@lenne.tech/nest-server 11.7.0 → 11.7.2

package/src/core/modules/auth/services/core-auth.service.ts

@@ -1,4 +1,11 @@
-import { BadRequestException, Injectable, UnauthorizedException } from '@nestjs/common';
+import {
+  BadRequestException,
+  Injectable,
+  Logger,
+  NotFoundException,
+  Optional,
+  UnauthorizedException,
+} from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import bcrypt = require('bcrypt');
 import { randomUUID } from 'crypto';
@@ -8,6 +15,8 @@ import { getStringIds } from '../../../common/helpers/db.helper';
 import { prepareServiceOptions } from '../../../common/helpers/service.helper';
 import { ServiceOptions } from '../../../common/interfaces/service-options.interface';
 import { ConfigService } from '../../../common/services/config.service';
+import { BetterAuthUserMapper } from '../../better-auth/better-auth-user.mapper';
+import { BetterAuthService } from '../../better-auth/better-auth.service';
 import { CoreAuthModel } from '../core-auth.model';
 import { CoreAuthSignInInput } from '../inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from '../inputs/core-auth-sign-up.input';
@@ -29,9 +38,23 @@ export interface GetResultOptions {
 
 /**
  * CoreAuthService to handle user authentication
+ *
+ * When Better-Auth (IAM) is enabled, this service delegates authentication to IAM
+ * while maintaining backwards compatibility by returning Legacy JWT format tokens.
+ *
+ * Migration strategy:
+ * - New users: Created directly in IAM with scrypt password hash
+ * - Existing Legacy users: Lazily migrated on first sign-in
+ *   (Legacy bcrypt password verified, then IAM account created with scrypt hash)
+ *
+ * @deprecated The signIn and signUp methods are deprecated when IAM is enabled.
+ * Use the IAM REST endpoints (/iam/sign-in/email, /iam/sign-up/email) directly
+ * for new implementations. Legacy endpoints remain for backwards compatibility.
  */
 @Injectable()
 export class CoreAuthService {
+  private readonly logger = new Logger(CoreAuthService.name);
+
   /**
    * Integrate services
    */
@@ -39,6 +62,8 @@ export class CoreAuthService {
     protected readonly userService: CoreAuthUserService,
     protected readonly jwtService: JwtService,
     protected readonly configService: ConfigService,
+    @Optional() protected readonly betterAuthService?: BetterAuthService,
+    @Optional() protected readonly betterAuthUserMapper?: BetterAuthUserMapper,
   ) {}
 
   /**
@@ -99,6 +124,14 @@ export class CoreAuthService {
 
   /**
    * User sign in via email
+   *
+   * When IAM is enabled, this method:
+   * 1. For migrated users (have iamId): Verifies password via IAM
+   * 2. For non-migrated users: Verifies via Legacy, then migrates to IAM
+   *
+   * Always returns Legacy JWT format for backwards compatibility.
+   *
+   * @deprecated When IAM is enabled, prefer using /iam/sign-in/email REST endpoint directly.
    */
   async signIn(input: CoreAuthSignInInput, serviceOptions?: ServiceOptions): Promise<CoreAuthModel> {
     // Check input
@@ -106,6 +139,9 @@ export class CoreAuthService {
       throw new BadRequestException('Missing input');
     }
 
+    // Check if user enumeration prevention is enabled
+    const preventUserEnumeration = this.configService.getFastButReadOnly('auth.preventUserEnumeration', false);
+
     // Prepare service options
     const serviceOptionsForUserService = prepareServiceOptions(serviceOptions, {
       // We need password, so we can't use prepare output handling and have to deactivate it
@@ -119,12 +155,47 @@ export class CoreAuthService {
     const { deviceDescription, deviceId, email, password } = input;
 
     // Get user
-    const user = await this.userService.getViaEmail(email, serviceOptionsForUserService);
+    let user: ICoreAuthUser;
+    try {
+      user = await this.userService.getViaEmail(email, serviceOptionsForUserService);
+    } catch (error) {
+      if (error instanceof NotFoundException) {
+        throw new UnauthorizedException(preventUserEnumeration ? 'Invalid credentials' : 'Unknown email');
+      }
+      throw error;
+    }
     if (!user) {
-      throw new UnauthorizedException('Unknown email');
+      throw new UnauthorizedException(preventUserEnumeration ? 'Invalid credentials' : 'Unknown email');
     }
-    if (!((await bcrypt.compare(password, user.password)) || (await bcrypt.compare(sha256(password), user.password)))) {
-      throw new UnauthorizedException('Wrong password');
+
+    // Determine if IAM delegation is available
+    const iamEnabled = this.isIamEnabled();
+
+    if (iamEnabled && user.iamId) {
+      // User is already migrated to IAM - verify via IAM
+      const iamVerified = await this.verifyPasswordViaIam(email, password);
+      if (!iamVerified) {
+        throw new UnauthorizedException(preventUserEnumeration ? 'Invalid credentials' : 'Wrong password');
+      }
+      this.logger.debug(`User ${email} authenticated via IAM (already migrated)`);
+    } else {
+      // Verify via Legacy (bcrypt)
+      // Check if user has a password (social login only users don't have one)
+      if (!user.password) {
+        throw new UnauthorizedException(
+          preventUserEnumeration ? 'Invalid credentials' : 'No password set for this account',
+        );
+      }
+      if (
+        !((await bcrypt.compare(password, user.password)) || (await bcrypt.compare(sha256(password), user.password)))
+      ) {
+        throw new UnauthorizedException(preventUserEnumeration ? 'Invalid credentials' : 'Wrong password');
+      }
+
+      // If IAM is enabled but user not migrated, migrate them now
+      if (iamEnabled && !user.iamId) {
+        await this.migrateUserToIam(user, email, password);
+      }
     }
 
     // Return tokens and user with currentUser set so securityCheck knows user is requesting own data
@@ -136,6 +207,13 @@ export class CoreAuthService {
 
   /**
    * Register a new user account
+   *
+   * When IAM is enabled, this method:
+   * 1. Creates the user in IAM first (with scrypt password hash)
+   * 2. Creates/links the Legacy user with iamId
+   * 3. Returns Legacy JWT format for backwards compatibility
+   *
+   * @deprecated When IAM is enabled, prefer using /iam/sign-up/email REST endpoint directly.
    */
   async signUp(input: CoreAuthSignUpInput, serviceOptions?: ServiceOptions): Promise<CoreAuthModel> {
     // Prepare service options
@@ -146,7 +224,19 @@ export class CoreAuthService {
 
     // Get and check user
     try {
-      const user = await this.userService.create(input, serviceOptionsForUserService);
+      // Determine if IAM delegation is available
+      const iamEnabled = this.isIamEnabled();
+
+      let user: ICoreAuthUser;
+
+      if (iamEnabled) {
+        // Create via IAM first, then create/link Legacy user
+        user = await this.createUserViaIam(input, serviceOptionsForUserService);
+      } else {
+        // Create via Legacy
+        user = await this.userService.create(input, serviceOptionsForUserService);
+      }
+
       if (!user) {
         throw new BadRequestException('Email address already in use');
       }
@@ -332,4 +422,153 @@ export class CoreAuthService {
     // Return new token
     return newRefreshToken;
   }
+
+  // ===================================================================================================================
+  // IAM Delegation Helper Methods
+  // ===================================================================================================================
+
+  /**
+   * Checks if IAM (Better-Auth) delegation is available and enabled
+   */
+  protected isIamEnabled(): boolean {
+    return !!(this.betterAuthService?.isEnabled() && this.betterAuthUserMapper);
+  }
+
+  /**
+   * Verifies password via IAM for already-migrated users
+   *
+   * @param email - User email
+   * @param password - Plain password to verify
+   * @returns true if password is valid, false otherwise
+   */
+  protected async verifyPasswordViaIam(email: string, password: string): Promise<boolean> {
+    if (!this.betterAuthService) {
+      return false;
+    }
+
+    const api = this.betterAuthService.getApi();
+    if (!api) {
+      return false;
+    }
+
+    try {
+      const response = await api.signInEmail({
+        body: { email, password },
+      });
+
+      // Check if response indicates successful authentication
+      return !!(response && 'user' in response && response.user);
+    } catch (error) {
+      this.logger.debug(
+        `IAM password verification failed for ${email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+      return false;
+    }
+  }
+
+  /**
+   * Migrates a Legacy user to IAM
+   *
+   * This creates the IAM user and account with a scrypt password hash,
+   * then links the Legacy user via iamId.
+   *
+   * @param user - The Legacy user to migrate
+   * @param email - User email
+   * @param plainPassword - Plain password (needed to create scrypt hash)
+   */
+  protected async migrateUserToIam(user: ICoreAuthUser, email: string, plainPassword: string): Promise<void> {
+    if (!this.betterAuthUserMapper) {
+      return;
+    }
+
+    try {
+      // Create IAM account with the plain password (creates scrypt hash)
+      const migrated = await this.betterAuthUserMapper.migrateAccountToIam(email, plainPassword);
+
+      if (migrated) {
+        this.logger.log(`Migrated Legacy user ${email} to IAM`);
+
+        // Refresh user to get updated iamId
+        const updatedUser = await this.userService.getViaEmail(email, { force: true });
+        if (updatedUser?.iamId) {
+          // Update the user object in place so subsequent operations see the iamId
+          (user as any).iamId = updatedUser.iamId;
+        }
+      }
+    } catch (error) {
+      // Log but don't throw - migration failure shouldn't block login
+      this.logger.warn(
+        `Failed to migrate user ${email} to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+    }
+  }
+
+  /**
+   * Creates a user via IAM and links to Legacy user
+   *
+   * @param input - Sign-up input data
+   * @param serviceOptions - Service options for user service
+   * @returns The created Legacy user (linked to IAM)
+   */
+  protected async createUserViaIam(input: CoreAuthSignUpInput, serviceOptions: ServiceOptions): Promise<ICoreAuthUser> {
+    if (!this.betterAuthService || !this.betterAuthUserMapper) {
+      throw new BadRequestException('IAM service not available');
+    }
+
+    const api = this.betterAuthService.getApi();
+    if (!api) {
+      throw new BadRequestException('IAM API not available');
+    }
+
+    try {
+      // Create user in IAM first
+      // Note: firstName and lastName are project-specific fields, may not exist on CoreAuthSignUpInput
+      const inputAny = input as any;
+      const name = [inputAny.firstName, inputAny.lastName].filter(Boolean).join(' ') || input.email.split('@')[0];
+      const response = await api.signUpEmail({
+        body: {
+          email: input.email,
+          name,
+          password: input.password,
+        },
+      });
+
+      if (!response || !('user' in response) || !response.user) {
+        throw new BadRequestException('Email address already in use');
+      }
+
+      // Link or create Legacy user with iamId
+      const iamUser = response.user as { email: string; id: string; name?: string };
+      const syncedUser = await this.betterAuthUserMapper.linkOrCreateUser(iamUser as any, {
+        firstName: inputAny.firstName,
+        lastName: inputAny.lastName,
+      });
+
+      if (!syncedUser) {
+        throw new BadRequestException('Failed to create user');
+      }
+
+      // Sync password to Legacy (enables backwards compatibility)
+      // Pass plain password so bcrypt hash can be created for Legacy Auth
+      await this.betterAuthUserMapper.syncPasswordToLegacy(iamUser.id, input.email, input.password);
+
+      this.logger.log(`Created user ${input.email} via IAM`);
+
+      // Get the full user from our database
+      const user = await this.userService.getViaEmail(input.email, serviceOptions);
+      if (!user) {
+        throw new BadRequestException('Failed to retrieve created user');
+      }
+
+      return user;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+      this.logger.debug(`IAM sign-up error for ${input.email}: ${errorMessage}`);
+
+      if (errorMessage.includes('already exists') || errorMessage.includes('already in use')) {
+        throw new BadRequestException('Email address already in use');
+      }
+      throw error;
+    }
+  }
 }

package/src/core/modules/auth/services/legacy-auth-rate-limiter.service.ts

@@ -0,0 +1,283 @@
+import { Injectable, Logger, OnModuleInit } from '@nestjs/common';
+
+import { IAuthRateLimit } from '../../../common/interfaces/server-options.interface';
+import { ConfigService } from '../../../common/services/config.service';
+
+/**
+ * Rate limit entry for tracking requests
+ */
+interface RateLimitEntry {
+  count: number;
+  resetTime: number;
+}
+
+/**
+ * Result of a rate limit check
+ *
+ * @internal This interface is identical to BetterAuthRateLimiter's RateLimitResult.
+ * Use the exported RateLimitResult from better-auth module if needed externally.
+ */
+interface RateLimitResult {
+  /** Whether the request is allowed */
+  allowed: boolean;
+  /** Current request count in the window */
+  current: number;
+  /** Maximum requests allowed */
+  limit: number;
+  /** Number of remaining requests in the window */
+  remaining: number;
+  /** Seconds until the rate limit resets */
+  resetIn: number;
+}
+
+/**
+ * Default rate limiting configuration
+ */
+const DEFAULT_CONFIG: Required<IAuthRateLimit> = {
+  enabled: false,
+  max: 10,
+  message: 'Too many requests, please try again later.',
+  windowSeconds: 60,
+};
+
+/**
+ * In-memory rate limiter for Legacy Auth endpoints
+ *
+ * This service provides rate limiting to protect against brute-force attacks
+ * on authentication endpoints. It uses an in-memory store with automatic cleanup.
+ *
+ * Features:
+ * - Configurable request limits and time windows
+ * - Automatic cleanup of expired entries
+ * - IP-based tracking
+ * - Auto-configuration from ConfigService
+ *
+ * Configuration via config.env.ts:
+ * ```typescript
+ * auth: {
+ *   rateLimit: {
+ *     enabled: true,
+ *     max: 10,
+ *     windowSeconds: 60,
+ *     message: 'Too many login attempts, please try again later.',
+ *   }
+ * }
+ * ```
+ *
+ * @since 11.7.x
+ */
+@Injectable()
+export class LegacyAuthRateLimiter implements OnModuleInit {
+  private readonly logger = new Logger(LegacyAuthRateLimiter.name);
+  private readonly store = new Map<string, RateLimitEntry>();
+  private config: Required<IAuthRateLimit> = DEFAULT_CONFIG;
+  private cleanupInterval: NodeJS.Timeout | null = null;
+
+  constructor() {
+    // Start cleanup interval (every 5 minutes)
+    this.startCleanup();
+  }
+
+  /**
+   * Auto-configure from ConfigService on module initialization
+   */
+  onModuleInit(): void {
+    const rateLimitConfig = ConfigService.getFastButReadOnly<IAuthRateLimit>('auth.rateLimit');
+    if (rateLimitConfig) {
+      this.configure(rateLimitConfig);
+    }
+  }
+
+  /**
+   * Configure the rate limiter
+   *
+   * Follows the "presence implies enabled" pattern:
+   * - If config is undefined/null: rate limiting is disabled (backward compatible)
+   * - If config is an object (even empty {}): rate limiting is enabled by default
+   * - Unless `enabled: false` is explicitly set to disable while pre-configuring
+   *
+   * @param config - Rate limiting configuration (presence implies enabled)
+   */
+  configure(config: IAuthRateLimit | null | undefined): void {
+    // If config is not provided, rate limiting stays disabled (backward compatible)
+    if (config === undefined || config === null) {
+      return;
+    }
+
+    // Presence of config implies enabled, unless explicitly disabled
+    const enabled = config.enabled !== false;
+
+    this.config = {
+      ...DEFAULT_CONFIG,
+      ...config,
+      enabled,
+    };
+
+    if (this.config.enabled) {
+      this.logger.debug(
+        `Legacy Auth rate limiting enabled: ${this.config.max} requests per ${this.config.windowSeconds}s`,
+      );
+    }
+  }
+
+  /**
+   * Check if a request is allowed under the rate limit
+   *
+   * @param ip - Client IP address
+   * @param endpoint - Endpoint name (e.g., 'signIn', 'signUp')
+   * @returns Rate limit check result
+   */
+  check(ip: string, endpoint: string): RateLimitResult {
+    // If rate limiting is disabled, always allow
+    if (!this.config.enabled) {
+      return {
+        allowed: true,
+        current: 0,
+        limit: Infinity,
+        remaining: Infinity,
+        resetIn: 0,
+      };
+    }
+
+    const limit = this.config.max;
+    const key = `${ip}:${endpoint}`;
+    const now = Date.now();
+
+    // Get or create entry
+    let entry = this.store.get(key);
+
+    if (!entry || now >= entry.resetTime) {
+      // Create new entry or reset expired one
+      entry = {
+        count: 1,
+        resetTime: now + this.config.windowSeconds * 1000,
+      };
+      this.store.set(key, entry);
+
+      return {
+        allowed: true,
+        current: 1,
+        limit,
+        remaining: limit - 1,
+        resetIn: this.config.windowSeconds,
+      };
+    }
+
+    // Increment count
+    entry.count++;
+
+    const resetIn = Math.ceil((entry.resetTime - now) / 1000);
+    const allowed = entry.count <= limit;
+    const remaining = Math.max(0, limit - entry.count);
+
+    if (!allowed) {
+      this.logger.warn(`Rate limit exceeded for IP ${this.maskIp(ip)} on ${endpoint}: ${entry.count}/${limit}`);
+    }
+
+    return {
+      allowed,
+      current: entry.count,
+      limit,
+      remaining,
+      resetIn,
+    };
+  }
+
+  /**
+   * Get the configured error message
+   */
+  getMessage(): string {
+    return this.config.message;
+  }
+
+  /**
+   * Check if rate limiting is enabled
+   */
+  isEnabled(): boolean {
+    return this.config.enabled;
+  }
+
+  /**
+   * Reset rate limit for a specific IP (useful for testing or admin override)
+   *
+   * @param ip - Client IP address
+   */
+  reset(ip: string): void {
+    for (const key of this.store.keys()) {
+      if (key.startsWith(`${ip}:`)) {
+        this.store.delete(key);
+      }
+    }
+  }
+
+  /**
+   * Clear all rate limit entries (useful for testing)
+   */
+  clear(): void {
+    this.store.clear();
+  }
+
+  /**
+   * Get statistics about the rate limiter
+   */
+  getStats(): { activeEntries: number; enabled: boolean } {
+    return {
+      activeEntries: this.store.size,
+      enabled: this.config.enabled,
+    };
+  }
+
+  /**
+   * Stop the cleanup interval (for graceful shutdown)
+   */
+  onModuleDestroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+
+  /**
+   * Mask IP address for logging (privacy)
+   */
+  private maskIp(ip: string): string {
+    if (ip.includes('.')) {
+      // IPv4: show first two octets
+      const parts = ip.split('.');
+      return `${parts[0]}.${parts[1]}.*.*`;
+    }
+    // IPv6: show first segment
+    const parts = ip.split(':');
+    return `${parts[0]}:****`;
+  }
+
+  /**
+   * Start periodic cleanup of expired entries
+   */
+  private startCleanup(): void {
+    // Clean up every 5 minutes
+    this.cleanupInterval = setInterval(
+      () => {
+        const now = Date.now();
+        let cleaned = 0;
+
+        for (const [key, entry] of this.store.entries()) {
+          if (now >= entry.resetTime) {
+            this.store.delete(key);
+            cleaned++;
+          }
+        }
+
+        if (cleaned > 0) {
+          this.logger.debug(`Cleaned up ${cleaned} expired rate limit entries`);
+        }
+      },
+      5 * 60 * 1000,
+    );
+
+    // Prevent the interval from keeping the process alive
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
+  }
+}