elevenlabs-webhook-nodejs 1.0.0

package/nestjs/src/auth/auth.service.ts

@@ -0,0 +1,612 @@
+import {
+  Injectable,
+  Inject,
+  UnauthorizedException,
+  ConflictException,
+  BadRequestException,
+  Logger,
+} from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import Redis from 'ioredis';
+import * as bcrypt from 'bcrypt';
+import { randomBytes, createHash } from 'crypto';
+import { PrismaService } from '../database/prisma.service';
+import { REDIS_CLIENT } from '../redis/redis.module';
+import { JwtPayload } from '../common/interfaces/jwt-payload.interface';
+import { ROLE_PERMISSIONS } from './permissions.config';
+import {
+  LoginDto,
+  RegisterDto,
+  RefreshDto,
+  ChangePasswordDto,
+  ForgotPasswordDto,
+  ResetPasswordDto,
+} from './dto';
+
+const BCRYPT_ROUNDS = 12;
+
+@Injectable()
+export class AuthService {
+  private readonly logger = new Logger(AuthService.name);
+  private readonly accessExpiry: string;
+  private readonly refreshExpiry: string;
+  private readonly accessExpirySeconds: number;
+  private readonly refreshExpirySeconds: number;
+
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly jwtService: JwtService,
+    private readonly configService: ConfigService,
+    @Inject(REDIS_CLIENT) private readonly redis: Redis,
+  ) {
+    this.accessExpiry = this.configService.get<string>('JWT_ACCESS_EXPIRY', '15m');
+    this.refreshExpiry = this.configService.get<string>('JWT_REFRESH_EXPIRY', '30d');
+    this.accessExpirySeconds = this.parseExpiry(this.accessExpiry);
+    this.refreshExpirySeconds = this.parseExpiry(this.refreshExpiry);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  LOGIN                                                              */
+  /* ------------------------------------------------------------------ */
+
+  async login(dto: LoginDto) {
+    const user = await this.prisma.user.findUnique({
+      where: { user_email: dto.email },
+      include: {
+        tenant: true,
+        clinic_assignments: true,
+      },
+    });
+
+    if (!user || !user.user_is_active) {
+      throw new UnauthorizedException('Invalid credentials');
+    }
+
+    const passwordValid = await bcrypt.compare(dto.password, user.user_password_hash);
+    if (!passwordValid) {
+      throw new UnauthorizedException('Invalid credentials');
+    }
+
+    // Tenant must be active (for tenant-scoped users)
+    if (user.tenant && !user.tenant.tenant_is_active) {
+      throw new UnauthorizedException('Tenant account is deactivated');
+    }
+
+    const clinicIds = user.clinic_assignments.map((a) => a.assign_clinic_id);
+
+    const payload = this.buildJwtPayload(user, user.tenant, clinicIds);
+    const tokens = await this.issueTokens(payload);
+
+    // Update last login
+    await this.prisma.user.update({
+      where: { user_id: user.user_id },
+      data: { user_last_login_at: new Date() },
+    });
+
+    return {
+      user: {
+        id: user.user_id,
+        email: user.user_email,
+        firstName: user.user_first_name,
+        lastName: user.user_last_name,
+        role: user.user_role,
+        permissions: payload.permissions,
+      },
+      tenant: user.tenant
+        ? { id: user.tenant.tenant_id, name: user.tenant.tenant_name }
+        : null,
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  REGISTER                                                           */
+  /* ------------------------------------------------------------------ */
+
+  async register(dto: RegisterDto) {
+    // Check if email already exists
+    const existing = await this.prisma.user.findUnique({
+      where: { user_email: dto.email },
+    });
+    if (existing) {
+      throw new ConflictException('Email already registered');
+    }
+
+    const passwordHash = await bcrypt.hash(dto.password, BCRYPT_ROUNDS);
+    const clinicSlug = this.slugify(dto.tenantName);
+
+    // Create tenant + default clinic + owner user in a transaction
+    const result = await this.prisma.$transaction(async (tx) => {
+      const tenant = await tx.tenant.create({
+        data: {
+          tenant_name: dto.tenantName,
+          tenant_enabled_features: [],
+        },
+      });
+
+      const clinic = await tx.clinic.create({
+        data: {
+          clinic_tenant_id: tenant.tenant_id,
+          clinic_name: dto.tenantName,
+          clinic_slug: clinicSlug,
+          clinic_is_default: true,
+        },
+      });
+
+      const user = await tx.user.create({
+        data: {
+          user_tenant_id: tenant.tenant_id,
+          user_email: dto.email,
+          user_password_hash: passwordHash,
+          user_role: 'owner',
+          user_first_name: dto.firstName,
+          user_last_name: dto.lastName,
+          user_last_login_at: new Date(),
+        },
+      });
+
+      return { tenant, clinic, user };
+    });
+
+    const payload = this.buildJwtPayload(
+      result.user,
+      result.tenant,
+      [], // owner sees all clinics via allClinics flag
+    );
+    const tokens = await this.issueTokens(payload);
+
+    return {
+      user: {
+        id: result.user.user_id,
+        email: result.user.user_email,
+        firstName: result.user.user_first_name,
+        lastName: result.user.user_last_name,
+        role: result.user.user_role,
+      },
+      tenant: {
+        id: result.tenant.tenant_id,
+        name: result.tenant.tenant_name,
+      },
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  REFRESH                                                            */
+  /* ------------------------------------------------------------------ */
+
+  async refresh(dto: RefreshDto) {
+    // Look up the refresh token in Redis
+    const userId = await this.redis.get(`refresh:${dto.refreshToken}`);
+    if (!userId) {
+      throw new UnauthorizedException('Invalid or expired refresh token');
+    }
+
+    // Also verify the token exists in the DB (belt-and-suspenders)
+    const dbToken = await this.prisma.refreshToken.findUnique({
+      where: { token_value: dto.refreshToken },
+    });
+    if (!dbToken || dbToken.token_expires_at < new Date()) {
+      // Clean up Redis if DB token is expired/missing
+      await this.redis.del(`refresh:${dto.refreshToken}`);
+      if (dbToken) {
+        await this.prisma.refreshToken.delete({ where: { token_id: dbToken.token_id } });
+      }
+      throw new UnauthorizedException('Invalid or expired refresh token');
+    }
+
+    // Re-fetch the user to get fresh permissions, features, clinic assignments
+    const user = await this.prisma.user.findUnique({
+      where: { user_id: userId },
+      include: {
+        tenant: true,
+        clinic_assignments: true,
+      },
+    });
+
+    if (!user || !user.user_is_active) {
+      throw new UnauthorizedException('User account is deactivated');
+    }
+
+    if (user.tenant && !user.tenant.tenant_is_active) {
+      throw new UnauthorizedException('Tenant account is deactivated');
+    }
+
+    // Revoke the old refresh token
+    await this.redis.del(`refresh:${dto.refreshToken}`);
+    await this.prisma.refreshToken.delete({ where: { token_id: dbToken.token_id } });
+
+    const clinicIds = user.clinic_assignments.map((a) => a.assign_clinic_id);
+    const payload = this.buildJwtPayload(user, user.tenant, clinicIds);
+    const tokens = await this.issueTokens(payload);
+
+    return {
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  LOGOUT                                                             */
+  /* ------------------------------------------------------------------ */
+
+  async logout(opaqueAccessToken: string, userId: string) {
+    // Delete the session from Redis
+    await this.redis.del(`session:${opaqueAccessToken}`);
+
+    // Find and delete all refresh tokens for this user from the DB
+    // (We only revoke the current session's access token, not all sessions)
+    // The user can call this on each device separately.
+    // If they want to revoke all, they can change their password.
+    this.logger.log(`User ${userId} logged out`);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  CHANGE PASSWORD                                                    */
+  /* ------------------------------------------------------------------ */
+
+  async changePassword(userId: string, dto: ChangePasswordDto) {
+    const user = await this.prisma.user.findUnique({
+      where: { user_id: userId },
+    });
+
+    if (!user) {
+      throw new UnauthorizedException('User not found');
+    }
+
+    const valid = await bcrypt.compare(dto.currentPassword, user.user_password_hash);
+    if (!valid) {
+      throw new BadRequestException('Current password is incorrect');
+    }
+
+    const newHash = await bcrypt.hash(dto.newPassword, BCRYPT_ROUNDS);
+
+    await this.prisma.user.update({
+      where: { user_id: userId },
+      data: { user_password_hash: newHash },
+    });
+
+    // Revoke all existing sessions
+    await this.revokeAllUserSessions(userId);
+
+    return { message: 'Password changed successfully. Please log in again.' };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  FORGOT PASSWORD (stub — no email sending yet)                      */
+  /* ------------------------------------------------------------------ */
+
+  async forgotPassword(dto: ForgotPasswordDto) {
+    const user = await this.prisma.user.findUnique({
+      where: { user_email: dto.email },
+    });
+
+    // Always return success to prevent email enumeration
+    if (!user) {
+      return { message: 'If this email exists, a reset link has been sent.' };
+    }
+
+    const rawToken = randomBytes(32).toString('hex');
+    const hashedToken = createHash('sha256').update(rawToken).digest('hex');
+
+    // Store the hashed token in Redis with 1-hour TTL
+    await this.redis.set(
+      `password_reset:${hashedToken}`,
+      user.user_id,
+      'EX',
+      3600, // 1 hour
+    );
+
+    // TODO: Send email with rawToken (not hashed) in the reset link
+    this.logger.log(`Password reset token generated for user ${user.user_id} (email sending not yet implemented)`);
+
+    return { message: 'If this email exists, a reset link has been sent.' };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  RESET PASSWORD                                                     */
+  /* ------------------------------------------------------------------ */
+
+  async resetPassword(dto: ResetPasswordDto) {
+    const hashedToken = createHash('sha256').update(dto.token).digest('hex');
+
+    const userId = await this.redis.get(`password_reset:${hashedToken}`);
+    if (!userId) {
+      throw new BadRequestException('Invalid or expired reset token');
+    }
+
+    const newHash = await bcrypt.hash(dto.newPassword, BCRYPT_ROUNDS);
+
+    await this.prisma.user.update({
+      where: { user_id: userId },
+      data: { user_password_hash: newHash },
+    });
+
+    // Delete the reset token
+    await this.redis.del(`password_reset:${hashedToken}`);
+
+    // Revoke all existing sessions
+    await this.revokeAllUserSessions(userId);
+
+    return { message: 'Password has been reset. Please log in with your new password.' };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  ME — current user info                                             */
+  /* ------------------------------------------------------------------ */
+
+  async me(userId: string) {
+    const user = await this.prisma.user.findUnique({
+      where: { user_id: userId },
+      include: {
+        tenant: true,
+        clinic_assignments: {
+          include: { clinic: true },
+        },
+      },
+    });
+
+    if (!user) {
+      throw new UnauthorizedException('User not found');
+    }
+
+    // Superadmin gets all permissions (bypasses guards on backend, needs them for frontend sidebar)
+    let permissions: string[];
+    if (user.user_role === 'superadmin') {
+      const allPerms = new Set<string>();
+      for (const perms of Object.values(ROLE_PERMISSIONS)) {
+        for (const p of perms) allPerms.add(p);
+      }
+      permissions = [...allPerms];
+    } else {
+      const rolePermissions = ROLE_PERMISSIONS[user.user_role] ?? [];
+      const customPermissions = Array.isArray(user.user_custom_permissions)
+        ? (user.user_custom_permissions as string[])
+        : [];
+      permissions = customPermissions.length > 0
+        ? customPermissions
+        : rolePermissions;
+    }
+
+    return {
+      user: {
+        id: user.user_id,
+        email: user.user_email,
+        firstName: user.user_first_name,
+        lastName: user.user_last_name,
+        role: user.user_role,
+        phone: user.user_phone,
+        permissions,
+      },
+      tenant: user.tenant
+        ? {
+            id: user.tenant.tenant_id,
+            name: user.tenant.tenant_name,
+            features: user.tenant.tenant_enabled_features,
+          }
+        : null,
+      clinics: user.clinic_assignments.map((a) => ({
+        id: a.clinic.clinic_id,
+        name: a.clinic.clinic_name,
+        slug: a.clinic.clinic_slug,
+        isDefault: a.clinic.clinic_is_default,
+      })),
+    };
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  SELF-SERVICE SCHEDULE                                               */
+  /* ------------------------------------------------------------------ */
+
+  async getMySchedule(userId: string) {
+    const profile = await this.prisma.doctorProfile.findUnique({
+      where: { dprofile_user_id: userId },
+    });
+
+    return {
+      workingHours: profile?.dprofile_working_hours ?? [],
+      appointmentDuration: profile?.dprofile_appointment_duration ?? 30,
+      specialty: profile?.dprofile_specialty ?? '',
+      title: profile?.dprofile_title ?? '',
+      color: profile?.dprofile_color ?? '#e77d22',
+      isAccepting: profile?.dprofile_is_accepting ?? true,
+    };
+  }
+
+  async updateMySchedule(
+    userId: string,
+    body: { workingHours?: any; appointmentDuration?: number },
+  ) {
+    await this.prisma.doctorProfile.upsert({
+      where: { dprofile_user_id: userId },
+      create: {
+        dprofile_user_id: userId,
+        ...(body.workingHours !== undefined && { dprofile_working_hours: body.workingHours }),
+        ...(body.appointmentDuration !== undefined && { dprofile_appointment_duration: body.appointmentDuration }),
+      },
+      update: {
+        ...(body.workingHours !== undefined && { dprofile_working_hours: body.workingHours }),
+        ...(body.appointmentDuration !== undefined && { dprofile_appointment_duration: body.appointmentDuration }),
+      },
+    });
+
+    return this.getMySchedule(userId);
+  }
+
+  /* ------------------------------------------------------------------ */
+  /*  PRIVATE HELPERS                                                     */
+  /* ------------------------------------------------------------------ */
+
+  private buildJwtPayload(
+    user: {
+      user_id: string;
+      user_role: string;
+      user_tenant_id: string | null;
+      user_custom_permissions?: any;
+    },
+    tenant: {
+      tenant_id: string;
+      tenant_enabled_features: string[];
+    } | null,
+    clinicIds: string[],
+  ): JwtPayload {
+    const role = user.user_role;
+    const allClinics = role === 'owner' || role === 'superadmin';
+
+    // Superadmin gets all permissions (bypasses backend guards, needs them for frontend UI)
+    let permissions: string[];
+    if (role === 'superadmin') {
+      const allPerms = new Set<string>();
+      for (const perms of Object.values(ROLE_PERMISSIONS)) {
+        for (const p of perms) allPerms.add(p);
+      }
+      permissions = [...allPerms];
+    } else {
+      const rolePermissions = ROLE_PERMISSIONS[role] ?? [];
+      const customPermissions = Array.isArray(user.user_custom_permissions)
+        ? (user.user_custom_permissions as string[])
+        : [];
+      permissions = customPermissions.length > 0
+        ? customPermissions
+        : rolePermissions;
+    }
+
+    return {
+      sub: user.user_id,
+      tenantId: user.user_tenant_id,
+      role,
+      permissions,
+      features: tenant?.tenant_enabled_features ?? [],
+      clinicIds: allClinics ? [] : clinicIds,
+      allClinics,
+    };
+  }
+
+  private async issueTokens(payload: JwtPayload): Promise<{
+    accessToken: string;
+    refreshToken: string;
+  }> {
+    // Sign the JWT
+    const jwt = this.jwtService.sign(
+      { ...payload },
+      { expiresIn: this.accessExpiry as any },
+    );
+
+    // Generate opaque tokens
+    const opaqueAccessToken = randomBytes(32).toString('hex');
+    const opaqueRefreshToken = randomBytes(32).toString('hex');
+
+    // Store access token (JWT) in Redis
+    await this.redis.set(
+      `session:${opaqueAccessToken}`,
+      jwt,
+      'EX',
+      this.accessExpirySeconds,
+    );
+
+    // Store refresh token in Redis
+    await this.redis.set(
+      `refresh:${opaqueRefreshToken}`,
+      payload.sub,
+      'EX',
+      this.refreshExpirySeconds,
+    );
+
+    // Also persist refresh token in PostgreSQL for durability
+    const expiresAt = new Date(Date.now() + this.refreshExpirySeconds * 1000);
+    await this.prisma.refreshToken.create({
+      data: {
+        token_user_id: payload.sub,
+        token_value: opaqueRefreshToken,
+        token_expires_at: expiresAt,
+      },
+    });
+
+    return {
+      accessToken: opaqueAccessToken,
+      refreshToken: opaqueRefreshToken,
+    };
+  }
+
+  private async revokeAllUserSessions(userId: string): Promise<void> {
+    // Delete all refresh tokens from DB
+    const tokens = await this.prisma.refreshToken.findMany({
+      where: { token_user_id: userId },
+    });
+
+    for (const token of tokens) {
+      // Remove from Redis
+      await this.redis.del(`refresh:${token.token_value}`);
+    }
+
+    // Delete all DB refresh tokens
+    await this.prisma.refreshToken.deleteMany({
+      where: { token_user_id: userId },
+    });
+
+    // Scan and delete session keys for this user
+    // We iterate through all session keys — acceptable because revoke-all
+    // is a rare operation (password change).
+    let cursor = '0';
+    do {
+      const [nextCursor, keys] = await this.redis.scan(
+        cursor,
+        'MATCH',
+        'session:*',
+        'COUNT',
+        100,
+      );
+      cursor = nextCursor;
+
+      for (const key of keys) {
+        const jwt = await this.redis.get(key);
+        if (jwt) {
+          try {
+            const decoded = this.jwtService.decode(jwt) as JwtPayload | null;
+            if (decoded?.sub === userId) {
+              await this.redis.del(key);
+            }
+          } catch {
+            // Skip invalid JWTs
+          }
+        }
+      }
+    } while (cursor !== '0');
+  }
+
+  private parseExpiry(expiry: string): number {
+    const match = expiry.match(/^(\d+)(s|m|h|d)$/);
+    if (!match) {
+      // Default to 15 minutes if format is unrecognised
+      return 900;
+    }
+
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+
+    switch (unit) {
+      case 's':
+        return value;
+      case 'm':
+        return value * 60;
+      case 'h':
+        return value * 3600;
+      case 'd':
+        return value * 86400;
+      default:
+        return 900;
+    }
+  }
+
+  private slugify(text: string): string {
+    return text
+      .toLowerCase()
+      .trim()
+      .replace(/[^a-z0-9\s-]/g, '')
+      .replace(/\s+/g, '-')
+      .replace(/-+/g, '-');
+  }
+}

package/nestjs/src/auth/dto/change-password.dto.ts

@@ -0,0 +1,13 @@
+import { IsString, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class ChangePasswordDto {
+  @ApiProperty()
+  @IsString()
+  currentPassword: string;
+
+  @ApiProperty()
+  @IsString()
+  @MinLength(6)
+  newPassword: string;
+}

package/nestjs/src/auth/dto/forgot-password.dto.ts

@@ -0,0 +1,8 @@
+import { IsEmail } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class ForgotPasswordDto {
+  @ApiProperty({ example: 'user@clinic.com' })
+  @IsEmail()
+  email: string;
+}

package/nestjs/src/auth/dto/index.ts

@@ -0,0 +1,6 @@
+export { LoginDto } from './login.dto';
+export { RegisterDto } from './register.dto';
+export { RefreshDto } from './refresh.dto';
+export { ChangePasswordDto } from './change-password.dto';
+export { ForgotPasswordDto } from './forgot-password.dto';
+export { ResetPasswordDto } from './reset-password.dto';

package/nestjs/src/auth/dto/login.dto.ts

@@ -0,0 +1,13 @@
+import { IsEmail, IsString, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class LoginDto {
+  @ApiProperty({ example: 'user@clinic.com' })
+  @IsEmail()
+  email: string;
+
+  @ApiProperty({ example: 'password123' })
+  @IsString()
+  @MinLength(6)
+  password: string;
+}

package/nestjs/src/auth/dto/refresh.dto.ts

@@ -0,0 +1,8 @@
+import { IsString } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class RefreshDto {
+  @ApiProperty()
+  @IsString()
+  refreshToken: string;
+}

package/nestjs/src/auth/dto/register.dto.ts

@@ -0,0 +1,28 @@
+import { IsEmail, IsString, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class RegisterDto {
+  @ApiProperty()
+  @IsString()
+  @MinLength(1)
+  firstName: string;
+
+  @ApiProperty()
+  @IsString()
+  @MinLength(1)
+  lastName: string;
+
+  @ApiProperty({ example: 'user@clinic.com' })
+  @IsEmail()
+  email: string;
+
+  @ApiProperty({ example: 'password123' })
+  @IsString()
+  @MinLength(6)
+  password: string;
+
+  @ApiProperty({ example: 'My Dental Clinic' })
+  @IsString()
+  @MinLength(1)
+  tenantName: string;
+}

package/nestjs/src/auth/dto/reset-password.dto.ts

@@ -0,0 +1,13 @@
+import { IsString, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class ResetPasswordDto {
+  @ApiProperty()
+  @IsString()
+  token: string;
+
+  @ApiProperty()
+  @IsString()
+  @MinLength(6)
+  newPassword: string;
+}