Phase 3.4: backend self-managed auth cutover
All backend auth now goes through our own token service — Firebase Auth
dependency is fully removed from auth paths. FCM (firebase-admin messaging)
is still used for push.
Schema:
- auth_sessions (multi-device refresh tokens, bcrypt-hashed)
- otp_requests (Fazpass reference + rate-limit history)
- customers.email + google_sub + apple_sub (social identity)
- control_center_users.password_hash + failed_login_count + lockout_until
- firebase_uid columns made nullable (drop in later cleanup migration)
- 6 new app_config keys for OTP + CC lockout tuning
Services:
- password.service.js — bcrypt cost 12 + complexity (min 8, digit + upper +
lower)
- token.service.js — JWT HS256 access (1h) + opaque refresh (30d, bcrypt-
hashed, rotated on use); session_id claim pre-wires future Valkey-based
instant revocation; revokeSession + revokeAllSessionsForUser helpers
- social-identity.service.js — Google via google-auth-library, Apple via
jwks-rsa + jsonwebtoken
- otp.service.js — Fazpass stub (generates locally, logs the code) clearly
marked for replacement once real API docs arrive; rate-limit + resend
cooldown + verify-attempts all configurable via app_config
- auth.service.js — orchestrator: signInAnonymous, completeCustomerPhoneSignIn,
completeMitraPhoneSignIn, signInWithGoogle, signInWithApple, signInCcUser,
refresh, logout; identity conflicts with an existing account are rejected (reject-on-existing)
- cc-user.service.js — email+password helpers + lockout counters
Routes & middleware:
- authenticate middleware now verifies our JWT and attaches
request.auth = { userType, userId, sessionId }
- WebSocket handshake verifies our JWT (no more Firebase lookup)
- All existing routes updated to use request.auth.userId instead of
request.firebaseUser.uid
- New public routes:
/api/shared/auth/anonymous /refresh /logout
/api/client/auth/otp/request /otp/verify /google /apple /me /profile
/api/mitra/auth/otp/request /otp/verify /me
- New internal routes:
/internal/auth/login /refresh /logout /me (httpOnly cookie refresh)
/internal/control-center-users (accepts plain password, bcrypt-hashed)
/internal/control-center-users/me/password (self-service change)
/internal/control-center-users/:id/password (admin forced reset)
- Deleted legacy customer.routes.js (anonymous + link handled by auth now)
- app.internal.js: @fastify/cookie + CORS credentials for CC httpOnly cookie
Config:
- AUTH_JWT_SECRET + ACCESS_TOKEN_TTL_SECONDS + REFRESH_TOKEN_TTL_DAYS env
- FAZPASS_* env vars (TBD until real API docs)
- GOOGLE_OAUTH_CLIENT_IDS, APPLE_SERVICES_ID/TEAM_ID/KEY_ID/PRIVATE_KEY
- ADMIN_EMAIL + ADMIN_PASSWORD for seed
- CC_ORIGIN for internal-app CORS origin allowlist
Dependencies:
- Added: bcrypt, jsonwebtoken, jwks-rsa, google-auth-library, @fastify/cookie
- Kept: firebase-admin (messaging only)
Still outstanding: Fazpass API integration (stub in place), Apple Developer
prereqs for end-to-end iOS testing, client_app/mitra_app/control_center auth
flow rewrites.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -1,17 +1,127 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import {
|
||||
signInCcUser,
|
||||
refreshTokens,
|
||||
logout,
|
||||
} from '../../services/auth.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
export const internalAuthRoutes = async (app) => {
|
||||
app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (!user) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Not a control center user' },
|
||||
})
|
||||
}
|
||||
// Attach to request for downstream permission checks
|
||||
request.ccUser = user
|
||||
return reply.send({ success: true, data: user })
|
||||
const REFRESH_COOKIE_NAME = 'cc_refresh_token'
|
||||
|
||||
const extractDeviceInfo = (request) => ({
|
||||
user_agent: request.headers['user-agent'] || null,
|
||||
ip: request.ip || null,
|
||||
})
|
||||
|
||||
const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
|
||||
success: false,
|
||||
error: { code: err.code || 'INTERNAL', message: err.message },
|
||||
})
|
||||
|
||||
const cookieOpts = () => ({
|
||||
httpOnly: true,
|
||||
secure: process.env.NODE_ENV === 'production',
|
||||
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
|
||||
path: '/',
|
||||
})
|
||||
|
||||
const setRefreshCookie = (reply, refreshToken, expiresAt) => {
|
||||
reply.setCookie(REFRESH_COOKIE_NAME, refreshToken, {
|
||||
...cookieOpts(),
|
||||
expires: new Date(expiresAt),
|
||||
})
|
||||
}
|
||||
|
||||
const clearRefreshCookie = (reply) => {
|
||||
reply.clearCookie(REFRESH_COOKIE_NAME, cookieOpts())
|
||||
}
|
||||
|
||||
export const internalAuthRoutes = async (app) => {
|
||||
app.post('/login', async (request, reply) => {
|
||||
const { email, password } = request.body || {}
|
||||
if (!email || !password) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'email and password are required' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
const { tokens, profile } = await signInCcUser({
|
||||
email,
|
||||
password,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
setRefreshCookie(reply, tokens.refresh_token, tokens.refresh_token_expires_at)
|
||||
return reply.send({
|
||||
success: true,
|
||||
data: {
|
||||
access_token: tokens.access_token,
|
||||
access_token_expires_in: tokens.access_token_expires_in,
|
||||
profile,
|
||||
},
|
||||
})
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
app.post('/refresh', async (request, reply) => {
|
||||
const refreshToken = request.cookies?.[REFRESH_COOKIE_NAME]
|
||||
if (!refreshToken) {
|
||||
return reply.code(401).send({
|
||||
success: false,
|
||||
error: { code: 'REFRESH_MISSING', message: 'Refresh token missing' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
const { tokens, profile } = await refreshTokens({
|
||||
refreshToken,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
setRefreshCookie(reply, tokens.refresh_token, tokens.refresh_token_expires_at)
|
||||
return reply.send({
|
||||
success: true,
|
||||
data: {
|
||||
access_token: tokens.access_token,
|
||||
access_token_expires_in: tokens.access_token_expires_in,
|
||||
profile,
|
||||
},
|
||||
})
|
||||
} catch (err) {
|
||||
clearRefreshCookie(reply)
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
app.post('/logout', { preHandler: authenticate }, async (request, reply) => {
|
||||
await logout({ sessionId: request.auth.sessionId })
|
||||
clearRefreshCookie(reply)
|
||||
return reply.send({ success: true })
|
||||
})
|
||||
|
||||
app.get('/me', { preHandler: authenticate }, async (request, reply) => {
|
||||
if (request.auth.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Control center account required' },
|
||||
})
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
error: { code: 'NOT_FOUND', message: 'Control center account not found' },
|
||||
})
|
||||
}
|
||||
return reply.send({
|
||||
success: true,
|
||||
data: {
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
display_name: user.display_name,
|
||||
role: user.role,
|
||||
},
|
||||
})
|
||||
})
|
||||
}
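Review bot: `sendAuthError` at the top of the hunk echoes `err.message` verbatim for every failure, including the unexpected ones that fall through to status 500, so driver, network or JSON errors thrown inside `signInCcUser` and `refreshTokens` reach the client body; only 4xx messages should be echoed, while 5xx should be logged server-side and answered with a generic message. The identical helper (and `extractDeviceInfo`) is copied into the client, mitra and shared auth route files later in this commit, so it is worth moving both into one shared module and fixing the leak once. The `/refresh` catch also clears the cookie on any error, including a 500, which forces a fresh login on a transient backend failure; clearing only for an authentication failure, `if ((err.statusCode || 500) === 401) clearRefreshCookie(reply)`, keeps the session through outages. The rewritten helper:
```javascript
const sendAuthError = (reply, err) => {
  const status = err.statusCode || 500
  // Unexpected failures are logged here and never echo err.message to the caller
  if (status >= 500) reply.log.error(err)
  return reply.code(status).send({
    success: false,
    error: {
      code: status >= 500 ? 'INTERNAL' : (err.code || 'INTERNAL'),
      message: status >= 500 ? 'Internal server error' : err.message,
    },
  })
}
```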
|
||||
|
||||
@@ -1,33 +1,54 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid, createCcUser, listCcUsers } from '../../services/cc-user.service.js'
|
||||
import {
|
||||
getCcUserById,
|
||||
createCcUserWithPassword,
|
||||
listCcUsers,
|
||||
updateCcUserPasswordHash,
|
||||
} from '../../services/cc-user.service.js'
|
||||
import {
|
||||
hashPassword,
|
||||
verifyPassword,
|
||||
validatePasswordComplexity,
|
||||
} from '../../services/password.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
const sendValidation = (reply, err) => reply.code(err.statusCode || 422).send({
|
||||
success: false,
|
||||
error: { code: err.code || 'VALIDATION_ERROR', message: err.message },
|
||||
})
|
||||
|
||||
export const ccUserRoutes = async (app) => {
|
||||
// Create CC user (with initial password)
|
||||
app.post('/', {
|
||||
preHandler: [authenticate, attachCcUser, requirePermission('control_center_users', 'create')],
|
||||
}, async (request, reply) => {
|
||||
const { email, display_name, role_id } = request.body ?? {}
|
||||
if (!email || !display_name || !role_id) {
|
||||
return reply.code(422).send({ success: false, error: { code: 'VALIDATION_ERROR', message: 'email, display_name, and role_id are required' } })
|
||||
const { email, display_name, role_id, password } = request.body ?? {}
|
||||
if (!email || !display_name || !role_id || !password) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'email, display_name, role_id, and password are required' },
|
||||
})
|
||||
}
|
||||
|
||||
// Create Firebase user with temporary password — admin will share credentials verbally
|
||||
const { initFirebase } = await import('../../plugins/firebase.js')
|
||||
const admin = (await import('firebase-admin')).default
|
||||
initFirebase()
|
||||
|
||||
const tempPassword = Math.random().toString(36).slice(-10) + 'A1!'
|
||||
const firebaseUser = await admin.auth().createUser({ email, password: tempPassword })
|
||||
|
||||
const user = await createCcUser({ firebase_uid: firebaseUser.uid, email, display_name, role_id })
|
||||
try {
|
||||
validatePasswordComplexity(password)
|
||||
} catch (err) {
|
||||
return sendValidation(reply, err)
|
||||
}
|
||||
const passwordHash = await hashPassword(password)
|
||||
const user = await createCcUserWithPassword({ email, display_name, role_id, password_hash: passwordHash })
|
||||
return reply.code(201).send({ success: true, data: user })
|
||||
})
|
||||
|
||||
// List CC users
|
||||
app.get('/', {
|
||||
preHandler: [authenticate, attachCcUser, requirePermission('control_center_users', 'read')],
|
||||
}, async (request, reply) => {
|
||||
@@ -35,4 +56,53 @@ export const ccUserRoutes = async (app) => {
|
||||
const result = await listCcUsers({ page: Number(page), limit: Number(limit) })
|
||||
return reply.send({ success: true, data: result })
|
||||
})
|
||||
|
||||
// Self-service password change
|
||||
app.patch('/me/password', {
|
||||
preHandler: [authenticate, attachCcUser],
|
||||
}, async (request, reply) => {
|
||||
const { current_password, new_password } = request.body || {}
|
||||
if (!current_password || !new_password) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'current_password and new_password are required' },
|
||||
})
|
||||
}
|
||||
const ok = await verifyPassword(current_password, request.ccUser.password_hash)
|
||||
if (!ok) {
|
||||
return reply.code(401).send({
|
||||
success: false,
|
||||
error: { code: 'INVALID_CREDENTIALS', message: 'Current password is incorrect' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
validatePasswordComplexity(new_password)
|
||||
} catch (err) {
|
||||
return sendValidation(reply, err)
|
||||
}
|
||||
const hash = await hashPassword(new_password)
|
||||
await updateCcUserPasswordHash(request.ccUser.id, hash)
|
||||
return reply.send({ success: true })
|
||||
})
|
||||
|
||||
// Admin-forced password reset
|
||||
app.patch('/:id/password', {
|
||||
preHandler: [authenticate, attachCcUser, requirePermission('control_center_users', 'update')],
|
||||
}, async (request, reply) => {
|
||||
const { new_password } = request.body || {}
|
||||
if (!new_password) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'new_password is required' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
validatePasswordComplexity(new_password)
|
||||
} catch (err) {
|
||||
return sendValidation(reply, err)
|
||||
}
|
||||
const hash = await hashPassword(new_password)
|
||||
await updateCcUserPasswordHash(request.params.id, hash)
|
||||
return reply.send({ success: true })
|
||||
})
|
||||
}
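Review bot: Neither `/me/password` nor `/:id/password` revokes the affected user's existing sessions after the hash is replaced — `updateCcUserPasswordHash` is the only side effect at both call sites — so a refresh token that was stolen before an admin-forced reset keeps working after it; the commit description says `token.service.js` exports `revokeAllSessionsForUser`, which should be called right after the update (for the self-service route, keeping `request.auth.sessionId` alive if the helper allows an exclusion). Separately, the read of `request.ccUser.password_hash` shows that `getCcUserById` returns the hash column; if `createCcUserWithPassword` and `listCcUsers` return the same shape, the `data: user` and `data: result` responses echo bcrypt hashes to the caller, so pick explicit fields the way the `/me` route in the internal auth file does. `/:id/password` also never checks that the id exists, so unless the update helper throws on zero affected rows it reports success for an unknown id. The `attachCcUser` pre-handler defined at the top of this file is repeated verbatim in the config, mitra-activity, mitras, roles and sessions route files in this commit; hoisting it next to `authenticate` in `plugins/auth.js` keeps the 403 semantics in one place.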
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
import {
|
||||
getAnonymityConfig, setAnonymityConfig,
|
||||
getMaxCustomersPerMitra, setMaxCustomersPerMitra,
|
||||
@@ -11,7 +12,10 @@ import {
|
||||
} from '../../services/config.service.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import { getMitraActivityLog, getMitraActivitySummary } from '../../services/mitra-activity.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (!user) return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Not a control center user' },
|
||||
})
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
|
||||
@@ -1,10 +1,14 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import { createMitra, listMitras, updateMitraStatus } from '../../services/mitra.service.js'
|
||||
import { getOnlineMitras, getOnlineLogs } from '../../services/mitra-status.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
@@ -1,9 +1,13 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import { listRoles } from '../../services/roles.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
@@ -1,11 +1,15 @@
|
||||
import { authenticate, requirePermission } from '../../plugins/auth.js'
|
||||
import { getCcUserByFirebaseUid } from '../../services/cc-user.service.js'
|
||||
import { getCcUserById } from '../../services/cc-user.service.js'
|
||||
import { listSessions, getSessionById, rerouteSession } from '../../services/session.service.js'
|
||||
import { getSessionSensitivityLog } from '../../services/sensitivity.service.js'
|
||||
import { getDashboardStats } from '../../services/dashboard.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const attachCcUser = async (request, reply) => {
|
||||
const user = await getCcUserByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CC_USER) {
|
||||
return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
}
|
||||
const user = await getCcUserById(request.auth.userId)
|
||||
if (!user) return reply.code(403).send({ success: false, error: { code: 'FORBIDDEN', message: 'Not a control center user' } })
|
||||
request.ccUser = user
|
||||
}
|
||||
|
||||
@@ -1,25 +1,134 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getOrCreateCustomer, getCustomerByFirebaseUid, updateCustomerDisplayName } from '../../services/customer.service.js'
|
||||
import { getCustomerById, updateCustomerDisplayName } from '../../services/customer.service.js'
|
||||
import {
|
||||
completeCustomerPhoneSignIn,
|
||||
signInWithGoogle,
|
||||
signInWithApple,
|
||||
} from '../../services/auth.service.js'
|
||||
import { requestOtp, verifyOtp } from '../../services/otp.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const extractDeviceInfo = (request) => ({
|
||||
user_agent: request.headers['user-agent'] || null,
|
||||
ip: request.ip || null,
|
||||
})
|
||||
|
||||
const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
|
||||
success: false,
|
||||
error: { code: err.code || 'INTERNAL', message: err.message },
|
||||
})
|
||||
|
||||
export const clientAuthRoutes = async (app) => {
|
||||
app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
|
||||
const { uid, phone_number, name } = request.firebaseUser
|
||||
const customer = await getOrCreateCustomer({
|
||||
firebase_uid: uid,
|
||||
phone: phone_number || null,
|
||||
display_name: name || null,
|
||||
})
|
||||
return reply.send({ success: true, data: customer })
|
||||
// --- Phone OTP ---
|
||||
|
||||
app.post('/otp/request', async (request, reply) => {
|
||||
const { phone, channel } = request.body || {}
|
||||
try {
|
||||
const result = await requestOtp({
|
||||
phone,
|
||||
userType: UserType.CUSTOMER,
|
||||
ipAddress: request.ip,
|
||||
channel,
|
||||
})
|
||||
return reply.send({ success: true, data: result })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
app.patch('/profile', { preHandler: authenticate }, async (request, reply) => {
|
||||
const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
|
||||
app.post('/otp/verify', async (request, reply) => {
|
||||
const { otp_request_id, code, anonymous_customer_id } = request.body || {}
|
||||
try {
|
||||
const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code })
|
||||
if (user_type !== UserType.CUSTOMER) {
|
||||
return reply.code(400).send({
|
||||
success: false,
|
||||
error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
|
||||
})
|
||||
}
|
||||
const { tokens, profile } = await completeCustomerPhoneSignIn({
|
||||
phone,
|
||||
anonymousCustomerId: anonymous_customer_id || null,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
return reply.send({ success: true, data: { ...tokens, profile } })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
// --- Google ---
|
||||
|
||||
app.post('/google', async (request, reply) => {
|
||||
const { id_token, anonymous_customer_id } = request.body || {}
|
||||
if (!id_token) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'id_token is required' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
const { tokens, profile } = await signInWithGoogle({
|
||||
idToken: id_token,
|
||||
anonymousCustomerId: anonymous_customer_id || null,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
return reply.send({ success: true, data: { ...tokens, profile } })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
// --- Apple ---
|
||||
|
||||
app.post('/apple', async (request, reply) => {
|
||||
const { id_token, anonymous_customer_id } = request.body || {}
|
||||
if (!id_token) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'id_token is required' },
|
||||
})
|
||||
}
|
||||
try {
|
||||
const { tokens, profile } = await signInWithApple({
|
||||
idToken: id_token,
|
||||
anonymousCustomerId: anonymous_customer_id || null,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
return reply.send({ success: true, data: { ...tokens, profile } })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
// --- Current user profile ---
|
||||
|
||||
app.get('/me', { preHandler: authenticate }, async (request, reply) => {
|
||||
if (request.auth.userType !== UserType.CUSTOMER) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Customer account required' },
|
||||
})
|
||||
}
|
||||
const customer = await getCustomerById(request.auth.userId)
|
||||
if (!customer) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
error: { code: 'NOT_FOUND', message: 'Customer account not found' },
|
||||
})
|
||||
}
|
||||
return reply.send({ success: true, data: customer })
|
||||
})
|
||||
|
||||
// --- Update display name ---
|
||||
|
||||
app.patch('/profile', { preHandler: authenticate }, async (request, reply) => {
|
||||
if (request.auth.userType !== UserType.CUSTOMER) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Customer account required' },
|
||||
})
|
||||
}
|
||||
const { display_name } = request.body || {}
|
||||
if (!display_name || typeof display_name !== 'string' || display_name.trim().length === 0) {
|
||||
return reply.code(422).send({
|
||||
@@ -27,7 +136,7 @@ export const clientAuthRoutes = async (app) => {
|
||||
error: { code: 'VALIDATION_ERROR', message: 'display_name is required' },
|
||||
})
|
||||
}
|
||||
const updated = await updateCustomerDisplayName(customer.id, display_name.trim())
|
||||
const updated = await updateCustomerDisplayName(request.auth.userId, display_name.trim())
|
||||
return reply.send({ success: true, data: updated })
|
||||
})
|
||||
}
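Review bot: In `/otp/verify`, `/google` and `/apple` the `anonymous_customer_id` is read straight from the body of an unauthenticated request and passed to the sign-in services, so unless those services verify ownership, a caller who completes a sign-in can name any anonymous customer id and have that record merged into the resulting account. The anonymous user already holds an access token from `signInAnonymous`, so the safer contract is to derive the id from a verified token — an optional-auth pre-handler that populates `request.auth`, then use `request.auth.userId` when the token's user type is the anonymous one — and ignore the body field. `/otp/request` also forwards `phone` and `channel` without the presence check that `/google` applies to `id_token`; returning 422 for a missing `phone` before calling `requestOtp` keeps validation consistent across the file and avoids spending a rate-limit slot on an empty request.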
|
||||
|
||||
@@ -1,13 +1,19 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getCustomerByFirebaseUid } from '../../services/customer.service.js'
|
||||
import { getCustomerById } from '../../services/customer.service.js'
|
||||
import { createPairingRequest, cancelPairingRequest } from '../../services/pairing.service.js'
|
||||
import { getActiveSessionByCustomer, getActiveSessionByCustomerWithUnread, endSession, getCustomerHistory } from '../../services/session.service.js'
|
||||
import { getPricingForCustomer, isValidTier, isCustomerEligibleForFreeTrial, getFreeTrial } from '../../services/pricing.service.js'
|
||||
import { requestExtension } from '../../services/extension.service.js'
|
||||
import { EndedBy, TopicSensitivity } from '../../constants.js'
|
||||
import { EndedBy, TopicSensitivity, UserType } from '../../constants.js'
|
||||
|
||||
const resolveCustomer = async (request, reply) => {
|
||||
const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.CUSTOMER) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Customer account required' },
|
||||
})
|
||||
}
|
||||
const customer = await getCustomerById(request.auth.userId)
|
||||
if (!customer) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
|
||||
@@ -1,32 +0,0 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { createAnonymousCustomer, linkCustomerAccount } from '../../services/customer.service.js'
|
||||
|
||||
export const customerRoutes = async (app) => {
|
||||
app.post('/anonymous', { preHandler: authenticate }, async (request, reply) => {
|
||||
const { display_name } = request.body ?? {}
|
||||
if (!display_name?.trim()) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'DISPLAY_NAME_REQUIRED', message: 'Display name is required' },
|
||||
})
|
||||
}
|
||||
const firebase_uid = request.firebaseUser.uid
|
||||
const customer = await createAnonymousCustomer({ display_name: display_name.trim(), firebase_uid })
|
||||
return reply.code(201).send({ success: true, data: customer })
|
||||
})
|
||||
|
||||
app.post('/link', { preHandler: authenticate }, async (request, reply) => {
|
||||
const { customer_id } = request.body ?? {}
|
||||
const firebase_uid = request.firebaseUser.uid
|
||||
|
||||
if (!customer_id) {
|
||||
return reply.code(422).send({
|
||||
success: false,
|
||||
error: { code: 'VALIDATION_ERROR', message: 'customer_id is required' },
|
||||
})
|
||||
}
|
||||
|
||||
const customer = await linkCustomerAccount({ customer_id, firebase_uid })
|
||||
return reply.send({ success: true, data: customer })
|
||||
})
|
||||
}
|
||||
@@ -1,44 +1,75 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getMitraByFirebaseUid, getMitraByPhone, setMitraFirebaseUid } from '../../services/mitra.service.js'
|
||||
import { getMitraById } from '../../services/mitra.service.js'
|
||||
import { completeMitraPhoneSignIn } from '../../services/auth.service.js'
|
||||
import { requestOtp, verifyOtp } from '../../services/otp.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
const extractDeviceInfo = (request) => ({
|
||||
user_agent: request.headers['user-agent'] || null,
|
||||
ip: request.ip || null,
|
||||
})
|
||||
|
||||
const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
|
||||
success: false,
|
||||
error: { code: err.code || 'INTERNAL', message: err.message },
|
||||
})
|
||||
|
||||
export const mitraAuthRoutes = async (app) => {
|
||||
app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
|
||||
const { uid, phone_number } = request.firebaseUser
|
||||
|
||||
// First try lookup by firebase_uid (returning user)
|
||||
let mitra = await getMitraByFirebaseUid(uid)
|
||||
|
||||
// First-time login: link firebase_uid to mitra record via phone number
|
||||
if (!mitra && phone_number) {
|
||||
mitra = await getMitraByPhone(phone_number)
|
||||
if (mitra) {
|
||||
await setMitraFirebaseUid(mitra.id, uid)
|
||||
}
|
||||
app.post('/otp/request', async (request, reply) => {
|
||||
const { phone, channel } = request.body || {}
|
||||
try {
|
||||
const result = await requestOtp({
|
||||
phone,
|
||||
userType: UserType.MITRA,
|
||||
ipAddress: request.ip,
|
||||
channel,
|
||||
})
|
||||
return reply.send({ success: true, data: result })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
app.post('/otp/verify', async (request, reply) => {
|
||||
const { otp_request_id, code } = request.body || {}
|
||||
try {
|
||||
const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code })
|
||||
if (user_type !== UserType.MITRA) {
|
||||
return reply.code(400).send({
|
||||
success: false,
|
||||
error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
|
||||
})
|
||||
}
|
||||
const { tokens, profile } = await completeMitraPhoneSignIn({
|
||||
phone,
|
||||
deviceInfo: extractDeviceInfo(request),
|
||||
})
|
||||
if (!profile.is_active) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
|
||||
})
|
||||
}
|
||||
return reply.send({ success: true, data: { ...tokens, profile } })
|
||||
} catch (err) {
|
||||
return sendAuthError(reply, err)
|
||||
}
|
||||
})
|
||||
|
||||
app.get('/me', { preHandler: authenticate }, async (request, reply) => {
|
||||
if (request.auth.userType !== UserType.MITRA) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Mitra account required' },
|
||||
})
|
||||
}
|
||||
const mitra = await getMitraById(request.auth.userId)
|
||||
if (!mitra) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
error: { code: 'ACCOUNT_NOT_FOUND', message: 'Account not found. Contact your administrator.' },
|
||||
error: { code: 'NOT_FOUND', message: 'Mitra account not found' },
|
||||
})
|
||||
}
|
||||
|
||||
if (!mitra.is_active) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
|
||||
})
|
||||
}
|
||||
|
||||
return reply.send({
|
||||
success: true,
|
||||
data: {
|
||||
id: mitra.id,
|
||||
display_name: mitra.display_name,
|
||||
phone: mitra.phone,
|
||||
is_active: mitra.is_active,
|
||||
created_at: mitra.created_at,
|
||||
},
|
||||
})
|
||||
return reply.send({ success: true, data: mitra })
|
||||
})
|
||||
}
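Review bot: In `/otp/verify`, `completeMitraPhoneSignIn` runs before the `profile.is_active` check, so an inactive mitra is answered with 403 only after a session and refresh token have already been persisted for it; move the active check ahead of token issuance (or have the service refuse inactive accounts) so a 403 never leaves a usable session behind, and if the service exposes the new session id, revoking it in that branch is the minimal fix inside this file. The `/me` handler also appears to move from the explicit `id/display_name/phone/is_active/created_at` field list to `data: mitra`; if `getMitraById` returns the full row, confirm that internal columns such as the nullable `firebase_uid` do not reach the client. The old `ACCOUNT_INACTIVE` response on `/me` seems to be dropped as well, which is fine only if `authenticate` or the service already rejects inactive accounts.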
|
||||
|
||||
@@ -1,12 +1,18 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
|
||||
import { getMitraById } from '../../services/mitra.service.js'
|
||||
import { acceptPairingRequest, declinePairingRequest, getSessionStatus, getPendingRequestsForMitra } from '../../services/pairing.service.js'
|
||||
import { getActiveSessionsByMitra, getActiveSessionsByMitraWithUnread, endSession, getMitraHistory } from '../../services/session.service.js'
|
||||
import { respondToExtension } from '../../services/extension.service.js'
|
||||
import { EndedBy } from '../../constants.js'
|
||||
import { EndedBy, UserType } from '../../constants.js'
|
||||
|
||||
const resolveMitra = async (request, reply) => {
|
||||
const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.MITRA) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Mitra account required' },
|
||||
})
|
||||
}
|
||||
const mitra = await getMitraById(request.auth.userId)
|
||||
if (!mitra) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
|
||||
@@ -1,11 +1,17 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
|
||||
import { getMitraById } from '../../services/mitra.service.js'
|
||||
import * as mitraStatusService from '../../services/mitra-status.service.js'
|
||||
import { UserType } from '../../constants.js'
|
||||
|
||||
export const mitraStatusRoutes = async (app) => {
|
||||
// Resolve mitra from Firebase token
|
||||
const resolveMitra = async (request, reply) => {
|
||||
const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
|
||||
if (request.auth?.userType !== UserType.MITRA) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Mitra account required' },
|
||||
})
|
||||
}
|
||||
const mitra = await getMitraById(request.auth.userId)
|
||||
if (!mitra) {
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
|
||||
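--- /dev/null
+++ b/backend/src/routes/public/shared.auth.routes.js
@@ -0,0 +1,54 @@
+import { authenticate } from '../../plugins/auth.js'
+import {
+signInAnonymous,
+refreshTokens,
+logout,
+} from '../../services/auth.service.js'
+
+const extractDeviceInfo = (request) => ({
+user_agent: request.headers['user-agent'] || null,
+ip: request.ip || null,
+})
+
+const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
+success: false,
+error: { code: err.code || 'INTERNAL', message: err.message },
+})
+
+export const sharedAuthRoutes = async (app) => {
+// Issue an anonymous customer session
+app.post('/anonymous', async (request, reply) => {
+try {
+const { tokens, profile } = await signInAnonymous({ deviceInfo: extractDeviceInfo(request) })
+return reply.code(201).send({ success: true, data: { ...tokens, profile } })
+} catch (err) {
+return sendAuthError(reply, err)
+}
+})
+
+// Rotate refresh token
+app.post('/refresh', async (request, reply) => {
+const { refresh_token } = request.body || {}
+if (!refresh_token) {
+return reply.code(422).send({
+success: false,
+error: { code: 'VALIDATION_ERROR', message: 'refresh_token is required' },
+})
+}
+try {
+const { tokens, profile } = await refreshTokens({
+refreshToken: refresh_token,
+deviceInfo: extractDeviceInfo(request),
+})
+return reply.send({ success: true, data: { ...tokens, profile } })
+} catch (err) {
+return sendAuthError(reply, err)
+}
+})
+
+// Logout — revoke current session
+app.post('/logout', { preHandler: authenticate }, async (request, reply) => {
+await logout({ sessionId: request.auth.sessionId })
+return reply.send({ success: true })
+})
+}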
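Review bot: `sendAuthError` forwards `err.message` to the client for every error, including ones with no `statusCode` that fall through to 500, so an unexpected failure inside `signInAnonymous` or `refreshTokens` (database, hashing) has its internal message written into the response body of an unauthenticated endpoint. Only errors the service deliberately tagged with a `statusCode` should have their message echoed; the rest should be logged and answered with a fixed message, as in the rewrite below. `/refresh` also lets any truthy `refresh_token` through to the token service, so a non-string body value is only caught deep inside; `if (typeof refresh_token !== 'string' || refresh_token.length === 0) {` keeps the existing 422 for the missing case and covers the malformed one. Whether `request.ip` reflects the real client behind a proxy depends on the app's trustProxy setting, which is not visible here.
```javascript
const sendAuthError = (reply, err) => {
  // Only errors the auth service deliberately tagged with a 4xx statusCode
  // are safe to echo; anything else is an internal failure and must not
  // leak its message to the client.
  const expected = Number.isInteger(err.statusCode) && err.statusCode < 500
  if (!expected) reply.log.error(err)
  return reply.code(expected ? err.statusCode : 500).send({
    success: false,
    error: {
      code: expected ? (err.code || 'INTERNAL') : 'INTERNAL',
      message: expected ? err.message : 'Internal server error',
    },
  })
}
// … unchanged: extractDeviceInfo, sharedAuthRoutes …
```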
@@ -1,6 +1,4 @@
|
||||
import { authenticate } from '../../plugins/auth.js'
|
||||
import { getCustomerByFirebaseUid } from '../../services/customer.service.js'
|
||||
import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
|
||||
import { getMessages } from '../../services/chat.service.js'
|
||||
import { getSessionClosures } from '../../services/closure.service.js'
|
||||
import { registerDeviceToken } from '../../services/notification.service.js'
|
||||
@@ -11,22 +9,14 @@ import { TopicSensitivity, UserType } from '../../constants.js'
|
||||
const sql = getDb()
|
||||
|
||||
const resolveUser = async (request, reply) => {
|
||||
const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
|
||||
if (customer) {
|
||||
request.userType = UserType.CUSTOMER
|
||||
request.userId = customer.id
|
||||
return
|
||||
if (request.auth?.userType !== UserType.CUSTOMER && request.auth?.userType !== UserType.MITRA) {
|
||||
return reply.code(403).send({
|
||||
success: false,
|
||||
error: { code: 'FORBIDDEN', message: 'Customer or mitra account required' },
|
||||
})
|
||||
}
|
||||
const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
|
||||
if (mitra) {
|
||||
request.userType = UserType.MITRA
|
||||
request.userId = mitra.id
|
||||
return
|
||||
}
|
||||
return reply.code(404).send({
|
||||
success: false,
|
||||
error: { code: 'ACCOUNT_NOT_FOUND', message: 'Account not found' },
|
||||
})
|
||||
request.userType = request.auth.userType
|
||||
request.userId = request.auth.userId
|
||||
}
|
||||
|
||||
// Verify session belongs to the authenticated user
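Review bot: `resolveUser` no longer looks the account up, so the existence check the removed `getCustomerByFirebaseUid`/`getMitraByFirebaseUid` path performed is gone from the shared routes, while `resolveMitra` in the mitra route hunks still calls `getMitraById` and rejects a missing account with 404. Until the session_id-based revocation the commit message describes as future work exists, a deleted or deactivated account keeps access to every route behind `resolveUser` for the remaining lifetime of its access token, which is a different guarantee from the mitra-only routes. Either mirror `resolveMitra` with a `getCustomerById`/`getMitraById` lookup here, or record the decision in place with a comment such as `// NOTE: no account lookup here — existence/status checks are deferred until session revocation lands`, so the inconsistency is deliberate rather than accidental. The `@@ -1,6 +1,4 @@` hunk above only drops the now-unused imports.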