import type { FastifyPluginAsync } from 'fastify' import { eq } from 'drizzle-orm' import bcrypt from 'bcrypt' import { RegisterSchema, LoginSchema } from '@forte/shared/schemas' import { users } from '../../db/schema/users.js' import { companies } from '../../db/schema/stores.js' const SALT_ROUNDS = 10 export const authRoutes: FastifyPluginAsync = async (app) => { // Rate limit auth routes — 10 attempts per 15 minutes per IP const rateLimitConfig = { config: { rateLimit: { max: 10, timeWindow: '15 minutes', }, }, } app.post('/auth/register', rateLimitConfig, async (request, reply) => { const parsed = RegisterSchema.safeParse(request.body) if (!parsed.success) { return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 }, }) } const { email, password, firstName, lastName, role } = parsed.data const companyId = request.companyId // Validate that the company exists if (!companyId) { return reply.status(400).send({ error: { message: 'Company ID is required (x-company-id header)', statusCode: 400 }, }) } const [company] = await app.db .select({ id: companies.id }) .from(companies) .where(eq(companies.id, companyId)) .limit(1) if (!company) { return reply.status(400).send({ error: { message: 'Invalid company', statusCode: 400 }, }) } // Email is globally unique across all companies const existing = await app.db .select({ id: users.id }) .from(users) .where(eq(users.email, email)) .limit(1) if (existing.length > 0) { return reply.status(409).send({ error: { message: 'User with this email already exists', statusCode: 409 }, }) } const passwordHash = await bcrypt.hash(password, SALT_ROUNDS) const [user] = await app.db .insert(users) .values({ companyId, email, passwordHash, firstName, lastName, role, }) .returning({ id: users.id, email: users.email, firstName: users.firstName, lastName: users.lastName, role: users.role, createdAt: users.createdAt, }) const token = app.jwt.sign({ id: user.id, companyId, role: user.role, }) request.log.info({ userId: user.id, email: user.email, companyId }, 'User registered') return reply.status(201).send({ user, token }) }) app.post('/auth/login', rateLimitConfig, async (request, reply) => { const parsed = LoginSchema.safeParse(request.body) if (!parsed.success) { return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 }, }) } const { email, password } = parsed.data // Email is globally unique — company is derived from the user record const [user] = await app.db .select() .from(users) .where(eq(users.email, email)) .limit(1) if (!user) { request.log.warn({ email }, 'Login failed — unknown email') return reply.status(401).send({ error: { message: 'Invalid email or password', statusCode: 401 }, }) } const valid = await bcrypt.compare(password, user.passwordHash) if (!valid) { request.log.warn({ email, userId: user.id }, 'Login failed — wrong password') return reply.status(401).send({ error: { message: 'Invalid email or password', statusCode: 401 }, }) } const token = app.jwt.sign({ id: user.id, companyId: user.companyId, role: user.role, }) request.log.info({ userId: user.id, email }, 'User logged in') return reply.send({ user: { id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role, }, token, }) }) // Change own password app.post('/auth/change-password', { preHandler: [app.authenticate] }, async (request, reply) => { const { currentPassword, newPassword } = request.body as { currentPassword?: string; newPassword?: string } if (!currentPassword || !newPassword) { return reply.status(400).send({ error: { message: 'currentPassword and newPassword are required', statusCode: 400 } }) } if (newPassword.length < 12) { return reply.status(400).send({ error: { message: 'Password must be at least 12 characters', statusCode: 400 } }) } const [user] = await app.db.select().from(users).where(eq(users.id, request.user.id)).limit(1) if (!user) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } }) const valid = await bcrypt.compare(currentPassword, user.passwordHash) if (!valid) { return reply.status(401).send({ error: { message: 'Current password is incorrect', statusCode: 401 } }) } const newHash = await bcrypt.hash(newPassword, SALT_ROUNDS) await app.db.update(users).set({ passwordHash: newHash, updatedAt: new Date() }).where(eq(users.id, request.user.id)) request.log.info({ userId: request.user.id }, 'Password changed') return reply.send({ message: 'Password changed' }) }) // Admin: generate password reset token for a user app.post('/auth/reset-password/:userId', { preHandler: [app.authenticate, app.requirePermission('users.admin')] }, async (request, reply) => { const { userId } = request.params as { userId: string } const [user] = await app.db.select({ id: users.id, email: users.email }).from(users).where(eq(users.id, userId)).limit(1) if (!user) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } }) // Generate a signed reset token that expires in 1 hour const resetToken = app.jwt.sign({ userId: user.id, purpose: 'password-reset' } as any, { expiresIn: '1h' }) const resetLink = `${process.env.APP_URL ?? 'http://localhost:5173'}/reset-password?token=${resetToken}` request.log.info({ userId, generatedBy: request.user.id }, 'Password reset link generated') return reply.send({ resetLink, expiresIn: '1 hour' }) }) // Reset password with token app.post('/auth/reset-password', async (request, reply) => { const { token, newPassword } = request.body as { token?: string; newPassword?: string } if (!token || !newPassword) { return reply.status(400).send({ error: { message: 'token and newPassword are required', statusCode: 400 } }) } if (newPassword.length < 12) { return reply.status(400).send({ error: { message: 'Password must be at least 12 characters', statusCode: 400 } }) } try { const payload = app.jwt.verify<{ userId: string; purpose: string }>(token) if (payload.purpose !== 'password-reset') { return reply.status(400).send({ error: { message: 'Invalid reset token', statusCode: 400 } }) } const newHash = await bcrypt.hash(newPassword, SALT_ROUNDS) await app.db.update(users).set({ passwordHash: newHash, updatedAt: new Date() }).where(eq(users.id, payload.userId)) request.log.info({ userId: payload.userId }, 'Password reset via token') return reply.send({ message: 'Password reset successfully' }) } catch { return reply.status(400).send({ error: { message: 'Invalid or expired reset token', statusCode: 400 } }) } }) // Get current user profile app.get('/auth/me', { preHandler: [app.authenticate] }, async (request, reply) => { const [user] = await app.db .select({ id: users.id, email: users.email, firstName: users.firstName, lastName: users.lastName, role: users.role, createdAt: users.createdAt, }) .from(users) .where(eq(users.id, request.user.id)) .limit(1) if (!user) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } }) return reply.send(user) }) // Update current user profile app.patch('/auth/me', { preHandler: [app.authenticate] }, async (request, reply) => { const { firstName, lastName } = request.body as { firstName?: string; lastName?: string } const updates: Record = { updatedAt: new Date() } if (firstName) updates.firstName = firstName if (lastName) updates.lastName = lastName const [user] = await app.db .update(users) .set(updates) .where(eq(users.id, request.user.id)) .returning({ id: users.id, email: users.email, firstName: users.firstName, lastName: users.lastName, role: users.role, }) return reply.send(user) }) }