alepha 0.14.2 → 0.14.3

package/src/api/users/entities/sessions.ts

@@ -1,16 +1,16 @@
 import { type Static, t } from "alepha";
-import { $entity, pg } from "alepha/orm";
+import { $entity, db } from "alepha/orm";
 import { users } from "./users.ts";
 
 export const sessions = $entity({
   name: "sessions",
   schema: t.object({
-    id: pg.primaryKey(t.uuid()),
-    version: pg.version(),
-    createdAt: pg.createdAt(),
-    updatedAt: pg.updatedAt(),
+    id: db.primaryKey(t.uuid()),
+    version: db.version(),
+    createdAt: db.createdAt(),
+    updatedAt: db.updatedAt(),
     refreshToken: t.uuid(),
-    userId: pg.ref(t.uuid(), () => users.cols.id),
+    userId: db.ref(t.uuid(), () => users.cols.id),
     expiresAt: t.datetime(),
     ip: t.optional(t.text()),
     userAgent: t.optional(

package/src/api/users/entities/users.ts

@@ -1,17 +1,17 @@
 import { type Static, t } from "alepha";
-import { $entity, pg } from "alepha/orm";
+import { $entity, db } from "alepha/orm";
 
 export const DEFAULT_USER_REALM_NAME = "default";
 
 export const users = $entity({
   name: "users",
   schema: t.object({
-    id: pg.primaryKey(t.uuid()),
-    version: pg.version(),
-    createdAt: pg.createdAt(),
-    updatedAt: pg.updatedAt(),
+    id: db.primaryKey(t.uuid()),
+    version: db.version(),
+    createdAt: db.createdAt(),
+    updatedAt: db.updatedAt(),
 
-    realm: pg.default(t.text(), DEFAULT_USER_REALM_NAME),
+    realm: db.default(t.text(), DEFAULT_USER_REALM_NAME),
 
     username: t.optional(
       t.shortText({
@@ -25,13 +25,13 @@ export const users = $entity({
 
     phoneNumber: t.optional(t.e164()),
 
-    roles: pg.default(t.array(t.string()), []),
+    roles: db.default(t.array(t.string()), []),
     firstName: t.optional(t.string()),
     lastName: t.optional(t.string()),
     picture: t.optional(t.string()),
-    enabled: pg.default(t.boolean(), true),
+    enabled: db.default(t.boolean(), true),
 
-    emailVerified: pg.default(t.boolean(), false),
+    emailVerified: db.default(t.boolean(), false),
   }),
   indexes: [
     { columns: ["realm", "username"], unique: true },

package/src/api/users/index.ts

@@ -4,8 +4,9 @@ import { AlephaApiVerification } from "alepha/api/verifications";
 import { AlephaEmail } from "alepha/email";
 import { AlephaServerCompress } from "alepha/server/compress";
 import { AlephaServerHelmet } from "alepha/server/helmet";
-import { IdentityController } from "./controllers/IdentityController.ts";
-import { SessionController } from "./controllers/SessionController.ts";
+import { AdminIdentityController } from "./controllers/AdminIdentityController.ts";
+import { AdminSessionController } from "./controllers/AdminSessionController.ts";
+import { AdminUserController } from "./controllers/AdminUserController.ts";
 import { UserController } from "./controllers/UserController.ts";
 import { UserRealmController } from "./controllers/UserRealmController.ts";
 import { UserNotifications } from "./notifications/UserNotifications.ts";
@@ -20,8 +21,9 @@ import { UserService } from "./services/UserService.ts";
 // ---------------------------------------------------------------------------------------------------------------------
 
 export * from "./atoms/realmAuthSettingsAtom.ts";
-export * from "./controllers/IdentityController.ts";
-export * from "./controllers/SessionController.ts";
+export * from "./controllers/AdminIdentityController.ts";
+export * from "./controllers/AdminSessionController.ts";
+export * from "./controllers/AdminUserController.ts";
 export * from "./controllers/UserController.ts";
 export * from "./controllers/UserRealmController.ts";
 export * from "./entities/identities.ts";
@@ -78,8 +80,9 @@ export const AlephaApiUsers = $module({
     UserService,
     IdentityService,
     UserController,
-    SessionController,
-    IdentityController,
+    AdminUserController,
+    AdminSessionController,
+    AdminIdentityController,
     UserRealmController,
     UserNotifications,
   ],

package/src/api/users/primitives/$userRealm.ts

@@ -1,7 +1,6 @@
 import { $context } from "alepha";
 import { AlephaApiAudits } from "alepha/api/audits";
 import { AlephaApiFiles } from "alepha/api/files";
-import { AlephaApiJobs } from "alepha/api/jobs";
 import type { Repository } from "alepha/orm";
 import {
   $realm,
@@ -49,22 +48,28 @@ export const $userRealm = (
   const sessionService = alepha.inject(SessionService);
   const securityProvider = alepha.inject(SecurityProvider);
   const userRealmProvider = alepha.inject(UserRealmProvider);
+
   const name = options.realm?.name ?? DEFAULT_USER_REALM_NAME;
 
-  const userRealm = userRealmProvider.register(name, options);
+  options.settings ??= {};
 
-  if (options.modules?.audits) {
-    alepha.with(AlephaApiAudits);
+  if (options.settings.emailRequired) {
+    options.settings.emailEnabled = true;
   }
 
-  if (options.modules?.files) {
-    alepha.with(AlephaApiFiles);
+  if (options.settings.usernameRequired) {
+    options.settings.usernameEnabled = true;
   }
 
-  if (options.modules?.jobs) {
-    alepha.with(AlephaApiJobs);
+  if (options.settings.phoneRequired) {
+    options.settings.phoneEnabled = true;
   }
 
+  const userRealm = userRealmProvider.register(name, options);
+
+  alepha.with(AlephaApiFiles);
+  alepha.with(AlephaApiAudits);
+
   const realm: UserRealmPrimitive = $realm({
     ...options.realm,
     name,

package/src/api/users/services/CredentialService.spec.ts

@@ -0,0 +1,509 @@
+import { Alepha } from "alepha";
+import { AlephaApiVerification } from "alepha/api/verifications";
+import { DateTimeProvider } from "alepha/datetime";
+import { AlephaEmail, MemoryEmailProvider } from "alepha/email";
+import { AlephaSecurity, CryptoProvider } from "alepha/security";
+import { BadRequestError, HttpError } from "alepha/server";
+import { describe, it } from "vitest";
+import {
+  AlephaApiUsers,
+  CredentialService,
+  SessionService,
+  UserService,
+} from "../index.ts";
+
+const setup = async () => {
+  const alepha = Alepha.create({
+    env: { LOG_LEVEL: "error" },
+  });
+
+  alepha.with(AlephaSecurity);
+  alepha.with(AlephaEmail);
+  alepha.with(AlephaApiVerification);
+  alepha.with(AlephaApiUsers);
+
+  await alepha.start();
+
+  const emailProvider = alepha.inject(MemoryEmailProvider);
+  emailProvider.records = [];
+
+  return {
+    alepha,
+    credentialService: alepha.inject(CredentialService),
+    userService: alepha.inject(UserService),
+    sessionService: alepha.inject(SessionService),
+    cryptoProvider: alepha.inject(CryptoProvider),
+    dateTimeProvider: alepha.inject(DateTimeProvider),
+    emailProvider,
+  };
+};
+
+// Helper to extract code from email
+const extractCode = (emailBody: string): string => {
+  const match = emailBody.match(/(\d{6})/);
+  if (!match) throw new Error("Code not found in email");
+  return match[1];
+};
+
+// Helper to create a user with credentials
+const createUserWithCredentials = async (
+  userService: UserService,
+  credentialService: CredentialService,
+  cryptoProvider: CryptoProvider,
+  email: string,
+  password: string,
+) => {
+  const user = await userService.users().create({
+    email,
+    username: email.split("@")[0],
+    roles: ["user"],
+  });
+
+  const hashedPassword = await cryptoProvider.hashPassword(password);
+
+  await credentialService.identities().create({
+    userId: user.id,
+    provider: "credentials",
+    password: hashedPassword,
+  });
+
+  return user;
+};
+
+describe("alepha/api/users - CredentialService", () => {
+  describe("Phase 1: createPasswordResetIntent", () => {
+    it("should create a password reset intent for existing user", async ({
+      expect,
+    }) => {
+      const { credentialService, userService, cryptoProvider, emailProvider } =
+        await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "reset@example.com",
+        "OldPassword123!",
+      );
+
+      const result =
+        await credentialService.createPasswordResetIntent("reset@example.com");
+
+      expect(result.intentId).toBeDefined();
+      expect(result.expiresAt).toBeDefined();
+
+      // Verify email was sent
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      expect(emailProvider.records[0].to).toBe("reset@example.com");
+      expect(emailProvider.records[0].subject).toBe("Reset your password");
+    });
+
+    it("should return fake intent for non-existent email (security)", async ({
+      expect,
+    }) => {
+      const { credentialService, emailProvider } = await setup();
+
+      // Should still return a response (security - don't reveal if email exists)
+      const result = await credentialService.createPasswordResetIntent(
+        "nonexistent@example.com",
+      );
+
+      expect(result.intentId).toBeDefined();
+      expect(result.expiresAt).toBeDefined();
+
+      // No email should be sent
+      expect(emailProvider.records.length).toBe(0);
+    });
+
+    it("should return fake intent for user without credentials identity", async ({
+      expect,
+    }) => {
+      const { credentialService, userService, emailProvider } = await setup();
+
+      // Create user without credentials (OAuth-only user)
+      await userService.users().create({
+        email: "oauth@example.com",
+        username: "oauthuser",
+        roles: ["user"],
+      });
+
+      // Should still return a response
+      const result =
+        await credentialService.createPasswordResetIntent("oauth@example.com");
+
+      expect(result.intentId).toBeDefined();
+      expect(result.expiresAt).toBeDefined();
+
+      // No email should be sent
+      expect(emailProvider.records.length).toBe(0);
+    });
+
+    it("should set correct expiration time (10 minutes)", async ({
+      expect,
+    }) => {
+      const {
+        credentialService,
+        userService,
+        cryptoProvider,
+        dateTimeProvider,
+      } = await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "expiry@example.com",
+        "Password123!",
+      );
+
+      const before = dateTimeProvider.now();
+
+      const result =
+        await credentialService.createPasswordResetIntent("expiry@example.com");
+
+      const expiresAt = dateTimeProvider.of(result.expiresAt);
+      const expectedExpiry = before.add(10, "minutes");
+
+      // Should expire approximately 10 minutes from now
+      expect(expiresAt.diff(expectedExpiry, "seconds")).toBeLessThan(5);
+    });
+  });
+
+  describe("Phase 2: completePasswordReset", () => {
+    it("should complete password reset with valid code", async ({ expect }) => {
+      const {
+        credentialService,
+        userService,
+        sessionService,
+        cryptoProvider,
+        emailProvider,
+      } = await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "complete@example.com",
+        "OldPassword123!",
+      );
+
+      // Phase 1: Create intent
+      const intent = await credentialService.createPasswordResetIntent(
+        "complete@example.com",
+      );
+
+      // Extract code from email
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Phase 2: Complete password reset
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "NewPassword456!",
+      });
+
+      // Verify new password works
+      const loggedInUser = await sessionService.login(
+        "credentials",
+        "complete@example.com",
+        "NewPassword456!",
+      );
+
+      expect(loggedInUser?.email).toBe("complete@example.com");
+    });
+
+    it("should reject expired intent (410 Gone)", async ({ expect }) => {
+      const {
+        credentialService,
+        userService,
+        cryptoProvider,
+        dateTimeProvider,
+        emailProvider,
+      } = await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "expired@example.com",
+        "OldPassword123!",
+      );
+
+      // Create intent
+      const intent = await credentialService.createPasswordResetIntent(
+        "expired@example.com",
+      );
+
+      // Extract code
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Travel forward 11 minutes (intent expires at 10)
+      dateTimeProvider.travel(11, "minutes");
+
+      // Attempt to complete
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: intent.intentId,
+          code,
+          newPassword: "NewPassword456!",
+        }),
+      ).rejects.toThrow(HttpError);
+    });
+
+    it("should reject invalid intent ID", async ({ expect }) => {
+      const { credentialService } = await setup();
+
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: "550e8400-e29b-41d4-a716-446655440000",
+          code: "123456",
+          newPassword: "NewPassword456!",
+        }),
+      ).rejects.toThrow(HttpError);
+    });
+
+    it("should reject invalid verification code", async ({ expect }) => {
+      const { credentialService, userService, cryptoProvider, emailProvider } =
+        await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "wrongcode@example.com",
+        "OldPassword123!",
+      );
+
+      const intent = await credentialService.createPasswordResetIntent(
+        "wrongcode@example.com",
+      );
+
+      // Wait for email
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: intent.intentId,
+          code: "000000", // Wrong code
+          newPassword: "NewPassword456!",
+        }),
+      ).rejects.toThrowError(BadRequestError);
+    });
+
+    it("should not allow intent reuse after successful reset", async ({
+      expect,
+    }) => {
+      const { credentialService, userService, cryptoProvider, emailProvider } =
+        await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "onetime@example.com",
+        "OldPassword123!",
+      );
+
+      const intent = await credentialService.createPasswordResetIntent(
+        "onetime@example.com",
+      );
+
+      // Extract code
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // First completion should succeed
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "NewPassword456!",
+      });
+
+      // Second attempt should fail (intent deleted)
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: intent.intentId,
+          code,
+          newPassword: "AnotherPassword789!",
+        }),
+      ).rejects.toThrow(HttpError);
+    });
+
+    it("should invalidate all existing sessions after password reset", async ({
+      expect,
+    }) => {
+      const {
+        credentialService,
+        userService,
+        sessionService,
+        cryptoProvider,
+        emailProvider,
+      } = await setup();
+
+      const user = await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "sessions@example.com",
+        "OldPassword123!",
+      );
+
+      // Create a session
+      await sessionService.sessions().create({
+        userId: user.id,
+        refreshToken: crypto.randomUUID(),
+        expiresAt: new Date(Date.now() + 3600000).toISOString(),
+      });
+
+      // Verify session exists
+      const sessionsBefore = await sessionService.sessions().findMany({
+        where: { userId: { eq: user.id } },
+      });
+      expect(sessionsBefore).toHaveLength(1);
+
+      // Create password reset intent
+      const intent = await credentialService.createPasswordResetIntent(
+        "sessions@example.com",
+      );
+
+      // Extract code
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Complete password reset
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "NewPassword456!",
+      });
+
+      // Verify all sessions are invalidated
+      const sessionsAfter = await sessionService.sessions().findMany({
+        where: { userId: { eq: user.id } },
+      });
+      expect(sessionsAfter).toHaveLength(0);
+    });
+
+    it("should not allow old password after reset", async ({ expect }) => {
+      const {
+        credentialService,
+        userService,
+        sessionService,
+        cryptoProvider,
+        emailProvider,
+      } = await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "oldpass@example.com",
+        "OldPassword123!",
+      );
+
+      // Verify old password works before reset
+      const beforeReset = await sessionService.login(
+        "credentials",
+        "oldpass@example.com",
+        "OldPassword123!",
+      );
+      expect(beforeReset?.email).toBe("oldpass@example.com");
+
+      // Create intent and reset password
+      const intent = await credentialService.createPasswordResetIntent(
+        "oldpass@example.com",
+      );
+
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "NewPassword456!",
+      });
+
+      // Old password should no longer work (login throws error for invalid credentials)
+      await expect(
+        sessionService.login(
+          "credentials",
+          "oldpass@example.com",
+          "OldPassword123!",
+        ),
+      ).rejects.toThrow();
+    });
+  });
+
+  describe("Full password reset flow integration", () => {
+    it("should complete full password reset flow", async ({ expect }) => {
+      const {
+        credentialService,
+        userService,
+        sessionService,
+        cryptoProvider,
+        emailProvider,
+      } = await setup();
+
+      // Create user
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "fullflow@example.com",
+        "OldPassword123!",
+      );
+
+      // Phase 1: Request password reset
+      const intent = await credentialService.createPasswordResetIntent(
+        "fullflow@example.com",
+      );
+
+      expect(intent.intentId).toBeDefined();
+      expect(intent.expiresAt).toBeDefined();
+
+      // Verify email was sent
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      expect(emailProvider.records[0].to).toBe("fullflow@example.com");
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Phase 2: Complete password reset
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "NewSecurePassword789!",
+      });
+
+      // Verify new password works
+      const user = await sessionService.login(
+        "credentials",
+        "fullflow@example.com",
+        "NewSecurePassword789!",
+      );
+
+      expect(user?.email).toBe("fullflow@example.com");
+    });
+  });
+
+  describe("Legacy methods (backward compatibility)", () => {
+    it("requestPasswordReset should work as before", async ({ expect }) => {
+      const { credentialService, userService, cryptoProvider, emailProvider } =
+        await setup();
+
+      await createUserWithCredentials(
+        userService,
+        credentialService,
+        cryptoProvider,
+        "legacy@example.com",
+        "OldPassword123!",
+      );
+
+      const result =
+        await credentialService.requestPasswordReset("legacy@example.com");
+
+      expect(result).toBe(true);
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+    });
+  });
+});