feat: add auth service with user, session, and API key management
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
158
src/server/services/auth.service.ts
Normal file
158
src/server/services/auth.service.ts
Normal file
@@ -0,0 +1,158 @@
|
|||||||
|
import { randomBytes } from "node:crypto";
|
||||||
|
import { count, eq } from "drizzle-orm";
|
||||||
|
import { db as prodDb } from "../../db/index.ts";
|
||||||
|
import { apiKeys, sessions, users } from "../../db/schema.ts";
|
||||||
|
|
||||||
|
type Db = typeof prodDb;
|
||||||
|
|
||||||
|
// ── User Management ──────────────────────────────────────────────────
|
||||||
|
|
||||||
|
export async function createUser(
|
||||||
|
db: Db = prodDb,
|
||||||
|
username: string,
|
||||||
|
password: string,
|
||||||
|
) {
|
||||||
|
const passwordHash = await Bun.password.hash(password);
|
||||||
|
return db.insert(users).values({ username, passwordHash }).returning().get();
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function verifyPassword(
|
||||||
|
db: Db = prodDb,
|
||||||
|
username: string,
|
||||||
|
password: string,
|
||||||
|
) {
|
||||||
|
const user = db
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.where(eq(users.username, username))
|
||||||
|
.get();
|
||||||
|
|
||||||
|
if (!user) return null;
|
||||||
|
|
||||||
|
const valid = await Bun.password.verify(password, user.passwordHash);
|
||||||
|
return valid ? user : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getUserCount(db: Db = prodDb): number {
|
||||||
|
const result = db.select({ value: count() }).from(users).get();
|
||||||
|
return result?.value ?? 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function changePassword(
|
||||||
|
db: Db = prodDb,
|
||||||
|
username: string,
|
||||||
|
currentPassword: string,
|
||||||
|
newPassword: string,
|
||||||
|
): Promise<boolean> {
|
||||||
|
const user = await verifyPassword(db, username, currentPassword);
|
||||||
|
if (!user) return false;
|
||||||
|
|
||||||
|
const newHash = await Bun.password.hash(newPassword);
|
||||||
|
db.update(users)
|
||||||
|
.set({ passwordHash: newHash })
|
||||||
|
.where(eq(users.id, user.id))
|
||||||
|
.run();
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// ── Session Management ───────────────────────────────────────────────
|
||||||
|
|
||||||
|
export function createSession(
|
||||||
|
db: Db = prodDb,
|
||||||
|
userId: number,
|
||||||
|
expiryDays = 30,
|
||||||
|
) {
|
||||||
|
const id = randomBytes(32).toString("hex");
|
||||||
|
const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
|
||||||
|
|
||||||
|
return db
|
||||||
|
.insert(sessions)
|
||||||
|
.values({ id, userId, expiresAt })
|
||||||
|
.returning()
|
||||||
|
.get();
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getSession(db: Db = prodDb, sessionId: string) {
|
||||||
|
const session = db
|
||||||
|
.select()
|
||||||
|
.from(sessions)
|
||||||
|
.where(eq(sessions.id, sessionId))
|
||||||
|
.get();
|
||||||
|
|
||||||
|
if (!session) return null;
|
||||||
|
|
||||||
|
if (session.expiresAt < new Date()) {
|
||||||
|
db.delete(sessions).where(eq(sessions.id, sessionId)).run();
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
return session;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function deleteSession(db: Db = prodDb, sessionId: string) {
|
||||||
|
db.delete(sessions).where(eq(sessions.id, sessionId)).run();
|
||||||
|
}
|
||||||
|
|
||||||
|
export function refreshSession(
|
||||||
|
db: Db = prodDb,
|
||||||
|
sessionId: string,
|
||||||
|
expiryDays = 30,
|
||||||
|
) {
|
||||||
|
const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
|
||||||
|
db.update(sessions)
|
||||||
|
.set({ expiresAt })
|
||||||
|
.where(eq(sessions.id, sessionId))
|
||||||
|
.run();
|
||||||
|
}
|
||||||
|
|
||||||
|
// ── API Key Management ───────────────────────────────────────────────
|
||||||
|
|
||||||
|
export async function createApiKey(db: Db = prodDb, name: string) {
|
||||||
|
const rawKey = randomBytes(32).toString("hex");
|
||||||
|
const keyHash = await Bun.password.hash(rawKey);
|
||||||
|
const keyPrefix = rawKey.slice(0, 8);
|
||||||
|
|
||||||
|
const record = db
|
||||||
|
.insert(apiKeys)
|
||||||
|
.values({ name, keyHash, keyPrefix })
|
||||||
|
.returning()
|
||||||
|
.get();
|
||||||
|
|
||||||
|
return { ...record, rawKey };
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function verifyApiKey(
|
||||||
|
db: Db = prodDb,
|
||||||
|
rawKey: string,
|
||||||
|
): Promise<boolean> {
|
||||||
|
const prefix = rawKey.slice(0, 8);
|
||||||
|
const candidates = db
|
||||||
|
.select()
|
||||||
|
.from(apiKeys)
|
||||||
|
.where(eq(apiKeys.keyPrefix, prefix))
|
||||||
|
.all();
|
||||||
|
|
||||||
|
for (const candidate of candidates) {
|
||||||
|
const valid = await Bun.password.verify(rawKey, candidate.keyHash);
|
||||||
|
if (valid) return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
export function listApiKeys(db: Db = prodDb) {
|
||||||
|
return db
|
||||||
|
.select({
|
||||||
|
id: apiKeys.id,
|
||||||
|
name: apiKeys.name,
|
||||||
|
keyPrefix: apiKeys.keyPrefix,
|
||||||
|
createdAt: apiKeys.createdAt,
|
||||||
|
})
|
||||||
|
.from(apiKeys)
|
||||||
|
.all();
|
||||||
|
}
|
||||||
|
|
||||||
|
export function deleteApiKey(db: Db = prodDb, id: number) {
|
||||||
|
db.delete(apiKeys).where(eq(apiKeys.id, id)).run();
|
||||||
|
}
|
||||||
171
tests/services/auth.service.test.ts
Normal file
171
tests/services/auth.service.test.ts
Normal file
@@ -0,0 +1,171 @@
|
|||||||
|
import { beforeEach, describe, expect, it } from "bun:test";
|
||||||
|
import {
|
||||||
|
changePassword,
|
||||||
|
createApiKey,
|
||||||
|
createSession,
|
||||||
|
createUser,
|
||||||
|
deleteApiKey,
|
||||||
|
deleteSession,
|
||||||
|
getSession,
|
||||||
|
getUserCount,
|
||||||
|
listApiKeys,
|
||||||
|
verifyApiKey,
|
||||||
|
verifyPassword,
|
||||||
|
} from "../../src/server/services/auth.service.ts";
|
||||||
|
import { createTestDb } from "../helpers/db.ts";
|
||||||
|
|
||||||
|
describe("Auth Service", () => {
|
||||||
|
let db: ReturnType<typeof createTestDb>;
|
||||||
|
|
||||||
|
beforeEach(() => {
|
||||||
|
db = createTestDb();
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("User Management", () => {
|
||||||
|
it("creates a user with hashed password (hash !== plaintext)", async () => {
|
||||||
|
const user = await createUser(db, "admin", "secret123");
|
||||||
|
|
||||||
|
expect(user).toBeDefined();
|
||||||
|
expect(user.id).toBeGreaterThan(0);
|
||||||
|
expect(user.username).toBe("admin");
|
||||||
|
expect(user.passwordHash).not.toBe("secret123");
|
||||||
|
expect(user.passwordHash.length).toBeGreaterThan(0);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("verifies correct password returns user", async () => {
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
const user = await verifyPassword(db, "admin", "secret123");
|
||||||
|
|
||||||
|
expect(user).not.toBeNull();
|
||||||
|
expect(user!.username).toBe("admin");
|
||||||
|
});
|
||||||
|
|
||||||
|
it("rejects incorrect password returns null", async () => {
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
const user = await verifyPassword(db, "admin", "wrongpassword");
|
||||||
|
|
||||||
|
expect(user).toBeNull();
|
||||||
|
});
|
||||||
|
|
||||||
|
it("getUserCount returns 0 then 1", async () => {
|
||||||
|
const countBefore = getUserCount(db);
|
||||||
|
expect(countBefore).toBe(0);
|
||||||
|
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
|
||||||
|
const countAfter = getUserCount(db);
|
||||||
|
expect(countAfter).toBe(1);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("changes password successfully", async () => {
|
||||||
|
await createUser(db, "admin", "oldpass");
|
||||||
|
const changed = await changePassword(db, "admin", "oldpass", "newpass");
|
||||||
|
expect(changed).toBe(true);
|
||||||
|
|
||||||
|
// Verify new password works
|
||||||
|
const user = await verifyPassword(db, "admin", "newpass");
|
||||||
|
expect(user).not.toBeNull();
|
||||||
|
|
||||||
|
// Verify old password no longer works
|
||||||
|
const oldAttempt = await verifyPassword(db, "admin", "oldpass");
|
||||||
|
expect(oldAttempt).toBeNull();
|
||||||
|
});
|
||||||
|
|
||||||
|
it("rejects password change with wrong current password", async () => {
|
||||||
|
await createUser(db, "admin", "secret123");
|
||||||
|
const changed = await changePassword(
|
||||||
|
db,
|
||||||
|
"admin",
|
||||||
|
"wrongcurrent",
|
||||||
|
"newpass",
|
||||||
|
);
|
||||||
|
expect(changed).toBe(false);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("Session Management", () => {
|
||||||
|
it("creates and retrieves a session (id length is 64 hex chars)", async () => {
|
||||||
|
const user = await createUser(db, "admin", "secret123");
|
||||||
|
const session = createSession(db, user.id);
|
||||||
|
|
||||||
|
expect(session).toBeDefined();
|
||||||
|
expect(session.id).toHaveLength(64);
|
||||||
|
expect(session.userId).toBe(user.id);
|
||||||
|
expect(session.expiresAt).toBeInstanceOf(Date);
|
||||||
|
|
||||||
|
const retrieved = getSession(db, session.id);
|
||||||
|
expect(retrieved).not.toBeNull();
|
||||||
|
expect(retrieved!.id).toBe(session.id);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("returns null for expired session (expiryDays = -1)", async () => {
|
||||||
|
const user = await createUser(db, "admin", "secret123");
|
||||||
|
const session = createSession(db, user.id, -1);
|
||||||
|
|
||||||
|
const retrieved = getSession(db, session.id);
|
||||||
|
expect(retrieved).toBeNull();
|
||||||
|
});
|
||||||
|
|
||||||
|
it("deletes a session", async () => {
|
||||||
|
const user = await createUser(db, "admin", "secret123");
|
||||||
|
const session = createSession(db, user.id);
|
||||||
|
|
||||||
|
deleteSession(db, session.id);
|
||||||
|
|
||||||
|
const retrieved = getSession(db, session.id);
|
||||||
|
expect(retrieved).toBeNull();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe("API Key Management", () => {
|
||||||
|
it("creates key and returns raw key once (length > 16, prefix matches first 8 chars)", async () => {
|
||||||
|
const result = await createApiKey(db, "test-key");
|
||||||
|
|
||||||
|
expect(result).toBeDefined();
|
||||||
|
expect(result.rawKey).toBeDefined();
|
||||||
|
expect(result.rawKey.length).toBeGreaterThan(16);
|
||||||
|
expect(result.keyPrefix).toBe(result.rawKey.slice(0, 8));
|
||||||
|
expect(result.name).toBe("test-key");
|
||||||
|
});
|
||||||
|
|
||||||
|
it("verifies valid key returns true", async () => {
|
||||||
|
const result = await createApiKey(db, "test-key");
|
||||||
|
const isValid = await verifyApiKey(db, result.rawKey);
|
||||||
|
|
||||||
|
expect(isValid).toBe(true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("rejects invalid key returns false", async () => {
|
||||||
|
await createApiKey(db, "test-key");
|
||||||
|
const isValid = await verifyApiKey(db, "invalidkey12345678");
|
||||||
|
|
||||||
|
expect(isValid).toBe(false);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("deletes key so it is no longer valid", async () => {
|
||||||
|
const result = await createApiKey(db, "test-key");
|
||||||
|
deleteApiKey(db, result.id);
|
||||||
|
|
||||||
|
const isValid = await verifyApiKey(db, result.rawKey);
|
||||||
|
expect(isValid).toBe(false);
|
||||||
|
});
|
||||||
|
|
||||||
|
it("listApiKeys returns keys without hashes", async () => {
|
||||||
|
await createApiKey(db, "key-one");
|
||||||
|
await createApiKey(db, "key-two");
|
||||||
|
|
||||||
|
const keys = listApiKeys(db);
|
||||||
|
expect(keys).toHaveLength(2);
|
||||||
|
expect(keys[0].name).toBe("key-one");
|
||||||
|
expect(keys[1].name).toBe("key-two");
|
||||||
|
// Ensure no hash is exposed
|
||||||
|
for (const key of keys) {
|
||||||
|
expect(key).toHaveProperty("id");
|
||||||
|
expect(key).toHaveProperty("name");
|
||||||
|
expect(key).toHaveProperty("keyPrefix");
|
||||||
|
expect(key).toHaveProperty("createdAt");
|
||||||
|
expect(key).not.toHaveProperty("keyHash");
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user