prostgles-server 4.2.202 → 4.2.204

package/lib/Auth/AuthHandler.ts

@@ -1,35 +1,24 @@
-import {
-  AnyObject,
-  AuthFailure,
-  AuthGuardLocation,
-  AuthGuardLocationResponse,
-  AuthResponse,
-  AuthSocketSchema,
-  CHANNELS,
-} from "prostgles-types";
+import { AnyObject, AuthResponse, CHANNELS } from "prostgles-types";
 import { PRGLIOSocket } from "../DboBuilder/DboBuilder";
 import { DBOFullyTyped } from "../DBSchemaBuilder";
 import { removeExpressRoute } from "../FileManager/FileManager";
 import { DB, DBHandlerServer, Prostgles } from "../Prostgles";
 import {
-  Auth,
+  AuthConfig,
   AuthClientRequest,
   AuthResult,
   AuthResultWithSID,
   BasicSession,
   ExpressReq,
-  ExpressRes,
-  LoginClientInfo,
-  LoginParams,
-  LoginResponse,
 } from "./AuthTypes";
-import { getProviders } from "./setAuthProviders";
+import { LoginResponseHandler } from "./endpoints/setLoginRequestHandler";
+import { getClientAuth } from "./getClientAuth";
+import { login } from "./login";
 import { setupAuthRoutes } from "./setupAuthRoutes";
 import { getClientRequestIPsInfo } from "./utils/getClientRequestIPsInfo";
 import { getReturnUrl } from "./utils/getReturnUrl";
 import { getSidAndUserFromRequest } from "./utils/getSidAndUserFromRequest";
-import type { Response } from "express";
-import { LoginResponseHandler } from "./endpoints/setLoginRequestHandler";
+import { throttledReject } from "./utils/throttledReject";
 
 export { getClientRequestIPsInfo };
 export const HTTP_FAIL_CODES = {
@@ -48,7 +37,7 @@ export const HTTP_SUCCESS_CODES = {
 
 export const AUTH_ROUTES_AND_PARAMS = {
   login: "/login",
-  loginWithProvider: "/auth",
+  loginWithProvider: "/oauth",
   emailRegistration: "/register",
   returnUrlParamName: "returnURL",
   sidKeyName: "session_id",
@@ -62,7 +51,7 @@ export const AUTH_ROUTES_AND_PARAMS = {
 
 export class AuthHandler {
   protected readonly prostgles: Prostgles;
-  protected readonly opts: Auth;
+  protected readonly opts: AuthConfig;
   dbo: DBHandlerServer;
   db: DB;
 
@@ -98,7 +87,7 @@ export class AuthHandler {
   isUserRoute = (pathname: string) => {
     const { login, logoutGetPath, magicLinksRoute, loginWithProvider } = AUTH_ROUTES_AND_PARAMS;
     const pubRoutes = [
-      ...(this.opts.expressConfig?.publicRoutes || []),
+      ...(this.opts.loginSignupConfig?.publicRoutes || []),
       login,
       logoutGetPath,
       magicLinksRoute,
@@ -116,42 +105,43 @@ export class AuthHandler {
   ) => {
     const { sid, expires } = cookie;
     const { res, req } = r;
-    if (sid) {
-      const maxAgeOneDay = 60 * 60 * 24; // 24 hours;
-      type CD = { maxAge: number } | { expires: Date };
-      let cookieDuration: CD = {
-        maxAge: maxAgeOneDay,
-      };
-      if (expires && Number.isFinite(expires) && !isNaN(+new Date(expires))) {
-        // const maxAge = (+new Date(expires)) - Date.now();
-        cookieDuration = { expires: new Date(expires) };
-        const days = (+cookieDuration.expires - Date.now()) / (24 * 60 * 60e3);
-        if (days >= 400) {
-          console.warn(`Cookie expiration is higher than the Chrome 400 day limit: ${days}days`);
-        }
-      }
+    if (!sid) {
+      throw "no sid";
+    }
 
-      const cookieOpts = {
-        ...cookieDuration,
-        httpOnly: true, // The cookie only accessible by the web server
-        //signed: true // Indicates if the cookie should be signed
-        secure: true,
-        sameSite: "strict" as const,
-        ...(this.opts.expressConfig?.cookieOptions || {}),
-      };
-      const cookieData = sid;
-      res.cookie(this.sidKeyName, cookieData, cookieOpts);
-      const successURL = getReturnUrl(req) || "/";
-      res.redirect(successURL);
-    } else {
-      throw "no user or session";
+    const maxAgeOneDay = 60 * 60 * 24; // 24 hours;
+    type CD = { maxAge: number } | { expires: Date };
+    let cookieDuration: CD = {
+      maxAge: maxAgeOneDay,
+    };
+
+    if (expires && Number.isFinite(expires) && !isNaN(+new Date(expires))) {
+      cookieDuration = { expires: new Date(expires) };
+      const days = (+cookieDuration.expires - Date.now()) / (24 * 60 * 60e3);
+      if (days >= 400) {
+        console.warn(`Cookie expiration is higher than the Chrome 400 day limit: ${days}days`);
+      }
     }
+
+    const cookieOpts = {
+      ...cookieDuration,
+      // The cookie only accessible by the web server
+      httpOnly: true,
+      //signed: true
+      secure: true,
+      sameSite: "strict" as const,
+      ...(this.opts.loginSignupConfig?.cookieOptions ?? {}),
+    };
+    const cookieData = sid;
+    res.cookie(this.sidKeyName, cookieData, cookieOpts);
+    const successURL = getReturnUrl(req) || "/";
+    res.redirect(successURL);
   };
 
   getUserAndHandleError = async (localParams: AuthClientRequest): Promise<AuthResultWithSID> => {
     const sid = this.getSID(localParams);
     if (!sid) return { sid };
-    const handlerError = (code: AuthFailure["code"]) => {
+    const handlerError = (code: AuthResponse.AuthFailure["code"]) => {
       if (localParams.httpReq) {
         localParams.res
           .status(HTTP_FAIL_CODES.BAD_REQUEST)
@@ -160,7 +150,7 @@ export class AuthHandler {
       throw code;
     };
     try {
-      const userOrErrorCode = await this.throttledFunc(async () => {
+      const userOrErrorCode = await throttledReject(async () => {
         return this.opts.getUser(
           this.validateSid(sid),
           this.dbo as DBOFullyTyped,
@@ -186,7 +176,7 @@ export class AuthHandler {
   init = setupAuthRoutes.bind(this);
 
   destroy = () => {
-    const app = this.opts.expressConfig?.app;
+    const app = this.opts.loginSignupConfig?.app;
     const {
       login,
       logoutGetPath,
@@ -211,111 +201,13 @@ export class AuthHandler {
     ]);
   };
 
-  throttledFunc = <T>(func: () => Promise<T>, throttle = 500): Promise<T> => {
-    return new Promise(async (resolve, reject) => {
-      let result: T,
-        error: any,
-        finished = false;
-
-      /**
-       * Throttle reject response times to prevent timing attacks
-       */
-      const interval = setInterval(() => {
-        if (finished) {
-          clearInterval(interval);
-          if (error) {
-            reject(error);
-          } else {
-            resolve(result);
-          }
-        }
-      }, throttle);
-
-      try {
-        result = await func();
-        resolve(result);
-        clearInterval(interval);
-      } catch (err) {
-        console.log(err);
-        error = err;
-      }
-
-      finished = true;
-    });
-  };
-
-  loginThrottledAndValidate = async (
-    params: LoginParams,
-    client: LoginClientInfo
-  ): Promise<LoginResponse> => {
-    if (!this.opts.login) throw "Auth login config missing";
-    const { responseThrottle = 500 } = this.opts;
-    return this.throttledFunc(async () => {
-      const result = await this.opts.login?.(params, this.dbo as DBOFullyTyped, this.db, client);
-
-      if (!result) {
-        return "server-error";
-      }
-      if (typeof result === "string") return result;
-
-      const { sid, expires } = result.session;
-      if (!sid) {
-        // return withServerError("Invalid sid");
-        return "server-error";
-      }
-      if (sid && (typeof sid !== "string" || typeof expires !== "number")) {
-        // return withServerError(
-        //   "Bad login result type. \nExpecting: undefined | null | { sid: string; expires: number }"
-        // );
-        return "server-error";
-      }
-      if (expires < Date.now()) {
-        // return withServerError(
-        //   "auth.login() is returning an expired session. Can only login with a session.expires greater than Date.now()"
-        // );
-        return "server-error";
-      }
-
-      return result;
-    }, responseThrottle);
-  };
-
-  loginThrottledAndSetCookie = async (
-    req: ExpressReq,
-    res: LoginResponseHandler,
-    loginParams: LoginParams
-  ) => {
-    const start = Date.now();
-    const errCodeOrSession = await this.loginThrottledAndValidate(
-      loginParams,
-      getClientRequestIPsInfo({ httpReq: req, res })
-    );
-    const loginResponse =
-      typeof errCodeOrSession === "string" ?
-        {
-          session: undefined,
-          response: { success: false, code: errCodeOrSession } as const,
-        }
-      : errCodeOrSession;
-    await this.prostgles.opts.onLog?.({
-      type: "auth",
-      command: "login",
-      success: !!loginResponse.session,
-      duration: Date.now() - start,
-      sid: loginResponse.session?.sid,
-      socketId: undefined,
-    });
-    if (!loginResponse.session) {
-      return res.status(HTTP_FAIL_CODES.BAD_REQUEST).json(loginResponse.response);
-    }
-    this.setCookieAndGoToReturnURLIFSet(loginResponse.session, { req, res });
-  };
+  login = login.bind(this);
 
   /**
    * Will return first sid value found in:
-   *  Bearer header
-   *  http cookie
-   *  query params
+   *  - Bearer header
+   *  - http cookie
+   *  - query params
    * Based on sid names in auth
    */
   getSID(maybeClientReq: AuthClientRequest | undefined): string | undefined {
@@ -385,7 +277,10 @@ export class AuthHandler {
     session: BasicSession | undefined
   ): boolean => {
     const hasExpired = Boolean(session && session.expires <= Date.now());
-    if (this.opts.expressConfig?.publicRoutes && !this.opts.expressConfig.disableSocketAuthGuard) {
+    if (
+      this.opts.loginSignupConfig?.publicRoutes &&
+      !this.opts.loginSignupConfig.disableSocketAuthGuard
+    ) {
       const error = "Session has expired";
       if (hasExpired) {
         if (session?.onExpiration === "redirect")
@@ -399,68 +294,5 @@ export class AuthHandler {
     return Boolean(session && !hasExpired);
   };
 
-  getClientAuth = async (
-    clientReq: AuthClientRequest
-  ): Promise<{ auth: AuthSocketSchema; userData: AuthResultWithSID }> => {
-    let pathGuard = false;
-    if (this.opts.expressConfig?.publicRoutes && !this.opts.expressConfig.disableSocketAuthGuard) {
-      pathGuard = true;
-
-      /**
-       * Due to SPA nature of some clients, we need to check if the connected client ends up on a protected route
-       */
-      if (clientReq.socket) {
-        const { socket } = clientReq;
-        socket.removeAllListeners(CHANNELS.AUTHGUARD);
-        socket.on(
-          CHANNELS.AUTHGUARD,
-          async (
-            params: AuthGuardLocation,
-            cb = (_err: any, _res?: AuthGuardLocationResponse) => {
-              /** EMPTY */
-            }
-          ) => {
-            try {
-              const { pathname, origin } =
-                typeof params === "string" ? (JSON.parse(params) as AuthGuardLocation) : params;
-              if (pathname && typeof pathname !== "string") {
-                console.warn("Invalid pathname provided for AuthGuardLocation: ", pathname);
-              }
-
-              /** These origins  */
-              const IGNORED_API_ORIGINS = ["file://"];
-              if (
-                !IGNORED_API_ORIGINS.includes(origin) &&
-                pathname &&
-                typeof pathname === "string" &&
-                this.isUserRoute(pathname) &&
-                !(await this.getUserFromRequest({ socket }))
-              ) {
-                cb(null, { shouldReload: true });
-              } else {
-                cb(null, { shouldReload: false });
-              }
-            } catch (err) {
-              console.error("AUTHGUARD err: ", err);
-              cb(err);
-            }
-          }
-        );
-      }
-    }
-
-    const userData = await this.getSidAndUserFromRequest(clientReq);
-    const { email } = this.opts.expressConfig?.registrations ?? {};
-    const auth: AuthSocketSchema = {
-      providers: getProviders.bind(this)(),
-      register: email && {
-        type: email.signupType,
-        url: AUTH_ROUTES_AND_PARAMS.emailRegistration,
-      },
-      user: userData.clientUser,
-      loginType: email?.signupType ?? "withPassword",
-      pathGuard,
-    };
-    return { auth, userData };
-  };
+  getClientAuth = getClientAuth.bind(this);
 }

package/lib/Auth/AuthTypes.ts

@@ -13,12 +13,12 @@ import type {
 import type { MicrosoftStrategyOptions } from "passport-microsoft";
 import {
   AnyObject,
-  AuthFailure,
   AuthRequest,
   AuthResponse,
   FieldFilter,
   IdentityProvider,
   UserLike,
+  AuthSocketSchema,
 } from "prostgles-types";
 import { DBOFullyTyped } from "../DBSchemaBuilder";
 import { PRGLIOSocket } from "../DboBuilder/DboBuilderTypes";
@@ -96,58 +96,43 @@ export type Email = {
   attachments?: { filename: string; content: string }[] | Mail.Attachment[];
 };
 
-type EmailWithoutTo = Omit<Email, "to">;
-
-type MagicLinkAuthResponse =
-  | AuthResponse.MagicLinkAuthFailure["code"]
-  | { response: AuthResponse.MagicLinkAuthSuccess; email: EmailWithoutTo };
-
 type PasswordRegisterResponse =
-  | AuthResponse.PasswordRegisterFailure["code"]
-  | { response: AuthResponse.PasswordRegisterSuccess; email: EmailWithoutTo };
+  | AuthResponse.PasswordRegisterFailure
+  | AuthResponse.PasswordRegisterSuccess;
+
+/**
+ * Users have to provide an email and a password.
+ * Account should be activated after email confirmation
+ */
+export type SignupWithEmailAndPassword = {
+  /**
+   * Defaults to 8
+   */
+  minPasswordLength?: number;
 
-export type EmailProvider =
-  | {
-      signupType: "withMagicLink";
-      onRegister: (data: {
-        email: string;
-        magicLinkUrlPath: string;
-        clientInfo: LoginClientInfo;
-        req: ExpressReq;
-      }) => Awaitable<MagicLinkAuthResponse>;
-      smtp: SMTPConfig;
-    }
-  | {
-      /**
-       * Users have to provide an email and a password.
-       * Account should be activated after email confirmation
-       */
-      signupType: "withPassword";
-      /**
-       * Defaults to 8
-       */
-      minPasswordLength?: number;
-      /**
-       * Called when the user has registered
-       */
-      onRegister: (data: {
-        email: string;
-        password: string;
-        confirmationUrlPath: string;
-        clientInfo: LoginClientInfo;
-        req: ExpressReq;
-      }) => Awaitable<PasswordRegisterResponse>;
-      smtp: SMTPConfig;
+  /**
+   * Called when the user has registered
+   */
+  onRegister: (data: {
+    email: string;
+    /**
+     * Password after validation
+     */
+    password: string;
+    clientInfo: LoginClientInfo;
+    confirmationUrlPath: string;
+    req: ExpressReq;
+  }) => Awaitable<PasswordRegisterResponse>;
 
-      /**
-       * Called after the user has clicked the URL to confirm their email address
-       */
-      onEmailConfirmation: (data: {
-        confirmationCode: string;
-        clientInfo: LoginClientInfo;
-        req: ExpressReq;
-      }) => Awaitable<AuthFailure["code"] | (AuthResponse.AuthSuccess & { redirect_to?: string })>;
-    };
+  /**
+   * Called after the user has clicked the URL to confirm their email address
+   */
+  onEmailConfirmation: (data: {
+    confirmationCode: string;
+    clientInfo: LoginClientInfo;
+    req: ExpressReq;
+  }) => Awaitable<AuthResponse.AuthFailure | (AuthResponse.AuthSuccess & { redirect_to?: string })>;
+};
 
 export type AuthProviderUserData =
   | {
@@ -185,10 +170,8 @@ export type RegistrationData =
     }
   | AuthProviderUserData;
 
-export type AuthRegistrationConfig<S> = {
-  email?: EmailProvider;
-
-  OAuthProviders?: ThirdPartyProviders;
+export type LoginWithOAuthConfig<S> = {
+  OAuthProviders: ThirdPartyProviders;
 
   /**
    * Required for social login callback
@@ -205,7 +188,9 @@ export type AuthRegistrationConfig<S> = {
     req: ExpressReq;
     res: ExpressRes;
     clientInfo: LoginClientInfo;
-  }) => Promise<{ error: string } | { ok: true }>;
+  }) => Promise<
+    AuthResponse.OAuthRegisterSuccess | AuthResponse.OAuthRegisterFailure | AuthResponse.AuthFailure
+  >;
 
   /**
    * Used to identify abuse
@@ -256,7 +241,7 @@ export type AuthResultWithSID<SU = SessionUser> =
     });
 
 export type AuthResult<SU = SessionUser> = SU | undefined;
-export type AuthResultOrError<SU = SessionUser> = AuthFailure["code"] | AuthResult<SU>;
+export type AuthResultOrError<SU = SessionUser> = AuthResponse.AuthFailure["code"] | AuthResult<SU>;
 
 export type AuthRequestParams<S, SUser extends SessionUser> = {
   db: DB;
@@ -264,7 +249,7 @@ export type AuthRequestParams<S, SUser extends SessionUser> = {
   getUser: () => Promise<AuthResultWithSID<SUser>>;
 };
 
-export type Auth<S = void, SUser extends SessionUser = SessionUser> = {
+export type AuthConfig<S = void, SUser extends SessionUser = SessionUser> = {
   /**
    * Name of the cookie or socket hadnshake query param that represents the session id.
    * Defaults to "session_id"
@@ -291,15 +276,7 @@ export type Auth<S = void, SUser extends SessionUser = SessionUser> = {
    *  /logout
    *  /magic-link/:id
    */
-  expressConfig?: ExpressConfig<S, SUser>;
-
-  login?: (
-    params: LoginParams,
-    dbo: DBOFullyTyped<S>,
-    db: DB,
-    client: LoginClientInfo
-  ) => Awaitable<LoginResponse>;
-  logout?: (sid: string | undefined, dbo: DBOFullyTyped<S>, db: DB) => Awaitable<any>;
+  loginSignupConfig?: LoginSignupConfig<S, SUser>;
 
   /**
    * Response time rounding in milliseconds to prevent timing attacks on login. Login response time should always be a multiple of this value. Defaults to 500 milliseconds
@@ -321,20 +298,23 @@ export type Auth<S = void, SUser extends SessionUser = SessionUser> = {
 export type LoginResponse =
   | {
       session: BasicSession;
-      response?: AuthResponse.PasswordLoginSuccess | AuthResponse.MagicLinkAuthSuccess;
+      response?: AuthResponse.PasswordLoginSuccess | AuthResponse.OAuthRegisterSuccess;
     }
+  | {
+      session?: undefined;
+      response: AuthResponse.MagicLinkAuthSuccess;
+    }
+  | AuthResponse.OAuthRegisterFailure["code"]
   | AuthResponse.PasswordLoginFailure["code"]
   | AuthResponse.MagicLinkAuthFailure["code"];
 
 export type LoginParams =
   | ({
       type: "username";
-      signupType: undefined | EmailProvider["signupType"];
-      magicLinkUrlPath: undefined | string;
     } & AuthRequest.LoginData)
-  | ({ type: "provider" } & AuthProviderUserData);
+  | ({ type: "OAuth" } & AuthProviderUserData);
 
-export type ExpressConfig<S, SUser extends SessionUser> = {
+export type LoginSignupConfig<S, SUser extends SessionUser> = {
   /**
    * Express app instance. If provided Prostgles will attempt to set sidKeyName to user cookie
    */
@@ -386,7 +366,27 @@ export type ExpressConfig<S, SUser extends SessionUser> = {
     | { session?: undefined; response: AuthResponse.MagicLinkAuthFailure }
   >;
 
-  registrations?: AuthRegistrationConfig<S>;
+  signupWithEmailAndPassword?: SignupWithEmailAndPassword;
+
+  loginWithOAuth?: LoginWithOAuthConfig<S>;
+
+  /**
+   * Used to hint to the client which login mode is available
+   * Defaults to username and password
+   */
+  localLoginMode?: AuthSocketSchema["loginType"];
+
+  /**
+   * If provided then the user will be able to login with a username and password
+   */
+  login: (
+    params: LoginParams,
+    dbo: DBOFullyTyped<S>,
+    db: DB,
+    client: LoginClientInfo
+  ) => Awaitable<LoginResponse>;
+
+  logout: (sid: string | undefined, dbo: DBOFullyTyped<S>, db: DB) => Awaitable<void>;
 };
 
 type ExpressMiddleware<S, SUser extends SessionUser> = (

package/lib/Auth/endpoints/setCatchAllRequestHandler.ts

@@ -3,14 +3,19 @@ import { AuthClientRequest } from "../AuthTypes";
 import { AUTH_ROUTES_AND_PARAMS, AuthHandler, HTTP_FAIL_CODES } from "../AuthHandler";
 import { getReturnUrl } from "../utils/getReturnUrl";
 import { DBOFullyTyped } from "../../DBSchemaBuilder";
+import { throttledReject } from "../utils/throttledReject";
 
 export function setCatchAllRequestHandler(this: AuthHandler, app: e.Express) {
   const onLogout = async (req: Request, res: Response) => {
     const sid = this.validateSid(req.cookies?.[this.sidKeyName]);
     if (sid) {
       try {
-        await this.throttledFunc(() => {
-          return this.opts.logout?.(req.cookies?.[this.sidKeyName], this.dbo as any, this.db);
+        await throttledReject(async () => {
+          return this.opts.loginSignupConfig?.logout(
+            req.cookies?.[this.sidKeyName],
+            this.dbo as DBOFullyTyped,
+            this.db
+          );
         });
       } catch (err) {
         console.error(err);
@@ -20,7 +25,7 @@ export function setCatchAllRequestHandler(this: AuthHandler, app: e.Express) {
   };
 
   const requestHandler: RequestHandler = async (req, res, next) => {
-    const { onGetRequestOK } = this.opts.expressConfig ?? {};
+    const { onGetRequestOK } = this.opts.loginSignupConfig ?? {};
     const clientReq: AuthClientRequest = { httpReq: req, res };
     const getUser = async () => {
       const userOrCode = await this.getUserAndHandleError(clientReq);
@@ -103,5 +108,4 @@ export function setCatchAllRequestHandler(this: AuthHandler, app: e.Express) {
   };
 
   app.get(AUTH_ROUTES_AND_PARAMS.catchAll, requestHandler);
-  return requestHandler;
 }

package/lib/Auth/endpoints/setConfirmEmailRequestHandler.ts

@@ -1,21 +1,19 @@
 import type { Request, Response } from "express";
-import { AuthFailure, AuthResponse } from "prostgles-types";
+import e from "express";
+import { AuthResponse } from "prostgles-types";
 import { AUTH_ROUTES_AND_PARAMS, AuthHandler, HTTP_FAIL_CODES } from "../AuthHandler";
-import { AuthRegistrationConfig } from "../AuthTypes";
+import { SignupWithEmailAndPassword } from "../AuthTypes";
 import { getClientRequestIPsInfo } from "../utils/getClientRequestIPsInfo";
-import e from "express";
+import { throttledReject } from "../utils/throttledReject";
 
 export function setConfirmEmailRequestHandler(
   this: AuthHandler,
-  emailAuthConfig: Extract<
-    Required<AuthRegistrationConfig<void>>["email"],
-    { signupType: "withPassword" }
-  >,
+  emailAuthConfig: SignupWithEmailAndPassword,
   app: e.Express
 ) {
   const requestHandler = async (
     req: Request,
-    res: Response<AuthFailure | AuthResponse.AuthSuccess>
+    res: Response<AuthResponse.AuthFailure | AuthResponse.AuthSuccess>
   ) => {
     const { id } = req.params;
     try {
@@ -23,17 +21,15 @@ export function setConfirmEmailRequestHandler(
         return res.send({ success: false, code: "something-went-wrong", message: "Invalid code" });
       }
       const { httpReq, ...clientInfo } = getClientRequestIPsInfo({ httpReq: req, res });
-      const response = await this.throttledFunc(async () =>
+      const response = await throttledReject(async () =>
         emailAuthConfig.onEmailConfirmation({
           confirmationCode: id,
           clientInfo,
           req: httpReq,
         })
       );
-      if (typeof response === "string") {
-        return res
-          .status(HTTP_FAIL_CODES.BAD_REQUEST)
-          .json({ success: false, code: "something-went-wrong" });
+      if (!response.success) {
+        return res.status(HTTP_FAIL_CODES.BAD_REQUEST).json(response);
       }
 
       /**