import { Injectable, UnauthorizedException, ConflictException, Logger, Inject, BadRequestException, } from '@nestjs/common'; import { JwtService } from '@nestjs/jwt'; import { ConfigService } from '@nestjs/config'; import * as argon2 from 'argon2'; import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.repository'; import { User, UserRole } from '@domain/entities/user.entity'; import { OrganizationRepository, ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.repository'; import { Organization, OrganizationType } from '@domain/entities/organization.entity'; import { v4 as uuidv4 } from 'uuid'; import { DEFAULT_ORG_ID } from '@infrastructure/persistence/typeorm/seeds/test-organizations.seed'; import { RegisterOrganizationDto } from '../dto/auth-login.dto'; export interface JwtPayload { sub: string; // user ID email: string; role: string; organizationId: string; type: 'access' | 'refresh'; } @Injectable() export class AuthService { private readonly logger = new Logger(AuthService.name); constructor( @Inject(USER_REPOSITORY) private readonly userRepository: UserRepository, @Inject(ORGANIZATION_REPOSITORY) private readonly organizationRepository: OrganizationRepository, private readonly jwtService: JwtService, private readonly configService: ConfigService ) {} /** * Register a new user */ async register( email: string, password: string, firstName: string, lastName: string, organizationId?: string, organizationData?: RegisterOrganizationDto, invitationRole?: string ): Promise<{ accessToken: string; refreshToken: string; user: any }> { this.logger.log(`Registering new user: ${email}`); const existingUser = await this.userRepository.findByEmail(email); if (existingUser) { throw new ConflictException('User with this email already exists'); } const passwordHash = await argon2.hash(password, { type: argon2.argon2id, memoryCost: 65536, // 64 MB timeCost: 3, parallelism: 4, }); // Determine organization ID: // 1. If organizationId is provided (invited user), use it // 2. If organizationData is provided (new user), create a new organization // 3. Otherwise, use default organization const finalOrganizationId = await this.resolveOrganizationId(organizationId, organizationData); // Determine role: use invitation role if provided, otherwise default to USER const userRole = invitationRole ? (invitationRole as UserRole) : UserRole.USER; const user = User.create({ id: uuidv4(), organizationId: finalOrganizationId, email, passwordHash, firstName, lastName, role: userRole, }); const savedUser = await this.userRepository.save(user); const tokens = await this.generateTokens(savedUser); this.logger.log(`User registered successfully: ${email}`); return { ...tokens, user: { id: savedUser.id, email: savedUser.email, firstName: savedUser.firstName, lastName: savedUser.lastName, role: savedUser.role, organizationId: savedUser.organizationId, }, }; } /** * Login user with email and password */ async login( email: string, password: string ): Promise<{ accessToken: string; refreshToken: string; user: any }> { this.logger.log(`Login attempt for: ${email}`); const user = await this.userRepository.findByEmail(email); if (!user) { throw new UnauthorizedException('Invalid credentials'); } if (!user.isActive) { throw new UnauthorizedException('User account is inactive'); } const isPasswordValid = await argon2.verify(user.passwordHash, password); if (!isPasswordValid) { throw new UnauthorizedException('Invalid credentials'); } const tokens = await this.generateTokens(user); this.logger.log(`User logged in successfully: ${email}`); return { ...tokens, user: { id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role, organizationId: user.organizationId, }, }; } /** * Refresh access token using refresh token */ async refreshAccessToken( refreshToken: string ): Promise<{ accessToken: string; refreshToken: string }> { try { const payload = await this.jwtService.verifyAsync(refreshToken, { secret: this.configService.get('JWT_SECRET'), }); if (payload.type !== 'refresh') { throw new UnauthorizedException('Invalid token type'); } const user = await this.userRepository.findById(payload.sub); if (!user || !user.isActive) { throw new UnauthorizedException('User not found or inactive'); } const tokens = await this.generateTokens(user); this.logger.log(`Access token refreshed for user: ${user.email}`); return tokens; } catch (error: any) { this.logger.error(`Token refresh failed: ${error?.message || 'Unknown error'}`); throw new UnauthorizedException('Invalid or expired refresh token'); } } /** * Validate user from JWT payload */ async validateUser(payload: JwtPayload): Promise { const user = await this.userRepository.findById(payload.sub); if (!user || !user.isActive) { return null; } return user; } /** * Generate access and refresh tokens */ private async generateTokens(user: User): Promise<{ accessToken: string; refreshToken: string }> { const accessPayload: JwtPayload = { sub: user.id, email: user.email, role: user.role, organizationId: user.organizationId, type: 'access', }; const refreshPayload: JwtPayload = { sub: user.id, email: user.email, role: user.role, organizationId: user.organizationId, type: 'refresh', }; const [accessToken, refreshToken] = await Promise.all([ this.jwtService.signAsync(accessPayload, { expiresIn: this.configService.get('JWT_ACCESS_EXPIRATION', '15m'), }), this.jwtService.signAsync(refreshPayload, { expiresIn: this.configService.get('JWT_REFRESH_EXPIRATION', '7d'), }), ]); return { accessToken, refreshToken }; } /** * Resolve organization ID for registration * 1. If organizationId is provided (invited user), validate and use it * 2. If organizationData is provided (new user), create a new organization * 3. Otherwise, throw an error (both are required) */ private async resolveOrganizationId( organizationId?: string, organizationData?: RegisterOrganizationDto ): Promise { // Case 1: Invited user - organizationId is provided if (organizationId) { this.logger.log(`Using existing organization for invited user: ${organizationId}`); // Validate that the organization exists const organization = await this.organizationRepository.findById(organizationId); if (!organization) { throw new BadRequestException('Invalid organization ID - organization does not exist'); } if (!organization.isActive) { throw new BadRequestException('Organization is not active'); } return organizationId; } // Case 2: New user - create a new organization if (organizationData) { this.logger.log(`Creating new organization for user registration: ${organizationData.name}`); // Check if organization name already exists const existingOrg = await this.organizationRepository.findByName(organizationData.name); if (existingOrg) { throw new ConflictException('An organization with this name already exists'); } // Check if SCAC code already exists (for carriers) if (organizationData.scac) { const existingScac = await this.organizationRepository.findBySCAC(organizationData.scac); if (existingScac) { throw new ConflictException('An organization with this SCAC code already exists'); } } // Create new organization const newOrganization = Organization.create({ id: uuidv4(), name: organizationData.name, type: organizationData.type, scac: organizationData.scac, address: { street: organizationData.street, city: organizationData.city, state: organizationData.state, postalCode: organizationData.postalCode, country: organizationData.country, }, documents: [], isActive: true, }); const savedOrganization = await this.organizationRepository.save(newOrganization); this.logger.log(`New organization created: ${savedOrganization.id} - ${savedOrganization.name}`); return savedOrganization.id; } // Case 3: Neither provided - error throw new BadRequestException( 'Either organizationId (for invited users) or organization data (for new users) must be provided' ); } }