alepha 0.19.2 → 0.19.4

package/src/api/subscriptions/services/UsageService.ts

@@ -0,0 +1,118 @@
+import { $inject } from "alepha";
+import { CacheProvider } from "alepha/cache";
+import { DateTimeProvider } from "alepha/datetime";
+import { SubscriptionService } from "./SubscriptionService.ts";
+
+// -----------------------------------------------------------------------------------------------------------------
+
+/**
+ * The result of a usage check or increment operation.
+ */
+export interface UsageResult {
+  /**
+   * Whether the operation is allowed given the current usage and limit.
+   */
+  allowed: boolean;
+
+  /**
+   * Current usage count for the period.
+   */
+  current: number;
+
+  /**
+   * The plan limit for the resource. -1 means unlimited.
+   */
+  limit: number;
+
+  /**
+   * Remaining capacity. -1 means unlimited.
+   */
+  remaining: number;
+}
+
+// -----------------------------------------------------------------------------------------------------------------
+
+/**
+ * Tracks and enforces per-organization resource usage limits.
+ *
+ * Usage counters are keyed by `organizationId:resource:YYYY-MM` and stored in the cache.
+ * Limits are resolved from the organization's current subscription plan.
+ */
+export class UsageService {
+  protected readonly cache = $inject(CacheProvider);
+  protected readonly dateTime = $inject(DateTimeProvider);
+  protected readonly subscriptionService = $inject(SubscriptionService);
+
+  /**
+   * Increment a resource counter for the current period and return the usage result.
+   *
+   * @param organizationId The organization to track usage for.
+   * @param resource The resource identifier (e.g., "api_calls", "seats").
+   * @param amount Amount to increment by (default: 1).
+   */
+  public async increment(
+    organizationId: string,
+    resource: string,
+    amount = 1,
+  ): Promise<UsageResult> {
+    const limit = await this.subscriptionService.limit(
+      organizationId,
+      resource,
+    );
+    const key = this.buildKey(organizationId, resource);
+    const current = await this.cache.incr("subscriptions:usage", key, amount);
+    const allowed = limit === -1 || current <= limit;
+    return {
+      allowed,
+      current,
+      limit,
+      remaining: limit === -1 ? -1 : Math.max(0, limit - current),
+    };
+  }
+
+  /**
+   * Get the current usage for a resource without incrementing.
+   *
+   * @param organizationId The organization to query usage for.
+   * @param resource The resource identifier.
+   */
+  public async getUsage(
+    organizationId: string,
+    resource: string,
+  ): Promise<UsageResult> {
+    const limit = await this.subscriptionService.limit(
+      organizationId,
+      resource,
+    );
+    const key = this.buildKey(organizationId, resource);
+    const current = await this.cache.incr("subscriptions:usage", key, 0);
+    return {
+      allowed: limit === -1 || current <= limit,
+      current,
+      limit,
+      remaining: limit === -1 ? -1 : Math.max(0, limit - current),
+    };
+  }
+
+  /**
+   * Reset all usage counters for an organization.
+   *
+   * Used at the start of a new billing period.
+   *
+   * @param organizationId The organization whose counters to reset.
+   */
+  public async resetForPeriod(organizationId: string): Promise<void> {
+    const pattern = this.buildKey(organizationId, "*");
+    await this.cache.invalidateKeys("subscriptions:usage", [pattern]);
+  }
+
+  /**
+   * Build the cache key for a usage counter.
+   *
+   * Format: `organizationId:resource:YYYY-MM`
+   */
+  protected buildKey(organizationId: string, resource: string): string {
+    const period = this.dateTime.now().format("YYYY-MM");
+    return `${organizationId}:${resource}:${period}`;
+  }
+}

package/src/api/users/__tests__/AdminUserController.spec.ts

@@ -4,7 +4,12 @@ import { AlephaOrmPostgres } from "alepha/orm/postgres";
 import { AlephaSecurity, type UserAccountToken } from "alepha/security";
 import { BadRequestError } from "alepha/server";
 import { describe, it } from "vitest";
-import { AdminUserController, AlephaApiUsers, UserService } from "../index.ts";
+import {
+  AdminUserController,
+  AlephaApiUsers,
+  SessionService,
+  UserService,
+} from "../index.ts";
 
 const adminUser: UserAccountToken = {
   id: "00000000-0000-0000-0000-000000000001",
@@ -445,3 +450,77 @@ describe("alepha/api/users - AdminUserController CRUD", () => {
     expect(userIds.indexOf(user2.id)).toBeLessThan(userIds.indexOf(user1.id));
   });
 });
+
+describe("alepha/api/users - AdminUserController delete cleanup", () => {
+  it("should clean up sessions and identities when deleting a user", async ({
+    expect,
+  }) => {
+    const { alepha, controller } = await setup();
+    const sessionService = alepha.inject(SessionService);
+
+    // Arrange: create a user
+    const user = await controller.createUser(
+      {
+        body: {
+          username: "cleanupuser",
+          email: "cleanupuser@example.com",
+        },
+      },
+      asAdmin,
+    );
+
+    // Arrange: create identities for the user (credentials + google)
+    await sessionService.identities().create({
+      userId: user.id,
+      provider: "credentials",
+      providerUserId: user.id,
+    });
+    await sessionService.identities().create({
+      userId: user.id,
+      provider: "google",
+      providerUserId: "google-123",
+    });
+
+    // Arrange: create sessions for the user
+    await sessionService.sessions().create({
+      userId: user.id,
+      refreshToken: "00000000-0000-0000-0000-000000000010",
+      expiresAt: new Date(Date.now() + 3_600_000).toISOString(),
+    });
+    await sessionService.sessions().create({
+      userId: user.id,
+      refreshToken: "00000000-0000-0000-0000-000000000011",
+      expiresAt: new Date(Date.now() + 3_600_000).toISOString(),
+    });
+
+    // Sanity check: sessions and identities exist before deletion
+    const sessionsBefore = await sessionService
+      .sessions()
+      .findMany({ where: { userId: { eq: user.id } } });
+    expect(sessionsBefore.length).toBe(2);
+
+    const identitiesBefore = await sessionService
+      .identities()
+      .findMany({ where: { userId: { eq: user.id } } });
+    expect(identitiesBefore.length).toBe(2);
+
+    // Act: delete the user
+    const result = await controller.deleteUser(
+      { params: { id: user.id } },
+      asAdmin,
+    );
+    expect(result.ok).toBe(true);
+
+    // Assert: sessions for that user should be gone
+    const sessionsAfter = await sessionService
+      .sessions()
+      .findMany({ where: { userId: { eq: user.id } } });
+    expect(sessionsAfter.length).toBe(0);
+
+    // Assert: identities for that user should be gone
+    const identitiesAfter = await sessionService
+      .identities()
+      .findMany({ where: { userId: { eq: user.id } } });
+    expect(identitiesAfter.length).toBe(0);
+  });
+});

package/src/api/users/__tests__/CredentialService.spec.ts

@@ -35,6 +35,9 @@ const setup = async () => {
     features: {
       notifications: true,
     },
+    settings: {
+      resetPasswordAllowed: true,
+    },
   });
 
   const emailProvider = alepha.inject(MemoryEmailProvider);
@@ -499,6 +502,180 @@ describe("alepha/api/users - CredentialService", () => {
     });
   });
 
+  describe("resetPasswordAllowed=false", () => {
+    it("should silently return intent when resetPasswordAllowed is false", async ({
+      expect,
+    }) => {
+      const { alepha, credentialService, userService, cryptoProvider } =
+        await setup();
+
+      // Register a separate realm with resetPasswordAllowed disabled
+      const realmProvider = alepha.inject(RealmProvider);
+      realmProvider.register("no-reset", {
+        features: { notifications: true },
+        settings: { resetPasswordAllowed: false },
+      });
+
+      // Create a user in the no-reset realm
+      const user = await credentialService.users("no-reset").create({
+        email: "noreset@example.com",
+        username: "noresetuser",
+        roles: ["user"],
+      });
+
+      const hashedPassword = await cryptoProvider.hashPassword("Password123!");
+      await credentialService.identities("no-reset").create({
+        userId: user.id,
+        provider: "credentials",
+        password: hashedPassword,
+      });
+
+      // Request password reset - should return an intentId (security: doesn't reveal it's disabled)
+      const result = await credentialService.createPasswordResetIntent(
+        "noreset@example.com",
+        "no-reset",
+      );
+
+      expect(result.intentId).toBeDefined();
+      expect(result.expiresAt).toBeDefined();
+
+      // No email should be sent
+      const emailProvider = alepha.inject(MemoryEmailProvider);
+      expect(emailProvider.records.length).toBe(0);
+
+      // Completing the reset with the returned intentId should fail with 410
+      // because the intent was never actually stored in the cache
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: result.intentId,
+          code: "123456",
+          newPassword: "NewPassword456!",
+        }),
+      ).rejects.toThrow(HttpError);
+    });
+  });
+
+  describe("Password policy enforcement during reset", () => {
+    it("should reject password that violates realm policy", async ({
+      expect,
+    }) => {
+      const { alepha, credentialService, userService, cryptoProvider } =
+        await setup();
+
+      // Register a realm with strict password policy
+      const realmProvider = alepha.inject(RealmProvider);
+      realmProvider.register("strict-policy", {
+        features: { notifications: true },
+        settings: {
+          resetPasswordAllowed: true,
+          passwordPolicy: {
+            minLength: 8,
+            requireUppercase: true,
+            requireLowercase: true,
+            requireNumbers: true,
+            requireSpecialCharacters: false,
+          },
+        },
+      });
+
+      // Create a user in the strict-policy realm
+      const user = await credentialService.users("strict-policy").create({
+        email: "strict@example.com",
+        username: "strictuser",
+        roles: ["user"],
+      });
+
+      const hashedPassword =
+        await cryptoProvider.hashPassword("OldPassword123!");
+      await credentialService.identities("strict-policy").create({
+        userId: user.id,
+        provider: "credentials",
+        password: hashedPassword,
+      });
+
+      // Create intent
+      const intent = await credentialService.createPasswordResetIntent(
+        "strict@example.com",
+        "strict-policy",
+      );
+
+      // Extract code from email
+      const emailProvider = alepha.inject(MemoryEmailProvider);
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Try to complete with a password that has no uppercase and no numbers
+      await expect(
+        credentialService.completePasswordReset({
+          intentId: intent.intentId,
+          code,
+          newPassword: "alllowercase",
+        }),
+      ).rejects.toThrowError(BadRequestError);
+
+      // The verification code should NOT be consumed - can retry with a valid password
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "ValidRetry123",
+      });
+    });
+
+    it("should accept password that meets realm policy", async ({ expect }) => {
+      const { alepha, credentialService, userService, cryptoProvider } =
+        await setup();
+
+      // Register a realm with strict password policy
+      const realmProvider = alepha.inject(RealmProvider);
+      realmProvider.register("strict-accept", {
+        features: { notifications: true },
+        settings: {
+          resetPasswordAllowed: true,
+          passwordPolicy: {
+            minLength: 8,
+            requireUppercase: true,
+            requireLowercase: true,
+            requireNumbers: true,
+            requireSpecialCharacters: false,
+          },
+        },
+      });
+
+      // Create a user in the strict-accept realm
+      const user = await credentialService.users("strict-accept").create({
+        email: "accept@example.com",
+        username: "acceptuser",
+        roles: ["user"],
+      });
+
+      const hashedPassword =
+        await cryptoProvider.hashPassword("OldPassword123!");
+      await credentialService.identities("strict-accept").create({
+        userId: user.id,
+        provider: "credentials",
+        password: hashedPassword,
+      });
+
+      // Create intent
+      const intent = await credentialService.createPasswordResetIntent(
+        "accept@example.com",
+        "strict-accept",
+      );
+
+      // Extract code from email
+      const emailProvider = alepha.inject(MemoryEmailProvider);
+      await expect.poll(() => emailProvider.records.length).toBe(1);
+      const code = extractCode(emailProvider.records[0].body);
+
+      // Complete with a password that meets the policy
+      await credentialService.completePasswordReset({
+        intentId: intent.intentId,
+        code,
+        newPassword: "ValidPass123",
+      });
+    });
+  });
+
   describe("Legacy methods (backward compatibility)", () => {
     it("requestPasswordReset should work as before", async ({ expect }) => {
       const { credentialService, userService, cryptoProvider, emailProvider } =

package/src/api/users/__tests__/EmailVerification.spec.ts

@@ -3,7 +3,7 @@ import { AlephaApiVerification } from "alepha/api/verifications";
 import { DateTimeProvider } from "alepha/datetime";
 import { AlephaEmail, MemoryEmailProvider } from "alepha/email";
 import { AlephaOrmPostgres } from "alepha/orm/postgres";
-import { AlephaSecurity } from "alepha/security";
+import { AlephaSecurity, currentUserAtom } from "alepha/security";
 import { BadRequestError } from "alepha/server";
 import { describe, it } from "vitest";
 import {
@@ -264,7 +264,7 @@ describe("alepha/api/users - Email Verification", () => {
   });
 
   it("should check email verification status", async ({ expect }) => {
-    const { userService, actions } = await setup();
+    const { alepha, userService, actions } = await setup();
 
     // Create a test user with unverified email
     await userService.users().create({
@@ -282,23 +282,34 @@ describe("alepha/api/users - Email Verification", () => {
       emailVerified: true,
     });
 
-    // Check unverified email
-    const unverifiedResult = await actions.checkEmailVerification({
-      query: { email: "unverified@example.com" },
-    });
-    expect(unverifiedResult.verified).toBe(false);
-
-    // Check verified email
-    const verifiedResult = await actions.checkEmailVerification({
-      query: { email: "verified@example.com" },
-    });
-    expect(verifiedResult.verified).toBe(true);
-
-    // Check non-existent email
-    const nonExistentResult = await actions.checkEmailVerification({
-      query: { email: "nonexistent@example.com" },
+    // checkEmailVerification requires $secure() authentication
+    await alepha.context.run(async () => {
+      alepha.store.set(currentUserAtom, {
+        id: "admin-1",
+        name: "Admin",
+        email: "admin@example.com",
+        realm: "default",
+        roles: ["admin"],
+      });
+
+      // Check unverified email
+      const unverifiedResult = await actions.checkEmailVerification({
+        query: { email: "unverified@example.com" },
+      });
+      expect(unverifiedResult.verified).toBe(false);
+
+      // Check verified email
+      const verifiedResult = await actions.checkEmailVerification({
+        query: { email: "verified@example.com" },
+      });
+      expect(verifiedResult.verified).toBe(true);
+
+      // Check non-existent email
+      const nonExistentResult = await actions.checkEmailVerification({
+        query: { email: "nonexistent@example.com" },
+      });
+      expect(nonExistentResult.verified).toBe(false);
     });
-    expect(nonExistentResult.verified).toBe(false);
   });
 
   it("should respect rate limiting on verification requests", async ({

package/src/api/users/__tests__/PasswordReset.spec.ts

@@ -35,6 +35,9 @@ const setup = async () => {
     features: {
       notifications: true,
     },
+    settings: {
+      resetPasswordAllowed: true,
+    },
   });
 
   const emailProvider = alepha.inject(MemoryEmailProvider);

package/src/api/users/__tests__/RegistrationService.spec.ts

@@ -245,8 +245,9 @@ describe("alepha/api/users - RegistrationService", () => {
         } as never,
       });
 
-      // Create existing user with phone
+      // Create existing user with phone in the same realm
       await userService.users("phone-realm").create({
+        realm: "phone-realm",
         username: "existinguser",
         email: "existing@example.com",
         phoneNumber: "+1234567890",
@@ -488,6 +489,7 @@ describe("alepha/api/users - RegistrationService", () => {
 
       // Simulate another user registering with same email while verification pending
       await userService.users("race-realm").create({
+        realm: "race-realm",
         email: "race@example.com",
         username: "racewinner",
         roles: ["user"],
@@ -644,4 +646,149 @@ describe("alepha/api/users - RegistrationService", () => {
       expect(session?.id).toBe(user.id);
     });
   });
+
+  describe("Password policy enforcement during registration", () => {
+    it("should reject registration when password violates realm policy", async ({
+      expect,
+    }) => {
+      const { registrationService, realmProvider } = await setup();
+
+      realmProvider.register("strict-policy-realm", {
+        settings: {
+          passwordPolicy: {
+            minLength: 10,
+            requireUppercase: true,
+            requireLowercase: false,
+            requireNumbers: false,
+            requireSpecialCharacters: false,
+          },
+        } as never,
+      });
+
+      await expect(
+        registrationService.createRegistrationIntent(
+          {
+            email: "weakpass@example.com",
+            password: "shortpw!",
+          },
+          "strict-policy-realm",
+        ),
+      ).rejects.toThrowError(BadRequestError);
+    });
+
+    it("should accept registration when password meets realm policy", async ({
+      expect,
+    }) => {
+      const { registrationService, realmProvider } = await setup();
+
+      realmProvider.register("strict-policy-realm", {
+        settings: {
+          passwordPolicy: {
+            minLength: 10,
+            requireUppercase: true,
+            requireLowercase: false,
+            requireNumbers: false,
+            requireSpecialCharacters: false,
+          },
+        } as never,
+      });
+
+      const result = await registrationService.createRegistrationIntent(
+        {
+          email: "strongpass@example.com",
+          password: "StrongPass123",
+        },
+        "strict-policy-realm",
+      );
+
+      expect(result.intentId).toBeDefined();
+    });
+  });
+
+  describe("Registration rate limiting", () => {
+    it("should rate limit registration attempts by IP", async ({ expect }) => {
+      const { alepha, registrationService } = await setup();
+
+      await alepha.fork(async () => {
+        alepha.store.set("alepha.http.request", { ip: "10.0.0.1" } as never);
+
+        // Make 10 registration attempts (they may fail for duplicate email, that's fine)
+        for (let i = 0; i < 10; i++) {
+          await registrationService
+            .createRegistrationIntent({
+              email: `ratelimit-${i}@example.com`,
+              password: "SecurePassword123!",
+            })
+            .catch(() => {});
+        }
+
+        // 11th attempt should be rate limited
+        await expect(
+          registrationService.createRegistrationIntent({
+            email: "ratelimit-overflow@example.com",
+            password: "SecurePassword123!",
+          }),
+        ).rejects.toThrowError(BadRequestError);
+      });
+    });
+  });
+
+  describe("Default roles from realm settings", () => {
+    it("should assign defaultRoles from realm settings to new users", async ({
+      expect,
+    }) => {
+      const { registrationService, realmProvider } = await setup();
+
+      realmProvider.register("custom-roles-realm", {
+        settings: {
+          defaultRoles: ["member", "viewer"],
+        } as never,
+      });
+
+      const intent = await registrationService.createRegistrationIntent(
+        {
+          email: "roleuser@example.com",
+          password: "SecurePassword123!",
+        },
+        "custom-roles-realm",
+      );
+
+      const user = await registrationService.completeRegistration({
+        intentId: intent.intentId,
+      });
+
+      expect(user.roles).toEqual(["member", "viewer"]);
+    });
+  });
+
+  describe("Cross-realm email uniqueness", () => {
+    it("should allow same email in different realms", async ({ expect }) => {
+      const { registrationService, userService, realmProvider } = await setup();
+
+      realmProvider.register("realm-a");
+      realmProvider.register("realm-b");
+
+      // Create a user with this email in realm-a directly
+      await userService.users("realm-a").create({
+        realm: "realm-a",
+        email: "shared@example.com",
+        roles: ["user"],
+      });
+
+      // Register a new user with the same email in realm-b via registration flow
+      const intent = await registrationService.createRegistrationIntent(
+        {
+          email: "shared@example.com",
+          password: "SecurePassword123!",
+        },
+        "realm-b",
+      );
+
+      const user = await registrationService.completeRegistration({
+        intentId: intent.intentId,
+      });
+
+      expect(user.email).toBe("shared@example.com");
+    });
+  });
 });