alepha 0.19.3 → 0.19.4

package/dist/api/users/index.js

@@ -168,6 +168,8 @@ const realmAuthSettingsAtom = $atom({
 		resetPasswordAllowed: t.boolean({ description: "Enable forgot password functionality" }),
 		adminEmails: t.array(t.email(), { description: "List of email addresses that are automatically promoted to admin role on login" }),
 		adminUsernames: t.array(t.text(), { description: "List of usernames that are automatically promoted to admin role on login" }),
+		defaultRoles: t.array(t.string(), { description: "Default roles assigned to newly registered users" }),
+		verifyEmailUrl: t.optional(t.string({ description: "Base URL for email verification links (used when verification method is 'link'). Token and email are appended as query params." })),
 		passwordPolicy: t.object({
 			minLength: t.integer({
 				description: "Minimum password length",
@@ -209,6 +211,7 @@ const realmAuthSettingsAtom = $atom({
 		firstNameLastName: "none",
 		adminEmails: [],
 		adminUsernames: [],
+		defaultRoles: ["user"],
 		passwordPolicy: {
 			minLength: 8,
 			requireUppercase: true,
@@ -723,6 +726,27 @@ var UserNotifications = class {
 			expiresInMinutes: t.number()
 		})
 	});
+	accountLockout = $notification({
+		category: "security",
+		description: "Email sent to users when their account is temporarily locked due to too many failed login attempts.",
+		critical: true,
+		sensitive: true,
+		email: {
+			subject: "Account temporarily locked",
+			body: (it) => `
+				<h1>Account Temporarily Locked</h1>
+				<p>Hi ${it.email},</p>
+				<p>Your account has been temporarily locked due to too many failed login attempts.</p>
+				<p>If this was you, please wait ${it.lockoutMinutes} minutes before trying again. If you've forgotten your password, you can reset it using the password reset feature.</p>
+				<p>If this wasn't you, someone may be trying to access your account. We recommend changing your password as soon as possible.</p>
+				<p>Best regards,<br>The Team</p>
+			`
+		},
+		schema: t.object({
+			email: t.string({ format: "email" }),
+			lockoutMinutes: t.number()
+		})
+	});
 	emailVerificationLink = $notification({
 		category: "security",
 		description: "Email sent to users with a link to verify their email address.",
@@ -776,7 +800,7 @@ var UserService = class {
 	* @param method - The verification method: "code" (default) or "link".
 	* @param verifyUrl - Base URL for verification link (required when method is "link").
 	*/
-	async requestEmailVerification(email, userRealmName, method = "code", verifyUrl) {
+	async requestEmailVerification(email, userRealmName, method = "code") {
 		this.log.trace("Requesting email verification", {
 			email,
 			userRealmName,
@@ -800,10 +824,12 @@ var UserService = class {
 				body: { target: email }
 			});
 			if (method === "link") {
-				const url = new URL(verifyUrl || "/verify-email", "http://localhost");
+				const realmSettings = await this.realmProvider.getRealm(userRealmName).getSettings();
+				const baseUrl = realmSettings.verifyEmailUrl ?? "/verify-email";
+				const url = new URL(baseUrl, "http://localhost");
 				url.searchParams.set("email", email);
 				url.searchParams.set("token", verification.token);
-				const fullVerifyUrl = verifyUrl ? `${verifyUrl}${url.search}` : url.pathname + url.search;
+				const fullVerifyUrl = realmSettings.verifyEmailUrl ? `${baseUrl}${url.search}` : url.pathname + url.search;
 				await this.userNotifications(userRealmName)?.emailVerificationLink.push({
 					contact: email,
 					variables: {
@@ -936,27 +962,37 @@ var UserService = class {
 			userRealmName
 		});
 		const realm = this.realmProvider.getRealm(userRealmName);
+		const realmSettings = await realm.getSettings();
 		if (data.username) {
-			if (await this.users(userRealmName).findOne({ where: { username: { ilike: data.username } } })) {
+			if (await this.users(userRealmName).findOne({ where: {
+				realm: realm.name,
+				username: { ilike: data.username }
+			} })) {
 				this.log.debug("Username already taken", { username: data.username });
 				throw new BadRequestError("User with this username already exists");
 			}
 		}
 		if (data.email) {
-			if (await this.users(userRealmName).findOne({ where: { email: { eq: data.email } } })) {
+			if (await this.users(userRealmName).findOne({ where: {
+				realm: realm.name,
+				email: { eq: data.email }
+			} })) {
 				this.log.debug("Email already taken", { email: data.email });
 				throw new BadRequestError("User with this email already exists");
 			}
 		}
 		if (data.phoneNumber) {
-			if (await this.users(userRealmName).findOne({ where: { phoneNumber: { eq: data.phoneNumber } } })) {
+			if (await this.users(userRealmName).findOne({ where: {
+				realm: realm.name,
+				phoneNumber: { eq: data.phoneNumber }
+			} })) {
 				this.log.debug("Phone number already taken", { phoneNumber: data.phoneNumber });
 				throw new BadRequestError("User with this phone number already exists");
 			}
 		}
 		const user = await this.users(userRealmName).create({
 			...data,
-			roles: data.roles ?? ["user"],
+			roles: data.roles ?? realmSettings.defaultRoles,
 			realm: realm.name
 		});
 		this.log.info("User created", {
@@ -1011,6 +1047,8 @@ var UserService = class {
 			userRealmName
 		});
 		const user = await this.getUserById(id, userRealmName);
+		await this.realmProvider.sessionRepository(userRealmName).deleteMany({ userId: { eq: id } });
+		await this.realmProvider.identityRepository(userRealmName).deleteMany({ userId: { eq: id } });
 		await this.users(userRealmName).deleteById(id);
 		this.log.info("User deleted", { userId: id });
 		const realm = this.realmProvider.getRealm(userRealmName);
@@ -1282,6 +1320,16 @@ var CredentialService = class {
 		return this.realmProvider.identityRepository(userRealmName);
 	}
 	/**
+	* Validate a password against the realm's password policy.
+	*/
+	validatePasswordPolicy(password, policy) {
+		if (password.length < policy.minLength) throw new BadRequestError(`Password must be at least ${policy.minLength} characters`);
+		if (policy.requireUppercase && !/[A-Z]/.test(password)) throw new BadRequestError("Password must contain at least one uppercase letter");
+		if (policy.requireLowercase && !/[a-z]/.test(password)) throw new BadRequestError("Password must contain at least one lowercase letter");
+		if (policy.requireNumbers && !/\d/.test(password)) throw new BadRequestError("Password must contain at least one number");
+		if (policy.requireSpecialCharacters && !/[^a-zA-Z0-9]/.test(password)) throw new BadRequestError("Password must contain at least one special character");
+	}
+	/**
 	* Phase 1: Create a password reset intent.
 	*
 	* Validates the email, checks for existing user with credentials,
@@ -1298,6 +1346,13 @@ var CredentialService = class {
 		});
 		const intentId = randomUUID();
 		const expiresAt = this.dateTimeProvider.now().add(INTENT_TTL_MINUTES$1, "minutes").toISOString();
+		if ((await this.realmProvider.getRealm(userRealmName).getSettings()).resetPasswordAllowed === false) {
+			this.log.debug("Password reset not allowed for realm", { userRealmName });
+			return {
+				intentId,
+				expiresAt
+			};
+		}
 		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } });
 		if (!user) {
 			this.log.debug("Password reset requested for non-existent email", { email });
@@ -1369,6 +1424,9 @@ var CredentialService = class {
 				message: "Invalid or expired password reset intent"
 			});
 		}
+		const realm = this.realmProvider.getRealm(intent.realmName);
+		const realmSettings = await realm.getSettings();
+		this.validatePasswordPolicy(body.newPassword, realmSettings.passwordPolicy);
 		if ((await this.verificationController.validateVerificationCode({
 			params: { type: "code" },
 			body: {
@@ -1396,7 +1454,6 @@ var CredentialService = class {
 			userId: intent.userId,
 			email: intent.email
 		});
-		const realm = this.realmProvider.getRealm(intent.realmName);
 		await this.userAudits(intent.realmName)?.recordUser("update", {
 			userId: intent.userId,
 			userEmail: intent.email,
@@ -1447,6 +1504,9 @@ var CredentialService = class {
 		}).catch(() => {
 			throw new BadRequestError("Invalid or expired reset token");
 		})).alreadyVerified) throw new BadRequestError("Invalid or expired reset token");
+		const realm = this.realmProvider.getRealm(userRealmName);
+		const realmSettings = await realm.getSettings();
+		this.validatePasswordPolicy(newPassword, realmSettings.passwordPolicy);
 		const user = await this.users(userRealmName).getOne({ where: { email: { eq: email } } });
 		const identity = await this.identities(userRealmName).getOne({ where: {
 			userId: { eq: user.id },
@@ -1455,7 +1515,6 @@ var CredentialService = class {
 		const hashedPassword = await this.cryptoProvider.hashPassword(newPassword);
 		await this.identities(userRealmName).updateById(identity.id, { password: hashedPassword });
 		await this.sessions(userRealmName).deleteMany({ userId: { eq: user.id } });
-		const realm = this.realmProvider.getRealm(userRealmName);
 		await this.userAudits(userRealmName)?.recordUser("update", {
 			userId: user.id,
 			userEmail: email,
@@ -1484,10 +1543,15 @@ var RegistrationService = class {
 	cryptoProvider = $inject(CryptoProvider);
 	verificationController = $client();
 	realmProvider = $inject(RealmProvider);
+	credentialService = $inject(CredentialService);
 	intentCache = $cache({
 		name: "api:users:registrations",
 		ttl: [INTENT_TTL_MINUTES, "minutes"]
 	});
+	rateLimitCache = $cache({
+		name: "api:users:registration-rate-limit",
+		ttl: [15, "minutes"]
+	});
 	userAudits(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(UserAudits);
 	}
@@ -1507,6 +1571,16 @@ var RegistrationService = class {
 			username: body.username,
 			userRealmName
 		});
+		const request = this.alepha.store.get("alepha.http.request");
+		const ipKey = request?.ip ? `register:ip:${request.ip}` : void 0;
+		if (ipKey) {
+			const count = await this.rateLimitCache.get(ipKey) ?? 0;
+			if (count >= 10) {
+				this.log.warn("Registration rate limit exceeded", { ip: request?.ip });
+				throw new BadRequestError("Too many registration attempts, please try again later");
+			}
+			await this.rateLimitCache.set(ipKey, count + 1);
+		}
 		const realmSettings = await this.realmProvider.getRealm(userRealmName).getSettings();
 		if (realmSettings?.registrationAllowed === false) {
 			this.log.warn("Registration not allowed for realm", { userRealmName });
@@ -1537,6 +1611,7 @@ var RegistrationService = class {
 			throw new BadRequestError("Phone number is required");
 		}
 		await this.checkUserAvailability(body, userRealmName);
+		this.credentialService.validatePasswordPolicy(body.password, realmSettings.passwordPolicy);
 		const passwordHash = await this.cryptoProvider.hashPassword(body.password);
 		const requirements = {
 			email: realmSettings?.verifyEmailRequired === true && !!body.email,
@@ -1620,19 +1695,21 @@ var RegistrationService = class {
 			email: intent.data.email,
 			phoneNumber: intent.data.phoneNumber
 		}, userRealmName);
-		await this.intentCache.invalidate(body.intentId);
+		const realm = this.realmProvider.getRealm(userRealmName);
+		const realmSettings = await realm.getSettings();
 		const user = await userRepository.create({
-			realm: userRealmName,
+			realm: realm.name,
 			username: intent.data.username,
 			email: intent.data.email,
 			phoneNumber: intent.data.phoneNumber,
 			firstName: intent.data.firstName,
 			lastName: intent.data.lastName,
 			picture: intent.data.picture,
-			roles: ["user"],
+			roles: realmSettings.defaultRoles,
 			enabled: true,
 			emailVerified: intent.requirements.email
 		});
+		await this.intentCache.invalidate(body.intentId);
 		await identityRepository.create({
 			userId: user.id,
 			provider: "credentials",
@@ -1643,7 +1720,6 @@ var RegistrationService = class {
 			email: user.email,
 			username: user.username
 		});
-		const realm = this.realmProvider.getRealm(userRealmName);
 		await this.userAudits(userRealmName)?.recordUser("create", {
 			userId: user.id,
 			userEmail: user.email ?? void 0,
@@ -1663,21 +1739,31 @@ var RegistrationService = class {
 	* Check if username, email, and phone are available.
 	*/
 	async checkUserAvailability(body, userRealmName) {
+		const realm = this.realmProvider.getRealm(userRealmName);
 		const userRepository = this.realmProvider.userRepository(userRealmName);
 		if (body.username) {
-			if (await userRepository.findOne({ where: { username: { ilike: body.username } } })) {
+			if (await userRepository.findOne({ where: {
+				realm: realm.name,
+				username: { ilike: body.username }
+			} })) {
 				this.log.debug("Username already taken", { username: body.username });
 				throw new ConflictError("User with this username already exists");
 			}
 		}
 		if (body.email) {
-			if (await userRepository.findOne({ where: { email: { eq: body.email } } })) {
+			if (await userRepository.findOne({ where: {
+				realm: realm.name,
+				email: { eq: body.email }
+			} })) {
 				this.log.debug("Email already taken", { email: body.email });
 				throw new ConflictError("User with this email already exists");
 			}
 		}
 		if (body.phoneNumber) {
-			if (await userRepository.findOne({ where: { phoneNumber: { eq: body.phoneNumber } } })) {
+			if (await userRepository.findOne({ where: {
+				realm: realm.name,
+				phoneNumber: { eq: body.phoneNumber }
+			} })) {
 				this.log.debug("Phone number already taken", { phoneNumber: body.phoneNumber });
 				throw new ConflictError("User with this phone number already exists");
 			}
@@ -1924,9 +2010,8 @@ var UserController = class {
 				userRealmName: t.optional(t.string()),
 				method: t.optional(t.enum(["code", "link"], {
 					default: "code",
-					description: "Verification method: \"code\" sends a 6-digit code, \"link\" sends a clickable verification link."
-				})),
-				verifyUrl: t.optional(t.string({ description: "Base URL for verification link. Required when method is \"link\". Token and email will be appended as query params." }))
+					description: "Verification method: \"code\" sends a 6-digit code, \"link\" sends a clickable verification link. When using \"link\", configure verifyEmailUrl in realm settings."
+				}))
 			}),
 			body: t.object({ email: t.email() }),
 			response: t.object({
@@ -1936,7 +2021,7 @@ var UserController = class {
 		},
 		handler: async ({ body, query }) => {
 			const method = query.method ?? "code";
-			await this.userService.requestEmailVerification(body.email, query.userRealmName, method, query.verifyUrl);
+			await this.userService.requestEmailVerification(body.email, query.userRealmName, method);
 			return {
 				success: true,
 				message: method === "link" ? "If an account exists with this email, a verification link has been sent." : "If an account exists with this email, a verification code has been sent."
@@ -1975,6 +2060,7 @@ var UserController = class {
 	checkEmailVerification = $action({
 		path: "/users/email-verification/check",
 		group: this.group,
+		use: [$secure()],
 		schema: {
 			query: t.object({
 				email: t.email(),
@@ -2039,6 +2125,9 @@ var SessionService = class SessionService {
 	userAudits(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(UserAudits);
 	}
+	userNotifications(realmName) {
+		if (this.realmProvider.getRealm(realmName).features.notifications) return this.alepha.inject(UserNotifications);
+	}
 	users(userRealmName) {
 		return this.realmProvider.userRepository(userRealmName);
 	}
@@ -2103,10 +2192,7 @@ var SessionService = class SessionService {
 		if (candidate.length < 3) candidate = `user${candidate}`;
 		candidate = candidate.slice(0, maxLength - 2);
 		const isAvailable = async (name) => {
-			return !(await users.findMany({
-				where: { username: { contains: name } },
-				limit: 1
-			})).some((u) => u.username?.toLowerCase() === name.toLowerCase());
+			return !await users.findOne({ where: { username: { ilike: name } } });
 		};
 		if (await isAvailable(candidate)) return candidate;
 		for (let i = 2; i <= maxSuffixAttempts + 1; i++) {
@@ -2240,6 +2326,22 @@ var SessionService = class SessionService {
 				}
 				throw new InvalidCredentialsError();
 			}
+			if (!user.enabled) {
+				this.log.warn("Login attempt for disabled account", {
+					userId: user.id,
+					realm: name
+				});
+				await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+					userRealm: name,
+					resourceId: user.id,
+					description: "Login attempt for disabled account",
+					metadata: {
+						provider,
+						username
+					}
+				});
+				throw new InvalidCredentialsError();
+			}
 			const accountKey = `login:account:${name}:${user.id}`;
 			if (await this.isLoginLocked(accountKey, loginRateLimit.accountMaxAttempts)) {
 				this.log.warn("Login blocked — account rate limit exceeded", {
@@ -2285,13 +2387,25 @@ var SessionService = class SessionService {
 						metadata: { ip: request?.ip }
 					});
 				}
-				if (await this.recordFailedLogin(accountKey, loginRateLimit.accountMaxAttempts, loginRateLimit.windowMs)) await this.userAudits(userRealmName)?.record("security", "rate_limited", {
-					userRealm: name,
-					resourceId: user.id,
-					success: false,
-					description: "Account temporarily locked due to too many failed login attempts",
-					metadata: { userId: user.id }
-				});
+				if (await this.recordFailedLogin(accountKey, loginRateLimit.accountMaxAttempts, loginRateLimit.windowMs)) {
+					await this.userAudits(userRealmName)?.record("security", "rate_limited", {
+						userRealm: name,
+						resourceId: user.id,
+						success: false,
+						description: "Account temporarily locked due to too many failed login attempts",
+						metadata: { userId: user.id }
+					});
+					if (user.email) {
+						const lockoutMinutes = Math.round(loginRateLimit.windowMs / 6e4);
+						await this.userNotifications(userRealmName)?.accountLockout.push({
+							contact: user.email,
+							variables: {
+								email: user.email,
+								lockoutMinutes
+							}
+						});
+					}
+				}
 				throw new InvalidCredentialsError();
 			}
 			await this.userAudits(userRealmName)?.recordAuth("login", {
@@ -2352,6 +2466,14 @@ var SessionService = class SessionService {
 			throw new UnauthorizedError("Session expired");
 		}
 		const user = await this.users(userRealmName).getOne({ where: { id: { eq: session.userId } } });
+		if (!user.enabled) {
+			this.log.warn("Session refresh for disabled account", {
+				userId: user.id,
+				sessionId: session.id
+			});
+			await this.sessions(userRealmName).deleteById(session.id);
+			throw new UnauthorizedError("Account disabled");
+		}
 		await this.ensureAdminRole(user, userRealmName);
 		this.log.debug("Session refreshed", {
 			sessionId: session.id,
@@ -2422,8 +2544,19 @@ var SessionService = class SessionService {
 				...profile
 			};
 		}
-		const existing = await users.findOne({ where: { email: profile.email } });
+		const existing = await users.findOne({ where: {
+			realm: realm.name,
+			email: profile.email
+		} });
 		if (existing) {
+			if (profile.email_verified === false) {
+				this.log.warn("OAuth2 profile email not verified by provider, refusing auto-link", {
+					provider,
+					email: profile.email,
+					userId: existing.id
+				});
+				throw new BadRequestError("Cannot link account: email not verified by provider");
+			}
 			this.log.debug("Linking OAuth2 profile to existing user by email", {
 				provider,
 				profileSub: profile.sub,
@@ -2466,7 +2599,7 @@ var SessionService = class SessionService {
 			username,
 			email: profile.email,
 			emailVerified: true,
-			roles: ["user"]
+			roles: realmSettings.defaultRoles
 		});
 		if (profile.picture) {
 			this.log.debug("Fetching user profile picture from OAuth2 provider", {
@@ -2645,7 +2778,7 @@ const loginSchema = t.object({
 		description: "Username or email address for login"
 	}),
 	password: t.text({
-		minLength: 6,
+		minLength: 8,
 		description: "User password"
 	})
 });