hazo_auth 1.2.0 → 1.4.0

package/dist/lib/services/email_verification_service.js

@@ -0,0 +1,208 @@
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { create_token } from "hazo_auth/lib/services/token_service";
+import { send_template_email } from "hazo_auth/lib/services/email_service";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+// section: helpers
+/**
+ * Verifies an email verification token
+ * Updates email_verified to true in hazo_users and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Email verification token data (token)
+ * @returns Email verification result with success status, user_id, email, or error
+ */
+export async function verify_email_token(adapter, data) {
+    try {
+        const { token } = data;
+        // Create CRUD service for hazo_refresh_tokens table
+        const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+        // Find all email verification tokens
+        // If token_type column doesn't exist, query all tokens and filter manually
+        let all_tokens = [];
+        try {
+            all_tokens = (await tokens_service.findBy({
+                token_type: "email_verification",
+            }));
+        }
+        catch (error) {
+            // If token_type column doesn't exist, get all tokens and we'll verify each one
+            const logger = create_app_logger();
+            const error_message = error instanceof Error ? error.message : "Unknown error";
+            logger.warn("email_verification_service_token_type_column_missing", {
+                filename: "email_verification_service.ts",
+                line_number: 0,
+                error: error_message,
+                note: "token_type column may not exist, querying all tokens",
+            });
+            try {
+                // Query all tokens (will need to verify each one)
+                all_tokens = (await tokens_service.findBy({}));
+            }
+            catch (fallbackError) {
+                const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+                logger.error("email_verification_service_query_tokens_failed", {
+                    filename: "email_verification_service.ts",
+                    line_number: 0,
+                    error: fallback_error_message,
+                });
+                return {
+                    success: false,
+                    error: "Invalid or expired verification token",
+                };
+            }
+        }
+        if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+            return {
+                success: false,
+                error: "Invalid or expired verification token",
+            };
+        }
+        // Find the matching token by verifying the hash
+        let matching_token = null;
+        let user_id = null;
+        for (const stored_token of all_tokens) {
+            try {
+                const token_hash = stored_token.token_hash;
+                const is_valid = await argon2.verify(token_hash, token);
+                if (is_valid) {
+                    matching_token = stored_token;
+                    user_id = stored_token.user_id;
+                    break;
+                }
+            }
+            catch (_a) {
+                // Continue to next token if verification fails
+                continue;
+            }
+        }
+        if (!matching_token || !user_id) {
+            return {
+                success: false,
+                error: "Invalid or expired verification token",
+            };
+        }
+        // Check if token has expired
+        const expires_at = new Date(matching_token.expires_at);
+        const now = new Date();
+        if (expires_at < now) {
+            // Delete expired token
+            await tokens_service.deleteById(matching_token.id);
+            return {
+                success: false,
+                error: "Verification token has expired",
+            };
+        }
+        // Get user email before updating
+        const users_service = createCrudService(adapter, "hazo_users");
+        const users = await users_service.findBy({
+            id: user_id,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: false,
+                error: "User not found",
+            };
+        }
+        const user = users[0];
+        const email = user.email_address;
+        // Update user's email_verified status
+        const now_iso = new Date().toISOString();
+        await users_service.updateById(user_id, {
+            email_verified: true,
+            changed_at: now_iso,
+        });
+        // Delete the used token
+        await tokens_service.deleteById(matching_token.id);
+        return {
+            success: true,
+            user_id,
+            email,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}
+/**
+ * Resends an email verification token for a user
+ * Creates a new email verification token and stores it in hazo_refresh_tokens
+ * Invalidates any existing email verification tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Resend verification data (email)
+ * @returns Resend verification result with success status or error
+ */
+export async function resend_verification_email(adapter, data) {
+    try {
+        const { email } = data;
+        // Create CRUD service for hazo_users table
+        const users_service = createCrudService(adapter, "hazo_users");
+        // Find user by email
+        const users = await users_service.findBy({
+            email_address: email,
+        });
+        // If user not found, return success anyway (to prevent email enumeration)
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: true,
+            };
+        }
+        const user = users[0];
+        const user_id = user.id;
+        // Check if email is already verified
+        if (user.email_verified === true) {
+            return {
+                success: true,
+            };
+        }
+        // Create email verification token using shared token service
+        const token_result = await create_token({
+            adapter,
+            user_id,
+            token_type: "email_verification",
+        });
+        if (!token_result.success) {
+            return {
+                success: false,
+                error: token_result.error || "Failed to create email verification token",
+            };
+        }
+        // Send verification email if token was created successfully
+        if (token_result.raw_token) {
+            const email_result = await send_template_email("email_verification", email, {
+                token: token_result.raw_token,
+                user_email: email,
+                user_name: user.name,
+            });
+            if (!email_result.success) {
+                const logger = create_app_logger();
+                logger.error("email_verification_service_email_send_failed", {
+                    filename: "email_verification_service.ts",
+                    line_number: 0,
+                    user_id,
+                    email,
+                    error: email_result.error,
+                    note: "Verification token created but email failed to send",
+                });
+                // Return error if email sending failed (this is a technical error, not a security issue)
+                return {
+                    success: false,
+                    error: email_result.error || "Failed to send verification email",
+                };
+            }
+        }
+        return {
+            success: true,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}

package/dist/lib/services/index.d.ts

@@ -0,0 +1,13 @@
+export * from "./email_service";
+export * from "./email_verification_service";
+export * from "./login_service";
+export * from "./password_change_service";
+export * from "./password_reset_service";
+export * from "./profile_picture_remove_service";
+export * from "./profile_picture_service";
+export * from "./profile_picture_source_mapper";
+export * from "./registration_service";
+export * from "./token_service";
+export * from "./user_profiles_service";
+export * from "./user_update_service";
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC"}

package/dist/lib/services/index.js

@@ -0,0 +1,14 @@
+// file_description: barrel export for all services
+// section: service_exports
+export * from "./email_service";
+export * from "./email_verification_service";
+export * from "./login_service";
+export * from "./password_change_service";
+export * from "./password_reset_service";
+export * from "./profile_picture_remove_service";
+export * from "./profile_picture_service";
+export * from "./profile_picture_source_mapper";
+export * from "./registration_service";
+export * from "./token_service";
+export * from "./user_profiles_service";
+export * from "./user_update_service";

package/dist/lib/services/login_service.d.ts

@@ -0,0 +1,20 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export type LoginData = {
+    email: string;
+    password: string;
+};
+export type LoginResult = {
+    success: boolean;
+    user_id?: string;
+    error?: string;
+    email_not_verified?: boolean;
+    stored_url_on_logon?: string | null;
+};
+/**
+ * Authenticates a user by verifying email and password against hazo_users table
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Login data (email, password)
+ * @returns Login result with success status and user_id or error
+ */
+export declare function authenticate_user(adapter: HazoConnectAdapter, data: LoginData): Promise<LoginResult>;
+//# sourceMappingURL=login_service.d.ts.map

package/dist/lib/services/login_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/login_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAQvD,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC,CAAC;AAGF;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,WAAW,CAAC,CAmGtB"}

package/dist/lib/services/login_service.js

@@ -0,0 +1,94 @@
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+import { sanitize_error_for_user } from "hazo_auth/lib/utils/error_sanitizer";
+import { get_line_number } from "hazo_auth/lib/utils/api_route_helpers";
+// section: helpers
+/**
+ * Authenticates a user by verifying email and password against hazo_users table
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Login data (email, password)
+ * @returns Login result with success status and user_id or error
+ */
+export async function authenticate_user(adapter, data) {
+    try {
+        const { email, password } = data;
+        // Create CRUD service for hazo_users table
+        const users_service = createCrudService(adapter, "hazo_users");
+        // Find user by email
+        const users = await users_service.findBy({
+            email_address: email,
+        });
+        // Check if user exists
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: false,
+                error: "Invalid email or password",
+            };
+        }
+        const user = users[0];
+        // Check if user is active
+        if (user.is_active === false) {
+            return {
+                success: false,
+                error: "Account is inactive. Please contact support.",
+            };
+        }
+        // Verify password using argon2
+        const password_hash = user.password_hash;
+        const is_password_valid = await argon2.verify(password_hash, password);
+        if (!is_password_valid) {
+            // Increment login attempts on failed password
+            const current_attempts = user.login_attempts || 0;
+            const now = new Date().toISOString();
+            await users_service.updateById(user.id, {
+                login_attempts: current_attempts + 1,
+                changed_at: now,
+            });
+            return {
+                success: false,
+                error: "Invalid email or password",
+            };
+        }
+        // Check if email is verified
+        const email_verified = user.email_verified;
+        if (!email_verified) {
+            return {
+                success: false,
+                error: "Email address not verified. Please verify your email before logging in.",
+                email_not_verified: true,
+            };
+        }
+        // Password is valid and email is verified - update last_logon and reset login_attempts
+        const now = new Date().toISOString();
+        await users_service.updateById(user.id, {
+            last_logon: now,
+            login_attempts: 0,
+            changed_at: now,
+            url_on_logon: null, // Clear the stored redirect URL after successful login
+        });
+        return {
+            success: true,
+            user_id: user.id,
+            stored_url_on_logon: user.url_on_logon,
+        };
+    }
+    catch (error) {
+        const logger = create_app_logger();
+        const user_friendly_error = sanitize_error_for_user(error, {
+            logToConsole: true,
+            logToLogger: true,
+            logger,
+            context: {
+                filename: "login_service.ts",
+                line_number: get_line_number(),
+                email: data.email,
+                operation: "authenticate_user",
+            },
+        });
+        return {
+            success: false,
+            error: user_friendly_error,
+        };
+    }
+}

package/dist/lib/services/password_change_service.d.ts

@@ -0,0 +1,19 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export type PasswordChangeData = {
+    current_password: string;
+    new_password: string;
+};
+export type PasswordChangeResult = {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Changes a user's password
+ * Verifies the current password, validates the new password, and updates the password hash
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user ID to update
+ * @param data - Password change data (current_password, new_password)
+ * @returns Password change result with success status or error
+ */
+export declare function change_password(adapter: HazoConnectAdapter, user_id: string, data: PasswordChangeData): Promise<PasswordChangeResult>;
+//# sourceMappingURL=password_change_service.d.ts.map

package/dist/lib/services/password_change_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password_change_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/password_change_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAQvD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,kBAAkB,GACvB,OAAO,CAAC,oBAAoB,CAAC,CAuH/B"}

package/dist/lib/services/password_change_service.js

@@ -0,0 +1,118 @@
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { get_password_requirements_config } from "hazo_auth/lib/password_requirements_config.server";
+import { send_template_email } from "hazo_auth/lib/services/email_service";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+// section: helpers
+/**
+ * Changes a user's password
+ * Verifies the current password, validates the new password, and updates the password hash
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user ID to update
+ * @param data - Password change data (current_password, new_password)
+ * @returns Password change result with success status or error
+ */
+export async function change_password(adapter, user_id, data) {
+    try {
+        const { current_password, new_password } = data;
+        // Create CRUD service for hazo_users table
+        const users_service = createCrudService(adapter, "hazo_users");
+        // Get current user data
+        const users = await users_service.findBy({
+            id: user_id,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: false,
+                error: "User not found",
+            };
+        }
+        const user = users[0];
+        const password_hash = user.password_hash;
+        const email = user.email_address;
+        const user_name = user.name;
+        // Verify current password
+        try {
+            const is_valid = await argon2.verify(password_hash, current_password);
+            if (!is_valid) {
+                return {
+                    success: false,
+                    error: "Current password is incorrect",
+                };
+            }
+        }
+        catch (error) {
+            return {
+                success: false,
+                error: "Failed to verify current password",
+            };
+        }
+        // Get password requirements from config
+        const password_requirements = get_password_requirements_config();
+        // Validate new password
+        if (!new_password || new_password.length < password_requirements.minimum_length) {
+            return {
+                success: false,
+                error: `Password must be at least ${password_requirements.minimum_length} characters long`,
+            };
+        }
+        if (password_requirements.require_uppercase && !/[A-Z]/.test(new_password)) {
+            return {
+                success: false,
+                error: "Password must contain at least one uppercase letter",
+            };
+        }
+        if (password_requirements.require_lowercase && !/[a-z]/.test(new_password)) {
+            return {
+                success: false,
+                error: "Password must contain at least one lowercase letter",
+            };
+        }
+        if (password_requirements.require_number && !/[0-9]/.test(new_password)) {
+            return {
+                success: false,
+                error: "Password must contain at least one number",
+            };
+        }
+        if (password_requirements.require_special && !/[^A-Za-z0-9]/.test(new_password)) {
+            return {
+                success: false,
+                error: "Password must contain at least one special character",
+            };
+        }
+        // Hash the new password
+        const new_password_hash = await argon2.hash(new_password);
+        // Update password hash in database
+        const now = new Date().toISOString();
+        await users_service.updateById(user_id, {
+            password_hash: new_password_hash,
+            changed_at: now,
+        });
+        // Send password changed notification email
+        const email_result = await send_template_email("password_changed", email, {
+            user_email: email,
+            user_name: user_name,
+        });
+        if (!email_result.success) {
+            const logger = create_app_logger();
+            logger.error("password_change_service_email_failed", {
+                filename: "password_change_service.ts",
+                line_number: 0,
+                user_id,
+                email,
+                error: email_result.error,
+                note: "Password was changed successfully but notification email failed to send",
+            });
+        }
+        return {
+            success: true,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}

package/dist/lib/services/password_reset_service.d.ts

@@ -0,0 +1,52 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export type PasswordResetRequestData = {
+    email: string;
+};
+export type PasswordResetRequestResult = {
+    success: boolean;
+    error?: string;
+};
+export type PasswordResetData = {
+    token: string;
+    new_password: string;
+    minimum_length?: number;
+};
+export type PasswordResetResult = {
+    success: boolean;
+    user_id?: string;
+    email?: string;
+    error?: string;
+};
+export type PasswordResetTokenValidationData = {
+    token: string;
+};
+export type PasswordResetTokenValidationResult = {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Requests a password reset for a user by email
+ * Generates a secure token, hashes it, and stores it in hazo_refresh_tokens with token_type = 'password_reset'
+ * Invalidates any existing password reset tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset request data (email)
+ * @returns Password reset request result with success status or error
+ */
+export declare function request_password_reset(adapter: HazoConnectAdapter, data: PasswordResetRequestData): Promise<PasswordResetRequestResult>;
+/**
+ * Validates a password reset token without resetting the password
+ * Verifies the token exists and checks if it has expired
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Token validation data (token)
+ * @returns Token validation result with success status or error
+ */
+export declare function validate_password_reset_token(adapter: HazoConnectAdapter, data: PasswordResetTokenValidationData): Promise<PasswordResetTokenValidationResult>;
+/**
+ * Resets a user's password using a password reset token
+ * Verifies the token, checks expiration, updates password, and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset data (token, new_password)
+ * @returns Password reset result with success status, user_id, email, or error
+ */
+export declare function reset_password(adapter: HazoConnectAdapter, data: PasswordResetData): Promise<PasswordResetResult>;
+//# sourceMappingURL=password_reset_service.d.ts.map

package/dist/lib/services/password_reset_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password_reset_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/password_reset_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAQvD,MAAM,MAAM,wBAAwB,GAAG;IACrC,KAAK,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,gCAAgC,GAAG;IAC7C,KAAK,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG;IAC/C,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,wBAAwB,GAC7B,OAAO,CAAC,0BAA0B,CAAC,CAqErC;AAED;;;;;;GAMG;AACH,wBAAsB,6BAA6B,CACjD,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,gCAAgC,GACrC,OAAO,CAAC,kCAAkC,CAAC,CAgG7C;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,kBAAkB,EAC3B,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,mBAAmB,CAAC,CAiK9B"}