create-tigra 1.1.0 → 2.0.1

package/template/server/src/modules/auth/auth.service.ts

@@ -1,329 +1,286 @@
-/**
- * Authentication Service
- * 
- * Business logic for authentication operations.
- * Handles registration, login, token refresh, and logout.
- * 
- * @see /mnt/project/02-general-rules.md
- */
-
-import bcrypt from 'bcryptjs';
-import jwt from 'jsonwebtoken';
-import { env } from '../../config/env.js';
-import logger from '../../libs/logger.js';
-import {
-    ConflictError,
-    UnauthorizedError,
-} from '../../utils/errors.js';
-import * as authRepo from './auth.repo.js';
-import type {
-    AuthResponse,
-    TokenResponse,
-    JwtPayload,
-    JwtRefreshPayload,
-} from './auth.types.js';
-import type { RegisterInput, LoginInput } from './auth.schemas.js';
-
-/**
- * Password hashing rounds
- */
-const BCRYPT_ROUNDS = 10;
-
-/**
- * Parse JWT expiration string to seconds
- * 
- * @param expiration - Expiration string (e.g., '15m', '7d')
- * @returns Expiration in seconds
- */
-function parseExpiration(expiration: string): number {
-    const match = expiration.match(/^(\d+)([smhd])$/);
-    if (!match) {
-        throw new Error(`Invalid expiration format: ${expiration}`);
-    }
-
-    const value = parseInt(match[1]!);
-    const unit = match[2]!;
-
-    const multipliers: Record<string, number> = {
-        s: 1,
-        m: 60,
-        h: 3600,
-        d: 86400,
-    };
-
-    return value * multipliers[unit]!;
-}
-
-/**
- * Generate access token
- * 
- * @param userId - User ID
- * @param email - User email
- * @param role - User role
- * @returns JWT access token
- */
-function generateAccessToken(
-    userId: string,
-    email: string,
-    role: string
-): string {
-    const payload: JwtPayload = {
-        userId,
-        email,
-        role: role as 'USER' | 'ADMIN',
-    };
-
-    return jwt.sign(payload, env.JWT_SECRET, {
-        expiresIn: env.JWT_ACCESS_EXPIRATION,
-        issuer: env.JWT_ISSUER,
-    } as jwt.SignOptions);
-}
-
-/**
- * Generate refresh token
- * 
- * @param userId - User ID
- * @param sessionId - Session ID
- * @returns JWT refresh token
- */
-function generateRefreshToken(userId: string, sessionId: string): string {
-    const payload: JwtRefreshPayload = {
-        userId,
-        sessionId,
-    };
-
-    return jwt.sign(payload, env.JWT_SECRET, {
-        expiresIn: env.JWT_REFRESH_EXPIRATION,
-        issuer: env.JWT_ISSUER,
-    } as jwt.SignOptions);
-}
-
-/**
- * Register a new user
- * 
- * @param data - Registration data
- * @returns User and tokens
- * @throws ConflictError if email already exists
- */
-export async function register(data: RegisterInput): Promise<AuthResponse> {
-    try {
-        // Check if user already exists
-        const existingUser = await authRepo.findUserByEmail(data.email);
-        if (existingUser) {
-            throw new ConflictError('Email already registered');
-        }
-
-        // Hash password
-        const hashedPassword = await bcrypt.hash(data.password, BCRYPT_ROUNDS);
-
-        // Create user
-        const user = await authRepo.createUser({
-            email: data.email,
-            password: hashedPassword,
-            name: data.name,
-        });
-
-        // Generate tokens
-        const accessToken = generateAccessToken(user.id, user.email, user.role);
-        const sessionId = `session_${Date.now()}_${user.id}`;
-        const refreshToken = generateRefreshToken(user.id, sessionId);
-
-        // Calculate refresh token expiration
-        const expiresInSeconds = parseExpiration(env.JWT_REFRESH_EXPIRATION);
-        const expiresAt = new Date(Date.now() + expiresInSeconds * 1000);
-
-        // Create session
-        await authRepo.createSession({
-            userId: user.id,
-            refreshToken,
-            expiresAt,
-        });
-
-        logger.info({ userId: user.id, email: user.email }, 'User registered');
-
-        return {
-            user,
-            tokens: {
-                accessToken,
-                refreshToken,
-                expiresIn: parseExpiration(env.JWT_ACCESS_EXPIRATION),
-            },
-        };
-    } catch (error) {
-        logger.error({ error, email: data.email }, 'Registration failed');
-        throw error;
-    }
-}
-
-/**
- * Login user
- * 
- * @param data - Login credentials
- * @returns User and tokens
- * @throws UnauthorizedError if credentials are invalid
- */
-export async function login(data: LoginInput): Promise<AuthResponse> {
-    try {
-        // Find user with password
-        const userWithPassword = await authRepo.findUserByEmailWithPassword(
-            data.email
-        );
-
-        if (!userWithPassword) {
-            throw new UnauthorizedError('Invalid email or password');
-        }
-
-        // Verify password
-        const isPasswordValid = await bcrypt.compare(
-            data.password,
-            userWithPassword.password
-        );
-
-        if (!isPasswordValid) {
-            throw new UnauthorizedError('Invalid email or password');
-        }
-
-        // Get user without password
-        const user = await authRepo.findUserById(userWithPassword.id);
-        if (!user) {
-            throw new UnauthorizedError('User not found');
-        }
-
-        // Generate tokens
-        const accessToken = generateAccessToken(user.id, user.email, user.role);
-        const sessionId = `session_${Date.now()}_${user.id}`;
-        const refreshToken = generateRefreshToken(user.id, sessionId);
-
-        // Calculate refresh token expiration
-        const expiresInSeconds = parseExpiration(env.JWT_REFRESH_EXPIRATION);
-        const expiresAt = new Date(Date.now() + expiresInSeconds * 1000);
-
-        // Create session
-        await authRepo.createSession({
-            userId: user.id,
-            refreshToken,
-            expiresAt,
-        });
-
-        logger.info({ userId: user.id, email: user.email }, 'User logged in');
-
-        return {
-            user,
-            tokens: {
-                accessToken,
-                refreshToken,
-                expiresIn: parseExpiration(env.JWT_ACCESS_EXPIRATION),
-            },
-        };
-    } catch (error) {
-        logger.error({ error, email: data.email }, 'Login failed');
-        throw error;
-    }
-}
-
-/**
- * Refresh access token
- * 
- * @param refreshToken - Refresh token
- * @returns New access and refresh tokens
- * @throws UnauthorizedError if token is invalid or expired
- */
-export async function refreshTokens(
-    refreshToken: string
-): Promise<TokenResponse> {
-    try {
-        // Find session
-        const session = await authRepo.findSessionByToken(refreshToken);
-        if (!session) {
-            throw new UnauthorizedError('Invalid refresh token');
-        }
-
-        // Check if session expired
-        if (session.expiresAt < new Date()) {
-            await authRepo.deleteSession(refreshToken);
-            throw new UnauthorizedError('Refresh token expired');
-        }
-
-        // Verify JWT token
-        let payload: JwtRefreshPayload;
-        try {
-            payload = jwt.verify(refreshToken, env.JWT_SECRET, {
-                issuer: env.JWT_ISSUER,
-            }) as JwtRefreshPayload;
-        } catch (error) {
-            await authRepo.deleteSession(refreshToken);
-            throw new UnauthorizedError('Invalid refresh token');
-        }
-
-        // Generate new tokens
-        const newAccessToken = generateAccessToken(
-            session.user.id,
-            session.user.email,
-            session.user.role
-        );
-        const sessionId = `session_${Date.now()}_${session.user.id}`;
-        const newRefreshToken = generateRefreshToken(session.user.id, sessionId);
-
-        // Calculate new expiration
-        const expiresInSeconds = parseExpiration(env.JWT_REFRESH_EXPIRATION);
-        const expiresAt = new Date(Date.now() + expiresInSeconds * 1000);
-
-        // Update session with new refresh token
-        await authRepo.updateSession(refreshToken, newRefreshToken, expiresAt);
-
-        logger.info({ userId: session.user.id }, 'Tokens refreshed');
-
-        return {
-            accessToken: newAccessToken,
-            refreshToken: newRefreshToken,
-            expiresIn: parseExpiration(env.JWT_ACCESS_EXPIRATION),
-        };
-    } catch (error) {
-        logger.error({ error }, 'Token refresh failed');
-        throw error;
-    }
-}
-
-/**
- * Logout user
- * 
- * Deletes the session associated with the refresh token.
- * 
- * @param refreshToken - Refresh token
- */
-export async function logout(refreshToken: string): Promise<void> {
-    try {
-        await authRepo.deleteSession(refreshToken);
-        logger.info('User logged out');
-    } catch (error) {
-        // Ignore errors if session doesn't exist
-        logger.warn({ error }, 'Logout failed - session may not exist');
-    }
-}
-
-/**
- * Verify access token
- * 
- * @param token - Access token
- * @returns JWT payload
- * @throws UnauthorizedError if token is invalid
- */
-export async function verifyAccessToken(token: string): Promise<JwtPayload> {
-    try {
-        const payload = jwt.verify(token, env.JWT_SECRET, {
-            issuer: env.JWT_ISSUER,
-        }) as JwtPayload;
-
-        return payload;
-    } catch (error) {
-        if (error instanceof jwt.TokenExpiredError) {
-            throw new UnauthorizedError('Access token expired');
-        }
-        if (error instanceof jwt.JsonWebTokenError) {
-            throw new UnauthorizedError('Invalid access token');
-        }
-        throw new UnauthorizedError('Token verification failed');
-    }
-}
-
-
+import { signAccessToken, generateRefreshToken, getRefreshTokenExpiresAt } from '@libs/auth.js';
+import { hashPassword, verifyPassword } from '@libs/password.js';
+import {
+  ConflictError,
+  UnauthorizedError,
+  NotFoundError,
+} from '@shared/errors/errors.js';
+import type { UserRole } from '@shared/types/index.js';
+import * as authRepo from './auth.repo.js';
+import { sessionRepository } from './session.repo.js';
+import type { RegisterInput, LoginInput } from './auth.schemas.js';
+
+// Account lockout configuration
+const LOCKOUT_THRESHOLDS = [
+  { attempts: 5, durationMs: 15 * 60 * 1000 },   // 5 failures → 15 min
+  { attempts: 10, durationMs: 30 * 60 * 1000 },   // 10 failures → 30 min
+  { attempts: 15, durationMs: 60 * 60 * 1000 },   // 15+ failures → 1 hour
+];
+
+function getLockoutDuration(failedAttempts: number): number | null {
+  for (let i = LOCKOUT_THRESHOLDS.length - 1; i >= 0; i--) {
+    if (failedAttempts >= LOCKOUT_THRESHOLDS[i].attempts) {
+      return LOCKOUT_THRESHOLDS[i].durationMs;
+    }
+  }
+  return null;
+}
+
+interface SanitizedUser {
+  id: string;
+  email: string;
+  firstName: string;
+  lastName: string;
+  avatarUrl: string | null;
+  role: UserRole;
+  isActive: boolean;
+  createdAt: string;
+  updatedAt: string;
+}
+
+interface AuthResult {
+  user: SanitizedUser;
+  accessToken: string;
+  refreshToken: string;
+}
+
+function sanitizeUser(user: {
+  id: string;
+  email: string;
+  firstName: string;
+  lastName: string;
+  avatarUrl?: string | null;
+  role: UserRole;
+  isActive: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+  password: string;
+}): SanitizedUser {
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const { password: _password, createdAt, updatedAt, avatarUrl, ...rest } = user;
+  return {
+    ...rest,
+    avatarUrl: avatarUrl ?? null,
+    createdAt: createdAt.toISOString(),
+    updatedAt: updatedAt.toISOString(),
+  };
+}
+
+export async function register(
+  input: RegisterInput,
+  deviceInfo?: string,
+  ipAddress?: string,
+): Promise<AuthResult> {
+  const existingUser = await authRepo.findUserByEmail(input.email);
+  if (existingUser) {
+    throw new ConflictError('Email already registered', 'EMAIL_ALREADY_EXISTS');
+  }
+
+  const hashedPassword = await hashPassword(input.password);
+
+  const user = await authRepo.createUser({
+    email: input.email,
+    password: hashedPassword,
+    firstName: input.firstName,
+    lastName: input.lastName,
+  });
+
+  const accessToken = signAccessToken({
+    userId: user.id,
+    role: user.role,
+  });
+  const refreshToken = generateRefreshToken();
+  const refreshTokenExpiresAt = getRefreshTokenExpiresAt();
+
+  await authRepo.createRefreshToken({
+    token: refreshToken,
+    userId: user.id,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  await sessionRepository.createSession({
+    userId: user.id,
+    deviceInfo,
+    ipAddress,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  return {
+    user: sanitizeUser(user),
+    accessToken,
+    refreshToken,
+  };
+}
+
+export async function login(
+  input: LoginInput,
+  deviceInfo?: string,
+  ipAddress?: string,
+): Promise<AuthResult> {
+  const user = await authRepo.findUserByEmail(input.email);
+  if (!user) {
+    throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+  }
+
+  // Generic error for disabled accounts — prevent info leakage
+  if (!user.isActive) {
+    throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+  }
+
+  // Check account lockout
+  if (user.lockedUntil && user.lockedUntil > new Date()) {
+    throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+  }
+
+  const { valid, needsRehash } = await verifyPassword(input.password, user.password);
+
+  if (!valid) {
+    // Increment failed attempts
+    const newAttempts = user.failedLoginAttempts + 1;
+    await authRepo.incrementFailedAttempts(user.id);
+
+    // Check if we need to lock the account
+    const lockDuration = getLockoutDuration(newAttempts);
+    if (lockDuration) {
+      await authRepo.setAccountLock(user.id, new Date(Date.now() + lockDuration));
+    }
+
+    throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+  }
+
+  // Successful login — reset failed attempts
+  if (user.failedLoginAttempts > 0 || user.lockedUntil) {
+    await authRepo.resetFailedAttempts(user.id);
+  }
+
+  // Transparent rehash: upgrade bcrypt → argon2id
+  if (needsRehash) {
+    const newHash = await hashPassword(input.password);
+    await authRepo.updateUserPassword(user.id, newHash);
+  }
+
+  const accessToken = signAccessToken({
+    userId: user.id,
+    role: user.role,
+  });
+  const refreshToken = generateRefreshToken();
+  const refreshTokenExpiresAt = getRefreshTokenExpiresAt();
+
+  await authRepo.createRefreshToken({
+    token: refreshToken,
+    userId: user.id,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  await sessionRepository.createSession({
+    userId: user.id,
+    deviceInfo,
+    ipAddress,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  return {
+    user: sanitizeUser(user),
+    accessToken,
+    refreshToken,
+  };
+}
+
+export async function refresh(refreshToken: string): Promise<{ accessToken: string; refreshToken: string }> {
+  const storedToken = await authRepo.findRefreshToken(refreshToken);
+  if (!storedToken) {
+    throw new UnauthorizedError('Invalid refresh token', 'INVALID_REFRESH_TOKEN');
+  }
+
+  if (new Date() > storedToken.expiresAt) {
+    await authRepo.deleteRefreshToken(refreshToken);
+    throw new UnauthorizedError('Refresh token expired', 'REFRESH_TOKEN_EXPIRED');
+  }
+
+  const user = await authRepo.findUserById(storedToken.userId);
+  if (!user || !user.isActive) {
+    throw new UnauthorizedError('User not found or disabled', 'INVALID_REFRESH_TOKEN');
+  }
+
+  const newAccessToken = signAccessToken({
+    userId: user.id,
+    role: user.role,
+  });
+  const newRefreshToken = generateRefreshToken();
+
+  // Atomic rotation: delete old + create new in a single transaction.
+  // Returns false if old token was already consumed by a concurrent request.
+  const rotated = await authRepo.rotateRefreshToken(refreshToken, {
+    token: newRefreshToken,
+    userId: user.id,
+    expiresAt: getRefreshTokenExpiresAt(),
+  });
+
+  if (!rotated) {
+    throw new UnauthorizedError('Refresh token already used', 'INVALID_REFRESH_TOKEN');
+  }
+
+  return {
+    accessToken: newAccessToken,
+    refreshToken: newRefreshToken,
+  };
+}
+
+export async function logout(refreshToken: string): Promise<void> {
+  try {
+    // Find the token before deleting so we can match the corresponding session
+    const storedToken = await authRepo.findRefreshToken(refreshToken);
+    await authRepo.deleteRefreshToken(refreshToken);
+
+    if (storedToken) {
+      // Match session by creation time — token and session are created together during login
+      const sessions = await sessionRepository.getUserSessions(storedToken.userId);
+      const tokenCreatedMs = storedToken.createdAt.getTime();
+      const matchingSession = sessions.find(
+        (s) => Math.abs(s.createdAt.getTime() - tokenCreatedMs) < 5000,
+      );
+
+      if (matchingSession) {
+        await sessionRepository.deleteSession(matchingSession.id);
+      }
+    }
+  } catch {
+    // Token may already be deleted by concurrent request or cleanup job
+  }
+}
+
+export async function getCurrentUser(userId: string): Promise<SanitizedUser> {
+  const user = await authRepo.findUserById(userId);
+  if (!user) {
+    throw new NotFoundError('User not found', 'USER_NOT_FOUND');
+  }
+
+  return sanitizeUser(user);
+}
+
+interface SessionInfo {
+  id: string;
+  deviceInfo: string | null;
+  ipAddress: string | null;
+  lastActiveAt: string;
+  expiresAt: string;
+  createdAt: string;
+}
+
+export async function getUserSessions(userId: string): Promise<SessionInfo[]> {
+  const sessions = await sessionRepository.getUserSessions(userId);
+  return sessions.map((session) => ({
+    id: session.id,
+    deviceInfo: session.deviceInfo,
+    ipAddress: session.ipAddress,
+    lastActiveAt: session.lastActiveAt.toISOString(),
+    expiresAt: session.expiresAt.toISOString(),
+    createdAt: session.createdAt.toISOString(),
+  }));
+}
+
+export async function logoutAllSessions(userId: string): Promise<number> {
+  const sessionCount = await sessionRepository.deleteAllUserSessions(userId);
+  await authRepo.deleteRefreshTokensByUserId(userId);
+  return sessionCount;
+}