aaspai-authx 0.1.4 → 0.1.6

package/dist/index.js

@@ -48,8 +48,8 @@ function loadConfig() {
     cookies: {
       domain: process.env.COOKIE_DOMAIN,
       secure: (process.env.COOKIE_SECURE || "true") === "true",
-      accessTtlMs: 24 * 60 * 60 * 1e3,
-      refreshTtlMs: 7 * 24 * 60 * 60 * 1e3
+      accessTtlMs: 7 * 24 * 60 * 60 * 1e3,
+      refreshTtlMs: 30 * 24 * 60 * 60 * 1e3
     },
     oidc: {
       jwtSecret: process.env.JWT_SECRET
@@ -590,7 +590,7 @@ var AuthAdminService = class {
   }
   async updateUserPassword(userId, newPassword) {
     const hashed = await bcrypt.hash(newPassword, 10);
-    await OrgUser.findOneAndUpdate({ id: userId }, { password: hashed });
+    await OrgUser.findOneAndUpdate({ id: userId }, { passwordHash: hashed });
   }
   // -------------------------------------------------------------------
   // ADMIN TOKEN (self-issued JWT)
@@ -605,11 +605,11 @@ var AuthAdminService = class {
       system: true
     };
     const accessToken = jwt2.sign(payload, process.env.JWT_SECRET, {
-      expiresIn: "1h"
+      expiresIn: "1d"
     });
     this.token = {
       accessToken,
-      exp: now + 3600
+      exp: now + 84800
     };
     return this.token.accessToken;
   }
@@ -634,7 +634,7 @@ var EmailService = class {
       }
     });
   }
-  sign(payload, ttlSec = 60 * 60 * 24) {
+  sign(payload, ttlSec = 60 * 60 * 24 * 30) {
     return jwt3.sign(payload, process.env.EMAIL_JWT_SECRET, {
       expiresIn: ttlSec
     });
@@ -642,11 +642,10 @@ var EmailService = class {
   verify(token) {
     return jwt3.verify(token, process.env.EMAIL_JWT_SECRET);
   }
-  async send(to, subject, html) {
-    console.log("[EmailService] Attempting to send:", { to, subject });
+  async send(to, subject, html, from) {
     try {
       const info = await this.transporter.sendMail({
-        from: process.env.EMAIL_FROM,
+        from: from ? `${from} ` + process.env.EMAIL_FROM : process.env.EMAIL_FROM,
         to,
         subject,
         html
@@ -671,18 +670,6 @@ var EmailService = class {
     }
   }
   canSend(lastEmailSent) {
-    console.log(
-      process.env.EMAIL_PASSWORD,
-      "pssword",
-      process.env.EMAIL_USER,
-      "user",
-      process.env.EMAIL_SECURE,
-      "secure",
-      process.env.EMAIL_PORT,
-      "porat",
-      process.env.EMAIL_HOST,
-      "hosat"
-    );
     const now = Date.now();
     const windowStart = now - this.WINDOW_MINUTES * 60 * 1e3;
     const emailsInWindow = (lastEmailSent || []).map((d) => new Date(d)).filter((d) => d.getTime() >= windowStart);
@@ -696,6 +683,386 @@ var EmailService = class {
   }
 };
 
+// src/templates/email.templates.ts
+var colors = {
+  background: "#0a0a0a",
+  cardBackground: "#111111",
+  cardBorder: "#1a1a1a",
+  accent: "#ffffff",
+  accentMuted: "rgba(255, 255, 255, 0.9)",
+  textPrimary: "#ffffff",
+  textSecondary: "rgba(255, 255, 255, 0.7)",
+  textMuted: "rgba(255, 255, 255, 0.5)",
+  divider: "rgba(255, 255, 255, 0.1)",
+  subtle: "#161616",
+  highlight: "rgba(255, 255, 255, 0.05)"
+};
+var styles = {
+  wrapper: `
+    margin: 0;
+    padding: 40px 20px;
+    background-color: ${colors.background};
+    background-image: 
+      radial-gradient(ellipse at top, rgba(255,255,255,0.03) 0%, transparent 50%),
+      radial-gradient(ellipse at bottom, rgba(255,255,255,0.02) 0%, transparent 50%);
+    min-height: 100vh;
+  `,
+  container: `
+    max-width: 520px;
+    margin: 0 auto;
+    font-family: -apple-system, BlinkMacSystemFont, 'SF Pro Display', 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+    color: ${colors.textPrimary};
+    line-height: 1.7;
+  `,
+  card: `
+    background-color: ${colors.cardBackground};
+    border: 1px solid ${colors.cardBorder};
+    border-radius: 16px;
+    overflow: hidden;
+    box-shadow: 
+      0 0 0 1px rgba(255,255,255,0.05),
+      0 20px 50px -20px rgba(0,0,0,0.5),
+      0 30px 60px -30px rgba(0,0,0,0.3);
+  `,
+  header: `
+    padding: 48px 40px 32px;
+    text-align: center;
+    border-bottom: 1px solid ${colors.divider};
+  `,
+  iconWrapper: `
+    width: 64px;
+    height: 64px;
+    margin: 0 auto 24px;
+    background: linear-gradient(135deg, rgba(255,255,255,0.1) 0%, rgba(255,255,255,0.05) 100%);
+    border: 1px solid rgba(255,255,255,0.1);
+    border-radius: 16px;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    font-size: 28px;
+  `,
+  headerTitle: `
+    color: ${colors.textPrimary};
+    margin: 0;
+    font-size: 24px;
+    font-weight: 600;
+    letter-spacing: -0.5px;
+  `,
+  headerSubtitle: `
+    color: ${colors.textMuted};
+    margin: 8px 0 0;
+    font-size: 14px;
+    font-weight: 400;
+  `,
+  body: `
+    padding: 40px;
+  `,
+  greeting: `
+    margin: 0 0 24px;
+    color: ${colors.textPrimary};
+    font-size: 18px;
+    font-weight: 500;
+  `,
+  paragraph: `
+    margin: 0 0 20px;
+    color: ${colors.textSecondary};
+    font-size: 15px;
+    line-height: 1.7;
+  `,
+  buttonWrapper: `
+    text-align: center;
+    margin: 32px 0;
+  `,
+  button: `
+    display: inline-block;
+    background-color: ${colors.accent};
+    color: #000000 !important;
+    text-decoration: none;
+    padding: 14px 36px;
+    border-radius: 8px;
+    font-weight: 600;
+    font-size: 14px;
+    letter-spacing: 0.3px;
+    transition: all 0.2s ease;
+  `,
+  secondaryButton: `
+    display: inline-block;
+    background-color: transparent;
+    color: ${colors.textPrimary} !important;
+    text-decoration: none;
+    padding: 12px 28px;
+    border-radius: 8px;
+    font-weight: 500;
+    font-size: 14px;
+    border: 1px solid ${colors.divider};
+  `,
+  infoCard: `
+    background-color: ${colors.subtle};
+    border: 1px solid ${colors.divider};
+    border-radius: 12px;
+    padding: 20px 24px;
+    margin: 28px 0;
+  `,
+  infoCardTitle: `
+    margin: 0 0 12px;
+    color: ${colors.textPrimary};
+    font-size: 13px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  `,
+  infoCardText: `
+    margin: 0;
+    color: ${colors.textSecondary};
+    font-size: 14px;
+    line-height: 1.6;
+  `,
+  warningCard: `
+    background: linear-gradient(135deg, rgba(255,180,0,0.1) 0%, rgba(255,140,0,0.05) 100%);
+    border: 1px solid rgba(255,180,0,0.2);
+    border-radius: 12px;
+    padding: 20px 24px;
+    margin: 28px 0;
+  `,
+  warningCardTitle: `
+    margin: 0 0 12px;
+    color: #ffc107;
+    font-size: 13px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  `,
+  warningCardText: `
+    margin: 0;
+    color: rgba(255,255,255,0.7);
+    font-size: 14px;
+    line-height: 1.6;
+  `,
+  successCard: `
+    background: linear-gradient(135deg, rgba(0,255,150,0.1) 0%, rgba(0,200,100,0.05) 100%);
+    border: 1px solid rgba(0,255,150,0.2);
+    border-radius: 12px;
+    padding: 20px 24px;
+    margin: 28px 0;
+  `,
+  successCardTitle: `
+    margin: 0 0 12px;
+    color: #00ff96;
+    font-size: 13px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  `,
+  linkSection: `
+    margin: 32px 0;
+    padding: 20px;
+    background-color: ${colors.subtle};
+    border-radius: 8px;
+    border: 1px solid ${colors.divider};
+  `,
+  linkLabel: `
+    margin: 0 0 8px;
+    color: ${colors.textMuted};
+    font-size: 12px;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  `,
+  linkText: `
+    word-break: break-all;
+    color: ${colors.textSecondary};
+    font-size: 13px;
+    font-family: 'SF Mono', 'Monaco', 'Inconsolata', 'Roboto Mono', monospace;
+    margin: 0;
+  `,
+  divider: `
+    border: none;
+    border-top: 1px solid ${colors.divider};
+    margin: 32px 0;
+  `,
+  footer: `
+    padding: 24px 40px 32px;
+    text-align: center;
+    border-top: 1px solid ${colors.divider};
+  `,
+  footerText: `
+    margin: 0;
+    color: ${colors.textMuted};
+    font-size: 12px;
+    line-height: 1.8;
+  `,
+  footerLink: `
+    color: ${colors.textSecondary};
+    text-decoration: none;
+  `,
+  badge: `
+    display: inline-block;
+    background-color: rgba(255,255,255,0.1);
+    color: ${colors.textSecondary};
+    padding: 4px 12px;
+    border-radius: 20px;
+    font-size: 12px;
+    font-weight: 500;
+    letter-spacing: 0.3px;
+  `,
+  listItem: `
+    color: ${colors.textSecondary};
+    font-size: 14px;
+    margin: 8px 0;
+    padding-left: 8px;
+  `,
+  metaRow: `
+    display: flex;
+    justify-content: space-between;
+    padding: 12px 0;
+    border-bottom: 1px solid ${colors.divider};
+  `,
+  metaLabel: `
+    color: ${colors.textMuted};
+    font-size: 13px;
+  `,
+  metaValue: `
+    color: ${colors.textPrimary};
+    font-size: 13px;
+    font-weight: 500;
+  `
+};
+function buildVerificationEmailTemplate(data) {
+  const { firstName, verificationUrl, expiresIn } = data;
+  return `
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+      <meta charset="UTF-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      <meta name="color-scheme" content="dark">
+      <meta name="supported-color-schemes" content="dark">
+      <title>Verify Your Email</title>
+      <!--[if mso]>
+      <style type="text/css">
+        body, table, td {font-family: Arial, Helvetica, sans-serif !important;}
+      </style>
+      <![endif]-->
+    </head>
+    <body style="${styles.wrapper}">
+      <div style="${styles.container}">
+        <div style="${styles.card}">
+          <!-- Header -->
+          <div style="${styles.header}">
+            <div style="${styles.iconWrapper}">
+              \u2709\uFE0F
+            </div>
+            <h1 style="${styles.headerTitle}">Verify your email</h1>
+            <p style="${styles.headerSubtitle}">One quick step to get started</p>
+          </div>
+          
+          <!-- Body -->
+          <div style="${styles.body}">
+            <p style="${styles.greeting}">Hi ${firstName},</p>
+            
+            <p style="${styles.paragraph}">
+              Thanks for signing up. To complete your registration and unlock all features, 
+              please verify your email address by clicking the button below.
+            </p>
+            
+            <div style="${styles.buttonWrapper}">
+              <a href="${verificationUrl}" style="${styles.button}" target="_blank">
+                Verify Email Address
+              </a>
+            </div>
+            
+            <div style="${styles.infoCard}">
+              <p style="${styles.infoCardTitle}">\u23F1 Time Sensitive</p>
+              <p style="${styles.infoCardText}">
+                This verification link will expire in <strong>${expiresIn}</strong>. 
+                If you didn't create an account, you can safely ignore this email.
+              </p>
+            </div>
+          </div>
+          
+          <!-- Footer -->
+          <div style="${styles.footer}">
+            <p style="${styles.footerText}">
+              This is an automated message \u2014 please do not reply.<br>
+              \xA9 ${(/* @__PURE__ */ new Date()).getFullYear()} All rights reserved.
+            </p>
+          </div>
+        </div>
+      </div>
+    </body>
+    </html>
+  `;
+}
+function buildResetPasswordEmailTemplate(data) {
+  const { firstName, resetUrl, expiresIn } = data;
+  return `
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+      <meta charset="UTF-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      <meta name="color-scheme" content="dark">
+      <meta name="supported-color-schemes" content="dark">
+      <title>Reset Your Password</title>
+    </head>
+    <body style="${styles.wrapper}">
+      <div style="${styles.container}">
+        <div style="${styles.card}">
+          <!-- Header -->
+          <div style="${styles.header}">
+            <div style="${styles.iconWrapper}">
+              \u{1F510}
+            </div>
+            <h1 style="${styles.headerTitle}">Reset your password</h1>
+            <p style="${styles.headerSubtitle}">We received a reset request</p>
+          </div>
+          
+          <!-- Body -->
+          <div style="${styles.body}">
+            <p style="${styles.greeting}">Hi ${firstName},</p>
+            
+            <p style="${styles.paragraph}">
+              We received a request to reset the password for your account. 
+              Click the button below to create a new password.
+            </p>
+            
+            <div style="${styles.buttonWrapper}">
+              <a href="${resetUrl}" style="${styles.button}" target="_blank">
+                Reset Password
+              </a>
+            </div>
+            
+            <div style="${styles.warningCard}">
+              <p style="${styles.warningCardTitle}">\u26A0\uFE0F Security Notice</p>
+              <p style="${styles.warningCardText}">
+                \u2022 This link expires in <strong>${expiresIn}</strong><br>
+                \u2022 This link can only be used once<br>
+                \u2022 If you didn't request this, ignore this email
+              </p>
+            </div>
+            
+            <hr style="${styles.divider}" />
+            
+            <p style="${styles.paragraph}; font-size: 13px; color: ${colors.textMuted};">
+              <strong>Didn't request this?</strong><br>
+              Your password remains unchanged. If you're concerned about your account 
+              security, please contact our support team immediately.
+            </p>
+          </div>
+          
+          <!-- Footer -->
+          <div style="${styles.footer}">
+            <p style="${styles.footerText}">
+              This is an automated message \u2014 please do not reply.<br>
+              \xA9 ${(/* @__PURE__ */ new Date()).getFullYear()} All rights reserved.
+            </p>
+          </div>
+        </div>
+      </div>
+    </body>
+    </html>
+  `;
+}
+
 // src/express/auth.routes.ts
 function createAuthRouter(options = {}) {
   const googleClientId = process.env.GOOGLE_CLIENT_ID;
@@ -717,7 +1084,7 @@ function createAuthRouter(options = {}) {
     // default: secure in prod
     domain: options.cookie?.domain ?? void 0,
     path: options.cookie?.path ?? "/",
-    maxAgeMs: options.cookie?.maxAgeMs ?? 24 * 60 * 60 * 1e3
+    maxAgeMs: options.cookie?.maxAgeMs ?? 30 * 24 * 60 * 60 * 1e3
   };
   r.use(express.json());
   r.use(express.urlencoded({ extended: true }));
@@ -774,6 +1141,7 @@ function createAuthRouter(options = {}) {
       projectId,
       metadata
     } = req.body || {};
+    const COMPANY_NAME = process.env.COMPANY_NAME;
     try {
       const kcUser = await authAdmin.createUserInRealm({
         username: emailAddress,
@@ -802,10 +1170,21 @@ function createAuthRouter(options = {}) {
         emailService: email,
         user,
         subject: "Verify your email",
-        html: buildVerificationTemplate(
-          email.sign({ userId: kcUser.id, email: kcUser.email }),
-          options
-        )
+        // html: buildVerificationTemplate(
+        //   email.sign({ userId: kcUser.id, email: kcUser.email }),
+        //   options,
+        // ),
+        html: buildVerificationEmailTemplate({
+          firstName: user.firstName,
+          verificationUrl: `${getFrontendBaseUrl(options)}/verify-email?token=${email.sign(
+            {
+              userId: user.id,
+              email: user.email
+            }
+          )}`,
+          expiresIn: "1 hour"
+        }),
+        from: COMPANY_NAME
       });
       if (emailResult.rateLimited) {
         return res.status(429).json({
@@ -870,6 +1249,7 @@ function createAuthRouter(options = {}) {
     "/resend-verification-email",
     validateResendEmail,
     async (req, res) => {
+      const COMPANY_NAME = process.env.COMPANY_NAME;
       const user = await OrgUser.findOne({ email: req.body.email });
       if (!user)
         return res.status(404).json({ ok: false, error: "User not found" });
@@ -885,7 +1265,18 @@ function createAuthRouter(options = {}) {
         emailService: email,
         user,
         subject: "Verify your email",
-        html: buildVerificationTemplate(token, options)
+        // html: buildVerificationTemplate(token, options),
+        html: buildVerificationEmailTemplate({
+          firstName: user.firstName,
+          verificationUrl: `${getFrontendBaseUrl(options)}/verify-email?token=${email.sign(
+            {
+              userId: user.id,
+              email: user.email
+            }
+          )}`,
+          expiresIn: "1 hour"
+        }),
+        from: COMPANY_NAME
       });
       if (resendResult.rateLimited) {
         return res.status(429).json({
@@ -898,6 +1289,7 @@ function createAuthRouter(options = {}) {
     }
   );
   r.post("/forgot-password", validateResendEmail, async (req, res) => {
+    const COMPANY_NAME = process.env.COMPANY_NAME;
     const user = await OrgUser.findOne({ email: req.body.email });
     if (!user)
       return res.status(404).json({ ok: false, error: "User not found" });
@@ -914,7 +1306,18 @@ function createAuthRouter(options = {}) {
       emailService: email,
       user,
       subject: "Reset password",
-      html: buildResetTemplate(resetToken, options)
+      // html: buildResetTemplate(resetToken, options),
+      html: buildResetPasswordEmailTemplate({
+        firstName: user.firstName,
+        resetUrl: `${getFrontendBaseUrl(options)}/reset-password?token=${email.sign(
+          {
+            userId: user.id,
+            email: user.email
+          }
+        )}`,
+        expiresIn: "1 hour"
+      }),
+      from: COMPANY_NAME
     });
     if (resetResult.rateLimited) {
       return res.status(429).json({
@@ -927,9 +1330,16 @@ function createAuthRouter(options = {}) {
   });
   r.post("/reset-password", validateResetPassword, async (req, res) => {
     const { token, newPassword } = req.body || {};
+    if (!token || !newPassword) {
+      return res.status(400).json({
+        ok: false,
+        error: "Token and new password are required",
+        code: "MISSING_FIELDS"
+      });
+    }
     try {
       const payload = email.verify(token);
-      const user = await OrgUser.findOne({ keycloakId: payload.userId });
+      const user = await OrgUser.findOne({ id: payload.userId });
       if (!user) {
         return res.status(404).json({ ok: false, error: "User not found" });
       }
@@ -1297,8 +1707,6 @@ function setAuthCookies(res, tokens, cookie) {
   if (cookie.domain) {
     base.domain = cookie.domain;
   }
-  console.log(cookie, "cookie");
-  console.log(base, "base");
   if (tokens?.access_token) {
     res.cookie("access_token", tokens.access_token, base);
   }
@@ -1322,12 +1730,6 @@ function respondWithKeycloakError(res, err, fallback, status = 400) {
   const description = err?.response?.data?.error_description || err?.response?.data?.errorMessage || err?.message || fallback;
   return res.status(status).json({ ok: false, error: description });
 }
-function buildVerificationTemplate(token, options) {
-  return `<a href="${getFrontendBaseUrl(options)}/auth/verify-email?token=${token}">Verify</a>`;
-}
-function buildResetTemplate(token, options) {
-  return `<a href="${getFrontendBaseUrl(options)}/auth/reset-password?token=${token}">Reset</a>`;
-}
 function getFrontendBaseUrl(options) {
   if (options.frontendBaseUrl)
     return options.frontendBaseUrl.replace(/\/$/, "");
@@ -1339,13 +1741,14 @@ async function sendRateLimitedEmail({
   emailService,
   user,
   subject,
-  html
+  html,
+  from
 }) {
   const can = emailService.canSend(user?.lastEmailSent || []);
   if (!can.ok) {
     return { rateLimited: true, waitMs: can.waitMs };
   }
-  await emailService.send(user.email, subject, html);
+  await emailService.send(user.email, subject, html, from);
   user.lastEmailSent = [...user.lastEmailSent || [], /* @__PURE__ */ new Date()];
   await user.save();
   return { rateLimited: false };
@@ -1366,7 +1769,7 @@ function generateTokens(user) {
     type: "user"
   };
   const accessToken = jwt4.sign(accessPayload, process.env.JWT_SECRET, {
-    expiresIn: "1h"
+    expiresIn: "1d"
   });
   const refreshToken = jwt4.sign(
     { sub: user._id.toString() },
@@ -1402,13 +1805,61 @@ function createDashboardRouter(options) {
 }
 
 // src/express/email.routes.ts
-import { Router as Router3 } from "express";
+import express3, { Router as Router3 } from "express";
 function createEmailRouter(options) {
   const r = Router3();
+  const emailService = new EmailService();
+  r.use(express3.json());
+  r.use(express3.urlencoded({ extended: true }));
   r.get(
     "/verify",
     (req, res) => res.json({ ok: true, token: req.query.token })
   );
+  r.post("/send", async (req, res) => {
+    try {
+      const { userId, to, subject, html, from } = req.body ?? {};
+      if (!to || !subject || !html) {
+        return res.status(400).json({
+          ok: false,
+          error: "BAD_REQUEST",
+          message: "`to`, `subject`, and `html` are required."
+        });
+      }
+      if (userId) {
+        const user = await OrgUser.findOne({ id: userId }).lean();
+        if (!user) {
+          return res.status(404).json({
+            ok: false,
+            error: "NOT_FOUND",
+            message: "User not found."
+          });
+        }
+        const can = emailService.canSend(user?.lastEmailSent || []);
+        if (!can.ok) {
+          return res.status(429).json({
+            ok: false,
+            error: can.reason,
+            waitMs: can.waitMs,
+            message: "Too many emails sent recently. Please retry later."
+          });
+        }
+      }
+      await emailService.send(to, subject, html, from);
+      if (userId) {
+        await OrgUser.updateOne(
+          { id: userId },
+          { $push: { lastEmailSent: /* @__PURE__ */ new Date() } }
+        );
+      }
+      return res.json({ ok: true });
+    } catch (err) {
+      return res.status(500).json({
+        ok: false,
+        error: "INTERNAL",
+        message: err?.message ?? "Error"
+      });
+    }
+  });
   return r;
 }
 
@@ -1515,7 +1966,7 @@ function createProjectsRouter(options) {
 // src/express/admin/admin.routes.ts
 import bcrypt3 from "bcryptjs";
 import { randomUUID as randomUUID3 } from "crypto";
-import express3, { Router as Router5 } from "express";
+import express4, { Router as Router5 } from "express";
 
 // src/middlewares/requireRole.ts
 function requireRole(...roles) {
@@ -1578,8 +2029,8 @@ function resolveProjectId(req) {
 }
 function createAdminRouter(_options = {}) {
   const r = Router5();
-  r.use(express3.json());
-  r.use(express3.urlencoded({ extended: true }));
+  r.use(express4.json());
+  r.use(express4.urlencoded({ extended: true }));
   const adminGuards = [requireAuth(), requireRole("platform_admin")];
   r.post(
     "/users",