alepha 0.19.3 → 0.19.4

package/src/api/users/__tests__/SessionService.spec.ts

@@ -7,7 +7,7 @@ import {
   CryptoProvider,
   InvalidCredentialsError,
 } from "alepha/security";
-import { BadRequestError } from "alepha/server";
+import { BadRequestError, UnauthorizedError } from "alepha/server";
 import { describe, it } from "vitest";
 import {
   AlephaApiUsers,
@@ -320,6 +320,32 @@ describe("alepha/api/users - SessionService.login", () => {
     ).rejects.toThrowError(InvalidCredentialsError);
   });
 
+  it("should reject login for disabled user", async ({ expect }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    const password = "disabledUserPass123!";
+    const hashedPassword = await cryptoProvider.hashPassword(password);
+
+    const user = await userService.users().create({
+      username: "disableduser",
+      email: "disabled@example.com",
+      roles: ["user"],
+      enabled: false,
+    });
+
+    await identities.create({
+      provider: "local",
+      providerUserId: "disabled@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    await expect(
+      sessionService.login("local", "disabled@example.com", password),
+    ).rejects.toThrowError(InvalidCredentialsError);
+  });
+
   describe("login rate limiting", () => {
     it("should block account after max failed attempts", async ({ expect }) => {
       const { sessionService, userService, cryptoProvider, identities } =
@@ -775,4 +801,119 @@ describe("alepha/api/users - SessionService.link", () => {
 
     expect(result.id).toBe(user.id);
   });
+
+  it("should refuse auto-link when OAuth provider says email_verified is false", async ({
+    expect,
+  }) => {
+    const { sessionService, userService } = await setup();
+
+    await userService.users().create({
+      username: "verifieduser",
+      email: "verified@example.com",
+      roles: ["user"],
+    });
+
+    await expect(
+      sessionService.link("google", {
+        sub: "google-unverified",
+        email: "verified@example.com",
+        name: "Unverified User",
+        email_verified: false,
+      }),
+    ).rejects.toThrowError(BadRequestError);
+  });
+
+  it("should allow auto-link when email_verified is true or undefined", async ({
+    expect,
+  }) => {
+    const { sessionService, userService } = await setup();
+
+    const user = await userService.users().create({
+      username: "linkableuser",
+      email: "linkable@example.com",
+      roles: ["user"],
+    });
+
+    const result = await sessionService.link("google", {
+      sub: "google-verified",
+      email: "linkable@example.com",
+      name: "Verified User",
+      email_verified: true,
+    });
+
+    expect(result.id).toBe(user.id);
+  });
+
+  it("should use defaultRoles from realm settings for new OAuth users", async ({
+    expect,
+  }) => {
+    const { sessionService, alepha } = await setup();
+
+    const realmProvider = alepha.inject(RealmProvider);
+    realmProvider.register("custom-roles", {
+      settings: {
+        registrationAllowed: true,
+        defaultRoles: ["member", "viewer"],
+      } as never,
+    });
+
+    const result = await sessionService.link(
+      "google",
+      {
+        sub: "google-newuser-roles",
+        email: "newuser-roles@example.com",
+        name: "New Role User",
+      },
+      "custom-roles",
+    );
+
+    expect("roles" in result && result.roles).toEqual(["member", "viewer"]);
+  });
+});
+
+describe("alepha/api/users - SessionService.refreshSession", () => {
+  it("should reject refresh for disabled user and delete session", async ({
+    expect,
+  }) => {
+    const { sessionService, userService, cryptoProvider, identities } =
+      await setup();
+
+    const password = "refreshDisabledPass!";
+    const hashedPassword = await cryptoProvider.hashPassword(password);
+
+    const user = await userService.users().create({
+      username: "refreshdisableduser",
+      email: "refresh-disabled@example.com",
+      roles: ["user"],
+    });
+
+    await identities.create({
+      provider: "local",
+      providerUserId: "refresh-disabled@example.com",
+      userId: user.id,
+      password: hashedPassword,
+    });
+
+    // Login to get a session with refresh token
+    await sessionService.login(
+      "local",
+      "refresh-disabled@example.com",
+      password,
+    );
+
+    const { refreshToken } = await sessionService.createSession(user, 3600);
+
+    // Disable the user
+    await userService.users().updateById(user.id, { enabled: false });
+
+    // Refresh should fail with UnauthorizedError
+    await expect(
+      sessionService.refreshSession(refreshToken),
+    ).rejects.toThrowError(UnauthorizedError);
+
+    // Session should be deleted — a second refresh should also fail
+    await expect(
+      sessionService.refreshSession(refreshToken),
+    ).rejects.toThrowError();
+  });
 });

package/src/api/users/atoms/realmAuthSettingsAtom.ts

@@ -70,6 +70,15 @@ export const realmAuthSettingsAtom = $atom({
       description:
         "List of usernames that are automatically promoted to admin role on login",
     }),
+    defaultRoles: t.array(t.string(), {
+      description: "Default roles assigned to newly registered users",
+    }),
+    verifyEmailUrl: t.optional(
+      t.string({
+        description:
+          "Base URL for email verification links (used when verification method is 'link'). Token and email are appended as query params.",
+      }),
+    ),
     passwordPolicy: t.object({
       minLength: t.integer({
         description: "Minimum password length",
@@ -122,7 +131,7 @@ export const realmAuthSettingsAtom = $atom({
     firstNameLastName: "none" as FieldRequirement,
     adminEmails: [],
     adminUsernames: [],
-    // TODO: not implemented yet
+    defaultRoles: ["user"],
     passwordPolicy: {
       minLength: 8,
       requireUppercase: true,

package/src/api/users/controllers/UserController.ts

@@ -1,4 +1,5 @@
 import { $inject, t } from "alepha";
+import { $secure } from "alepha/security";
 import { $action, okSchema } from "alepha/server";
 import { completePasswordResetRequestSchema } from "../schemas/completePasswordResetRequestSchema.ts";
 import { completeRegistrationRequestSchema } from "../schemas/completeRegistrationRequestSchema.ts";
@@ -216,13 +217,7 @@ export class UserController {
           t.enum(["code", "link"], {
             default: "code",
             description:
-              'Verification method: "code" sends a 6-digit code, "link" sends a clickable verification link.',
-          }),
-        ),
-        verifyUrl: t.optional(
-          t.string({
-            description:
-              'Base URL for verification link. Required when method is "link". Token and email will be appended as query params.',
+              'Verification method: "code" sends a 6-digit code, "link" sends a clickable verification link. When using "link", configure verifyEmailUrl in realm settings.',
           }),
         ),
       }),
@@ -240,7 +235,6 @@ export class UserController {
         body.email,
         query.userRealmName,
         method,
-        query.verifyUrl,
       );
 
       return {
@@ -293,6 +287,7 @@ export class UserController {
   public checkEmailVerification = $action({
     path: "/users/email-verification/check",
     group: this.group,
+    use: [$secure()],
     schema: {
       query: t.object({
         email: t.email(),

package/src/api/users/notifications/UserNotifications.ts

@@ -109,6 +109,29 @@ export class UserNotifications {
     }),
   });
 
+  public readonly accountLockout = $notification({
+    category: "security",
+    description:
+      "Email sent to users when their account is temporarily locked due to too many failed login attempts.",
+    critical: true,
+    sensitive: true,
+    email: {
+      subject: "Account temporarily locked",
+      body: (it) => `
+				<h1>Account Temporarily Locked</h1>
+				<p>Hi ${it.email},</p>
+				<p>Your account has been temporarily locked due to too many failed login attempts.</p>
+				<p>If this was you, please wait ${it.lockoutMinutes} minutes before trying again. If you've forgotten your password, you can reset it using the password reset feature.</p>
+				<p>If this wasn't you, someone may be trying to access your account. We recommend changing your password as soon as possible.</p>
+				<p>Best regards,<br>The Team</p>
+			`,
+    },
+    schema: t.object({
+      email: t.string({ format: "email" }),
+      lockoutMinutes: t.number(),
+    }),
+  });
+
   public readonly emailVerificationLink = $notification({
     category: "security",
     description:

package/src/api/users/schemas/loginSchema.ts

@@ -8,7 +8,7 @@ export const loginSchema = t.object({
     description: "Username or email address for login",
   }),
   password: t.text({
-    minLength: 6,
+    minLength: 8,
     description: "User password",
   }),
 });

package/src/api/users/services/CredentialService.ts

@@ -7,6 +7,7 @@ import { $logger } from "alepha/logger";
 import { CryptoProvider } from "alepha/security";
 import { BadRequestError, HttpError } from "alepha/server";
 import { $client } from "alepha/server/links";
+import type { RealmAuthSettings } from "../atoms/realmAuthSettingsAtom.ts";
 import { UserAudits } from "../audits/UserAudits.ts";
 import { UserNotifications } from "../notifications/UserNotifications.ts";
 import { RealmProvider } from "../providers/RealmProvider.ts";
@@ -67,6 +68,38 @@ export class CredentialService {
     return this.realmProvider.identityRepository(userRealmName);
   }
 
+  /**
+   * Validate a password against the realm's password policy.
+   */
+  public validatePasswordPolicy(
+    password: string,
+    policy: RealmAuthSettings["passwordPolicy"],
+  ): void {
+    if (password.length < policy.minLength) {
+      throw new BadRequestError(
+        `Password must be at least ${policy.minLength} characters`,
+      );
+    }
+    if (policy.requireUppercase && !/[A-Z]/.test(password)) {
+      throw new BadRequestError(
+        "Password must contain at least one uppercase letter",
+      );
+    }
+    if (policy.requireLowercase && !/[a-z]/.test(password)) {
+      throw new BadRequestError(
+        "Password must contain at least one lowercase letter",
+      );
+    }
+    if (policy.requireNumbers && !/\d/.test(password)) {
+      throw new BadRequestError("Password must contain at least one number");
+    }
+    if (policy.requireSpecialCharacters && !/[^a-zA-Z0-9]/.test(password)) {
+      throw new BadRequestError(
+        "Password must contain at least one special character",
+      );
+    }
+  }
+
   /**
    * Phase 1: Create a password reset intent.
    *
@@ -90,6 +123,14 @@ export class CredentialService {
       .add(INTENT_TTL_MINUTES, "minutes")
       .toISOString();
 
+    // Check if password reset is allowed for this realm
+    const realm = this.realmProvider.getRealm(userRealmName);
+    const realmSettings = await realm.getSettings();
+    if (realmSettings.resetPasswordAllowed === false) {
+      this.log.debug("Password reset not allowed for realm", { userRealmName });
+      return { intentId, expiresAt };
+    }
+
     // Find user by email (silent fail for security)
     const user = await this.users(userRealmName).findOne({
       where: { email: { eq: email } },
@@ -187,6 +228,11 @@ export class CredentialService {
       });
     }
 
+    // Validate password against realm policy before consuming the verification code
+    const realm = this.realmProvider.getRealm(intent.realmName);
+    const realmSettings = await realm.getSettings();
+    this.validatePasswordPolicy(body.newPassword, realmSettings.passwordPolicy);
+
     // Verify code using verification controller
     const result = await this.verificationController
       .validateVerificationCode({
@@ -233,8 +279,6 @@ export class CredentialService {
       email: intent.email,
     });
 
-    const realm = this.realmProvider.getRealm(intent.realmName);
-
     // Audit: password reset
     await this.userAudits(intent.realmName)?.recordUser("update", {
       userId: intent.userId,
@@ -320,6 +364,11 @@ export class CredentialService {
       throw new BadRequestError("Invalid or expired reset token");
     }
 
+    // Validate password against realm policy
+    const realm = this.realmProvider.getRealm(userRealmName);
+    const realmSettings = await realm.getSettings();
+    this.validatePasswordPolicy(newPassword, realmSettings.passwordPolicy);
+
     // Find user and identity
     const user = await this.users(userRealmName).getOne({
       where: { email: { eq: email } },
@@ -345,8 +394,6 @@ export class CredentialService {
       userId: { eq: user.id },
     });
 
-    const realm = this.realmProvider.getRealm(userRealmName);
-
     // Audit: password reset (legacy method)
     await this.userAudits(userRealmName)?.recordUser("update", {
       userId: user.id,

package/src/api/users/services/RegistrationService.ts

@@ -14,6 +14,7 @@ import { RealmProvider } from "../providers/RealmProvider.ts";
 import type { CompleteRegistrationRequest } from "../schemas/completeRegistrationRequestSchema.ts";
 import type { RegisterRequest } from "../schemas/registerRequestSchema.ts";
 import type { RegistrationIntentResponse } from "../schemas/registrationIntentResponseSchema.ts";
+import { CredentialService } from "./CredentialService.ts";
 
 /**
  * Intent stored in cache during the registration flow.
@@ -46,12 +47,18 @@ export class RegistrationService {
   protected readonly cryptoProvider = $inject(CryptoProvider);
   protected readonly verificationController = $client<VerificationController>();
   protected readonly realmProvider = $inject(RealmProvider);
+  protected readonly credentialService = $inject(CredentialService);
 
   protected readonly intentCache = $cache<RegistrationIntent>({
     name: "api:users:registrations",
     ttl: [INTENT_TTL_MINUTES, "minutes"],
   });
 
+  protected readonly rateLimitCache = $cache<number>({
+    name: "api:users:registration-rate-limit",
+    ttl: [15, "minutes"],
+  });
+
   protected userAudits(realmName?: string) {
     const realm = this.realmProvider.getRealm(realmName);
     if (realm.features.audits) {
@@ -88,6 +95,20 @@ export class RegistrationService {
       userRealmName,
     });
 
+    // IP rate limiting
+    const request = this.alepha.store.get("alepha.http.request");
+    const ipKey = request?.ip ? `register:ip:${request.ip}` : undefined;
+    if (ipKey) {
+      const count = (await this.rateLimitCache.get(ipKey)) ?? 0;
+      if (count >= 10) {
+        this.log.warn("Registration rate limit exceeded", { ip: request?.ip });
+        throw new BadRequestError(
+          "Too many registration attempts, please try again later",
+        );
+      }
+      await this.rateLimitCache.set(ipKey, count + 1);
+    }
+
     const realm = this.realmProvider.getRealm(userRealmName);
     const realmSettings = await realm.getSettings();
 
@@ -138,6 +159,12 @@ export class RegistrationService {
     // Check for existing users (username, email, phone)
     await this.checkUserAvailability(body, userRealmName);
 
+    // Validate password against realm policy
+    this.credentialService.validatePasswordPolicy(
+      body.password,
+      realmSettings.passwordPolicy,
+    );
+
     // Hash the password
     const passwordHash = await this.cryptoProvider.hashPassword(body.password);
 
@@ -279,23 +306,26 @@ export class RegistrationService {
       userRealmName,
     );
 
-    // Atomically delete cache key to prevent replay
-    await this.intentCache.invalidate(body.intentId);
+    const realm = this.realmProvider.getRealm(userRealmName);
+    const realmSettings = await realm.getSettings();
 
     // Create the user
     const user = await userRepository.create({
-      realm: userRealmName,
+      realm: realm.name,
       username: intent.data.username,
       email: intent.data.email,
       phoneNumber: intent.data.phoneNumber,
       firstName: intent.data.firstName,
       lastName: intent.data.lastName,
       picture: intent.data.picture,
-      roles: ["user"],
+      roles: realmSettings.defaultRoles,
       enabled: true,
       emailVerified: intent.requirements.email, // Marked as verified if we verified during registration
     });
 
+    // Invalidate intent after successful creation to allow retry on failure
+    await this.intentCache.invalidate(body.intentId);
+
     // Create credentials identity
     await identityRepository.create({
       userId: user.id,
@@ -309,8 +339,6 @@ export class RegistrationService {
       username: user.username,
     });
 
-    const realm = this.realmProvider.getRealm(userRealmName);
-
     await this.userAudits(userRealmName)?.recordUser("create", {
       userId: user.id,
       userEmail: user.email ?? undefined,
@@ -335,11 +363,12 @@ export class RegistrationService {
     body: Pick<RegisterRequest, "username" | "email" | "phoneNumber">,
     userRealmName?: string,
   ): Promise<void> {
+    const realm = this.realmProvider.getRealm(userRealmName);
     const userRepository = this.realmProvider.userRepository(userRealmName);
 
     if (body.username) {
       const existingUser = await userRepository.findOne({
-        where: { username: { ilike: body.username } },
+        where: { realm: realm.name, username: { ilike: body.username } },
       });
       if (existingUser) {
         this.log.debug("Username already taken", { username: body.username });
@@ -349,7 +378,7 @@ export class RegistrationService {
 
     if (body.email) {
       const existingUser = await userRepository.findOne({
-        where: { email: { eq: body.email } },
+        where: { realm: realm.name, email: { eq: body.email } },
       });
       if (existingUser) {
         this.log.debug("Email already taken", { email: body.email });
@@ -359,7 +388,7 @@ export class RegistrationService {
 
     if (body.phoneNumber) {
       const existingUser = await userRepository.findOne({
-        where: { phoneNumber: { eq: body.phoneNumber } },
+        where: { realm: realm.name, phoneNumber: { eq: body.phoneNumber } },
       });
       if (existingUser) {
         this.log.debug("Phone number already taken", {

package/src/api/users/services/SessionService.ts

@@ -15,6 +15,7 @@ import { $client } from "alepha/server/links";
 import { FileSystemProvider } from "alepha/system";
 import { UserAudits } from "../audits/UserAudits.ts";
 import type { UserEntity } from "../entities/users.ts";
+import { UserNotifications } from "../notifications/UserNotifications.ts";
 import { RealmProvider } from "../providers/RealmProvider.ts";
 
 export class SessionService {
@@ -35,6 +36,14 @@ export class SessionService {
     return undefined;
   }
 
+  protected userNotifications(realmName?: string) {
+    const realm = this.realmProvider.getRealm(realmName);
+    if (realm.features.notifications) {
+      return this.alepha.inject(UserNotifications);
+    }
+    return undefined;
+  }
+
   public users(userRealmName?: string) {
     return this.realmProvider.userRepository(userRealmName);
   }
@@ -141,16 +150,12 @@ export class SessionService {
     // Truncate to leave room for suffix
     candidate = candidate.slice(0, maxLength - 2);
 
-    // Check uniqueness (case-insensitive)
+    // Check uniqueness (case-insensitive exact match)
     const isAvailable = async (name: string) => {
-      const existing = await users.findMany({
-        where: { username: { contains: name } },
-        limit: 1,
+      const existing = await users.findOne({
+        where: { username: { ilike: name } },
       });
-      // Case-insensitive check
-      return !existing.some(
-        (u: any) => u.username?.toLowerCase() === name.toLowerCase(),
-      );
+      return !existing;
     };
 
     if (await isAvailable(candidate)) {
@@ -354,6 +359,23 @@ export class SessionService {
         throw new InvalidCredentialsError();
       }
 
+      // Check if user account is enabled
+      if (!user.enabled) {
+        this.log.warn("Login attempt for disabled account", {
+          userId: user.id,
+          realm: name,
+        });
+
+        await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+          userRealm: name,
+          resourceId: user.id,
+          description: "Login attempt for disabled account",
+          metadata: { provider, username },
+        });
+
+        throw new InvalidCredentialsError();
+      }
+
       // Account rate limit check (per-realm)
       const accountKey = `login:account:${name}:${user.id}`;
       const accountLocked = await this.isLoginLocked(
@@ -445,6 +467,15 @@ export class SessionService {
               metadata: { userId: user.id },
             },
           );
+
+          // Notify user about account lockout
+          if (user.email) {
+            const lockoutMinutes = Math.round(loginRateLimit.windowMs / 60_000);
+            await this.userNotifications(userRealmName)?.accountLockout.push({
+              contact: user.email,
+              variables: { email: user.email, lockoutMinutes },
+            });
+          }
         }
 
         throw new InvalidCredentialsError();
@@ -536,6 +567,16 @@ export class SessionService {
       },
     });
 
+    // Check if user account is still enabled
+    if (!user.enabled) {
+      this.log.warn("Session refresh for disabled account", {
+        userId: user.id,
+        sessionId: session.id,
+      });
+      await this.sessions(userRealmName).deleteById(session.id);
+      throw new UnauthorizedError("Account disabled");
+    }
+
     // Auto-promote to admin if configured (handles "I promote you admin" case)
     await this.ensureAdminRole(user, userRealmName);
 
@@ -636,11 +677,23 @@ export class SessionService {
 
     const existing = await users.findOne({
       where: {
+        realm: realm.name,
         email: profile.email,
       },
     });
 
     if (existing) {
+      // Refuse auto-link if the OAuth provider explicitly says email is not verified
+      if (profile.email_verified === false) {
+        this.log.warn(
+          "OAuth2 profile email not verified by provider, refusing auto-link",
+          { provider, email: profile.email, userId: existing.id },
+        );
+        throw new BadRequestError(
+          "Cannot link account: email not verified by provider",
+        );
+      }
+
       this.log.debug("Linking OAuth2 profile to existing user by email", {
         provider,
         profileSub: profile.sub,
@@ -692,7 +745,7 @@ export class SessionService {
       email: profile.email,
       // we trust the OAuth2 provider
       emailVerified: true,
-      roles: ["user"], // TODO: make default roles configurable via realm settings
+      roles: realmSettings.defaultRoles,
     });
 
     if (profile.picture) {