ecrs-auth-core 1.0.110 → 1.0.112
- package/dist/auth.service.js +6 -5
- package/package.json +1 -1
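--- a/package/dist/auth.service.js
+++ b/package/dist/auth.service.js
@@ -82,8 +82,8 @@ let AuthService = class AuthService {
 const normalizedEmail = email.trim().toLowerCase();
 const whereClause = {
 email: (0, typeorm_1.ILike)(normalizedEmail),
-deletedBy:
-deletedAt:
+deletedBy: (0, typeorm_1.IsNull)(),
+deletedAt: (0, typeorm_1.IsNull)(),
 status: 1,
 };
 //role-id
@@ -100,7 +100,6 @@ let AuthService = class AuthService {
 else if (moduleId !== undefined && modulearray.includes(moduleId)) {
 whereClause.roleId = (0, typeorm_1.In)([1, 2, 3]);
 }
-console.log(`🔍 Validating user with email: ${normalizedEmail}, moduleId: ${moduleId}, whereClause:`, whereClause);
 const user = await this.userRepo.findOne({ where: whereClause });
 // Always run bcrypt.compare regardless of whether the user was found.
 // This prevents timing-based user enumeration: both paths take the same time.
@@ -108,13 +107,15 @@ let AuthService = class AuthService {
 // const DUMMY_HASH = '$2b$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345';
 // const hashToCompare = user?.password ?? DUMMY_HASH;
 // const isValid = await bcrypt.compare(password, hashToCompare);
-console.log(`🔐 Comparing password for user ${user?.id}`);
-console.log(`🔐 Comparing password for user ${user?.password}`);
+// console.log(`🔐 Comparing password for user ${user?.id}`);
+// console.log(`🔐 Comparing password for user ${user?.password}`);
 const isValid = user
 ? await bcrypt.compare(password, user.password)
 : false;
 // Single generic message — never reveal whether the email exists
 if (!user || !isValid) {
+console.log(`🔍 Validating user with email: ${normalizedEmail}, moduleId: ${moduleId}, whereClause:`, whereClause);
+console.log(`🔐 Comparing password for user ${user?.id}`);
 throw new common_1.UnauthorizedException("Invalid credentials");
 }
 if (clientIp && this.ipRestrictionsRepo) {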