: number, { pin, challengeId }: EmailVerificationDto) {
+  async confirmEmailVerificationMfa(locale: string, userId: number, { pin, challengeId, name }: EmailVerificationDto) {
 
-    return {
-      locale,
-      userId,
-      pin,
-      challengeId
+    const user = await this.prisma.user.findUnique({
+      where: { id: userId },
+    });
+
+    if (!user) {
+      throw new NotFoundException(getLocaleText('userNotFound', locale, 'User not found.'));
+    }
+
+    const challenge = await this.prisma.user_mfa_challenge.findFirst({
+      where: {
+        id: challengeId,
+        expires_at: {
+          gt: new Date()
+        },
+        verified_at: null        
+      },
+      include: {
+        user_mfa: {
+          include: {
+            user_mfa_email: true
+          }
+        }
+      }
+    });
+
+    if (!challenge) {
+      throw new NotFoundException(getLocaleText('challengeNotFound', locale, 'Challenge not found.'));
     }
 
+    await this.prisma.user_mfa_challenge.update({
+      where: {
+        id: challengeId
+      },
+      data: {
+        attempts: { increment: 1 }
+      }
+    });
+
+    if (challenge.hash !== this.security.hashWithPepper(pin)) {
+      throw new BadRequestException(getLocaleText('invalidPin', locale, 'Invalid PIN.'));
+    }
+
+    await this.prisma.$transaction(async (tx) => {
+
+      await tx.user_mfa_challenge.update({
+        where: { id: challengeId },
+        data: { verified_at: new Date() },
+      });
+
+      await tx.user_mfa.update({
+        where: { id: challenge.user_mfa.id },
+        data: {
+          verified_at: new Date(),
+          name: name || challenge.user_mfa.name
+        },
+      });
+
+      await tx.user_identifier.updateMany({
+        where: {
+          user_id: userId,
+          verified_at: { not: null },
+          value: challenge.user_mfa.user_mfa_email[0].email,
+        },
+        data: {
+          enabled: true,
+          verified_at: new Date(),
+        }
+      })
+
+    });
+
+    const updatedUser = await this.prisma.user.findFirst({ where: { id: user.id }})
+    const codes = await this.createMfaRecoveryCodes(user.id);
+    const newToken = await this.getToken(updatedUser);
+    return { ...newToken, codes };
+
   }
 
   async confirmEmailVerification(locale: string, userId: number, { pin, challengeId }: EmailVerificationDto) {

package/src/security/security.service.ts

@@ -100,4 +100,12 @@ export class SecurityService {
     }
   }
 
+  generateCode(length: number): string {
+
+    return Array.from(crypto.getRandomValues(new Uint8Array(length || 6)))
+        .map(n => (n % 10).toString())
+        .join('');
+
+  }
+
 }

package/src/token/token.service.ts

@@ -18,8 +18,13 @@ export class TokenService {
 
   async verify(locale: string, token: string) {
     try {
-      return this.jwt.verifyAsync(token, { secret: this.security.getJwtSecret() });
+      return this.jwt.verifyAsync(token, {
+        secret: this.security.getJwtSecret(),
+      });
     } catch (error) {
+
+      console.log('JWT ERROR', error);
+
       // Return 401 for JWT errors (expired, invalid, etc.)
       throw new UnauthorizedException(
         (error as any).message || getLocaleText('accessDenied', locale, 'Access denied.')
@@ -107,4 +112,15 @@ export class TokenService {
       throw new ForbiddenException('Invalid or expired MFA token');
     }
   }
+
+  async decodeExpiredToken(token: string): Promise<any> {
+    try {
+      return await this.jwt.verifyAsync(token, {
+        secret: this.security.getJwtSecret(),
+        ignoreExpiration: true,
+      });
+    } catch (error) {
+      throw new UnauthorizedException('Invalid token');
+    }
+  }
 }

package/src/user/user.service.ts

@@ -1,6 +1,6 @@
 import { getLocaleText } from '@hed-hog/api-locale';
 import { PaginationService } from '@hed-hog/api-pagination';
-import { PrismaService, user } from '@hed-hog/api-prisma';
+import { PrismaService } from '@hed-hog/api-prisma';
 import {
   BadRequestException,
   Inject,
@@ -143,8 +143,16 @@ export class UserService {
       include: {
         user_account: true,
         user_credential: true,
-        user_identifier: true,
-        user_mfa: true,
+        user_identifier: {
+          where: {
+            enabled: true,
+          }
+        },
+        user_mfa: {
+          where: {
+            verified_at: { not: null },
+          }
+        },
         user_activity: {
           orderBy: {
             created_at: 'desc',
@@ -228,7 +236,7 @@ export class UserService {
       return { user, challenge };
     }
 
-    async findUserById(locale: string, id: number) {
+  async findUserById(locale: string, id: number) {
     const user = await this.prismaService.user.findUnique({
       where: { id },
       include: {
@@ -247,7 +255,7 @@ export class UserService {
     return user;
   }
 
-  async findUserByEmail(locale: string, email: string): Promise<user | null>  {
+  async findUserByEmail(_locale: string, email: string)  {
     const user = await this.prismaService.user.findFirst({
       where: {
         user_identifier: {