This commit is contained in:
Bastian Wagner
2026-06-09 09:45:33 +02:00
commit 537c7cbbee
124 changed files with 27283 additions and 0 deletions

View File

@@ -0,0 +1,333 @@
import {
BadRequestException,
ConflictException,
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { EventEmitter2 } from '@nestjs/event-emitter';
import { JwtService } from '@nestjs/jwt';
import { InjectRepository } from '@nestjs/typeorm';
import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from 'crypto';
import { Repository } from 'typeorm';
import { LoginDto } from './dto/login.dto';
import { RegisterDto } from './dto/register.dto';
import { RefreshTokenDto } from './dto/refresh-token.dto';
import {
AuthTokenResponse,
AuthTokens,
JwtTokenPayload,
PublicUser,
} from './auth.types';
import { AppEvents } from '../events/app-events';
import { RefreshTokenEntity } from './refresh-token.entity';
import { UserEntity } from './user.entity';
@Injectable()
export class AuthService {
private readonly accessTokenExpiresIn = '15m';
private readonly refreshTokenExpiresIn = '7d';
private readonly accessTokenSecret =
process.env.JWT_ACCESS_SECRET ?? 'dev-access-secret';
private readonly refreshTokenSecret =
process.env.JWT_REFRESH_SECRET ?? 'dev-refresh-secret';
constructor(
private readonly eventEmitter: EventEmitter2,
private readonly jwtService: JwtService,
@InjectRepository(UserEntity)
private readonly usersRepository: Repository<UserEntity>,
@InjectRepository(RefreshTokenEntity)
private readonly refreshTokensRepository: Repository<RefreshTokenEntity>,
) {}
async register(
registerDto: RegisterDto,
): Promise<{ message: string; user: PublicUser }> {
const email = this.normalizeEmail(registerDto.email);
const password = this.requirePassword(registerDto.password);
const name = this.normalizeName(registerDto.name);
const existingUser = await this.usersRepository.findOne({
where: { email },
});
if (existingUser) {
throw new ConflictException('Email is already registered.');
}
const verificationToken = this.createToken();
const user = this.usersRepository.create({
id: randomUUID(),
email,
name,
passwordHash: this.hashPassword(password),
verificationToken,
verified: false,
});
const savedUser = await this.usersRepository.save(user);
this.eventEmitter.emit(AppEvents.UserRegistered, {
email,
verificationUrl: this.createVerificationUrl(verificationToken),
});
return {
message: 'Registration successful. Please verify your email address.',
user: this.toPublicUser(savedUser),
};
}
async verifyEmail(
token?: string,
): Promise<{ message: string; user: PublicUser }> {
if (!token) {
throw new BadRequestException('Verification token is required.');
}
const user = await this.usersRepository.findOne({
where: { verificationToken: token },
});
if (!user) {
throw new BadRequestException('Verification token is invalid.');
}
user.verified = true;
user.verificationToken = null;
try {
const savedUser = await this.usersRepository.save(user);
return {
message: 'Email verified successfully.',
user: this.toPublicUser(savedUser),
};
} catch {
throw new BadRequestException('user not saved.')
}
}
async login(loginDto: LoginDto): Promise<AuthTokenResponse> {
const email = this.normalizeEmail(loginDto.email);
const password = this.requirePassword(loginDto.password);
const user = await this.usersRepository.findOne({ where: { email } });
if (!user || !this.passwordMatches(password, user.passwordHash)) {
throw new UnauthorizedException('Invalid email or password.');
}
if (!user.verified) {
throw new UnauthorizedException('Please verify your email before login.');
}
return {
...(await this.createAuthTokens(user)),
user: this.toPublicUser(user),
};
}
async refresh(refreshTokenDto: RefreshTokenDto = {}): Promise<AuthTokenResponse> {
const refreshToken = this.requireRefreshToken(refreshTokenDto.refreshToken);
const payload = this.verifyRefreshToken(refreshToken);
const tokenRecord = await this.refreshTokensRepository.findOne({
where: { jti: payload.jti },
});
if (
!tokenRecord ||
tokenRecord.userId !== payload.sub ||
tokenRecord.expiresAt.getTime() <= Date.now() ||
!this.tokenMatches(refreshToken, tokenRecord.tokenHash)
) {
throw new UnauthorizedException('Refresh token is invalid.');
}
const user = await this.usersRepository.findOne({
where: { id: payload.sub },
});
if (!user || !user.verified) {
throw new UnauthorizedException('Refresh token is invalid.');
}
await this.refreshTokensRepository.delete({ jti: payload.jti });
return {
...(await this.createAuthTokens(user)),
user: this.toPublicUser(user),
};
}
async verifyAccessToken(accessToken: string): Promise<JwtTokenPayload> {
try {
const payload = this.jwtService.verify<JwtTokenPayload>(accessToken, {
secret: this.accessTokenSecret,
});
if (payload.type !== 'access') {
throw new UnauthorizedException('Access token is invalid.');
}
const user = await this.usersRepository.findOne({
where: { id: payload.sub },
});
if (!user || !user.verified) {
throw new UnauthorizedException('Access token is invalid.');
}
return payload;
} catch {
throw new UnauthorizedException('Access token is invalid.');
}
}
async getUserDisplayName(userId: string): Promise<string> {
const user = await this.usersRepository.findOne({
where: { id: userId },
});
if (!user) {
throw new UnauthorizedException('Authenticated user is required.');
}
return user.name || user.email;
}
private normalizeEmail(email?: string): string {
const normalizedEmail = email?.trim().toLowerCase();
if (
!normalizedEmail ||
!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalizedEmail)
) {
throw new BadRequestException('A valid email is required.');
}
return normalizedEmail;
}
private normalizeName(name?: string): string | undefined {
const normalizedName = name?.trim();
return normalizedName || undefined;
}
private requirePassword(password?: string): string {
if (!password || password.length < 8) {
throw new BadRequestException(
'Password must contain at least 8 characters.',
);
}
return password;
}
private hashPassword(password: string): string {
const salt = randomBytes(16).toString('hex');
const hash = scryptSync(password, salt, 64).toString('hex');
return `${salt}:${hash}`;
}
private passwordMatches(password: string, passwordHash: string): boolean {
const [salt, storedHash] = passwordHash.split(':');
if (!salt || !storedHash) {
return false;
}
const attemptedHash = scryptSync(password, salt, 64);
const storedHashBuffer = Buffer.from(storedHash, 'hex');
return (
storedHashBuffer.length === attemptedHash.length &&
timingSafeEqual(storedHashBuffer, attemptedHash)
);
}
private async createAuthTokens(user: UserEntity): Promise<AuthTokens> {
const refreshTokenJti = randomUUID();
const accessTokenPayload: JwtTokenPayload = {
sub: user.id,
email: user.email,
type: 'access',
};
const refreshTokenPayload: JwtTokenPayload = {
sub: user.id,
email: user.email,
type: 'refresh',
jti: refreshTokenJti,
};
const accessToken = this.jwtService.sign(accessTokenPayload, {
expiresIn: this.accessTokenExpiresIn,
secret: this.accessTokenSecret,
});
const refreshToken = this.jwtService.sign(refreshTokenPayload, {
expiresIn: this.refreshTokenExpiresIn,
secret: this.refreshTokenSecret,
});
await this.refreshTokensRepository.save(
this.refreshTokensRepository.create({
jti: refreshTokenJti,
userId: user.id,
tokenHash: this.hashToken(refreshToken),
expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
}),
);
return { accessToken, refreshToken };
}
private verifyRefreshToken(refreshToken: string): JwtTokenPayload & {
jti: string;
} {
try {
const payload = this.jwtService.verify<JwtTokenPayload>(refreshToken, {
secret: this.refreshTokenSecret,
});
if (payload.type !== 'refresh' || !payload.jti) {
throw new UnauthorizedException('Refresh token is invalid.');
}
return { ...payload, jti: payload.jti };
} catch {
throw new UnauthorizedException('Refresh token is invalid.');
}
}
private requireRefreshToken(refreshToken?: string): string {
if (!refreshToken) {
throw new BadRequestException('Refresh token is required.');
}
return refreshToken;
}
private hashToken(token: string): string {
const salt = randomBytes(16).toString('hex');
const hash = scryptSync(token, salt, 64).toString('hex');
return `${salt}:${hash}`;
}
private tokenMatches(token: string, tokenHash: string): boolean {
return this.passwordMatches(token, tokenHash);
}
private createToken(): string {
return randomBytes(32).toString('hex');
}
private createVerificationUrl(token: string): string {
const clientUrl = process.env.CLIENT_URL ?? 'http://localhost:4200';
return `${clientUrl}/verify-email?token=${token}`;
}
private toPublicUser(user: UserEntity): PublicUser {
return {
id: user.id,
email: user.email,
name: user.name ?? undefined,
verified: user.verified,
};
}
}