David/xpeditis2.0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a43558d47
xpeditis2.0/apps/backend/src/application/auth/auth.service.ts
David 2da0f0210d fix organisation
2025-11-30 18:58:12 +01:00

315 lines
9.3 KiB
TypeScript
Raw Blame History

import {
Injectable,
UnauthorizedException,
ConflictException,
Logger,
Inject,
BadRequestException,
} from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import * as argon2 from 'argon2';
import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.repository';
import { User, UserRole } from '@domain/entities/user.entity';
import { OrganizationRepository, ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.repository';
import { Organization, OrganizationType } from '@domain/entities/organization.entity';
import { v4 as uuidv4 } from 'uuid';
import { DEFAULT_ORG_ID } from '@infrastructure/persistence/typeorm/seeds/test-organizations.seed';
import { RegisterOrganizationDto } from '../dto/auth-login.dto';
export interface JwtPayload {
sub: string; // user ID
email: string;
role: string;
organizationId: string;
type: 'access' | 'refresh';
}
@Injectable()
export class AuthService {
private readonly logger = new Logger(AuthService.name);
constructor(
@Inject(USER_REPOSITORY)
private readonly userRepository: UserRepository,
@Inject(ORGANIZATION_REPOSITORY)
private readonly organizationRepository: OrganizationRepository,
private readonly jwtService: JwtService,
private readonly configService: ConfigService
) {}
/**
* Register a new user
*/
async register(
email: string,
password: string,
firstName: string,
lastName: string,
organizationId?: string,
organizationData?: RegisterOrganizationDto,
invitationRole?: string
): Promise<{ accessToken: string; refreshToken: string; user: any }> {
this.logger.log(`Registering new user: ${email}`);
const existingUser = await this.userRepository.findByEmail(email);
if (existingUser) {
throw new ConflictException('User with this email already exists');
}
const passwordHash = await argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536, // 64 MB
timeCost: 3,
parallelism: 4,
});
// Determine organization ID:
// 1. If organizationId is provided (invited user), use it
// 2. If organizationData is provided (new user), create a new organization
// 3. Otherwise, use default organization
const finalOrganizationId = await this.resolveOrganizationId(organizationId, organizationData);
// Determine role:
// - If invitation role is provided (invited user), use it
// - If organizationData is provided (new organization creator), make them MANAGER
// - Otherwise, default to USER
let userRole: UserRole;
if (invitationRole) {
userRole = invitationRole as UserRole;
} else if (organizationData) {
// User creating a new organization becomes MANAGER
userRole = UserRole.MANAGER;
} else {
// Default to USER for other cases
userRole = UserRole.USER;
}
const user = User.create({
id: uuidv4(),
organizationId: finalOrganizationId,
email,
passwordHash,
firstName,
lastName,
role: userRole,
});
const savedUser = await this.userRepository.save(user);
const tokens = await this.generateTokens(savedUser);
this.logger.log(`User registered successfully: ${email}`);
return {
...tokens,
user: {
id: savedUser.id,
email: savedUser.email,
firstName: savedUser.firstName,
lastName: savedUser.lastName,
role: savedUser.role,
organizationId: savedUser.organizationId,
},
};
}
/**
* Login user with email and password
*/
async login(
email: string,
password: string
): Promise<{ accessToken: string; refreshToken: string; user: any }> {
this.logger.log(`Login attempt for: ${email}`);
const user = await this.userRepository.findByEmail(email);
if (!user) {
throw new UnauthorizedException('Invalid credentials');
}
if (!user.isActive) {
throw new UnauthorizedException('User account is inactive');
}
const isPasswordValid = await argon2.verify(user.passwordHash, password);
if (!isPasswordValid) {
throw new UnauthorizedException('Invalid credentials');
}
const tokens = await this.generateTokens(user);
this.logger.log(`User logged in successfully: ${email}`);
return {
...tokens,
user: {
id: user.id,
email: user.email,
firstName: user.firstName,
lastName: user.lastName,
role: user.role,
organizationId: user.organizationId,
},
};
}
/**
* Refresh access token using refresh token
*/
async refreshAccessToken(
refreshToken: string
): Promise<{ accessToken: string; refreshToken: string }> {
try {
const payload = await this.jwtService.verifyAsync<JwtPayload>(refreshToken, {
secret: this.configService.get('JWT_SECRET'),
});
if (payload.type !== 'refresh') {
throw new UnauthorizedException('Invalid token type');
}
const user = await this.userRepository.findById(payload.sub);
if (!user || !user.isActive) {
throw new UnauthorizedException('User not found or inactive');
}
const tokens = await this.generateTokens(user);
this.logger.log(`Access token refreshed for user: ${user.email}`);
return tokens;
} catch (error: any) {
this.logger.error(`Token refresh failed: ${error?.message || 'Unknown error'}`);
throw new UnauthorizedException('Invalid or expired refresh token');
}
}
/**
* Validate user from JWT payload
*/
async validateUser(payload: JwtPayload): Promise<User | null> {
const user = await this.userRepository.findById(payload.sub);
if (!user || !user.isActive) {
return null;
}
return user;
}
/**
* Generate access and refresh tokens
*/
private async generateTokens(user: User): Promise<{ accessToken: string; refreshToken: string }> {
const accessPayload: JwtPayload = {
sub: user.id,
email: user.email,
role: user.role,
organizationId: user.organizationId,
type: 'access',
};
const refreshPayload: JwtPayload = {
sub: user.id,
email: user.email,
role: user.role,
organizationId: user.organizationId,
type: 'refresh',
};
const [accessToken, refreshToken] = await Promise.all([
this.jwtService.signAsync(accessPayload, {
expiresIn: this.configService.get('JWT_ACCESS_EXPIRATION', '15m'),
}),
this.jwtService.signAsync(refreshPayload, {
expiresIn: this.configService.get('JWT_REFRESH_EXPIRATION', '7d'),
}),
]);
return { accessToken, refreshToken };
}
/**
* Resolve organization ID for registration
* 1. If organizationId is provided (invited user), validate and use it
* 2. If organizationData is provided (new user), create a new organization
* 3. Otherwise, throw an error (both are required)
*/
private async resolveOrganizationId(
organizationId?: string,
organizationData?: RegisterOrganizationDto
): Promise<string> {
// Case 1: Invited user - organizationId is provided
if (organizationId) {
this.logger.log(`Using existing organization for invited user: ${organizationId}`);
// Validate that the organization exists
const organization = await this.organizationRepository.findById(organizationId);
if (!organization) {
throw new BadRequestException('Invalid organization ID - organization does not exist');
}
if (!organization.isActive) {
throw new BadRequestException('Organization is not active');
}
return organizationId;
}
// Case 2: New user - create a new organization
if (organizationData) {
this.logger.log(`Creating new organization for user registration: ${organizationData.name}`);
// Check if organization name already exists
const existingOrg = await this.organizationRepository.findByName(organizationData.name);
if (existingOrg) {
throw new ConflictException('An organization with this name already exists');
}
// Check if SCAC code already exists (for carriers)
if (organizationData.scac) {
const existingScac = await this.organizationRepository.findBySCAC(organizationData.scac);
if (existingScac) {
throw new ConflictException('An organization with this SCAC code already exists');
}
}
// Create new organization
const newOrganization = Organization.create({
id: uuidv4(),
name: organizationData.name,
type: organizationData.type,
scac: organizationData.scac,
address: {
street: organizationData.street,
city: organizationData.city,
state: organizationData.state,
postalCode: organizationData.postalCode,
country: organizationData.country,
},
documents: [],
isActive: true,
});
const savedOrganization = await this.organizationRepository.save(newOrganization);
this.logger.log(`New organization created: ${savedOrganization.id} - ${savedOrganization.name}`);
return savedOrganization.id;
}
// Case 3: Neither provided - error
throw new BadRequestException(
'Either organizationId (for invited users) or organization data (for new users) must be provided'
);
}
}
Reference in New Issue View Git Blame Copy Permalink