hazo_auth 0.1.0

package/src/lib/services/profile_picture_service.ts

@@ -0,0 +1,215 @@
+// file_description: service for profile picture management including default photo logic, Gravatar, and library photos
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import gravatarUrl from "gravatar-url";
+import { get_profile_picture_config } from "../profile_picture_config.server";
+import { get_ui_sizes_config } from "../ui_sizes_config.server";
+import { get_file_types_config } from "../file_types_config.server";
+import { create_app_logger } from "../app_logger";
+import path from "path";
+import fs from "fs";
+import { map_ui_source_to_db, type ProfilePictureSourceUI } from "./profile_picture_source_mapper";
+
+// section: types
+export type ProfilePictureSource = ProfilePictureSourceUI;
+
+export type DefaultProfilePictureResult = {
+  profile_picture_url: string;
+  profile_source: ProfilePictureSource;
+};
+
+// section: helpers
+/**
+ * Generates Gravatar URL from email address
+ * @param email - User's email address
+ * @param size - Image size in pixels (defaults to config value)
+ * @returns Gravatar URL
+ */
+export function get_gravatar_url(email: string, size?: number): string {
+  const uiSizes = get_ui_sizes_config();
+  const gravatarSize = size || uiSizes.gravatar_size;
+  return gravatarUrl(email, {
+    size: gravatarSize,
+    default: "identicon",
+  });
+}
+
+/**
+ * Gets library photo categories by reading subdirectories
+ * @returns Array of category names
+ */
+export function get_library_categories(): string[] {
+  const config = get_profile_picture_config();
+  const library_path = path.resolve(process.cwd(), "public", config.library_photo_path.replace(/^\//, ""));
+  
+  if (!fs.existsSync(library_path)) {
+    return [];
+  }
+
+  try {
+    const entries = fs.readdirSync(library_path, { withFileTypes: true });
+    return entries
+      .filter((entry) => entry.isDirectory())
+      .map((entry) => entry.name)
+      .sort();
+  } catch (error) {
+    const logger = create_app_logger();
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    logger.warn("profile_picture_service_read_categories_failed", {
+      filename: "profile_picture_service.ts",
+      line_number: 0,
+      library_path,
+      error: error_message,
+    });
+    return [];
+  }
+}
+
+/**
+ * Gets photos in a specific library category
+ * @param category - Category name
+ * @returns Array of photo URLs (relative to public directory)
+ */
+export function get_library_photos(category: string): string[] {
+  const config = get_profile_picture_config();
+  const category_path = path.resolve(process.cwd(), "public", config.library_photo_path.replace(/^\//, ""), category);
+  
+  if (!fs.existsSync(category_path)) {
+    return [];
+  }
+
+  try {
+    const fileTypes = get_file_types_config();
+    const allowedExtensions = fileTypes.allowed_image_extensions.map(ext => `.${ext.toLowerCase()}`);
+    const entries = fs.readdirSync(category_path, { withFileTypes: true });
+    const photos = entries
+      .filter((entry) => {
+        if (!entry.isFile()) return false;
+        const ext = path.extname(entry.name).toLowerCase();
+        return allowedExtensions.includes(ext);
+      })
+      .map((entry) => `${config.library_photo_path}/${category}/${entry.name}`)
+      .sort();
+    return photos;
+  } catch (error) {
+    const logger = create_app_logger();
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    logger.warn("profile_picture_service_read_photos_failed", {
+      filename: "profile_picture_service.ts",
+      line_number: 0,
+      category,
+      category_path,
+      error: error_message,
+    });
+    return [];
+  }
+}
+
+/**
+ * Gets default profile picture based on configuration priority
+ * @param user_email - User's email address
+ * @param user_name - User's name (optional)
+ * @returns Default profile picture URL and source, or null if no default available
+ */
+export function get_default_profile_picture(
+  user_email: string,
+  user_name?: string,
+): DefaultProfilePictureResult | null {
+  const config = get_profile_picture_config();
+
+  if (!config.user_photo_default) {
+    return null;
+  }
+
+  const uiSizes = get_ui_sizes_config();
+  
+  // Try priority 1
+  if (config.user_photo_default_priority1 === "gravatar") {
+    const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+    // Note: We can't check if Gravatar actually exists without making a request
+    // For now, we'll always return Gravatar URL and let the browser handle 404
+    return {
+      profile_picture_url: gravatar_url,
+      profile_source: "gravatar",
+    };
+  } else if (config.user_photo_default_priority1 === "library") {
+    const categories = get_library_categories();
+    if (categories.length > 0) {
+      // Use first category, first photo as default
+      const photos = get_library_photos(categories[0]);
+      if (photos.length > 0) {
+        return {
+          profile_picture_url: photos[0],
+          profile_source: "library",
+        };
+      }
+    }
+  }
+
+  // Try priority 2 if priority 1 didn't work (only if priority2 is different from priority1)
+  const priority1 = config.user_photo_default_priority1;
+  const priority2 = config.user_photo_default_priority2;
+  
+  if (priority2 && priority2 !== priority1) {
+    if (priority2 === "gravatar") {
+      const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+      return {
+        profile_picture_url: gravatar_url,
+        profile_source: "gravatar",
+      };
+    } else if (priority2 === "library") {
+      const categories = get_library_categories();
+      if (categories.length > 0) {
+        const photos = get_library_photos(categories[0]);
+        if (photos.length > 0) {
+          return {
+            profile_picture_url: photos[0],
+            profile_source: "library",
+          };
+        }
+      }
+    }
+  }
+
+  // No default photo available
+  return null;
+}
+
+/**
+ * Updates user profile picture in database
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @param profile_picture_url - Profile picture URL
+ * @param profile_source - Profile picture source type
+ * @returns Success status
+ */
+export async function update_user_profile_picture(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+  profile_picture_url: string,
+  profile_source: ProfilePictureSource,
+): Promise<{ success: boolean; error?: string }> {
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+    const now = new Date().toISOString();
+
+    // Map UI source value to database enum value
+    const db_profile_source = map_ui_source_to_db(profile_source);
+
+    await users_service.updateById(user_id, {
+      profile_picture_url,
+      profile_source: db_profile_source,
+      changed_at: now,
+    });
+
+    return { success: true };
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/src/lib/services/profile_picture_source_mapper.ts

@@ -0,0 +1,62 @@
+// file_description: helper to map between UI profile picture source values and database enum values
+// section: types
+/**
+ * UI representation of profile picture source
+ * Used in components and API interfaces
+ */
+export type ProfilePictureSourceUI = "upload" | "library" | "gravatar" | "custom";
+
+/**
+ * Database enum values for profile_source
+ * Must match the CHECK constraint in the database
+ */
+export type ProfilePictureSourceDB = "gravatar" | "custom" | "predefined";
+
+// section: helpers
+/**
+ * Maps UI profile picture source to database enum value
+ * @param uiSource - UI representation of source ("upload", "library", "gravatar", "custom")
+ * @returns Database enum value ("gravatar", "custom", "predefined")
+ */
+export function map_ui_source_to_db(uiSource: ProfilePictureSourceUI): ProfilePictureSourceDB {
+  switch (uiSource) {
+    case "upload":
+      return "custom"; // User uploaded their own photo
+    case "library":
+      return "predefined"; // User selected from predefined library
+    case "gravatar":
+      return "gravatar"; // User's Gravatar
+    case "custom":
+      return "custom"; // Already in database format
+    default:
+      // Fallback to custom for unknown values
+      return "custom";
+  }
+}
+
+/**
+ * Maps database enum value to UI representation
+ * @param dbSource - Database enum value ("gravatar", "custom", "predefined")
+ * @returns UI representation ("upload", "library", "gravatar", "custom")
+ */
+export function map_db_source_to_ui(dbSource: ProfilePictureSourceDB | string | null | undefined): ProfilePictureSourceUI {
+  if (!dbSource) {
+    return "custom"; // Default fallback
+  }
+
+  switch (dbSource) {
+    case "gravatar":
+      return "gravatar";
+    case "custom":
+      return "upload"; // Map custom to upload in UI (user uploaded their own)
+    case "predefined":
+      return "library"; // Map predefined to library in UI (user selected from library)
+    default:
+      // For unknown values, try to return as-is if it matches UI format
+      if (dbSource === "upload" || dbSource === "library") {
+        return dbSource as ProfilePictureSourceUI;
+      }
+      return "custom"; // Fallback
+  }
+}
+

package/src/lib/services/registration_service.ts

@@ -0,0 +1,163 @@
+// file_description: service for user registration operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { randomUUID } from "crypto";
+import { create_token } from "./token_service";
+import { get_default_profile_picture } from "./profile_picture_service";
+import { get_profile_picture_config } from "../profile_picture_config.server";
+import { map_ui_source_to_db } from "./profile_picture_source_mapper";
+import { create_app_logger } from "../app_logger";
+import { send_template_email } from "./email_service";
+
+// section: types
+export type RegistrationData = {
+  email: string;
+  password: string;
+  name?: string;
+};
+
+export type RegistrationResult = {
+  success: boolean;
+  user_id?: string;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Registers a new user in the database using hazo_connect
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Registration data (email, password, optional name)
+ * @returns Registration result with success status and user_id or error
+ */
+export async function register_user(
+  adapter: HazoConnectAdapter,
+  data: RegistrationData,
+): Promise<RegistrationResult> {
+  try {
+    const { email, password, name } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Check if user already exists
+    const existing_users = await users_service.findBy({
+      email_address: email,
+    });
+
+    if (Array.isArray(existing_users) && existing_users.length > 0) {
+      return {
+        success: false,
+        error: "Email address already registered",
+      };
+    }
+
+    // Hash password using argon2
+    const password_hash = await argon2.hash(password);
+
+    // Generate user ID
+    const user_id = randomUUID();
+    const now = new Date().toISOString();
+
+    // Insert user into database using CRUD service
+    const insert_data: Record<string, unknown> = {
+      id: user_id,
+      email_address: email,
+      password_hash: password_hash,
+      email_verified: false,
+      is_active: true,
+      login_attempts: 0,
+      created_at: now,
+      changed_at: now,
+    };
+
+    // Include name if provided
+    if (name) {
+      insert_data.name = name;
+    }
+
+    // Set default profile picture if enabled
+    const profile_picture_config = get_profile_picture_config();
+    if (profile_picture_config.user_photo_default) {
+      const default_photo = get_default_profile_picture(email, name);
+      if (default_photo) {
+        insert_data.profile_picture_url = default_photo.profile_picture_url;
+        // Map UI source value to database enum value
+        insert_data.profile_source = map_ui_source_to_db(default_photo.profile_source);
+      }
+    }
+
+    const inserted_users = await users_service.insert(insert_data);
+
+    // Verify insertion was successful
+    if (!Array.isArray(inserted_users) || inserted_users.length === 0) {
+      return {
+        success: false,
+        error: "Failed to create user account",
+      };
+    }
+
+    // Create email verification token for the new user
+    const token_result = await create_token({
+      adapter,
+      user_id,
+      token_type: "email_verification",
+    });
+
+    if (!token_result.success) {
+      // Log error but don't fail registration - token can be resent later
+      const logger = create_app_logger();
+      const error_message = token_result.error || "Unknown error";
+      logger.error("registration_service_token_creation_failed", {
+        filename: "registration_service.ts",
+        line_number: 0,
+        user_id,
+        error: error_message,
+        note: "This may be due to missing token_type column in hazo_refresh_tokens table. Please ensure migration 001_add_token_type_to_refresh_tokens.sql has been applied.",
+      });
+    } else {
+      const logger = create_app_logger();
+      logger.info("registration_service_token_created", {
+        filename: "registration_service.ts",
+        line_number: 0,
+        user_id,
+      });
+    }
+
+    // Send verification email if token was created successfully
+    if (token_result.success && token_result.raw_token) {
+      const email_result = await send_template_email("email_verification", email, {
+        token: token_result.raw_token,
+        user_email: email,
+        user_name: name,
+      });
+      
+      if (!email_result.success) {
+        const logger = create_app_logger();
+        logger.error("registration_service_email_send_failed", {
+          filename: "registration_service.ts",
+          line_number: 0,
+          user_id,
+          email,
+          error: email_result.error,
+          note: "User registration succeeded but verification email failed to send",
+        });
+      }
+    }
+
+    return {
+      success: true,
+      user_id,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/src/lib/services/token_service.ts

@@ -0,0 +1,240 @@
+// file_description: shared service for creating and managing tokens in hazo_refresh_tokens table
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import { randomBytes, randomUUID } from "crypto";
+import argon2 from "argon2";
+import { read_config_section } from "../config/config_loader.server";
+import { create_app_logger } from "../app_logger";
+
+// section: types
+export type TokenType = "refresh" | "password_reset" | "email_verification";
+
+export type CreateTokenParams = {
+  adapter: HazoConnectAdapter;
+  user_id: string;
+  token_type: TokenType;
+};
+
+export type CreateTokenResult = {
+  success: boolean;
+  raw_token?: string;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Gets token expiry hours from hazo_auth_config.ini for a specific token type
+ * Falls back to defaults if config is not found
+ * @param token_type - The type of token (refresh, password_reset, email_verification)
+ * @returns Number of hours until token expires
+ */
+function get_token_expiry_hours(token_type: TokenType): number {
+  const default_expiries: Record<TokenType, number> = {
+    refresh: 720, // 30 days
+    password_reset: 0.167, // 10 minutes
+    email_verification: 48, // 48 hours
+  };
+
+  const logger = create_app_logger();
+  const token_config_section = read_config_section("hazo_auth__tokens");
+
+  // Get expiry from config or environment variable or default
+  const config_key = `${token_type}_expiry_hours`;
+  const env_key = `HAZO_AUTH_${token_type.toUpperCase()}_TOKEN_EXPIRY_HOURS`;
+
+  const expiry_hours =
+    token_config_section?.[config_key] ||
+    process.env[env_key] ||
+    default_expiries[token_type];
+
+  return parseFloat(String(expiry_hours)) || default_expiries[token_type];
+}
+
+/**
+ * Creates a token for a user and stores it in hazo_refresh_tokens table
+ * Invalidates any existing tokens of the same type for the user before creating a new one
+ * @param params - Token creation parameters (adapter, user_id, token_type)
+ * @returns Token creation result with raw_token (for sending to user) or error
+ */
+export async function create_token(
+  params: CreateTokenParams,
+): Promise<CreateTokenResult> {
+  try {
+    const { adapter, user_id, token_type } = params;
+
+    // Create CRUD service for hazo_refresh_tokens table
+    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+
+    // Invalidate any existing tokens of this type for this user
+    // If token_type column doesn't exist, this will fail - catch and continue
+    let existing_tokens: unknown[] = [];
+    try {
+      existing_tokens = (await tokens_service.findBy({
+        user_id: user_id,
+        token_type: token_type,
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, try without it
+      // This is a fallback for databases that haven't had the migration applied
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("token_service_token_type_column_missing", {
+        filename: "token_service.ts",
+        line_number: 0,
+        user_id,
+        token_type,
+        error: error_message,
+        note: "token_type column may not exist, trying without filter",
+      });
+      // Try to find tokens by user_id only (less precise but works without migration)
+      try {
+        existing_tokens = (await tokens_service.findBy({
+          user_id: user_id,
+        })) as unknown[];
+      } catch (fallbackError) {
+        // If that also fails, log and continue (will just create new token)
+        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+        logger.warn("token_service_query_existing_tokens_failed", {
+          filename: "token_service.ts",
+          line_number: 0,
+          user_id,
+          error: fallback_error_message,
+          note: "Could not query existing tokens, will create new token anyway",
+        });
+      }
+    }
+
+    if (Array.isArray(existing_tokens) && existing_tokens.length > 0) {
+      // Delete existing tokens (of this type if token_type exists, or all for user if not)
+      for (const token of existing_tokens) {
+        try {
+          await tokens_service.deleteById((token as { id: unknown }).id);
+        } catch (deleteError) {
+          const logger = create_app_logger();
+          const error_message = deleteError instanceof Error ? deleteError.message : "Unknown error";
+          logger.warn("token_service_delete_existing_token_failed", {
+            filename: "token_service.ts",
+            line_number: 0,
+            user_id,
+            token_id: (token as { id: unknown }).id,
+            error: error_message,
+          });
+        }
+      }
+    }
+
+    // Generate a secure random token
+    const raw_token = randomBytes(32).toString("hex");
+
+    // Hash the token before storing
+    const token_hash = await argon2.hash(raw_token);
+
+    // Get expiry hours from config
+    const expiry_hours = get_token_expiry_hours(token_type);
+
+    // Calculate expiration time (convert hours to milliseconds)
+    const expires_at = new Date();
+    expires_at.setTime(expires_at.getTime() + expiry_hours * 60 * 60 * 1000);
+
+    const now = new Date().toISOString();
+
+    // Insert the token into the database
+    // Try with token_type first, fallback to without if column doesn't exist
+    let inserted_tokens: unknown[];
+    try {
+      inserted_tokens = (await tokens_service.insert({
+        id: randomUUID(),
+        user_id: user_id,
+        token_hash: token_hash,
+        token_type: token_type,
+        expires_at: expires_at.toISOString(),
+        created_at: now,
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, try without it
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("token_service_insert_with_token_type_failed", {
+        filename: "token_service.ts",
+        line_number: 0,
+        user_id,
+        token_type,
+        error: error_message,
+        note: "token_type column may not exist, inserting without it",
+      });
+      // Fallback: insert without token_type (will use default if column exists with default)
+      inserted_tokens = (await tokens_service.insert({
+        id: randomUUID(),
+        user_id: user_id,
+        token_hash: token_hash,
+        expires_at: expires_at.toISOString(),
+        created_at: now,
+      })) as unknown[];
+    }
+
+    // Verify insertion was successful
+    if (!Array.isArray(inserted_tokens) || inserted_tokens.length === 0) {
+      const logger = create_app_logger();
+      const error_msg = `Failed to create ${token_type} token - no rows inserted`;
+      logger.error("token_service_insertion_failed", {
+        filename: "token_service.ts",
+        line_number: 0,
+        user_id,
+        token_type,
+        error: error_msg,
+      });
+      return {
+        success: false,
+        error: error_msg,
+      };
+    }
+
+    const logger = create_app_logger();
+    logger.info("token_service_token_created", {
+      filename: "token_service.ts",
+      line_number: 0,
+      user_id,
+      token_type,
+    });
+    
+    // Log raw token and test URLs in debug mode (logger handles dev mode)
+    logger.debug("token_service_raw_token", {
+      filename: "token_service.ts",
+      line_number: 0,
+      user_id,
+      token_type,
+      raw_token,
+      test_url: token_type === "email_verification" 
+        ? `/verify_email?token=${raw_token}`
+        : token_type === "password_reset"
+        ? `/reset_password?token=${raw_token}`
+        : undefined,
+    });
+
+    return {
+      success: true,
+      raw_token,
+    };
+  } catch (error) {
+    const logger = create_app_logger();
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("token_service_create_token_error", {
+      filename: "token_service.ts",
+      line_number: 0,
+      user_id: params.user_id,
+      token_type: params.token_type,
+      error: error_message,
+      error_stack,
+    });
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+