aloux-iam 0.0.139 → 0.0.141

package/lib/config/utils.js

@@ -1,22 +1,79 @@
-const self = module.exports
+const fs = require("fs");
+const self = module.exports;
 
 self.responseError = async (res, error) => {
-    let obj = error
-    if (!error.code) {
-        obj = {
-            code: 400,
-            title: 'Error',
-            detail: error.message,
-            suggestion: 'Revisar el detalle'
-        }
-    }
-    res.status(obj.code).send(obj)
-}
+  let obj = error;
+  if (!error.code) {
+    obj = {
+      code: 400,
+      title: "Error",
+      detail: error.message,
+      suggestion: "Revisar el detalle",
+    };
+  }
+  res.status(obj.code).send(obj);
+};
 
 self.generatePaginationResponse = async (count, page, itemsPerPage, items) => {
-    const totalPages = Math.ceil(count / itemsPerPage)
-    const currentPage = Math.max(1, Math.min(Number(page), totalPages))
-    const finalCurrentPage = totalPages === 0 ? 1 : currentPage
-    const remainingPages = Math.max(0, totalPages - finalCurrentPage)
-    return { currentPage: finalCurrentPage, totalPages, perPage: Number(itemsPerPage), count, remainingPages, items }
-}
+  const totalPages = Math.ceil(count / itemsPerPage);
+  const currentPage = Math.max(1, Math.min(Number(page), totalPages));
+  const finalCurrentPage = totalPages === 0 ? 1 : currentPage;
+  const remainingPages = Math.max(0, totalPages - finalCurrentPage);
+  return { currentPage: finalCurrentPage, totalPages, perPage: Number(itemsPerPage), count, remainingPages, items };
+};
+
+self.brand = {
+  _cfg: null,
+
+  init(config) {
+    this._cfg = config;
+  },
+
+  _get(key) {
+    if (this._cfg) return this._cfg[key];
+    const APP = process.env.APP;
+    if (APP) return process.env[`${key}_${APP}`] || process.env[key];
+    return process.env[key];
+  },
+
+  name() {
+    return this._get("PROJECT_NAME");
+  },
+
+  template(key) {
+    const path = this._get(key);
+    if (!path) {
+      throw {
+        code: 500,
+        title: "Error de configuración",
+        detail: `Template no encontrado: ${key}`,
+        suggestion: "Verifica que la variable de entorno esté definida",
+        error: new Error(),
+      };
+    }
+    try {
+      let file = fs.readFileSync(path, "utf8");
+      file = file.replace(/\+\+\+brandName\+\+\+/g, this.name() || "");
+      file = file.replace(/\+\+\+brandColor\+\+\+/g, this._get("BRAND_COLOR") || "");
+      file = file.replace(/\+\+\+brandLogo\+\+\+/g, this._get("BRAND_LOGO") || "");
+      return file;
+    } catch (e) {
+      throw {
+        code: 500,
+        title: "Error al leer template",
+        detail: `No se pudo leer el archivo: ${path}`,
+        suggestion: "Verifica que el path del template sea correcto",
+        error: e,
+      };
+    }
+  },
+};
+
+// Gkey
+self.resolveGkey = (business) => {
+  const businessGkey = business.gkey || null;
+  const hasOwnKey    = businessGkey?.status === true;
+
+  if (hasOwnKey) return { gkey: businessGkey, source: "business" };
+  return { gkey: null, source: null };
+};

package/lib/controllers/business.js

@@ -1,7 +1,9 @@
 const Business = require("../models/Business");
+const Company = require("../models/Company");
 const utils = require("../config/utils");
 const AlouxAWS = require("./operationsAWS");
 const errorController = require("../config/utils");
+const { resolveGkey } = require("../config/utils");
 
 const self = module.exports;
 
@@ -11,16 +13,26 @@ self.create = async (req, res) => {
     req.body.lastUpdate = req.body.createdAt;
     req.body.status = "Activo";
 
+    let inheritedGkey = null;
+    if (req.body.data?.useCompanyKey && req.body._company) {
+      const company = await Company.findOne({ _id: req.body._company }).lean();
+      const companyGkey = company?.data?.gkey;
+      if (companyGkey?.status) inheritedGkey = companyGkey;
+    }
+
     if (req.body.environment && req.body.environment.length > 1) {
       for (let i in req.body.environment) {
         const business = new Business(req.body);
         business.environment = req.body.environment[i];
+        if (inheritedGkey) business.gkey = inheritedGkey;
         await business.save();
       }
     } else {
       const business = new Business(req.body);
+      if (inheritedGkey) business.gkey = inheritedGkey;
       await business.save();
     }
+
     await res.status(201).send({});
   } catch (error) {
     await errorController.responseError(res, error);
@@ -250,3 +262,56 @@ self.identity = async (req, res) => {
     await errorController.responseError(res, error);
   }
 };
+
+self.setUseCompanyKey = async (req, res) => {
+  try {
+    const business = await Business.findOne({ _id: req.params.BUSINESS_ID }).lean();
+    if (!business) throw { code: 404, title: "No encontrado", detail: "No existe el negocio" };
+
+    await Business.updateOne(
+      { _id: req.params.BUSINESS_ID },
+      {
+        $unset: { gkey: "" },
+        $set: {
+          "data.useCompanyKey": false,
+          lastUpdate: new Date().getTime(),
+        },
+      }
+    );
+
+    res.status(202).send({ ok: true });
+  } catch (error) {
+    await errorController.responseError(res, error);
+  }
+};
+
+self.inheritKey = async (req, res) => {
+  try {
+    const business = await Business.findOne({ _id: req.params.BUSINESS_ID })
+      .populate("_company")
+      .lean();
+    if (!business) throw { code: 404, title: "No encontrado", detail: "No existe el negocio" };
+
+    const companyGkey = business._company?.data?.gkey;
+    if (!companyGkey?.status) throw {
+      code: 400,
+      title: "Sin llave",
+      detail: "La organización no tiene una llave de Google Cloud configurada",
+    };
+
+    await Business.updateOne(
+      { _id: req.params.BUSINESS_ID },
+      {
+        $set: {
+          gkey: companyGkey,
+          "data.useCompanyKey": true,
+          lastUpdate: new Date().getTime(),
+        },
+      }
+    );
+
+    res.status(202).send({ ok: true });
+  } catch (error) {
+    await errorController.responseError(res, error);
+  }
+};

package/lib/controllers/company.js

@@ -153,3 +153,38 @@ self.identity = async (req, res) => {
     await errorController.responseError(res, error);
   }
 };
+
+self.updateGkey = async (req, res) => {
+  try {
+    const company = await Company.findOne({ _id: req.params.COMPANY_ID });
+    if (!company) throw { code: 404, title: "No encontrado", detail: "No existe la organización" };
+
+    company.data = { ...(company.data || {}), gkey: req.body.gkey };
+    company.lastUpdate = new Date().getTime();
+    company.markModified("data");
+    await company.save();
+
+    res.status(202).send({ ok: true });
+  } catch (error) {
+    await errorController.responseError(res, error);
+  }
+};
+
+self.deleteGkey = async (req, res) => {
+  try {
+    const company = await Company.findOne({ _id: req.params.COMPANY_ID });
+    if (!company) throw { code: 404, title: "No encontrado", detail: "No existe la organización" };
+
+    const newData = { ...(company.data || {}) };
+    delete newData.gkey;
+
+    company.data = newData;
+    company.lastUpdate = new Date().getTime();
+    company.markModified("data");
+    await company.save();
+
+    res.status(200).send({ ok: true });
+  } catch (error) {
+    await errorController.responseError(res, error);
+  }
+};

package/lib/controllers/generatePassword.js

@@ -0,0 +1,13 @@
+const passwordService = require("../services/generatePassword");
+
+const self = module.exports;
+
+self.generate = (req, res) => {
+  try {
+    const length = Number(req.query.length) || 12;
+    const password = passwordService.generatePassword(length);
+    return res.json({ password });
+  } catch (error) {
+    return res.status(500).json({ message: "Error al generar la contraseña", error });
+  }
+};

package/lib/controllers/log.js

@@ -1,5 +1,6 @@
 const Log = require("../models/Log");
 const Label = require("../models/Label");
+const mongoose = require("mongoose");
 const self = module.exports;
 
 self.create = async (req, res) => {
@@ -33,6 +34,7 @@ self.update = async (req, resp) => {
     resp.status(400).send({ error: error.message });
   }
 };
+
 self.status = async (req, resp) => {
   try {
     const _id = req.params.LOG_ID;
@@ -46,22 +48,79 @@ self.status = async (req, resp) => {
     resp.status(400).send({ error: error.message });
   }
 };
+
 self.retrieve = async (req, res) => {
   try {
     const companyId =
       req.header("Company") !== "undefined" ? req.header("Company") : null;
-    let query = { _company: companyId };
 
-    if (req.body.users.length) {
-      query = {
-        _user: { $in: req.body.users },
+    const matchStage = { _company: companyId };
+
+    if (req.body.users?.length) {
+      matchStage._user = {
+        $in: req.body.users.map((id) => new mongoose.Types.ObjectId(id)),
       };
     }
 
-    const consulta = await Log.find(query)
-      .populate([{ path: "_user", select: { name: 1, lastName: 1 } }])
-      .sort({ createdAt: 1 })
-      .lean();
+    if (req.body.dateStart || req.body.dateEnd) {
+      matchStage.createdAt = {};
+      if (req.body.dateStart)
+        matchStage.createdAt.$gte = Number(req.body.dateStart);
+      if (req.body.dateEnd)
+        matchStage.createdAt.$lte = Number(req.body.dateEnd);
+    }
+
+    const [totalCount, byLabel, byDate, byUser] = await Promise.all([
+      Log.countDocuments(matchStage),
+
+      Log.aggregate([
+        { $match: matchStage },
+        { $group: { _id: "$label", count: { $sum: 1 } } },
+        { $sort: { count: -1 } },
+      ]),
+
+      Log.aggregate([
+        { $match: matchStage },
+        {
+          $group: {
+            _id: {
+              $dateToString: {
+                format: "%Y-%m-%d",
+                date: { $toDate: "$createdAt" },
+              },
+            },
+            count: { $sum: 1 },
+          },
+        },
+        { $sort: { _id: 1 } },
+      ]),
+
+      Log.aggregate([
+        { $match: matchStage },
+        { $group: { _id: "$_user", count: { $sum: 1 } } },
+        {
+          $lookup: {
+            from: "users",
+            localField: "_id",
+            foreignField: "_id",
+            as: "user",
+          },
+        },
+        { $unwind: "$user" },
+        {
+          $project: {
+            name: { $concat: ["$user.name", " ", "$user.lastName"] },
+            count: 1,
+          },
+        },
+        { $sort: { count: -1 } },
+      ]),
+    ]);
+
+    const topUsers = byUser.slice(0, 10);
+    const leastUsers = [...byUser]
+      .sort((a, b) => a.count - b.count)
+      .slice(0, 10);
 
     // for (let i in consulta) {
     //   consulta[i].label = consulta[i]._label.label;
@@ -69,14 +128,36 @@ self.retrieve = async (req, res) => {
     // }
 
     const response = {
-      dataset0: { field: "Visualizaciones totales", count: consulta.length },
-      dataset1: processDataset1(consulta),
-      dataset2: processDataset2(consulta),
-      dataset3: processDataset3(consulta),
-      dataset4: processDataset4(consulta),
-      dataset5: processDataset5(consulta),
-      dataset6: processDataset6(consulta),
-      dataset7: processDataset7(consulta),
+      dataset0: { field: "Visualizaciones totales", count: totalCount },
+      dataset1: [],
+      dataset2: {
+        field: "Distribución de acciones",
+        counts: byLabel.map((i) => i.count),
+        operations: byLabel.map((i) => i._id),
+      },
+      dataset3: {
+        field: "Distribución de acciones",
+        items: byLabel.map((i) => ({
+          addGroup: i._id,
+          totalResponse: i.count,
+        })),
+      },
+      dataset4: {
+        field: "Actividad en la plataforma",
+        counts: byDate.map((i) => i.count),
+        actionsName: byDate.map((i) => formatDate(i._id)),
+      },
+      dataset5: [],
+      dataset6: {
+        field: "Usuarios con mas actividad en la plataforma",
+        counts: topUsers.map((i) => i.count),
+        actionsName: topUsers.map((i) => i.name.split(" ")),
+      },
+      dataset7: {
+        field: "Usuarios con menos actividad en la plataforma",
+        counts: leastUsers.map((i) => i.count),
+        actionsName: leastUsers.map((i) => i.name.split(" ")),
+      },
     };
 
     res.status(200).send(response);
@@ -86,8 +167,8 @@ self.retrieve = async (req, res) => {
   }
 };
 
-function formatDate(date) {
-  const day = String(date.getDate()).padStart(2, "0");
+function formatDate(isoDate) {
+  const [year, month, day] = isoDate.split("-");
   const monthNames = [
     "Ene",
     "Feb",
@@ -102,10 +183,9 @@ function formatDate(date) {
     "Nov",
     "Dic",
   ];
-  const month = monthNames[date.getMonth()];
-  const year = date.getFullYear();
-  return `${day} ${month} ${year}`;
+  return `${day} ${monthNames[parseInt(month) - 1]} ${year}`;
 }
+
 function processDataset1(consulta) {
   return consulta.map((item) => {
     return {
@@ -277,4 +357,4 @@ self.count = async (req, res) => {
   } catch (error) {
     res.status(400).send({ error: error.message });
   }
-};
+};

package/lib/controllers/totp.js

@@ -0,0 +1,46 @@
+const Totp = require("../services/totp");
+const utils = require("../config/utils");
+
+const self = module.exports;
+
+self.setup = async (req, res) => {
+  try {
+    const tempToken = req.query.tempToken || req.body?.tempToken;
+    const response = await Totp.setup(tempToken);
+    res.status(200).send(response);
+  } catch (error) {
+    await utils.responseError(res, error);
+  }
+};
+
+self.activate = async (req, res) => {
+  try {
+    const tempToken = req.headers["x-temp-token"] || req.body?.tempToken;
+    const response = await Totp.activate(tempToken, req.body.token);
+    res.status(200).send(response);
+  } catch (error) {
+    await utils.responseError(res, error);
+  }
+};
+
+self.checkLogin = async (req, res) => {
+  try {
+    const { token, tempToken } = req.body;
+    if (!token || !tempToken)
+      return res.status(400).send({ message: "Faltan parámetros" });
+
+    const response = await Totp.checkLogin(token, tempToken, res);
+    res.status(200).send(response);
+  } catch (error) {
+    await utils.responseError(res, error);
+  }
+};
+
+self.adminToggle = async (req, res) => {
+  try {
+    const response = await Totp.adminToggle(req.params.USER_ID, req.body.enabled);
+    res.status(200).send(response);
+  } catch (error) {
+    await utils.responseError(res, error);
+  }
+};

package/lib/controllers/user.js

@@ -6,23 +6,25 @@ const jwt = require("jsonwebtoken");
 const dayjs = require("dayjs");
 const serviceUser = require("../services/user");
 const utils = require("../config/utils");
+const _brand = utils.brand;
 const mongoose = require("mongoose");
 const AWS_SES = require("../services/ses");
 const Business = require("../models/Business");
 const self = module.exports;
 
 self.create = async (req, res) => {
-  // Create a new user
   try {
     let user = await serviceUser.create(req.body);
-    //  Send email to user
     if (process.env.SEND_EMAIL_USER === "true") {
-      let file = fs.readFileSync(process.env.TEMPLATE_ACCOUNT, "utf8");
+      let file = _brand.template("TEMPLATE_ACCOUNT");
       file = file.replace("{{user}}", user.name);
       file = file.replace("{{email}}", req.body.email);
       file = file.replace("{{password}}", req.body.pwd);
-      if (process.env.URL_EMAIL) {
-        file = file.replace("{{urlToken}}", process.env.URL_EMAIL);
+      const app = process.env.APP;
+      const urlEmail = process.env[`URL_EMAIL_${app}`];
+
+      if (urlEmail) {
+        file = file.replaceAll("{{urlToken}}", urlEmail);
       }
       await AWS_SES.sendCustom(
         user.email,
@@ -30,16 +32,9 @@ self.create = async (req, res) => {
         process.env.SUBJECT_EMAIL || "bienvenido"
       );
     }
-
     res.status(201).send(user);
   } catch (error) {
-    utils.responseError(
-      res,
-      error,
-      400,
-      "Error al crear usuario",
-      "Revisa el detalle del error"
-    );
+    utils.responseError(res, error, 400, "Error al crear usuario", "Revisa el detalle del error");
   }
 };
 
@@ -77,22 +72,20 @@ self.status = async (req, resp) => {
 
 self.updatepassword = async (req, resp) => {
   try {
-    const result = await serviceUser.updatepassword(
-      req.body,
-      req.params.USER_ID
-    );
-
-    if(req.body.sendEmail === true){
-
+    const result = await serviceUser.updatepassword(req.body, req.params.USER_ID);
+    if (req.body.sendEmail === true) {
       const _id = req.params.USER_ID;
       let user = await User.findOne({ _id }, { pwd: 0 }).lean();
       if (process.env.SEND_EMAIL_USER === "true") {
-        let file = fs.readFileSync(process.env.TEMPLATE_ACCOUNT, "utf8");
-        file = file.replace("{{user}}", req.user.name);
-        file = file.replace("{{email}}", req.user.email);
+        let file = _brand.template("TEMPLATE_ACCOUNT");
+        file = file.replace("{{user}}", user.name);
+        file = file.replace("{{email}}", user.email);
         file = file.replace("{{password}}", req.body.pwd);
-        if (process.env.URL_EMAIL) {
-          file = file.replace("{{urlToken}}", process.env.URL_EMAIL);
+        const app = process.env.APP;
+        const urlEmail = process.env[`URL_EMAIL_${app}`];
+
+        if (urlEmail) {
+          file = file.replaceAll("{{urlToken}}", urlEmail);
         }
         await AWS_SES.sendCustom(
           user.email,
@@ -101,7 +94,6 @@ self.updatepassword = async (req, resp) => {
         );
       }
     }
-
     resp.status(200).send(result);
   } catch (error) {
     resp.status(400).send({ error: error.message });
@@ -603,16 +595,10 @@ self.generatecode = async () => {
 self.sendcodemail = async (email, code) => {
   try {
     let user = await User.findOne({ email: email }, { name: 1, email: 1 });
-
-    let file = fs.readFileSync(process.env.TEMPLATE_RECOVER_PASSWORD, "utf8");
+    let file = _brand.template("TEMPLATE_RECOVER_PASSWORD");
     file = file.replace("+++user+++", user.name);
     file = file.replace("+++code+++", code);
-
-    return await alouxAWS.sendCustom(
-      user.email,
-      file,
-      "Código de recuperación de contraseña"
-    );
+    return await alouxAWS.sendCustom(user.email, file, "Código de recuperación de contraseña");
   } catch (error) {
     throw new Error("Ocurrio un error al envìar el correo electronico");
   }
@@ -829,18 +815,16 @@ self.validatePhone = async (req, res) => {
 self.sendverifyToken = async (correo, token) => {
   try {
     let user = await User.findOne({ email: correo }, { name: 1, email: 1 });
-
-    let template = fs.readFileSync(process.env.TEMPLATE_VERIFY_EMAIL, "utf8");
+    let template = _brand.template("TEMPLATE_VERIFY_EMAIL");
     template = template.replaceAll("{{name}}", user.name);
     template = template.replaceAll(
       "{{urlVerifyEmail}}",
       process.env.URL_VERIFY_EMAIL + "/?token=" + token
     );
-
     return await alouxAWS.sendCustom(
       user.email,
       template,
-      "Verifica tu cuenta de " + process.env.PROJECT_NAME
+      "Verifica tu cuenta de " + _brand.name()
     );
   } catch (error) {
     throw new Error("Ocurrio un error al envìar el correo electronico");
@@ -897,14 +881,12 @@ self.sendVerifyMailAccountJob = async (data, ban) => {
 self.sendValidateEmail = async (email) => {
   try {
     let user = await User.findOne({ email: email }, { name: 1, email: 1 });
-
-    let file = fs.readFileSync(process.env.TEMPLATE_WELCOME, "utf8");
+    let file = _brand.template("TEMPLATE_WELCOME");
     file = file.replace("+++user+++", user.name);
-
-    return await sesSDK.sendCustom(
+    return await AWS_SES.sendCustom(
       user.email,
       file,
-      "Bienvenido a " + process.env.PROJECT_NAME
+      "Bienvenido a " + _brand.name()
     );
   } catch (error) {
     throw new Error("Ocurrio un error al envìar el correo electronico");

package/lib/router.js

@@ -6,6 +6,8 @@ router.use(fileupload());
 
 const auth = require("./controllers/auth");
 const user = require("./controllers/user");
+const totp = require("./controllers/totp");
+const generatePassword = require("./controllers/generatePassword");
 const menu = require("./controllers/menu");
 const permission = require("./controllers/permission");
 const functions = require("./controllers/functions");
@@ -90,9 +92,18 @@ router.get("/iam/menu/count/all", middleware, menu.count);
 router.post("/iam/retrieve/history", middleware, history.retrieve);
 router.get("/iam/history/:HISTORY_ID", middleware, history.detail);
 
+// IAM / GENERATE PASSWORD
+router.get("/iam/generatePassword", generatePassword.generate);
+
 // Utilities
 router.patch("/iam/add/time/:TOKEN", user.addTimeToken);
 
+// TOTP
+router.post("/iam/totp/verify", totp.checkLogin);
+router.get("/iam/totp/setup", totp.setup);
+router.post("/iam/totp/activate", totp.activate);
+router.put("/iam/user/:USER_ID/totp", middleware, totp.adminToggle);
+
 // IAM / Label
 router.post("/iam/label", middleware, label.create);
 router.patch("/iam/label/:LABEL_ID", middleware, label.update);
@@ -136,6 +147,8 @@ router.patch(
   business.favicon
 );
 router.get("/iam/business/:ID/identity", business.identity);
+router.patch("/iam/business/:BUSINESS_ID/useCompanyKey", middleware, business.setUseCompanyKey);
+router.post("/iam/business/:BUSINESS_ID/inheritKey", middleware, business.inheritKey);
 
 //Company
 router.post("/iam/company", middleware, company.create);
@@ -147,6 +160,8 @@ router.delete("/iam/company/:COMPANY_ID", middleware, company.delete);
 router.patch("/iam/company/:COMPANY_ID/picture", middleware, company.picture);
 router.patch("/iam/company/:COMPANY_ID/favicon", middleware, company.favicon);
 router.get("/iam/company/:ID/identity", company.identity);
+router.put("/iam/company/:COMPANY_ID/gkey", middleware, company.updateGkey);
+router.delete("/iam/company/:COMPANY_ID/gkey", middleware, company.deleteGkey);
 
 router.patch("/iam/company/:COMPANY_ID/picture", middleware, business.picture);
 router.patch("/iam/company/:COMPANY_ID/favicon", middleware, business.favicon);

package/lib/services/auth.js

@@ -8,6 +8,8 @@ const bigQuery = require("../services/bigQuery");
 const bcrypt = require("bcryptjs");
 const dayjs = require("dayjs");
 const fs = require("fs");
+const utils = require("../config/utils");
+const _brand = utils.brand;
 const jwt = require("jsonwebtoken");
 const mongoose = require("mongoose");
 
@@ -86,6 +88,7 @@ self.login = async (body, res) => {
         status: 1,
       }
     ).populate({ path: "_functions", select: { name: 1 } });
+
     if (!userLogin) {
       throw {
         code: 401,
@@ -95,6 +98,7 @@ self.login = async (body, res) => {
         error: new Error(),
       };
     }
+
     const token = await userLogin.generateAuthToken();
 
     res.cookie("token", token, {
@@ -123,10 +127,8 @@ self.login = async (body, res) => {
       throw {
         code: 401,
         title: "Límite de sesiones alcanzado",
-        detail:
-          "Has alcanzado el número máximo de sesiones permitidas para esta cuenta.",
-        suggestion:
-          "Por favor, cierra una de las sesiones activas en dispositivos que no estés usando para iniciar una nueva sesión.",
+        detail: "Has alcanzado el número máximo de sesiones permitidas para esta cuenta.",
+        suggestion: "Por favor, cierra una de las sesiones activas en dispositivos que no estés usando para iniciar una nueva sesión.",
         error: new Error(),
       };
     }
@@ -145,10 +147,8 @@ self.login = async (body, res) => {
         throw {
           code: 401,
           title: "Usuario bloqueado",
-          detail:
-            "Tu cuenta ha sido bloqueada debido a múltiples intentos fallidos de inicio de sesión.",
-          suggestion:
-            "Para reactivar tu cuenta, utiliza la opción de recuperación de contraseña e intenta nuevamente.",
+          detail: "Tu cuenta ha sido bloqueada debido a múltiples intentos fallidos de inicio de sesión.",
+          suggestion: "Para reactivar tu cuenta, utiliza la opción de recuperación de contraseña e intenta nuevamente.",
           error: new Error(),
           status: userLogin.status,
         };
@@ -158,7 +158,6 @@ self.login = async (body, res) => {
     const isPasswordMatch = await bcrypt.compare(pwd, userLogin.pwd);
 
     if (!isPasswordMatch) {
-      //conteo de inicios fallidos
       if (userLogin.validateKey.failedAttempts === process.env.FAILED_ATTEMPS) {
         await User.updateOne({ _id: userLogin._id }, { status: "Bloqueado" });
       } else {
@@ -175,8 +174,23 @@ self.login = async (body, res) => {
         error: new Error(),
       };
     } else {
+      // ── TOTP: si tiene 2FA activo, no emitir token real todavía ──────────────
+      if (userLogin?.data?.totp?.enabled === true) {
+        const tempToken = jwt.sign(
+          { _id: userLogin._id, type: "totp_pending" },
+          process.env.AUTH_SECRET,
+          { expiresIn: "5m" }
+        );
+
+        const needsSetup = !userLogin?.data?.totp?.secret;
+
+        return { requires2FA: true, needsSetup, tempToken };
+      }
+
+      // ── Flujo normal sin TOTP ─────────────────────────────────────────────────
       const token = await userLogin.generateAuthToken();
       let changePwd;
+
       if (!userLogin?.data) {
         userLogin.data.changePwd = false;
         changePwd = false;
@@ -453,34 +467,24 @@ self.generatecode = async () => {
 };
 
 self.sendcodemail = async (email, code, req) => {
-  let file;
-  const user = await User.findOne({ email: email }, { name: 1, email: 1 });
-  if (!req.body.enviroment) {
-    file = fs.readFileSync(process.env.TEMPLATE_RECOVER_PASSWORD, "utf8");
-  } else {
-    file = fs.readFileSync(process.env[req.body.enviroment], "utf8");
-  }
+  const user = await User.findOne({ email }, { name: 1, email: 1 });
+  let file = !req.body.enviroment
+    ? _brand.template("TEMPLATE_RECOVER_PASSWORD")
+    : _brand.template(req.body.enviroment);
   file = file.replace("+++user+++", user.name);
   file = file.replace("+++code+++", code);
-  await ses.sendCustom(
-    user.email,
-    file,
-    "Código de recuperación de contraseña"
-  );
-
+  await ses.sendCustom(user.email, file, "Código de recuperación de contraseña");
   return true;
 };
 
 self.sendcodemailLogin = async (email, code, ban) => {
-  let file;
+  let file = _brand.template("TEMPLATE_LOGIN_CODE");
   if (ban === true) {
-    file = fs.readFileSync(process.env.TEMPLATE_LOGIN_CODE, "utf8");
     file = file.replace("+++user+++", email);
     file = file.replace("+++code+++", code);
     await ses.sendCustom(email, file, "Código inicio de sesión");
   } else {
-    const user = await User.findOne({ email: email }, { name: 1, email: 1 });
-    file = fs.readFileSync(process.env.TEMPLATE_LOGIN_CODE, "utf8");
+    const user = await User.findOne({ email }, { name: 1, email: 1 });
     file = file.replace("+++user+++", user.name);
     file = file.replace("+++code+++", code);
     await ses.sendCustom(user.email, file, "Código inicio de sesión");
@@ -649,16 +653,10 @@ self.resetPassword = async (req, res) => {
 
 self.sendverifyToken = async (correo, token) => {
   let user = await User.findOne({ email: correo }, { name: 1, email: 1 });
-
-  let file = fs.readFileSync(process.env.TEMPLATE_VERIFY_EMAIL, "utf8");
+  let file = _brand.template("TEMPLATE_VERIFY_EMAIL");
   file = file.replace("+++user+++", user.name);
   file = file.replace("+++token+++", token);
-
-  await ses.sendCustom(
-    user.email,
-    file,
-    "Verifica tu cuenta de " + process.env.PROJECT_NAME
-  );
+  await ses.sendCustom(user.email, file, "Verifica tu cuenta de " + _brand.name());
   return true;
 };
 
@@ -686,16 +684,10 @@ self.sendVerifyMailAccountJob = async (data, ban) => {
 };
 
 self.sendValidateEmail = async (email) => {
-  let user = await User.findOne({ email: email }, { name: 1, email: 1 });
-
-  let file = fs.readFileSync(process.env.TEMPLATE_WELCOME, "utf8");
+  let user = await User.findOne({ email }, { name: 1, email: 1 });
+  let file = _brand.template("TEMPLATE_WELCOME");
   file = file.replace("+++user+++", user.name);
-
-  return await ses.sendCustom(
-    user.email,
-    file,
-    "Bienvenido a " + process.env.PROJECT_NAME
-  );
+  return await ses.sendCustom(user.email, file, "Bienvenido a " + _brand.name());
 };
 
 self.verifyMailTokenAccount = async (req, res) => {
@@ -896,23 +888,19 @@ self.createCustomer = async (req, res) => {
 
 self.mailChange = async (newEmail, user) => {
   const code = await self.generatecode();
-
   let time = new Date();
   const sumarMinutos = new Date(time.getTime() + 5 * 60000);
   await User.updateOne(
-    {
-      _id: user._id,
-    },
+    { _id: user._id },
     {
       "validateKey.resetPassword.resetCode": code,
       "validateKey.limitCodeTime": new Date(sumarMinutos).getTime(),
     }
   );
-  let file = fs.readFileSync(process.env.TEMPLATE_CHANGE_MAIL, "utf8");
+  let file = _brand.template("TEMPLATE_CHANGE_MAIL");
   file = file.replace("+++user+++", user.name);
   file = file.replace("+++code+++", code);
   await ses.sendCustom(newEmail, file, "Código para cambio de correo");
-
   return true;
 };
 

package/lib/services/generatePassword.js

@@ -0,0 +1,44 @@
+const self = module.exports;
+
+self.generatePassword = (length = 12) => {
+  const lowercase = "abcdefghijklmnopqrstuvwxyz";
+  const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const numbers = "0123456789";
+  const special = "!@#$%&*";
+  const allChars = lowercase + uppercase + numbers + special;
+
+  let availableChars = allChars.split("");
+  let password = "";
+
+  const getRandomChar = (chars) => {
+    const index = Math.floor(Math.random() * chars.length);
+    const char = chars[index];
+    availableChars = availableChars.filter((c) => c !== char);
+    return char;
+  };
+
+  password += getRandomChar(
+    lowercase.split("").filter((c) => availableChars.includes(c)),
+  );
+  password += getRandomChar(
+    uppercase.split("").filter((c) => availableChars.includes(c)),
+  );
+  password += getRandomChar(
+    numbers.split("").filter((c) => availableChars.includes(c)),
+  );
+  password += getRandomChar(
+    special.split("").filter((c) => availableChars.includes(c)),
+  );
+
+  for (let i = password.length; i < length; i++) {
+    if (availableChars.length === 0) break;
+    const index = Math.floor(Math.random() * availableChars.length);
+    password += availableChars[index];
+    availableChars.splice(index, 1);
+  }
+
+  return password
+    .split("")
+    .sort(() => Math.random() - 0.5)
+    .join("");
+};

package/lib/services/totp.js

@@ -0,0 +1,169 @@
+const speakeasy = require("speakeasy");
+const QRCode = require("qrcode");
+const jwt = require("jsonwebtoken");
+const dayjs = require("dayjs");
+const User = require("../models/User");
+
+const self = module.exports;
+
+// Helper
+
+const verifyTotpToken = (secret, token) =>
+  speakeasy.totp.verify({ secret, encoding: "base32", token, window: 1 });
+
+const verifyTempToken = (tempToken) => {
+  let payload;
+  try {
+    payload = jwt.verify(tempToken, process.env.AUTH_SECRET);
+    if (payload.type !== "totp_pending") throw new Error();
+  } catch {
+    throw {
+      code: 401,
+      title: "Sesión expirada.",
+      detail: "",
+      suggestion: "Vuelve a iniciar sesión",
+      error: new Error(),
+    };
+  }
+  return payload;
+};
+
+// genera QR y guarda el secreto
+self.setup = async (tempToken) => {
+  const payload = verifyTempToken(tempToken);
+
+  const user = await User.findOne({ _id: payload._id });
+
+  if (!user)
+    throw {
+      code: 404,
+      title: "Usuario no encontrado.",
+      detail: "",
+      suggestion: "",
+      error: new Error(),
+    };
+
+  if (!user?.data?.totp?.enabled)
+    throw {
+      code: 403,
+      title: "2FA no habilitado.",
+      detail: "",
+      suggestion: "Contacta al administrador para habilitarlo",
+      error: new Error(),
+    };
+
+  const secret = speakeasy.generateSecret({
+    name: `${process.env.PROJECT_NAME} (${user.email})`,
+    issuer: process.env.PROJECT_NAME,
+    length: 20,
+  });
+
+  const qrCode = await QRCode.toDataURL(secret.otpauth_url);
+
+  await User.updateOne(
+    { _id: user._id },
+    { $set: { "data.totp.secret": secret.base32 } },
+  );
+
+  return { secret: secret.base32, qrCode };
+};
+
+// valida el código tras escanear el QR
+self.activate = async (tempToken, token) => {
+  const payload = verifyTempToken(tempToken);
+
+  const user = await User.findOne({ _id: payload._id });
+
+  if (!user?.data?.totp?.secret)
+    throw {
+      code: 400,
+      title: "QR no generado.",
+      detail: "",
+      suggestion: "Primero genera el QR desde /totp/setup",
+      error: new Error(),
+    };
+
+  if (!verifyTotpToken(user.data.totp.secret, token))
+    throw {
+      code: 400,
+      title: "Código inválido.",
+      detail: "",
+      suggestion:
+        "El código ingresado es incorrecto, verifica que sea el correcto e intenta de nuevo.",
+      error: new Error(),
+    };
+
+  return { message: "TOTP configurado correctamente" };
+};
+
+// valida código en login y emite token real
+self.checkLogin = async (token, tempToken, res) => {
+  const payload = verifyTempToken(tempToken);
+
+  const user = await User.findOne({ _id: payload._id });
+
+  if (!user?.data?.totp?.enabled)
+    throw {
+      code: 400,
+      title: "2FA no está configurado.",
+      detail: "",
+      suggestion: "",
+      error: new Error(),
+    };
+
+  if (!user?.data?.totp?.secret)
+    throw {
+      code: 400,
+      title: "TOTP no configurado.",
+      detail: "",
+      suggestion: "Configura tu app Authenticator primero",
+      error: new Error(),
+    };
+
+  if (!verifyTotpToken(user.data.totp.secret, token))
+    throw {
+      code: 401,
+      title: "Código inválido o expirado.",
+      detail: "",
+      suggestion:
+        "El código ingresado es incorrecto, verifica que sea el correcto e intenta de nuevo.",
+      error: new Error(),
+    };
+
+  user.data.changePwd = user?.data?.changePwd ?? false;
+  user.validateKey.failedAttempts = 0;
+  await user.save();
+
+  const authToken = await user.generateAuthToken();
+
+  res.cookie("token", authToken, {
+    secure: true,
+    httpOnly: true,
+    sameSite: "none",
+    expires: dayjs().add(30, "days").toDate(),
+  });
+
+  return { token: authToken, changePwd: user.data.changePwd };
+};
+
+// admin habilita o deshabilita 2FA de un usuario
+self.adminToggle = async (userId, enabled) => {
+  const user = await User.findOne({ _id: userId });
+
+  if (!user)
+    throw {
+      code: 404,
+      title: "Usuario no encontrado.",
+      detail: "",
+      suggestion: "",
+      error: new Error(),
+    };
+
+  const update = enabled
+    ? { "data.totp.enabled": true }
+    : { "data.totp.enabled": false, "data.totp.secret": null };
+
+  await User.updateOne({ _id: user._id }, { $set: update });
+
+  return { message: enabled ? "2FA habilitado" : "2FA deshabilitado" };
+};

package/lib/swagger.yaml

@@ -1389,4 +1389,212 @@ paths:
                   itemsPerPage: 10
       responses:
         '200':
-          description: ok
+          description: ok
+  #  Generar contraseña
+  /iam/generatePassword:
+    get:
+      summary: Generar contraseña segura
+      tags:
+        - utilities
+      description: >
+        Genera una contraseña aleatoria segura. Garantiza al menos una letra
+        minúscula, una mayúscula, un número y un carácter especial (!@#$%&*).
+        No requiere autenticación.
+      parameters:
+        - name: length
+          in: query
+          required: false
+          description: Longitud de la contraseña (default 12)
+          schema:
+            type: integer
+            default: 12
+            minimum: 4
+      responses:
+        '200':
+          description: Contraseña generada
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  password:
+                    type: string
+                    example: "aB3!xKm9Zq#T"
+  # TOTP
+  /iam/totp/setup:
+    get:
+      summary: Generar QR y secreto TOTP
+      tags:
+        - totp
+      description: >
+        Genera un secreto TOTP y retorna un QR en base64 para escanear con una
+        app Authenticator (Google Authenticator, Authy, etc.).
+        Requiere un token temporal de tipo `totp_pending` obtenido tras el login
+        cuando el usuario tiene 2FA habilitado.
+        El secreto se guarda en el usuario hasta que sea activado con `/totp/activate`.
+      parameters:
+        - name: Authorization
+          in: header
+          required: true
+          description: Bearer {tempToken} — token temporal tipo totp_pending
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Secreto y QR generados correctamente
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  secret:
+                    type: string
+                    description: Secreto en base32
+                    example: "JBSWY3DPEHPK3PXP"
+                  qrCode:
+                    type: string
+                    description: Imagen QR en formato Data URL (base64)
+                    example: "data:image/png;base64,iVBORw0KGgo..."
+        '401':
+          description: Token temporal expirado o inválido
+        '403':
+          description: El usuario no tiene 2FA habilitado
+        '404':
+          description: Usuario no encontrado
+
+  /iam/totp/activate:
+    post:
+      summary: Activar TOTP tras escanear el QR
+      tags:
+        - totp
+      description: >
+        Valida el código OTP generado por la app Authenticator para confirmar
+        que el QR fue escaneado correctamente. Debe llamarse después de `/totp/setup`.
+        Requiere token temporal tipo `totp_pending`.
+      parameters:
+        - name: Authorization
+          in: header
+          required: true
+          description: Bearer {tempToken} — token temporal tipo totp_pending
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              properties:
+                token:
+                  description: Código OTP de 6 dígitos generado por la app Authenticator
+                  type: string
+                  example: "123456"
+              required:
+                - token
+      responses:
+        '200':
+          description: TOTP configurado correctamente
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  message:
+                    type: string
+                    example: "TOTP configurado correctamente"
+        '400':
+          description: QR no generado previamente o código inválido
+        '401':
+          description: Token temporal expirado o inválido
+
+  /iam/totp/verify:
+    post:
+      summary: Verificar código TOTP en el login
+      tags:
+        - totp
+      description: >
+        Segundo paso del login cuando el usuario tiene 2FA activo.
+        Valida el código OTP y, si es correcto, emite el token de sesión real
+        y lo setea como cookie `httpOnly`.
+      parameters:
+        - name: Authorization
+          in: header
+          required: true
+          description: Bearer {tempToken} — token temporal tipo totp_pending
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              properties:
+                token:
+                  description: Código OTP de 6 dígitos generado por la app Authenticator
+                  type: string
+                  example: "123456"
+              required:
+                - token
+      responses:
+        '200':
+          description: Login completado, retorna token de sesión
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  token:
+                    type: string
+                    description: JWT de sesión
+                    example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+                  changePwd:
+                    type: boolean
+                    description: Indica si el usuario debe cambiar su contraseña
+                    example: false
+        '400':
+          description: 2FA no configurado o secreto faltante
+        '401':
+          description: Código inválido o expirado / token temporal inválido
+
+  /iam/user/{USER_ID}/totp:
+    put:
+      summary: Habilitar o deshabilitar 2FA de un usuario (admin)
+      tags:
+        - totp
+      description: >
+        Permite a un administrador habilitar o deshabilitar el 2FA de cualquier usuario.
+        Al deshabilitar, también elimina el secreto TOTP guardado.
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: USER_ID
+          in: path
+          required: true
+          description: ID del usuario a modificar
+          schema:
+            type: string
+            format: ObjectId
+            example: "64371ab1b6dc1417c9c0b812"
+      requestBody:
+        content:
+          application/json:
+            schema:
+              properties:
+                enabled:
+                  type: boolean
+                  description: >
+                    `true` para habilitar 2FA, `false` para deshabilitar
+                    (también borra el secreto)
+                  example: true
+              required:
+                - enabled
+      responses:
+        '200':
+          description: Estado de 2FA actualizado
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  message:
+                    type: string
+                    example: "2FA habilitado"
+        '404':
+          description: Usuario no encontrado

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aloux-iam",
-  "version": "0.0.139",
+  "version": "0.0.141",
   "description": "Aloux IAM for APIs ",
   "main": "index.js",
   "scripts": {
@@ -33,6 +33,8 @@
     "method-override": "^3.0.0",
     "mongodb": "^4.17.x",
     "mongoose": "^6.12.x",
+    "qrcode": "^1.5.4",
+    "speakeasy": "^2.0.0",
     "yamljs": "^0.3.0"
   }
-}
+}