@skroz/profile-api 1.0.18 → 1.0.20

package/dist/oauth/AppleOauth.d.ts

@@ -7,6 +7,7 @@ interface AppleOauthConfig {
 }
 export declare class AppleOauth implements OAuthProvider {
     private config;
+    readonly trustedEmail = true;
     constructor(config: AppleOauthConfig);
     exchangeCode(code: string): Promise<OAuthProfile>;
 }

package/dist/oauth/AppleOauth.js

@@ -47,6 +47,9 @@ function decodeJwtPayload(token) {
 class AppleOauth {
     constructor(config) {
         this.config = config;
+        // Apple provides email only on first authorization. On subsequent logins email will be null,
+        // so confirmation flags are only set when email is actually present in the profile.
+        this.trustedEmail = true;
     }
     exchangeCode(code) {
         return __awaiter(this, void 0, void 0, function* () {

package/dist/oauth/GoogleOauth.d.ts

@@ -6,6 +6,7 @@ interface GoogleOauthConfig {
 }
 export declare class GoogleOauth implements OAuthProvider {
     private config;
+    readonly trustedEmail = true;
     constructor(config: GoogleOauthConfig);
     exchangeCode(code: string): Promise<OAuthProfile>;
 }

package/dist/oauth/GoogleOauth.js

@@ -17,6 +17,7 @@ const isomorphic_unfetch_1 = __importDefault(require("isomorphic-unfetch"));
 class GoogleOauth {
     constructor(config) {
         this.config = config;
+        this.trustedEmail = true;
     }
     exchangeCode(code) {
         return __awaiter(this, void 0, void 0, function* () {

package/dist/oauth/MailOauth.d.ts

@@ -6,6 +6,7 @@ interface MailOauthConfig {
 }
 export declare class MailOauth implements OAuthProvider {
     private config;
+    readonly trustedEmail = true;
     constructor(config: MailOauthConfig);
     exchangeCode(code: string): Promise<OAuthProfile>;
 }

package/dist/oauth/MailOauth.js

@@ -18,6 +18,7 @@ const crypto_1 = __importDefault(require("crypto"));
 class MailOauth {
     constructor(config) {
         this.config = config;
+        this.trustedEmail = true;
     }
     exchangeCode(code) {
         return __awaiter(this, void 0, void 0, function* () {

package/dist/oauth/OAuthProvider.d.ts

@@ -6,4 +6,12 @@ export interface OAuthProfile {
 }
 export interface OAuthProvider {
     exchangeCode(code: string): Promise<OAuthProfile>;
+    /**
+     * Whether this provider verifies the user's email address.
+     * When true, isEmailConfirmed and isEmailNotificationEnabled are automatically
+     * set to true upon login/registration via this provider.
+     *
+     * Set to false for providers that do not supply a verified email (e.g. Telegram).
+     */
+    readonly trustedEmail: boolean;
 }

package/dist/oauth/VKOauth.d.ts

@@ -6,6 +6,7 @@ interface VKOauthConfig {
 }
 export declare class VKOauth implements OAuthProvider {
     private config;
+    readonly trustedEmail = true;
     constructor(config: VKOauthConfig);
     exchangeCode(code: string): Promise<OAuthProfile>;
 }

package/dist/oauth/VKOauth.js

@@ -17,6 +17,9 @@ const isomorphic_unfetch_1 = __importDefault(require("isomorphic-unfetch"));
 class VKOauth {
     constructor(config) {
         this.config = config;
+        // VK returns email only if the user has a confirmed email in their account and grants access.
+        // If email is absent, trustedEmail guard in the resolver prevents setting confirmation flags.
+        this.trustedEmail = true;
     }
     exchangeCode(code) {
         return __awaiter(this, void 0, void 0, function* () {

package/dist/oauth/YandexOauth.d.ts

@@ -5,6 +5,7 @@ interface YandexOauthConfig {
 }
 export declare class YandexOauth implements OAuthProvider {
     private config;
+    readonly trustedEmail = true;
     constructor(config: YandexOauthConfig);
     exchangeCode(code: string): Promise<OAuthProfile>;
 }

package/dist/oauth/YandexOauth.js

@@ -17,6 +17,7 @@ const isomorphic_unfetch_1 = __importDefault(require("isomorphic-unfetch"));
 class YandexOauth {
     constructor(config) {
         this.config = config;
+        this.trustedEmail = true;
     }
     exchangeCode(code) {
         return __awaiter(this, void 0, void 0, function* () {

package/dist/resolvers/createOauthResolver.d.ts

@@ -1,12 +1,22 @@
 import { ProfileAuthService } from '../services/ProfileAuthService';
 import { OAuthProvider } from '../oauth/OAuthProvider';
 import { ProfileContext } from '../types';
+type RedisClient = {
+    get(key: string): Promise<string | null>;
+    setex(key: string, ttl: number, value: string): Promise<any>;
+    del(key: string): Promise<any>;
+};
 export interface OauthResolverDependencies<TContext extends ProfileContext = ProfileContext> {
     authService: ProfileAuthService | ((ctx: TContext) => ProfileAuthService);
     userType: any;
     providers: Record<string, OAuthProvider>;
     telegramBotToken?: string;
+    /** Имя Telegram-бота (без @) для авторизации через бота (bot deep link) */
+    telegramBotName?: string;
+    /** Redis-клиент для авторизации через бота */
+    redis?: RedisClient;
     onUserCreated?: (user: any, ctx: TContext) => Promise<void>;
     onLogin?: (user: any, ctx: TContext) => Promise<void>;
 }
 export declare function createOauthResolver<TContext extends ProfileContext = ProfileContext>(deps: OauthResolverDependencies<TContext>): any;
+export {};

package/dist/resolvers/createOauthResolver.js

@@ -40,6 +40,36 @@ const crypto_1 = __importDefault(require("crypto"));
 const nanoid_1 = require("nanoid");
 const type_graphql_1 = require("type-graphql");
 const OauthInput_1 = require("../dto/OauthInput");
+// Префикс Redis-ключей намеренно длинный, чтобы исключить коллизии с любыми
+// другими ключами в том же Redis-инстансе.
+const TELEGRAM_BOT_AUTH_REDIS_PREFIX = 'skroz:profile:tgbotauth';
+const TELEGRAM_BOT_AUTH_TOKEN_TTL_SECONDS = 300; // 5 минут
+let TelegramBotAuthLinkPayload = class TelegramBotAuthLinkPayload {
+};
+__decorate([
+    (0, type_graphql_1.Field)(),
+    __metadata("design:type", String)
+], TelegramBotAuthLinkPayload.prototype, "token", void 0);
+__decorate([
+    (0, type_graphql_1.Field)(),
+    __metadata("design:type", String)
+], TelegramBotAuthLinkPayload.prototype, "url", void 0);
+TelegramBotAuthLinkPayload = __decorate([
+    (0, type_graphql_1.ObjectType)()
+], TelegramBotAuthLinkPayload);
+let TelegramBotAuthConfirmResult = class TelegramBotAuthConfirmResult {
+};
+__decorate([
+    (0, type_graphql_1.Field)(),
+    __metadata("design:type", Boolean)
+], TelegramBotAuthConfirmResult.prototype, "confirmed", void 0);
+__decorate([
+    (0, type_graphql_1.Field)(),
+    __metadata("design:type", Boolean)
+], TelegramBotAuthConfirmResult.prototype, "expired", void 0);
+TelegramBotAuthConfirmResult = __decorate([
+    (0, type_graphql_1.ObjectType)()
+], TelegramBotAuthConfirmResult);
 function validateTelegramHash(data, botToken) {
     const { hash } = data, rest = __rest(data, ["hash"]);
     const sorted = Object.keys(rest)
@@ -55,7 +85,7 @@ function validateTelegramHash(data, botToken) {
     return hmac === hash;
 }
 function createOauthResolver(deps) {
-    const { authService, userType, providers, telegramBotToken, onUserCreated, onLogin, } = deps;
+    const { authService, userType, providers, telegramBotToken, telegramBotName, redis, onUserCreated, onLogin, } = deps;
     const getAuthService = (ctx) => {
         if (typeof authService === 'function')
             return authService(ctx);
@@ -114,6 +144,12 @@ function createOauthResolver(deps) {
                         yield service.db.updateUserProviderId(user.id, input.provider, profile.providerId);
                         isNew = true;
                     }
+                    // Auto-confirm email for trusted providers when email is present
+                    if (provider.trustedEmail && profile.email && (!user.isEmailConfirmed || !user.isEmailNotificationEnabled)) {
+                        user.isEmailConfirmed = true;
+                        user.isEmailNotificationEnabled = true;
+                        yield user.save();
+                    }
                 }
                 if (user.isBanned)
                     throw new Error('User is banned');
@@ -130,6 +166,50 @@ function createOauthResolver(deps) {
                 return user;
             });
         }
+        generateTelegramAuthToken() {
+            return __awaiter(this, void 0, void 0, function* () {
+                if (!telegramBotName)
+                    throw new Error('telegramBotName is not configured');
+                if (!redis)
+                    throw new Error('redis is not configured');
+                const token = (0, nanoid_1.nanoid)(32);
+                const redisKey = `${TELEGRAM_BOT_AUTH_REDIS_PREFIX}:${token}`;
+                yield redis.setex(redisKey, TELEGRAM_BOT_AUTH_TOKEN_TTL_SECONDS, 'pending');
+                const url = `https://t.me/${telegramBotName}?start=tgauth_${token}`;
+                return { token, url };
+            });
+        }
+        confirmTelegramAuthToken(token, ctx) {
+            return __awaiter(this, void 0, void 0, function* () {
+                if (!redis)
+                    throw new Error('redis is not configured');
+                const redisKey = `${TELEGRAM_BOT_AUTH_REDIS_PREFIX}:${token}`;
+                const val = yield redis.get(redisKey);
+                if (!val) {
+                    return { confirmed: false, expired: true };
+                }
+                if (val === 'pending') {
+                    return { confirmed: false, expired: false };
+                }
+                const userId = parseInt(val, 10);
+                if (Number.isNaN(userId)) {
+                    return { confirmed: false, expired: true };
+                }
+                const service = getAuthService(ctx);
+                const user = yield service.db.findUserById(userId);
+                if (!user) {
+                    return { confirmed: false, expired: true };
+                }
+                const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+                yield ctx.req.session.create({
+                    userId: user.id,
+                    ip: ctx.req.ip,
+                    userAgent: userAgent.slice(0, 500),
+                });
+                yield redis.del(redisKey);
+                return { confirmed: true, expired: false };
+            });
+        }
     };
     __decorate([
         (0, type_graphql_1.Mutation)(() => userType),
@@ -139,6 +219,20 @@ function createOauthResolver(deps) {
         __metadata("design:paramtypes", [OauthInput_1.OauthLoginInput, Object]),
         __metadata("design:returntype", Promise)
     ], OauthResolver.prototype, "oauthLogin", null);
+    __decorate([
+        (0, type_graphql_1.Mutation)(() => TelegramBotAuthLinkPayload),
+        __metadata("design:type", Function),
+        __metadata("design:paramtypes", []),
+        __metadata("design:returntype", Promise)
+    ], OauthResolver.prototype, "generateTelegramAuthToken", null);
+    __decorate([
+        (0, type_graphql_1.Mutation)(() => TelegramBotAuthConfirmResult),
+        __param(0, (0, type_graphql_1.Arg)('token')),
+        __param(1, (0, type_graphql_1.Ctx)()),
+        __metadata("design:type", Function),
+        __metadata("design:paramtypes", [String, Object]),
+        __metadata("design:returntype", Promise)
+    ], OauthResolver.prototype, "confirmTelegramAuthToken", null);
     OauthResolver = __decorate([
         (0, type_graphql_1.Resolver)(() => userType)
     ], OauthResolver);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skroz/profile-api",
-  "version": "1.0.18",
+  "version": "1.0.20",
   "license": "MIT",
   "repository": "git@gitlab.com:skroz/libs/utils.git",
   "main": "dist/index.js",
@@ -44,5 +44,5 @@
     "type-graphql": "^1.1.1",
     "typeorm": "^0.2.45"
   },
-  "gitHead": "a074f427f040b742ba51a9a23942893a3c3b2cf6"
+  "gitHead": "7613b73a6980c945cb2ef597747f74855bc2cbfb"
 }

package/src/oauth/AppleOauth.ts

@@ -43,6 +43,10 @@ function decodeJwtPayload(token: string): Record<string, any> {
 }
 
 export class AppleOauth implements OAuthProvider {
+  // Apple provides email only on first authorization. On subsequent logins email will be null,
+  // so confirmation flags are only set when email is actually present in the profile.
+  readonly trustedEmail = true;
+
   constructor(private config: AppleOauthConfig) {}
 
   async exchangeCode(code: string): Promise<OAuthProfile> {

package/src/oauth/GoogleOauth.ts

@@ -8,6 +8,8 @@ interface GoogleOauthConfig {
 }
 
 export class GoogleOauth implements OAuthProvider {
+  readonly trustedEmail = true;
+
   constructor(private config: GoogleOauthConfig) {}
 
   async exchangeCode(code: string): Promise<OAuthProfile> {

package/src/oauth/MailOauth.ts

@@ -9,6 +9,8 @@ interface MailOauthConfig {
 }
 
 export class MailOauth implements OAuthProvider {
+  readonly trustedEmail = true;
+
   constructor(private config: MailOauthConfig) {}
 
   async exchangeCode(code: string): Promise<OAuthProfile> {

package/src/oauth/OAuthProvider.ts

@@ -7,4 +7,12 @@ export interface OAuthProfile {
 
 export interface OAuthProvider {
   exchangeCode(code: string): Promise<OAuthProfile>;
+  /**
+   * Whether this provider verifies the user's email address.
+   * When true, isEmailConfirmed and isEmailNotificationEnabled are automatically
+   * set to true upon login/registration via this provider.
+   *
+   * Set to false for providers that do not supply a verified email (e.g. Telegram).
+   */
+  readonly trustedEmail: boolean;
 }

package/src/oauth/VKOauth.ts

@@ -8,6 +8,10 @@ interface VKOauthConfig {
 }
 
 export class VKOauth implements OAuthProvider {
+  // VK returns email only if the user has a confirmed email in their account and grants access.
+  // If email is absent, trustedEmail guard in the resolver prevents setting confirmation flags.
+  readonly trustedEmail = true;
+
   constructor(private config: VKOauthConfig) {}
 
   async exchangeCode(code: string): Promise<OAuthProfile> {

package/src/oauth/YandexOauth.ts

@@ -7,6 +7,8 @@ interface YandexOauthConfig {
 }
 
 export class YandexOauth implements OAuthProvider {
+  readonly trustedEmail = true;
+
   constructor(private config: YandexOauthConfig) {}
 
   async exchangeCode(code: string): Promise<OAuthProfile> {

package/src/resolvers/createOauthResolver.ts

@@ -1,11 +1,40 @@
 import crypto from 'crypto';
 import { nanoid } from 'nanoid';
-import { Arg, Ctx, Mutation, Resolver } from 'type-graphql';
+import { Arg, Ctx, Mutation, ObjectType, Field, Resolver } from 'type-graphql';
 import { ProfileAuthService } from '../services/ProfileAuthService';
 import { OAuthProvider } from '../oauth/OAuthProvider';
 import { OauthLoginInput, TelegramAuthData } from '../dto/OauthInput';
 import { ProfileContext } from '../types';
 
+// Префикс Redis-ключей намеренно длинный, чтобы исключить коллизии с любыми
+// другими ключами в том же Redis-инстансе.
+const TELEGRAM_BOT_AUTH_REDIS_PREFIX = 'skroz:profile:tgbotauth';
+const TELEGRAM_BOT_AUTH_TOKEN_TTL_SECONDS = 300; // 5 минут
+
+@ObjectType()
+class TelegramBotAuthLinkPayload {
+  @Field()
+  token!: string;
+
+  @Field()
+  url!: string;
+}
+
+@ObjectType()
+class TelegramBotAuthConfirmResult {
+  @Field()
+  confirmed!: boolean;
+
+  @Field()
+  expired!: boolean;
+}
+
+type RedisClient = {
+  get(key: string): Promise<string | null>;
+  setex(key: string, ttl: number, value: string): Promise<any>;
+  del(key: string): Promise<any>;
+};
+
 export interface OauthResolverDependencies<
   TContext extends ProfileContext = ProfileContext
 > {
@@ -13,6 +42,10 @@ export interface OauthResolverDependencies<
   userType: any;
   providers: Record<string, OAuthProvider>;
   telegramBotToken?: string;
+  /** Имя Telegram-бота (без @) для авторизации через бота (bot deep link) */
+  telegramBotName?: string;
+  /** Redis-клиент для авторизации через бота */
+  redis?: RedisClient;
   onUserCreated?: (user: any, ctx: TContext) => Promise<void>;
   onLogin?: (user: any, ctx: TContext) => Promise<void>;
 }
@@ -43,6 +76,8 @@ export function createOauthResolver<
     userType,
     providers,
     telegramBotToken,
+    telegramBotName,
+    redis,
     onUserCreated,
     onLogin,
   } = deps;
@@ -114,6 +149,13 @@ export function createOauthResolver<
           await service.db.updateUserProviderId(user.id, input.provider, profile.providerId);
           isNew = true;
         }
+
+        // Auto-confirm email for trusted providers when email is present
+        if (provider.trustedEmail && profile.email && (!user.isEmailConfirmed || !user.isEmailNotificationEnabled)) {
+          user.isEmailConfirmed = true;
+          user.isEmailNotificationEnabled = true;
+          await user.save();
+        }
       }
 
       if (user.isBanned) throw new Error('User is banned');
@@ -130,6 +172,58 @@ export function createOauthResolver<
 
       return user;
     }
+
+    @Mutation(() => TelegramBotAuthLinkPayload)
+    async generateTelegramAuthToken(): Promise<TelegramBotAuthLinkPayload> {
+      if (!telegramBotName) throw new Error('telegramBotName is not configured');
+      if (!redis) throw new Error('redis is not configured');
+
+      const token = nanoid(32);
+      const redisKey = `${TELEGRAM_BOT_AUTH_REDIS_PREFIX}:${token}`;
+      await redis.setex(redisKey, TELEGRAM_BOT_AUTH_TOKEN_TTL_SECONDS, 'pending');
+      const url = `https://t.me/${telegramBotName}?start=tgauth_${token}`;
+      return { token, url };
+    }
+
+    @Mutation(() => TelegramBotAuthConfirmResult)
+    async confirmTelegramAuthToken(
+      @Arg('token') token: string,
+      @Ctx() ctx: TContext
+    ): Promise<TelegramBotAuthConfirmResult> {
+      if (!redis) throw new Error('redis is not configured');
+
+      const redisKey = `${TELEGRAM_BOT_AUTH_REDIS_PREFIX}:${token}`;
+      const val = await redis.get(redisKey);
+
+      if (!val) {
+        return { confirmed: false, expired: true };
+      }
+
+      if (val === 'pending') {
+        return { confirmed: false, expired: false };
+      }
+
+      const userId = parseInt(val, 10);
+      if (Number.isNaN(userId)) {
+        return { confirmed: false, expired: true };
+      }
+
+      const service = getAuthService(ctx);
+      const user = await service.db.findUserById(userId);
+      if (!user) {
+        return { confirmed: false, expired: true };
+      }
+
+      const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+      await ctx.req.session.create({
+        userId: user.id,
+        ip: ctx.req.ip,
+        userAgent: userAgent.slice(0, 500),
+      });
+      await redis.del(redisKey);
+
+      return { confirmed: true, expired: false };
+    }
   }
 
   return OauthResolver;