verify email workflow working

2026-02-15 01:16:38 +00:00 · 2024-10-04 23:14:40 -04:00
parent e176295593
commit 76eeb335a3
23 changed files with 16363 additions and 15802 deletions
--- a/server/routers/auth/disable2fa.ts
+++ b/server/routers/auth/disable2fa.ts
@@ -35,36 +35,45 @@ export async function disable2fa(
    const { password } = parsedBody.data;
    const user = req.user as User;

-    const validPassword = await verify(user.passwordHash, password, {
-        memoryCost: 19456,
-        timeCost: 2,
-        outputLen: 32,
-        parallelism: 1,
-    });
-    if (!validPassword) {
-        await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
-        return next(unauthorized());
-    }
+    try {
+        const validPassword = await verify(user.passwordHash, password, {
+            memoryCost: 19456,
+            timeCost: 2,
+            outputLen: 32,
+            parallelism: 1,
+        });
+        if (!validPassword) {
+            await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
+            return next(unauthorized());
+        }

-    if (!user.twoFactorEnabled) {
+        if (!user.twoFactorEnabled) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Two-factor authentication is already disabled",
+                ),
+            );
+        }
+
+        await db
+            .update(users)
+            .set({ twoFactorEnabled: false })
+            .where(eq(users.id, user.id));
+
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Two-factor authentication disabled",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
        return next(
            createHttpError(
-                HttpCode.BAD_REQUEST,
-                "Two-factor authentication is already disabled",
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to disable two-factor authentication",
            ),
        );
    }
-
-    await db
-        .update(users)
-        .set({ twoFactorEnabled: false })
-        .where(eq(users.id, user.id));
-
-    return response<null>(res, {
-        data: null,
-        success: true,
-        error: false,
-        message: "Two-factor authentication disabled",
-        status: HttpCode.OK,
-    });
 }
--- a/server/routers/auth/index.ts
+++ b/server/routers/auth/index.ts
@@ -8,4 +8,6 @@ export * from "./verifyOrgAccess";
 export * from "./getUserOrgs";
 export * from "./verifySiteAccess";
 export * from "./verifyResourceAccess";
-export * from "./verifyTargetAccess";
+export * from "./verifyTargetAccess";
+export * from "./verifyEmail";
+export * from "./requestEmailVerificationCode";
--- a/server/routers/auth/login.ts
+++ b/server/routers/auth/login.ts
@@ -4,6 +4,7 @@ import db from "@server/db";
 import { users } from "@server/db/schema";
 import { sendEmail } from "@server/emails";
 import { VerifyEmail } from "@server/emails/templates/verifyEmailCode";
+import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/utils/response";
 import { eq } from "drizzle-orm";
@@ -24,6 +25,7 @@ export type LoginBody = z.infer<typeof loginBodySchema>;

 export type LoginResponse = {
    codeRequested?: boolean;
+    emailVerificationRequired?: boolean;
 };

 export async function login(
@@ -44,95 +46,118 @@ export async function login(

    const { email, password, code } = parsedBody.data;

-    const { session: existingSession } = await verifySession(req);
-    if (existingSession) {
-        return response<null>(res, {
-            data: null,
-            success: true,
-            error: false,
-            message: "Already logged in",
-            status: HttpCode.OK,
-        });
-    }
-
-    const existingUserRes = await db
-        .select()
-        .from(users)
-        .where(eq(users.email, email));
-    if (!existingUserRes || !existingUserRes.length) {
-        return next(
-            createHttpError(
-                HttpCode.BAD_REQUEST,
-                "Username or password is incorrect",
-            ),
-        );
-    }
-
-    const existingUser = existingUserRes[0];
-
-    const validPassword = await verify(existingUser.passwordHash, password, {
-        memoryCost: 19456,
-        timeCost: 2,
-        outputLen: 32,
-        parallelism: 1,
-    });
-    if (!validPassword) {
-        await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
-        return next(
-            createHttpError(
-                HttpCode.BAD_REQUEST,
-                "Username or password is incorrect",
-            ),
-        );
-    }
-
-    if (existingUser.twoFactorEnabled) {
-        if (!code) {
-            return response<{ codeRequested: boolean }>(res, {
-                data: { codeRequested: true },
+    try {
+        const { session: existingSession } = await verifySession(req);
+        if (existingSession) {
+            return response<null>(res, {
+                data: null,
                success: true,
                error: false,
-                message: "Two-factor authentication required",
-                status: HttpCode.ACCEPTED,
+                message: "Already logged in",
+                status: HttpCode.OK,
            });
        }

-        if (!existingUser.twoFactorSecret) {
+        const existingUserRes = await db
+            .select()
+            .from(users)
+            .where(eq(users.email, email));
+        if (!existingUserRes || !existingUserRes.length) {
            return next(
                createHttpError(
-                    HttpCode.INTERNAL_SERVER_ERROR,
-                    "Failed to authenticate user",
+                    HttpCode.BAD_REQUEST,
+                    "Username or password is incorrect",
                ),
            );
        }

-        const validOTP = await new TOTPController().verify(
-            code,
-            decodeHex(existingUser.twoFactorSecret),
-        );
+        const existingUser = existingUserRes[0];

-        if (!validOTP) {
+        const validPassword = await verify(
+            existingUser.passwordHash,
+            password,
+            {
+                memoryCost: 19456,
+                timeCost: 2,
+                outputLen: 32,
+                parallelism: 1,
+            },
+        );
+        if (!validPassword) {
            await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
-                    "The two-factor code you entered is incorrect",
+                    "Username or password is incorrect",
                ),
            );
        }
+
+        if (existingUser.twoFactorEnabled) {
+            if (!code) {
+                return response<{ codeRequested: boolean }>(res, {
+                    data: { codeRequested: true },
+                    success: true,
+                    error: false,
+                    message: "Two-factor authentication required",
+                    status: HttpCode.ACCEPTED,
+                });
+            }
+
+            if (!existingUser.twoFactorSecret) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Failed to authenticate user",
+                    ),
+                );
+            }
+
+            const validOTP = await new TOTPController().verify(
+                code,
+                decodeHex(existingUser.twoFactorSecret),
+            );
+
+            if (!validOTP) {
+                await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "The two-factor code you entered is incorrect",
+                    ),
+                );
+            }
+        }
+
+        const session = await lucia.createSession(existingUser.id, {});
+        res.appendHeader(
+            "Set-Cookie",
+            lucia.createSessionCookie(session.id).serialize(),
+        );
+
+        if (!existingUser.emailVerified) {
+            return response<LoginResponse>(res, {
+                data: { emailVerificationRequired: true },
+                success: true,
+                error: false,
+                message: "Email verification code sent",
+                status: HttpCode.ACCEPTED,
+            });
+        }
+
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Logged in successfully",
+            status: HttpCode.OK,
+        });
+    } catch (e) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to authenticate user",
+            ),
+        );
    }
-
-    const session = await lucia.createSession(existingUser.id, {});
-    res.appendHeader(
-        "Set-Cookie",
-        lucia.createSessionCookie(session.id).serialize(),
-    );
-
-    return response<null>(res, {
-        data: null,
-        success: true,
-        error: false,
-        message: "Logged in successfully",
-        status: HttpCode.OK,
-    });
 }
--- a/server/routers/auth/logout.ts
+++ b/server/routers/auth/logout.ts
@@ -3,6 +3,7 @@ import { lucia } from "@server/auth";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/utils/response";
+import logger from "@server/logger";

 export async function logout(
    req: Request,
@@ -20,14 +21,26 @@ export async function logout(
        );
    }

-    await lucia.invalidateSession(sessionId);
-    res.setHeader("Set-Cookie", lucia.createBlankSessionCookie().serialize());
+    try {
+        await lucia.invalidateSession(sessionId);
+        res.setHeader(
+            "Set-Cookie",
+            lucia.createBlankSessionCookie().serialize(),
+        );

-    return response<null>(res, {
-        data: null,
-        success: true,
-        error: false,
-        message: "Logged out successfully",
-        status: HttpCode.OK,
-    });
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Logged out successfully",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to log out",
+            ),
+        );
+    }
 }
--- a/server/routers/auth/requestEmailVerificationCode.ts
+++ b/server/routers/auth/requestEmailVerificationCode.ts
@@ -0,0 +1,50 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { response } from "@server/utils";
+import { User } from "@server/db/schema";
+import { sendEmailVerificationCode } from "./sendEmailVerificationCode";
+
+export type RequestEmailVerificationCodeResponse = {
+    codeSent: boolean;
+};
+
+export async function requestEmailVerificationCode(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    try {
+        const user = req.user as User;
+
+        if (user.emailVerified) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Email is already verified",
+                ),
+            );
+        }
+
+        await sendEmailVerificationCode(user.email, user.id);
+
+        return response<RequestEmailVerificationCodeResponse>(res, {
+            data: {
+                codeSent: true,
+            },
+            status: HttpCode.OK,
+            success: true,
+            error: false,
+            message: `Email verification code sent to ${user.email}`,
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to send email verification code",
+            ),
+        );
+    }
+}
+
+export default requestEmailVerificationCode;
--- a/server/routers/auth/requestTotpSecret.ts
+++ b/server/routers/auth/requestTotpSecret.ts
@@ -43,44 +43,53 @@ export async function requestTotpSecret(

    const user = req.user as User;

-    const validPassword = await verify(user.passwordHash, password, {
-        memoryCost: 19456,
-        timeCost: 2,
-        outputLen: 32,
-        parallelism: 1,
-    });
-    if (!validPassword) {
-        await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
-        return next(unauthorized());
-    }
+    try {
+        const validPassword = await verify(user.passwordHash, password, {
+            memoryCost: 19456,
+            timeCost: 2,
+            outputLen: 32,
+            parallelism: 1,
+        });
+        if (!validPassword) {
+            await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
+            return next(unauthorized());
+        }

-    if (user.twoFactorEnabled) {
+        if (user.twoFactorEnabled) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "User has already enabled two-factor authentication",
+                ),
+            );
+        }
+
+        const hex = crypto.getRandomValues(new Uint8Array(20));
+        const secret = encodeHex(hex);
+        const uri = createTOTPKeyURI(env.APP_NAME, user.email, hex);
+
+        await db
+            .update(users)
+            .set({
+                twoFactorSecret: secret,
+            })
+            .where(eq(users.id, user.id));
+
+        return response<RequestTotpSecretResponse>(res, {
+            data: {
+                secret: uri,
+            },
+            success: true,
+            error: false,
+            message: "TOTP secret generated successfully",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
        return next(
            createHttpError(
-                HttpCode.BAD_REQUEST,
-                "User has already enabled two-factor authentication",
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to generate TOTP secret",
            ),
        );
    }
-
-    const hex = crypto.getRandomValues(new Uint8Array(20));
-    const secret = encodeHex(hex);
-    const uri = createTOTPKeyURI(env.APP_NAME, user.email, hex);
-
-    await db
-        .update(users)
-        .set({
-            twoFactorSecret: secret,
-        })
-        .where(eq(users.id, user.id));
-
-    return response<RequestTotpSecretResponse>(res, {
-        data: {
-            secret: uri,
-        },
-        success: true,
-        error: false,
-        message: "TOTP secret generated successfully",
-        status: HttpCode.OK,
-    });
 }
--- a/server/routers/auth/sendEmailVerificationCode.ts
+++ b/server/routers/auth/sendEmailVerificationCode.ts
@@ -0,0 +1,41 @@
+import { TimeSpan, createDate } from "oslo";
+import { generateRandomString, alphabet } from "oslo/crypto";
+import db from "@server/db";
+import { users, emailVerificationCodes } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import { sendEmail } from "@server/emails";
+import VerifyEmail from "@server/emails/templates/verifyEmailCode";
+import env from "@server/environment";
+
+export async function sendEmailVerificationCode(
+    email: string,
+    userId: string,
+): Promise<void> {
+    const code = await generateEmailVerificationCode(userId, email);
+
+    await sendEmail(VerifyEmail({ username: email, verificationCode: code }), {
+        to: email,
+        from: env.EMAIL_NOREPLY!,
+        subject: "Verify your email address",
+    });
+}
+
+async function generateEmailVerificationCode(
+    userId: string,
+    email: string,
+): Promise<string> {
+    await db
+        .delete(emailVerificationCodes)
+        .where(eq(emailVerificationCodes.userId, userId));
+
+    const code = generateRandomString(8, alphabet("0-9"));
+
+    await db.insert(emailVerificationCodes).values({
+        userId,
+        email,
+        code,
+        expiresAt: createDate(new TimeSpan(15, "m")).getTime(),
+    });
+
+    return code;
+}
--- a/server/routers/auth/signup.ts
+++ b/server/routers/auth/signup.ts
@@ -10,6 +10,8 @@ import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
 import response from "@server/utils/response";
 import { SqliteError } from "better-sqlite3";
+import { sendEmailVerificationCode } from "./sendEmailVerificationCode";
+import logger from "@server/logger";

 export const signupBodySchema = z.object({
    email: z.string().email(),
@@ -28,6 +30,10 @@ export const signupBodySchema = z.object({

 export type SignUpBody = z.infer<typeof signupBodySchema>;

+export type SignUpResponse = {
+    emailVerificationRequired: boolean;
+};
+
 export async function signup(
    req: Request,
    res: Response,
@@ -68,11 +74,15 @@ export async function signup(
            lucia.createSessionCookie(session.id).serialize(),
        );

-        return response<null>(res, {
-            data: null,
+        sendEmailVerificationCode(email, userId);
+
+        return response<SignUpResponse>(res, {
+            data: {
+                emailVerificationRequired: true,
+            },
            success: true,
            error: false,
-            message: "User created successfully",
+            message: `User created successfully. We sent an email to ${email} with a verification code.`,
            status: HttpCode.OK,
        });
    } catch (e) {
--- a/server/routers/auth/verifyEmail.ts
+++ b/server/routers/auth/verifyEmail.ts
@@ -0,0 +1,109 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import HttpCode from "@server/types/HttpCode";
+import { response } from "@server/utils";
+import { db } from "@server/db";
+import { User, emailVerificationCodes, users } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import { isWithinExpirationDate } from "oslo";
+
+export const verifyEmailBody = z.object({
+    code: z.string(),
+});
+
+export type VerifyEmailBody = z.infer<typeof verifyEmailBody>;
+
+export type VerifyEmailResponse = {
+    valid: boolean;
+};
+
+export async function verifyEmail(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedBody = verifyEmailBody.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString(),
+            ),
+        );
+    }
+
+    const { code } = parsedBody.data;
+
+    const user = req.user as User;
+
+    if (user.emailVerified) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Email is already verified"),
+        );
+    }
+
+    try {
+        const valid = await isValidCode(user, code);
+
+        if (valid) {
+            await db
+                .delete(emailVerificationCodes)
+                .where(eq(emailVerificationCodes.userId, user.id));
+
+            await db
+                .update(users)
+                .set({
+                    emailVerified: true,
+                })
+                .where(eq(users.id, user.id));
+        }
+
+        return response<VerifyEmailResponse>(res, {
+            success: true,
+            error: false,
+            message: valid ? "Code is valid" : "Code is invalid",
+            status: HttpCode.OK,
+            data: {
+                valid,
+            },
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to verify email",
+            ),
+        );
+    }
+}
+
+export default verifyEmail;
+
+async function isValidCode(user: User, code: string): Promise<boolean> {
+    const codeRecord = await db
+        .select()
+        .from(emailVerificationCodes)
+        .where(eq(emailVerificationCodes.userId, user.id))
+        .limit(1);
+
+    if (user.email !== codeRecord[0].email) {
+        return false;
+    }
+
+    if (codeRecord.length === 0) {
+        return false;
+    }
+
+    if (codeRecord[0].code !== code) {
+        return false;
+    }
+
+    if (!isWithinExpirationDate(new Date(codeRecord[0].expiresAt))) {
+        return false;
+    }
+
+    return true;
+}
--- a/server/routers/auth/verifyTotp.ts
+++ b/server/routers/auth/verifyTotp.ts
@@ -58,27 +58,36 @@ export async function verifyTotp(
        );
    }

-    const totpController = new TOTPController();
-    const valid = await totpController.verify(
-        code,
-        decodeHex(user.twoFactorSecret),
-    );
+    try {
+        const totpController = new TOTPController();
+        const valid = await totpController.verify(
+            code,
+            decodeHex(user.twoFactorSecret),
+        );

-    if (valid) {
-        // if valid, enable two-factor authentication; the totp secret is no longer temporary
-        await db
-            .update(users)
-            .set({ twoFactorEnabled: true })
-            .where(eq(users.id, user.id));
+        if (valid) {
+            // if valid, enable two-factor authentication; the totp secret is no longer temporary
+            await db
+                .update(users)
+                .set({ twoFactorEnabled: true })
+                .where(eq(users.id, user.id));
+        }
+
+        return response<{ valid: boolean }>(res, {
+            data: { valid },
+            success: true,
+            error: false,
+            message: valid
+                ? "Code is valid. Two-factor is now enabled"
+                : "Code is invalid",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to verify two-factor authentication code",
+            ),
+        );
    }
-
-    return response<{ valid: boolean }>(res, {
-        data: { valid },
-        success: true,
-        error: false,
-        message: valid
-            ? "Code is valid. Two-factor is now enabled"
-            : "Code is invalid",
-        status: HttpCode.OK,
-    });
 }