create-tigra 2.8.0 → 3.0.0

package/template/server/src/modules/auth/auth.service.ts

@@ -21,6 +21,18 @@ const PASSWORD_RESET_TTL = 3600; // 1 hour in seconds
 const PASSWORD_RESET_PREFIX = 'pw-reset:';
 const PASSWORD_RESET_USER_PREFIX = 'pw-reset-user:';
 
+// --- Account lockout (scoped to email + IP) ---
+// Failed-login attempts are tracked in Redis keyed by the (email, IP) PAIR.
+// Keying by email alone let anyone lock a victim out remotely by spamming bad
+// passwords at the victim's email (lockout DoS). Scoped to email+IP, an
+// attacker only ever locks out their own address; distributed attempts are
+// still throttled by the per-IP rate limit on the login route.
+// Redis failures fail OPEN (no lockout) — consistent with ip-block.ts:
+// availability over lockout, and rate limiting still applies.
+const LOGIN_FAIL_PREFIX = 'login-fail:';
+const LOGIN_LOCK_PREFIX = 'login-lock:';
+const LOGIN_FAIL_WINDOW_SECONDS = 60 * 60; // failed attempts expire after 1 hour
+
 // Account lockout configuration
 const LOCKOUT_THRESHOLDS = [
   { attempts: 5, durationMs: 15 * 60 * 1000 },   // 5 failures → 15 min
@@ -37,6 +49,55 @@ function getLockoutDuration(failedAttempts: number): number | null {
   return null;
 }
 
+function lockoutKey(prefix: string, email: string, ipAddress?: string): string {
+  return `${prefix}${email.toLowerCase()}:${ipAddress ?? 'unknown'}`;
+}
+
+async function isLoginLocked(email: string, ipAddress?: string): Promise<boolean> {
+  try {
+    const locked = await getRedis().exists(lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress));
+    return locked === 1;
+  } catch {
+    return false; // fail open — Redis down must not block all logins
+  }
+}
+
+async function recordFailedLogin(email: string, ipAddress?: string): Promise<void> {
+  try {
+    const redis = getRedis();
+    const failKey = lockoutKey(LOGIN_FAIL_PREFIX, email, ipAddress);
+
+    const attempts = await redis.incr(failKey);
+    if (attempts === 1) {
+      await redis.expire(failKey, LOGIN_FAIL_WINDOW_SECONDS);
+    }
+
+    const lockDurationMs = getLockoutDuration(attempts);
+    if (lockDurationMs) {
+      await redis.set(
+        lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress),
+        '1',
+        'EX',
+        Math.ceil(lockDurationMs / 1000),
+      );
+    }
+  } catch {
+    // Non-critical: don't break the login error path if tracking fails
+    logger.warn('[AUTH] Failed to record failed login attempt');
+  }
+}
+
+async function clearFailedLogins(email: string, ipAddress?: string): Promise<void> {
+  try {
+    await getRedis().del(
+      lockoutKey(LOGIN_FAIL_PREFIX, email, ipAddress),
+      lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress),
+    );
+  } catch {
+    // Non-critical: keys expire on their own
+  }
+}
+
 interface SanitizedUser {
   id: string;
   email: string;
@@ -167,12 +228,23 @@ export async function login(
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
+    // Same email+IP lockout as the normal path — the restore flow must not be
+    // a brute-force side door around the lockout.
+    if (await isLoginLocked(input.email, ipAddress)) {
+      throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+    }
+
     // Verify password before restoring — don't restore on wrong password
     const validPassword = await verifyPassword(input.password, deletedUser.password);
     if (!validPassword) {
+      await recordFailedLogin(input.email, ipAddress);
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
+    // Successful restore-login — clear the email+IP failure counter, same as
+    // the normal path.
+    await clearFailedLogins(input.email, ipAddress);
+
     // Restore account: clears deletedAt, sets isActive = true, resets lockout
     await authRepo.restoreUser(deletedUser.id);
     user = { ...deletedUser, deletedAt: null, isActive: true, failedLoginAttempts: 0, lockedUntil: null };
@@ -184,7 +256,14 @@ export async function login(
       throw new ForbiddenError('Account is not activated. Please verify your account.', 'ACCOUNT_NOT_ACTIVE');
     }
 
-    // Check account lockout
+    // Check account lockout — scoped to this email+IP pair (Redis), so an
+    // attacker spamming bad passwords only locks out their OWN address and
+    // cannot remotely lock the real user out (lockout DoS).
+    if (await isLoginLocked(input.email, ipAddress)) {
+      throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+    }
+
+    // DB-level lock (legacy data or manual admin lock) is still honored.
     if (user.lockedUntil && user.lockedUntil > new Date()) {
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
@@ -192,20 +271,13 @@ export async function login(
     const valid = await verifyPassword(input.password, user.password);
 
     if (!valid) {
-      // Increment failed attempts
-      const newAttempts = user.failedLoginAttempts + 1;
-      await authRepo.incrementFailedAttempts(user.id);
-
-      // Check if we need to lock the account
-      const lockDuration = getLockoutDuration(newAttempts);
-      if (lockDuration) {
-        await authRepo.setAccountLock(user.id, new Date(Date.now() + lockDuration));
-      }
-
+      await recordFailedLogin(input.email, ipAddress);
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
-    // Successful login — reset failed attempts
+    // Successful login — clear the email+IP failure counter and any stale
+    // DB-level lockout state from before lockout moved to Redis.
+    await clearFailedLogins(input.email, ipAddress);
     if (user.failedLoginAttempts > 0 || user.lockedUntil) {
       await authRepo.resetFailedAttempts(user.id);
     }
@@ -274,6 +346,25 @@ export async function refresh(refreshToken: string): Promise<{ accessToken: stri
   });
 
   if (!rotated) {
+    // REUSE DETECTED: the token existed when we looked it up but was consumed
+    // by a concurrent request before we could rotate it — two parties presented
+    // the same single-use token. We cannot tell which one is the attacker, and
+    // whichever redeemed it first already holds a freshly rotated valid token.
+    // Revoke the entire token family: every refresh token and session for this
+    // user. Both legit client and attacker must re-authenticate.
+    //
+    // NOTE: this covers the *detectable* reuse path. Refresh tokens are opaque
+    // random UUIDs (no JWT claims), so a token that is not found in the DB at
+    // all (deleted in an earlier rotation) cannot be attributed to a user, and
+    // the initial not-found lookup above can only reject it. Full replay
+    // attribution would require tombstoning consumed tokens (e.g. a revokedAt
+    // column) instead of deleting them — a schema change out of scope here.
+    logger.warn(
+      { userId: user.id },
+      '[AUTH] Refresh token reuse detected — revoking all sessions and refresh tokens for user',
+    );
+    await authRepo.deleteRefreshTokensByUserId(user.id);
+    await sessionRepository.deleteAllUserSessions(user.id);
     throw new UnauthorizedError('Refresh token already used', 'INVALID_REFRESH_TOKEN');
   }
 

package/template/server/src/test/setup.ts

@@ -1,6 +1,10 @@
 import { vi } from 'vitest';
 
-// Mock environment variables for testing
+// Mock environment variables for testing.
+// This setup file runs BEFORE any test file is imported (vitest setupFiles),
+// so these must form a COMPLETE valid env: src/config/env.ts validates on
+// import and calls process.exit(1) on failure, killing the whole suite before
+// a single test runs.
 process.env.NODE_ENV = 'test';
 process.env.DATABASE_URL = 'mysql://test:test@localhost:3306/test_db';
 process.env.REDIS_URL = 'redis://localhost:6379';
@@ -9,6 +13,9 @@ process.env.JWT_ACCESS_EXPIRY = '15m';
 process.env.JWT_REFRESH_EXPIRY = '7d';
 process.env.PORT = '3000';
 process.env.HOST = '0.0.0.0';
+// REQUIRE_USER_VERIFICATION defaults to 'true', and env.ts exits when it is
+// enabled without RESEND_API_KEY. Tests don't send email — disable it.
+process.env.REQUIRE_USER_VERIFICATION = 'false';
 
 // Test user data
 export const testUsers = {
@@ -59,15 +66,28 @@ export const testUsers = {
   },
 };
 
-// Test refresh token data
+// Test refresh token data — fields must match the Prisma RefreshToken model
+// exactly (id, token, userId, sessionId, expiresAt, createdAt)
 export const testRefreshToken = {
   id: 'test-token-id-1',
   token: 'test-refresh-token-uuid',
   userId: testUsers.validUser.id,
+  sessionId: null,
   expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days from now
   createdAt: new Date(),
 };
 
+// Test session data — fields must match the Prisma Session model exactly
+export const testSession = {
+  id: 'test-session-id-1',
+  userId: testUsers.validUser.id,
+  deviceInfo: null,
+  ipAddress: null,
+  lastActiveAt: new Date('2024-01-01T00:00:00Z'),
+  expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+  createdAt: new Date('2024-01-01T00:00:00Z'),
+};
+
 // Reset all mocks before each test
 export const resetMocks = (): void => {
   vi.clearAllMocks();

package/template/server/vitest.config.ts

@@ -1,43 +1,43 @@
-import { defineConfig } from 'vitest/config';
-import { resolve } from 'path';
-
-export default defineConfig({
-  test: {
-    globals: true,
-    environment: 'node',
-    coverage: {
-      provider: 'v8',
-      reporter: ['text', 'json', 'html', 'lcov'],
-      exclude: [
-        'node_modules/**',
-        'dist/**',
-        '**/*.config.ts',
-        '**/*.config.js',
-        '**/test/**',
-        '**/__tests__/**',
-        'prisma/**',
-        'scripts/**',
-      ],
-      thresholds: {
-        lines: 80,
-        functions: 80,
-        branches: 80,
-        statements: 80,
-      },
-    },
-    setupFiles: ['./src/test/setup.ts'],
-    include: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],
-    exclude: ['node_modules', 'dist'],
-    testTimeout: 10000,
-    hookTimeout: 10000,
-  },
-  resolve: {
-    alias: {
-      '@': resolve(__dirname, './src'),
-      '@modules': resolve(__dirname, './src/modules'),
-      '@libs': resolve(__dirname, './src/libs'),
-      '@config': resolve(__dirname, './src/config'),
-      '@shared': resolve(__dirname, './src/shared'),
-    },
-  },
-});
+import { defineConfig } from 'vitest/config';
+import { resolve } from 'path';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html', 'lcov'],
+      exclude: [
+        'node_modules/**',
+        'dist/**',
+        '**/*.config.ts',
+        '**/*.config.js',
+        '**/test/**',
+        '**/__tests__/**',
+        'prisma/**',
+        'scripts/**',
+      ],
+      thresholds: {
+        lines: 80,
+        functions: 80,
+        branches: 80,
+        statements: 80,
+      },
+    },
+    setupFiles: ['./src/test/setup.ts'],
+    include: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],
+    exclude: ['node_modules', 'dist'],
+    testTimeout: 10000,
+    hookTimeout: 10000,
+  },
+  resolve: {
+    alias: {
+      '@': resolve(__dirname, './src'),
+      '@modules': resolve(__dirname, './src/modules'),
+      '@libs': resolve(__dirname, './src/libs'),
+      '@config': resolve(__dirname, './src/config'),
+      '@shared': resolve(__dirname, './src/shared'),
+    },
+  },
+});