@solidstarters/solid-core 1.2.157 → 1.2.158

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solidstarters/solid-core",
-  "version": "1.2.157",
+  "version": "1.2.158",
   "description": "This module is a NestJS module containing all the required core providers required by a Solid application",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -38,6 +38,7 @@
     "@aws-sdk/s3-request-presigner": "^3.828.0",
     "@elasticemail/elasticemail-client": "^4.0.23",
     "@hapi/joi": "^17.1.1",
+    "@nest-lab/throttler-storage-redis": "^1.1.0",
     "@nestjs/schedule": "^6.0.0",
     "@nestjs/throttler": "^6.4.0",
     "amqplib": "^0.10.4",

package/src/config/cache.options.ts

@@ -1,7 +1,7 @@
 import { CacheModuleAsyncOptions } from '@nestjs/cache-manager';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { redisStore } from 'cache-manager-redis-store';
-import { isNumber } from 'class-validator';
+import { isRedisConfigured } from 'src/helpers/environment.helper';
 
 export const RedisOptions: CacheModuleAsyncOptions = {
     isGlobal: true,
@@ -29,8 +29,3 @@ async function createRedisStore(configService: ConfigService<Record<string, unkn
     });
 }
 
-function isRedisConfigured(configService: ConfigService): boolean {
-    const host = configService.get<string>('REDIS_HOST');
-    const port = configService.get<string>('REDIS_PORT');
-    return host && port && isNumber(parseInt(port));
-}

package/src/constants/error-messages.ts

@@ -28,7 +28,7 @@ export const ERROR_MESSAGES = {
     GOOGLE_OAUTH_PROFILE_FETCH_FAILED: 'Failed to fetch user profile from Google OAuth service',
     LOGOUT_FAILED: 'Logout failed due to an unexpected error.',
 
-    INVALID_CREDENTIALS: 'Invalid username or password specified.',
+    INVALID_CREDENTIALS: 'Invalid credentials',
     LOGIN_FAILED: 'Login Failed',
     OLD_PASSWORD_INCORRECT: 'You have specified an incorrect old password.',
     INVALID_NEW_PASSWORD: 'Invalid new password.',

package/src/controllers/authentication.controller.ts

@@ -25,7 +25,7 @@ export class AuthenticationController {
     constructor(private readonly authService: AuthenticationService) { }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only 
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('register')
     signUp(@Body() signUpDto: SignUpDto) {
         return this.authService.signUp(signUpDto);
@@ -39,7 +39,7 @@ export class AuthenticationController {
 
     @Public()
     // @UseGuards(LocalAuthGuard)
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // by default @Post does 201, we wanted 200 - hence using @HttpCode(HttpStatus.OK)
     @Post('authenticate')
     async signIn(
@@ -62,7 +62,7 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // changed since the default is 201
     @Post('refresh-tokens')
     refreshTokens(@Body() refreshTokenDto: RefreshTokenDto) {
@@ -70,14 +70,14 @@ export class AuthenticationController {
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('initiate/forgot-password')
     initiateForgotPassword(@Body() initiateForgotPasswordDto: InitiateForgotPasswordDto) {
         return this.authService.initiateForgotPassword(initiateForgotPasswordDto);
     }
 
     @Public()
-    @SkipThrottle({ login: false }) //Enable the login throttle only
+    @SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
     @Post('confirm/forgot-password')
     confirmForgotPassword(@Body() confirmForgotPasswordDto: ConfirmForgotPasswordDto) {
         return this.authService.confirmForgotPassword(confirmForgotPasswordDto);

package/src/helpers/environment.helper.ts

@@ -1,7 +1,16 @@
+import { ConfigService } from "@nestjs/config";
+import { isNumber } from 'class-validator';
+
 export function parseBooleanEnv(key: string, defaultValue: boolean = false): boolean {
     const value = process.env[key];
     if (value === undefined) {
         return defaultValue;
     }
     return value.toLowerCase() === 'true';
+}
+
+export function isRedisConfigured(configService: ConfigService): boolean {
+    const host = configService.get<string>('REDIS_HOST');
+    const port = configService.get<string>('REDIS_PORT');
+    return host && port && isNumber(parseInt(port));
 }

package/src/seeders/module-metadata-seeder.service.ts

@@ -584,6 +584,8 @@ export class ModuleMetadataSeederService {
             return;
         }
         for (let j = 0; j < listOfValuesDto.length; j++) {
+            const listOfValueDto = listOfValuesDto[j];
+            listOfValueDto['module'] = await this.moduleMetadataService.findOneByUserKey(listOfValueDto.moduleUserKey);
             await this.listOfValuesService.upsert(listOfValuesDto[j]);
         }
     }

package/src/services/authentication.service.ts

@@ -126,7 +126,7 @@ export class AuthenticationService {
         const user = await this.resolveUser(signInDto.username, signInDto.email);
 
         if (!user) {
-            throw new UnauthorizedException(ERROR_MESSAGES.USER_NOT_FOUND);
+            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
         if (!user.active) {
             throw new UnauthorizedException(ERROR_MESSAGES.USER_NOT_ACTIVE);
@@ -136,7 +136,7 @@ export class AuthenticationService {
             user.password,
         );
         if (!isEqual) {
-            throw new UnauthorizedException(ERROR_MESSAGES.PASSWORD_INCORRECT);
+            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         return user;
@@ -759,25 +759,31 @@ export class AuthenticationService {
         // });
         const user = await this.resolveUser(initiateForgotPasswordDto.username, initiateForgotPasswordDto.email);
 
+        let isValidUser = true // Instead of throwing exceptions we will simply return success message, this is to avoid user enumeration attacks.
         if (!user) {
-            throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false            
+            // throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
         if (!user.active) {
-            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false
+            // throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         // 2. Validate if user has used a provider which is "local", only then it makes sense for us to initiate the forgot password routine. 
         if (user.lastLoginProvider !== 'local') {
-            throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            isValidUser = false
+            // throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
         }
 
         // 3. Generate a 6 digit validation token, we send this token to the user over their email & mobile number (controlled using configuration).
         // 4. Save this validation token in new fields on the user record. 
-        const { token, expiresAt } = this.generateForgotPasswordToken();
-        user.verificationTokenOnForgotPassword = token;
-        user.verificationTokenOnForgotPasswordExpiresAt = expiresAt;
-        await this.userRepository.save(user);
-        this.notifyUserOnForgotPassword(user);
+        if (isValidUser) {
+            const { token, expiresAt } = this.generateForgotPasswordToken();
+            user.verificationTokenOnForgotPassword = token;
+            user.verificationTokenOnForgotPasswordExpiresAt = expiresAt;
+            await this.userRepository.save(user);
+            this.notifyUserOnForgotPassword(user);
+        }
 
         // 5. Return. 
         return {
@@ -788,8 +794,8 @@ export class AuthenticationService {
             data: {
                 user: {
                     email: user.email,
-                    mobile: user.mobile,
-                    username: user.username,
+                    // mobile: user.mobile,
+                    // username: user.username,
                 },
             }
         }
@@ -841,8 +847,8 @@ export class AuthenticationService {
         return this.dataSource.transaction(async (m) => {
             // Resolve the user id first (by username/email), but DON'T check the token in JS.
             const user = await this.resolveUserByVerificationToken(confirmForgotPasswordDto.verificationToken);
-            if (!user) throw new NotFoundException(ERROR_MESSAGES.INVALID_CREDENTIALS);
-            if (user.lastLoginProvider !== 'local') throw new BadRequestException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            if (!user) throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
+            if (user.lastLoginProvider !== 'local') throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
             if (!user.active) throw new UnauthorizedException(ERROR_MESSAGES.INVALID_CREDENTIALS);
 
             // 1) Atomically consume the token (only one request can succeed)

package/src/services/list-of-values.service.ts

@@ -43,7 +43,7 @@ export class ListOfValuesService extends CRUDService<ListOfValues> {
   async findAll(): Promise<ListOfValues[]> {
     return await this.repo.find();
   }
-  
+
   async upsert(updateListOfValuesDto: any) {
     // First check if module already exists using name
     const existingListOfValue = await this.repo.findOne({

package/src/solid-core.module.ts

@@ -281,6 +281,8 @@ import { Three60WhatsappQueueSubscriber } from './jobs/three60-whatsapp-subscrib
 import { Three60WhatsappQueuePublisherDatabase } from './jobs/database/three60-whatsapp-publisher-database.service';
 import { Three60WhatsappQueueSubscriberDatabase } from './jobs/database/three60-whatsapp-subscriber-database.service';
 import { Three60WhatsappService } from './services/whatsapp/Three60WhatsappService';
+import { ThrottlerStorageRedisService } from '@nest-lab/throttler-storage-redis/src/throttler-storage-redis.service';
+import { isRedisConfigured } from './helpers/environment.helper';
 
 
 @Global()
@@ -356,13 +358,18 @@ import { Three60WhatsappService } from './services/whatsapp/Three60WhatsappServi
     HttpModule,
     ConfigModule,
     ClsModule,
-    ThrottlerModule.forRoot({
-      throttlers: [
+    ThrottlerModule.forRootAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: (configService: ConfigService) => ({
+        throttlers: [
         { name: 'short', ttl: seconds(10),  limit: 10 },
         { name: 'login', ttl: seconds(10),  limit: 5  },
         { name: 'burst', ttl: seconds(1),  limit: 100 },
         { name: 'sustained', ttl: seconds(300), limit: 500 },
-      ],
+        ],
+        storage: isRedisConfigured(configService) ? new ThrottlerStorageRedisService(`redis://${configService.get<string>('REDIS_HOST')}:${configService.get<string>('REDIS_PORT')}`) : undefined,
+      }),
     }),
   ],
   controllers: [