@skroz/profile-api 1.0.16 → 1.0.18

package/dist/resolvers/createOauthResolver.js

@@ -0,0 +1,146 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOauthResolver = createOauthResolver;
+const crypto_1 = __importDefault(require("crypto"));
+const nanoid_1 = require("nanoid");
+const type_graphql_1 = require("type-graphql");
+const OauthInput_1 = require("../dto/OauthInput");
+function validateTelegramHash(data, botToken) {
+    const { hash } = data, rest = __rest(data, ["hash"]);
+    const sorted = Object.keys(rest)
+        .filter((k) => {
+        const value = rest[k];
+        return value !== undefined && value !== null && value !== '';
+    })
+        .sort()
+        .map((k) => `${k}=${rest[k]}`)
+        .join('\n');
+    const secret = crypto_1.default.createHash('sha256').update(botToken).digest();
+    const hmac = crypto_1.default.createHmac('sha256', secret).update(sorted).digest('hex');
+    return hmac === hash;
+}
+function createOauthResolver(deps) {
+    const { authService, userType, providers, telegramBotToken, onUserCreated, onLogin, } = deps;
+    const getAuthService = (ctx) => {
+        if (typeof authService === 'function')
+            return authService(ctx);
+        return authService;
+    };
+    let OauthResolver = class OauthResolver {
+        oauthLogin(input, ctx) {
+            return __awaiter(this, void 0, void 0, function* () {
+                const service = getAuthService(ctx);
+                let user;
+                let isNew = false;
+                if (input.provider === 'telegram') {
+                    if (!input.tgData)
+                        throw new Error('tgData is required for Telegram login');
+                    if (!telegramBotToken)
+                        throw new Error('Telegram bot token is not configured');
+                    if (!validateTelegramHash(input.tgData, telegramBotToken)) {
+                        throw new Error('Telegram auth verification failed');
+                    }
+                    user = yield service.db.findUserByTelegramId(input.tgData.id);
+                    if (!user) {
+                        const passwordHash = yield service.hashPassword((0, nanoid_1.nanoid)(20));
+                        user = yield service.db.createUser({
+                            email: null,
+                            passwordHash,
+                            isTempPassword: true,
+                        });
+                        yield service.db.updateUserProviderId(user.id, 'telegram', input.tgData.id);
+                        isNew = true;
+                    }
+                }
+                else {
+                    if (!input.code)
+                        throw new Error('code is required for OAuth login');
+                    const provider = providers[input.provider];
+                    if (!provider)
+                        throw new Error(`Unknown OAuth provider: ${input.provider}`);
+                    const profile = yield provider.exchangeCode(input.code);
+                    // 1. Find by provider ID
+                    user = yield service.db.findUserByProviderId(input.provider, profile.providerId);
+                    if (!user && profile.email) {
+                        // 2. Find by email — link provider ID to existing account
+                        user = yield service.db.findUserByEmail(profile.email);
+                        if (user) {
+                            yield service.db.updateUserProviderId(user.id, input.provider, profile.providerId);
+                        }
+                    }
+                    if (!user) {
+                        // 3. Create new user
+                        const passwordHash = yield service.hashPassword((0, nanoid_1.nanoid)(20));
+                        user = yield service.db.createUser({
+                            email: profile.email,
+                            passwordHash,
+                            isTempPassword: true,
+                        });
+                        yield service.db.updateUserProviderId(user.id, input.provider, profile.providerId);
+                        isNew = true;
+                    }
+                }
+                if (user.isBanned)
+                    throw new Error('User is banned');
+                const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+                yield ctx.req.session.create({
+                    userId: user.id,
+                    ip: ctx.req.ip,
+                    userAgent: userAgent.slice(0, 500),
+                });
+                if (isNew && onUserCreated)
+                    yield onUserCreated(user, ctx);
+                if (!isNew && onLogin)
+                    yield onLogin(user, ctx);
+                return user;
+            });
+        }
+    };
+    __decorate([
+        (0, type_graphql_1.Mutation)(() => userType),
+        __param(0, (0, type_graphql_1.Arg)('input')),
+        __param(1, (0, type_graphql_1.Ctx)()),
+        __metadata("design:type", Function),
+        __metadata("design:paramtypes", [OauthInput_1.OauthLoginInput, Object]),
+        __metadata("design:returntype", Promise)
+    ], OauthResolver.prototype, "oauthLogin", null);
+    OauthResolver = __decorate([
+        (0, type_graphql_1.Resolver)(() => userType)
+    ], OauthResolver);
+    return OauthResolver;
+}

package/dist/types/index.d.ts

@@ -19,10 +19,13 @@ export interface ProfileDbAdapter {
     findUserById(id: number): Promise<AuthUser | null>;
     findUserByTelegramId(telegramId: string): Promise<AuthUser | null>;
     createUser(data: {
-        email: string;
+        email?: string | null;
         passwordHash: string;
+        isTempPassword?: boolean;
     }): Promise<AuthUser>;
     isEmailTaken(email: string, excludeUserId?: number): Promise<boolean>;
+    findUserByProviderId(provider: string, id: string): Promise<AuthUser | null>;
+    updateUserProviderId(userId: number, provider: string, id: string): Promise<void>;
 }
 export interface ProfileAuthConfig {
     resendEmailLimitSeconds: number;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skroz/profile-api",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "license": "MIT",
   "repository": "git@gitlab.com:skroz/libs/utils.git",
   "main": "dist/index.js",
@@ -26,6 +26,7 @@
     "@os-team/session": "1.0.32",
     "argon2": "0.30.2",
     "class-validator": "0.13.2",
+    "isomorphic-unfetch": "4.0.2",
     "nanoid": "3.3.4",
     "pug": "3.0.2"
   },
@@ -43,5 +44,5 @@
     "type-graphql": "^1.1.1",
     "typeorm": "^0.2.45"
   },
-  "gitHead": "20236f7b5f15fc83912ce95bea870d52b7ac0667"
+  "gitHead": "a074f427f040b742ba51a9a23942893a3c3b2cf6"
 }

package/src/adapters/TypeOrmProfileAdapter.ts

@@ -20,11 +20,12 @@ export class TypeOrmProfileAdapter implements ProfileDbAdapter {
         return this.repo.findOne({ where: { telegramId } }) as Promise<AuthUser | null>;
     }
 
-    async createUser(data: { email: string; passwordHash: string }): Promise<AuthUser> {
+    async createUser(data: { email?: string | null; passwordHash: string; isTempPassword?: boolean }): Promise<AuthUser> {
         const user = this.repo.create({
-            email: data.email.toLowerCase(),
+            email: data.email ? data.email.toLowerCase() : null,
             password: data.passwordHash,
             isEmailConfirmed: false,
+            isTempPassword: data.isTempPassword ?? false,
         });
         return (await this.repo.save(user)) as AuthUser;
     }
@@ -37,4 +38,14 @@ export class TypeOrmProfileAdapter implements ProfileDbAdapter {
         const count = await this.repo.count({ where });
         return count > 0;
     }
+
+    async findUserByProviderId(provider: string, id: string): Promise<AuthUser | null> {
+        const field = `${provider}Id`;
+        return this.repo.findOne({ where: { [field]: id } }) as Promise<AuthUser | null>;
+    }
+
+    async updateUserProviderId(userId: number, provider: string, id: string): Promise<void> {
+        const field = `${provider}Id`;
+        await this.repo.update(userId, { [field]: id } as any);
+    }
 }

package/src/dto/OauthInput.ts

@@ -0,0 +1,37 @@
+import { Field, InputType } from 'type-graphql';
+
+@InputType()
+export class TelegramAuthData {
+  @Field()
+  public id!: string;
+
+  @Field()
+  public first_name!: string;
+
+  @Field({ nullable: true })
+  public last_name?: string;
+
+  @Field({ nullable: true })
+  public username?: string;
+
+  @Field({ nullable: true })
+  public photo_url?: string;
+
+  @Field()
+  public auth_date!: string;
+
+  @Field()
+  public hash!: string;
+}
+
+@InputType()
+export class OauthLoginInput {
+  @Field()
+  public provider!: string;
+
+  @Field({ nullable: true })
+  public code?: string;
+
+  @Field(() => TelegramAuthData, { nullable: true })
+  public tgData?: TelegramAuthData;
+}

package/src/dto/index.ts

@@ -14,3 +14,4 @@ export { default as UpdateEmailInput, updateEmailTransformers, updateEmailValida
 export { default as UpdateProfileInput, updateProfileTransformers, updateProfileValidators } from './UpdateProfileInput';
 export { default as SendTokenInput, sendTokenTransformers, sendTokenValidators } from './SendTokenInput';
 export { default as RecoverPasswordInput, recoverPasswordTransformers, recoverPasswordValidators } from './RecoverPasswordInput';
+export { OauthLoginInput, TelegramAuthData } from './OauthInput';

package/src/entities/TypeOrmBaseUser.ts

@@ -60,6 +60,21 @@ export abstract class TypeOrmBaseUser extends TypeORMBaseEntity {
     @Column({ type: 'varchar', nullable: true, unique: true })
     public telegramId!: string | null;
 
+    @Column({ type: 'varchar', nullable: true })
+    public googleId?: string | null;
+
+    @Column({ type: 'varchar', nullable: true })
+    public vkId?: string | null;
+
+    @Column({ type: 'varchar', nullable: true })
+    public yaId?: string | null;
+
+    @Column({ type: 'varchar', nullable: true })
+    public mailId?: string | null;
+
+    @Column({ type: 'varchar', nullable: true })
+    public appleId?: string | null;
+
     @Field(() => String, { nullable: true })
     @Column({ type: 'varchar', nullable: true })
     public avatar?: string | null;

package/src/index.ts

@@ -6,3 +6,5 @@ export * from './services/ProfileEmailService';
 export * from './dto';
 export * from './resolvers/AuthResolver';
 export * from './resolvers/ProfileResolver';
+export * from './resolvers/createOauthResolver';
+export * from './oauth';

package/src/oauth/AppleOauth.ts

@@ -0,0 +1,83 @@
+import fetch from 'isomorphic-unfetch';
+import crypto from 'crypto';
+import { OAuthProfile, OAuthProvider } from './OAuthProvider';
+
+interface AppleOauthConfig {
+  clientId: string;   // Services ID (e.g. ru.vikneska.web)
+  teamId: string;     // Apple Developer Team ID
+  keyId: string;      // Key ID from Apple Developer
+  privateKey: string; // PEM private key content (ES256)
+}
+
+function base64urlEncode(str: string | Buffer): string {
+  const buf = typeof str === 'string' ? Buffer.from(str) : str;
+  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function generateClientSecret(config: AppleOauthConfig): string {
+  const now = Math.floor(Date.now() / 1000);
+  const header = base64urlEncode(JSON.stringify({ alg: 'ES256', kid: config.keyId }));
+  const payload = base64urlEncode(JSON.stringify({
+    iss: config.teamId,
+    iat: now,
+    exp: now + 15777000, // ~6 months
+    aud: 'https://appleid.apple.com',
+    sub: config.clientId,
+  }));
+
+  const signingInput = `${header}.${payload}`;
+  const sign = crypto.createSign('SHA256');
+  sign.update(signingInput);
+  const signature = sign.sign(config.privateKey);
+  // Convert DER to base64url
+  const signatureBase64url = base64urlEncode(signature);
+
+  return `${signingInput}.${signatureBase64url}`;
+}
+
+function decodeJwtPayload(token: string): Record<string, any> {
+  const parts = token.split('.');
+  if (parts.length < 2) throw new Error('Invalid JWT');
+  const payload = Buffer.from(parts[1], 'base64').toString('utf8');
+  return JSON.parse(payload);
+}
+
+export class AppleOauth implements OAuthProvider {
+  constructor(private config: AppleOauthConfig) {}
+
+  async exchangeCode(code: string): Promise<OAuthProfile> {
+    const clientSecret = generateClientSecret(this.config);
+
+    const tokenResponse = await fetch('https://appleid.apple.com/auth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: this.config.clientId,
+        client_secret: clientSecret,
+        code,
+      }).toString(),
+    });
+
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.id_token) {
+      throw new Error(`Apple OAuth error: ${tokenData.error || 'no id_token'}`);
+    }
+
+    // Apple sends user data only on first authorization — decode from id_token
+    const idTokenPayload = decodeJwtPayload(tokenData.id_token);
+    const appleId = idTokenPayload.sub;
+
+    if (!appleId) {
+      throw new Error('Apple OAuth: failed to get user ID from id_token');
+    }
+
+    return {
+      providerId: appleId,
+      // Apple provides email only on first authorization
+      email: idTokenPayload.email || null,
+      name: null, // Apple does not provide name in id_token; handle via front-end form on first login
+      avatarUrl: null, // Apple does not provide avatar
+    };
+  }
+}

package/src/oauth/GoogleOauth.ts

@@ -0,0 +1,47 @@
+import fetch from 'isomorphic-unfetch';
+import { OAuthProfile, OAuthProvider } from './OAuthProvider';
+
+interface GoogleOauthConfig {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+}
+
+export class GoogleOauth implements OAuthProvider {
+  constructor(private config: GoogleOauthConfig) {}
+
+  async exchangeCode(code: string): Promise<OAuthProfile> {
+    const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        redirect_uri: this.config.redirectUri,
+        code,
+      }).toString(),
+    });
+
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.access_token) {
+      throw new Error(`Google OAuth error: ${tokenData.error_description || tokenData.error}`);
+    }
+
+    const userResponse = await fetch('https://www.googleapis.com/oauth2/v3/userinfo', {
+      headers: { Authorization: `Bearer ${tokenData.access_token}` },
+    });
+
+    const user = await userResponse.json();
+    if (!user.sub) {
+      throw new Error('Google OAuth: failed to get user profile');
+    }
+
+    return {
+      providerId: user.sub,
+      email: user.email || null,
+      name: user.name || null,
+      avatarUrl: user.picture || null,
+    };
+  }
+}

package/src/oauth/MailOauth.ts

@@ -0,0 +1,49 @@
+import fetch from 'isomorphic-unfetch';
+import crypto from 'crypto';
+import { OAuthProfile, OAuthProvider } from './OAuthProvider';
+
+interface MailOauthConfig {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+}
+
+export class MailOauth implements OAuthProvider {
+  constructor(private config: MailOauthConfig) {}
+
+  async exchangeCode(code: string): Promise<OAuthProfile> {
+    const tokenResponse = await fetch('https://connect.mail.ru/oauth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: `grant_type=authorization_code&client_id=${this.config.clientId}&client_secret=${this.config.clientSecret}&code=${code}&redirect_uri=${this.config.redirectUri}`,
+    });
+
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.access_token || !tokenData.x_mailru_vid) {
+      throw new Error(`Mail.ru OAuth error: ${tokenData.error_description || tokenData.error || 'no token'}`);
+    }
+
+    const mailRuId = tokenData.x_mailru_vid;
+
+    const sig = `app_id=${this.config.clientId}method=users.getInfosecure=1uids=${mailRuId}${this.config.clientSecret}`;
+    const md5Sig = crypto.createHash('md5').update(sig).digest('hex');
+    const infoUrl = `https://www.appsmail.ru/platform/api?sig=${md5Sig}&app_id=${this.config.clientId}&method=users.getInfo&secure=1&uids=${mailRuId}`;
+
+    const userResponse = await fetch(infoUrl);
+    const userData = await userResponse.json();
+    const user = Array.isArray(userData) ? userData[0] : null;
+
+    if (!user) {
+      throw new Error('Mail.ru OAuth: failed to get user profile');
+    }
+
+    const hasAvatar = user.has_pic === 1;
+
+    return {
+      providerId: String(mailRuId),
+      email: user.email || null,
+      name: user.first_name || null,
+      avatarUrl: hasAvatar ? user.pic_big : null,
+    };
+  }
+}

package/src/oauth/OAuthProvider.ts

@@ -0,0 +1,10 @@
+export interface OAuthProfile {
+  providerId: string;
+  email?: string | null;
+  name?: string | null;
+  avatarUrl?: string | null;
+}
+
+export interface OAuthProvider {
+  exchangeCode(code: string): Promise<OAuthProfile>;
+}

package/src/oauth/VKOauth.ts

@@ -0,0 +1,43 @@
+import fetch from 'isomorphic-unfetch';
+import { OAuthProfile, OAuthProvider } from './OAuthProvider';
+
+interface VKOauthConfig {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+}
+
+export class VKOauth implements OAuthProvider {
+  constructor(private config: VKOauthConfig) {}
+
+  async exchangeCode(code: string): Promise<OAuthProfile> {
+    const tokenResponse = await fetch(
+      `https://oauth.vk.com/access_token?client_id=${this.config.clientId}&client_secret=${this.config.clientSecret}&redirect_uri=${this.config.redirectUri}&code=${code}`
+    );
+
+    const tokenData = await tokenResponse.json();
+    if (tokenData.error) {
+      throw new Error(`VK OAuth error: ${tokenData.error_description || tokenData.error}`);
+    }
+    if (!tokenData.access_token || !tokenData.user_id) {
+      throw new Error('VK OAuth: failed to get access token');
+    }
+
+    const userResponse = await fetch(
+      `https://api.vk.com/method/users.get?user_ids=${tokenData.user_id}&fields=photo_200&access_token=${tokenData.access_token}&v=5.131`
+    );
+
+    const userData = await userResponse.json();
+    const user = userData.response?.[0];
+    if (!user) {
+      throw new Error('VK OAuth: failed to get user profile');
+    }
+
+    return {
+      providerId: String(tokenData.user_id),
+      email: tokenData.email || null,
+      name: user.first_name || null,
+      avatarUrl: user.photo_200 || null,
+    };
+  }
+}

package/src/oauth/YandexOauth.ts

@@ -0,0 +1,49 @@
+import fetch from 'isomorphic-unfetch';
+import { OAuthProfile, OAuthProvider } from './OAuthProvider';
+
+interface YandexOauthConfig {
+  clientId: string;
+  clientSecret: string;
+}
+
+export class YandexOauth implements OAuthProvider {
+  constructor(private config: YandexOauthConfig) {}
+
+  async exchangeCode(code: string): Promise<OAuthProfile> {
+    const tokenResponse = await fetch('https://oauth.yandex.ru/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: `grant_type=authorization_code&client_id=${this.config.clientId}&client_secret=${this.config.clientSecret}&code=${code}`,
+    });
+
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.access_token) {
+      throw new Error(`Yandex OAuth error: ${tokenData.error_description || tokenData.error}`);
+    }
+
+    const userResponse = await fetch('https://login.yandex.ru/info', {
+      method: 'POST',
+      headers: {
+        Authorization: `OAuth ${tokenData.access_token}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: 'format=json',
+    });
+
+    const user = await userResponse.json();
+    if (!user.id) {
+      throw new Error('Yandex OAuth: failed to get user profile');
+    }
+
+    const avatarUrl = !user.is_avatar_empty
+      ? `https://avatars.yandex.net/get-yapic/${user.default_avatar_id}/islands-200`
+      : null;
+
+    return {
+      providerId: String(user.id),
+      email: user.default_email || null,
+      name: user.first_name || null,
+      avatarUrl,
+    };
+  }
+}

package/src/oauth/index.ts

@@ -0,0 +1,6 @@
+export * from './OAuthProvider';
+export * from './GoogleOauth';
+export * from './VKOauth';
+export * from './YandexOauth';
+export * from './MailOauth';
+export * from './AppleOauth';

package/src/resolvers/ProfileResolver.ts

@@ -80,12 +80,14 @@ export function createProfileResolver<
       if (!user) throw new UnauthorizedError();
 
       const service = getAuthService(ctx);
-      const isOldPasswordOk = await service.verifyPassword(
-        user.password!,
-        input.oldPassword
-      );
-      if (!isOldPasswordOk)
-        throw new Error(t('validation:updatePassword.wrongPassword'));
+      if (!user.isTempPassword) {
+        const isOldPasswordOk = await service.verifyPassword(
+          user.password!,
+          input.oldPassword
+        );
+        if (!isOldPasswordOk)
+          throw new Error(t('validation:updatePassword.wrongPassword'));
+      }
 
       user.password = await service.hashPassword(input.password);
       user.isTempPassword = false;