hazo_auth 4.2.0 → 4.4.0

package/cli-src/lib/services/password_change_service.ts

@@ -0,0 +1,154 @@
+// file_description: service for changing user password using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import argon2 from "argon2";
+import { get_password_requirements_config } from "../password_requirements_config.server.js";
+import { send_template_email } from "./email_service.js";
+import { create_app_logger } from "../app_logger.js";
+
+// section: types
+export type PasswordChangeData = {
+  current_password: string;
+  new_password: string;
+};
+
+export type PasswordChangeResult = {
+  success: boolean;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Changes a user's password
+ * Verifies the current password, validates the new password, and updates the password hash
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - The user ID to update
+ * @param data - Password change data (current_password, new_password)
+ * @returns Password change result with success status or error
+ */
+export async function change_password(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+  data: PasswordChangeData,
+): Promise<PasswordChangeResult> {
+  try {
+    const { current_password, new_password } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Get current user data
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+
+    const user = users[0];
+    const password_hash = user.password_hash as string;
+    const email = user.email_address as string;
+    const user_name = user.name as string | undefined;
+
+    // Verify current password
+    try {
+      const is_valid = await argon2.verify(password_hash, current_password);
+      if (!is_valid) {
+        return {
+          success: false,
+          error: "Current password is incorrect",
+        };
+      }
+    } catch (error) {
+      return {
+        success: false,
+        error: "Failed to verify current password",
+      };
+    }
+
+    // Get password requirements from config
+    const password_requirements = get_password_requirements_config();
+
+    // Validate new password
+    if (!new_password || new_password.length < password_requirements.minimum_length) {
+      return {
+        success: false,
+        error: `Password must be at least ${password_requirements.minimum_length} characters long`,
+      };
+    }
+
+    if (password_requirements.require_uppercase && !/[A-Z]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one uppercase letter",
+      };
+    }
+
+    if (password_requirements.require_lowercase && !/[a-z]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one lowercase letter",
+      };
+    }
+
+    if (password_requirements.require_number && !/[0-9]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one number",
+      };
+    }
+
+    if (password_requirements.require_special && !/[^A-Za-z0-9]/.test(new_password)) {
+      return {
+        success: false,
+        error: "Password must contain at least one special character",
+      };
+    }
+
+    // Hash the new password
+    const new_password_hash = await argon2.hash(new_password);
+
+    // Update password hash in database
+    const now = new Date().toISOString();
+    await users_service.updateById(user_id, {
+      password_hash: new_password_hash,
+      changed_at: now,
+    });
+
+    // Send password changed notification email
+    const email_result = await send_template_email("password_changed", email, {
+      user_email: email,
+      user_name: user_name,
+    });
+    
+    if (!email_result.success) {
+      const logger = create_app_logger();
+      logger.error("password_change_service_email_failed", {
+        filename: "password_change_service.ts",
+        line_number: 0,
+        user_id,
+        email,
+        error: email_result.error,
+        note: "Password was changed successfully but notification email failed to send",
+      });
+    }
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/cli-src/lib/services/password_reset_service.ts

@@ -0,0 +1,418 @@
+// file_description: service for password reset operations using hazo_connect
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import { create_token } from "./token_service.js";
+import argon2 from "argon2";
+import { create_app_logger } from "../app_logger.js";
+import { send_template_email } from "./email_service.js";
+
+// section: types
+export type PasswordResetRequestData = {
+  email: string;
+};
+
+export type PasswordResetRequestResult = {
+  success: boolean;
+  error?: string;
+  /** True if the user doesn't have a password set (Google-only user) */
+  no_password_set?: boolean;
+};
+
+export type PasswordResetData = {
+  token: string;
+  new_password: string;
+  minimum_length?: number; // Optional: if not provided, defaults to 8
+};
+
+export type PasswordResetResult = {
+  success: boolean;
+  user_id?: string;
+  email?: string;
+  error?: string;
+};
+
+export type PasswordResetTokenValidationData = {
+  token: string;
+};
+
+export type PasswordResetTokenValidationResult = {
+  success: boolean;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Requests a password reset for a user by email
+ * Generates a secure token, hashes it, and stores it in hazo_refresh_tokens with token_type = 'password_reset'
+ * Invalidates any existing password reset tokens for the user before creating a new one
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset request data (email)
+ * @returns Password reset request result with success status or error
+ */
+export async function request_password_reset(
+  adapter: HazoConnectAdapter,
+  data: PasswordResetRequestData,
+): Promise<PasswordResetRequestResult> {
+  try {
+    const { email } = data;
+
+    // Create CRUD service for hazo_users table
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Find user by email
+    const users = await users_service.findBy({
+      email_address: email,
+    });
+
+    // If user not found, return success anyway (to prevent email enumeration)
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: true,
+      };
+    }
+
+    const user = users[0];
+    const user_id = user.id as string;
+
+    // Check if user has a password set (Google-only users don't have a password)
+    const password_hash = user.password_hash as string;
+    if (!password_hash || password_hash === "") {
+      // User doesn't have a password - they need to set one via My Settings after logging in with Google
+      // Return success to prevent email enumeration, but include flag for UI handling
+      return {
+        success: true,
+        no_password_set: true,
+      };
+    }
+
+    // Create password reset token using shared token service
+    const token_result = await create_token({
+      adapter,
+      user_id,
+      token_type: "password_reset",
+    });
+
+    if (!token_result.success) {
+      return {
+        success: false,
+        error: token_result.error || "Failed to create password reset token",
+      };
+    }
+
+    // Send password reset email if token was created successfully
+    if (token_result.raw_token) {
+      const email_result = await send_template_email("forgot_password", email, {
+        token: token_result.raw_token,
+        user_email: email,
+        user_name: user.name as string | undefined,
+      });
+      
+      if (!email_result.success) {
+        const logger = create_app_logger();
+        logger.error("password_reset_service_email_send_failed", {
+          filename: "password_reset_service.ts",
+          line_number: 0,
+          user_id,
+          email,
+          error: email_result.error,
+          note: "Password reset token created but email failed to send",
+        });
+      }
+    }
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+
+/**
+ * Validates a password reset token without resetting the password
+ * Verifies the token exists and checks if it has expired
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Token validation data (token)
+ * @returns Token validation result with success status or error
+ */
+export async function validate_password_reset_token(
+  adapter: HazoConnectAdapter,
+  data: PasswordResetTokenValidationData,
+): Promise<PasswordResetTokenValidationResult> {
+  try {
+    const { token } = data;
+
+    // Create CRUD service for hazo_refresh_tokens table
+    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+
+    // Find all password reset tokens
+    // If token_type column doesn't exist, query all tokens and filter manually
+    let all_tokens: unknown[] = [];
+    try {
+      all_tokens = (await tokens_service.findBy({
+        token_type: "password_reset",
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, get all tokens and we'll verify each one
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("password_reset_service_token_type_column_missing", {
+        filename: "password_reset_service.ts",
+        line_number: 0,
+        error: error_message,
+        note: "token_type column may not exist, querying all tokens",
+      });
+      try {
+        // Query all tokens (will need to verify each one)
+        all_tokens = (await tokens_service.findBy({})) as unknown[];
+      } catch (fallbackError) {
+        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+        logger.error("password_reset_service_query_tokens_failed", {
+          filename: "password_reset_service.ts",
+          line_number: 0,
+          error: fallback_error_message,
+        });
+        return {
+          success: false,
+          error: "Invalid or expired reset token",
+        };
+      }
+    }
+
+    if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+      return {
+        success: false,
+        error: "Invalid or expired reset token",
+      };
+    }
+
+    // Find the matching token by verifying the hash
+    let matching_token = null;
+
+    for (const stored_token of all_tokens) {
+      try {
+        const token_hash = (stored_token as { token_hash: string }).token_hash;
+        const is_valid = await argon2.verify(token_hash, token);
+
+        if (is_valid) {
+          matching_token = stored_token;
+          break;
+        }
+      } catch {
+        // Continue to next token if verification fails
+        continue;
+      }
+    }
+
+    if (!matching_token) {
+      return {
+        success: false,
+        error: "Invalid or expired reset token",
+      };
+    }
+
+    // Check if token has expired
+    const expires_at = new Date((matching_token as { expires_at: string }).expires_at);
+    const now = new Date();
+
+    if (expires_at < now) {
+      return {
+        success: false,
+        error: "Reset token has expired",
+      };
+    }
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+
+/**
+ * Resets a user's password using a password reset token
+ * Verifies the token, checks expiration, updates password, and deletes the token
+ * @param adapter - The hazo_connect adapter instance
+ * @param data - Password reset data (token, new_password)
+ * @returns Password reset result with success status, user_id, email, or error
+ */
+export async function reset_password(
+  adapter: HazoConnectAdapter,
+  data: PasswordResetData,
+): Promise<PasswordResetResult> {
+  try {
+    const { token, new_password, minimum_length = 8 } = data;
+
+    // Validate password
+    if (!new_password || new_password.length < minimum_length) {
+      return {
+        success: false,
+        error: `Password must be at least ${minimum_length} character${minimum_length === 1 ? "" : "s"} long`,
+      };
+    }
+
+    // Create CRUD service for hazo_refresh_tokens table
+    const tokens_service = createCrudService(adapter, "hazo_refresh_tokens");
+
+    // Find all password reset tokens
+    // If token_type column doesn't exist, query all tokens and filter manually
+    let all_tokens: unknown[] = [];
+    try {
+      all_tokens = (await tokens_service.findBy({
+        token_type: "password_reset",
+      })) as unknown[];
+    } catch (error) {
+      // If token_type column doesn't exist, get all tokens and we'll verify each one
+      const logger = create_app_logger();
+      const error_message = error instanceof Error ? error.message : "Unknown error";
+      logger.warn("password_reset_service_token_type_column_missing", {
+        filename: "password_reset_service.ts",
+        line_number: 0,
+        error: error_message,
+        note: "token_type column may not exist, querying all tokens",
+      });
+      try {
+        // Query all tokens (will need to verify each one)
+        all_tokens = (await tokens_service.findBy({})) as unknown[];
+      } catch (fallbackError) {
+        const fallback_error_message = fallbackError instanceof Error ? fallbackError.message : "Unknown error";
+        logger.error("password_reset_service_query_tokens_failed", {
+          filename: "password_reset_service.ts",
+          line_number: 0,
+          error: fallback_error_message,
+        });
+        return {
+          success: false,
+          error: "Invalid or expired reset token",
+        };
+      }
+    }
+
+    if (!Array.isArray(all_tokens) || all_tokens.length === 0) {
+      return {
+        success: false,
+        error: "Invalid or expired reset token",
+      };
+    }
+
+    // Find the matching token by verifying the hash
+    let matching_token = null;
+    let user_id: string | null = null;
+
+    for (const stored_token of all_tokens) {
+      try {
+        const token_hash = (stored_token as { token_hash: string }).token_hash;
+        const is_valid = await argon2.verify(token_hash, token);
+
+        if (is_valid) {
+          matching_token = stored_token;
+          user_id = (stored_token as { user_id: string }).user_id;
+          break;
+        }
+      } catch {
+        // Continue to next token if verification fails
+        continue;
+      }
+    }
+
+    if (!matching_token || !user_id) {
+      return {
+        success: false,
+        error: "Invalid or expired reset token",
+      };
+    }
+
+    // Check if token has expired
+    const expires_at = new Date((matching_token as { expires_at: string }).expires_at);
+    const now = new Date();
+
+    if (expires_at < now) {
+      // Delete expired token
+      await tokens_service.deleteById((matching_token as { id: unknown }).id);
+
+      return {
+        success: false,
+        error: "Reset token has expired",
+      };
+    }
+
+    // Get user email before updating
+    const users_service = createCrudService(adapter, "hazo_users");
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+
+    const user = users[0];
+    const email = user.email_address as string;
+
+    // Hash the new password
+    const password_hash = await argon2.hash(new_password);
+
+    // Update user's password
+    const now_iso = new Date().toISOString();
+    await users_service.updateById(
+      user_id,
+      {
+        password_hash: password_hash,
+        changed_at: now_iso,
+      },
+    );
+
+    // Delete the used token
+    await tokens_service.deleteById((matching_token as { id: unknown }).id);
+
+    // Send password changed notification email
+    const email_result = await send_template_email("password_changed", email, {
+      user_email: email,
+      user_name: user.name as string | undefined,
+    });
+    
+    if (!email_result.success) {
+      const logger = create_app_logger();
+      logger.error("password_reset_service_password_changed_email_failed", {
+        filename: "password_reset_service.ts",
+        line_number: 0,
+        user_id,
+        email,
+        error: email_result.error,
+        note: "Password was reset successfully but notification email failed to send",
+      });
+    }
+
+    return {
+      success: true,
+      user_id,
+      email,
+    };
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+

package/cli-src/lib/services/profile_picture_remove_service.ts

@@ -0,0 +1,120 @@
+// file_description: service for removing profile pictures (deleting files and clearing database)
+// section: imports
+import type { HazoConnectAdapter } from "hazo_connect";
+import { createCrudService } from "hazo_connect/server";
+import { map_db_source_to_ui } from "./profile_picture_source_mapper.js";
+import { get_profile_picture_config } from "../profile_picture_config.server.js";
+import { create_app_logger } from "../app_logger.js";
+import fs from "fs";
+import path from "path";
+
+// section: types
+export type RemoveProfilePictureResult = {
+  success: boolean;
+  error?: string;
+};
+
+// section: helpers
+/**
+ * Removes user profile picture
+ * - If source is "upload": deletes the uploaded file and clears profile_picture_url and profile_source
+ * - If source is "gravatar" or "library": clears profile_picture_url and profile_source
+ * @param adapter - The hazo_connect adapter instance
+ * @param user_id - User ID
+ * @returns Remove result with success status or error
+ */
+export async function remove_user_profile_picture(
+  adapter: HazoConnectAdapter,
+  user_id: string,
+): Promise<RemoveProfilePictureResult> {
+  try {
+    const users_service = createCrudService(adapter, "hazo_users");
+
+    // Get current user data
+    const users = await users_service.findBy({
+      id: user_id,
+    });
+
+    if (!Array.isArray(users) || users.length === 0) {
+      return {
+        success: false,
+        error: "User not found",
+      };
+    }
+
+    const current_user = users[0];
+    const profile_picture_url = (current_user.profile_picture_url as string) || null;
+    const profile_source_db = (current_user.profile_source as string) || null;
+
+    if (!profile_picture_url || !profile_source_db) {
+      // No profile picture to remove
+      return {
+        success: true,
+      };
+    }
+
+    // Map database source to UI source
+    const profile_source_ui = map_db_source_to_ui(profile_source_db);
+
+    // If source is "upload", delete the file
+    if (profile_source_ui === "upload") {
+      try {
+        const config = get_profile_picture_config();
+
+        if (config.upload_photo_path) {
+          // Extract filename from URL (e.g., /api/hazo_auth/profile_picture/user_id.jpg)
+          const fileName = profile_picture_url.split("/").pop();
+
+          if (fileName && fileName.startsWith(user_id)) {
+            // Resolve upload path
+            const uploadPath = path.isAbsolute(config.upload_photo_path)
+              ? config.upload_photo_path
+              : path.resolve(process.cwd(), config.upload_photo_path);
+
+            const filePath = path.join(uploadPath, fileName);
+
+            // Delete file if it exists
+            if (fs.existsSync(filePath)) {
+              fs.unlinkSync(filePath);
+            }
+          }
+        }
+      } catch (error) {
+        // Log error but continue with database update
+        const logger = create_app_logger();
+        const error_message = error instanceof Error ? error.message : "Unknown error";
+        logger.warn("profile_picture_remove_file_delete_failed", {
+          filename: "profile_picture_remove_service.ts",
+          line_number: 0,
+          user_id,
+          profile_picture_url,
+          error: error_message,
+        });
+        // Don't fail the request if file deletion fails - still clear the database
+      }
+    }
+
+    // Clear profile picture URL and source in database
+    // Note: profile_source has a CHECK constraint, so we'll set it to null
+    // If the database doesn't allow null, we may need to handle it differently
+    const update_data: Record<string, unknown> = {
+      changed_at: new Date().toISOString(),
+      profile_picture_url: null,
+      profile_source: null,
+    };
+
+    await users_service.updateById(user_id, update_data);
+
+    return {
+      success: true,
+    };
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+
+    return {
+      success: false,
+      error: error_message,
+    };
+  }
+}
+