aaspai-authx 0.1.9 → 0.2.1

package/LICENSE

@@ -1,3 +1,3 @@
-MIT License
-
+MIT License
+
 (See standard MIT text)

package/dist/express/index.cjs

@@ -261,7 +261,18 @@ var OrgUserSchema = new import_mongoose2.default.Schema(
     lastEmailSent: { type: [Date], default: [] },
     lastPasswordReset: { type: Date },
     metadata: { type: [MetadataSchema], default: [] },
-    passwordHash: { type: String }
+    passwordHash: { type: String },
+    /**
+     * Optional auth provider list to distinguish how the user is allowed to authenticate.
+     * Example values: ['password'], ['google'], ['password', 'google'].
+     * This lets us enforce correct behavior when users mix email/password and Google login.
+     */
+    providers: { type: [String], default: void 0 },
+    /**
+     * Optional provider-specific IDs for linking external accounts.
+     */
+    googleId: { type: String },
+    githubId: { type: Number }
   },
   { timestamps: true, collection: "users" }
 );
@@ -418,8 +429,8 @@ function isPasswordStrong(v) {
 }
 function validateSignup(req, res, next) {
   const { firstName, lastName, email, password, projectId, metadata } = req.body || {};
-  if (!firstName || !lastName)
-    return res.status(400).json({ error: "firstName,lastName required" });
+  if (!firstName)
+    return res.status(400).json({ error: "firstName required" });
   if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
   if (!isPasswordStrong(password))
     return res.status(400).json({ error: "weak password" });
@@ -447,6 +458,25 @@ function validateResendEmail(req, res, next) {
   if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
   next();
 }
+function validateProfileUpdate(req, res, next) {
+  const { firstName, lastName } = req.body || {};
+  if (firstName == null && lastName == null) {
+    return res.status(400).json({ error: "firstName or lastName required" });
+  }
+  if (firstName !== void 0 && typeof firstName !== "string") {
+    return res.status(400).json({ error: "firstName must be string" });
+  }
+  if (lastName !== void 0 && typeof lastName !== "string") {
+    return res.status(400).json({ error: "lastName must be string" });
+  }
+  if (typeof firstName === "string" && !firstName.trim()) {
+    return res.status(400).json({ error: "firstName required" });
+  }
+  if (typeof lastName === "string" && !lastName.trim()) {
+    return res.status(400).json({ error: "lastName required" });
+  }
+  next();
+}
 function validateSendInvite(req, res, next) {
   const { email, role } = req.body || {};
   if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
@@ -1049,6 +1079,10 @@ function buildResetPasswordEmailTemplate(data) {
 }
 
 // src/express/auth.routes.ts
+var EMAIL_VERIFICATION_TTL_SEC = 24 * 60 * 60;
+var EMAIL_VERIFICATION_EXPIRES_IN = "24 hours";
+var PASSWORD_RESET_TTL_SEC = 24 * 60 * 60;
+var PASSWORD_RESET_EXPIRES_IN = "24 hours";
 function createAuthRouter(options = {}) {
   const googleClientId = process.env.GOOGLE_CLIENT_ID;
   const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;
@@ -1080,13 +1114,23 @@ function createAuthRouter(options = {}) {
   r.post("/login", validateLogin, async (req, res) => {
     const { email: emailAddress, password } = req.body || {};
     try {
-      const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      const userDoc = await OrgUser.findOne({ email: emailAddress }).select(
+        "+password"
+      );
+      const user = userDoc?.toObject();
       if (!user) {
         return res.status(400).json({
           error: "Invalid email or password",
           code: "INVALID_CREDENTIALS"
         });
       }
+      const providers = user.providers;
+      if (Array.isArray(providers) && providers.includes("google") && !providers.includes("password")) {
+        return res.status(400).json({
+          error: "This account is configured for Google login. Please continue with Google or link a password in your account settings.",
+          code: "OAUTH_ONLY_ACCOUNT"
+        });
+      }
       if (!user.emailVerified) {
         return res.status(400).json({
           error: "Please verify your email before logging in.",
@@ -1147,7 +1191,10 @@ function createAuthRouter(options = {}) {
           projectId,
           metadata,
           roles: ["platform_user"],
-          emailVerified: false
+          emailVerified: false,
+          // Mark that this user can log in with password. This will be used
+          // to enforce correct behavior when mixing with Google login.
+          providers: ["password"]
         },
         { upsert: true, new: true, setDefaultsOnInsert: true }
       );
@@ -1165,9 +1212,10 @@ function createAuthRouter(options = {}) {
             {
               userId: user.id,
               email: user.email
-            }
+            },
+            EMAIL_VERIFICATION_TTL_SEC
           )}`,
-          expiresIn: "1 hour"
+          expiresIn: EMAIL_VERIFICATION_EXPIRES_IN
         }),
         from: COMPANY_NAME
       });
@@ -1190,6 +1238,33 @@ function createAuthRouter(options = {}) {
   r.get("/me", requireAuth(), (req, res) => {
     return res.json(req.user || null);
   });
+  r.put("/me", requireAuth(), validateProfileUpdate, async (req, res) => {
+    const session = req.user;
+    if (!session?.userId) {
+      return res.status(401).json({ ok: false, error: "Unauthorized" });
+    }
+    const { firstName, lastName } = req.body || {};
+    const updates = {};
+    if (typeof firstName === "string") updates.firstName = firstName.trim();
+    if (typeof lastName === "string") updates.lastName = lastName.trim();
+    try {
+      const userDoc = await OrgUser.findOneAndUpdate(
+        { id: session.userId },
+        { $set: updates },
+        { new: true }
+      );
+      if (!userDoc) {
+        return res.status(404).json({ ok: false, error: "User not found" });
+      }
+      const user = userDoc.toObject();
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens, cookieConfig);
+      return res.json({ ok: true, user: toUserResponse(user) });
+    } catch (err) {
+      console.error("Update profile error:", err);
+      return res.status(500).json({ ok: false, error: "Internal server error" });
+    }
+  });
   r.post("/logout", async (_req, res) => {
     const clearOptions = buildClearCookieOptions(cookieConfig);
     res.clearCookie("access_token", clearOptions);
@@ -1245,7 +1320,7 @@ function createAuthRouter(options = {}) {
       const token = email.sign({
         email: user.email,
         userId: user.id
-      });
+      }, EMAIL_VERIFICATION_TTL_SEC);
       const resendResult = await sendRateLimitedEmail({
         emailService: email,
         user,
@@ -1253,13 +1328,8 @@ function createAuthRouter(options = {}) {
         // html: buildVerificationTemplate(token, options),
         html: buildVerificationEmailTemplate({
           firstName: user.firstName,
-          verificationUrl: `${getFrontendBaseUrl(options)}/verify-email?token=${email.sign(
-            {
-              userId: user.id,
-              email: user.email
-            }
-          )}`,
-          expiresIn: "1 hour"
+          verificationUrl: `${getFrontendBaseUrl(options)}/verify-email?token=${token}`,
+          expiresIn: EMAIL_VERIFICATION_EXPIRES_IN
         }),
         from: COMPANY_NAME
       });
@@ -1285,7 +1355,7 @@ function createAuthRouter(options = {}) {
         firstName: user.firstName,
         lastName: user.lastName
       },
-      60 * 60
+      PASSWORD_RESET_TTL_SEC
     );
     const resetResult = await sendRateLimitedEmail({
       emailService: email,
@@ -1294,13 +1364,8 @@ function createAuthRouter(options = {}) {
       // html: buildResetTemplate(resetToken, options),
       html: buildResetPasswordEmailTemplate({
         firstName: user.firstName,
-        resetUrl: `${getFrontendBaseUrl(options)}/reset-password?token=${email.sign(
-          {
-            userId: user.id,
-            email: user.email
-          }
-        )}`,
-        expiresIn: "1 hour"
+        resetUrl: `${getFrontendBaseUrl(options)}/reset-password?token=${resetToken}`,
+        expiresIn: PASSWORD_RESET_EXPIRES_IN
       }),
       from: COMPANY_NAME
     });
@@ -1469,7 +1534,9 @@ function createAuthRouter(options = {}) {
     }
     const stateData = {
       redirectTo: req.query.redirectTo || "",
-      projectId: req.query.projectId || process.env.DEFAULT_PROJECT_ID || ""
+      projectId: req.query.projectId || process.env.DEFAULT_PROJECT_ID || "",
+      metadata: req.query.metadata || "",
+      mode: req.query.mode || ""
     };
     const state = encodeURIComponent(JSON.stringify(stateData));
     const params = new URLSearchParams({
@@ -1490,7 +1557,7 @@ function createAuthRouter(options = {}) {
       return res.status(500).json({ error: "Google login not configured" });
     }
     const code = String(req.query.code || "");
-    let stateData = { redirectTo: "", projectId: "" };
+    let stateData = { redirectTo: "", projectId: "", metadata: "", mode: "" };
     try {
       if (req.query.state) {
         stateData = JSON.parse(decodeURIComponent(String(req.query.state)));
@@ -1499,12 +1566,24 @@ function createAuthRouter(options = {}) {
       console.error("Failed to parse state:", err);
     }
     const { redirectTo, projectId } = stateData;
-    console.log(
-      "Parsed state - redirectTo:",
-      redirectTo,
-      "projectId:",
-      projectId
-    );
+    const stateMetadataRaw = stateData?.metadata;
+    const extraMetadata = [];
+    if (stateMetadataRaw) {
+      try {
+        const parsed = typeof stateMetadataRaw === "string" ? JSON.parse(stateMetadataRaw) : stateMetadataRaw;
+        if (Array.isArray(parsed)) {
+          for (const item of parsed) {
+            if (item?.key != null) extraMetadata.push(item);
+          }
+        } else if (parsed && typeof parsed === "object") {
+          for (const [key, value] of Object.entries(parsed)) {
+            extraMetadata.push({ key, value });
+          }
+        }
+      } catch (e) {
+        console.warn("Failed to parse google state metadata:", e);
+      }
+    }
     if (!code) {
       return res.status(400).json({ ok: false, error: "Missing authorization code" });
     }
@@ -1536,9 +1615,9 @@ function createAuthRouter(options = {}) {
       }
       const emailVerified = decoded.email_verified ?? true;
       const firstName = decoded.given_name || "";
-      const lastName = decoded.family_name || "";
-      let user = await OrgUser.findOne({ email: email2 }).lean();
-      if (!user) {
+      const lastName = decoded.family_name || firstName || (typeof email2 === "string" ? email2.split("@")[0] : "") || "User";
+      let userDoc = await OrgUser.findOne({ email: email2 });
+      if (!userDoc) {
         const finalProjectId = projectId || process.env.DEFAULT_PROJECT_ID;
         if (!finalProjectId) {
           console.error("No projectId available for new user");
@@ -1552,11 +1631,46 @@ function createAuthRouter(options = {}) {
           emailVerified,
           roles: ["platform_user"],
           projectId: finalProjectId,
-          metadata: []
-          // you can also store googleId: decoded.sub
+          metadata: [...extraMetadata || []],
+          providers: ["google"],
+          googleId: decoded.sub
         });
-        user = created.toObject();
+        userDoc = created;
+      } else {
+        const providers = userDoc.providers;
+        if (Array.isArray(providers) && providers.includes("password") && !providers.includes("google")) {
+          const errorRedirect = (redirectTo || googleDefaultRedirect) + (redirectTo?.includes("?") ? "&" : "?") + "error=google_not_linked";
+          return res.redirect(errorRedirect);
+        }
+        if (!providers || providers.length === 0) {
+          const errorRedirect = (redirectTo || googleDefaultRedirect) + (redirectTo?.includes("?") ? "&" : "?") + "error=google_not_linked";
+          return res.redirect(errorRedirect);
+        }
+        try {
+          const current = new Map(
+            (userDoc.metadata || []).map((m) => [
+              m.key,
+              m.value
+            ])
+          );
+          for (const item of extraMetadata || []) {
+            if (item?.key != null) current.set(item.key, item.value);
+          }
+          userDoc.metadata = Array.from(current.entries()).map(
+            ([key, value]) => ({ key, value })
+          );
+        } catch (e) {
+          console.warn("Failed to merge metadata onto existing user:", e);
+        }
+        if (!providers.includes("google")) {
+          userDoc.providers = [...providers, "google"];
+        }
+        if (!userDoc.googleId) {
+          userDoc.googleId = decoded.sub;
+        }
+        await userDoc.save();
       }
+      const user = userDoc.toObject();
       const tokens = generateTokens(user);
       setAuthCookies(res, tokens, cookieConfig);
       if (user.projectId) {
@@ -1992,7 +2106,7 @@ function generateTokens(user) {
     expiresIn: "1d"
   });
   const refreshToken = import_jsonwebtoken4.default.sign(
-    { sub: user.id.toString() },
+    { sub: user._id.toString() },
     process.env.JWT_SECRET,
     { expiresIn: "30d" }
   );