securepool 1.0.0

package/packages/application/src/services/AuthService.ts

@@ -0,0 +1,323 @@
+import crypto from "crypto";
+import { User, AuditLog, AuditAction, RefreshToken } from "@securepool/core";
+import { IUserRepository } from "../interfaces/IUserRepository";
+import { IPasswordHasher } from "../interfaces/IPasswordHasher";
+import { ITokenService } from "../interfaces/ITokenService";
+import { ITokenRepository } from "../interfaces/ITokenRepository";
+import { IOtpService } from "../interfaces/IOtpService";
+import { IAuditLogRepository } from "../interfaces/IAuditLogRepository";
+import { IEmailService } from "../interfaces/IEmailService";
+
+function normalizeEmail(raw: string): string {
+  return raw.trim().toLowerCase();
+}
+
+export class AuthService {
+  constructor(
+    private readonly userRepository: IUserRepository,
+    private readonly passwordHasher: IPasswordHasher,
+    private readonly tokenService: ITokenService,
+    private readonly tokenRepository: ITokenRepository,
+    private readonly otpService?: IOtpService,
+    private readonly auditLogRepository?: IAuditLogRepository,
+    private readonly emailService?: IEmailService,
+  ) {}
+
+  // Helper: generate tokens and save refresh token to DB
+  private async generateAndSaveTokens(
+    userId: string,
+    tenantId: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const accessToken = await this.tokenService.generateAccessToken(userId, tenantId);
+    const refreshToken = await this.tokenService.generateRefreshToken(userId);
+
+    // Save refresh token to DB so it can be looked up on refresh
+    await this.tokenRepository.save(new RefreshToken(
+      crypto.randomUUID(),
+      userId,
+      refreshToken, // stored as-is; looked up by exact match
+      new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
+      false,
+    ));
+
+    return { accessToken, refreshToken };
+  }
+
+  // Step 1: Validate + send OTP (does NOT create user yet)
+  async register(
+    rawEmail: string,
+    password: string,
+    tenantId: string,
+  ): Promise<{ email: string }> {
+    const email = normalizeEmail(rawEmail);
+
+    const existing = await this.userRepository.findByEmail(email, tenantId);
+    if (existing) {
+      throw new Error("User with this email already exists");
+    }
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const passwordHash = await this.passwordHasher.hash(password);
+
+    const pendingKey = `pending:${tenantId}:${email}`;
+    const code = await this.otpService.generate(pendingKey, {
+      email,
+      passwordHash,
+      tenantId,
+    });
+
+    if (this.emailService) {
+      await this.emailService.sendOtp(email, code);
+    }
+
+    return { email };
+  }
+
+  // Step 2: Verify OTP → create user → return tokens
+  async verifyEmail(
+    rawEmail: string,
+    code: string,
+    tenantId: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const email = normalizeEmail(rawEmail);
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const existing = await this.userRepository.findByEmail(email, tenantId);
+    if (existing) {
+      throw new Error("User already exists. Please login instead.");
+    }
+
+    const pendingKey = `pending:${tenantId}:${email}`;
+    const result = await this.otpService.verify(pendingKey, code);
+
+    if (!result.metadata?.passwordHash) {
+      throw new Error("Registration data not found. Please register again.");
+    }
+
+    const user = new User(
+      crypto.randomUUID(),
+      tenantId,
+      email,
+      result.metadata.passwordHash,
+      true,
+      new Date(),
+    );
+    await this.userRepository.create(user);
+
+    const tokens = await this.generateAndSaveTokens(user.id, tenantId);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.REGISTER, "unknown", { email }, new Date(),
+      ));
+    }
+
+    return tokens;
+  }
+
+  // Login
+  async login(
+    rawEmail: string,
+    password: string,
+    tenantId: string,
+    ip: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const email = normalizeEmail(rawEmail);
+
+    const user = await this.userRepository.findByEmail(email, tenantId);
+    if (!user || !user.passwordHash) {
+      throw new Error("Invalid email or password");
+    }
+
+    const isValid = await this.passwordHasher.compare(password, user.passwordHash);
+    if (!isValid) {
+      if (this.auditLogRepository) {
+        await this.auditLogRepository.log(new AuditLog(
+          crypto.randomUUID(), user.id, tenantId,
+          AuditAction.LOGIN_FAILED, ip, { email }, new Date(),
+        ));
+      }
+      throw new Error("Invalid email or password");
+    }
+
+    if (!user.isVerified) {
+      throw new Error("Email not verified. Please verify your email first.");
+    }
+
+    const tokens = await this.generateAndSaveTokens(user.id, tenantId);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.LOGIN_SUCCESS, ip, { email }, new Date(),
+      ));
+    }
+
+    return tokens;
+  }
+
+  // Google SSO login
+  async loginWithGoogle(
+    googleUser: { email: string; name: string; googleId: string },
+    tenantId: string,
+    ip: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const email = normalizeEmail(googleUser.email);
+
+    let user = await this.userRepository.findByEmail(email, tenantId);
+
+    if (!user) {
+      user = new User(
+        crypto.randomUUID(), tenantId, email,
+        null, true, new Date(),
+      );
+      await this.userRepository.create(user);
+    }
+
+    const tokens = await this.generateAndSaveTokens(user.id, tenantId);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.LOGIN_SUCCESS, ip,
+        { provider: "google", googleId: googleUser.googleId }, new Date(),
+      ));
+    }
+
+    return tokens;
+  }
+
+  // Request OTP (for OTP login)
+  async requestOtp(rawEmail: string, tenantId: string): Promise<string> {
+    const email = normalizeEmail(rawEmail);
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const user = await this.userRepository.findByEmail(email, tenantId);
+    if (!user) throw new Error("User not found");
+
+    const code = await this.otpService.generate(user.id);
+
+    if (this.emailService) {
+      await this.emailService.sendOtp(email, code);
+    }
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.OTP_GENERATED, "unknown", { email }, new Date(),
+      ));
+    }
+
+    return code;
+  }
+
+  // Verify OTP (for OTP login)
+  async verifyOtp(
+    rawEmail: string, code: string, tenantId: string, ip: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const email = normalizeEmail(rawEmail);
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const user = await this.userRepository.findByEmail(email, tenantId);
+    if (!user) throw new Error("User not found");
+
+    await this.otpService.verify(user.id, code);
+
+    // OTP proves email ownership - ensure user is verified
+    if (!user.isVerified) {
+      user.isVerified = true;
+      await this.userRepository.update(user);
+    }
+
+    const tokens = await this.generateAndSaveTokens(user.id, tenantId);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.OTP_VERIFIED, ip, { email }, new Date(),
+      ));
+    }
+
+    return tokens;
+  }
+
+  // Forgot password - sends OTP to email
+  async forgotPassword(rawEmail: string, tenantId: string): Promise<void> {
+    const email = normalizeEmail(rawEmail);
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const user = await this.userRepository.findByEmail(email, tenantId);
+    if (!user) throw new Error("User not found");
+
+    const code = await this.otpService.generate(user.id);
+
+    if (this.emailService) {
+      await this.emailService.sendOtp(email, code);
+    }
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.PASSWORD_RESET, "unknown",
+        { email, step: "otp_sent" }, new Date(),
+      ));
+    }
+  }
+
+  // Reset password - verify OTP + set new password
+  async resetPassword(
+    rawEmail: string, code: string, newPassword: string, tenantId: string,
+  ): Promise<void> {
+    const email = normalizeEmail(rawEmail);
+
+    if (!this.otpService) throw new Error("OTP service is not configured");
+
+    const user = await this.userRepository.findByEmail(email, tenantId);
+    if (!user) throw new Error("User not found");
+
+    await this.otpService.verify(user.id, code);
+
+    user.passwordHash = await this.passwordHasher.hash(newPassword);
+    await this.userRepository.update(user);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.PASSWORD_RESET, "unknown",
+        { email, step: "password_changed" }, new Date(),
+      ));
+    }
+  }
+
+  // Change password (authenticated, requires old password)
+  async changePassword(
+    userId: string, oldPassword: string, newPassword: string, tenantId: string,
+  ): Promise<void> {
+    const user = await this.userRepository.findById(userId);
+    if (!user || !user.passwordHash) {
+      throw new Error("User not found");
+    }
+
+    const isValid = await this.passwordHasher.compare(oldPassword, user.passwordHash);
+    if (!isValid) {
+      throw new Error("Current password is incorrect");
+    }
+
+    user.passwordHash = await this.passwordHasher.hash(newPassword);
+    await this.userRepository.update(user);
+
+    if (this.auditLogRepository) {
+      await this.auditLogRepository.log(new AuditLog(
+        crypto.randomUUID(), user.id, tenantId,
+        AuditAction.PASSWORD_RESET, "unknown",
+        { step: "password_changed_by_user" }, new Date(),
+      ));
+    }
+  }
+}

package/packages/application/src/services/RefreshTokenService.ts

@@ -0,0 +1,53 @@
+import crypto from "crypto";
+import { RefreshToken } from "@securepool/core";
+import { ITokenRepository } from "../interfaces/ITokenRepository";
+import { ITokenService } from "../interfaces/ITokenService";
+
+export class RefreshTokenService {
+  constructor(
+    private readonly tokenRepository: ITokenRepository,
+    private readonly tokenService: ITokenService,
+  ) {}
+
+  async refresh(
+    oldToken: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    // Find the refresh token by exact match (tokenHash stores the raw token)
+    const existingToken = await this.tokenRepository.findByTokenHash(oldToken);
+
+    if (!existingToken) {
+      throw new Error("Invalid refresh token");
+    }
+
+    if (existingToken.isRevoked) {
+      throw new Error("Refresh token has been revoked");
+    }
+
+    if (existingToken.expiresAt < new Date()) {
+      throw new Error("Refresh token has expired");
+    }
+
+    // Revoke old token (rotation)
+    await this.tokenRepository.revoke(existingToken.id);
+
+    // Generate new token pair
+    const accessToken = await this.tokenService.generateAccessToken(
+      existingToken.userId,
+      "default", // tenantId from the original token
+    );
+    const newRefreshToken = await this.tokenService.generateRefreshToken(
+      existingToken.userId,
+    );
+
+    // Save new refresh token to DB
+    await this.tokenRepository.save(new RefreshToken(
+      crypto.randomUUID(),
+      existingToken.userId,
+      newRefreshToken,
+      new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
+      false,
+    ));
+
+    return { accessToken, refreshToken: newRefreshToken };
+  }
+}

package/packages/application/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}

package/packages/core/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "@securepool/core",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0"
+  }
+}

package/packages/core/src/entities/AuditLog.ts

@@ -0,0 +1,11 @@
+export class AuditLog {
+  constructor(
+    public id: string,
+    public userId: string,
+    public tenantId: string,
+    public action: string,
+    public ip: string,
+    public metadata: Record<string, unknown>,
+    public timestamp: Date,
+  ) {}
+}

package/packages/core/src/entities/OtpCode.ts

@@ -0,0 +1,10 @@
+export class OtpCode {
+  constructor(
+    public id: string,
+    public userId: string,
+    public code: string,
+    public expiresAt: Date,
+    public attempts: number,
+    public metadata?: Record<string, string>,
+  ) {}
+}

package/packages/core/src/entities/RefreshToken.ts

@@ -0,0 +1,9 @@
+export class RefreshToken {
+  constructor(
+    public id: string,
+    public userId: string,
+    public tokenHash: string,
+    public expiresAt: Date,
+    public isRevoked: boolean,
+  ) {}
+}

package/packages/core/src/entities/Role.ts

@@ -0,0 +1,6 @@
+export class Role {
+  constructor(
+    public id: string,
+    public name: string,
+  ) {}
+}

package/packages/core/src/entities/Session.ts

@@ -0,0 +1,10 @@
+export class Session {
+  constructor(
+    public id: string,
+    public userId: string,
+    public device: string,
+    public ip: string,
+    public createdAt: Date,
+    public isActive: boolean,
+  ) {}
+}

package/packages/core/src/entities/Tenant.ts

@@ -0,0 +1,7 @@
+export class Tenant {
+  constructor(
+    public id: string,
+    public name: string,
+    public createdAt: Date,
+  ) {}
+}

package/packages/core/src/entities/User.ts

@@ -0,0 +1,10 @@
+export class User {
+  constructor(
+    public id: string,
+    public tenantId: string,
+    public email: string,
+    public passwordHash: string | null,
+    public isVerified: boolean,
+    public createdAt: Date,
+  ) {}
+}

package/packages/core/src/entities/UserRole.ts

@@ -0,0 +1,6 @@
+export class UserRole {
+  constructor(
+    public userId: string,
+    public roleId: string,
+  ) {}
+}

package/packages/core/src/enums/index.ts

@@ -0,0 +1,22 @@
+export enum RoleType {
+  ADMIN = "ADMIN",
+  USER = "USER",
+  MODERATOR = "MODERATOR",
+}
+
+export enum AuthProvider {
+  EMAIL = "EMAIL",
+  GOOGLE = "GOOGLE",
+  OTP = "OTP",
+}
+
+export enum AuditAction {
+  LOGIN_SUCCESS = "LOGIN_SUCCESS",
+  LOGIN_FAILED = "LOGIN_FAILED",
+  REGISTER = "REGISTER",
+  PASSWORD_RESET = "PASSWORD_RESET",
+  TOKEN_REFRESH = "TOKEN_REFRESH",
+  LOGOUT = "LOGOUT",
+  OTP_GENERATED = "OTP_GENERATED",
+  OTP_VERIFIED = "OTP_VERIFIED",
+}

package/packages/core/src/index.ts

@@ -0,0 +1,10 @@
+export { User } from "./entities/User";
+export { Role } from "./entities/Role";
+export { UserRole } from "./entities/UserRole";
+export { OtpCode } from "./entities/OtpCode";
+export { RefreshToken } from "./entities/RefreshToken";
+export { Session } from "./entities/Session";
+export { Tenant } from "./entities/Tenant";
+export { AuditLog } from "./entities/AuditLog";
+
+export { RoleType, AuthProvider, AuditAction } from "./enums";

package/packages/core/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}

package/packages/infrastructure/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@securepool/infrastructure",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@securepool/core": "1.0.0",
+    "@securepool/application": "1.0.0",
+    "bcrypt": "^5.1.1",
+    "jsonwebtoken": "^9.0.2",
+    "google-auth-library": "^9.14.0",
+    "nodemailer": "^6.9.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0",
+    "@types/bcrypt": "^5.0.2",
+    "@types/jsonwebtoken": "^9.0.7",
+    "@types/nodemailer": "^6.4.0"
+  }
+}

package/packages/infrastructure/src/email/NodemailerEmailService.ts

@@ -0,0 +1,55 @@
+import nodemailer, { Transporter } from "nodemailer";
+import { IEmailService } from "@securepool/application";
+
+export interface EmailConfig {
+  host: string;
+  port: number;
+  secure: boolean;
+  auth: {
+    user: string;
+    pass: string;
+  };
+  from: string;
+}
+
+export class NodemailerEmailService implements IEmailService {
+  private transporter: Transporter;
+  private from: string;
+
+  constructor(config: EmailConfig) {
+    this.from = config.from;
+    this.transporter = nodemailer.createTransport({
+      host: config.host,
+      port: config.port,
+      secure: config.secure,
+      auth: {
+        user: config.auth.user,
+        pass: config.auth.pass,
+      },
+    });
+  }
+
+  async sendOtp(to: string, code: string): Promise<void> {
+    await this.transporter.sendMail({
+      from: `"SecurePool Auth" <${this.from}>`,
+      to,
+      subject: "Your SecurePool OTP Code",
+      text: `Your OTP code is: ${code}\n\nThis code expires in 5 minutes. Do not share it with anyone.`,
+      html: `
+        <div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 480px; margin: 0 auto; padding: 40px 20px;">
+          <div style="background: #1e293b; border-radius: 12px; padding: 40px; text-align: center;">
+            <h2 style="color: #f1f5f9; margin: 0 0 8px;">SecurePool</h2>
+            <p style="color: #94a3b8; font-size: 14px; margin: 0 0 32px;">Your one-time verification code</p>
+            <div style="background: #0f172a; border-radius: 8px; padding: 20px; margin: 0 0 24px;">
+              <span style="font-size: 36px; font-weight: 700; letter-spacing: 8px; color: #3b82f6;">${code}</span>
+            </div>
+            <p style="color: #64748b; font-size: 13px; margin: 0;">
+              This code expires in <strong style="color: #94a3b8;">5 minutes</strong>.<br/>
+              If you didn't request this, ignore this email.
+            </p>
+          </div>
+        </div>
+      `,
+    });
+  }
+}

package/packages/infrastructure/src/google/GoogleAuthServiceImpl.ts

@@ -0,0 +1,28 @@
+import { OAuth2Client } from "google-auth-library";
+import { IGoogleAuthService } from "@securepool/application";
+
+export class GoogleAuthServiceImpl implements IGoogleAuthService {
+  private client: OAuth2Client;
+
+  constructor(private clientId: string) {
+    this.client = new OAuth2Client(clientId);
+  }
+
+  async verifyToken(token: string): Promise<{ email: string; name: string; googleId: string }> {
+    const ticket = await this.client.verifyIdToken({
+      idToken: token,
+      audience: this.clientId,
+    });
+
+    const payload = ticket.getPayload();
+    if (!payload || !payload.email) {
+      throw new Error("Invalid Google token");
+    }
+
+    return {
+      email: payload.email,
+      name: payload.name || "",
+      googleId: payload.sub,
+    };
+  }
+}

package/packages/infrastructure/src/hashing/BcryptHasher.ts

@@ -0,0 +1,18 @@
+import bcrypt from "bcrypt";
+import { IPasswordHasher } from "@securepool/application";
+
+export class BcryptHasher implements IPasswordHasher {
+  private saltRounds: number;
+
+  constructor(saltRounds: number = 12) {
+    this.saltRounds = saltRounds;
+  }
+
+  async hash(password: string): Promise<string> {
+    return bcrypt.hash(password, this.saltRounds);
+  }
+
+  async compare(password: string, hash: string): Promise<boolean> {
+    return bcrypt.compare(password, hash);
+  }
+}

package/packages/infrastructure/src/index.ts

@@ -0,0 +1,6 @@
+export { JwtTokenService } from "./jwt/JwtTokenService";
+export { BcryptHasher } from "./hashing/BcryptHasher";
+export { OtpServiceImpl } from "./otp/OtpServiceImpl";
+export { GoogleAuthServiceImpl } from "./google/GoogleAuthServiceImpl";
+export { NodemailerEmailService } from "./email/NodemailerEmailService";
+export type { EmailConfig } from "./email/NodemailerEmailService";