impl(api): verify email and reset password handlers in confirmationCode.

Author: mmoehabb

packages/models/tests/subscriptions.test.ts

@@ -58,7 +58,9 @@ describe("transactions", () => {
 
       const res = await subscriptions.find({ users: [u1.id, u3.id] });
       expect(res.total).to.eq(3);
-      expect(res.list).to.deep.members([subs[0], subs[1], subs[4]]);
+      for (const sub of [subs[0], subs[1], subs[4]]) {
+        expect(res.list).to.deep.contain(sub);
+      }
     });
   });
 

packages/types/src/confirmationCode.ts

@@ -47,3 +47,20 @@ export type VerifyPhoneCodePayload = {
   code: number;
   method: IUser.NotificationMethodLiteral;
 };
+
+export type SendCodeEmailPayload = {
+  email: string;
+};
+
+export type ConfirmPasswordCodePayload = {
+  userId: number;
+  code: number;
+};
+
+export type ConfirmPasswordCodeApiResponse = {
+  token: string;
+};
+
+export type VerifyEmailPayload = {
+  code: number;
+};

packages/types/src/token.ts

@@ -37,6 +37,11 @@ export type AuthTokenEmail = {
   user: number;
 };
 
+export type CodeEmail = {
+  type: Type.VerifyEmail | Type.ForgetPassword;
+  user: number;
+};
+
 export type VerifyEmailJwtPayload = {
   type: Type.VerifyEmail;
   user: number;

packages/utils/src/constants.ts

@@ -85,7 +85,7 @@ export const NOTIFICATION_METHOD_TO_PURPOSE: Record<
   [IUser.NotificationMethod.Telegram]: IConfirmationCode.Purpose.VerifyTelegram,
 };
 
-export const NOTIFICATION_METHOD_LITERAL_TO_NOTIFICATION_METHOD: Record<
+export const NOTIFICATION_METHOD_LITERAL_TO_ENUM: Record<
   IUser.NotificationMethodLiteral,
   IUser.NotificationMethod
 > = {

services/server/fixtures/db.ts

@@ -88,7 +88,12 @@ export async function user(payload?: Partial<IUser.CreatePayload>) {
     name: payload?.name || faker.internet.username(),
     password: hashPassword(payload?.password || "Password@8"),
     birthYear: payload?.birthYear || faker.number.int({ min: 2000, max: 2024 }),
-    role: payload?.role || (sample(Object.values(IUser.Role)) as IUser.Role),
+    role:
+      payload?.role ||
+      (sample(
+        Object.values(IUser.Role).filter((i) => typeof i === "number")
+      ) as IUser.Role),
+    verifiedEmail: payload?.verifiedEmail || false,
   });
 }
 

services/server/src/handlers/confirmationCode.ts

@@ -1,29 +1,32 @@
 import {
-  bad,
+  emailAlreadyVerified,
   expiredVerificationCode,
   forbidden,
   invalidVerificationCode,
+  notfound,
   unresolvedPhone,
 } from "@/lib/error";
 import { confirmationCodes, knex, users } from "@litespace/models";
 import { IConfirmationCode, IUser } from "@litespace/types";
 import {
-  CONFIRMATION_CODE_VALIDITY_MINUTES,
   isUser,
+  CONFIRMATION_CODE_VALIDITY_MINUTES,
   NOTIFICATION_METHOD_LITERAL_TO_KAFKA_TOPIC,
-  NOTIFICATION_METHOD_LITERAL_TO_NOTIFICATION_METHOD,
+  NOTIFICATION_METHOD_LITERAL_TO_ENUM,
   NOTIFICATION_METHOD_LITERAL_TO_PURPOSE,
 } from "@litespace/utils";
 import { NextFunction, Request, Response } from "express";
 import zod from "zod";
 import dayjs from "@/lib/dayjs";
 import safeRequest from "express-async-handler";
 import { first } from "lodash";
-import { generateConfirmationCode } from "@/lib/confirmationCodes";
+import { generateConfirmationCode, selectPhone } from "@/lib/confirmationCodes";
 import { messenger } from "@/lib/messenger";
-import { withPhone } from "@/lib/user";
 import { producer } from "@/lib/kafka";
-import { unionOfLiterals } from "@/validation/utils";
+import { id, unionOfLiterals, email } from "@/validation/utils";
+import { sendBackgroundMessage } from "@/workers";
+import { jwtSecret } from "@/constants";
+import { encodeAuthJwt } from "@litespace/auth";
 
 const method = unionOfLiterals<IUser.NotificationMethodLiteral>([
   "whatsapp",
@@ -40,6 +43,17 @@ const verifyNotificationMethodCodePayload = zod.object({
   method,
 });
 
+const sendCodePayload = zod.object({ email });
+
+const confirmPasswordCodePayload = zod.object({
+  userId: id,
+  code: zod.number(),
+});
+
+const verifyEmailPayload = zod.object({
+  code: zod.number(),
+});
+
 async function sendVerifyPhoneCode(
   req: Request,
   res: Response,
@@ -51,21 +65,22 @@ async function sendVerifyPhoneCode(
 
   const payload: IConfirmationCode.SendVerifyPhoneCodePayload =
     sendVerifyNotificationMethodCodePayload.parse(req.body);
-  const { valid, update, phone } = withPhone(user.phone, payload.phone);
 
-  if (!valid || !phone) return next(bad("Invalid or missing phone number"));
-  if (update) await users.update(user.id, { phone });
+  const phone = selectPhone(user.phone, payload.phone);
+  if (phone instanceof Error) return next(phone);
+  if (!user.phone) await users.update(user.id, { phone });
 
   const purpose = NOTIFICATION_METHOD_LITERAL_TO_PURPOSE[payload.method];
 
-  // Remove any confirmation code that blongs to the current user under the same
+  // Remove any confirmation code that belongs to the current user under the same
   // purpose. This way users will only have one code under a given purpose at
-  // any given point of time.
+  // any point of time.
   await confirmationCodes.delete({
     users: [user.id],
     purposes: [purpose],
   });
 
+  // Store the new code in the db
   const code = await confirmationCodes.create({
     userId: user.id,
     purpose,
@@ -76,13 +91,14 @@ async function sendVerifyPhoneCode(
       .toISOString(),
   });
 
+  // If the method is telegram; we need to resolve the number first with telegram Api
   const resolvedPhone =
     payload.method !== "telegram" ||
     (await messenger.telegram.resolvePhone({ phone }).then((phone) => !!phone));
   if (!resolvedPhone) return next(unresolvedPhone());
 
+  // Send the notification using Kafka Producer
   const topic = NOTIFICATION_METHOD_LITERAL_TO_KAFKA_TOPIC[payload.method];
-
   await producer.send({
     topic,
     messages: [
@@ -136,8 +152,7 @@ async function verifyPhoneCode(
       user.id,
       {
         verifiedPhone: true,
-        notificationMethod:
-          NOTIFICATION_METHOD_LITERAL_TO_NOTIFICATION_METHOD[method],
+        notificationMethod: NOTIFICATION_METHOD_LITERAL_TO_ENUM[method],
         verifiedWhatsApp,
         verifiedTelegram,
       },
@@ -148,7 +163,175 @@ async function verifyPhoneCode(
   res.sendStatus(200);
 }
 
+/**
+ * This handler generates a random code, sets it in the database
+ * and sends it to the user by mail.
+ */
+async function sendForgottenPasswordCode(
+  req: Request,
+  res: Response,
+  next: NextFunction
+) {
+  const { email }: IConfirmationCode.SendCodeEmailPayload =
+    sendCodePayload.parse(req.body);
+
+  const user = await users.findByEmail(email);
+  if (!user) return next(notfound.user());
+
+  // Remove any confirmation code that belongs to the current user
+  // under the same purpose
+  await confirmationCodes.delete({
+    users: [user.id],
+    purposes: [IConfirmationCode.Purpose.ResetPassword],
+  });
+
+  // Generate and store the new code in the db
+  const { code } = await confirmationCodes.create({
+    userId: user.id,
+    purpose: IConfirmationCode.Purpose.ResetPassword,
+    code: generateConfirmationCode(),
+    expiresAt: dayjs
+      .utc()
+      .add(CONFIRMATION_CODE_VALIDITY_MINUTES, "minutes")
+      .toISOString(),
+  });
+
+  if (user) {
+    sendBackgroundMessage({
+      type: "send-forget-password-code-email",
+      payload: { email: user.email, code },
+    });
+  }
+
+  res.status(200).send();
+}
+
+/**
+ * This handler gets a userId and code from users, verify the validity of the code
+ * and generates, then send, a token, to the user, in order to be able to reset
+ * the password.
+ */
+async function confirmForgottenPasswordCode(
+  req: Request,
+  res: Response,
+  next: NextFunction
+) {
+  const { userId, code }: IConfirmationCode.ConfirmPasswordCodePayload =
+    confirmPasswordCodePayload.parse(req.body);
+
+  const user = await users.findById(userId);
+  if (!user) return next(notfound.user());
+
+  // Check if the code is valid (exists in the db)
+  const found = (
+    await confirmationCodes.find({
+      userId: user.id,
+      purpose: IConfirmationCode.Purpose.ResetPassword,
+    })
+  )[0];
+
+  // TODO: count the number of tries, then block using this handler for while
+  // for this specific userId, after a specific number of tries.
+  if (!found || found.code !== code) return next(invalidVerificationCode());
+
+  // Ensure the code is not expired
+  if (dayjs.utc(found.expiresAt).isBefore(dayjs.utc())) {
+    await confirmationCodes.deleteById({ id: found.id });
+    return next(expiredVerificationCode());
+  }
+
+  // This token should be used by frontend reset password page
+  // in order to be able to change the password
+  const token = encodeAuthJwt(userId, jwtSecret);
+
+  // Remove the confirmation code for more data integridy and security
+  await confirmationCodes.deleteById({ id: found.id });
+
+  const response: IConfirmationCode.ConfirmPasswordCodeApiResponse = { token };
+  res.status(200).json(response);
+}
+
+async function sendEmailVerificationCode(
+  req: Request,
+  res: Response,
+  next: NextFunction
+) {
+  const user = req.user;
+  const allowed = isUser(user);
+  if (!allowed) return next(forbidden());
+
+  if (user.verifiedEmail) return next(emailAlreadyVerified());
+
+  // Generate and store the new code in the db
+  const { code } = await confirmationCodes.create({
+    userId: user.id,
+    purpose: IConfirmationCode.Purpose.VerifyEmail,
+    code: generateConfirmationCode(),
+    expiresAt: dayjs
+      .utc()
+      .add(CONFIRMATION_CODE_VALIDITY_MINUTES, "minutes")
+      .toISOString(),
+  });
+
+  sendBackgroundMessage({
+    type: "send-user-verification-code-email",
+    payload: {
+      code,
+      email: user.email,
+    },
+  });
+
+  res.status(200).send();
+}
+
+/**
+ * Despite the name, this function verify the email in the db as well
+ */
+async function confirmEmailVerificationCode(
+  req: Request,
+  res: Response,
+  next: NextFunction
+) {
+  const user = req.user;
+  const allowed = isUser(user);
+  if (!allowed) return next(forbidden());
+
+  if (user.verifiedEmail) return next(emailAlreadyVerified());
+
+  // get the code from the payload and verify it
+  const { code }: IConfirmationCode.VerifyEmailPayload =
+    verifyEmailPayload.parse(req.body);
+
+  const found = (
+    await confirmationCodes.find({
+      userId: user.id,
+      purpose: IConfirmationCode.Purpose.VerifyEmail,
+    })
+  )[0];
+
+  // TODO: count the number of tries, then block using this handler for while
+  // for this specific userId, after a specific number of tries.
+  if (!found || found.code !== code) return next(invalidVerificationCode());
+
+  // Ensure the code is not expired
+  if (dayjs.utc(found.expiresAt).isBefore(dayjs.utc())) {
+    await confirmationCodes.deleteById({ id: found.id });
+    return next(expiredVerificationCode());
+  }
+
+  // update the database to mark the email as verified
+  await users.update(user.id, { verifiedEmail: true });
+
+  res.status(200).send();
+}
+
 export default {
   sendVerifyPhoneCode: safeRequest(sendVerifyPhoneCode),
   verifyPhoneCode: safeRequest(verifyPhoneCode),
+
+  sendForgottenPasswordCode: safeRequest(sendForgottenPasswordCode),
+  confirmForgottenPasswordCode: safeRequest(confirmForgottenPasswordCode),
+
+  sendEmailVerificationCode: safeRequest(sendEmailVerificationCode),
+  confirmEmailVerificationCode: safeRequest(confirmEmailVerificationCode),
 };