Phase 3.4: backend self-managed auth cutover

All backend auth now goes through our own token service — Firebase Auth dependency is fully removed from auth paths. FCM (firebase-admin messaging) is still used for push. Schema: - auth_sessions (multi-device refresh tokens, bcrypt-hashed) - otp_requests (Fazpass reference + rate-limit history) - customers.email + google_sub + apple_sub (social identity) - control_center_users.password_hash + failed_login_count + lockout_until - firebase_uid columns made nullable (drop in later cleanup migration) - 6 new app_config keys for OTP + CC lockout tuning Services: - password.service.js — bcrypt cost 12 + complexity (min 8, digit + upper + lower) - token.service.js — JWT HS256 access (1h) + opaque refresh (30d, bcrypt- hashed, rotated on use); session_id claim pre-wires future Valkey-based instant revocation; revokeSession + revokeAllSessionsForUser helpers - social-identity.service.js — Google via google-auth-library, Apple via jwks-rsa + jsonwebtoken - otp.service.js — Fazpass stub (generates locally, logs the code) clearly marked for replacement once real API docs arrive; rate-limit + resend cooldown + verify-attempts all configurable via app_config - auth.service.js — orchestrator: signInAnonymous, completeCustomer/Mitra- PhoneSignIn, signInWithGoogle, signInWithApple, signInCcUser, refresh, logout; reject-on-existing for identity conflicts - cc-user.service.js — email+password helpers + lockout counters Routes & middleware: - authenticate middleware now verifies our JWT and attaches request.auth = { userType, userId, sessionId } - WebSocket handshake verifies our JWT (no more Firebase lookup) - All existing routes updated to use request.auth.userId instead of request.firebaseUser.uid - New public routes: /api/shared/auth/anonymous /refresh /logout /api/client/auth/otp/request /otp/verify /google /apple /me /profile /api/mitra/auth/otp/request /otp/verify /me - New internal routes: /internal/auth/login /refresh /logout /me (httpOnly cookie refresh) /internal/control-center-users (accepts plain password, bcrypt-hashed) /internal/control-center-users/me/password (self-service change) /internal/control-center-users/:id/password (admin forced reset) - Deleted legacy customer.routes.js (anonymous + link handled by auth now) - app.internal.js: @fastify/cookie + CORS credentials for CC httpOnly cookie Config: - AUTH_JWT_SECRET + ACCESS_TOKEN_TTL_SECONDS + REFRESH_TOKEN_TTL_DAYS env - FAZPASS_* env vars (TBD until real API docs) - GOOGLE_OAUTH_CLIENT_IDS, APPLE_SERVICES_ID/TEAM_ID/KEY_ID/PRIVATE_KEY - ADMIN_EMAIL + ADMIN_PASSWORD for seed - CC_ORIGIN for internal-app CORS origin allowlist Dependencies: - Added: bcrypt, jsonwebtoken, jwks-rsa, google-auth-library, @fastify/cookie - Kept: firebase-admin (messaging only) Still outstanding: Fazpass API integration (stub in place), Apple Developer prereqs for end-to-end iOS testing, client_app/mitra_app/control_center auth flow rewrites. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 11:43:25 +08:00
parent 780cade3db
commit f860ab6c85
29 changed files with 1423 additions and 310 deletions
--- a/backend/src/routes/public/client.auth.routes.js
+++ b/backend/src/routes/public/client.auth.routes.js
@@ -1,25 +1,134 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getOrCreateCustomer, getCustomerByFirebaseUid, updateCustomerDisplayName } from '../../services/customer.service.js'
+import { getCustomerById, updateCustomerDisplayName } from '../../services/customer.service.js'
+import {
+  completeCustomerPhoneSignIn,
+  signInWithGoogle,
+  signInWithApple,
+} from '../../services/auth.service.js'
+import { requestOtp, verifyOtp } from '../../services/otp.service.js'
+import { UserType } from '../../constants.js'
+
+const extractDeviceInfo = (request) => ({
+  user_agent: request.headers['user-agent'] || null,
+  ip: request.ip || null,
+})
+
+const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
+  success: false,
+  error: { code: err.code || 'INTERNAL', message: err.message },
+})

 export const clientAuthRoutes = async (app) => {
-  app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
-    const { uid, phone_number, name } = request.firebaseUser
-    const customer = await getOrCreateCustomer({
-      firebase_uid: uid,
-      phone: phone_number || null,
-      display_name: name || null,
-    })
-    return reply.send({ success: true, data: customer })
+  // --- Phone OTP ---
+
+  app.post('/otp/request', async (request, reply) => {
+    const { phone, channel } = request.body || {}
+    try {
+      const result = await requestOtp({
+        phone,
+        userType: UserType.CUSTOMER,
+        ipAddress: request.ip,
+        channel,
+      })
+      return reply.send({ success: true, data: result })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
  })

-  app.patch('/profile', { preHandler: authenticate }, async (request, reply) => {
-    const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
+  app.post('/otp/verify', async (request, reply) => {
+    const { otp_request_id, code, anonymous_customer_id } = request.body || {}
+    try {
+      const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code })
+      if (user_type !== UserType.CUSTOMER) {
+        return reply.code(400).send({
+          success: false,
+          error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
+        })
+      }
+      const { tokens, profile } = await completeCustomerPhoneSignIn({
+        phone,
+        anonymousCustomerId: anonymous_customer_id || null,
+        deviceInfo: extractDeviceInfo(request),
+      })
+      return reply.send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  // --- Google ---
+
+  app.post('/google', async (request, reply) => {
+    const { id_token, anonymous_customer_id } = request.body || {}
+    if (!id_token) {
+      return reply.code(422).send({
+        success: false,
+        error: { code: 'VALIDATION_ERROR', message: 'id_token is required' },
+      })
+    }
+    try {
+      const { tokens, profile } = await signInWithGoogle({
+        idToken: id_token,
+        anonymousCustomerId: anonymous_customer_id || null,
+        deviceInfo: extractDeviceInfo(request),
+      })
+      return reply.send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  // --- Apple ---
+
+  app.post('/apple', async (request, reply) => {
+    const { id_token, anonymous_customer_id } = request.body || {}
+    if (!id_token) {
+      return reply.code(422).send({
+        success: false,
+        error: { code: 'VALIDATION_ERROR', message: 'id_token is required' },
+      })
+    }
+    try {
+      const { tokens, profile } = await signInWithApple({
+        idToken: id_token,
+        anonymousCustomerId: anonymous_customer_id || null,
+        deviceInfo: extractDeviceInfo(request),
+      })
+      return reply.send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  // --- Current user profile ---
+
+  app.get('/me', { preHandler: authenticate }, async (request, reply) => {
+    if (request.auth.userType !== UserType.CUSTOMER) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'FORBIDDEN', message: 'Customer account required' },
+      })
+    }
+    const customer = await getCustomerById(request.auth.userId)
    if (!customer) {
      return reply.code(404).send({
        success: false,
        error: { code: 'NOT_FOUND', message: 'Customer account not found' },
      })
    }
+    return reply.send({ success: true, data: customer })
+  })
+
+  // --- Update display name ---
+
+  app.patch('/profile', { preHandler: authenticate }, async (request, reply) => {
+    if (request.auth.userType !== UserType.CUSTOMER) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'FORBIDDEN', message: 'Customer account required' },
+      })
+    }
    const { display_name } = request.body || {}
    if (!display_name || typeof display_name !== 'string' || display_name.trim().length === 0) {
      return reply.code(422).send({
@@ -27,7 +136,7 @@ export const clientAuthRoutes = async (app) => {
        error: { code: 'VALIDATION_ERROR', message: 'display_name is required' },
      })
    }
-    const updated = await updateCustomerDisplayName(customer.id, display_name.trim())
+    const updated = await updateCustomerDisplayName(request.auth.userId, display_name.trim())
    return reply.send({ success: true, data: updated })
  })
 }
--- a/backend/src/routes/public/client.chat.routes.js
+++ b/backend/src/routes/public/client.chat.routes.js
@@ -1,13 +1,19 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getCustomerByFirebaseUid } from '../../services/customer.service.js'
+import { getCustomerById } from '../../services/customer.service.js'
 import { createPairingRequest, cancelPairingRequest } from '../../services/pairing.service.js'
 import { getActiveSessionByCustomer, getActiveSessionByCustomerWithUnread, endSession, getCustomerHistory } from '../../services/session.service.js'
 import { getPricingForCustomer, isValidTier, isCustomerEligibleForFreeTrial, getFreeTrial } from '../../services/pricing.service.js'
 import { requestExtension } from '../../services/extension.service.js'
-import { EndedBy, TopicSensitivity } from '../../constants.js'
+import { EndedBy, TopicSensitivity, UserType } from '../../constants.js'

 const resolveCustomer = async (request, reply) => {
-  const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
+  if (request.auth?.userType !== UserType.CUSTOMER) {
+    return reply.code(403).send({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'Customer account required' },
+    })
+  }
+  const customer = await getCustomerById(request.auth.userId)
  if (!customer) {
    return reply.code(404).send({
      success: false,
--- a/backend/src/routes/public/customer.routes.js
+++ b/backend/src/routes/public/customer.routes.js
@@ -1,32 +0,0 @@
-import { authenticate } from '../../plugins/auth.js'
-import { createAnonymousCustomer, linkCustomerAccount } from '../../services/customer.service.js'
-
-export const customerRoutes = async (app) => {
-  app.post('/anonymous', { preHandler: authenticate }, async (request, reply) => {
-    const { display_name } = request.body ?? {}
-    if (!display_name?.trim()) {
-      return reply.code(422).send({
-        success: false,
-        error: { code: 'DISPLAY_NAME_REQUIRED', message: 'Display name is required' },
-      })
-    }
-    const firebase_uid = request.firebaseUser.uid
-    const customer = await createAnonymousCustomer({ display_name: display_name.trim(), firebase_uid })
-    return reply.code(201).send({ success: true, data: customer })
-  })
-
-  app.post('/link', { preHandler: authenticate }, async (request, reply) => {
-    const { customer_id } = request.body ?? {}
-    const firebase_uid = request.firebaseUser.uid
-
-    if (!customer_id) {
-      return reply.code(422).send({
-        success: false,
-        error: { code: 'VALIDATION_ERROR', message: 'customer_id is required' },
-      })
-    }
-
-    const customer = await linkCustomerAccount({ customer_id, firebase_uid })
-    return reply.send({ success: true, data: customer })
-  })
-}
--- a/backend/src/routes/public/mitra.auth.routes.js
+++ b/backend/src/routes/public/mitra.auth.routes.js
@@ -1,44 +1,75 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getMitraByFirebaseUid, getMitraByPhone, setMitraFirebaseUid } from '../../services/mitra.service.js'
+import { getMitraById } from '../../services/mitra.service.js'
+import { completeMitraPhoneSignIn } from '../../services/auth.service.js'
+import { requestOtp, verifyOtp } from '../../services/otp.service.js'
+import { UserType } from '../../constants.js'
+
+const extractDeviceInfo = (request) => ({
+  user_agent: request.headers['user-agent'] || null,
+  ip: request.ip || null,
+})
+
+const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
+  success: false,
+  error: { code: err.code || 'INTERNAL', message: err.message },
+})

 export const mitraAuthRoutes = async (app) => {
-  app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
-    const { uid, phone_number } = request.firebaseUser
-
-    // First try lookup by firebase_uid (returning user)
-    let mitra = await getMitraByFirebaseUid(uid)
-
-    // First-time login: link firebase_uid to mitra record via phone number
-    if (!mitra && phone_number) {
-      mitra = await getMitraByPhone(phone_number)
-      if (mitra) {
-        await setMitraFirebaseUid(mitra.id, uid)
-      }
+  app.post('/otp/request', async (request, reply) => {
+    const { phone, channel } = request.body || {}
+    try {
+      const result = await requestOtp({
+        phone,
+        userType: UserType.MITRA,
+        ipAddress: request.ip,
+        channel,
+      })
+      return reply.send({ success: true, data: result })
+    } catch (err) {
+      return sendAuthError(reply, err)
    }
+  })

+  app.post('/otp/verify', async (request, reply) => {
+    const { otp_request_id, code } = request.body || {}
+    try {
+      const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code })
+      if (user_type !== UserType.MITRA) {
+        return reply.code(400).send({
+          success: false,
+          error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
+        })
+      }
+      const { tokens, profile } = await completeMitraPhoneSignIn({
+        phone,
+        deviceInfo: extractDeviceInfo(request),
+      })
+      if (!profile.is_active) {
+        return reply.code(403).send({
+          success: false,
+          error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
+        })
+      }
+      return reply.send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  app.get('/me', { preHandler: authenticate }, async (request, reply) => {
+    if (request.auth.userType !== UserType.MITRA) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'FORBIDDEN', message: 'Mitra account required' },
+      })
+    }
+    const mitra = await getMitraById(request.auth.userId)
    if (!mitra) {
      return reply.code(404).send({
        success: false,
-        error: { code: 'ACCOUNT_NOT_FOUND', message: 'Account not found. Contact your administrator.' },
+        error: { code: 'NOT_FOUND', message: 'Mitra account not found' },
      })
    }
-
-    if (!mitra.is_active) {
-      return reply.code(403).send({
-        success: false,
-        error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
-      })
-    }
-
-    return reply.send({
-      success: true,
-      data: {
-        id: mitra.id,
-        display_name: mitra.display_name,
-        phone: mitra.phone,
-        is_active: mitra.is_active,
-        created_at: mitra.created_at,
-      },
-    })
+    return reply.send({ success: true, data: mitra })
  })
 }
--- a/backend/src/routes/public/mitra.chat.routes.js
+++ b/backend/src/routes/public/mitra.chat.routes.js
@@ -1,12 +1,18 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
+import { getMitraById } from '../../services/mitra.service.js'
 import { acceptPairingRequest, declinePairingRequest, getSessionStatus, getPendingRequestsForMitra } from '../../services/pairing.service.js'
 import { getActiveSessionsByMitra, getActiveSessionsByMitraWithUnread, endSession, getMitraHistory } from '../../services/session.service.js'
 import { respondToExtension } from '../../services/extension.service.js'
-import { EndedBy } from '../../constants.js'
+import { EndedBy, UserType } from '../../constants.js'

 const resolveMitra = async (request, reply) => {
-  const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
+  if (request.auth?.userType !== UserType.MITRA) {
+    return reply.code(403).send({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'Mitra account required' },
+    })
+  }
+  const mitra = await getMitraById(request.auth.userId)
  if (!mitra) {
    return reply.code(404).send({
      success: false,
--- a/backend/src/routes/public/mitra.status.routes.js
+++ b/backend/src/routes/public/mitra.status.routes.js
@@ -1,11 +1,17 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
+import { getMitraById } from '../../services/mitra.service.js'
 import * as mitraStatusService from '../../services/mitra-status.service.js'
+import { UserType } from '../../constants.js'

 export const mitraStatusRoutes = async (app) => {
-  // Resolve mitra from Firebase token
  const resolveMitra = async (request, reply) => {
-    const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
+    if (request.auth?.userType !== UserType.MITRA) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'FORBIDDEN', message: 'Mitra account required' },
+      })
+    }
+    const mitra = await getMitraById(request.auth.userId)
    if (!mitra) {
      return reply.code(404).send({
        success: false,
--- a/backend/src/routes/public/shared.auth.routes.js
+++ b/backend/src/routes/public/shared.auth.routes.js
@@ -0,0 +1,54 @@
+import { authenticate } from '../../plugins/auth.js'
+import {
+  signInAnonymous,
+  refreshTokens,
+  logout,
+} from '../../services/auth.service.js'
+
+const extractDeviceInfo = (request) => ({
+  user_agent: request.headers['user-agent'] || null,
+  ip: request.ip || null,
+})
+
+const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
+  success: false,
+  error: { code: err.code || 'INTERNAL', message: err.message },
+})
+
+export const sharedAuthRoutes = async (app) => {
+  // Issue an anonymous customer session
+  app.post('/anonymous', async (request, reply) => {
+    try {
+      const { tokens, profile } = await signInAnonymous({ deviceInfo: extractDeviceInfo(request) })
+      return reply.code(201).send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  // Rotate refresh token
+  app.post('/refresh', async (request, reply) => {
+    const { refresh_token } = request.body || {}
+    if (!refresh_token) {
+      return reply.code(422).send({
+        success: false,
+        error: { code: 'VALIDATION_ERROR', message: 'refresh_token is required' },
+      })
+    }
+    try {
+      const { tokens, profile } = await refreshTokens({
+        refreshToken: refresh_token,
+        deviceInfo: extractDeviceInfo(request),
+      })
+      return reply.send({ success: true, data: { ...tokens, profile } })
+    } catch (err) {
+      return sendAuthError(reply, err)
+    }
+  })
+
+  // Logout — revoke current session
+  app.post('/logout', { preHandler: authenticate }, async (request, reply) => {
+    await logout({ sessionId: request.auth.sessionId })
+    return reply.send({ success: true })
+  })
+}
--- a/backend/src/routes/public/shared.chat.routes.js
+++ b/backend/src/routes/public/shared.chat.routes.js
@@ -1,6 +1,4 @@
 import { authenticate } from '../../plugins/auth.js'
-import { getCustomerByFirebaseUid } from '../../services/customer.service.js'
-import { getMitraByFirebaseUid } from '../../services/mitra.service.js'
 import { getMessages } from '../../services/chat.service.js'
 import { getSessionClosures } from '../../services/closure.service.js'
 import { registerDeviceToken } from '../../services/notification.service.js'
@@ -11,22 +9,14 @@ import { TopicSensitivity, UserType } from '../../constants.js'
 const sql = getDb()

 const resolveUser = async (request, reply) => {
-  const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
-  if (customer) {
-    request.userType = UserType.CUSTOMER
-    request.userId = customer.id
-    return
+  if (request.auth?.userType !== UserType.CUSTOMER && request.auth?.userType !== UserType.MITRA) {
+    return reply.code(403).send({
+      success: false,
+      error: { code: 'FORBIDDEN', message: 'Customer or mitra account required' },
+    })
  }
-  const mitra = await getMitraByFirebaseUid(request.firebaseUser.uid)
-  if (mitra) {
-    request.userType = UserType.MITRA
-    request.userId = mitra.id
-    return
-  }
-  return reply.code(404).send({
-    success: false,
-    error: { code: 'ACCOUNT_NOT_FOUND', message: 'Account not found' },
-  })
+  request.userType = request.auth.userType
+  request.userId = request.auth.userId
 }

 // Verify session belongs to the authenticated user