@restingowlorg/owlauth 1.0.1

package/dist/services/auth.service.test.js

@@ -0,0 +1,297 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const auth_service_1 = require("./auth.service");
+const core_1 = require("@zxcvbn-ts/core");
+const pwned_passwords_1 = require("../infra/security/pwned-passwords");
+const check_blocked_passwords_1 = require("../utils/check-blocked-passwords");
+// Mock dependencies
+jest.mock("@zxcvbn-ts/core");
+jest.mock("../infra/security/pwned-passwords");
+jest.mock("../utils/check-blocked-passwords");
+describe("AuthService", () => {
+    let authService;
+    let mockUserRepo;
+    let mockCrypto;
+    let mockLogger;
+    beforeEach(() => {
+        mockUserRepo = {
+            findById: jest.fn(),
+            findByEmail: jest.fn(),
+            findByUsername: jest.fn(),
+            create: jest.fn(),
+            updatePassword: jest.fn()
+        };
+        mockCrypto = {
+            hashPassword: jest.fn(),
+            verifyPassword: jest.fn(),
+            generateToken: jest.fn(),
+            hashToken: jest.fn(),
+            verifyToken: jest.fn()
+        };
+        mockLogger = {
+            audit: jest.fn(),
+            info: jest.fn(),
+            warn: jest.fn(),
+            error: jest.fn()
+        };
+        authService = new auth_service_1.AuthService(mockUserRepo, mockCrypto, mockLogger);
+    });
+    describe("signup", () => {
+        const signupData = {
+            email: "test@example.com",
+            username: "testuser",
+            password: "Password123!"
+        };
+        it("should successfully sign up a user", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: false });
+            mockUserRepo.findByUsername.mockResolvedValue(null);
+            mockUserRepo.findByEmail.mockResolvedValue(null);
+            mockCrypto.hashPassword.mockResolvedValue("hashed_password");
+            mockUserRepo.create.mockResolvedValue({
+                id: "1",
+                email: signupData.email,
+                username: signupData.username
+            });
+            const result = await authService.signup(signupData.email, signupData.username, signupData.password);
+            expect(result.success).toBe(true);
+            expect(result.httpCode).toBe(201);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "SIGNUP" }));
+        });
+        it("should fail if required fields are missing", async () => {
+            const result = await authService.signup("", "", "");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "SIGNUP_FAILURE" }));
+        });
+        it("should fail if username format is invalid", async () => {
+            const result = await authService.signup("test@example.com", "us", "Password123!");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "SIGNUP_FAILURE" }));
+        });
+        it("should fail if password contains blocked terms", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(true);
+            const result = await authService.signup(signupData.email, signupData.username, "blockedpassword");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+        });
+        it("should fail if password is too weak", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 1 });
+            const result = await authService.signup(signupData.email, signupData.username, "weak");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+        });
+        it("should fail if password is found in a data breach", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: true });
+            const result = await authService.signup(signupData.email, signupData.username, "breachedpassword");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+        });
+        it("should fail if username is already taken", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: false });
+            mockUserRepo.findByUsername.mockResolvedValue({ id: "1" });
+            const result = await authService.signup(signupData.email, signupData.username, signupData.password);
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+            expect(result.message).toBe("Username already taken.");
+        });
+        it("should fail if email is already registered", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: false });
+            mockUserRepo.findByUsername.mockResolvedValue(null);
+            mockUserRepo.findByEmail.mockResolvedValue({ id: "1" });
+            const result = await authService.signup(signupData.email, signupData.username, signupData.password);
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+            expect(result.message).toBe("Email already registered.");
+        });
+        it("should return 503 SERVICE_UNAVAILABLE if pwned check fails and pwnedPasswordFailClosed is true", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({
+                detected: false,
+                error: new Error("HIBP API Down")
+            });
+            const result = await authService.signup(signupData.email, signupData.username, signupData.password, { pwnedPasswordFailClosed: true });
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(503);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({
+                metadata: expect.objectContaining({
+                    reason: expect.stringContaining("Fail-Closed")
+                })
+            }));
+        });
+        it("should propagate correlationId to auditLogger during signup", async () => {
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: false });
+            mockUserRepo.findByUsername.mockResolvedValue(null);
+            mockUserRepo.findByEmail.mockResolvedValue(null);
+            mockCrypto.hashPassword.mockResolvedValue("hashed");
+            mockUserRepo.create.mockResolvedValue({
+                id: "1",
+                email: signupData.email,
+                username: signupData.username
+            });
+            const correlationId = "test-corr-id";
+            await authService.signup(signupData.email, signupData.username, signupData.password, {
+                correlationId
+            });
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ correlationId }));
+        });
+    });
+    describe("login", () => {
+        const loginData = {
+            email: "test@example.com",
+            password: "Password123!"
+        };
+        it("should successfully log in a user", async () => {
+            mockUserRepo.findByEmail.mockResolvedValue({
+                id: "1",
+                email: loginData.email,
+                password: "hashed_password"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(true);
+            const result = await authService.login(loginData.email, loginData.password);
+            expect(result.success).toBe(true);
+            expect(result.httpCode).toBe(200);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "LOGIN_SUCCESS" }));
+        });
+        it("should fail if credentials are missing", async () => {
+            const result = await authService.login("", "");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+        });
+        it("should fail if user not found", async () => {
+            mockUserRepo.findByEmail.mockResolvedValue(null);
+            const result = await authService.login(loginData.email, loginData.password);
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(401);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "LOGIN_FAILURE", metadata: { reason: "User not found" } }));
+        });
+        it("should fail if password does not match", async () => {
+            mockUserRepo.findByEmail.mockResolvedValue({
+                id: "1",
+                email: loginData.email,
+                password: "hashed_password"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(false);
+            const result = await authService.login(loginData.email, loginData.password);
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(401);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "LOGIN_FAILURE", metadata: { reason: "Invalid password" } }));
+        });
+        it("should propagate correlationId to auditLogger and error logs during login", async () => {
+            const email = "test@example.com";
+            const correlationId = "login-trace-id";
+            // 1. Audit log on failure
+            mockUserRepo.findByEmail.mockResolvedValue(null);
+            await authService.login(email, "pass", { correlationId });
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "LOGIN_FAILURE", correlationId }));
+            // 2. Error log on exception
+            const error = new Error("DB Error");
+            mockUserRepo.findByEmail.mockRejectedValue(error);
+            await authService.login(email, "pass", { correlationId });
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.error).toHaveBeenCalledWith("Login exception", error, { email }, correlationId);
+        });
+    });
+    describe("changePassword", () => {
+        const changePwdData = {
+            userId: "1",
+            currentPassword: "OldPassword123!",
+            newPassword: "NewPassword123!"
+        };
+        it("should successfully change password", async () => {
+            mockUserRepo.findById.mockResolvedValue({
+                id: "1",
+                email: "test@example.com",
+                username: "testuser",
+                password: "old_hashed_password"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(true);
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({ detected: false });
+            mockCrypto.hashPassword.mockResolvedValue("new_hashed_password");
+            mockUserRepo.updatePassword.mockResolvedValue(true);
+            const result = await authService.changePassword(changePwdData.userId, changePwdData.currentPassword, changePwdData.newPassword);
+            expect(result.success).toBe(true);
+            expect(result.httpCode).toBe(200);
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.audit).toHaveBeenCalledWith(expect.objectContaining({ type: "PASSWORD_CHANGE" }));
+        });
+        it("should fail if user not found", async () => {
+            mockUserRepo.findById.mockResolvedValue(null);
+            const result = await authService.changePassword("99", "pass", "newpass");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(404);
+        });
+        it("should fail if current password is incorrect", async () => {
+            mockUserRepo.findById.mockResolvedValue({
+                id: "1",
+                password: "hashed_password"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(false);
+            const result = await authService.changePassword("1", "wrong", "newpass");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(401);
+        });
+        it("should fail if new password is too weak", async () => {
+            mockUserRepo.findById.mockResolvedValue({
+                id: "1",
+                password: "hashed_password"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(true);
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 1 });
+            const result = await authService.changePassword("1", "old", "weak");
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(400);
+        });
+        it("should return 503 SERVICE_UNAVAILABLE during password change if fail-closed is enabled and check fails", async () => {
+            mockUserRepo.findById.mockResolvedValue({
+                id: "1",
+                email: "test@example.com",
+                username: "testuser",
+                password: "old"
+            });
+            mockCrypto.verifyPassword.mockResolvedValue(true);
+            check_blocked_passwords_1.containsBlockedPasswords.mockReturnValue(false);
+            core_1.zxcvbn.mockReturnValue({ score: 4 });
+            pwned_passwords_1.isBreachedPassword.mockResolvedValue({
+                detected: false,
+                error: new Error("Network Error")
+            });
+            const result = await authService.changePassword("1", "old", "new", {
+                pwnedPasswordFailClosed: true
+            });
+            expect(result.success).toBe(false);
+            expect(result.httpCode).toBe(503);
+        });
+        it("should propagate correlationId to all logs during password change", async () => {
+            const correlationId = "change-pwd-trace";
+            mockUserRepo.findById.mockRejectedValue(new Error("DB Error")); // Force exception for error log check
+            await authService.changePassword("1", "old", "new", { correlationId });
+            // eslint-disable-next-line @typescript-eslint/unbound-method
+            expect(mockLogger.error).toHaveBeenCalledWith(expect.any(String), expect.any(Error), undefined, correlationId);
+        });
+    });
+});

package/dist/services/magic-link.service.d.ts

@@ -0,0 +1,22 @@
+import { UserRepository, MagicLinkRepository } from "../repositories/contracts";
+import { ICryptoAdapter, IAuditLogger } from "../types";
+import { AuthResult, RequestMagicLinkResult, VerifyMagicLinkResult, ConsumeMagicLinkResult } from "../types/index";
+export declare class MagicLinkService {
+    private users;
+    private magicLinks;
+    private crypto;
+    private logger;
+    constructor(users: UserRepository, magicLinks: MagicLinkRepository, crypto: ICryptoAdapter, logger: IAuditLogger);
+    /** Request a magic link (passwordless login) */
+    request(email: string, options?: {
+        correlationId?: string;
+    }): Promise<AuthResult<RequestMagicLinkResult>>;
+    /** Verify a magic link token without consuming it */
+    verify(token: string, options?: {
+        correlationId?: string;
+    }): Promise<AuthResult<VerifyMagicLinkResult>>;
+    /** Consume a magic link token */
+    consume(token: string, options?: {
+        correlationId?: string;
+    }): Promise<AuthResult<ConsumeMagicLinkResult>>;
+}

package/dist/services/magic-link.service.js

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MagicLinkService = void 0;
+class MagicLinkService {
+    constructor(users, magicLinks, crypto, logger) {
+        this.users = users;
+        this.magicLinks = magicLinks;
+        this.crypto = crypto;
+        this.logger = logger;
+    }
+    /** Request a magic link (passwordless login) */
+    async request(email, options) {
+        try {
+            const user = await this.users.findByEmail(email);
+            if (!user) {
+                this.logger.audit({
+                    type: "MAGIC_LINK_FAILURE",
+                    email,
+                    metadata: { reason: "User not found" },
+                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+                });
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "User not found",
+                    httpCode: 404
+                };
+            }
+            const token = this.crypto.generateToken();
+            const tokenHash = await this.crypto.hashToken(token);
+            // invalidate existing tokens for this user
+            const invalidated = await this.magicLinks.invalidateByUserId(user.id);
+            if (!invalidated) {
+                this.logger.error("Failed to invalidate magic links", new Error("DB update failed"), undefined, options === null || options === void 0 ? void 0 : options.correlationId);
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "Failed to invalidate existing magic links",
+                    httpCode: 500
+                };
+            }
+            // create new token
+            const record = await this.magicLinks.create({
+                userId: user.id,
+                tokenHash,
+                expiresAt: new Date(Date.now() + 15 * 60 * 1000)
+            });
+            if (!record) {
+                this.logger.error("Failed to create magic link", new Error("DB insert failed"), undefined, options === null || options === void 0 ? void 0 : options.correlationId);
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "Failed to create magic link",
+                    httpCode: 500
+                };
+            }
+            this.logger.audit({
+                type: "MAGIC_LINK_REQUESTED",
+                email: user.email,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+            });
+            return {
+                success: true,
+                data: `${record.id}.${token}`,
+                message: "Magic link created",
+                httpCode: 200
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : "Unknown error";
+            this.logger.error("Magic link request exception", err, { email }, options === null || options === void 0 ? void 0 : options.correlationId);
+            return {
+                success: false,
+                data: undefined,
+                message: "Failed to request magic link: " + message,
+                httpCode: 500
+            };
+        }
+    }
+    /** Verify a magic link token without consuming it */
+    async verify(token, options) {
+        try {
+            const parts = token.split(".");
+            if (parts.length !== 2) {
+                this.logger.audit({
+                    type: "MAGIC_LINK_FAILURE",
+                    metadata: { reason: "Malformed token" },
+                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+                });
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "Invalid or malformed magic link token",
+                    httpCode: 400
+                };
+            }
+            const [tokenId, tokenValue] = parts;
+            const record = await this.magicLinks.findById(tokenId);
+            if (!record || record.usedAt || record.expiresAt.getTime() < Date.now()) {
+                this.logger.audit({
+                    type: "MAGIC_LINK_FAILURE",
+                    metadata: { reason: "Invalid or expired token" },
+                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+                });
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "Invalid or expired magic link",
+                    httpCode: 401
+                };
+            }
+            const match = await this.crypto.verifyToken(tokenValue, record.tokenHash);
+            if (!match) {
+                this.logger.audit({
+                    type: "MAGIC_LINK_FAILURE",
+                    metadata: { reason: "Token mismatch" },
+                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+                });
+                return {
+                    success: false,
+                    data: undefined,
+                    message: "Invalid or expired magic link",
+                    httpCode: 401
+                };
+            }
+            this.logger.audit({ type: "MAGIC_LINK_VERIFIED", correlationId: options === null || options === void 0 ? void 0 : options.correlationId });
+            return {
+                success: true,
+                data: { isValid: true, userId: String(record.userId), tokenId: String(record.id) },
+                message: "Magic link is valid",
+                httpCode: 200
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : "Unknown error";
+            this.logger.error("Magic link verify exception", err, undefined, options === null || options === void 0 ? void 0 : options.correlationId);
+            return {
+                success: false,
+                data: undefined,
+                message: "Failed to verify magic link: " + message,
+                httpCode: 500
+            };
+        }
+    }
+    /** Consume a magic link token */
+    async consume(token, options) {
+        try {
+            const verifyResult = await this.verify(token, options);
+            if (!verifyResult.success) {
+                return {
+                    success: false,
+                    data: undefined,
+                    message: verifyResult.message,
+                    httpCode: verifyResult.httpCode
+                };
+            }
+            const consumed = await this.magicLinks.consume(verifyResult.data.tokenId);
+            if (!consumed) {
+                this.logger.error("Failed to consume magic link", new Error("DB update failed"), undefined, options === null || options === void 0 ? void 0 : options.correlationId);
+                this.logger.audit({
+                    type: "MAGIC_LINK_FAILURE",
+                    metadata: { reason: "Token already used" },
+                    correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+                });
+                return {
+                    success: false,
+                    message: "Magic link already used",
+                    httpCode: 401
+                };
+            }
+            this.logger.audit({ type: "MAGIC_LINK_CONSUMED", correlationId: options === null || options === void 0 ? void 0 : options.correlationId });
+            this.logger.audit({
+                type: "LOGIN_SUCCESS",
+                metadata: { method: "magic-link" },
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId
+            });
+            return {
+                success: true,
+                data: { userId: verifyResult.data.userId },
+                message: "Magic link consumed",
+                httpCode: 200
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : "Unknown error";
+            this.logger.error("Magic link consume exception", err, undefined, options === null || options === void 0 ? void 0 : options.correlationId);
+            return {
+                success: false,
+                data: undefined,
+                message: "Failed to consume magic link: " + message,
+                httpCode: 500
+            };
+        }
+    }
+}
+exports.MagicLinkService = MagicLinkService;

package/dist/services/magic-link.service.test.d.ts

@@ -0,0 +1 @@
+export {};