npm - @ozdao/martyrs - Versions diffs - 0.2.585 → 0.2.586 - Mend

@ozdao/martyrs 0.2.585 → 0.2.586

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/src/modules/auth/controllers/middlewares/otp.middleware.js ADDED Viewed

@@ -0,0 +1,166 @@
+import { getOtpService } from '../services/otp.service.js';
+function maskIdentifier(identifier) {
+  if (identifier.includes('@')) {
+    const [name, domain] = identifier.split('@');
+    return `${name[0]}${'*'.repeat(Math.max(name.length - 2, 1))}${name.slice(-1)}@${domain}`;
+  }
+  return `${identifier.slice(0, 2)}${'*'.repeat(identifier.length - 4)}${identifier.slice(-2)}`;
+}
+const middlewareFactory = () => {
+  const { sendOtp, verifyOtp } = getOtpService();
+  const stepUp = (purpose, getCredentials) => {
+    return async (req, res, next) => {
+      const { identifier, type, target = null } = getCredentials(req);
+      if (!identifier || !type) {
+        return res.status(400).json({ errorCode: 'IDENTIFIER_REQUIRED' });
+      }
+      const { challengeId, otp } = req.body;
+      if (challengeId && otp) {
+        const result = await verifyOtp({ challengeId, code: otp, target });
+        if (result.errorCode) {
+          return res.status(result.status || 400).json({ errorCode: result.errorCode, attemptsLeft: result.attemptsLeft });
+        }
+        return next();
+      }
+      const result = await sendOtp({ identifier, type, purpose, target });
+      if (result.errorCode) {
+        return res.status(result.status || 500).json({ errorCode: result.errorCode, retryAfter: result.retryAfter });
+      }
+      return res.status(200).json({
+        status: 'requires_otp',
+        challenge: {
+          challengeId: result.challengeId,
+          identifier: maskIdentifier(identifier)
+        }
+      });
+    };
+  };
+  const dualVerify = (field) => {
+    return async (req, res, next) => {
+      const target = req.userId;
+      const targetId = req.params._id;
+      if (target !== targetId) {
+        return res.status(403).json({ errorCode: 'FORBIDDEN' });
+      }
+      const oldContact = req.user[field];
+      const newContact = req.body[field];
+      if (!newContact) {
+        return res.status(400).json({ errorCode: 'MISSING_FIELD', field });
+      }
+      if (!oldContact) {
+        const { challengeId, otp } = req.body;
+        if (challengeId && otp) {
+          const result = await verifyOtp({ challengeId, code: otp, target });
+          if (result.errorCode) {
+            return res.status(result.status || 400).json({ errorCode: result.errorCode, attemptsLeft: result.attemptsLeft });
+          }
+          return next();
+        }
+        const result = await sendOtp({ identifier: newContact, type: field, purpose: `add-${field}`, target });
+        if (result.errorCode) {
+          return res.status(result.status || 500).json({ errorCode: result.errorCode, retryAfter: result.retryAfter });
+        }
+        return res.status(200).json({
+          status: 'requires_otp',
+          challenge: {
+            challengeId: result.challengeId,
+            identifier: maskIdentifier(newContact)
+          }
+        });
+      }
+      const hasChallenges = req.body.challenges && Array.isArray(req.body.challenges) && req.body.challenges.length > 0;
+      if (!hasChallenges) {
+        const oldResult = await sendOtp({ identifier: oldContact, type: field, purpose: `change-${field}-old`, target });
+        if (oldResult.errorCode) {
+          return res.status(oldResult.status || 500).json({
+            errorCode: oldResult.errorCode,
+            retryAfter: oldResult.retryAfter,
+            field: 'old'
+          });
+        }
+        const newResult = await sendOtp({ identifier: newContact, type: field, purpose: `change-${field}-new`, target });
+        if (newResult.errorCode) {
+          return res.status(newResult.status || 500).json({
+            errorCode: newResult.errorCode,
+            retryAfter: newResult.retryAfter,
+            field: 'new'
+          });
+        }
+        return res.json({
+          status: 'requires_otp',
+          mode: 'dual',
+          challenges: [
+            { challengeId: oldResult.challengeId, identifier: maskIdentifier(oldContact), label: 'old' },
+            { challengeId: newResult.challengeId, identifier: maskIdentifier(newContact), label: 'new' }
+          ]
+        });
+      }
+      const { challenges } = req.body;
+      if (!Array.isArray(challenges) || challenges.length !== 2) {
+        return res.status(400).json({ errorCode: 'INVALID_CHALLENGES' });
+      }
+      for (const c of challenges) {
+        if (typeof c.challengeId !== 'string' || c.challengeId.length !== 64) {
+          return res.status(400).json({ errorCode: 'INVALID_CHALLENGE_ID' });
+        }
+        if (typeof c.code !== 'string' || c.code.length !== 4) {
+          return res.status(400).json({ errorCode: 'INVALID_CODE_FORMAT' });
+        }
+      }
+      const oldValid = await verifyOtp({ challengeId: challenges[0].challengeId, code: challenges[0].code, target });
+      if (oldValid.errorCode) {
+        return res.status(oldValid.status || 400).json({
+          errorCode: oldValid.errorCode,
+          field: 'old',
+          attemptsLeft: oldValid.attemptsLeft
+        });
+      }
+      const newValid = await verifyOtp({ challengeId: challenges[1].challengeId, code: challenges[1].code, target });
+      if (newValid.errorCode) {
+        return res.status(newValid.status || 400).json({
+          errorCode: newValid.errorCode,
+          field: 'new',
+          attemptsLeft: newValid.attemptsLeft
+        });
+      }
+      next();
+    };
+  };
+  return { stepUp, dualVerify };
+};
+export default middlewareFactory;

package/src/modules/auth/controllers/middlewares/verifySignUp.js CHANGED Viewed

@@ -4,7 +4,6 @@ const middlewareFactory = db => {
   const Role = db.role;
   const checkDuplicateUsernameOrEmail = async (req, res, next) => {
     const { type, email, phone } = req.body;
-    console.log(req.body);
     let query;
     if (type === 'phone' && phone) {
       query = { phone };

package/src/modules/auth/controllers/middlewares/verifyUser.js CHANGED Viewed

@@ -2,6 +2,14 @@
 const middlewareFactory = db => {
   const User = db.user;
   const Role = db.role;
+  const checkOwnership = (req, res, next) => {
+    if (!req.userId || req.userId !== req.params._id) {
+      return res.status(403).json({ errorCode: 'FORBIDDEN', message: 'Cannot modify other users' });
+    }
+    next();
+  };
   const checkDuplicateUsername = async (req, res, next) => {
     const { username } = req.body;
     // Если username не передан, пропускаем проверку
@@ -25,22 +33,58 @@ const middlewareFactory = db => {
       res.status(500).send({ message: err.message });
     }
   };
-  // Ваш middleware для проверки существования пользователя
-  const checkUserExist = async (req, res, next) => {
-    const { type, email, phone } = req.body;
-    let query;
-    if (type === 'phone' && phone) {
-      query = { phone };
+  const checkDuplicateEmail = async (req, res, next) => {
+    const { email } = req.body;
+    if (!email) {
+      return next();
+    }
+    try {
+      const user = await User.findOne({
+        email,
+        _id: { $ne: req.params._id }
+      });
+      if (user) {
+        return res.status(400).json({ errorCode: 'EMAIL_ALREADY_USED' });
+      }
+      next();
+    } catch (err) {
+      res.status(500).send({ message: err.message });
+    }
+  };
+  const checkDuplicatePhone = async (req, res, next) => {
+    const { phone } = req.body;
+    if (!phone) {
+      return next();
+    }
+    try {
+      const user = await User.findOne({
+        phone,
+        _id: { $ne: req.params._id }
+      });
+      if (user) {
+        return res.status(400).json({ errorCode: 'PHONE_ALREADY_USED' });
+      }
+      next();
+    } catch (err) {
+      res.status(500).send({ message: err.message });
     }
-    if (type === 'email' && email) {
-      query = { email };
+  };
+  const checkUserExist = async (req, res, next) => {
+    const { type, identifier } = req.body;
+    if (!type || !identifier) {
+      return res.status(400).json({ errorCode: 'MISSING_IDENTIFIER' });
     }
+    const query = type === 'phone' ? { phone: identifier } : { email: identifier };
     try {
       const user = await User.findOne(query).exec();
       if (!user) {
-        console.log(query);
-        res.status(400).send({ errorCode: 'USER_NOT_REGISTERED_YET' });
-        return;
+        return res.status(400).json({ errorCode: 'USER_NOT_REGISTERED_YET' });
       }
       next();
     } catch (err) {
@@ -48,7 +92,10 @@ const middlewareFactory = db => {
     }
   };
   return {
+    checkOwnership,
     checkDuplicateUsername,
+    checkDuplicateEmail,
+    checkDuplicatePhone,
     checkUserExist,
   };
 };

package/src/modules/auth/controllers/routes/auth.routes.js CHANGED Viewed

@@ -1,19 +1,61 @@
 import middlewareFactory from '../middlewares/index.js';
 import controllerFactory from '../services/auth.service.js';
-import controllerFactoryTwofa from '../services/twofa.service.js';
+import { getSessionsService } from '@martyrs/src/modules/core/controllers/services/sessions.service.js';
 export default (function (app, db, origins) {
   const controller = controllerFactory(db);
-  const controllerTwofa = controllerFactoryTwofa(db);
-  const { verifySignUp, verifyUser, authJwt } = middlewareFactory(db);
+  const { verifySignUp, verifyUser, otp, authJwt } = middlewareFactory(db);
   app.post(
     '/api/auth/signup',
     [
       verifySignUp.checkDuplicateUsernameOrEmail,
-      // verifySignUp.checkRolesExisted
+      otp.stepUp('signup', req => ({
+        identifier: req.body.type === 'email' ? req.body.email : req.body.phone,
+        type: req.body.type
+      }))
     ],
     controller.signup
   );
   app.post('/api/auth/signin', controller.signin);
-  app.post('/api/auth/reset-password', [verifyUser.checkUserExist], controllerTwofa.sendcode);
-  app.post('/api/auth/update-password', controller.updatePassword);
+  // Сброс пароля — публичный flow
+  app.post(
+    '/api/auth/reset-password',
+    [
+      verifyUser.checkUserExist,
+      otp.stepUp('reset-password', req => ({
+        identifier: req.body.identifier,
+        type: req.body.type
+      }))
+    ],
+    controller.updatePassword
+  );
+  // Logout current session
+  app.post('/api/auth/logout', [authJwt.verifyToken()], async (req, res) => {
+    try {
+      if (req.sessionId) {
+        const sessionsService = getSessionsService();
+        await sessionsService.deactivateSession(req.sessionId);
+      }
+      res.status(200).send({ success: true });
+    } catch (err) {
+      res.status(500).send({ message: err.message });
+    }
+  });
+  // Logout all sessions
+  app.post('/api/auth/logout-all', [authJwt.verifyToken()], async (req, res) => {
+    try {
+      if (req.userId) {
+        const sessionsService = getSessionsService();
+        await sessionsService.deactivateAllUserSessions(req.userId);
+      }
+      res.status(200).send({ success: true });
+    } catch (err) {
+      res.status(500).send({ message: err.message });
+    }
+  });
 });

package/src/modules/auth/controllers/routes/users.routes.js CHANGED Viewed

@@ -1,15 +1,36 @@
 import middlewareFactory from '../middlewares/index.js';
 import controllerFactory from '../services/users.service.js';
 export default (function (app, db, origins) {
   const controller = controllerFactory(db);
-  // Middlewares
-  const { authJwt, verifyUser } = middlewareFactory(db);
-  // Create a User
+  const { authJwt, verifyUser, otp } = middlewareFactory(db);
   app.post('/api/users', [authJwt.verifyToken(), verifyUser.checkDuplicateUsername], controller.create);
-  // Fetch Users
   app.get('/api/users', controller.read);
-  // Update User by _id
-  app.put('/api/users/:_id', [authJwt.verifyToken(), verifyUser.checkDuplicateUsername], controller.update);
-  // Delete User by _id
-  app.delete('/api/users/:_id', [authJwt.verifyToken()], controller.remove);
+  // Профиль (без email/phone)
+  app.put('/api/users/:_id', [
+    authJwt.verifyToken(),
+    verifyUser.checkOwnership,
+    verifyUser.checkDuplicateUsername
+  ], controller.update);
+  // Email
+  app.put('/api/users/:_id/email', [
+    authJwt.verifyToken(),
+    authJwt.loadUser,
+    verifyUser.checkOwnership,
+    verifyUser.checkDuplicateEmail,
+    otp.dualVerify('email')
+  ], controller.updateEmail);
+  // Phone
+  app.put('/api/users/:_id/phone', [
+    authJwt.verifyToken(),
+    authJwt.loadUser,
+    verifyUser.checkOwnership,
+    verifyUser.checkDuplicatePhone,
+    otp.dualVerify('phone')
+  ], controller.updatePhone);
 });

package/src/modules/auth/controllers/services/auth.service.js CHANGED Viewed

@@ -2,6 +2,9 @@ import bcrypt from 'bcryptjs';
 import jwt from 'jsonwebtoken';
 import { Types } from 'mongoose';
 import { verifyAppleIdToken } from '../utils/verifyAppleIdToken.js';
+import { getSessionsService } from '@martyrs/src/modules/core/controllers/services/sessions.service.js';
+import { getVisitorsService } from '@martyrs/src/modules/core/controllers/services/visitors.service.js';
 const ObjectId = { Types }.Types.ObjectId;
 // Factory
 const controllerFactory = db => {
@@ -11,6 +14,7 @@ const controllerFactory = db => {
   const Organization = db.organization;
   const Invite = db.invite;
   const Role = db.role;
   const signin = async (req, res) => {
     const { type, email, phone, authorization } = req.body;
     let query;
@@ -52,9 +56,29 @@ const controllerFactory = db => {
           return res.status(401).send({ errorCode: 'INCORRECT_PASSWORD_ENTERED', accessToken: null });
         }
       }
+      // Create session
+      const sessionsService = getSessionsService();
+      const session = await sessionsService.createSession({
+        userId: user._id,
+        visitorId: req.visitorId || null,
+        req,
+      });
+      // Link visitor to user
+      if (req.visitorId) {
+        const visitorsService = getVisitorsService();
+        await visitorsService.linkVisitorToUser({
+          visitorId: req.visitorId,
+          userId: user._id,
+          sessionId: session._id,
+        });
+      }
       const token = jwt.sign(
         {
           _id: user._id,
+          session_id: session._id,
         },
         process.env.SECRET_KEY,
         {
@@ -128,9 +152,29 @@ const controllerFactory = db => {
         console.log(err);
       }
     }
+    // Create session
+    const sessionsService = getSessionsService();
+    const session = await sessionsService.createSession({
+      userId: user._id,
+      visitorId: req.visitorId || null,
+      req,
+    });
+    // Link visitor to user
+    if (req.visitorId) {
+      const visitorsService = getVisitorsService();
+      await visitorsService.linkVisitorToUser({
+        visitorId: req.visitorId,
+        userId: user._id,
+        sessionId: session._id,
+      });
+    }
     const token = jwt.sign(
       {
         _id: user._id,
+        session_id: session._id,
         organization: invite ? invite.organization : null,
       },
       process.env.SECRET_KEY,
@@ -150,19 +194,13 @@ const controllerFactory = db => {
   };
   const updatePassword = async (req, res) => {
     try {
-      const { phone, email, password, type } = req.body;
-      let query;
-      if (type === 'phone' && phone) {
-        query = { phone };
-      }
-      if (type === 'email' && email) {
-        query = { email };
-      }
-      if (!query || !password) {
+      const { identifier, password, type } = req.body;
+      if (!identifier || !type || !password) {
         return res.status(400).send({ errorCode: 'MISSING_REQUIRED_PARAMETERS' });
       }
-      const salt = await bcrypt.genSalt(8); // Generating a salt asynchronously
-      const hashedPassword = await bcrypt.hash(password, salt); // Hashing the password asynchronously
+      const query = type === 'phone' ? { phone: identifier } : { email: identifier };
+      const salt = await bcrypt.genSalt(8);
+      const hashedPassword = await bcrypt.hash(password, salt);
       const user = await User.findOneAndUpdate(query, {
         password: hashedPassword,
       })
@@ -171,7 +209,19 @@ const controllerFactory = db => {
       if (!user) {
         return res.status(404).send({ errorCode: 'ERROR_UPDATING_USER' });
       }
-      const token = jwt.sign({ _id: user._id }, process.env.SECRET_KEY, {
+      // Deactivate all existing sessions (logout-all on password reset)
+      const sessionsService = getSessionsService();
+      await sessionsService.deactivateAllUserSessions(user._id);
+      // Create new session
+      const session = await sessionsService.createSession({
+        userId: user._id,
+        visitorId: req.visitorId || null,
+        req,
+      });
+      const token = jwt.sign({ _id: user._id, session_id: session._id }, process.env.SECRET_KEY, {
         expiresIn: 86400,
       });
       const authorities = user.roles.map(role => `ROLE_${role.name.toUpperCase()}`);

package/src/modules/auth/controllers/services/otp.service.js ADDED Viewed

@@ -0,0 +1,109 @@
+import crypto from 'crypto';
+import mailing from '@martyrs/src/modules/core/controllers/utils/mailing.js';
+const { sendEmail, sendSms } = mailing;
+const RATE_LIMIT_SECONDS = 30;
+const MAX_ATTEMPTS = 3;
+const generateChallengeId = () => crypto.randomBytes(32).toString('hex');
+let instance = null;
+export function initOtpService(db) {
+  const Otp = db.otp;
+  async function sendOtp({ identifier, type, purpose, target = null }) {
+    const existingOtp = await Otp.findOne({ identifier, purpose }).sort({ createdAt: -1 });
+    if (existingOtp) {
+      const secondsSinceCreated = (Date.now() - existingOtp.createdAt.getTime()) / 1000;
+      if (secondsSinceCreated < RATE_LIMIT_SECONDS) {
+        return {
+          errorCode: 'RATE_LIMITED',
+          status: 429,
+          retryAfter: Math.ceil(RATE_LIMIT_SECONDS - secondsSinceCreated)
+        };
+      }
+    }
+    if (target) {
+      await Otp.updateMany(
+        { target: new db.mongoose.Types.ObjectId(target), purpose, invalidatedAt: null, verifiedAt: null },
+        { invalidatedAt: new Date() }
+      );
+    } else if (identifier) {
+      await Otp.updateMany(
+        { identifier, purpose, invalidatedAt: null, verifiedAt: null },
+        { invalidatedAt: new Date() }
+      );
+    }
+    const code = String(crypto.randomInt(1000, 10000));
+    const challengeId = generateChallengeId();
+    let sent = false;
+    if (type === 'email') {
+      sent = await sendEmail(
+        identifier,
+        `${process.env.APP_NAME} Verification Code`,
+        `Your ${process.env.APP_NAME} verification code is ${code}`
+      );
+    } else if (type === 'phone') {
+      sent = await sendSms(identifier, `Your ${process.env.APP_NAME} verification code: ${code}`);
+    }
+    if (!sent) {
+      return { errorCode: 'SEND_FAILED', status: 500 };
+    }
+    await Otp.create({ identifier, code, type, purpose, target: target ? new db.mongoose.Types.ObjectId(target) : null, challengeId });
+    return { success: true, challengeId };
+  }
+  async function verifyOtp({ challengeId, code, target = null }) {
+    const otp = await Otp.findOneAndUpdate(
+      {
+        challengeId,
+        verifiedAt: null,
+        invalidatedAt: null,
+        createdAt: { $gt: new Date(Date.now() - 10 * 60 * 1000) },
+        attempts: { $lt: MAX_ATTEMPTS },
+        ...(target && { target: new db.mongoose.Types.ObjectId(target) })
+      },
+      { $inc: { attempts: 1 } },
+      { new: true }
+    );
+    if (!otp) {
+      return { errorCode: 'CODE_NOT_FOUND' };
+    }
+    if (otp.code !== code) {
+      return { errorCode: 'INVALID_CODE', attemptsLeft: MAX_ATTEMPTS - otp.attempts };
+    }
+    const consumed = await Otp.findOneAndUpdate(
+      { _id: otp._id, verifiedAt: null, attempts: { $lte: MAX_ATTEMPTS } },
+      { verifiedAt: new Date() }
+    );
+    if (!consumed) {
+      return { errorCode: 'ALREADY_USED' };
+    }
+    return { valid: true };
+  }
+  instance = { sendOtp, verifyOtp };
+  return instance;
+}
+export function getOtpService() {
+  if (!instance) {
+    throw new Error('OTP service not initialized. Call initOtpService(db) first.');
+  }
+  return instance;
+}
+export default { initOtpService, getOtpService };