npm - alepha - Versions diffs - 0.19.1 → 0.19.3 - Mend

alepha 0.19.1 → 0.19.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (531) hide show

package/src/api/users/primitives/$realm.ts CHANGED Viewed

@@ -63,7 +63,7 @@ export const $realm = (options: RealmOptions = {}): RealmPrimitive => {
   // Merge features with defaults
   const features: RealmFeatures = {
-    sessionPurge: false,
+    jobs: false,
     notifications: false,
     apiKeys: false,
     parameters: false,
@@ -95,7 +95,7 @@ export const $realm = (options: RealmOptions = {}): RealmPrimitive => {
     alepha.with(UserAudits);
   }
-  if (features.sessionPurge) {
+  if (features.jobs) {
     alepha.with(UserJobs);
   }
@@ -227,11 +227,13 @@ export const $realm = (options: RealmOptions = {}): RealmPrimitive => {
 export interface RealmFeatures {
   /**
-   * Enable session purge functionality for cleaning up expired sessions.
+   * Will enable Job module.
+   *
+   * - Enable session purge functionality for cleaning up expired sessions.
    *
    * @default false
    */
-  sessionPurge?: boolean;
+  jobs?: boolean;
   /**
    * Enable notification system for password reset, verification emails, etc.

package/src/api/users/providers/RealmProvider.ts CHANGED Viewed

@@ -43,7 +43,7 @@ export class RealmProvider {
     // Merge features with defaults
     const features: RealmFeatures = {
-      sessionPurge: false,
+      jobs: false,
       notifications: false,
       apiKeys: false,
       parameters: false,

package/src/api/users/services/RegistrationService.ts CHANGED Viewed

@@ -339,7 +339,7 @@ export class RegistrationService {
     if (body.username) {
       const existingUser = await userRepository.findOne({
-        where: { username: { eq: body.username } },
+        where: { username: { ilike: body.username } },
       });
       if (existingUser) {
         this.log.debug("Username already taken", { username: body.username });

package/src/api/users/services/SessionService.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import {
   InvalidCredentialsError,
   type UserAccount,
 } from "alepha/security";
-import { UnauthorizedError } from "alepha/server";
+import { BadRequestError, UnauthorizedError } from "alepha/server";
 import type { OAuth2Profile } from "alepha/server/auth";
 import { $client } from "alepha/server/links";
 import { FileSystemProvider } from "alepha/system";
@@ -98,6 +98,78 @@ export class SessionService {
     return true;
   }
+  /**
+   * Generate a unique username from an OAuth profile.
+   *
+   * 1. Extract candidate from email prefix
+   * 2. Sanitize against realm's usernameRegExp (strip invalid chars, truncate)
+   * 3. Check case-insensitive uniqueness, append suffix (2, 3, ...) if taken
+   * 4. Fall back to "user" + random 6-char alphanumeric if all else fails
+   */
+  protected async generateUniqueUsername(
+    profile: OAuth2Profile,
+    realmSettings: any,
+    users: any,
+  ): Promise<string> {
+    const maxLength = 30;
+    const maxSuffixAttempts = 10;
+    // Extract candidate from email or profile name
+    let candidate = profile.email?.split("@")[0] ?? profile.name ?? "";
+    // Strip characters not allowed in usernames (keep alphanumeric, underscore, dot, hyphen)
+    candidate = candidate.replace(/[^a-zA-Z0-9_.-]/g, "");
+    // If realm has a custom regex, further sanitize
+    if (realmSettings?.usernameRegExp) {
+      try {
+        const regex = new RegExp(realmSettings.usernameRegExp);
+        if (!regex.test(candidate)) {
+          // Strip to basic alphanumeric as safe fallback
+          candidate = candidate.replace(/[^a-zA-Z0-9_]/g, "");
+        }
+      } catch {
+        // Invalid regex, continue with sanitized candidate
+      }
+    }
+    // Ensure minimum length
+    if (candidate.length < 3) {
+      candidate = `user${candidate}`;
+    }
+    // Truncate to leave room for suffix
+    candidate = candidate.slice(0, maxLength - 2);
+    // Check uniqueness (case-insensitive)
+    const isAvailable = async (name: string) => {
+      const existing = await users.findMany({
+        where: { username: { contains: name } },
+        limit: 1,
+      });
+      // Case-insensitive check
+      return !existing.some(
+        (u: any) => u.username?.toLowerCase() === name.toLowerCase(),
+      );
+    };
+    if (await isAvailable(candidate)) {
+      return candidate;
+    }
+    // Try with numeric suffix
+    for (let i = 2; i <= maxSuffixAttempts + 1; i++) {
+      const withSuffix = `${candidate}${i}`;
+      if (withSuffix.length <= maxLength && (await isAvailable(withSuffix))) {
+        return withSuffix;
+      }
+    }
+    // Final fallback: random username
+    const random = Math.random().toString(36).slice(2, 8);
+    return `user${random}`;
+  }
   /**
    * Random delay to prevent timing attacks (50-200ms)
    * Uses cryptographically secure random number generation
@@ -222,7 +294,7 @@ export class SessionService {
             throw new InvalidCredentialsError();
           }
         }
-        where.username = username;
+        where.username = { ilike: username };
       } else if (settings.email !== "none" && isEmail) {
         where.email = username;
       } else if (settings.phoneNumber !== "none" && isPhone) {
@@ -596,12 +668,27 @@ export class SessionService {
       return existing;
     }
-    // TODO: check usernames for uniqueness, add suffix if needed (e.g. john.doe1)
-    // TODO: username must match a-zA-Z0-9._-
+    const realmSettings = await realm.getSettings();
+    const adminEmails = realmSettings?.adminEmails ?? [];
+    const isAdmin = profile.email && adminEmails.includes(profile.email);
+    if (realmSettings?.registrationAllowed === false && !isAdmin) {
+      this.log.warn("Registration not allowed for realm via OAuth2", {
+        provider,
+        userRealmName,
+      });
+      throw new BadRequestError("Account doesn't exist");
+    }
+    const username = await this.generateUniqueUsername(
+      profile,
+      realmSettings,
+      users,
+    );
     const user = await users.create({
       realm: realm.name,
-      username: profile.email.split("@")[0],
+      username,
       email: profile.email,
       // we trust the OAuth2 provider
       emailVerified: true,

package/src/api/users/services/UserService.ts CHANGED Viewed

@@ -276,7 +276,7 @@ export class UserService {
     // Check for existing user based on provided unique fields
     if (data.username) {
       const existingUser = await this.users(userRealmName).findOne({
-        where: { username: { eq: data.username } },
+        where: { username: { ilike: data.username } },
       });
       if (existingUser) {

package/src/api/verifications/{jobs → __tests__}/VerificationJobs.spec.ts RENAMED Viewed

@@ -23,6 +23,8 @@ describe("VerificationJobs", () => {
     const time = alepha.inject(DateTimeProvider);
     const jobs = alepha.inject(VerificationJobs);
+    await db.verifications.deleteMany({ target: { eq: "hello@mail.com" } });
     const entry = {
       type: "link",
       target: "hello@mail.com",
@@ -36,12 +38,12 @@ describe("VerificationJobs", () => {
     await db.verifications.create({
       ...entry,
-      createdAt: time.now().subtract(1, "days").toISOString(),
+      createdAt: time.now().subtract(2, "days").toISOString(),
     });
     await db.verifications.create({
       ...entry,
-      createdAt: time.now().subtract(2, "days").toISOString(),
+      createdAt: time.now().subtract(3, "days").toISOString(),
     });
     expect(await db.verifications.count()).toBe(3);

package/src/api/verifications/parameters/VerificationParameters.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { $atom, $use, type Static } from "alepha";
+import { $atom, $state, type Static } from "alepha";
 import {
   type VerificationSettings,
   verificationSettingsSchema,
@@ -41,7 +41,7 @@ declare module "alepha" {
 // ---------------------------------------------------------------------------------------------------------------------
 export class VerificationParameters {
-  protected readonly options = $use(verificationOptions);
+  protected readonly options = $state(verificationOptions);
   public get<K extends keyof VerificationSettings>(
     key: K,

package/src/billing/__tests__/BillingService.spec.ts ADDED Viewed

@@ -0,0 +1,136 @@
+import { Alepha } from "alepha";
+import { AlephaOrmPostgres } from "alepha/orm/postgres";
+import { describe, it } from "vitest";
+import { AlephaBilling } from "../index.ts";
+import { BillingService } from "../services/BillingService.ts";
+describe("BillingService", () => {
+  it("should create an intent in 'created' status", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    expect(intent.amount).toBe(1500);
+    expect(intent.currency).toBe("eur");
+    expect(intent.status).toBe("created");
+  });
+  it("should create a session and transition to 'processing'", async ({
+    expect,
+  }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    const session = await billing.createSession(
+      intent.id,
+      "https://example.com/return",
+    );
+    expect(session.url).toContain("/billing/mock-checkout/");
+    expect(session.intentId).toBe(intent.id);
+  });
+  it("should capture an authorized intent", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await billing.createSession(intent.id, "https://example.com", true);
+    await billing.handleWebhookEvent(intent.id, "authorized");
+    const captured = await billing.capture(intent.id);
+    expect(captured.status).toBe("captured");
+  });
+  it("should void an authorized intent", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await billing.createSession(intent.id, "https://example.com", true);
+    await billing.handleWebhookEvent(intent.id, "authorized");
+    const voided = await billing.void(intent.id);
+    expect(voided.status).toBe("voided");
+  });
+  it("should refund a captured intent", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await billing.createSession(intent.id, "https://example.com");
+    await billing.handleWebhookEvent(intent.id, "captured");
+    const refund = await billing.refund(intent.id, 500, "Customer request");
+    expect(refund.amount).toBe(500);
+    expect(refund.status).toBe("completed");
+  });
+  it("should record a cash payment directly as captured", async ({
+    expect,
+  }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.recordCashPayment(1500, "eur", {
+      orderId: "order-1",
+    });
+    expect(intent.status).toBe("captured");
+    expect(intent.metadata).toEqual({ orderId: "order-1" });
+  });
+  it("should cancel a created intent", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    const cancelled = await billing.cancel(intent.id);
+    expect(cancelled.status).toBe("cancelled");
+  });
+  it("should reject capture from wrong status", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await expect(billing.capture(intent.id)).rejects.toThrowError();
+  });
+  it("should reject refund from wrong status", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await expect(billing.refund(intent.id, 500)).rejects.toThrowError();
+  });
+  it("should reject void from wrong status", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await expect(billing.void(intent.id)).rejects.toThrowError();
+  });
+  it("should reject cancel from wrong status", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const billing = alepha.inject(BillingService);
+    await alepha.start();
+    const intent = await billing.createIntent(1500, "eur");
+    await billing.createSession(intent.id, "https://example.com");
+    await expect(billing.cancel(intent.id)).rejects.toThrowError();
+  });
+});

package/src/billing/__tests__/PaymentMethodService.spec.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import { randomUUID } from "node:crypto";
+import { Alepha } from "alepha";
+import { AlephaOrmPostgres } from "alepha/orm/postgres";
+import { describe, it } from "vitest";
+import { AlephaBilling } from "../index.ts";
+import { PaymentMethodService } from "../services/PaymentMethodService.ts";
+describe("PaymentMethodService", () => {
+  const userId = randomUUID();
+  const userId2 = randomUUID();
+  const orgId = randomUUID();
+  it("should add a payment method", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const service = alepha.inject(PaymentMethodService);
+    await alepha.start();
+    const method = await service.addPaymentMethod(userId, orgId, "tok_visa");
+    expect(method.type).toBe("card");
+    expect(method.last4).toBe("4242");
+    expect(method.isDefault).toBe(true);
+  });
+  it("should list payment methods for a user", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const service = alepha.inject(PaymentMethodService);
+    await alepha.start();
+    await service.addPaymentMethod(userId, orgId, "tok_visa");
+    await service.addPaymentMethod(userId, orgId, "tok_mastercard");
+    const methods = await service.listPaymentMethods(userId);
+    expect(methods).toHaveLength(2);
+  });
+  it("should remove a payment method", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const service = alepha.inject(PaymentMethodService);
+    await alepha.start();
+    const method = await service.addPaymentMethod(userId, orgId, "tok_visa");
+    await service.removePaymentMethod(method.id, userId);
+    const methods = await service.listPaymentMethods(userId);
+    expect(methods).toHaveLength(0);
+  });
+  it("should set a default payment method", async ({ expect }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const service = alepha.inject(PaymentMethodService);
+    await alepha.start();
+    const method1 = await service.addPaymentMethod(userId, orgId, "tok_visa");
+    const method2 = await service.addPaymentMethod(
+      userId,
+      orgId,
+      "tok_mastercard",
+    );
+    await service.setDefault(method1.id, userId);
+    const methods = await service.listPaymentMethods(userId);
+    const defaultMethod = methods.find((m) => m.isDefault);
+    expect(defaultMethod?.id).toBe(method1.id);
+  });
+  it("should reject removing another user's payment method", async ({
+    expect,
+  }) => {
+    const alepha = Alepha.create().with(AlephaOrmPostgres).with(AlephaBilling);
+    const service = alepha.inject(PaymentMethodService);
+    await alepha.start();
+    const method = await service.addPaymentMethod(userId, orgId, "tok_visa");
+    await expect(
+      service.removePaymentMethod(method.id, userId2),
+    ).rejects.toThrowError();
+  });
+});

package/src/billing/controllers/AdminBillingController.ts ADDED Viewed

@@ -0,0 +1,149 @@
+import { $inject, t } from "alepha";
+import { $secure } from "alepha/security";
+import { $action, okSchema } from "alepha/server";
+import {
+  captureIntentSchema,
+  intentQuerySchema,
+  intentResourceSchema,
+  recordCashSchema,
+  refundIntentSchema,
+} from "../schemas/intentSchemas.ts";
+import { refundResourceSchema } from "../schemas/refundSchemas.ts";
+import { BillingService } from "../services/BillingService.ts";
+export class AdminBillingController {
+  protected readonly url = "/admin/billing";
+  protected readonly group = "admin:billing";
+  protected readonly billing = $inject(BillingService);
+  /**
+   * List payment intents with pagination and filtering.
+   */
+  public readonly listIntents = $action({
+    path: `${this.url}/intents`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:read"] })],
+    description: "List payment intents",
+    schema: {
+      query: intentQuerySchema,
+      response: t.page(intentResourceSchema),
+    },
+    handler: ({ query }) => this.billing.findIntents(query),
+  });
+  /**
+   * Get a payment intent by ID.
+   */
+  public readonly getIntent = $action({
+    path: `${this.url}/intents/:id`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:read"] })],
+    description: "Get payment intent details",
+    schema: {
+      params: t.object({ id: t.uuid() }),
+      response: intentResourceSchema,
+    },
+    handler: ({ params }) => this.billing.getIntent(params.id),
+  });
+  /**
+   * Capture an authorized intent.
+   */
+  public readonly captureIntent = $action({
+    method: "POST",
+    path: `${this.url}/intents/:id/capture`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:write"] })],
+    description: "Capture an authorized payment intent",
+    schema: {
+      params: t.object({ id: t.uuid() }),
+      body: captureIntentSchema,
+      response: intentResourceSchema,
+    },
+    handler: ({ params, body }) => this.billing.capture(params.id, body.amount),
+  });
+  /**
+   * Void an authorized intent.
+   */
+  public readonly voidIntent = $action({
+    method: "POST",
+    path: `${this.url}/intents/:id/void`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:write"] })],
+    description: "Void an authorized payment intent",
+    schema: {
+      params: t.object({ id: t.uuid() }),
+      response: intentResourceSchema,
+    },
+    handler: ({ params }) => this.billing.void(params.id),
+  });
+  /**
+   * Refund a captured intent.
+   */
+  public readonly refundIntent = $action({
+    method: "POST",
+    path: `${this.url}/intents/:id/refund`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:write"] })],
+    description: "Issue partial or full refund",
+    schema: {
+      params: t.object({ id: t.uuid() }),
+      body: refundIntentSchema,
+      response: refundResourceSchema,
+    },
+    handler: ({ params, body }) =>
+      this.billing.refund(params.id, body.amount, body.reason),
+  });
+  /**
+   * Cancel a created intent.
+   */
+  public readonly cancelIntent = $action({
+    method: "POST",
+    path: `${this.url}/intents/:id/cancel`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:write"] })],
+    description: "Cancel a created payment intent",
+    schema: {
+      params: t.object({ id: t.uuid() }),
+      response: intentResourceSchema,
+    },
+    handler: ({ params }) => this.billing.cancel(params.id),
+  });
+  /**
+   * Record a cash payment.
+   */
+  public readonly recordCash = $action({
+    method: "POST",
+    path: `${this.url}/cash`,
+    group: this.group,
+    use: [$secure({ permissions: ["billing:write"] })],
+    description: "Record a cash payment",
+    schema: {
+      body: recordCashSchema,
+      response: intentResourceSchema,
+    },
+    handler: ({ body }) =>
+      this.billing.recordCashPayment(body.amount, body.currency, body.metadata),
+  });
+  /**
+   * PSP webhook endpoint (not under /admin, no auth — verified by provider).
+   */
+  public readonly webhook = $action({
+    method: "POST",
+    path: "/billing/webhook",
+    group: this.group,
+    description: "PSP webhook endpoint",
+    schema: {
+      response: okSchema,
+    },
+    handler: async (request) => {
+      await this.billing.handleWebhook(request.raw.web!.req);
+      return { ok: true };
+    },
+  });
+}