feat: add auth service with user, session, and API key management

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:20:27 +02:00
parent 32c7b41ce5
commit 7c4fa9d9d2
2 changed files with 329 additions and 0 deletions
--- a/src/server/services/auth.service.ts
+++ b/src/server/services/auth.service.ts
@@ -0,0 +1,158 @@
+import { randomBytes } from "node:crypto";
+import { count, eq } from "drizzle-orm";
+import { db as prodDb } from "../../db/index.ts";
+import { apiKeys, sessions, users } from "../../db/schema.ts";
+
+type Db = typeof prodDb;
+
+// ── User Management ──────────────────────────────────────────────────
+
+export async function createUser(
+	db: Db = prodDb,
+	username: string,
+	password: string,
+) {
+	const passwordHash = await Bun.password.hash(password);
+	return db.insert(users).values({ username, passwordHash }).returning().get();
+}
+
+export async function verifyPassword(
+	db: Db = prodDb,
+	username: string,
+	password: string,
+) {
+	const user = db
+		.select()
+		.from(users)
+		.where(eq(users.username, username))
+		.get();
+
+	if (!user) return null;
+
+	const valid = await Bun.password.verify(password, user.passwordHash);
+	return valid ? user : null;
+}
+
+export function getUserCount(db: Db = prodDb): number {
+	const result = db.select({ value: count() }).from(users).get();
+	return result?.value ?? 0;
+}
+
+export async function changePassword(
+	db: Db = prodDb,
+	username: string,
+	currentPassword: string,
+	newPassword: string,
+): Promise<boolean> {
+	const user = await verifyPassword(db, username, currentPassword);
+	if (!user) return false;
+
+	const newHash = await Bun.password.hash(newPassword);
+	db.update(users)
+		.set({ passwordHash: newHash })
+		.where(eq(users.id, user.id))
+		.run();
+
+	return true;
+}
+
+// ── Session Management ───────────────────────────────────────────────
+
+export function createSession(
+	db: Db = prodDb,
+	userId: number,
+	expiryDays = 30,
+) {
+	const id = randomBytes(32).toString("hex");
+	const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
+
+	return db
+		.insert(sessions)
+		.values({ id, userId, expiresAt })
+		.returning()
+		.get();
+}
+
+export function getSession(db: Db = prodDb, sessionId: string) {
+	const session = db
+		.select()
+		.from(sessions)
+		.where(eq(sessions.id, sessionId))
+		.get();
+
+	if (!session) return null;
+
+	if (session.expiresAt < new Date()) {
+		db.delete(sessions).where(eq(sessions.id, sessionId)).run();
+		return null;
+	}
+
+	return session;
+}
+
+export function deleteSession(db: Db = prodDb, sessionId: string) {
+	db.delete(sessions).where(eq(sessions.id, sessionId)).run();
+}
+
+export function refreshSession(
+	db: Db = prodDb,
+	sessionId: string,
+	expiryDays = 30,
+) {
+	const expiresAt = new Date(Date.now() + expiryDays * 24 * 60 * 60 * 1000);
+	db.update(sessions)
+		.set({ expiresAt })
+		.where(eq(sessions.id, sessionId))
+		.run();
+}
+
+// ── API Key Management ───────────────────────────────────────────────
+
+export async function createApiKey(db: Db = prodDb, name: string) {
+	const rawKey = randomBytes(32).toString("hex");
+	const keyHash = await Bun.password.hash(rawKey);
+	const keyPrefix = rawKey.slice(0, 8);
+
+	const record = db
+		.insert(apiKeys)
+		.values({ name, keyHash, keyPrefix })
+		.returning()
+		.get();
+
+	return { ...record, rawKey };
+}
+
+export async function verifyApiKey(
+	db: Db = prodDb,
+	rawKey: string,
+): Promise<boolean> {
+	const prefix = rawKey.slice(0, 8);
+	const candidates = db
+		.select()
+		.from(apiKeys)
+		.where(eq(apiKeys.keyPrefix, prefix))
+		.all();
+
+	for (const candidate of candidates) {
+		const valid = await Bun.password.verify(rawKey, candidate.keyHash);
+		if (valid) return true;
+	}
+
+	return false;
+}
+
+export function listApiKeys(db: Db = prodDb) {
+	return db
+		.select({
+			id: apiKeys.id,
+			name: apiKeys.name,
+			keyPrefix: apiKeys.keyPrefix,
+			createdAt: apiKeys.createdAt,
+		})
+		.from(apiKeys)
+		.all();
+}
+
+export function deleteApiKey(db: Db = prodDb, id: number) {
+	db.delete(apiKeys).where(eq(apiKeys.id, id)).run();
+}
--- a/tests/services/auth.service.test.ts
+++ b/tests/services/auth.service.test.ts
@@ -0,0 +1,171 @@
+import { beforeEach, describe, expect, it } from "bun:test";
+import {
+	changePassword,
+	createApiKey,
+	createSession,
+	createUser,
+	deleteApiKey,
+	deleteSession,
+	getSession,
+	getUserCount,
+	listApiKeys,
+	verifyApiKey,
+	verifyPassword,
+} from "../../src/server/services/auth.service.ts";
+import { createTestDb } from "../helpers/db.ts";
+
+describe("Auth Service", () => {
+	let db: ReturnType<typeof createTestDb>;
+
+	beforeEach(() => {
+		db = createTestDb();
+	});
+
+	describe("User Management", () => {
+		it("creates a user with hashed password (hash !== plaintext)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+
+			expect(user).toBeDefined();
+			expect(user.id).toBeGreaterThan(0);
+			expect(user.username).toBe("admin");
+			expect(user.passwordHash).not.toBe("secret123");
+			expect(user.passwordHash.length).toBeGreaterThan(0);
+		});
+
+		it("verifies correct password returns user", async () => {
+			await createUser(db, "admin", "secret123");
+			const user = await verifyPassword(db, "admin", "secret123");
+
+			expect(user).not.toBeNull();
+			expect(user!.username).toBe("admin");
+		});
+
+		it("rejects incorrect password returns null", async () => {
+			await createUser(db, "admin", "secret123");
+			const user = await verifyPassword(db, "admin", "wrongpassword");
+
+			expect(user).toBeNull();
+		});
+
+		it("getUserCount returns 0 then 1", async () => {
+			const countBefore = getUserCount(db);
+			expect(countBefore).toBe(0);
+
+			await createUser(db, "admin", "secret123");
+
+			const countAfter = getUserCount(db);
+			expect(countAfter).toBe(1);
+		});
+
+		it("changes password successfully", async () => {
+			await createUser(db, "admin", "oldpass");
+			const changed = await changePassword(db, "admin", "oldpass", "newpass");
+			expect(changed).toBe(true);
+
+			// Verify new password works
+			const user = await verifyPassword(db, "admin", "newpass");
+			expect(user).not.toBeNull();
+
+			// Verify old password no longer works
+			const oldAttempt = await verifyPassword(db, "admin", "oldpass");
+			expect(oldAttempt).toBeNull();
+		});
+
+		it("rejects password change with wrong current password", async () => {
+			await createUser(db, "admin", "secret123");
+			const changed = await changePassword(
+				db,
+				"admin",
+				"wrongcurrent",
+				"newpass",
+			);
+			expect(changed).toBe(false);
+		});
+	});
+
+	describe("Session Management", () => {
+		it("creates and retrieves a session (id length is 64 hex chars)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id);
+
+			expect(session).toBeDefined();
+			expect(session.id).toHaveLength(64);
+			expect(session.userId).toBe(user.id);
+			expect(session.expiresAt).toBeInstanceOf(Date);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).not.toBeNull();
+			expect(retrieved!.id).toBe(session.id);
+		});
+
+		it("returns null for expired session (expiryDays = -1)", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id, -1);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).toBeNull();
+		});
+
+		it("deletes a session", async () => {
+			const user = await createUser(db, "admin", "secret123");
+			const session = createSession(db, user.id);
+
+			deleteSession(db, session.id);
+
+			const retrieved = getSession(db, session.id);
+			expect(retrieved).toBeNull();
+		});
+	});
+
+	describe("API Key Management", () => {
+		it("creates key and returns raw key once (length > 16, prefix matches first 8 chars)", async () => {
+			const result = await createApiKey(db, "test-key");
+
+			expect(result).toBeDefined();
+			expect(result.rawKey).toBeDefined();
+			expect(result.rawKey.length).toBeGreaterThan(16);
+			expect(result.keyPrefix).toBe(result.rawKey.slice(0, 8));
+			expect(result.name).toBe("test-key");
+		});
+
+		it("verifies valid key returns true", async () => {
+			const result = await createApiKey(db, "test-key");
+			const isValid = await verifyApiKey(db, result.rawKey);
+
+			expect(isValid).toBe(true);
+		});
+
+		it("rejects invalid key returns false", async () => {
+			await createApiKey(db, "test-key");
+			const isValid = await verifyApiKey(db, "invalidkey12345678");
+
+			expect(isValid).toBe(false);
+		});
+
+		it("deletes key so it is no longer valid", async () => {
+			const result = await createApiKey(db, "test-key");
+			deleteApiKey(db, result.id);
+
+			const isValid = await verifyApiKey(db, result.rawKey);
+			expect(isValid).toBe(false);
+		});
+
+		it("listApiKeys returns keys without hashes", async () => {
+			await createApiKey(db, "key-one");
+			await createApiKey(db, "key-two");
+
+			const keys = listApiKeys(db);
+			expect(keys).toHaveLength(2);
+			expect(keys[0].name).toBe("key-one");
+			expect(keys[1].name).toBe("key-two");
+			// Ensure no hash is exposed
+			for (const key of keys) {
+				expect(key).toHaveProperty("id");
+				expect(key).toHaveProperty("name");
+				expect(key).toHaveProperty("keyPrefix");
+				expect(key).toHaveProperty("createdAt");
+				expect(key).not.toHaveProperty("keyHash");
+			}
+		});
+	});
+});