@rovela-ai/sdk 0.4.1 → 0.4.2

package/dist/auth/server/password-reset-service.js

@@ -0,0 +1,203 @@
+/**
+ * @rovela/sdk/auth/server/password-reset-service
+ *
+ * Password reset token management.
+ * Handles creating, validating, and using reset tokens.
+ * Each store has its own database (via Neon branches) - no tenant isolation needed.
+ */
+import { eq, lt } from 'drizzle-orm';
+import { nanoid } from 'nanoid';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { findCustomerByEmail, updateCustomerPassword } from './customer-service';
+import { sendPasswordResetEmail, getStoreUrl } from '../../emails';
+// =============================================================================
+// Constants
+// =============================================================================
+/**
+ * Password reset token expiry time in milliseconds (1 hour).
+ * Shorter than verification tokens for security.
+ */
+const TOKEN_EXPIRY_MS = 60 * 60 * 1000;
+/**
+ * Token length (URL-safe).
+ */
+const TOKEN_LENGTH = 32;
+// =============================================================================
+// Token Management
+// =============================================================================
+/**
+ * Request a password reset for a customer.
+ * Creates a token and sends reset email.
+ *
+ * Note: Always returns success to prevent email enumeration attacks.
+ *
+ * @param email - Customer email address
+ * @returns Always returns success (security best practice)
+ *
+ * @example
+ * ```typescript
+ * const result = await requestPasswordReset('customer@example.com')
+ * // Always show "If an account exists, we've sent a reset email"
+ * ```
+ */
+export async function requestPasswordReset(email) {
+    // Find customer by email
+    const customer = await findCustomerByEmail(email);
+    if (!customer) {
+        // Don't reveal if email exists - return success anyway
+        return { success: true };
+    }
+    // Delete any existing reset tokens for this customer
+    await deletePasswordResetTokens(customer.id);
+    // Generate new token
+    const db = getDb();
+    const token = nanoid(TOKEN_LENGTH);
+    const expires = new Date(Date.now() + TOKEN_EXPIRY_MS);
+    await db.insert(schema.customerPasswordResetTokens).values({
+        customerId: customer.id,
+        token,
+        expires,
+    });
+    // Send reset email
+    try {
+        const resetLink = `${getStoreUrl()}/auth/reset-password?token=${token}`;
+        await sendPasswordResetEmail({
+            to: email,
+            customerName: customer.name || email.split('@')[0],
+            resetLink,
+            expiryTime: '1',
+        });
+    }
+    catch (error) {
+        console.error('[Auth Reset] Failed to send password reset email:', error);
+        // Don't fail the request if email fails - still return success for security
+    }
+    return { success: true };
+}
+/**
+ * Validate a password reset token.
+ * Does NOT consume the token - use resetPassword() for that.
+ *
+ * @param token - Reset token from email link
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = await validateResetToken(token)
+ * if (result.valid) {
+ *   // Show password reset form
+ * } else {
+ *   // Show error message
+ * }
+ * ```
+ */
+export async function validateResetToken(token) {
+    const db = getDb();
+    // Find the token
+    const [tokenRecord] = await db
+        .select()
+        .from(schema.customerPasswordResetTokens)
+        .where(eq(schema.customerPasswordResetTokens.token, token))
+        .limit(1);
+    if (!tokenRecord) {
+        return {
+            valid: false,
+            error: 'Invalid or expired reset link. Please request a new one.',
+        };
+    }
+    // Check if token has expired
+    if (new Date() > tokenRecord.expires) {
+        // Clean up expired token
+        await db
+            .delete(schema.customerPasswordResetTokens)
+            .where(eq(schema.customerPasswordResetTokens.id, tokenRecord.id));
+        return {
+            valid: false,
+            error: 'Reset link has expired. Please request a new one.',
+        };
+    }
+    return { valid: true };
+}
+/**
+ * Reset password using a token.
+ * Validates the token, updates the password, and deletes the token.
+ *
+ * @param token - Reset token from email link
+ * @param newPassword - New password (plain text, will be hashed)
+ * @returns Reset result
+ *
+ * @example
+ * ```typescript
+ * const result = await resetPassword(token, 'newSecurePassword123')
+ * if (result.success) {
+ *   // Redirect to login
+ * } else {
+ *   // Show error
+ * }
+ * ```
+ */
+export async function resetPassword(token, newPassword) {
+    const db = getDb();
+    // Find the token
+    const [tokenRecord] = await db
+        .select()
+        .from(schema.customerPasswordResetTokens)
+        .where(eq(schema.customerPasswordResetTokens.token, token))
+        .limit(1);
+    if (!tokenRecord) {
+        return {
+            success: false,
+            error: 'Invalid or expired reset link. Please request a new one.',
+        };
+    }
+    // Check if token has expired
+    if (new Date() > tokenRecord.expires) {
+        // Clean up expired token
+        await db
+            .delete(schema.customerPasswordResetTokens)
+            .where(eq(schema.customerPasswordResetTokens.id, tokenRecord.id));
+        return {
+            success: false,
+            error: 'Reset link has expired. Please request a new one.',
+        };
+    }
+    // Update the customer's password
+    await updateCustomerPassword(tokenRecord.customerId, newPassword);
+    // Delete all reset tokens for this customer
+    await db
+        .delete(schema.customerPasswordResetTokens)
+        .where(eq(schema.customerPasswordResetTokens.customerId, tokenRecord.customerId));
+    return { success: true };
+}
+/**
+ * Delete all password reset tokens for a customer.
+ *
+ * @param customerId - Customer UUID
+ *
+ * @example
+ * ```typescript
+ * await deletePasswordResetTokens(customerId)
+ * ```
+ */
+export async function deletePasswordResetTokens(customerId) {
+    const db = getDb();
+    await db
+        .delete(schema.customerPasswordResetTokens)
+        .where(eq(schema.customerPasswordResetTokens.customerId, customerId));
+}
+/**
+ * Clean up expired password reset tokens.
+ * Should be called periodically (e.g., via cron job).
+ *
+ * @returns Number of tokens deleted
+ */
+export async function cleanupExpiredResetTokens() {
+    const db = getDb();
+    const result = await db
+        .delete(schema.customerPasswordResetTokens)
+        .where(lt(schema.customerPasswordResetTokens.expires, new Date()))
+        .returning({ id: schema.customerPasswordResetTokens.id });
+    return result.length;
+}
+//# sourceMappingURL=password-reset-service.js.map

package/dist/auth/server/password-reset-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset-service.js","sourceRoot":"","sources":["../../../src/auth/server/password-reset-service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAA;AAChF,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAElE,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAEtC;;GAEG;AACH,MAAM,YAAY,GAAG,EAAE,CAAA;AAEvB,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAAa;IAGtD,yBAAyB;IACzB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAA;IAEjD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,uDAAuD;QACvD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED,qDAAqD;IACrD,MAAM,yBAAyB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;IAE5C,qBAAqB;IACrB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAClB,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,CAAA;IAClC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAA;IAEtD,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,MAAM,CAAC;QACzD,UAAU,EAAE,QAAQ,CAAC,EAAE;QACvB,KAAK;QACL,OAAO;KACR,CAAC,CAAA;IAEF,mBAAmB;IACnB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,GAAG,WAAW,EAAE,8BAA8B,KAAK,EAAE,CAAA;QACvE,MAAM,sBAAsB,CAAC;YAC3B,EAAE,EAAE,KAAK;YACT,YAAY,EAAE,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAClD,SAAS;YACT,UAAU,EAAE,GAAG;SAChB,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,mDAAmD,EAAE,KAAK,CAAC,CAAA;QACzE,4EAA4E;IAC9E,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,KAAa;IAIpD,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,iBAAiB;IACjB,MAAM,CAAC,WAAW,CAAC,GAAG,MAAM,EAAE;SAC3B,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,2BAA2B,CAAC;SACxC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;SAC1D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,0DAA0D;SAClE,CAAA;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI,IAAI,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC;QACrC,yBAAyB;QACzB,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC;aAC1C,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,CAAA;QAEnE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,mDAAmD;SAC3D,CAAA;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AACxB,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,WAAmB;IAKnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,iBAAiB;IACjB,MAAM,CAAC,WAAW,CAAC,GAAG,MAAM,EAAE;SAC3B,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,2BAA2B,CAAC;SACxC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;SAC1D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,0DAA0D;SAClE,CAAA;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI,IAAI,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC;QACrC,yBAAyB;QACzB,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC;aAC1C,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,CAAA;QAEnE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,mDAAmD;SAC3D,CAAA;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,sBAAsB,CAAC,WAAW,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;IAEjE,4CAA4C;IAC5C,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC;SAC1C,KAAK,CACJ,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,UAAU,EAAE,WAAW,CAAC,UAAU,CAAC,CAC1E,CAAA;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,UAAkB;IAElB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC;SAC1C,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAA;AACzE,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,MAAM,CAAC,2BAA2B,CAAC;SAC1C,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;SACjE,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,2BAA2B,CAAC,EAAE,EAAE,CAAC,CAAA;IAE3D,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}

package/dist/auth/server/password.d.ts

@@ -0,0 +1,58 @@
+/**
+ * @rovela/sdk/auth/server/password
+ *
+ * Password hashing and verification utilities.
+ * Uses bcryptjs with 12 salt rounds for security.
+ */
+/**
+ * Minimum password length required.
+ */
+export declare const MIN_PASSWORD_LENGTH = 8;
+/**
+ * Hash a password using bcrypt.
+ *
+ * @param password - Plain text password to hash
+ * @returns Hashed password string
+ *
+ * @example
+ * ```typescript
+ * const hash = await hashPassword('mySecurePassword123')
+ * // Store hash in database
+ * ```
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify a password against a hash.
+ *
+ * @param password - Plain text password to verify
+ * @param hashedPassword - Hashed password from database
+ * @returns True if password matches, false otherwise
+ *
+ * @example
+ * ```typescript
+ * const isValid = await verifyPassword('mySecurePassword123', storedHash)
+ * if (!isValid) {
+ *   throw new Error('Invalid password')
+ * }
+ * ```
+ */
+export declare function verifyPassword(password: string, hashedPassword: string): Promise<boolean>;
+/**
+ * Validate password strength.
+ *
+ * @param password - Password to validate
+ * @returns Object with valid flag and optional error message
+ *
+ * @example
+ * ```typescript
+ * const result = validatePassword('short')
+ * if (!result.valid) {
+ *   console.error(result.error) // "Password must be at least 8 characters"
+ * }
+ * ```
+ */
+export declare function validatePassword(password: string): {
+    valid: boolean;
+    error?: string;
+};
+//# sourceMappingURL=password.d.ts.map

package/dist/auth/server/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../../src/auth/server/password.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAcH;;GAEG;AACH,eAAO,MAAM,mBAAmB,IAAI,CAAA;AAMpC;;;;;;;;;;;GAWG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAElB;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAClD,KAAK,EAAE,OAAO,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAaA"}

package/dist/auth/server/password.js

@@ -0,0 +1,85 @@
+/**
+ * @rovela/sdk/auth/server/password
+ *
+ * Password hashing and verification utilities.
+ * Uses bcryptjs with 12 salt rounds for security.
+ */
+import bcrypt from 'bcryptjs';
+// =============================================================================
+// Constants
+// =============================================================================
+/**
+ * Number of salt rounds for bcrypt.
+ * 12 rounds provides a good balance of security and performance.
+ */
+const SALT_ROUNDS = 12;
+/**
+ * Minimum password length required.
+ */
+export const MIN_PASSWORD_LENGTH = 8;
+// =============================================================================
+// Password Hashing
+// =============================================================================
+/**
+ * Hash a password using bcrypt.
+ *
+ * @param password - Plain text password to hash
+ * @returns Hashed password string
+ *
+ * @example
+ * ```typescript
+ * const hash = await hashPassword('mySecurePassword123')
+ * // Store hash in database
+ * ```
+ */
+export async function hashPassword(password) {
+    return bcrypt.hash(password, SALT_ROUNDS);
+}
+/**
+ * Verify a password against a hash.
+ *
+ * @param password - Plain text password to verify
+ * @param hashedPassword - Hashed password from database
+ * @returns True if password matches, false otherwise
+ *
+ * @example
+ * ```typescript
+ * const isValid = await verifyPassword('mySecurePassword123', storedHash)
+ * if (!isValid) {
+ *   throw new Error('Invalid password')
+ * }
+ * ```
+ */
+export async function verifyPassword(password, hashedPassword) {
+    return bcrypt.compare(password, hashedPassword);
+}
+// =============================================================================
+// Password Validation
+// =============================================================================
+/**
+ * Validate password strength.
+ *
+ * @param password - Password to validate
+ * @returns Object with valid flag and optional error message
+ *
+ * @example
+ * ```typescript
+ * const result = validatePassword('short')
+ * if (!result.valid) {
+ *   console.error(result.error) // "Password must be at least 8 characters"
+ * }
+ * ```
+ */
+export function validatePassword(password) {
+    if (!password) {
+        return { valid: false, error: 'Password is required' };
+    }
+    if (password.length < MIN_PASSWORD_LENGTH) {
+        return {
+            valid: false,
+            error: `Password must be at least ${MIN_PASSWORD_LENGTH} characters`,
+        };
+    }
+    return { valid: true };
+}
+//# sourceMappingURL=password.js.map

package/dist/auth/server/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../../src/auth/server/password.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,MAAM,MAAM,UAAU,CAAA;AAE7B,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,WAAW,GAAG,EAAE,CAAA;AAEtB;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAA;AAEpC,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAgB,EAChB,cAAsB;IAEtB,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAA;AACjD,CAAC;AAED,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAI/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAA;IACxD,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAC1C,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,6BAA6B,mBAAmB,aAAa;SACrE,CAAA;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AACxB,CAAC"}

package/dist/auth/server/verification-service.d.ts

@@ -0,0 +1,88 @@
+/**
+ * @rovela/sdk/auth/server/verification-service
+ *
+ * Email verification token management.
+ * Handles creating, validating, and cleaning up verification tokens.
+ * Each store has its own database (via Neon branches) - no tenant isolation needed.
+ */
+/**
+ * Create a verification token for a customer.
+ * Deletes any existing tokens for the customer first.
+ *
+ * @param customerId - Customer UUID
+ * @returns The verification token
+ *
+ * @example
+ * ```typescript
+ * const token = await createVerificationToken(customerId)
+ * // Use token in verification email link
+ * ```
+ */
+export declare function createVerificationToken(customerId: string): Promise<string>;
+/**
+ * Verify email using a token.
+ * Marks the customer's email as verified if token is valid.
+ *
+ * @param token - Verification token from email link
+ * @returns Verification result
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyEmail(token)
+ * if (result.success) {
+ *   console.log('Email verified for customer:', result.customerId)
+ * } else {
+ *   console.error('Verification failed:', result.error)
+ * }
+ * ```
+ */
+export declare function verifyEmail(token: string): Promise<{
+    success: boolean;
+    customerId?: string;
+    error?: string;
+}>;
+/**
+ * Delete all verification tokens for a customer.
+ *
+ * @param customerId - Customer UUID
+ *
+ * @example
+ * ```typescript
+ * await deleteVerificationTokens(customerId)
+ * ```
+ */
+export declare function deleteVerificationTokens(customerId: string): Promise<void>;
+/**
+ * Resend verification email to a customer.
+ * Creates a new token and sends the email.
+ *
+ * @param email - Customer email address
+ * @returns Result with success status
+ *
+ * @example
+ * ```typescript
+ * const result = await resendVerificationEmail('customer@example.com')
+ * if (result.success) {
+ *   console.log('Verification email sent')
+ * }
+ * ```
+ */
+export declare function resendVerificationEmail(email: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+/**
+ * Check if a customer's email is verified.
+ *
+ * @param customerId - Customer UUID
+ * @returns True if email is verified
+ */
+export declare function isEmailVerified(customerId: string): Promise<boolean>;
+/**
+ * Clean up expired verification tokens.
+ * Should be called periodically (e.g., via cron job).
+ *
+ * @returns Number of tokens deleted
+ */
+export declare function cleanupExpiredTokens(): Promise<number>;
+//# sourceMappingURL=verification-service.d.ts.map

package/dist/auth/server/verification-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-service.d.ts","sourceRoot":"","sources":["../../../src/auth/server/verification-service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2BH;;;;;;;;;;;;GAYG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAiBjB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACxD,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAC,CA6CD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACpE,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAC,CAoCD;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC,CAS5D"}

package/dist/auth/server/verification-service.js

@@ -0,0 +1,231 @@
+/**
+ * @rovela/sdk/auth/server/verification-service
+ *
+ * Email verification token management.
+ * Handles creating, validating, and cleaning up verification tokens.
+ * Each store has its own database (via Neon branches) - no tenant isolation needed.
+ */
+import { eq, lt } from 'drizzle-orm';
+import { nanoid } from 'nanoid';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { findCustomerByEmail, markEmailVerified } from './customer-service';
+import { sendVerificationEmail, sendWelcomeEmail, getStoreUrl } from '../../emails';
+// =============================================================================
+// Constants
+// =============================================================================
+/**
+ * Verification token expiry time in milliseconds (24 hours).
+ */
+const TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000;
+/**
+ * Token length (URL-safe).
+ */
+const TOKEN_LENGTH = 32;
+// =============================================================================
+// Token Management
+// =============================================================================
+/**
+ * Create a verification token for a customer.
+ * Deletes any existing tokens for the customer first.
+ *
+ * @param customerId - Customer UUID
+ * @returns The verification token
+ *
+ * @example
+ * ```typescript
+ * const token = await createVerificationToken(customerId)
+ * // Use token in verification email link
+ * ```
+ */
+export async function createVerificationToken(customerId) {
+    const db = getDb();
+    // Delete any existing tokens for this customer
+    await deleteVerificationTokens(customerId);
+    // Generate new token
+    const token = nanoid(TOKEN_LENGTH);
+    const expires = new Date(Date.now() + TOKEN_EXPIRY_MS);
+    await db.insert(schema.customerVerificationTokens).values({
+        customerId,
+        token,
+        expires,
+    });
+    return token;
+}
+/**
+ * Verify email using a token.
+ * Marks the customer's email as verified if token is valid.
+ *
+ * @param token - Verification token from email link
+ * @returns Verification result
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyEmail(token)
+ * if (result.success) {
+ *   console.log('Email verified for customer:', result.customerId)
+ * } else {
+ *   console.error('Verification failed:', result.error)
+ * }
+ * ```
+ */
+export async function verifyEmail(token) {
+    const db = getDb();
+    // Find the token
+    const [tokenRecord] = await db
+        .select()
+        .from(schema.customerVerificationTokens)
+        .where(eq(schema.customerVerificationTokens.token, token))
+        .limit(1);
+    if (!tokenRecord) {
+        return {
+            success: false,
+            error: 'Invalid verification link. Please request a new one.',
+        };
+    }
+    // Check if token has expired
+    if (new Date() > tokenRecord.expires) {
+        // Clean up expired token
+        await db
+            .delete(schema.customerVerificationTokens)
+            .where(eq(schema.customerVerificationTokens.id, tokenRecord.id));
+        return {
+            success: false,
+            error: 'Verification link has expired. Please request a new one.',
+        };
+    }
+    // Mark customer email as verified
+    await markEmailVerified(tokenRecord.customerId);
+    // Delete the used token and any other tokens for this customer
+    await db
+        .delete(schema.customerVerificationTokens)
+        .where(eq(schema.customerVerificationTokens.customerId, tokenRecord.customerId));
+    // Send welcome email after verification
+    await sendWelcomeEmailInternal(tokenRecord.customerId);
+    return {
+        success: true,
+        customerId: tokenRecord.customerId,
+    };
+}
+/**
+ * Delete all verification tokens for a customer.
+ *
+ * @param customerId - Customer UUID
+ *
+ * @example
+ * ```typescript
+ * await deleteVerificationTokens(customerId)
+ * ```
+ */
+export async function deleteVerificationTokens(customerId) {
+    const db = getDb();
+    await db
+        .delete(schema.customerVerificationTokens)
+        .where(eq(schema.customerVerificationTokens.customerId, customerId));
+}
+/**
+ * Resend verification email to a customer.
+ * Creates a new token and sends the email.
+ *
+ * @param email - Customer email address
+ * @returns Result with success status
+ *
+ * @example
+ * ```typescript
+ * const result = await resendVerificationEmail('customer@example.com')
+ * if (result.success) {
+ *   console.log('Verification email sent')
+ * }
+ * ```
+ */
+export async function resendVerificationEmail(email) {
+    // Find customer by email
+    const customer = await findCustomerByEmail(email);
+    if (!customer) {
+        // Don't reveal if email exists - return success anyway
+        return { success: true };
+    }
+    // Check if already verified
+    if (customer.emailVerified) {
+        return {
+            success: false,
+            error: 'Email is already verified',
+        };
+    }
+    // Create new verification token
+    const token = await createVerificationToken(customer.id);
+    // Send verification email
+    try {
+        const verificationLink = `${getStoreUrl()}/auth/verify-email?token=${token}`;
+        await sendVerificationEmail({
+            to: email,
+            customerName: customer.name || email.split('@')[0],
+            verificationLink,
+            expiryTime: '24',
+        });
+        return { success: true };
+    }
+    catch {
+        return {
+            success: false,
+            error: 'Failed to send verification email. Please try again.',
+        };
+    }
+}
+/**
+ * Check if a customer's email is verified.
+ *
+ * @param customerId - Customer UUID
+ * @returns True if email is verified
+ */
+export async function isEmailVerified(customerId) {
+    const db = getDb();
+    const [customer] = await db
+        .select({ emailVerified: schema.customers.emailVerified })
+        .from(schema.customers)
+        .where(eq(schema.customers.id, customerId))
+        .limit(1);
+    return !!customer?.emailVerified;
+}
+/**
+ * Clean up expired verification tokens.
+ * Should be called periodically (e.g., via cron job).
+ *
+ * @returns Number of tokens deleted
+ */
+export async function cleanupExpiredTokens() {
+    const db = getDb();
+    const result = await db
+        .delete(schema.customerVerificationTokens)
+        .where(lt(schema.customerVerificationTokens.expires, new Date()))
+        .returning({ id: schema.customerVerificationTokens.id });
+    return result.length;
+}
+// =============================================================================
+// Internal Helpers
+// =============================================================================
+/**
+ * Send welcome email after successful email verification.
+ * Errors are logged but don't throw to prevent verification failure.
+ */
+async function sendWelcomeEmailInternal(customerId) {
+    try {
+        const db = getDb();
+        const [customer] = await db
+            .select({ email: schema.customers.email, name: schema.customers.name })
+            .from(schema.customers)
+            .where(eq(schema.customers.id, customerId))
+            .limit(1);
+        if (customer) {
+            await sendWelcomeEmail({
+                to: customer.email,
+                customerName: customer.name || customer.email.split('@')[0],
+            });
+        }
+    }
+    catch (error) {
+        // Log but don't throw - welcome email is not critical
+        console.error('[Auth Verification] Failed to send welcome email:', error);
+    }
+}
+//# sourceMappingURL=verification-service.js.map