hazo_auth 1.4.2 → 1.6.0

package/src/lib/services/email_verification_service.ts

@@ -1,270 +0,0 @@
-// file_description: service for email verification operations using hazo_connect
-// section: imports
-import type { HazoConnectAdapter } from "hazo_connect";
-import { createCrudService } from "hazo_connect/server";
-import argon2 from "argon2";
-import { create_token } from "./token_service";
-import { send_template_email } from "./email_service";
-import { create_app_logger } from "../app_logger";
-
-// section: types
-export type EmailVerificationTokenData = {
-  token: string;
-};
-
-export type EmailVerificationResult = {
-  success: boolean;
-  user_id?: string;
-  email?: string;
-  error?: string;
-};
-
-export type ResendVerificationData = {
-  email: string;
-};
-
-export type ResendVerificationResult = {
-  success: boolean;
-  error?: string;
-};
-
-// section: helpers
-/**
- * Verifies an email verification token
- * Updates email_verified to true in hazo_users and deletes the token
- * @param adapter - The hazo_connect adapter instance
- * @param data - Email verification token data (token)
- * @returns Email verification result with success status, user_id, email, or error
- */
-export async function verify_email_token(
-  adapter: HazoConnectAdapter,
-  data: EmailVerificationTokenData,
-): Promise<EmailVerificationResult> {
-  try {
-    const { token } = data;
-
-    // Create CRUD service for hazo_refresh_tokens table
-    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
-
-    // Find all email verification tokens
-    // If token_type column doesn't exist, query all tokens and filter manually
-    let all_tokens: unknown[] = [];
-    try {
-      all_tokens = (await tokens_service.findBy({
-        token_type: "email_verification",
-      })) as unknown[];
-    } catch (error) {
-      // If token_type column doesn't exist, get all tokens and we'll verify each one
-      const logger = create_app_logger();
-      const error_message = error instanceof Error ? error.message : "Unknown error";
-      logger.warn("email_verification_service_token_type_column_missing", {
-        filename: "email_verification_service.ts",
-        line_number: 0,
-        error: error_message,
-        note: "token_type column may not exist, querying all tokens",
-      });
-      try {
-        // Query all tokens (will need to verify each one)
-        all_tokens = (await tokens_service.findBy({})) as unknown[];
-      } catch (fallbackError) {
-        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
-        logger.error("email_verification_service_query_tokens_failed", {
-          filename: "email_verification_service.ts",
-          line_number: 0,
-          error: fallback_error_message,
-        });
-        return {
-          success: false,
-          error: "Invalid or expired verification token",
-        };
-      }
-    }
-
-    if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
-      return {
-        success: false,
-        error: "Invalid or expired verification token",
-      };
-    }
-
-    // Find the matching token by verifying the hash
-    let matching_token = null;
-    let user_id: string | null = null;
-
-    for (const stored_token of all_tokens) {
-      try {
-        const token_hash = (stored_token as { token_hash: string }).token_hash;
-        const is_valid = await argon2.verify(token_hash, token);
-
-        if (is_valid) {
-          matching_token = stored_token;
-          user_id = (stored_token as { user_id: string }).user_id;
-          break;
-        }
-      } catch {
-        // Continue to next token if verification fails
-        continue;
-      }
-    }
-
-    if (!matching_token || !user_id) {
-      return {
-        success: false,
-        error: "Invalid or expired verification token",
-      };
-    }
-
-    // Check if token has expired
-    const expires_at = new Date((matching_token as { expires_at: string }).expires_at);
-    const now = new Date();
-
-    if (expires_at < now) {
-      // Delete expired token
-      await tokens_service.deleteById((matching_token as { id: string }).id);
-
-      return {
-        success: false,
-        error: "Verification token has expired",
-      };
-    }
-
-    // Get user email before updating
-    const users_service = createCrudService(adapter, "hazo_users");
-    const users = await users_service.findBy({
-      id: user_id,
-    });
-
-    if (!Array.isArray(users) || users.length === 0) {
-      return {
-        success: false,
-        error: "User not found",
-      };
-    }
-
-    const user = users[0];
-    const email = user.email_address as string;
-
-    // Update user's email_verified status
-    const now_iso = new Date().toISOString();
-    await users_service.updateById(
-      user_id,
-      {
-        email_verified: true,
-        changed_at: now_iso,
-      },
-    );
-
-    // Delete the used token
-    await tokens_service.deleteById((matching_token as { id: string }).id);
-
-    return {
-      success: true,
-      user_id,
-      email,
-    };
-  } catch (error) {
-    const error_message =
-      error instanceof Error ? error.message : "Unknown error";
-
-    return {
-      success: false,
-      error: error_message,
-    };
-  }
-}
-
-/**
- * Resends an email verification token for a user
- * Creates a new email verification token and stores it in hazo_refresh_tokens
- * Invalidates any existing email verification tokens for the user before creating a new one
- * @param adapter - The hazo_connect adapter instance
- * @param data - Resend verification data (email)
- * @returns Resend verification result with success status or error
- */
-export async function resend_verification_email(
-  adapter: HazoConnectAdapter,
-  data: ResendVerificationData,
-): Promise<ResendVerificationResult> {
-  try {
-    const { email } = data;
-
-    // Create CRUD service for hazo_users table
-    const users_service = createCrudService(adapter, "hazo_users");
-
-    // Find user by email
-    const users = await users_service.findBy({
-      email_address: email,
-    });
-
-    // If user not found, return success anyway (to prevent email enumeration)
-    if (!Array.isArray(users) || users.length === 0) {
-      return {
-        success: true,
-      };
-    }
-
-    const user = users[0];
-    const user_id = user.id as string;
-
-    // Check if email is already verified
-    if (user.email_verified === true) {
-      return {
-        success: true,
-      };
-    }
-
-    // Create email verification token using shared token service
-    const token_result = await create_token({
-      adapter,
-      user_id,
-      token_type: "email_verification",
-    });
-
-    if (!token_result.success) {
-      return {
-        success: false,
-        error: token_result.error || "Failed to create email verification token",
-      };
-    }
-
-    // Send verification email if token was created successfully
-    if (token_result.raw_token) {
-      const email_result = await send_template_email("email_verification", email, {
-        token: token_result.raw_token,
-        user_email: email,
-        user_name: user.name as string | undefined,
-      });
-      
-      if (!email_result.success) {
-        const logger = create_app_logger();
-        logger.error("email_verification_service_email_send_failed", {
-          filename: "email_verification_service.ts",
-          line_number: 0,
-          user_id,
-          email,
-          error: email_result.error,
-          note: "Verification token created but email failed to send",
-        });
-        
-        // Return error if email sending failed (this is a technical error, not a security issue)
-        return {
-          success: false,
-          error: email_result.error || "Failed to send verification email",
-        };
-      }
-    }
-
-    return {
-      success: true,
-    };
-  } catch (error) {
-    const error_message =
-      error instanceof Error ? error.message : "Unknown error";
-
-    return {
-      success: false,
-      error: error_message,
-    };
-  }
-}
-

package/src/lib/services/index.ts

@@ -1,15 +0,0 @@
-// file_description: barrel export for all services
-// section: service_exports
-export * from "./email_service";
-export * from "./email_verification_service";
-export * from "./login_service";
-export * from "./password_change_service";
-export * from "./password_reset_service";
-export * from "./profile_picture_remove_service";
-export * from "./profile_picture_service";
-export * from "./profile_picture_source_mapper";
-export * from "./registration_service";
-export * from "./token_service";
-export * from "./user_profiles_service";
-export * from "./user_update_service";
-

package/src/lib/services/login_service.ts

@@ -1,134 +0,0 @@
-// file_description: service for user login operations using hazo_connect
-// section: imports
-import type { HazoConnectAdapter } from "hazo_connect";
-import { createCrudService } from "hazo_connect/server";
-import argon2 from "argon2";
-import { create_app_logger } from "../app_logger";
-import { sanitize_error_for_user } from "../utils/error_sanitizer";
-import { get_filename, get_line_number } from "../utils/api_route_helpers";
-
-// section: types
-export type LoginData = {
-  email: string;
-  password: string;
-};
-
-export type LoginResult = {
-  success: boolean;
-  user_id?: string;
-  error?: string;
-  email_not_verified?: boolean;
-  stored_url_on_logon?: string | null;
-};
-
-// section: helpers
-/**
- * Authenticates a user by verifying email and password against hazo_users table
- * @param adapter - The hazo_connect adapter instance
- * @param data - Login data (email, password)
- * @returns Login result with success status and user_id or error
- */
-export async function authenticate_user(
-  adapter: HazoConnectAdapter,
-  data: LoginData,
-): Promise<LoginResult> {
-  try {
-    const { email, password } = data;
-
-    // Create CRUD service for hazo_users table
-    const users_service = createCrudService(adapter, "hazo_users");
-
-    // Find user by email
-    const users = await users_service.findBy({
-      email_address: email,
-    });
-
-    // Check if user exists
-    if (!Array.isArray(users) || users.length === 0) {
-      return {
-        success: false,
-        error: "Invalid email or password",
-      };
-    }
-
-    const user = users[0];
-
-    // Check if user is active
-    if (user.is_active === false) {
-      return {
-        success: false,
-        error: "Account is inactive. Please contact support.",
-      };
-    }
-
-    // Verify password using argon2
-    const password_hash = user.password_hash as string;
-    const is_password_valid = await argon2.verify(password_hash, password);
-
-    if (!is_password_valid) {
-      // Increment login attempts on failed password
-      const current_attempts = (user.login_attempts as number) || 0;
-      const now = new Date().toISOString();
-
-      await users_service.updateById(
-        user.id,
-        {
-          login_attempts: current_attempts + 1,
-          changed_at: now,
-        }
-      );
-
-      return {
-        success: false,
-        error: "Invalid email or password",
-      };
-    }
-
-    // Check if email is verified
-    const email_verified = user.email_verified as boolean;
-    if (!email_verified) {
-      return {
-        success: false,
-        error: "Email address not verified. Please verify your email before logging in.",
-        email_not_verified: true,
-      };
-    }
-
-    // Password is valid and email is verified - update last_logon and reset login_attempts
-    const now = new Date().toISOString();
-    await users_service.updateById(
-      user.id,
-      {
-        last_logon: now,
-        login_attempts: 0,
-        changed_at: now,
-        url_on_logon: null, // Clear the stored redirect URL after successful login
-      }
-    );
-
-    return {
-      success: true,
-      user_id: user.id as string,
-      stored_url_on_logon: user.url_on_logon as string | null | undefined,
-    };
-  } catch (error) {
-    const logger = create_app_logger();
-    const user_friendly_error = sanitize_error_for_user(error, {
-      logToConsole: true,
-      logToLogger: true,
-      logger,
-      context: {
-        filename: "login_service.ts",
-        line_number: get_line_number(),
-        email: data.email,
-        operation: "authenticate_user",
-      },
-    });
-
-    return {
-      success: false,
-      error: user_friendly_error,
-    };
-  }
-}
-

package/src/lib/services/password_change_service.ts

@@ -1,154 +0,0 @@
-// file_description: service for changing user password using hazo_connect
-// section: imports
-import type { HazoConnectAdapter } from "hazo_connect";
-import { createCrudService } from "hazo_connect/server";
-import argon2 from "argon2";
-import { get_password_requirements_config } from "../password_requirements_config.server";
-import { send_template_email } from "./email_service";
-import { create_app_logger } from "../app_logger";
-
-// section: types
-export type PasswordChangeData = {
-  current_password: string;
-  new_password: string;
-};
-
-export type PasswordChangeResult = {
-  success: boolean;
-  error?: string;
-};
-
-// section: helpers
-/**
- * Changes a user's password
- * Verifies the current password, validates the new password, and updates the password hash
- * @param adapter - The hazo_connect adapter instance
- * @param user_id - The user ID to update
- * @param data - Password change data (current_password, new_password)
- * @returns Password change result with success status or error
- */
-export async function change_password(
-  adapter: HazoConnectAdapter,
-  user_id: string,
-  data: PasswordChangeData,
-): Promise<PasswordChangeResult> {
-  try {
-    const { current_password, new_password } = data;
-
-    // Create CRUD service for hazo_users table
-    const users_service = createCrudService(adapter, "hazo_users");
-
-    // Get current user data
-    const users = await users_service.findBy({
-      id: user_id,
-    });
-
-    if (!Array.isArray(users) || users.length === 0) {
-      return {
-        success: false,
-        error: "User not found",
-      };
-    }
-
-    const user = users[0];
-    const password_hash = user.password_hash as string;
-    const email = user.email_address as string;
-    const user_name = user.name as string | undefined;
-
-    // Verify current password
-    try {
-      const is_valid = await argon2.verify(password_hash, current_password);
-      if (!is_valid) {
-        return {
-          success: false,
-          error: "Current password is incorrect",
-        };
-      }
-    } catch (error) {
-      return {
-        success: false,
-        error: "Failed to verify current password",
-      };
-    }
-
-    // Get password requirements from config
-    const password_requirements = get_password_requirements_config();
-
-    // Validate new password
-    if (!new_password || new_password.length < password_requirements.minimum_length) {
-      return {
-        success: false,
-        error: `Password must be at least ${password_requirements.minimum_length} characters long`,
-      };
-    }
-
-    if (password_requirements.require_uppercase && !/[A-Z]/.test(new_password)) {
-      return {
-        success: false,
-        error: "Password must contain at least one uppercase letter",
-      };
-    }
-
-    if (password_requirements.require_lowercase && !/[a-z]/.test(new_password)) {
-      return {
-        success: false,
-        error: "Password must contain at least one lowercase letter",
-      };
-    }
-
-    if (password_requirements.require_number && !/[0-9]/.test(new_password)) {
-      return {
-        success: false,
-        error: "Password must contain at least one number",
-      };
-    }
-
-    if (password_requirements.require_special && !/[^A-Za-z0-9]/.test(new_password)) {
-      return {
-        success: false,
-        error: "Password must contain at least one special character",
-      };
-    }
-
-    // Hash the new password
-    const new_password_hash = await argon2.hash(new_password);
-
-    // Update password hash in database
-    const now = new Date().toISOString();
-    await users_service.updateById(user_id, {
-      password_hash: new_password_hash,
-      changed_at: now,
-    });
-
-    // Send password changed notification email
-    const email_result = await send_template_email("password_changed", email, {
-      user_email: email,
-      user_name: user_name,
-    });
-    
-    if (!email_result.success) {
-      const logger = create_app_logger();
-      logger.error("password_change_service_email_failed", {
-        filename: "password_change_service.ts",
-        line_number: 0,
-        user_id,
-        email,
-        error: email_result.error,
-        note: "Password was changed successfully but notification email failed to send",
-      });
-    }
-
-    return {
-      success: true,
-    };
-  } catch (error) {
-    const error_message =
-      error instanceof Error ? error.message : "Unknown error";
-
-    return {
-      success: false,
-      error: error_message,
-    };
-  }
-}
-