hazo_auth 0.1.0

package/src/lib/services/email_verification_service.ts

@@ -0,0 +1,264 @@
+// file_description: service for email verification operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { create_token } from "./token_service";
+import { send_template_email } from "./email_service";
+import { create_app_logger } from "../app_logger";
+
+// section: types
+export type EmailVerificationTokenData = {
+  token: string;
+};
+
+export type EmailVerificationResult = {
+  success: boolean;
+  user_id?: string;
+  email?: string;
+  error?: string;
+};
+
+export type ResendVerificationData = {
+  email: string;
+};
+
+export type ResendVerificationResult = {
+  success: boolean;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Verifies an email verification token
+ * Updates email_verified to true in hazo_users and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Email verification token data (token)
+ * @returns Email verification result with success status, user_id, email, or error
+ */
+export async function verify_email_token(
+  adapter: HazoConnectAdapter,
+  data: EmailVerificationTokenData,
+): Promise<EmailVerificationResult> {
+  try {
+    const { token } = data;
+
+    // Create CRUD service for hazo_refresh_tokens table
+    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+
+    // Find all email verification tokens
+    // If token_type column doesn't exist, query all tokens and filter manually
+    let all_tokens: unknown[] = [];
+    try {
+      all_tokens = (await tokens_service.findBy({
+        token_type: "email_verification",
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, get all tokens and we'll verify each one
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("email_verification_service_token_type_column_missing", {
+        filename: "email_verification_service.ts",
+        line_number: 0,
+        error: error_message,
+        note: "token_type column may not exist, querying all tokens",
+      });
+      try {
+        // Query all tokens (will need to verify each one)
+        all_tokens = (await tokens_service.findBy({})) as unknown[];
+      } catch (fallbackError) {
+        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+        logger.error("email_verification_service_query_tokens_failed", {
+          filename: "email_verification_service.ts",
+          line_number: 0,
+          error: fallback_error_message,
+        });
+        return {
+          success: false,
+          error: "Invalid or expired verification token",
+        };
+      }
+    }
+
+    if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+      return {
+        success: false,
+        error: "Invalid or expired verification token",
+      };
+    }
+
+    // Find the matching token by verifying the hash
+    let matching_token = null;
+    let user_id: string | null = null;
+
+    for (const stored_token of all_tokens) {
+      try {
+        const token_hash = (stored_token as { token_hash: string }).token_hash;
+        const is_valid = await argon2.verify(token_hash, token);
+
+        if (is_valid) {
+          matching_token = stored_token;
+          user_id = (stored_token as { user_id: string }).user_id;
+          break;
+        }
+      } catch {
+        // Continue to next token if verification fails
+        continue;
+      }
+    }
+
+    if (!matching_token || !user_id) {
+      return {
+        success: false,
+        error: "Invalid or expired verification token",
+      };
+    }
+
+    // Check if token has expired
+    const expires_at = new Date((matching_token as { expires_at: string }).expires_at);
+    const now = new Date();
+
+    if (expires_at < now) {
+      // Delete expired token
+      await tokens_service.deleteById((matching_token as { id: string }).id);
+
+      return {
+        success: false,
+        error: "Verification token has expired",
+      };
+    }
+
+    // Get user email before updating
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+
+    const user = users[0];
+    const email = user.email_address as string;
+
+    // Update user's email_verified status
+    const now_iso = new Date().toISOString();
+    await users_service.updateById(
+      user_id,
+      {
+        email_verified: true,
+        changed_at: now_iso,
+      },
+    );
+
+    // Delete the used token
+    await tokens_service.deleteById((matching_token as { id: string }).id);
+
+    return {
+      success: true,
+      user_id,
+      email,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+
+/**
+ * Resends an email verification token for a user
+ * Creates a new email verification token and stores it in hazo_refresh_tokens
+ * Invalidates any existing email verification tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Resend verification data (email)
+ * @returns Resend verification result with success status or error
+ */
+export async function resend_verification_email(
+  adapter: HazoConnectAdapter,
+  data: ResendVerificationData,
+): Promise<ResendVerificationResult> {
+  try {
+    const { email } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Find user by email
+    const users = await users_service.findBy({
+      email_address: email,
+    });
+
+    // If user not found, return success anyway (to prevent email enumeration)
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: true,
+      };
+    }
+
+    const user = users[0];
+    const user_id = user.id as string;
+
+    // Check if email is already verified
+    if (user.email_verified === true) {
+      return {
+        success: true,
+      };
+    }
+
+    // Create email verification token using shared token service
+    const token_result = await create_token({
+      adapter,
+      user_id,
+      token_type: "email_verification",
+    });
+
+    if (!token_result.success) {
+      return {
+        success: false,
+        error: token_result.error || "Failed to create email verification token",
+      };
+    }
+
+    // Send verification email if token was created successfully
+    if (token_result.raw_token) {
+      const email_result = await send_template_email("email_verification", email, {
+        token: token_result.raw_token,
+        user_email: email,
+        user_name: user.name as string | undefined,
+      });
+      
+      if (!email_result.success) {
+        const logger = create_app_logger();
+        logger.error("email_verification_service_email_send_failed", {
+          filename: "email_verification_service.ts",
+          line_number: 0,
+          user_id,
+          email,
+          error: email_result.error,
+          note: "Verification token created but email failed to send",
+        });
+      }
+    }
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/src/lib/services/login_service.ts

@@ -0,0 +1,118 @@
+// file_description: service for user login operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+
+// section: types
+export type LoginData = {
+  email: string;
+  password: string;
+};
+
+export type LoginResult = {
+  success: boolean;
+  user_id?: string;
+  error?: string;
+  email_not_verified?: boolean;
+};
+
+// section: helpers
+/**
+ * Authenticates a user by verifying email and password against hazo_users table
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Login data (email, password)
+ * @returns Login result with success status and user_id or error
+ */
+export async function authenticate_user(
+  adapter: HazoConnectAdapter,
+  data: LoginData,
+): Promise<LoginResult> {
+  try {
+    const { email, password } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Find user by email
+    const users = await users_service.findBy({
+      email_address: email,
+    });
+
+    // Check if user exists
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "Invalid email or password",
+      };
+    }
+
+    const user = users[0];
+
+    // Check if user is active
+    if (user.is_active === false) {
+      return {
+        success: false,
+        error: "Account is inactive. Please contact support.",
+      };
+    }
+
+    // Verify password using argon2
+    const password_hash = user.password_hash as string;
+    const is_password_valid = await argon2.verify(password_hash, password);
+
+    if (!is_password_valid) {
+      // Increment login attempts on failed password
+      const current_attempts = (user.login_attempts as number) || 0;
+      const now = new Date().toISOString();
+
+      await users_service.updateById(
+        user.id,
+        {
+          login_attempts: current_attempts + 1,
+          changed_at: now,
+        }
+      );
+
+      return {
+        success: false,
+        error: "Invalid email or password",
+      };
+    }
+
+    // Check if email is verified
+    const email_verified = user.email_verified as boolean;
+    if (!email_verified) {
+      return {
+        success: false,
+        error: "Email address not verified. Please verify your email before logging in.",
+        email_not_verified: true,
+      };
+    }
+
+    // Password is valid and email is verified - update last_logon and reset login_attempts
+    const now = new Date().toISOString();
+    await users_service.updateById(
+      user.id,
+      {
+        last_logon: now,
+        login_attempts: 0,
+        changed_at: now,
+      }
+    );
+
+    return {
+      success: true,
+      user_id: user.id as string,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/src/lib/services/password_change_service.ts

@@ -0,0 +1,154 @@
+// file_description: service for changing user password using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { get_password_requirements_config } from "../password_requirements_config.server";
+import { send_template_email } from "./email_service";
+import { create_app_logger } from "../app_logger";
+
+// section: types
+export type PasswordChangeData = {
+  current_password: string;
+  new_password: string;
+};
+
+export type PasswordChangeResult = {
+  success: boolean;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Changes a user's password
+ * Verifies the current password, validates the new password, and updates the password hash
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user ID to update
+ * @param data - Password change data (current_password, new_password)
+ * @returns Password change result with success status or error
+ */
+export async function change_password(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+  data: PasswordChangeData,
+): Promise<PasswordChangeResult> {
+  try {
+    const { current_password, new_password } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Get current user data
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+
+    const user = users[0];
+    const password_hash = user.password_hash as string;
+    const email = user.email_address as string;
+    const user_name = user.name as string | undefined;
+
+    // Verify current password
+    try {
+      const is_valid = await argon2.verify(password_hash, current_password);
+      if (!is_valid) {
+        return {
+          success: false,
+          error: "Current password is incorrect",
+        };
+      }
+    } catch (error) {
+      return {
+        success: false,
+        error: "Failed to verify current password",
+      };
+    }
+
+    // Get password requirements from config
+    const password_requirements = get_password_requirements_config();
+
+    // Validate new password
+    if (!new_password || new_password.length < password_requirements.minimum_length) {
+      return {
+        success: false,
+        error: `Password must be at least ${password_requirements.minimum_length} characters long`,
+      };
+    }
+
+    if (password_requirements.require_uppercase && !/[A-Z]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one uppercase letter",
+      };
+    }
+
+    if (password_requirements.require_lowercase && !/[a-z]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one lowercase letter",
+      };
+    }
+
+    if (password_requirements.require_number && !/[0-9]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one number",
+      };
+    }
+
+    if (password_requirements.require_special && !/[^A-Za-z0-9]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one special character",
+      };
+    }
+
+    // Hash the new password
+    const new_password_hash = await argon2.hash(new_password);
+
+    // Update password hash in database
+    const now = new Date().toISOString();
+    await users_service.updateById(user_id, {
+      password_hash: new_password_hash,
+      changed_at: now,
+    });
+
+    // Send password changed notification email
+    const email_result = await send_template_email("password_changed", email, {
+      user_email: email,
+      user_name: user_name,
+    });
+    
+    if (!email_result.success) {
+      const logger = create_app_logger();
+      logger.error("password_change_service_email_failed", {
+        filename: "password_change_service.ts",
+        line_number: 0,
+        user_id,
+        email,
+        error: email_result.error,
+        note: "Password was changed successfully but notification email failed to send",
+      });
+    }
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+