alepha 0.14.2 → 0.14.4

package/src/api/users/services/SessionService.spec.ts

@@ -0,0 +1,301 @@
+import { Alepha } from "alepha";
+import {
+  AlephaSecurity,
+  CryptoProvider,
+  InvalidCredentialsError,
+} from "alepha/security";
+import { describe, it } from "vitest";
+import {
+  AlephaApiUsers,
+  SessionService,
+  UserRealmProvider,
+  UserService,
+} from "../index.ts";
+
+const setup = async (options?: { usernameEnabled?: boolean }) => {
+  const alepha = Alepha.create({
+    env: { LOG_LEVEL: "error" },
+  });
+
+  alepha.with(AlephaSecurity);
+  alepha.with(AlephaApiUsers);
+
+  await alepha.start();
+
+  const sessionService = alepha.inject(SessionService);
+
+  // Configure realm settings if provided
+  if (options?.usernameEnabled) {
+    const userRealmProvider = alepha.inject(UserRealmProvider);
+    userRealmProvider.register("default", {
+      settings: {
+        usernameEnabled: true,
+      } as never,
+    });
+  }
+
+  return {
+    alepha,
+    sessionService,
+    userService: alepha.inject(UserService),
+    cryptoProvider: alepha.inject(CryptoProvider),
+    identities: sessionService.identities(),
+  };
+};
+
+describe("alepha/api/users - SessionService.login", () => {
+  it("should login successfully with valid credentials", async ({ expect }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    // Create a test user
+    const user = await userService.users().create({
+      username: "loginsuccessuser",
+      email: "login-success@example.com",
+      roles: ["user"],
+    });
+
+    // Create identity with password
+    const password = "securePassword123!";
+    const hashedPassword = await cryptoProvider.hashPassword(password);
+
+    await identities.create({
+      provider: "local",
+      providerUserId: "login-success@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Test login
+    const result = await sessionService.login(
+      "local",
+      "login-success@example.com",
+      password,
+    );
+
+    expect(result?.id).toBe(user.id);
+    expect(result?.email).toBe("login-success@example.com");
+  });
+
+  it("should throw InvalidCredentialsError when identity not found", async ({
+    expect,
+  }) => {
+    const { sessionService } = await setup();
+
+    await expect(
+      sessionService.login("local", "nonexistent@example.com", "password"),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
+  it("should throw InvalidCredentialsError when password is invalid", async ({
+    expect,
+  }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    // Create a test user
+    const user = await userService.users().create({
+      username: "invalidpassworduser",
+      email: "invalid-password@example.com",
+      roles: ["user"],
+    });
+
+    // Create identity with password
+    const hashedPassword = await cryptoProvider.hashPassword("correctPassword");
+
+    await identities.create({
+      provider: "local",
+      providerUserId: "invalid-password@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Test login with wrong password
+    await expect(
+      sessionService.login(
+        "local",
+        "invalid-password@example.com",
+        "wrongPassword",
+      ),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
+  it("should throw InvalidCredentialsError when identity has no password configured", async ({
+    expect,
+  }) => {
+    const { sessionService, userService, identities } = await setup();
+
+    // Create a test user
+    const user = await userService.users().create({
+      username: "nopassworduser",
+      email: "no-password@example.com",
+      roles: ["user"],
+    });
+
+    // Create identity without password
+    await identities.create({
+      provider: "local",
+      providerUserId: "no-password@example.com",
+      userId: user.id,
+      providerData: {}, // No password
+    });
+
+    await expect(
+      sessionService.login("local", "no-password@example.com", "anyPassword"),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
+  it("should throw InvalidCredentialsError when user is deleted after identity creation", async ({
+    expect,
+  }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    // Create a user, then delete them to simulate orphan identity
+    const user = await userService.users().create({
+      username: "orphanidentityuser",
+      email: "orphan-identity@example.com",
+      roles: ["user"],
+    });
+
+    const hashedPassword = await cryptoProvider.hashPassword("password123");
+
+    await identities.create({
+      provider: "local",
+      providerUserId: "orphan-identity@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Delete the user to create orphan identity scenario
+    await userService.users().deleteById(user.id);
+
+    await expect(
+      sessionService.login(
+        "local",
+        "orphan-identity@example.com",
+        "password123",
+      ),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
+  it("should throw InvalidCredentialsError with same message for all failure types", async ({
+    expect,
+  }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    // Setup for invalid password test
+    const user = await userService.users().create({
+      username: "sameerroruser",
+      email: "same-error@example.com",
+      roles: ["user"],
+    });
+    const hashedPassword = await cryptoProvider.hashPassword("correctPass");
+    await identities.create({
+      provider: "local",
+      providerUserId: "same-error@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Test identity not found
+    try {
+      await sessionService.login("local", "notfound@example.com", "password");
+    } catch (error) {
+      expect(error).toBeInstanceOf(InvalidCredentialsError);
+      expect((error as Error).message).toBe("Invalid credentials");
+    }
+
+    // Test invalid password
+    try {
+      await sessionService.login(
+        "local",
+        "same-error@example.com",
+        "wrongPassword",
+      );
+    } catch (error) {
+      expect(error).toBeInstanceOf(InvalidCredentialsError);
+      expect((error as Error).message).toBe("Invalid credentials");
+    }
+  });
+
+  it("should include random delay to prevent timing attacks", async ({
+    expect,
+  }) => {
+    const { sessionService } = await setup();
+
+    const start = Date.now();
+
+    try {
+      await sessionService.login(
+        "local",
+        "timing-attack@example.com",
+        "password",
+      );
+    } catch {
+      // Expected to fail
+    }
+
+    const elapsed = Date.now() - start;
+
+    // Should take at least 50ms due to random delay
+    expect(elapsed).toBeGreaterThanOrEqual(50);
+  });
+
+  it("should handle different providers correctly", async ({ expect }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup({ usernameEnabled: true });
+
+    const user = await userService.users().create({
+      username: "multiprovideruser",
+      email: "multi-provider@example.com",
+      roles: ["user"],
+    });
+
+    // Create identity for 'custom' provider
+    const hashedPassword = await cryptoProvider.hashPassword("customPass");
+    await identities.create({
+      provider: "custom",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Login with correct provider
+    const result = await sessionService.login(
+      "custom",
+      "multiprovideruser",
+      "customPass",
+    );
+    expect(result?.id).toBe(user.id);
+
+    // Should fail with wrong provider
+    await expect(
+      sessionService.login("local", "custom-user-id", "customPass"),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
+  it("should handle empty password correctly", async ({ expect }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    const user = await userService.users().create({
+      username: "emptypassworduser",
+      email: "empty-password@example.com",
+      roles: ["user"],
+    });
+
+    const hashedPassword = await cryptoProvider.hashPassword("realPassword");
+    await identities.create({
+      provider: "local",
+      providerUserId: "empty-password@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Empty password should fail
+    await expect(
+      sessionService.login("local", "empty-password@example.com", ""),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+});

package/src/api/users/services/SessionService.ts

@@ -1,5 +1,6 @@
 import { randomInt } from "node:crypto";
 import { $inject, Alepha } from "alepha";
+import { AuditService } from "alepha/api/audits";
 import type { FileController } from "alepha/api/files";
 import { DateTimeProvider } from "alepha/datetime";
 import { FileSystemProvider } from "alepha/file";
@@ -23,6 +24,7 @@ export class SessionService {
   protected readonly log = $logger();
   protected readonly userRealmProvider = $inject(UserRealmProvider);
   protected readonly fileController = $client<FileController>();
+  protected readonly auditService = $inject(AuditService);
 
   public users(userRealmName?: string) {
     return this.userRealmProvider.userRepository(userRealmName);
@@ -79,6 +81,13 @@ export class SessionService {
           username,
           realm: name,
         });
+
+        await this.auditService.recordAuth("login_failed", {
+          userRealm: name,
+          description: "Invalid login identifier format",
+          metadata: { provider, username },
+        });
+
         throw new InvalidCredentialsError();
       }
 
@@ -89,6 +98,13 @@ export class SessionService {
           username,
           realm: name,
         });
+
+        await this.auditService.recordAuth("login_failed", {
+          userRealm: name,
+          description: "User not found",
+          metadata: { provider, username },
+        });
+
         throw new InvalidCredentialsError();
       }
 
@@ -121,9 +137,26 @@ export class SessionService {
           username,
           realm: name,
         });
+
+        await this.auditService.recordAuth("login_failed", {
+          userRealm: name,
+          resourceId: user.id,
+          description: "Invalid password",
+          metadata: { provider, username },
+        });
+
         throw new InvalidCredentialsError();
       }
 
+      await this.auditService.recordAuth("login", {
+        userId: user.id,
+        userEmail: user.email ?? undefined,
+        userRealm: name,
+        resourceId: user.id,
+        description: `User logged in via ${provider}`,
+        metadata: { provider, username },
+      });
+
       return user;
     } catch (error) {
       if (error instanceof InvalidCredentialsError) {
@@ -204,6 +237,16 @@ export class SessionService {
       userId: session.userId,
     });
 
+    const { name } = this.userRealmProvider.getRealm(userRealmName);
+
+    await this.auditService.recordAuth("token_refresh", {
+      userId: user.id,
+      userEmail: user.email ?? undefined,
+      userRealm: name,
+      sessionId: session.id,
+      description: "Session token refreshed",
+    });
+
     return {
       user,
       expiresIn: expiresAt.unix() - now.unix(),
@@ -213,10 +256,29 @@ export class SessionService {
 
   public async deleteSession(refreshToken: string, userRealmName?: string) {
     this.log.trace("Deleting session");
+
+    // Get session info before deletion for audit
+    const session = await this.sessions(userRealmName)
+      .findOne({
+        where: { refreshToken: { eq: refreshToken } },
+      })
+      .catch(() => undefined);
+
     await this.sessions(userRealmName).deleteOne({
       refreshToken,
     });
     this.log.debug("Session deleted");
+
+    if (session) {
+      const { name } = this.userRealmProvider.getRealm(userRealmName);
+
+      await this.auditService.recordAuth("logout", {
+        userId: session.userId,
+        userRealm: name,
+        sessionId: session.id,
+        description: "User logged out",
+      });
+    }
   }
 
   public async link(
@@ -250,7 +312,19 @@ export class SessionService {
         identityId: identity.id,
         userId: identity.userId,
       });
-      return users.findById(identity.userId);
+
+      const user = await users.findById(identity.userId);
+
+      await this.auditService.recordAuth("login", {
+        userId: user.id,
+        userEmail: user.email ?? undefined,
+        userRealm: realm.name,
+        resourceId: user.id,
+        description: `User logged in via OAuth2 (${provider})`,
+        metadata: { provider, providerUserId: profile.sub },
+      });
+
+      return user;
     }
 
     if (!profile.email) {
@@ -284,6 +358,16 @@ export class SessionService {
         providerUserId: profile.sub,
         userId: existing.id,
       });
+
+      await this.auditService.recordAuth("login", {
+        userId: existing.id,
+        userEmail: existing.email ?? undefined,
+        userRealm: realm.name,
+        resourceId: existing.id,
+        description: `OAuth2 identity linked to existing user (${provider})`,
+        metadata: { provider, providerUserId: profile.sub, linked: true },
+      });
+
       return existing;
     }
 
@@ -338,6 +422,31 @@ export class SessionService {
       username: user.username,
     });
 
+    // Audit: user created via OAuth
+    await this.auditService.recordUser("create", {
+      userId: user.id,
+      userEmail: user.email ?? undefined,
+      userRealm: realm.name,
+      resourceId: user.id,
+      description: `User created via OAuth2 (${provider})`,
+      metadata: {
+        provider,
+        providerUserId: profile.sub,
+        username: user.username,
+        email: user.email,
+      },
+    });
+
+    // Audit: login event
+    await this.auditService.recordAuth("login", {
+      userId: user.id,
+      userEmail: user.email ?? undefined,
+      userRealm: realm.name,
+      resourceId: user.id,
+      description: `First login via OAuth2 (${provider})`,
+      metadata: { provider, providerUserId: profile.sub, firstLogin: true },
+    });
+
     return user;
   }
 }

package/src/api/users/services/UserService.ts

@@ -1,4 +1,5 @@
 import { $inject } from "alepha";
+import { AuditService } from "alepha/api/audits";
 import type { VerificationController } from "alepha/api/verifications";
 import { $logger } from "alepha/logger";
 import { type Page, parseQueryString } from "alepha/orm";
@@ -16,6 +17,7 @@ export class UserService {
   protected readonly verificationController = $client<VerificationController>();
   protected readonly userNotifications = $inject(UserNotifications);
   protected readonly userRealmProvider = $inject(UserRealmProvider);
+  protected readonly auditService = $inject(AuditService);
 
   public users(userRealmName?: string) {
     return this.userRealmProvider.userRepository(userRealmName);
@@ -153,6 +155,17 @@ export class UserService {
     });
 
     this.log.info("Email verified", { email, userId: user.id, type });
+
+    const realm = this.userRealmProvider.getRealm(userRealmName);
+
+    await this.auditService.recordUser("update", {
+      userId: user.id,
+      userEmail: email,
+      userRealm: realm.name,
+      resourceId: user.id,
+      description: "Email verified",
+      metadata: { email, verificationType: type },
+    });
   }
 
   /**
@@ -301,6 +314,17 @@ export class UserService {
       email: user.email,
     });
 
+    await this.auditService.recordUser("create", {
+      userRealm: realm.name,
+      resourceId: user.id,
+      description: "User created",
+      metadata: {
+        username: user.username,
+        email: user.email,
+        roles: user.roles,
+      },
+    });
+
     return user;
   }
 
@@ -313,10 +337,38 @@ export class UserService {
     userRealmName?: string,
   ): Promise<UserEntity> {
     this.log.trace("Updating user", { id, userRealmName });
-    await this.getUserById(id, userRealmName);
+    const before = await this.getUserById(id, userRealmName);
 
     const user = await this.users(userRealmName).updateById(id, data);
     this.log.debug("User updated", { userId: id });
+
+    const realm = this.userRealmProvider.getRealm(userRealmName);
+
+    // Build changes object showing what was updated
+    const changes: Record<string, { from: unknown; to: unknown }> = {};
+    for (const key of Object.keys(data) as (keyof UpdateUser)[]) {
+      if (data[key] !== undefined && before[key] !== data[key]) {
+        changes[key] = { from: before[key], to: data[key] };
+      }
+    }
+
+    // Detect role changes for special handling
+    const isRoleChange =
+      data.roles !== undefined &&
+      JSON.stringify(before.roles) !== JSON.stringify(data.roles);
+
+    await this.auditService.recordUser(
+      isRoleChange ? "role_change" : "update",
+      {
+        userRealm: realm.name,
+        resourceId: user.id,
+        description: isRoleChange
+          ? "User roles changed"
+          : `User updated: ${Object.keys(changes).join(", ")}`,
+        metadata: { changes },
+      },
+    );
+
     return user;
   }
 
@@ -325,9 +377,22 @@ export class UserService {
    */
   public async deleteUser(id: string, userRealmName?: string): Promise<void> {
     this.log.trace("Deleting user", { id, userRealmName });
-    await this.getUserById(id, userRealmName);
+    const user = await this.getUserById(id, userRealmName);
 
     await this.users(userRealmName).deleteById(id);
     this.log.info("User deleted", { userId: id });
+
+    const realm = this.userRealmProvider.getRealm(userRealmName);
+
+    await this.auditService.recordUser("delete", {
+      userRealm: realm.name,
+      resourceId: id,
+      severity: "warning",
+      description: "User deleted",
+      metadata: {
+        username: user.username,
+        email: user.email,
+      },
+    });
   }
 }