@skroz/profile-api 1.0.5

package/src/entities/TypeOrmBaseUser.ts

@@ -0,0 +1,87 @@
+import {
+    Column,
+    CreateDateColumn,
+    PrimaryGeneratedColumn,
+    UpdateDateColumn,
+    BaseEntity as TypeORMBaseEntity,
+} from 'typeorm';
+import { Field, ID, ObjectType, GraphQLTimestamp } from 'type-graphql';
+
+@ObjectType({ isAbstract: true })
+export abstract class TypeOrmBaseUser extends TypeORMBaseEntity {
+    public static config = {
+        isOnlineSeconds: 60,
+        isOnlineRecentlySeconds: 300,
+    };
+
+    @Field(() => ID)
+    @PrimaryGeneratedColumn()
+    public id!: number;
+
+    @Field(() => GraphQLTimestamp)
+    @CreateDateColumn({ type: 'timestamptz' })
+    public createdAt!: Date;
+
+    @Field(() => GraphQLTimestamp)
+    @UpdateDateColumn({ type: 'timestamptz' })
+    public updatedAt!: Date;
+
+    @Column({ type: 'varchar', nullable: true, unique: true })
+    public email!: string | null;
+
+    @Column()
+    public password!: string;
+
+    @Column({ default: false })
+    public isTempPassword!: boolean;
+
+    @Column({ default: false })
+    public isEmailConfirmed!: boolean;
+
+    @Field(() => Boolean)
+    @Column({ default: true })
+    public isEmailNotificationEnabled!: boolean;
+
+    @Field(() => Boolean)
+    @Column({ default: true })
+    public isTelegramNotificationEnabled!: boolean;
+
+    @Field(() => Boolean)
+    @Column({ default: false })
+    public isBanned!: boolean;
+
+    @Field(() => Boolean)
+    @Column({ default: false })
+    public isDeleted!: boolean;
+
+    @Column({ type: 'varchar', nullable: true, unique: true })
+    public urlSlug?: string;
+
+    @Column({ type: 'varchar', nullable: true, unique: true })
+    public telegramId!: string | null;
+
+    @Field(() => String, { nullable: true })
+    @Column({ type: 'varchar', nullable: true })
+    public avatar?: string | null;
+
+    @Field(() => GraphQLTimestamp)
+    @Column({ type: 'timestamp', default: () => 'CURRENT_TIMESTAMP' })
+    public lastSeenAt!: Date;
+
+    public checkOnline(seconds: number): boolean {
+        if (!this.lastSeenAt) return false;
+        const filterDate = new Date();
+        filterDate.setSeconds(filterDate.getSeconds() - seconds);
+        return this.lastSeenAt > filterDate;
+    }
+
+    @Field(() => Boolean)
+    get isOnline(): boolean {
+        return this.checkOnline(TypeOrmBaseUser.config.isOnlineSeconds);
+    }
+
+    @Field(() => Boolean)
+    get isOnlineRecently(): boolean {
+        return this.checkOnline(TypeOrmBaseUser.config.isOnlineRecentlySeconds);
+    }
+}

package/src/index.ts

@@ -0,0 +1,8 @@
+export * from './types';
+export * from './adapters/TypeOrmProfileAdapter';
+export * from './entities/TypeOrmBaseUser';
+export * from './services/ProfileAuthService';
+export * from './services/ProfileEmailService';
+export * from './dto';
+export * from './resolvers/AuthResolver';
+export * from './resolvers/ProfileResolver';

package/src/resolvers/AuthResolver.ts

@@ -0,0 +1,195 @@
+import {
+    Arg,
+    Authorized,
+    Ctx,
+    Mutation,
+    Resolver,
+} from 'type-graphql';
+import { StatusPayload } from '@os-team/graphql-utils';
+import { TransformArgs } from '@os-team/graphql-transformers';
+import { ValidateArgs } from '@os-team/graphql-validators';
+import { ProfileAuthService, CONFIRMATION_REDIS_PREFIX, RECOVERY_REDIS_PREFIX } from '../services/ProfileAuthService';
+import { ProfileContext } from '../types';
+import {
+    RegisterInput, registerTransformers, registerValidators,
+    LoginInput, loginTransformers, loginValidators,
+    ConfirmEmailInput,
+    ForgotPasswordInput, forgotPasswordTransformers, forgotPasswordValidators,
+    RecoverPasswordInput, recoverPasswordTransformers, recoverPasswordValidators,
+    SendTokenPayload,
+    confirmEmailValidators
+} from '../dto';
+
+export interface AuthResolverDependencies<TContext extends ProfileContext = ProfileContext> {
+    authService: ProfileAuthService;
+    userType: any;
+    onUserCreated?: (user: any, ctx: TContext) => Promise<void>;
+    onLogin?: (user: any, ctx: TContext) => Promise<void>;
+    onLogout?: (user: any, ctx: TContext) => Promise<void>;
+    onEmailConfirmed?: (user: any, ctx: TContext) => Promise<void>;
+    onPasswordRecovered?: (user: any, ctx: TContext) => Promise<void>;
+    logTelegramBot?: { sendError: (msg: string) => Promise<any> };
+}
+
+export function createAuthResolver<TContext extends ProfileContext = ProfileContext>(deps: AuthResolverDependencies<TContext>) {
+    const {
+        authService,
+        onUserCreated,
+        onLogin,
+        onLogout,
+        onEmailConfirmed,
+        onPasswordRecovered,
+        logTelegramBot,
+        userType
+    } = deps;
+
+    @Resolver(() => userType)
+    class AuthResolver {
+        @TransformArgs(registerTransformers, { arg: 'input' })
+        @ValidateArgs(registerValidators, { arg: 'input', tKey: 'register' })
+        @Mutation(() => StatusPayload)
+        async register(@Arg('input') input: RegisterInput, @Ctx() ctx: TContext) {
+            const { t } = ctx;
+            if (await authService.db.isEmailTaken(input.email)) {
+                throw new Error(t('validation:auth.emailExists'));
+            }
+
+            const passwordHash = await authService.hashPassword(input.password);
+            const user = await authService.db.createUser({
+                email: input.email,
+                passwordHash,
+            });
+
+            if (onUserCreated) await onUserCreated(user, ctx);
+            if (logTelegramBot) await logTelegramBot.sendError(`Новый пользователь ${input.email}`);
+
+            // Создаем сессию
+            const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+            await ctx.req.session.create({
+                userId: user.id,
+                ip: ctx.req.ip,
+                userAgent: userAgent.slice(0, 500),
+            });
+
+            return { ok: true };
+        }
+
+        @TransformArgs(loginTransformers, { arg: 'input' })
+        @ValidateArgs(loginValidators, { arg: 'input', tKey: 'register' })
+        @Mutation(() => StatusPayload)
+        async login(@Arg('input') input: LoginInput, @Ctx() ctx: TContext) {
+            const { t } = ctx;
+            const user = await authService.db.findUserByEmail(input.email);
+            if (!user) throw new Error(t('validation:user.notFound'));
+
+            if (user.isBanned) throw new Error(t('validation:user.banned'));
+
+            const isPasswordOk = await authService.verifyPassword(user.password!, input.password);
+            if (!isPasswordOk) throw new Error(t('validation:login.wrongPassword'));
+
+            const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+            await ctx.req.session.create({
+                userId: user.id,
+                ip: ctx.req.ip,
+                userAgent: userAgent.slice(0, 500),
+            });
+
+            if (onLogin) await onLogin(user, ctx);
+            if (logTelegramBot) {
+                await logTelegramBot.sendError(
+                    `${user.email || user.urlSlug} вошел(ла) на сайт`
+                );
+            }
+
+            return { ok: true };
+        }
+
+        @Authorized()
+        @Mutation(() => StatusPayload)
+        async logout(@Ctx() ctx: TContext) {
+            const { user } = ctx;
+            if (onLogout) await onLogout(user, ctx);
+            if (logTelegramBot) {
+                await logTelegramBot.sendError(
+                    `${user && (user.email || user.urlSlug)} разлогинился(лась)`
+                );
+            }
+            await ctx.req.session.destroy();
+            return { ok: true };
+        }
+
+        @ValidateArgs(confirmEmailValidators, { arg: 'input', tKey: 'confirmEmail' })
+        @Mutation(() => StatusPayload)
+        async confirmEmail(@Arg('input') input: ConfirmEmailInput, @Ctx() ctx: TContext) {
+            const user = await authService.getUserByToken(CONFIRMATION_REDIS_PREFIX, input.token);
+            if (!user) throw new Error(ctx.t('validation:error.wrongCode'));
+
+            user.isEmailConfirmed = true;
+            await user.save();
+            await authService.removeTokenFromRedis(CONFIRMATION_REDIS_PREFIX, user, input.token);
+
+            const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+            await ctx.req.session.create({
+                userId: user.id,
+                ip: ctx.req.ip,
+                userAgent: userAgent.slice(0, 500),
+            });
+
+            if (onEmailConfirmed) await onEmailConfirmed(user, ctx);
+            if (logTelegramBot) {
+                await logTelegramBot.sendError(`${user.email || user.urlSlug} подтвердил(а) email`);
+            }
+
+            return { ok: true };
+        }
+
+        @TransformArgs(forgotPasswordTransformers, { arg: 'input' })
+        @ValidateArgs(forgotPasswordValidators, { arg: 'input', tKey: 'forgot' })
+        @Mutation(() => SendTokenPayload)
+        async forgotPassword(@Arg('input') input: ForgotPasswordInput, @Ctx() ctx: TContext) {
+            const { t } = ctx;
+            const user = await authService.db.findUserByEmail(input.email);
+            if (!user) throw new Error(t('validation:forgot.errors.notRegistered'));
+
+            const res = await authService.sendLink(user, 'recovery');
+
+            if (logTelegramBot) {
+                await logTelegramBot.sendError(`${user.email || user.urlSlug} запросил(а) восстановление пароля`);
+            }
+
+            return {
+                confirmationLinkIsSent: res.ok,
+                limitExpiresAt: res.limitExpiresAt,
+            };
+        }
+
+        @TransformArgs(recoverPasswordTransformers, { arg: 'input' })
+        @ValidateArgs(recoverPasswordValidators, { arg: 'input', tKey: 'recover' })
+        @Mutation(() => StatusPayload)
+        async recoverPassword(@Arg('input') input: RecoverPasswordInput, @Ctx() ctx: TContext) {
+            const user = await authService.getUserByToken(RECOVERY_REDIS_PREFIX, input.token);
+            if (!user) throw new Error(ctx.t('validation:error.wrongCode'));
+
+            user.password = await authService.hashPassword(input.password);
+            user.isTempPassword = false;
+            await user.save();
+            await authService.removeTokenFromRedis(RECOVERY_REDIS_PREFIX, user, input.token);
+
+            const userAgent = decodeURI(ctx.req.get('user-agent') || '');
+            await ctx.req.session.create({
+                userId: user.id,
+                ip: ctx.req.ip,
+                userAgent: userAgent.slice(0, 500),
+            });
+
+            if (onPasswordRecovered) await onPasswordRecovered(user, ctx);
+            if (logTelegramBot) {
+                await logTelegramBot.sendError(`${user.email || user.urlSlug} восстановил(а) пароль`);
+            }
+
+            return { ok: true };
+        }
+    }
+
+    return AuthResolver;
+}

package/src/resolvers/ProfileResolver.ts

@@ -0,0 +1,107 @@
+import {
+    Arg,
+    Authorized,
+    Ctx,
+    Mutation,
+    Resolver,
+    UnauthorizedError,
+} from 'type-graphql';
+import { StatusPayload } from '@os-team/graphql-utils';
+import { TransformArgs } from '@os-team/graphql-transformers';
+import { ValidateArgs } from '@os-team/graphql-validators';
+import { ProfileAuthService } from '../services/ProfileAuthService';
+import { ProfileContext } from '../types';
+import {
+    UpdateEmailInput, updateEmailTransformers, updateEmailValidators,
+    UpdatePasswordInput, updatePasswordTransformers, updatePasswordValidators,
+    UpdateProfileInput, updateProfileTransformers, updateProfileValidators,
+} from '../dto';
+
+export interface ProfileResolverDependencies {
+    authService: ProfileAuthService;
+    userType: any;
+}
+
+export function createProfileResolver<TContext extends ProfileContext = ProfileContext>(deps: ProfileResolverDependencies) {
+    const { authService, userType } = deps;
+
+    @Resolver(() => userType)
+    class ProfileResolver {
+        @Authorized()
+        @TransformArgs(updateEmailTransformers, { arg: 'input' })
+        @ValidateArgs(updateEmailValidators, { arg: 'input', tKey: 'updateEmail' })
+        @Mutation(() => StatusPayload)
+        async updateEmail(@Arg('input') input: UpdateEmailInput, @Ctx() ctx: TContext) {
+            const { user, t } = ctx;
+            if (!user) throw new UnauthorizedError();
+
+            if (await authService.db.isEmailTaken(input.email, user.id)) {
+                throw new Error(t('validation:updateEmail.emailExists'));
+            }
+
+            user.email = input.email;
+            user.isEmailConfirmed = false;
+            await user.save();
+
+            return { ok: true };
+        }
+
+        @Authorized()
+        @TransformArgs(updatePasswordTransformers, { arg: 'input' })
+        @ValidateArgs(updatePasswordValidators, { arg: 'input', tKey: 'updatePassword' })
+        @Mutation(() => StatusPayload)
+        async updatePassword(@Arg('input') input: UpdatePasswordInput, @Ctx() ctx: TContext) {
+            const { user, t } = ctx;
+            if (!user) throw new UnauthorizedError();
+
+            const isOldPasswordOk = await authService.verifyPassword(user.password!, input.oldPassword);
+            if (!isOldPasswordOk) throw new Error(t('validation:updatePassword.wrongPassword'));
+
+            user.password = await authService.hashPassword(input.password);
+            user.isTempPassword = false;
+            await user.save();
+
+            return { ok: true };
+        }
+
+        @Authorized()
+        @TransformArgs(updateProfileTransformers, { arg: 'input' })
+        @ValidateArgs(updateProfileValidators, { arg: 'input', tKey: 'updateProfile' })
+        @Mutation(() => userType)
+        async updateProfile(@Arg('input') input: UpdateProfileInput, @Ctx() ctx: TContext) {
+            const { user } = ctx;
+            if (!user) throw new UnauthorizedError();
+
+            user.name = input.name;
+            await user.save();
+
+            return user;
+        }
+
+        @Authorized()
+        @Mutation(() => StatusPayload)
+        async toggleEmailNotification(@Ctx() ctx: TContext) {
+            const { user } = ctx;
+            if (!user) throw new UnauthorizedError();
+
+            user.isEmailNotificationEnabled = !user.isEmailNotificationEnabled;
+            await user.save();
+
+            return { ok: true };
+        }
+
+        @Authorized()
+        @Mutation(() => StatusPayload)
+        async toggleTelegramNotification(@Ctx() ctx: TContext) {
+            const { user } = ctx;
+            if (!user) throw new UnauthorizedError();
+
+            user.isTelegramNotificationEnabled = !user.isTelegramNotificationEnabled;
+            await user.save();
+
+            return { ok: true };
+        }
+    }
+
+    return ProfileResolver;
+}

package/src/services/ProfileAuthService.ts

@@ -0,0 +1,122 @@
+import argon2 from 'argon2';
+import { Redis } from 'ioredis';
+import { AuthUser, ProfileAuthConfig, ProfileDbAdapter } from '../types';
+import { ProfileEmailService } from './ProfileEmailService';
+
+export const CONFIRMATION_REDIS_PREFIX = 'conf';
+export const RECOVERY_REDIS_PREFIX = 'rec';
+export const TOKEN_REDIS_POSTFIX = 'token';
+export const LAST_SENT_AT_REDIS_POSTFIX = 'lastSentAt';
+
+export class ProfileAuthService {
+  public db: ProfileDbAdapter;
+
+  public email: ProfileEmailService;
+
+  public redis: Redis;
+
+  public config: ProfileAuthConfig;
+
+  constructor(
+    db: ProfileDbAdapter,
+    email: ProfileEmailService,
+    redis: Redis,
+    config: ProfileAuthConfig
+  ) {
+    this.db = db;
+    this.email = email;
+    this.redis = redis;
+    this.config = config;
+  }
+
+  async hashPassword(password: string): Promise<string> {
+    return argon2.hash(password, { type: argon2.argon2id });
+  }
+
+  async verifyPassword(hash: string, password: string): Promise<boolean> {
+    return argon2.verify(hash, password);
+  }
+
+  private getLimitMs() {
+    return this.config.resendEmailLimitSeconds * 1000;
+  }
+
+  async setTokenToRedis(
+    prefix: string,
+    user: AuthUser,
+    token: string,
+    ttlMinutes: number
+  ) {
+    const exSeconds = ttlMinutes * 60;
+
+    // token -> userId
+    await this.redis.setex(`${prefix}:${token}`, exSeconds, user.id.toString());
+
+    // userId -> token
+    await this.redis.setex(
+      `${prefix}:${user.id}:${TOKEN_REDIS_POSTFIX}`,
+      exSeconds,
+      token
+    );
+
+    // lastSentAt
+    await this.redis.psetex(
+      `${prefix}:${user.id}:${LAST_SENT_AT_REDIS_POSTFIX}`,
+      this.getLimitMs(),
+      Date.now().toString()
+    );
+  }
+
+  async sendLink(user: AuthUser, type: 'confirmation' | 'recovery') {
+    const prefix =
+      type === 'confirmation'
+        ? CONFIRMATION_REDIS_PREFIX
+        : RECOVERY_REDIS_PREFIX;
+    const ttlMinutes =
+      type === 'confirmation'
+        ? this.config.confirmationTokenLifetimeMinutes
+        : this.config.recoveryTokenLifetimeMinutes;
+
+    // Check limit
+    const lastSentAtStr = await this.redis.get(
+      `${prefix}:${user.id}:${LAST_SENT_AT_REDIS_POSTFIX}`
+    );
+    const lastSentAt = Number(lastSentAtStr) || 0;
+    const expiresAt = lastSentAt + this.getLimitMs();
+    const expiresIn = expiresAt - Date.now();
+
+    if (expiresIn > 0) return { ok: false, limitExpiresAt: expiresAt };
+
+    // Generate token (6 digits as in original code)
+    let token = '';
+    for (let i = 0; i < 6; i++) {
+      token += Math.floor(Math.random() * 10);
+    }
+
+    await this.setTokenToRedis(prefix, user, token, ttlMinutes);
+    const ok = await this.email.sendToken(user, type, token);
+
+    return { ok, limitExpiresAt: Date.now() + this.getLimitMs() };
+  }
+
+  async getUserByToken(
+    prefix: string,
+    token: string
+  ): Promise<AuthUser | null> {
+    const userIdStr = await this.redis.get(`${prefix}:${token}`);
+    if (!userIdStr) return null;
+
+    const userId = Number(userIdStr);
+    if (isNaN(userId)) return null;
+
+    return this.db.findUserById(userId);
+  }
+
+  async removeTokenFromRedis(prefix: string, user: AuthUser, token: string) {
+    await this.redis.del(
+      `${prefix}:${token}`,
+      `${prefix}:${user.id}:${TOKEN_REDIS_POSTFIX}`,
+      `${prefix}:${user.id}:${LAST_SENT_AT_REDIS_POSTFIX}`
+    );
+  }
+}

package/src/services/ProfileEmailService.ts

@@ -0,0 +1,158 @@
+import AwsSes from '@os-team/aws-ses';
+import pug from 'pug';
+import path from 'path';
+import {
+  AuthUser,
+  EmailConfig,
+  ProfileEmailTemplate,
+  ProfileLocales,
+} from '../types';
+
+export type EmailType = 'auth' | 'activity' | 'info' | 'admin' | 'other';
+
+export class ProfileEmailService {
+  private ses: AwsSes;
+
+  private config: EmailConfig;
+
+  private locales: ProfileLocales;
+
+  constructor(config: EmailConfig, locales: ProfileLocales) {
+    this.ses = new AwsSes({ region: 'eu-west-1' });
+    this.config = config;
+    this.locales = locales;
+  }
+
+  private getWebsiteUrl() {
+    return this.config.websiteUrl || `https://${this.config.domain}`;
+  }
+
+  private render(templateName: string, vars: any) {
+    const templatePath = path.resolve(
+      this.config.templateDir,
+      `${templateName}.pug`
+    );
+    return pug.renderFile(templatePath, {
+      domain: this.config.domain,
+      websiteUrl: this.getWebsiteUrl(),
+      primaryBrandColor: this.config.primaryBrandColor,
+      logoUrl: this.config.logoUrl || '',
+      ...vars,
+    });
+  }
+
+  private getFrom(type: EmailType) {
+    const { domain } = this.config;
+    const username = this.config.fromEmailUsername;
+
+    switch (type) {
+      case 'auth':
+        return `${domain} <${username}@auth.${domain}>`;
+      case 'activity':
+        return `${domain} <${username}@a.${domain}>`;
+      case 'info':
+        return `${domain} <${username}@i.${domain}>`;
+      case 'admin':
+        return `${domain} <${username}@admin.${domain}>`;
+      default:
+        return `${domain} <${username}@o.${domain}>`;
+    }
+  }
+
+  async send(
+    to: string,
+    subject: string,
+    template: string,
+    vars: any,
+    type: EmailType = 'other'
+  ) {
+    const html = this.render(template, vars);
+    const from = this.getFrom(type);
+
+    return this.ses.send({
+      Destination: { ToAddresses: [to] },
+      Message: {
+        Subject: { Data: subject, Charset: 'UTF-8' },
+        Body: { Html: { Data: html, Charset: 'UTF-8' } },
+      },
+      Source: from,
+    });
+  }
+
+  async sendToken(
+    user: AuthUser,
+    type: 'confirmation' | 'recovery',
+    token: string
+  ) {
+    if (!user.email) return false;
+
+    const isConfirm = type === 'confirmation';
+    const emailLocales = isConfirm
+      ? this.locales.email.confirmEmail
+      : this.locales.email.forgotPassword;
+
+    const template = isConfirm
+      ? ProfileEmailTemplate.CONFIRM_EMAIL
+      : ProfileEmailTemplate.FORGOT_PASSWORD;
+
+    return this.send(
+      user.email,
+      emailLocales.subject,
+      template,
+      {
+        header: emailLocales.header,
+        text: emailLocales.text,
+        linkTitle: emailLocales.linkTitle,
+        linkHref: `${this.getWebsiteUrl()}/${type}?token=${token}&email=${
+          user.email
+        }`,
+        confirmationToken: token,
+      },
+      'auth'
+    );
+  }
+
+  async sendTemporaryPassword(user: AuthUser, tempPassword: string) {
+    if (!user.email) return false;
+
+    const emailLocales = this.locales.email.tempPassword;
+
+    return this.send(
+      user.email,
+      emailLocales.subject,
+      ProfileEmailTemplate.TEMP_PASSWORD,
+      {
+        header: emailLocales.header.replace('{{tempPassword}}', tempPassword),
+        text: emailLocales.text,
+        linkTitle: emailLocales.linkTitle,
+        linkHref: this.getWebsiteUrl(),
+      },
+      'auth'
+    );
+  }
+
+  /* Generic method for any custom project emails */
+  async sendGenericEmail(
+    user: AuthUser,
+    subject: string,
+    text: string,
+    type: EmailType = 'info',
+    vars: any = {}
+  ) {
+    if (!user.email) return false;
+
+    return this.send(
+      user.email,
+      subject,
+      ProfileEmailTemplate.GENERIC_NOTIFICATION,
+      {
+        header: subject,
+        text,
+        linkTitle: 'Go to Website',
+        linkHref: this.getWebsiteUrl(),
+        ...vars,
+      },
+      type
+    );
+  }
+}