@ma7moudsalama/falak-app 1.0.0

package/template/src/composables/useAuth.js

@@ -0,0 +1,393 @@
+/**
+ * useAuth — Firebase Authentication Composable
+ * ──────────────────────────────────────────────
+ * Supports:
+ *  • Email + Password (register / login / reset)
+ *  • Google OAuth
+ *  • Facebook OAuth
+ *  • User roles stored in RTDB: /users/{uid}/role
+ *  • Session data mirrored to RTDB: /sessions/{uid}
+ *  • Reactive currentUser, userRole, isAuthenticated
+ */
+
+import { ref, computed, readonly } from 'vue'
+import {
+  createUserWithEmailAndPassword,
+  signInWithEmailAndPassword,
+  signOut,
+  sendPasswordResetEmail,
+  sendEmailVerification,
+  updateProfile,
+  updatePassword,
+  reauthenticateWithCredential,
+  EmailAuthProvider,
+  GoogleAuthProvider,
+  FacebookAuthProvider,
+  signInWithPopup,
+  signInWithRedirect,
+  getRedirectResult,
+  onAuthStateChanged,
+  deleteUser
+} from 'firebase/auth'
+import {
+  ref as dbRef,
+  set,
+  get,
+  update,
+  onValue,
+  serverTimestamp,
+  onDisconnect,
+  remove
+} from 'firebase/database'
+import { auth, rtdb } from '@/firebase/index.js'
+import { useCrypto } from '@/composables/useCrypto.js'
+
+// ── Singleton state (shared across all composable calls) ──
+const currentUser   = ref(null)
+const userProfile   = ref(null)
+const userRole      = ref(null)
+const isAuthReady   = ref(false)
+const authError     = ref(null)
+const isLoading     = ref(false)
+
+let roleListener    = null
+let sessionRef      = null
+
+// ── Roles ──────────────────────────────────────
+export const ROLES = {
+  SUPER_ADMIN: 'super_admin',
+  ADMIN:       'admin',
+  USER:        'user',
+  GUEST:       'guest'
+}
+
+// ── Role permissions map ───────────────────────
+const ROLE_PERMISSIONS = {
+  super_admin: ['read', 'write', 'delete', 'manage_users', 'manage_roles'],
+  admin:       ['read', 'write', 'delete', 'manage_users'],
+  user:        ['read', 'write'],
+  guest:       ['read']
+}
+
+// ── Initialize Auth State Listener ────────────
+function initAuthListener() {
+  onAuthStateChanged(auth, async (user) => {
+    if (user) {
+      currentUser.value = user
+      await syncUserProfile(user)
+      listenToRole(user.uid)
+      await updateSession(user.uid, true)
+    } else {
+      if (sessionRef) {
+        await updateSession(currentUser.value?.uid, false).catch(() => {})
+      }
+      currentUser.value  = null
+      userProfile.value  = null
+      userRole.value     = null
+      if (roleListener) { roleListener(); roleListener = null }
+    }
+    isAuthReady.value = true
+  })
+}
+
+// ── Sync user profile from RTDB ───────────────
+async function syncUserProfile(user) {
+  const snap = await get(dbRef(rtdb, `users/${user.uid}`))
+  if (snap.exists()) {
+    userProfile.value = snap.val()
+  } else {
+    // First-time: create profile
+    const profile = {
+      uid:         user.uid,
+      email:       user.email,
+      displayName: user.displayName || '',
+      photoURL:    user.photoURL || '',
+      role:        ROLES.USER,
+      createdAt:   serverTimestamp(),
+      provider:    user.providerData[0]?.providerId || 'email'
+    }
+    await set(dbRef(rtdb, `users/${user.uid}`), profile)
+    userProfile.value = profile
+  }
+}
+
+// ── Listen to role changes in real-time ───────
+function listenToRole(uid) {
+  if (roleListener) roleListener()
+  const roleDbRef = dbRef(rtdb, `users/${uid}/role`)
+  roleListener = onValue(roleDbRef, (snap) => {
+    userRole.value = snap.val() || ROLES.USER
+  })
+}
+
+// ── Session management in RTDB ─────────────────
+async function updateSession(uid, online) {
+  if (!uid) return
+  sessionRef = dbRef(rtdb, `sessions/${uid}`)
+  const data = {
+    online,
+    lastSeen: serverTimestamp(),
+    userAgent: navigator.userAgent,
+    ...(online ? { loginAt: serverTimestamp() } : {})
+  }
+  await set(sessionRef, data)
+  // Auto-mark offline on disconnect
+  if (online) {
+    onDisconnect(sessionRef).update({ online: false, lastSeen: serverTimestamp() })
+  }
+}
+
+// ── Initialize on first import ─────────────────
+initAuthListener()
+
+// ── Composable ────────────────────────────────
+export function useAuth() {
+  const { encrypt } = useCrypto()
+
+  // ── Computed ──────────────────────────────
+  const isAuthenticated = computed(() => !!currentUser.value)
+  const isAdmin         = computed(() => [ROLES.ADMIN, ROLES.SUPER_ADMIN].includes(userRole.value))
+  const isSuperAdmin    = computed(() => userRole.value === ROLES.SUPER_ADMIN)
+  const userPermissions = computed(() => ROLE_PERMISSIONS[userRole.value] || [])
+
+  function hasPermission(permission) {
+    return userPermissions.value.includes(permission)
+  }
+
+  function hasRole(...roles) {
+    return roles.includes(userRole.value)
+  }
+
+  // ── Email / Password ──────────────────────
+  async function register({ email, password, displayName }) {
+    isLoading.value = true
+    authError.value = null
+    try {
+      const cred = await createUserWithEmailAndPassword(auth, email, password)
+      if (displayName) {
+        await updateProfile(cred.user, { displayName })
+      }
+      await sendEmailVerification(cred.user)
+      return { success: true, user: cred.user }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  async function login({ email, password }) {
+    isLoading.value = true
+    authError.value = null
+    try {
+      const cred = await signInWithEmailAndPassword(auth, email, password)
+      return { success: true, user: cred.user }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  async function resetPassword(email) {
+    isLoading.value = true
+    authError.value = null
+    try {
+      await sendPasswordResetEmail(auth, email)
+      return { success: true }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  async function changePassword({ currentPassword, newPassword }) {
+    isLoading.value = true
+    authError.value = null
+    try {
+      const credential = EmailAuthProvider.credential(
+        currentUser.value.email,
+        currentPassword
+      )
+      await reauthenticateWithCredential(currentUser.value, credential)
+      await updatePassword(currentUser.value, newPassword)
+      return { success: true }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // ── Google OAuth ──────────────────────────
+  async function loginWithGoogle(useRedirect = false) {
+    isLoading.value = true
+    authError.value = null
+    const provider = new GoogleAuthProvider()
+    provider.addScope('profile')
+    provider.addScope('email')
+    try {
+      let cred
+      if (useRedirect) {
+        await signInWithRedirect(auth, provider)
+        cred = await getRedirectResult(auth)
+      } else {
+        cred = await signInWithPopup(auth, provider)
+      }
+      return { success: true, user: cred?.user }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // ── Facebook OAuth ────────────────────────
+  async function loginWithFacebook(useRedirect = false) {
+    isLoading.value = true
+    authError.value = null
+    const provider = new FacebookAuthProvider()
+    provider.addScope('email')
+    provider.addScope('public_profile')
+    try {
+      let cred
+      if (useRedirect) {
+        await signInWithRedirect(auth, provider)
+        cred = await getRedirectResult(auth)
+      } else {
+        cred = await signInWithPopup(auth, provider)
+      }
+      return { success: true, user: cred?.user }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // ── Sign Out ──────────────────────────────
+  async function logout() {
+    isLoading.value = true
+    try {
+      if (currentUser.value) {
+        await updateSession(currentUser.value.uid, false)
+      }
+      await signOut(auth)
+      return { success: true }
+    } catch (err) {
+      authError.value = formatAuthError(err)
+      return { success: false, error: authError.value }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // ── Update Profile ────────────────────────
+  async function updateUserProfile(data) {
+    isLoading.value = true
+    try {
+      if (data.displayName || data.photoURL) {
+        await updateProfile(currentUser.value, {
+          displayName: data.displayName,
+          photoURL:    data.photoURL
+        })
+      }
+      // Persist extra fields to RTDB
+      await update(dbRef(rtdb, `users/${currentUser.value.uid}`), {
+        ...data,
+        updatedAt: serverTimestamp()
+      })
+      userProfile.value = { ...userProfile.value, ...data }
+      return { success: true }
+    } catch (err) {
+      return { success: false, error: err.message }
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // ── Admin: Set Role ───────────────────────
+  async function setUserRole(uid, role) {
+    if (!isSuperAdmin.value && !isAdmin.value) {
+      return { success: false, error: 'Insufficient permissions' }
+    }
+    if (!Object.values(ROLES).includes(role)) {
+      return { success: false, error: `Invalid role: ${role}` }
+    }
+    try {
+      await update(dbRef(rtdb, `users/${uid}`), { role })
+      return { success: true }
+    } catch (err) {
+      return { success: false, error: err.message }
+    }
+  }
+
+  // ── Admin: Delete User ────────────────────
+  async function deleteAccount() {
+    try {
+      const uid = currentUser.value.uid
+      await remove(dbRef(rtdb, `users/${uid}`))
+      await remove(dbRef(rtdb, `sessions/${uid}`))
+      await deleteUser(currentUser.value)
+      return { success: true }
+    } catch (err) {
+      return { success: false, error: err.message }
+    }
+  }
+
+  // ── Auth Error Formatter ──────────────────
+  function formatAuthError(err) {
+    const map = {
+      'auth/user-not-found':        'No account found with this email.',
+      'auth/wrong-password':        'Incorrect password.',
+      'auth/email-already-in-use':  'This email is already registered.',
+      'auth/weak-password':         'Password must be at least 6 characters.',
+      'auth/invalid-email':         'Invalid email address.',
+      'auth/popup-closed-by-user':  'Sign-in popup was closed.',
+      'auth/account-exists-with-different-credential':
+        'An account already exists with this email. Try another login method.',
+      'auth/too-many-requests':     'Too many attempts. Please try again later.',
+      'auth/network-request-failed': 'Network error. Check your connection.',
+      'auth/requires-recent-login': 'Please log in again to perform this action.'
+    }
+    return map[err.code] || err.message
+  }
+
+  return {
+    // State (readonly to prevent external mutation)
+    currentUser:     readonly(currentUser),
+    userProfile:     readonly(userProfile),
+    userRole:        readonly(userRole),
+    isAuthReady:     readonly(isAuthReady),
+    authError:       readonly(authError),
+    isLoading:       readonly(isLoading),
+
+    // Computed
+    isAuthenticated,
+    isAdmin,
+    isSuperAdmin,
+    userPermissions,
+
+    // Methods
+    register,
+    login,
+    logout,
+    resetPassword,
+    changePassword,
+    loginWithGoogle,
+    loginWithFacebook,
+    updateUserProfile,
+    setUserRole,
+    deleteAccount,
+    hasPermission,
+    hasRole,
+    ROLES
+  }
+}

package/template/src/composables/useCrypto.js

@@ -0,0 +1,153 @@
+/**
+ * useCrypto — Encryption & Decryption Composable
+ * ────────────────────────────────────────────────
+ * Uses AES-256 via crypto-js.
+ * Encrypt sensitive data before storing in Firebase or localStorage.
+ *
+ * Usage:
+ *   const { encrypt, decrypt, encryptObject, decryptObject, hash } = useCrypto()
+ *   const cipher = encrypt('hello world')
+ *   const plain  = decrypt(cipher)        // → 'hello world'
+ */
+
+import CryptoJS from 'crypto-js'
+
+const SECRET = import.meta.env.VITE_ENCRYPTION_KEY || 'fallback_dev_key_change_me'
+
+// ── Derive a key from the secret (PBKDF2) ─────
+function deriveKey(salt = 'falak_salt') {
+  return CryptoJS.PBKDF2(SECRET, salt, { keySize: 256 / 32, iterations: 1000 })
+}
+
+export function useCrypto() {
+  /**
+   * Encrypt a string value.
+   * Returns a base64-encoded string prefixed with the IV.
+   */
+  function encrypt(plaintext, customKey = null) {
+    if (plaintext === null || plaintext === undefined) return plaintext
+    try {
+      const key = customKey ? CryptoJS.enc.Utf8.parse(customKey) : deriveKey()
+      const iv  = CryptoJS.lib.WordArray.random(128 / 8)
+      const encrypted = CryptoJS.AES.encrypt(String(plaintext), key, {
+        iv,
+        mode:    CryptoJS.mode.CBC,
+        padding: CryptoJS.pad.Pkcs7
+      })
+      // Prepend IV so decrypt can use it
+      const combined = iv.toString(CryptoJS.enc.Hex) + ':' + encrypted.toString()
+      return CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(combined))
+    } catch (err) {
+      console.error('[useCrypto] encrypt error:', err)
+      return null
+    }
+  }
+
+  /**
+   * Decrypt a value encrypted with encrypt().
+   */
+  function decrypt(ciphertext, customKey = null) {
+    if (!ciphertext) return ciphertext
+    try {
+      const decoded  = CryptoJS.enc.Base64.parse(ciphertext).toString(CryptoJS.enc.Utf8)
+      const [ivHex, encryptedStr] = decoded.split(':')
+      const iv  = CryptoJS.enc.Hex.parse(ivHex)
+      const key = customKey ? CryptoJS.enc.Utf8.parse(customKey) : deriveKey()
+      const decrypted = CryptoJS.AES.decrypt(encryptedStr, key, {
+        iv,
+        mode:    CryptoJS.mode.CBC,
+        padding: CryptoJS.pad.Pkcs7
+      })
+      return decrypted.toString(CryptoJS.enc.Utf8)
+    } catch (err) {
+      console.error('[useCrypto] decrypt error:', err)
+      return null
+    }
+  }
+
+  /**
+   * Encrypt a plain JS object → JSON string → encrypted.
+   */
+  function encryptObject(obj, customKey = null) {
+    if (!obj) return null
+    return encrypt(JSON.stringify(obj), customKey)
+  }
+
+  /**
+   * Decrypt back to a JS object.
+   */
+  function decryptObject(ciphertext, customKey = null) {
+    const str = decrypt(ciphertext, customKey)
+    if (!str) return null
+    try {
+      return JSON.parse(str)
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Encrypt only specified fields of an object, leave others plain.
+   * Useful for partial encryption of Firebase records.
+   *
+   * @param {Object} obj - source object
+   * @param {string[]} fields - keys to encrypt
+   */
+  function encryptFields(obj, fields = []) {
+    if (!obj) return obj
+    const result = { ...obj }
+    for (const field of fields) {
+      if (result[field] !== undefined) {
+        result[field] = encrypt(String(result[field]))
+      }
+    }
+    return result
+  }
+
+  /**
+   * Decrypt only specified fields.
+   */
+  function decryptFields(obj, fields = []) {
+    if (!obj) return obj
+    const result = { ...obj }
+    for (const field of fields) {
+      if (result[field]) {
+        result[field] = decrypt(result[field])
+      }
+    }
+    return result
+  }
+
+  /**
+   * One-way SHA256 hash (for passwords, tokens, etc.)
+   */
+  function hash(value) {
+    return CryptoJS.SHA256(String(value)).toString(CryptoJS.enc.Hex)
+  }
+
+  /**
+   * HMAC-SHA256 signature (used by Paymob, etc.)
+   */
+  function hmac(message, secret = SECRET) {
+    return CryptoJS.HmacSHA256(String(message), secret).toString(CryptoJS.enc.Hex)
+  }
+
+  /**
+   * Generate a random secure token (hex string).
+   */
+  function randomToken(bytes = 32) {
+    return CryptoJS.lib.WordArray.random(bytes).toString(CryptoJS.enc.Hex)
+  }
+
+  return {
+    encrypt,
+    decrypt,
+    encryptObject,
+    decryptObject,
+    encryptFields,
+    decryptFields,
+    hash,
+    hmac,
+    randomToken
+  }
+}