rama/halobestie-clone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48a1f8eb657dc710ca77c0f25b4852933d755da7
halobestie-clone/backend/src/services/auth.service.js
ramadhan sjamsani a48f108fc0 Phase 4 §2.1: anonymous → existing-user merge breadcrumb 
Adds `customers.account_belongs_to UUID NULL` and refactors customer
sign-in (phone/Google/Apple) so an anon row that re-verifies into an
existing customer no longer 409s. Instead the anon row stays intact
with a breadcrumb pointing at the real customer; tokens are issued
for the existing user. Actual data reconciliation onto the existing
row (chat_sessions, customer_transactions, payment_sessions,
pairing_failures) is deferred.

Backend
- migrate.js: ADD COLUMN account_belongs_to UUID REFERENCES customers(id)
  ON DELETE SET NULL.
- customer.service.js: stampAccountBelongsTo helper; account_belongs_to
  exposed in CUSTOMER_SELECT.
- auth.service.js: new shared resolveCustomerForIdentity (4-case logic);
  normalizeIdentityConflict + IDENTITY_ALREADY_LINKED 409 deleted;
  completeCustomerPhoneSignIn / signInWithGoogle / signInWithApple all
  route through the shared helper.
- client.auth.routes.js: new resolveAnonymousCustomerId picks the anon
  prefix ONLY from a verified Bearer JWT — closes the UUID-leak attack
  where a tamper-able body field could mis-route someone else's
  transactions. /otp/verify, /google, /apple all use it; the body field
  `anonymous_customer_id` is no longer accepted on any of them.
- test/services/auth.service.test.js: 9 Vitest cases covering phone +
  Google + Apple, all 4 logic cases + multi-merge accumulation.

Customer app
- auth_notifier.dart::verifyOtp: drop `skipAuth: true` and the dead
  body field so ApiClient auto-attaches the anon's Bearer from
  AuthBridge. Survives the AuthOtpSentData state transition (the
  earlier `_currentAnonymousCustomerId()` state-drop bug is bypassed by
  sourcing the id from the bridge instead of state).
- Google + Apple client paths remain unchanged (gated on provider
  creds; mirror this fix when wiring lands).

Docs
- flow_customer.mermaid.md: new §2.1 sub-section with the merge
  diagram, schema note, replaces-current-behaviour paragraph, and
  Bearer-only security callout.
- phase3.4-testing.md: §1.5 line 76 simplified (no more per-path
  split); new §1.5.1 with the 5-step operator scenario + DB invariants
  + curl recipe + Vitest pointer; new §1.5.2 covering Google/Apple
  parity (deferred client work flagged).

Verification (against live dev backend, before this commit):
- Vitest: 9/9 in auth.service.test.js; 49/51 overall (2 unrelated
  pre-existing failures in session-timer.service.test.js).
- Operator Node smoke: 14/14 in the §1.5.1 scenario; 11/11 in the
  Bearer-precedence cases.
- Real-device UI walkthrough on SM-A530F still pending — see resume
  memory `project_phase4_2_1_resume_test`.

Sister WIP bundled in migrate.js + customer.service.js: `usp_seen`
column + `markCustomerUspSeen` helper (Phase 4 USP one-time gate, was
already uncommitted in the working tree).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 23:57:53 +08:00

227 lines
7.1 KiB
JavaScript
Raw Blame History

import crypto from 'node:crypto'
import {
getCustomerById,
getCustomerByPhone,
getCustomerByGoogleSub,
getCustomerByAppleSub,
createAnonymousCustomerV2,
createCustomerWithIdentity,
upgradeCustomerIdentity,
stampAccountBelongsTo,
} from './customer.service.js'
import {
getMitraByPhone,
getMitraById,
createMitra,
} from './mitra.service.js'
import {
getCcUserByEmail,
getCcUserById,
incrementCcUserFailedLogin,
resetCcUserFailedLogin,
} from './cc-user.service.js'
import { verifyGoogleIdToken, verifyAppleIdToken } from './social-identity.service.js'
import { verifyPassword } from './password.service.js'
import { issueTokens, refreshTokens as rotateRefresh, revokeSession } from './token.service.js'
import { getCcLoginLockoutConfig } from './config.service.js'
import { UserType } from '../constants.js'
const generateAnonymousDisplayName = () => {
const n = crypto.randomInt(1000, 10000)
return `Teman Anonim #${n}`
}
export class AuthError extends Error {
constructor(message, code, statusCode) {
super(message)
this.code = code
this.statusCode = statusCode
}
}
// Phase 4 §2.1 — shared identity-resolution path used by phone/Google/Apple
// sign-ins. Three branches:
//
// 1. existing identity row + anon prefix points at a different row
// → stamp `account_belongs_to` on the anon row and return the existing
// row. The anon row stays intact so its prior chat_sessions /
// customer_transactions FKs remain valid; reconciliation onto the
// existing customer is replayable later via the breadcrumb.
// 2. existing identity row (no anon, or anon id == existing.id)
// → return existing as-is.
// 3. no existing row + anon prefix
// → upgrade the anon row in place (set identity fields, preserve
// display_name etc. via COALESCE).
// 4. no existing row + no anon
// → create a fresh identified customer with display_name=null (client
// routes to the set-display-name screen).
//
// `identityFields` is the set of columns added by either upgrade or create
// (phone, google_sub+email, apple_sub+email). display_name=null is appended
// automatically for the create case.
const resolveCustomerForIdentity = async ({ existing, anonymousCustomerId, identityFields }) => {
if (existing) {
if (anonymousCustomerId && existing.id !== anonymousCustomerId) {
await stampAccountBelongsTo(anonymousCustomerId, existing.id)
}
return existing
}
if (anonymousCustomerId) {
return await upgradeCustomerIdentity(anonymousCustomerId, identityFields)
}
return await createCustomerWithIdentity({ ...identityFields, display_name: null })
}
// --- Anonymous ---
export const signInAnonymous = async ({ deviceInfo } = {}) => {
const customer = await createAnonymousCustomerV2({
display_name: generateAnonymousDisplayName(),
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
deviceInfo,
})
return { tokens, profile: customer }
}
// --- Phone OTP — Customer (Phase 4 §2.1 merge breadcrumb) ---
export const completeCustomerPhoneSignIn = async ({ phone, anonymousCustomerId, deviceInfo }) => {
const existing = await getCustomerByPhone(phone)
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { phone },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
deviceInfo,
})
return { tokens, profile: customer }
}
// --- Phone OTP — Mitra ---
export const completeMitraPhoneSignIn = async ({ phone, deviceInfo }) => {
let mitra = await getMitraByPhone(phone)
if (!mitra) {
mitra = await createMitra({ phone, display_name: phone })
}
const tokens = await issueTokens({
userType: UserType.MITRA,
userId: mitra.id,
deviceInfo,
})
return { tokens, profile: mitra }
}
// --- Google (customer only) — Phase 4 §2.1 merge breadcrumb ---
//
// We don't pull display_name from Google; the anon's display_name is
// preserved via upgradeCustomerIdentity's COALESCE.
export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
const google = await verifyGoogleIdToken(idToken)
const existing = await getCustomerByGoogleSub(google.sub)
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { google_sub: google.sub, email: google.email },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
deviceInfo,
})
return { tokens, profile: customer }
}
// --- Apple (customer only) — Phase 4 §2.1 merge breadcrumb ---
export const signInWithApple = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
const apple = await verifyAppleIdToken(idToken)
const existing = await getCustomerByAppleSub(apple.sub)
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { apple_sub: apple.sub, email: apple.email },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
deviceInfo,
})
return { tokens, profile: customer }
}
// --- Control center email/password ---
export const signInCcUser = async ({ email, password, deviceInfo }) => {
const user = await getCcUserByEmail(email)
// Constant-time response — same branch for "not found" vs "wrong password" OR lockout
if (!user) {
throw new AuthError('Invalid credentials', 'INVALID_CREDENTIALS', 401)
}
// Lockout check
if (user.lockout_until && new Date(user.lockout_until) > new Date()) {
throw new AuthError(
`Account locked until ${user.lockout_until}. Try again later.`,
'ACCOUNT_LOCKED', 423,
)
}
const ok = await verifyPassword(password, user.password_hash)
if (!ok) {
const { max_attempts, lockout_minutes } = await getCcLoginLockoutConfig()
await incrementCcUserFailedLogin(user.id, lockout_minutes, max_attempts)
throw new AuthError('Invalid credentials', 'INVALID_CREDENTIALS', 401)
}
await resetCcUserFailedLogin(user.id)
const tokens = await issueTokens({
userType: UserType.CC_USER,
userId: user.id,
deviceInfo,
})
return {
tokens,
profile: {
id: user.id,
email: user.email,
display_name: user.display_name,
role: user.role,
},
}
}
// --- Refresh ---
export const refreshTokens = async ({ refreshToken, deviceInfo }) => {
const result = await rotateRefresh({ refreshToken, deviceInfo })
let profile = null
if (result.user_type === UserType.CUSTOMER) {
profile = await getCustomerById(result.user_id)
} else if (result.user_type === UserType.MITRA) {
profile = await getMitraById(result.user_id)
} else if (result.user_type === UserType.CC_USER) {
const ccUser = await getCcUserById(result.user_id)
profile = ccUser ? {
id: ccUser.id,
email: ccUser.email,
display_name: ccUser.display_name,
role: ccUser.role,
} : null
}
return { tokens: result, profile }
}
// --- Logout ---
export const logout = async ({ sessionId }) => {
if (!sessionId) return
await revokeSession(sessionId)
}
Reference in New Issue View Git Blame Copy Permalink