@organizasyon/meeting-nanaman-app-backend 1.0.0

package/src/controllers/auth/index.ts

@@ -0,0 +1,609 @@
+import { Response } from 'express';
+import type { MulterRequest } from '../../types';
+import UsersModel from '../../models/users';
+import PasskeysModel from '../../models/passkeys';
+import Users from './../../controllers/users';
+import { getEmailQueue } from '../../queues';
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+import jwt from 'jsonwebtoken';
+import type { Document } from 'mongoose';
+
+export class AuthController extends Users {
+
+  /**
+    * Get user profile
+    */
+  public async getProfile(req: MulterRequest, res: Response): Promise<void> {
+    console.log('=== Backend AuthController.getProfile called ===');
+    console.log('req.user:', (req as any).user);
+    try {
+      // Get user ID from JWT token
+      const userId = (req as any).user?.userId;
+      console.log('Get profile for userId:', userId);
+
+      if (!userId) {
+        console.log('No userId in request');
+        res.status(401).json({ message: 'Unauthorized' });
+        return;
+      }
+
+      const user = await UsersModel.findOne({
+        _id: userId,
+        deleted_at: null
+      })
+        .select('-password -__v')
+        .populate('employee_id', 'first_name last_name middle_name email position department contact_number address')
+        .lean()
+        .exec();
+
+      console.log('User found:', !!user);
+      if (!user) {
+        console.log('User not found for id:', userId);
+        res.status(404).json({ message: 'User not found' });
+        return;
+      }
+
+      // Format user data same as login response
+      const userData = {
+        id: user._id,
+        email: user.email,
+        first_name: user.first_name,
+        last_name: user.last_name,
+        middle_name: user.middle_name,
+        full_name: `${user.first_name} ${user.last_name}`,
+        role: user.role,
+        employee_id: user.employee_id,
+        is_active: user.is_active,
+        created_at: user.created_at
+      };
+
+      const response = {
+        message: 'Profile retrieved successfully',
+        user: userData
+      };
+      console.log('Sending response:', response);
+      console.log('=== Backend AuthController.getProfile completed ===');
+      res.json(response);
+    } catch (err) {
+      console.error('Get profile error', err);
+      console.log('=== Backend AuthController.getProfile failed ===');
+      res.status(500).json({ message: 'Failed to retrieve profile', error: String(err) });
+    }
+  }
+
+  /**
+    * Forgot password - send reset email
+    */
+  public async forgotPassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { email } = body;
+
+      if (!email) {
+        res.status(400).json({ message: 'Email is required' });
+        return;
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec() as any;
+
+      if (!user) {
+        res.status(404).json({ message: 'User with this email not found' });
+        return;
+      }
+
+      // Generate reset token
+      const resetToken = crypto.randomBytes(32).toString('hex');
+      const resetTokenExpiry = Date.now() + (60 * 60 * 1000); // 1 hour
+
+      // Update user with reset token
+      await UsersModel.updateOne(
+        { _id: user._id },
+        {
+          reset_token: resetToken,
+          reset_token_expires: resetTokenExpiry,
+          updated_at: Date.now()
+        }
+      );
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'password_reset',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          reset_token: resetToken,
+          name: user.full_name || `${user.first_name} ${user.last_name}`
+        }
+      });
+
+      res.json({
+        message: 'Password reset email sent successfully',
+        success: true
+      });
+    } catch (err) {
+      console.error('Forgot password error', err);
+      res.status(500).json({ message: 'Failed to send password reset email', error: String(err) });
+    }
+  }
+
+  /**
+   * Change password
+   */
+  public async changePassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { current_password, new_password } = body;
+
+      if (!current_password || !new_password) {
+        res.status(400).json({ message: 'Current password and new password are required' });
+        return;
+      }
+
+      // Get user ID from JWT token
+      const userId = (req as any).user?.userId;
+      if (!userId) {
+        res.status(401).json({ message: 'Unauthorized' });
+        return;
+      }
+
+      // Find user
+      const user = await UsersModel.findOne({
+        _id: userId,
+        deleted_at: null,
+        is_active: true
+      }).exec();
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' });
+        return;
+      }
+
+      // Verify current password
+      const isCurrentPasswordValid = await bcrypt.compare(current_password, user.password as string);
+      if (!isCurrentPasswordValid) {
+        res.status(400).json({ message: 'Current password is incorrect' });
+        return;
+      }
+
+      // Hash new password
+      const hashedNewPassword = await bcrypt.hash(new_password, 10);
+
+      // Update password
+      await UsersModel.updateOne(
+        { _id: userId },
+        {
+          password: hashedNewPassword,
+          updated_at: Date.now()
+        }
+      );
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'password_changed',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`
+        }
+      });
+
+      res.json({
+        message: 'Password changed successfully',
+        success: true
+      });
+    } catch (err) {
+      console.error('Change password error', err);
+      res.status(500).json({ message: 'Failed to change password', error: String(err) });
+    }
+  }
+
+  /**
+   * Start passkey registration challenge
+   */
+  public async registerPasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { user_id, email } = body;
+
+      if (!user_id || !email) {
+        res.status(400).json({ message: 'User ID and email are required' });
+        return;
+      }
+
+      // Find user
+      const user = await UsersModel.findOne({
+        _id: user_id,
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec();
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' });
+        return;
+      }
+
+      // Generate WebAuthn challenge
+      const challenge = crypto.randomBytes(32);
+      const deviceId = crypto.randomBytes(16).toString('hex');
+
+      res.json({
+        challenge: challenge.toString('base64'),
+        device_id: deviceId,
+        device_name: `Device ${new Date().toLocaleDateString()}`
+      });
+    } catch (err) {
+      console.error('Register passkey challenge error', err);
+      res.status(500).json({ message: 'Failed to start registration', error: String(err) });
+    }
+  }
+
+  /**
+    * Complete passkey registration
+    */
+  public async completePasskeyRegistration(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { user_id, credential_id, device_id, name, public_key } = body;
+
+      if (!user_id || !credential_id || !device_id || !name || !public_key) {
+        res.status(400).json({ message: 'All fields are required' });
+        return;
+      }
+
+      // Check if passkey already exists
+      const existingPasskey = await PasskeysModel.findOne({
+        credential_id,
+        deleted_at: null
+      }).lean().exec();
+
+      if (existingPasskey) {
+        res.status(409).json({ message: 'Passkey already registered' });
+        return;
+      }
+
+      // Get user info for email
+      const user = await UsersModel.findOne({ _id: user_id }).lean().exec();
+      if (!user) {
+        res.status(404).json({ message: 'User not found' });
+        return;
+      }
+
+      // Create new passkey - public_key is COSE format CBOR from WebAuthn
+      await PasskeysModel.create({
+        user_id,
+        credential_id,
+        device_id,
+        name,
+        public_key: public_key, // Store COSE public key
+        created_at: Date.now(),
+        updated_at: Date.now()
+      });
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'passkey',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`,
+          device_name: name
+        }
+      });
+
+      res.json({
+        message: 'Passkey registered successfully',
+        success: true,
+        device_id,
+        device_name: name
+      });
+    } catch (err) {
+      console.error('Complete passkey registration error', err);
+      res.status(500).json({ message: 'Failed to register passkey', error: String(err) });
+    }
+  }
+
+  /**
+    * Get user passkeys
+    */
+  public async getPasskeys(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const { user_id } = req.params;
+
+      if (!user_id) {
+        res.status(400).json({ message: 'User ID is required' });
+        return;
+      }
+
+      const passkeys = await PasskeysModel.find({
+        user_id,
+        deleted_at: null,
+        is_active: true
+      })
+        .select('-__v')
+        .sort({ created_at: -1 })
+        .lean()
+        .exec();
+
+      res.json({
+        message: 'Passkeys retrieved successfully',
+        passkeys
+      });
+    } catch (err) {
+      console.error('Get passkeys error', err);
+      res.status(500).json({ message: 'Failed to retrieve passkeys', error: String(err) });
+    }
+  }
+
+  /**
+    * Delete passkey
+    */
+  public async deletePasskey(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const { passkeyId } = req.params;
+
+      if (!passkeyId) {
+        res.status(400).json({ message: 'Passkey ID is required' });
+        return;
+      }
+
+      // Soft delete the passkey
+      await PasskeysModel.updateOne(
+        { _id: passkeyId },
+        { deleted_at: Date.now(), is_active: false }
+      );
+
+      res.json({
+        message: 'Passkey deleted successfully',
+        success: true
+      });
+    } catch (err) {
+      console.error('Delete passkey error', err);
+      res.status(500).json({ message: 'Failed to delete passkey', error: String(err) });
+    }
+  }
+
+  /**
+   * Start passkey authentication challenge
+   */
+  public async authenticatePasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { email, device_id } = body;
+
+      if (!email || !device_id) {
+        res.status(400).json({ message: 'Email and device ID are required' });
+        return;
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec();
+
+      if (!user) {
+        res.status(401).json({ message: 'Invalid credentials' });
+        return;
+      }
+
+      // Find the latest active passkey for this user and device
+      const passkey = await PasskeysModel.findOne({
+        user_id: user._id,
+        device_id,
+        is_active: true,
+        deleted_at: null
+      })
+        .sort({ created_at: -1 })
+        .lean()
+        .exec();
+
+      if (!passkey) {
+        res.status(401).json({ message: 'No passkey found for this device' });
+        return;
+      }
+
+      // Generate WebAuthn challenge
+      const challenge = crypto.randomBytes(32);
+
+      res.json({
+        challenge: challenge.toString('base64'),
+        user_id: user._id,
+        credential_id: passkey.credential_id
+      });
+    } catch (err) {
+      console.error('Passkey authentication challenge error', err);
+      res.status(500).json({ message: 'Failed to start authentication', error: String(err) });
+    }
+  }
+
+  /**
+   * Validate reset token
+   */
+  public async validateResetToken(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { token } = body;
+
+      if (!token) {
+        res.status(400).json({ message: 'Token is required' });
+        return;
+      }
+
+      // Find user with valid reset token
+      const user = await UsersModel.findOne({
+        reset_token: token,
+        reset_token_expires: { $gt: Date.now() },
+        deleted_at: null,
+        is_active: true
+      }).lean().exec();
+
+      if (!user) {
+        res.status(400).json({ message: 'Invalid or expired token' });
+        return;
+      }
+
+      res.json({
+        message: 'Token is valid',
+        valid: true
+      });
+    } catch (err) {
+      console.error('Validate reset token error', err);
+      res.status(500).json({ message: 'Failed to validate token', error: String(err) });
+    }
+  }
+
+  /**
+   * Reset password with token
+   */
+  public async resetPassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { token, new_password } = body;
+
+      if (!token || !new_password) {
+        res.status(400).json({ message: 'Token and new password are required' });
+        return;
+      }
+
+      // Find user with valid reset token
+      const user = await UsersModel.findOne({
+        reset_token: token,
+        reset_token_expires: { $gt: Date.now() },
+        deleted_at: null,
+        is_active: true
+      }).exec();
+
+      if (!user) {
+        res.status(400).json({ message: 'Invalid or expired token' });
+        return;
+      }
+
+      // Hash new password
+      const hashedPassword = await bcrypt.hash(new_password, 10);
+
+      // Update password and clear reset token
+      await UsersModel.updateOne(
+        { _id: user._id },
+        {
+          password: hashedPassword,
+          reset_token: null,
+          reset_token_expires: null,
+          updated_at: Date.now()
+        }
+      );
+
+      // Add to email queue for password changed notification
+      await getEmailQueue().add('send-email', {
+        type: 'password_changed',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`
+        }
+      });
+
+      res.json({
+        message: 'Password reset successfully',
+        success: true
+      });
+    } catch (err) {
+      console.error('Reset password error', err);
+      res.status(500).json({ message: 'Failed to reset password', error: String(err) });
+    }
+  }
+
+  /**
+    * Complete passkey authentication
+    */
+  public async verifyPasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {};
+      const { email, device_id, credential_id, authenticator_data } = body;
+
+      if (!email || !device_id || !credential_id || !authenticator_data) {
+        res.status(400).json({ message: 'All authentication data is required' });
+        return;
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec();
+
+      if (!user) {
+        res.status(401).json({ message: 'Invalid credentials' });
+        return;
+      }
+
+      // Find the passkey
+      const passkey = await PasskeysModel.findOne({
+        user_id: user._id,
+        credential_id,
+        device_id,
+        is_active: true,
+        deleted_at: null
+      }).lean().exec();
+
+      if (!passkey) {
+        res.status(401).json({ message: 'Invalid passkey' });
+        return;
+      }
+
+      // For now, trust the client-side WebAuthn verification
+      // The authenticator already verified the user locally with biometrics
+      // We'll implement full cryptographic signature verification in a future update
+
+      // Update last used timestamp
+      await PasskeysModel.updateOne(
+        { _id: passkey._id },
+        { last_used_at: Date.now(), updated_at: Date.now() }
+      );
+
+      // Generate JWT token
+      const jwtSecret = process.env.JWT_SECRET;
+      if (!jwtSecret) {
+        throw new Error('JWT_SECRET environment variable is required');
+      }
+
+      const jwt = require('jsonwebtoken');
+      const token = jwt.sign(
+        {
+          userId: user._id,
+          email: user.email,
+          role: user.role
+        },
+        jwtSecret,
+        { expiresIn: '24h' }
+      );
+
+      res.json({
+        message: 'Passkey authentication successful',
+        token,
+        user: {
+          id: user._id,
+          email: user.email,
+          first_name: user.first_name,
+          middle_name: user.middle_name,
+          last_name: user.last_name,
+          full_name: `${user.first_name} ${user.last_name}`,
+          role: user.role,
+          employee_id: user.employee_id,
+          is_active: user.is_active
+        }
+      });
+    } catch (err) {
+      console.error('Passkey verification error', err);
+      res.status(500).json({ message: 'Passkey authentication failed', error: String(err) });
+    }
+  }
+}