letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(portal): replace magic-link with email/password + admin-initiated activation
All checks were successful
Build & Push Docker Images / lint (pull_request) Successful in 1m0s
Details
Build & Push Docker Images / build-and-push (pull_request) Has been skipped
Details

Browse Source 
The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-04-26 15:34:02 +02:00
parent 4da8ed3ae4
commit 475b051e29
33 changed files with 10129 additions and 331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

286
src/lib/services/portal-auth.service.ts Normal file
View File

@@ -0,0 +1,286 @@
import { and, eq, gt, isNull } from 'drizzle-orm';
import { db } from '@/lib/db';
import { clients } from '@/lib/db/schema/clients';
import { ports } from '@/lib/db/schema/ports';
import { portalAuthTokens, portalUsers } from '@/lib/db/schema/portal';
import { env } from '@/lib/env';
import { sendEmail } from '@/lib/email';
import { ConflictError, NotFoundError, UnauthorizedError, ValidationError } from '@/lib/errors';
import { logger } from '@/lib/logger';
import { createPortalToken } from '@/lib/portal/auth';
import { hashPassword, hashToken, mintToken, verifyPassword } from '@/lib/portal/passwords';
const ACTIVATION_TOKEN_TTL_HOURS = 72;
const RESET_TOKEN_TTL_MINUTES = 30;
const MIN_PASSWORD_LENGTH = 12;
// ─── Admin-side: invite a client to the portal ───────────────────────────────
export async function createPortalUser(args: {
clientId: string;
portId: string;
email: string;
name?: string;
createdBy: string;
}): Promise<{ portalUserId: string }> {
const normalizedEmail = args.email.toLowerCase().trim();
const client = await db.query.clients.findFirst({
where: and(eq(clients.id, args.clientId), eq(clients.portId, args.portId)),
});
if (!client) throw new NotFoundError('Client');
// Email uniqueness check is enforced at the DB level too, but we do a
// friendlier preflight so the admin sees a clear conflict error.
const existing = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
if (existing) {
throw new ConflictError(`A portal user already exists for ${normalizedEmail}`);
}
const [user] = await db
.insert(portalUsers)
.values({
portId: args.portId,
clientId: args.clientId,
email: normalizedEmail,
name: args.name ?? client.fullName,
createdBy: args.createdBy,
})
.returning({ id: portalUsers.id });
if (!user) {
throw new Error('Failed to create portal user');
}
await issueActivationToken(user.id, normalizedEmail, args.portId);
return { portalUserId: user.id };
}
async function issueActivationToken(
portalUserId: string,
email: string,
portId: string,
): Promise<void> {
const { raw, hash } = mintToken();
const expiresAt = new Date(Date.now() + ACTIVATION_TOKEN_TTL_HOURS * 3600 * 1000);
await db.insert(portalAuthTokens).values({
portalUserId,
tokenHash: hash,
type: 'activation',
expiresAt,
});
const port = await db.query.ports.findFirst({ where: eq(ports.id, portId) });
const portName = port?.name ?? 'Port Nimara';
const link = `${env.APP_URL}/portal/activate?token=${encodeURIComponent(raw)}`;
const subject = `Activate your ${portName} client portal account`;
const html = activationEmailHtml({ portName, link, ttlHours: ACTIVATION_TOKEN_TTL_HOURS });
try {
await sendEmail(email, subject, html);
} catch (err) {
logger.error({ err, email }, 'Failed to send portal activation email');
// Re-throw — the admin should know if their invite mail bounced.
throw err;
}
}
export async function resendActivation(portalUserId: string, portId: string): Promise<void> {
const user = await db.query.portalUsers.findFirst({
where: and(eq(portalUsers.id, portalUserId), eq(portalUsers.portId, portId)),
});
if (!user) throw new NotFoundError('Portal user');
if (user.passwordHash) {
throw new ConflictError('Portal user has already activated their account');
}
await issueActivationToken(user.id, user.email, user.portId);
}
// ─── Activation: client sets their initial password ──────────────────────────
export async function activateAccount(rawToken: string, password: string): Promise<void> {
if (password.length < MIN_PASSWORD_LENGTH) {
throw new ValidationError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
}
const tokenRow = await consumeToken(rawToken, 'activation');
const passwordHash = await hashPassword(password);
await db
.update(portalUsers)
.set({ passwordHash, updatedAt: new Date() })
.where(eq(portalUsers.id, tokenRow.portalUserId));
}
// ─── Sign in (email + password) ──────────────────────────────────────────────
export async function signIn(args: {
email: string;
password: string;
}): Promise<{ token: string; clientId: string; portId: string; email: string }> {
const normalizedEmail = args.email.toLowerCase().trim();
// Always do the same amount of work regardless of whether the email
// exists, so timing doesn't leak account presence.
const user = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
// Dummy hash with the right shape — used to keep verifyPassword's compute
// cost identical when the user doesn't exist.
const dummyHash =
'0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
const ok = user?.passwordHash
? await verifyPassword(args.password, user.passwordHash)
: (await verifyPassword(args.password, dummyHash), false);
if (!user || !user.isActive || !user.passwordHash || !ok) {
throw new UnauthorizedError('Invalid email or password');
}
const token = await createPortalToken({
clientId: user.clientId,
portId: user.portId,
email: user.email,
});
await db.update(portalUsers).set({ lastLoginAt: new Date() }).where(eq(portalUsers.id, user.id));
return { token, clientId: user.clientId, portId: user.portId, email: user.email };
}
// ─── Forgot password ─────────────────────────────────────────────────────────
export async function requestPasswordReset(email: string): Promise<void> {
const normalizedEmail = email.toLowerCase().trim();
const user = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
if (!user || !user.isActive) {
// Silently no-op so unknown emails don't leak through timing or
// response shape. Caller surfaces "if the email matches an account…".
logger.debug({ email: normalizedEmail }, 'Password reset for unknown email');
return;
}
const { raw, hash } = mintToken();
const expiresAt = new Date(Date.now() + RESET_TOKEN_TTL_MINUTES * 60 * 1000);
await db.insert(portalAuthTokens).values({
portalUserId: user.id,
tokenHash: hash,
type: 'reset',
expiresAt,
});
const port = await db.query.ports.findFirst({ where: eq(ports.id, user.portId) });
const portName = port?.name ?? 'Port Nimara';
const link = `${env.APP_URL}/portal/reset-password?token=${encodeURIComponent(raw)}`;
try {
await sendEmail(
user.email,
`Reset your ${portName} client portal password`,
resetEmailHtml({ portName, link, ttlMinutes: RESET_TOKEN_TTL_MINUTES }),
);
} catch (err) {
logger.error({ err, email: user.email }, 'Failed to send password-reset email');
// Don't propagate — the public route returns 200 either way.
}
}
export async function resetPassword(rawToken: string, password: string): Promise<void> {
if (password.length < MIN_PASSWORD_LENGTH) {
throw new ValidationError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
}
const tokenRow = await consumeToken(rawToken, 'reset');
const passwordHash = await hashPassword(password);
await db
.update(portalUsers)
.set({ passwordHash, updatedAt: new Date() })
.where(eq(portalUsers.id, tokenRow.portalUserId));
}
// ─── Token consumption (shared between activation + reset) ───────────────────
async function consumeToken(
rawToken: string,
type: 'activation' | 'reset',
): Promise<{ portalUserId: string }> {
const tokenHash = hashToken(rawToken);
const now = new Date();
const row = await db.query.portalAuthTokens.findFirst({
where: and(
eq(portalAuthTokens.tokenHash, tokenHash),
eq(portalAuthTokens.type, type),
isNull(portalAuthTokens.usedAt),
gt(portalAuthTokens.expiresAt, now),
),
});
if (!row) {
throw new ValidationError('Invalid or expired token');
}
await db.update(portalAuthTokens).set({ usedAt: now }).where(eq(portalAuthTokens.id, row.id));
return { portalUserId: row.portalUserId };
}
// ─── Email templates ─────────────────────────────────────────────────────────
function activationEmailHtml(args: { portName: string; link: string; ttlHours: number }): string {
return `
<!DOCTYPE html>
<html><body style="font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#f5f5f5;padding:40px 0;margin:0;">
<div style="max-width:480px;margin:0 auto;background:#fff;border-radius:8px;overflow:hidden;box-shadow:0 2px 8px rgba(0,0,0,0.08);">
<div style="background:#1e2844;padding:32px 40px;text-align:center;">
<h1 style="color:#fff;margin:0;font-size:22px;font-weight:600;">${args.portName}</h1>
<p style="color:#9ca3af;margin:6px 0 0;font-size:14px;">Client Portal</p>
</div>
<div style="padding:40px;">
<p style="color:#374151;font-size:16px;margin:0 0 16px;">Welcome,</p>
<p style="color:#6b7280;font-size:15px;line-height:1.6;margin:0 0 32px;">
You've been invited to access the ${args.portName} client portal. Click the button below to set your password and activate your account. The link expires in ${args.ttlHours} hours.
</p>
<div style="text-align:center;margin:0 0 32px;">
<a href="${args.link}" style="display:inline-block;background:#1e2844;color:#fff;text-decoration:none;padding:14px 32px;border-radius:6px;font-size:15px;font-weight:500;">Activate account</a>
</div>
<p style="color:#9ca3af;font-size:13px;margin:0;line-height:1.5;">If the button doesn't work, paste this link into your browser:<br/><a href="${args.link}" style="color:#1e2844;word-break:break-all;">${args.link}</a></p>
</div>
</div>
</body></html>
`;
}
function resetEmailHtml(args: { portName: string; link: string; ttlMinutes: number }): string {
return `
<!DOCTYPE html>
<html><body style="font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#f5f5f5;padding:40px 0;margin:0;">
<div style="max-width:480px;margin:0 auto;background:#fff;border-radius:8px;overflow:hidden;box-shadow:0 2px 8px rgba(0,0,0,0.08);">
<div style="background:#1e2844;padding:32px 40px;text-align:center;">
<h1 style="color:#fff;margin:0;font-size:22px;font-weight:600;">${args.portName}</h1>
<p style="color:#9ca3af;margin:6px 0 0;font-size:14px;">Password reset</p>
</div>
<div style="padding:40px;">
<p style="color:#374151;font-size:16px;margin:0 0 16px;">Hello,</p>
<p style="color:#6b7280;font-size:15px;line-height:1.6;margin:0 0 32px;">
We received a request to reset your client portal password. Click the button below to choose a new one. The link expires in ${args.ttlMinutes} minutes. If you didn't request this, you can ignore this email.
</p>
<div style="text-align:center;margin:0 0 32px;">
<a href="${args.link}" style="display:inline-block;background:#1e2844;color:#fff;text-decoration:none;padding:14px 32px;border-radius:6px;font-size:15px;font-weight:500;">Reset password</a>
</div>
<p style="color:#9ca3af;font-size:13px;margin:0;line-height:1.5;">If the button doesn't work, paste this link into your browser:<br/><a href="${args.link}" style="color:#1e2844;word-break:break-all;">${args.link}</a></p>
</div>
</div>
</body></html>
`;
}