npm - hazo_auth - Versions diffs - 1.2.0 → 1.4.0 - Mend

hazo_auth 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/dist/lib/services/password_reset_service.js ADDED Viewed

@@ -0,0 +1,318 @@
+import { createCrudService } from "hazo_connect/server";
+import { create_token } from "hazo_auth/lib/services/token_service";
+import argon2 from "argon2";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+import { send_template_email } from "hazo_auth/lib/services/email_service";
+// section: helpers
+/**
+ * Requests a password reset for a user by email
+ * Generates a secure token, hashes it, and stores it in hazo_refresh_tokens with token_type = 'password_reset'
+ * Invalidates any existing password reset tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset request data (email)
+ * @returns Password reset request result with success status or error
+ */
+export async function request_password_reset(adapter, data) {
+    try {
+        const { email } = data;
+        // Create CRUD service for hazo_users table
+        const users_service = createCrudService(adapter, "hazo_users");
+        // Find user by email
+        const users = await users_service.findBy({
+            email_address: email,
+        });
+        // If user not found, return success anyway (to prevent email enumeration)
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: true,
+            };
+        }
+        const user = users[0];
+        const user_id = user.id;
+        // Create password reset token using shared token service
+        const token_result = await create_token({
+            adapter,
+            user_id,
+            token_type: "password_reset",
+        });
+        if (!token_result.success) {
+            return {
+                success: false,
+                error: token_result.error || "Failed to create password reset token",
+            };
+        }
+        // Send password reset email if token was created successfully
+        if (token_result.raw_token) {
+            const email_result = await send_template_email("forgot_password", email, {
+                token: token_result.raw_token,
+                user_email: email,
+                user_name: user.name,
+            });
+            if (!email_result.success) {
+                const logger = create_app_logger();
+                logger.error("password_reset_service_email_send_failed", {
+                    filename: "password_reset_service.ts",
+                    line_number: 0,
+                    user_id,
+                    email,
+                    error: email_result.error,
+                    note: "Password reset token created but email failed to send",
+                });
+            }
+        }
+        return {
+            success: true,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}
+/**
+ * Validates a password reset token without resetting the password
+ * Verifies the token exists and checks if it has expired
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Token validation data (token)
+ * @returns Token validation result with success status or error
+ */
+export async function validate_password_reset_token(adapter, data) {
+    try {
+        const { token } = data;
+        // Create CRUD service for hazo_refresh_tokens table
+        const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+        // Find all password reset tokens
+        // If token_type column doesn't exist, query all tokens and filter manually
+        let all_tokens = [];
+        try {
+            all_tokens = (await tokens_service.findBy({
+                token_type: "password_reset",
+            }));
+        }
+        catch (error) {
+            // If token_type column doesn't exist, get all tokens and we'll verify each one
+            const logger = create_app_logger();
+            const error_message = error instanceof Error ? error.message : "Unknown error";
+            logger.warn("password_reset_service_token_type_column_missing", {
+                filename: "password_reset_service.ts",
+                line_number: 0,
+                error: error_message,
+                note: "token_type column may not exist, querying all tokens",
+            });
+            try {
+                // Query all tokens (will need to verify each one)
+                all_tokens = (await tokens_service.findBy({}));
+            }
+            catch (fallbackError) {
+                const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+                logger.error("password_reset_service_query_tokens_failed", {
+                    filename: "password_reset_service.ts",
+                    line_number: 0,
+                    error: fallback_error_message,
+                });
+                return {
+                    success: false,
+                    error: "Invalid or expired reset token",
+                };
+            }
+        }
+        if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+            return {
+                success: false,
+                error: "Invalid or expired reset token",
+            };
+        }
+        // Find the matching token by verifying the hash
+        let matching_token = null;
+        for (const stored_token of all_tokens) {
+            try {
+                const token_hash = stored_token.token_hash;
+                const is_valid = await argon2.verify(token_hash, token);
+                if (is_valid) {
+                    matching_token = stored_token;
+                    break;
+                }
+            }
+            catch (_a) {
+                // Continue to next token if verification fails
+                continue;
+            }
+        }
+        if (!matching_token) {
+            return {
+                success: false,
+                error: "Invalid or expired reset token",
+            };
+        }
+        // Check if token has expired
+        const expires_at = new Date(matching_token.expires_at);
+        const now = new Date();
+        if (expires_at < now) {
+            return {
+                success: false,
+                error: "Reset token has expired",
+            };
+        }
+        return {
+            success: true,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}
+/**
+ * Resets a user's password using a password reset token
+ * Verifies the token, checks expiration, updates password, and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset data (token, new_password)
+ * @returns Password reset result with success status, user_id, email, or error
+ */
+export async function reset_password(adapter, data) {
+    try {
+        const { token, new_password, minimum_length = 8 } = data;
+        // Validate password
+        if (!new_password || new_password.length < minimum_length) {
+            return {
+                success: false,
+                error: `Password must be at least ${minimum_length} character${minimum_length === 1 ? "" : "s"} long`,
+            };
+        }
+        // Create CRUD service for hazo_refresh_tokens table
+        const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+        // Find all password reset tokens
+        // If token_type column doesn't exist, query all tokens and filter manually
+        let all_tokens = [];
+        try {
+            all_tokens = (await tokens_service.findBy({
+                token_type: "password_reset",
+            }));
+        }
+        catch (error) {
+            // If token_type column doesn't exist, get all tokens and we'll verify each one
+            const logger = create_app_logger();
+            const error_message = error instanceof Error ? error.message : "Unknown error";
+            logger.warn("password_reset_service_token_type_column_missing", {
+                filename: "password_reset_service.ts",
+                line_number: 0,
+                error: error_message,
+                note: "token_type column may not exist, querying all tokens",
+            });
+            try {
+                // Query all tokens (will need to verify each one)
+                all_tokens = (await tokens_service.findBy({}));
+            }
+            catch (fallbackError) {
+                const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+                logger.error("password_reset_service_query_tokens_failed", {
+                    filename: "password_reset_service.ts",
+                    line_number: 0,
+                    error: fallback_error_message,
+                });
+                return {
+                    success: false,
+                    error: "Invalid or expired reset token",
+                };
+            }
+        }
+        if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+            return {
+                success: false,
+                error: "Invalid or expired reset token",
+            };
+        }
+        // Find the matching token by verifying the hash
+        let matching_token = null;
+        let user_id = null;
+        for (const stored_token of all_tokens) {
+            try {
+                const token_hash = stored_token.token_hash;
+                const is_valid = await argon2.verify(token_hash, token);
+                if (is_valid) {
+                    matching_token = stored_token;
+                    user_id = stored_token.user_id;
+                    break;
+                }
+            }
+            catch (_a) {
+                // Continue to next token if verification fails
+                continue;
+            }
+        }
+        if (!matching_token || !user_id) {
+            return {
+                success: false,
+                error: "Invalid or expired reset token",
+            };
+        }
+        // Check if token has expired
+        const expires_at = new Date(matching_token.expires_at);
+        const now = new Date();
+        if (expires_at < now) {
+            // Delete expired token
+            await tokens_service.deleteById(matching_token.id);
+            return {
+                success: false,
+                error: "Reset token has expired",
+            };
+        }
+        // Get user email before updating
+        const users_service = createCrudService(adapter, "hazo_users");
+        const users = await users_service.findBy({
+            id: user_id,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: false,
+                error: "User not found",
+            };
+        }
+        const user = users[0];
+        const email = user.email_address;
+        // Hash the new password
+        const password_hash = await argon2.hash(new_password);
+        // Update user's password
+        const now_iso = new Date().toISOString();
+        await users_service.updateById(user_id, {
+            password_hash: password_hash,
+            changed_at: now_iso,
+        });
+        // Delete the used token
+        await tokens_service.deleteById(matching_token.id);
+        // Send password changed notification email
+        const email_result = await send_template_email("password_changed", email, {
+            user_email: email,
+            user_name: user.name,
+        });
+        if (!email_result.success) {
+            const logger = create_app_logger();
+            logger.error("password_reset_service_password_changed_email_failed", {
+                filename: "password_reset_service.ts",
+                line_number: 0,
+                user_id,
+                email,
+                error: email_result.error,
+                note: "Password was reset successfully but notification email failed to send",
+            });
+        }
+        return {
+            success: true,
+            user_id,
+            email,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}

package/dist/lib/services/profile_picture_remove_service.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+export type RemoveProfilePictureResult = {
+    success: boolean;
+    error?: string;
+};
+/**
+ * Removes user profile picture
+ * - If source is "upload": deletes the uploaded file and clears profile_picture_url and profile_source
+ * - If source is "gravatar" or "library": clears profile_picture_url and profile_source
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @returns Remove result with success status or error
+ */
+export declare function remove_user_profile_picture(adapter: HazoConnectAdapter, user_id: string): Promise<RemoveProfilePictureResult>;
+//# sourceMappingURL=profile_picture_remove_service.d.ts.map

package/dist/lib/services/profile_picture_remove_service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"profile_picture_remove_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/profile_picture_remove_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,MAAM,MAAM,0BAA0B,GAAG;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,0BAA0B,CAAC,CA0FrC"}

package/dist/lib/services/profile_picture_remove_service.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "hazo_auth/lib/services/profile_picture_source_mapper";
+import { get_profile_picture_config } from "hazo_auth/lib/profile_picture_config.server";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+import fs from "fs";
+import path from "path";
+// section: helpers
+/**
+ * Removes user profile picture
+ * - If source is "upload": deletes the uploaded file and clears profile_picture_url and profile_source
+ * - If source is "gravatar" or "library": clears profile_picture_url and profile_source
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @returns Remove result with success status or error
+ */
+export async function remove_user_profile_picture(adapter, user_id) {
+    try {
+        const users_service = createCrudService(adapter, "hazo_users");
+        // Get current user data
+        const users = await users_service.findBy({
+            id: user_id,
+        });
+        if (!Array.isArray(users) || users.length === 0) {
+            return {
+                success: false,
+                error: "User not found",
+            };
+        }
+        const current_user = users[0];
+        const profile_picture_url = current_user.profile_picture_url || null;
+        const profile_source_db = current_user.profile_source || null;
+        if (!profile_picture_url || !profile_source_db) {
+            // No profile picture to remove
+            return {
+                success: true,
+            };
+        }
+        // Map database source to UI source
+        const profile_source_ui = map_db_source_to_ui(profile_source_db);
+        // If source is "upload", delete the file
+        if (profile_source_ui === "upload") {
+            try {
+                const config = get_profile_picture_config();
+                if (config.upload_photo_path) {
+                    // Extract filename from URL (e.g., /api/hazo_auth/profile_picture/user_id.jpg)
+                    const fileName = profile_picture_url.split("/").pop();
+                    if (fileName && fileName.startsWith(user_id)) {
+                        // Resolve upload path
+                        const uploadPath = path.isAbsolute(config.upload_photo_path)
+                            ? config.upload_photo_path
+                            : path.resolve(process.cwd(), config.upload_photo_path);
+                        const filePath = path.join(uploadPath, fileName);
+                        // Delete file if it exists
+                        if (fs.existsSync(filePath)) {
+                            fs.unlinkSync(filePath);
+                        }
+                    }
+                }
+            }
+            catch (error) {
+                // Log error but continue with database update
+                const logger = create_app_logger();
+                const error_message = error instanceof Error ? error.message : "Unknown error";
+                logger.warn("profile_picture_remove_file_delete_failed", {
+                    filename: "profile_picture_remove_service.ts",
+                    line_number: 0,
+                    user_id,
+                    profile_picture_url,
+                    error: error_message,
+                });
+                // Don't fail the request if file deletion fails - still clear the database
+            }
+        }
+        // Clear profile picture URL and source in database
+        // Note: profile_source has a CHECK constraint, so we'll set it to null
+        // If the database doesn't allow null, we may need to handle it differently
+        const update_data = {
+            changed_at: new Date().toISOString(),
+            profile_picture_url: null,
+            profile_source: null,
+        };
+        await users_service.updateById(user_id, update_data);
+        return {
+            success: true,
+        };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}

package/dist/lib/services/profile_picture_service.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import type { HazoConnectAdapter } from "hazo_connect";
+import { type ProfilePictureSourceUI } from "hazo_auth/lib/services/profile_picture_source_mapper";
+export type ProfilePictureSource = ProfilePictureSourceUI;
+export type DefaultProfilePictureResult = {
+    profile_picture_url: string;
+    profile_source: ProfilePictureSource;
+};
+/**
+ * Generates Gravatar URL from email address
+ * @param email - User's email address
+ * @param size - Image size in pixels (defaults to config value)
+ * @returns Gravatar URL
+ */
+export declare function get_gravatar_url(email: string, size?: number): string;
+/**
+ * Gets library photo categories by reading subdirectories
+ * @returns Array of category names
+ */
+export declare function get_library_categories(): string[];
+/**
+ * Gets photos in a specific library category
+ * @param category - Category name
+ * @returns Array of photo URLs (relative to public directory)
+ */
+export declare function get_library_photos(category: string): string[];
+/**
+ * Gets default profile picture based on configuration priority
+ * @param user_email - User's email address
+ * @param user_name - User's name (optional)
+ * @returns Default profile picture URL and source, or null if no default available
+ */
+export declare function get_default_profile_picture(user_email: string, user_name?: string): DefaultProfilePictureResult | null;
+/**
+ * Updates user profile picture in database
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @param profile_picture_url - Profile picture URL
+ * @param profile_source - Profile picture source type
+ * @returns Success status
+ */
+export declare function update_user_profile_picture(adapter: HazoConnectAdapter, user_id: string, profile_picture_url: string, profile_source: ProfilePictureSource): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+//# sourceMappingURL=profile_picture_service.d.ts.map

package/dist/lib/services/profile_picture_service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"profile_picture_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/profile_picture_service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AASvD,OAAO,EAAuB,KAAK,sBAAsB,EAAE,MAAM,sDAAsD,CAAC;AAGxH,MAAM,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAE1D,MAAM,MAAM,2BAA2B,GAAG;IACxC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,EAAE,oBAAoB,CAAC;CACtC,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAyBjD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAiC7D;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACzC,UAAU,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,GACjB,2BAA2B,GAAG,IAAI,CA2DpC;AAED;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,MAAM,EAC3B,cAAc,EAAE,oBAAoB,GACnC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}

package/dist/lib/services/profile_picture_service.js ADDED Viewed

@@ -0,0 +1,183 @@
+import { createCrudService } from "hazo_connect/server";
+import gravatarUrl from "gravatar-url";
+import { get_profile_picture_config } from "hazo_auth/lib/profile_picture_config.server";
+import { get_ui_sizes_config } from "hazo_auth/lib/ui_sizes_config.server";
+import { get_file_types_config } from "hazo_auth/lib/file_types_config.server";
+import { create_app_logger } from "hazo_auth/lib/app_logger";
+import path from "path";
+import fs from "fs";
+import { map_ui_source_to_db } from "hazo_auth/lib/services/profile_picture_source_mapper";
+// section: helpers
+/**
+ * Generates Gravatar URL from email address
+ * @param email - User's email address
+ * @param size - Image size in pixels (defaults to config value)
+ * @returns Gravatar URL
+ */
+export function get_gravatar_url(email, size) {
+    const uiSizes = get_ui_sizes_config();
+    const gravatarSize = size || uiSizes.gravatar_size;
+    return gravatarUrl(email, {
+        size: gravatarSize,
+        default: "identicon",
+    });
+}
+/**
+ * Gets library photo categories by reading subdirectories
+ * @returns Array of category names
+ */
+export function get_library_categories() {
+    const config = get_profile_picture_config();
+    const library_path = path.resolve(process.cwd(), "public", config.library_photo_path.replace(/^\//, ""));
+    if (!fs.existsSync(library_path)) {
+        return [];
+    }
+    try {
+        const entries = fs.readdirSync(library_path, { withFileTypes: true });
+        return entries
+            .filter((entry) => entry.isDirectory())
+            .map((entry) => entry.name)
+            .sort();
+    }
+    catch (error) {
+        const logger = create_app_logger();
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        logger.warn("profile_picture_service_read_categories_failed", {
+            filename: "profile_picture_service.ts",
+            line_number: 0,
+            library_path,
+            error: error_message,
+        });
+        return [];
+    }
+}
+/**
+ * Gets photos in a specific library category
+ * @param category - Category name
+ * @returns Array of photo URLs (relative to public directory)
+ */
+export function get_library_photos(category) {
+    const config = get_profile_picture_config();
+    const category_path = path.resolve(process.cwd(), "public", config.library_photo_path.replace(/^\//, ""), category);
+    if (!fs.existsSync(category_path)) {
+        return [];
+    }
+    try {
+        const fileTypes = get_file_types_config();
+        const allowedExtensions = fileTypes.allowed_image_extensions.map(ext => `.${ext.toLowerCase()}`);
+        const entries = fs.readdirSync(category_path, { withFileTypes: true });
+        const photos = entries
+            .filter((entry) => {
+            if (!entry.isFile())
+                return false;
+            const ext = path.extname(entry.name).toLowerCase();
+            return allowedExtensions.includes(ext);
+        })
+            .map((entry) => `${config.library_photo_path}/${category}/${entry.name}`)
+            .sort();
+        return photos;
+    }
+    catch (error) {
+        const logger = create_app_logger();
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        logger.warn("profile_picture_service_read_photos_failed", {
+            filename: "profile_picture_service.ts",
+            line_number: 0,
+            category,
+            category_path,
+            error: error_message,
+        });
+        return [];
+    }
+}
+/**
+ * Gets default profile picture based on configuration priority
+ * @param user_email - User's email address
+ * @param user_name - User's name (optional)
+ * @returns Default profile picture URL and source, or null if no default available
+ */
+export function get_default_profile_picture(user_email, user_name) {
+    const config = get_profile_picture_config();
+    if (!config.user_photo_default) {
+        return null;
+    }
+    const uiSizes = get_ui_sizes_config();
+    // Try priority 1
+    if (config.user_photo_default_priority1 === "gravatar") {
+        const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+        // Note: We can't check if Gravatar actually exists without making a request
+        // For now, we'll always return Gravatar URL and let the browser handle 404
+        return {
+            profile_picture_url: gravatar_url,
+            profile_source: "gravatar",
+        };
+    }
+    else if (config.user_photo_default_priority1 === "library") {
+        const categories = get_library_categories();
+        if (categories.length > 0) {
+            // Use first category, first photo as default
+            const photos = get_library_photos(categories[0]);
+            if (photos.length > 0) {
+                return {
+                    profile_picture_url: photos[0],
+                    profile_source: "library",
+                };
+            }
+        }
+    }
+    // Try priority 2 if priority 1 didn't work (only if priority2 is different from priority1)
+    const priority1 = config.user_photo_default_priority1;
+    const priority2 = config.user_photo_default_priority2;
+    if (priority2 && priority2 !== priority1) {
+        if (priority2 === "gravatar") {
+            const gravatar_url = get_gravatar_url(user_email, uiSizes.gravatar_size);
+            return {
+                profile_picture_url: gravatar_url,
+                profile_source: "gravatar",
+            };
+        }
+        else if (priority2 === "library") {
+            const categories = get_library_categories();
+            if (categories.length > 0) {
+                const photos = get_library_photos(categories[0]);
+                if (photos.length > 0) {
+                    return {
+                        profile_picture_url: photos[0],
+                        profile_source: "library",
+                    };
+                }
+            }
+        }
+    }
+    // No default photo available
+    return null;
+}
+/**
+ * Updates user profile picture in database
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @param profile_picture_url - Profile picture URL
+ * @param profile_source - Profile picture source type
+ * @returns Success status
+ */
+export async function update_user_profile_picture(adapter, user_id, profile_picture_url, profile_source) {
+    try {
+        const users_service = createCrudService(adapter, "hazo_users");
+        const now = new Date().toISOString();
+        // Map UI source value to database enum value
+        const db_profile_source = map_ui_source_to_db(profile_source);
+        await users_service.updateById(user_id, {
+            profile_picture_url,
+            profile_source: db_profile_source,
+            changed_at: now,
+        });
+        return { success: true };
+    }
+    catch (error) {
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        return {
+            success: false,
+            error: error_message,
+        };
+    }
+}