letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
8cdee9931029767b683917e237fd7eb1172f7e77
pn-new-crm/src/lib/services/portal-auth.service.ts
Matt Ciaccio fc7595faf8 fix(audit-tier-2): error-surface hygiene — toastError + CodedError sweep 
Two mechanical sweeps closing the audit's HIGH §16 + MED §11 findings:

* 38 client components / 56 toast.error sites converted to
  toastError(err) so the new admin error inspector becomes usable from
  user-reported issues — every failed inline-edit, save, send, archive,
  upload, etc. now carries the request-id + error-code (Copy ID action).
* 26 service files / 62 bare-Error throws converted to CodedError or
  the existing AppError subclasses.  Adds new error codes:
  DOCUMENSO_UPSTREAM_ERROR (502), DOCUMENSO_AUTH_FAILURE (502),
  DOCUMENSO_TIMEOUT (504), OCR_UPSTREAM_ERROR (502),
  IMAP_UPSTREAM_ERROR (502), UMAMI_UPSTREAM_ERROR (502),
  UMAMI_NOT_CONFIGURED (409), and INSERT_RETURNING_EMPTY (500) for
  post-insert returning-empty guards.
* Five vitest assertions updated to match the new user-facing wording
  (client-merge "already been merged", expense/interest "couldn't find
  that …", documenso "signing service didn't respond").

Test status: 1168/1168 vitest, tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md HIGH §16 (auditor-H Issue 1)
+ MED §11 (auditor-G Issue 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 20:18:05 +02:00

301 lines
11 KiB
TypeScript
Raw Blame History

import { and, eq, gt, isNull } from 'drizzle-orm';
import { db } from '@/lib/db';
import { clients } from '@/lib/db/schema/clients';
import { ports } from '@/lib/db/schema/ports';
import { portalAuthTokens, portalUsers } from '@/lib/db/schema/portal';
import { systemSettings } from '@/lib/db/schema/system';
import { env } from '@/lib/env';
import { sendEmail } from '@/lib/email';
import { activationEmail, resetEmail } from '@/lib/email/templates/portal-auth';
import {
CodedError,
ConflictError,
NotFoundError,
UnauthorizedError,
ValidationError,
} from '@/lib/errors';
import { logger } from '@/lib/logger';
import { createPortalToken } from '@/lib/portal/auth';
import { hashPassword, hashToken, mintToken, verifyPassword } from '@/lib/portal/passwords';
const ACTIVATION_TOKEN_TTL_HOURS = 72;
const RESET_TOKEN_TTL_MINUTES = 30;
const MIN_PASSWORD_LENGTH = 9;
const PORTAL_ENABLED_KEY = 'client_portal_enabled';
/**
* Per-port toggle for the client portal feature. Default-on so existing
* deployments behave the way they did before this setting existed.
*/
export async function isPortalEnabledForPort(portId: string): Promise<boolean> {
const row = await db.query.systemSettings.findFirst({
where: and(eq(systemSettings.key, PORTAL_ENABLED_KEY), eq(systemSettings.portId, portId)),
});
if (!row) return true;
return row.value === true || row.value === 'true';
}
// ─── Admin-side: invite a client to the portal ───────────────────────────────
export async function createPortalUser(args: {
clientId: string;
portId: string;
email: string;
name?: string;
createdBy: string;
}): Promise<{ portalUserId: string }> {
const normalizedEmail = args.email.toLowerCase().trim();
const client = await db.query.clients.findFirst({
where: and(eq(clients.id, args.clientId), eq(clients.portId, args.portId)),
});
if (!client) throw new NotFoundError('Client');
if (!(await isPortalEnabledForPort(args.portId))) {
throw new ConflictError('Client portal is disabled for this port');
}
// Email uniqueness check is enforced at the DB level too, but we do a
// friendlier preflight so the admin sees a clear conflict error.
const existing = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
if (existing) {
throw new ConflictError(`A portal user already exists for ${normalizedEmail}`);
}
const [user] = await db
.insert(portalUsers)
.values({
portId: args.portId,
clientId: args.clientId,
email: normalizedEmail,
name: args.name ?? client.fullName,
createdBy: args.createdBy,
})
.returning({ id: portalUsers.id });
if (!user) {
throw new CodedError('INSERT_RETURNING_EMPTY', {
internalMessage: 'Failed to create portal user',
});
}
await issueActivationToken(user.id, normalizedEmail, args.portId);
return { portalUserId: user.id };
}
async function issueActivationToken(
portalUserId: string,
email: string,
portId: string,
): Promise<void> {
const { raw, hash } = mintToken();
const expiresAt = new Date(Date.now() + ACTIVATION_TOKEN_TTL_HOURS * 3600 * 1000);
await db.insert(portalAuthTokens).values({
portalUserId,
tokenHash: hash,
type: 'activation',
expiresAt,
});
const port = await db.query.ports.findFirst({ where: eq(ports.id, portId) });
const portName = port?.name ?? 'Port Nimara';
const link = `${env.APP_URL}/portal/activate?token=${encodeURIComponent(raw)}`;
const { subject, html, text } = activationEmail({
portName,
link,
ttlHours: ACTIVATION_TOKEN_TTL_HOURS,
});
try {
await sendEmail(email, subject, html, undefined, text);
} catch (err) {
logger.error({ err, email }, 'Failed to send portal activation email');
// Re-throw - the admin should know if their invite mail bounced.
throw err;
}
}
export async function resendActivation(portalUserId: string, portId: string): Promise<void> {
if (!(await isPortalEnabledForPort(portId))) {
throw new ConflictError('Client portal is disabled for this port');
}
const user = await db.query.portalUsers.findFirst({
where: and(eq(portalUsers.id, portalUserId), eq(portalUsers.portId, portId)),
});
if (!user) throw new NotFoundError('Portal user');
if (user.passwordHash) {
throw new ConflictError('Portal user has already activated their account');
}
await issueActivationToken(user.id, user.email, user.portId);
}
// ─── Activation: client sets their initial password ──────────────────────────
export async function activateAccount(rawToken: string, password: string): Promise<void> {
if (password.length < MIN_PASSWORD_LENGTH) {
throw new ValidationError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
}
const tokenRow = await consumeToken(rawToken, 'activation');
const portalUser = await db.query.portalUsers.findFirst({
where: eq(portalUsers.id, tokenRow.portalUserId),
});
if (!portalUser) throw new ValidationError('Invalid or expired token');
if (!(await isPortalEnabledForPort(portalUser.portId))) {
throw new ValidationError('Client portal is disabled for this port');
}
const passwordHash = await hashPassword(password);
await db
.update(portalUsers)
.set({ passwordHash, updatedAt: new Date() })
.where(eq(portalUsers.id, tokenRow.portalUserId));
}
// ─── Sign in (email + password) ──────────────────────────────────────────────
export async function signIn(args: {
email: string;
password: string;
}): Promise<{ token: string; clientId: string; portId: string; email: string }> {
const normalizedEmail = args.email.toLowerCase().trim();
// Always do the same amount of work regardless of whether the email
// exists, so timing doesn't leak account presence.
const user = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
// Dummy hash with the right shape - used to keep verifyPassword's compute
// cost identical when the user doesn't exist.
const dummyHash =
'0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000';
const ok = user?.passwordHash
? await verifyPassword(args.password, user.passwordHash)
: (await verifyPassword(args.password, dummyHash), false);
if (!user || !user.isActive || !user.passwordHash || !ok) {
throw new UnauthorizedError('Invalid email or password');
}
// Disabled-port check happens AFTER the credential check so that a wrong
// password on a disabled-port account still surfaces "invalid email or
// password" - we never leak which ports have the portal turned off.
if (!(await isPortalEnabledForPort(user.portId))) {
throw new UnauthorizedError('Invalid email or password');
}
const token = await createPortalToken({
clientId: user.clientId,
portId: user.portId,
email: user.email,
});
await db.update(portalUsers).set({ lastLoginAt: new Date() }).where(eq(portalUsers.id, user.id));
return { token, clientId: user.clientId, portId: user.portId, email: user.email };
}
// ─── Forgot password ─────────────────────────────────────────────────────────
export async function requestPasswordReset(email: string): Promise<void> {
const normalizedEmail = email.toLowerCase().trim();
const user = await db.query.portalUsers.findFirst({
where: eq(portalUsers.email, normalizedEmail),
});
if (!user || !user.isActive) {
// Silently no-op so unknown emails don't leak through timing or
// response shape. Caller surfaces "if the email matches an account…".
logger.debug({ email: normalizedEmail }, 'Password reset for unknown email');
return;
}
// Same silent no-op when the port has the portal disabled - keeps the
// disabled-state from leaking through the public reset endpoint.
if (!(await isPortalEnabledForPort(user.portId))) {
logger.debug({ portId: user.portId }, 'Password reset on disabled-portal port');
return;
}
const { raw, hash } = mintToken();
const expiresAt = new Date(Date.now() + RESET_TOKEN_TTL_MINUTES * 60 * 1000);
await db.insert(portalAuthTokens).values({
portalUserId: user.id,
tokenHash: hash,
type: 'reset',
expiresAt,
});
const port = await db.query.ports.findFirst({ where: eq(ports.id, user.portId) });
const portName = port?.name ?? 'Port Nimara';
const link = `${env.APP_URL}/portal/reset-password?token=${encodeURIComponent(raw)}`;
const { subject, html, text } = resetEmail({
portName,
link,
ttlMinutes: RESET_TOKEN_TTL_MINUTES,
});
try {
await sendEmail(user.email, subject, html, undefined, text);
} catch (err) {
logger.error({ err, email: user.email }, 'Failed to send password-reset email');
// Don't propagate - the public route returns 200 either way.
}
}
export async function resetPassword(rawToken: string, password: string): Promise<void> {
if (password.length < MIN_PASSWORD_LENGTH) {
throw new ValidationError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
}
const tokenRow = await consumeToken(rawToken, 'reset');
const portalUser = await db.query.portalUsers.findFirst({
where: eq(portalUsers.id, tokenRow.portalUserId),
});
if (!portalUser) throw new ValidationError('Invalid or expired token');
if (!(await isPortalEnabledForPort(portalUser.portId))) {
throw new ValidationError('Client portal is disabled for this port');
}
const passwordHash = await hashPassword(password);
await db
.update(portalUsers)
.set({ passwordHash, updatedAt: new Date() })
.where(eq(portalUsers.id, tokenRow.portalUserId));
}
// ─── Token consumption (shared between activation + reset) ───────────────────
async function consumeToken(
rawToken: string,
type: 'activation' | 'reset',
): Promise<{ portalUserId: string }> {
const tokenHash = hashToken(rawToken);
const now = new Date();
const row = await db.query.portalAuthTokens.findFirst({
where: and(
eq(portalAuthTokens.tokenHash, tokenHash),
eq(portalAuthTokens.type, type),
isNull(portalAuthTokens.usedAt),
gt(portalAuthTokens.expiresAt, now),
),
});
if (!row) {
throw new ValidationError('Invalid or expired token');
}
await db.update(portalAuthTokens).set({ usedAt: now }).where(eq(portalAuthTokens.id, row.id));
return { portalUserId: row.portalUserId };
}
// Activation + reset email templates live in src/lib/email/templates/portal-auth.ts
Reference in New Issue View Git Blame Copy Permalink