mapleopentech/monorepo
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit: Open sourcing all of the Maple Open Technologies code.

Browse source
This commit is contained in:
Bartlomiej Mika 2025-12-02 14:33:08 -05:00
commit 755d54a99d
2010 changed files with 448675 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

222
cloud/maplefile-backend/internal/service/auth/complete_login.go Normal file
View file

@ -0,0 +1,222 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/complete_login.go
package auth
import (
"bytes"
"context"
"encoding/base64"
"fmt"
"strings"
"time"
"github.com/awnumar/memguard"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/hash"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type CompleteLoginRequestDTO struct {
Email string `json:"email"`
ChallengeID string `json:"challengeId"`
DecryptedData string `json:"decryptedData"`
}
type CompleteLoginResponseDTO struct {
Message string `json:"message"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
AccessTokenExpiryDate string `json:"access_token_expiry_date"`
RefreshTokenExpiryDate string `json:"refresh_token_expiry_date"`
Username string `json:"username"`
}
type CompleteLoginService interface {
Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error)
}
type completeLoginServiceImpl struct {
config *config.Config
logger *zap.Logger
auditLogger auditlog.AuditLogger
userGetByEmailUC uc_user.UserGetByEmailUseCase
cache cassandracache.CassandraCacher
jwtProvider jwt.JWTProvider
}
func NewCompleteLoginService(
config *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
jwtProvider jwt.JWTProvider,
) CompleteLoginService {
return &completeLoginServiceImpl{
config: config,
logger: logger.Named("CompleteLoginService"),
auditLogger: auditLogger,
userGetByEmailUC: userGetByEmailUC,
cache: cache,
jwtProvider: jwtProvider,
}
}
func (s *completeLoginServiceImpl) Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error) {
// Validate request
if err := s.validateCompleteLoginRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Create SAGA for complete login workflow
saga := transaction.NewSaga("complete-login", s.logger)
s.logger.Info("starting login completion")
// Step 1: Normalize email
email := strings.ToLower(strings.TrimSpace(req.Email))
// Step 2: Get the original challenge from cache
challengeKey := fmt.Sprintf("challenge:%s", req.ChallengeID)
originalChallenge, err := s.cache.Get(ctx, challengeKey)
if err != nil || originalChallenge == nil {
s.logger.Warn("Challenge not found", zap.String("challenge_id", req.ChallengeID))
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
validation.MaskEmail(email), "", map[string]string{
"reason": "challenge_expired",
})
return nil, httperror.NewUnauthorizedError("Invalid or expired login challenge. Please request a new login code.")
}
defer memguard.WipeBytes(originalChallenge) // SECURITY: Wipe challenge from memory
// Step 3: Decode and verify decrypted data matches challenge
decryptedData, err := base64.StdEncoding.DecodeString(req.DecryptedData)
if err != nil {
s.logger.Warn("Failed to decode decrypted data", zap.Error(err))
return nil, httperror.NewBadRequestError("Invalid encrypted data format.")
}
defer memguard.WipeBytes(decryptedData) // SECURITY: Wipe decrypted data from memory
if !bytes.Equal(decryptedData, originalChallenge) {
s.logger.Warn("Challenge verification failed", zap.String("email", validation.MaskEmail(email)))
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
validation.MaskEmail(email), "", map[string]string{
"reason": "challenge_verification_failed",
})
return nil, httperror.NewUnauthorizedError("Challenge verification failed. Incorrect password or encryption keys.")
}
// Step 4: Get user (read-only, no compensation)
user, err := s.userGetByEmailUC.Execute(ctx, email)
if err != nil || user == nil {
s.logger.Error("User not found", zap.String("email", validation.MaskEmail(email)))
return nil, httperror.NewUnauthorizedError("Invalid email or password.")
}
// Step 5: Generate JWT token pair
accessToken, accessExpiry, refreshToken, refreshExpiry, err := s.jwtProvider.GenerateJWTTokenPair(
user.ID.String(),
s.config.JWT.AccessTokenDuration,
s.config.JWT.RefreshTokenDuration,
)
if err != nil {
s.logger.Error("Failed to generate JWT tokens", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to generate authentication tokens. Please try again.")
}
// Step 6: Store refresh token FIRST (compensate: delete refresh token)
// CRITICAL: Store refresh token before deleting challenge to prevent login failure
// SECURITY: Hash refresh token to prevent token leakage via cache key inspection
refreshTokenHash := hash.HashToken(refreshToken)
refreshKey := fmt.Sprintf("refresh:%s", refreshTokenHash)
if err := s.cache.SetWithExpiry(ctx, refreshKey, []byte(user.ID.String()), s.config.JWT.RefreshTokenDuration); err != nil {
s.logger.Error("Failed to store refresh token", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to store authentication session. Please try again.")
}
// Register compensation: delete refresh token if challenge deletion fails
refreshKeyCaptured := refreshKey
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting refresh token",
zap.String("refresh_key", refreshKeyCaptured))
return s.cache.Delete(ctx, refreshKeyCaptured)
})
// Step 7: Clear challenge from cache (one-time use) (compensate: restore challenge)
challengeKeyCaptured := challengeKey
originalChallengeCaptured := originalChallenge
if err := s.cache.Delete(ctx, challengeKey); err != nil {
s.logger.Error("Failed to delete challenge",
zap.String("challenge_key", challengeKey),
zap.Error(err))
// Trigger compensation: Delete refresh token
saga.Rollback(ctx)
return nil, httperror.NewInternalServerError("Login failed. Please try again.")
}
// Register compensation: restore challenge with reduced TTL (5 minutes for retry)
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: restoring challenge",
zap.String("challenge_key", challengeKeyCaptured))
// Restore with reduced TTL (5 minutes) to allow user retry
return s.cache.SetWithExpiry(ctx, challengeKeyCaptured, originalChallengeCaptured, 5*time.Minute)
})
s.logger.Info("Login completed successfully",
zap.String("user_id", user.ID.String()),
zap.String("email", validation.MaskEmail(email)),
zap.String("refresh_token", refreshToken[:16]+"...")) // Log prefix for security
// Audit log successful login
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginSuccess, auditlog.OutcomeSuccess,
validation.MaskEmail(email), "", map[string]string{
"user_id": user.ID.String(),
})
return &CompleteLoginResponseDTO{
Message: "Login successful",
AccessToken: accessToken,
RefreshToken: refreshToken,
AccessTokenExpiryDate: accessExpiry.Format(time.RFC3339),
RefreshTokenExpiryDate: refreshExpiry.Format(time.RFC3339),
Username: user.Email,
}, nil
}
// validateCompleteLoginRequest validates the complete login request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *completeLoginServiceImpl) validateCompleteLoginRequest(req *CompleteLoginRequestDTO) error {
errors := make(map[string]string)
// Validate email using shared validation utility
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
errors["email"] = errMsg
}
// Validate challengeId
challengeId := strings.TrimSpace(req.ChallengeID)
if challengeId == "" {
errors["challengeId"] = "Challenge ID is required"
}
// Validate decryptedData
decryptedData := strings.TrimSpace(req.DecryptedData)
if decryptedData == "" {
errors["decryptedData"] = "Decrypted challenge data is required"
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}

121
cloud/maplefile-backend/internal/service/auth/provider.go Normal file
View file

@ -0,0 +1,121 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/provider.go
package auth
import (
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
)
// ProvideRegisterService provides the register service
func ProvideRegisterService(
config *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userCreateUC uc_user.UserCreateUseCase,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userDeleteByIDUC uc_user.UserDeleteByIDUseCase,
emailer mailgun.Emailer,
) RegisterService {
return NewRegisterService(config, logger, auditLogger, userCreateUC, userGetByEmailUC, userDeleteByIDUC, emailer)
}
// ProvideVerifyEmailService provides the verify email service
func ProvideVerifyEmailService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByVerificationCodeUC uc_user.UserGetByVerificationCodeUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
) VerifyEmailService {
return NewVerifyEmailService(logger, auditLogger, userGetByVerificationCodeUC, userUpdateUC)
}
// ProvideResendVerificationService provides the resend verification service
func ProvideResendVerificationService(
config *config.Config,
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
emailer mailgun.Emailer,
) ResendVerificationService {
return NewResendVerificationService(config, logger, userGetByEmailUC, userUpdateUC, emailer)
}
// ProvideRequestOTTService provides the request OTT service
func ProvideRequestOTTService(
config *config.Config,
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
emailer mailgun.Emailer,
) RequestOTTService {
return NewRequestOTTService(config, logger, userGetByEmailUC, cache, emailer)
}
// ProvideVerifyOTTService provides the verify OTT service
func ProvideVerifyOTTService(
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
) VerifyOTTService {
return NewVerifyOTTService(logger, userGetByEmailUC, cache)
}
// ProvideCompleteLoginService provides the complete login service
func ProvideCompleteLoginService(
config *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
jwtProvider jwt.JWTProvider,
) CompleteLoginService {
return NewCompleteLoginService(config, logger, auditLogger, userGetByEmailUC, cache, jwtProvider)
}
// ProvideRefreshTokenService provides the refresh token service
func ProvideRefreshTokenService(
cfg *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
cache cassandracache.CassandraCacher,
jwtProvider jwt.JWTProvider,
userGetByIDUC uc_user.UserGetByIDUseCase,
) RefreshTokenService {
return NewRefreshTokenService(cfg, logger, auditLogger, cache, jwtProvider, userGetByIDUC)
}
// ProvideRecoveryInitiateService provides the recovery initiate service
func ProvideRecoveryInitiateService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
) RecoveryInitiateService {
return NewRecoveryInitiateService(logger, auditLogger, userGetByEmailUC, cache)
}
// ProvideRecoveryVerifyService provides the recovery verify service
func ProvideRecoveryVerifyService(
logger *zap.Logger,
cache cassandracache.CassandraCacher,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
) RecoveryVerifyService {
return NewRecoveryVerifyService(logger, cache, userGetByEmailUC)
}
// ProvideRecoveryCompleteService provides the recovery complete service
func ProvideRecoveryCompleteService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
cache cassandracache.CassandraCacher,
) RecoveryCompleteService {
return NewRecoveryCompleteService(logger, auditLogger, userGetByEmailUC, userUpdateUC, cache)
}

251
cloud/maplefile-backend/internal/service/auth/recovery_complete.go Normal file
View file

@ -0,0 +1,251 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/recovery_complete.go
package auth
import (
"context"
"encoding/base64"
"fmt"
"time"
"github.com/awnumar/memguard"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/crypto"
dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type RecoveryCompleteRequestDTO struct {
RecoveryToken string `json:"recovery_token"`
NewSalt string `json:"new_salt"`
NewPublicKey string `json:"new_public_key"`
NewEncryptedMasterKey string `json:"new_encrypted_master_key"`
NewEncryptedPrivateKey string `json:"new_encrypted_private_key"`
NewEncryptedRecoveryKey string `json:"new_encrypted_recovery_key"`
NewMasterKeyEncryptedWithRecoveryKey string `json:"new_master_key_encrypted_with_recovery_key"`
}
type RecoveryCompleteResponseDTO struct {
Message string `json:"message"`
Success bool `json:"success"`
}
type RecoveryCompleteService interface {
Execute(ctx context.Context, req *RecoveryCompleteRequestDTO) (*RecoveryCompleteResponseDTO, error)
}
type recoveryCompleteServiceImpl struct {
logger *zap.Logger
auditLogger auditlog.AuditLogger
userGetByEmailUC uc_user.UserGetByEmailUseCase
userUpdateUC uc_user.UserUpdateUseCase
cache cassandracache.CassandraCacher
}
func NewRecoveryCompleteService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
cache cassandracache.CassandraCacher,
) RecoveryCompleteService {
return &recoveryCompleteServiceImpl{
logger: logger.Named("RecoveryCompleteService"),
auditLogger: auditLogger,
userGetByEmailUC: userGetByEmailUC,
userUpdateUC: userUpdateUC,
cache: cache,
}
}
func (s *recoveryCompleteServiceImpl) Execute(ctx context.Context, req *RecoveryCompleteRequestDTO) (*RecoveryCompleteResponseDTO, error) {
// Create SAGA for recovery completion workflow
saga := transaction.NewSaga("recovery-complete", s.logger)
s.logger.Info("starting recovery completion")
// Step 1: Validate recovery token from cache
tokenKey := fmt.Sprintf("recovery_token:%s", req.RecoveryToken)
emailBytes, err := s.cache.Get(ctx, tokenKey)
if err != nil || emailBytes == nil {
s.logger.Warn("Recovery token not found or expired")
return nil, fmt.Errorf("invalid or expired recovery token")
}
email := string(emailBytes)
// Step 2: Get user by email and backup current credentials
user, err := s.userGetByEmailUC.Execute(ctx, email)
if err != nil || user == nil {
s.logger.Error("User not found during recovery completion", zap.String("email", validation.MaskEmail(email)))
return nil, fmt.Errorf("recovery completion failed")
}
// Backup current credentials for compensation (deep copy)
var oldSecurityData *dom_user.UserSecurityData
if user.SecurityData != nil {
// Create a deep copy of security data
oldSecurityData = &dom_user.UserSecurityData{
PasswordSalt: make([]byte, len(user.SecurityData.PasswordSalt)),
PublicKey: user.SecurityData.PublicKey,
EncryptedMasterKey: user.SecurityData.EncryptedMasterKey,
EncryptedPrivateKey: user.SecurityData.EncryptedPrivateKey,
EncryptedRecoveryKey: user.SecurityData.EncryptedRecoveryKey,
MasterKeyEncryptedWithRecoveryKey: user.SecurityData.MasterKeyEncryptedWithRecoveryKey,
}
copy(oldSecurityData.PasswordSalt, user.SecurityData.PasswordSalt)
}
// Decode new encryption keys from base64
// SECURITY: All decoded key material is wiped from memory after use
newSalt, err := base64.StdEncoding.DecodeString(req.NewSalt)
if err != nil {
return nil, fmt.Errorf("invalid salt format")
}
defer memguard.WipeBytes(newSalt)
newPublicKey, err := base64.StdEncoding.DecodeString(req.NewPublicKey)
if err != nil {
return nil, fmt.Errorf("invalid public key format")
}
defer memguard.WipeBytes(newPublicKey)
newEncryptedMasterKey, err := base64.StdEncoding.DecodeString(req.NewEncryptedMasterKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted master key format")
}
defer memguard.WipeBytes(newEncryptedMasterKey)
newEncryptedPrivateKey, err := base64.StdEncoding.DecodeString(req.NewEncryptedPrivateKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted private key format")
}
defer memguard.WipeBytes(newEncryptedPrivateKey)
newEncryptedRecoveryKey, err := base64.StdEncoding.DecodeString(req.NewEncryptedRecoveryKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted recovery key format")
}
defer memguard.WipeBytes(newEncryptedRecoveryKey)
newMasterKeyEncryptedWithRecovery, err := base64.StdEncoding.DecodeString(req.NewMasterKeyEncryptedWithRecoveryKey)
if err != nil {
return nil, fmt.Errorf("invalid master key encrypted with recovery format")
}
defer memguard.WipeBytes(newMasterKeyEncryptedWithRecovery)
// Update user's encryption keys
if user.SecurityData == nil {
user.SecurityData = &dom_user.UserSecurityData{}
}
// Parse the encrypted keys into their proper structures
// Format: nonce (24 bytes) + ciphertext (remaining bytes)
// Update password salt
user.SecurityData.PasswordSalt = newSalt
// Update public key (critical for login challenge encryption)
user.SecurityData.PublicKey = crypto.PublicKey{
Key: newPublicKey,
}
// Update encrypted master key
if len(newEncryptedMasterKey) > 24 {
user.SecurityData.EncryptedMasterKey = crypto.EncryptedMasterKey{
Nonce: newEncryptedMasterKey[:24],
Ciphertext: newEncryptedMasterKey[24:],
KeyVersion: 1,
}
}
// Update encrypted private key
if len(newEncryptedPrivateKey) > 24 {
user.SecurityData.EncryptedPrivateKey = crypto.EncryptedPrivateKey{
Nonce: newEncryptedPrivateKey[:24],
Ciphertext: newEncryptedPrivateKey[24:],
}
}
// Update encrypted recovery key
if len(newEncryptedRecoveryKey) > 24 {
user.SecurityData.EncryptedRecoveryKey = crypto.EncryptedRecoveryKey{
Nonce: newEncryptedRecoveryKey[:24],
Ciphertext: newEncryptedRecoveryKey[24:],
}
}
// Update master key encrypted with recovery key
if len(newMasterKeyEncryptedWithRecovery) > 24 {
user.SecurityData.MasterKeyEncryptedWithRecoveryKey = crypto.MasterKeyEncryptedWithRecoveryKey{
Nonce: newMasterKeyEncryptedWithRecovery[:24],
Ciphertext: newMasterKeyEncryptedWithRecovery[24:],
}
}
// Update user's modified timestamp
user.ModifiedAt = time.Now()
// Step 3: Save updated user with new credentials (compensate: restore old credentials)
// CRITICAL: This must succeed before token deletion to prevent account takeover
if err := s.userUpdateUC.Execute(ctx, user); err != nil {
s.logger.Error("Failed to update user with new keys", zap.Error(err))
return nil, fmt.Errorf("failed to complete recovery")
}
// Register compensation: restore old credentials if token deletion fails
userCaptured := user
oldSecurityDataCaptured := oldSecurityData
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Warn("compensating: restoring old credentials",
zap.String("user_id", userCaptured.ID.String()))
// Restore old security data
userCaptured.SecurityData = oldSecurityDataCaptured
userCaptured.ModifiedAt = time.Now()
if err := s.userUpdateUC.Execute(ctx, userCaptured); err != nil {
s.logger.Error("Failed to restore old credentials during compensation",
zap.String("user_id", userCaptured.ID.String()),
zap.Error(err))
return fmt.Errorf("compensation failed: %w", err)
}
s.logger.Info("old credentials restored successfully during compensation",
zap.String("user_id", userCaptured.ID.String()))
return nil
})
// Step 4: Clear recovery token (one-time use) - MUST succeed to prevent reuse
// CRITICAL: If this fails, recovery token could be reused for account takeover
tokenKeyCaptured := tokenKey
if err := s.cache.Delete(ctx, tokenKeyCaptured); err != nil {
s.logger.Error("Failed to delete recovery token - SECURITY RISK",
zap.String("token_key", tokenKeyCaptured),
zap.Error(err))
// Trigger compensation: Restore old credentials
saga.Rollback(ctx)
return nil, fmt.Errorf("failed to invalidate recovery token - please contact support")
}
s.logger.Info("Recovery completion successful",
zap.String("email", validation.MaskEmail(email)),
zap.String("user_id", user.ID.String()))
// Audit log recovery completion
s.auditLogger.LogAuth(ctx, auditlog.EventTypeRecoveryCompleted, auditlog.OutcomeSuccess,
validation.MaskEmail(email), "", map[string]string{
"user_id": user.ID.String(),
})
return &RecoveryCompleteResponseDTO{
Message: "Account recovery completed successfully. You can now log in with your new credentials.",
Success: true,
}, nil
}

133
cloud/maplefile-backend/internal/service/auth/recovery_initiate.go Normal file
View file

@ -0,0 +1,133 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/recovery_initiate.go
package auth
import (
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"strings"
"time"
"github.com/awnumar/memguard"
"github.com/gocql/gocql"
"go.uber.org/zap"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type RecoveryInitiateRequestDTO struct {
Email string `json:"email"`
Method string `json:"method"` // "recovery_key"
}
type RecoveryInitiateResponseDTO struct {
Message string `json:"message"`
SessionID string `json:"session_id"`
EncryptedChallenge string `json:"encrypted_challenge"`
}
type RecoveryInitiateService interface {
Execute(ctx context.Context, req *RecoveryInitiateRequestDTO) (*RecoveryInitiateResponseDTO, error)
}
type recoveryInitiateServiceImpl struct {
logger *zap.Logger
auditLogger auditlog.AuditLogger
userGetByEmailUC uc_user.UserGetByEmailUseCase
cache cassandracache.CassandraCacher
}
func NewRecoveryInitiateService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
) RecoveryInitiateService {
return &recoveryInitiateServiceImpl{
logger: logger.Named("RecoveryInitiateService"),
auditLogger: auditLogger,
userGetByEmailUC: userGetByEmailUC,
cache: cache,
}
}
func (s *recoveryInitiateServiceImpl) Execute(ctx context.Context, req *RecoveryInitiateRequestDTO) (*RecoveryInitiateResponseDTO, error) {
// Normalize email
email := strings.ToLower(strings.TrimSpace(req.Email))
// Verify user exists
user, err := s.userGetByEmailUC.Execute(ctx, email)
if err != nil || user == nil {
// For security, don't reveal if user exists or not
s.logger.Warn("User not found for recovery", zap.String("email", validation.MaskEmail(email)))
// Generate fake session ID and challenge to prevent timing attacks and enumeration
// This ensures the response looks identical whether the user exists or not
fakeSessionID := gocql.TimeUUID().String()
fakeChallenge := make([]byte, 32)
if _, err := rand.Read(fakeChallenge); err != nil {
// Fallback to zeros if random fails (extremely unlikely)
fakeChallenge = make([]byte, 32)
}
defer memguard.WipeBytes(fakeChallenge) // SECURITY: Wipe fake challenge from memory
fakeEncryptedChallenge := base64.StdEncoding.EncodeToString(fakeChallenge)
return &RecoveryInitiateResponseDTO{
Message: "Recovery initiated. Please decrypt the challenge with your recovery key.",
SessionID: fakeSessionID,
EncryptedChallenge: fakeEncryptedChallenge,
}, nil
}
// Generate recovery session ID
sessionID := gocql.TimeUUID().String()
// Generate random challenge (32 bytes)
challenge := make([]byte, 32)
if _, err := rand.Read(challenge); err != nil {
s.logger.Error("Failed to generate recovery challenge", zap.Error(err))
return nil, fmt.Errorf("failed to initiate recovery")
}
defer memguard.WipeBytes(challenge) // SECURITY: Wipe challenge from memory after use
// Store recovery challenge in cache (30 minute expiry)
challengeKey := fmt.Sprintf("recovery_challenge:%s", sessionID)
if err := s.cache.SetWithExpiry(ctx, challengeKey, challenge, 30*time.Minute); err != nil {
s.logger.Error("Failed to store recovery challenge", zap.Error(err))
return nil, fmt.Errorf("failed to initiate recovery")
}
// Store email associated with recovery session
emailKey := fmt.Sprintf("recovery_email:%s", sessionID)
if err := s.cache.SetWithExpiry(ctx, emailKey, []byte(email), 30*time.Minute); err != nil {
s.logger.Error("Failed to store recovery email", zap.Error(err))
// Continue anyway
}
// NOTE: In a real implementation with recovery key encryption:
// - We would retrieve the user's encrypted recovery key
// - Encrypt the challenge with it
// - The client would decrypt with their recovery key
// For now, return base64-encoded challenge (frontend will handle encryption)
encryptedChallenge := base64.StdEncoding.EncodeToString(challenge)
s.logger.Info("Recovery initiated successfully",
zap.String("email", validation.MaskEmail(email)),
zap.String("session_id", sessionID))
// Audit log recovery initiation
s.auditLogger.LogAuth(ctx, auditlog.EventTypeRecoveryInitiated, auditlog.OutcomeSuccess,
validation.MaskEmail(email), "", map[string]string{
"session_id": sessionID,
})
return &RecoveryInitiateResponseDTO{
Message: "Recovery initiated. Please decrypt the challenge with your recovery key.",
SessionID: sessionID,
EncryptedChallenge: encryptedChallenge,
}, nil
}

177
cloud/maplefile-backend/internal/service/auth/recovery_verify.go Normal file
View file

@ -0,0 +1,177 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/recovery_verify.go
package auth
import (
"bytes"
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"time"
"github.com/awnumar/memguard"
"go.uber.org/zap"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type RecoveryVerifyRequestDTO struct {
SessionID string `json:"session_id"`
DecryptedChallenge string `json:"decrypted_challenge"`
}
type RecoveryVerifyResponseDTO struct {
Message string `json:"message"`
RecoveryToken string `json:"recovery_token"`
CanResetCredentials bool `json:"can_reset_credentials"`
MasterKeyEncryptedWithRecoveryKey string `json:"master_key_encrypted_with_recovery_key"`
}
type RecoveryVerifyService interface {
Execute(ctx context.Context, req *RecoveryVerifyRequestDTO) (*RecoveryVerifyResponseDTO, error)
}
type recoveryVerifyServiceImpl struct {
logger *zap.Logger
cache cassandracache.CassandraCacher
userGetByEmailUC uc_user.UserGetByEmailUseCase
}
func NewRecoveryVerifyService(
logger *zap.Logger,
cache cassandracache.CassandraCacher,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
) RecoveryVerifyService {
return &recoveryVerifyServiceImpl{
logger: logger.Named("RecoveryVerifyService"),
cache: cache,
userGetByEmailUC: userGetByEmailUC,
}
}
func (s *recoveryVerifyServiceImpl) Execute(ctx context.Context, req *RecoveryVerifyRequestDTO) (*RecoveryVerifyResponseDTO, error) {
// Create SAGA for recovery verify workflow
saga := transaction.NewSaga("recovery-verify", s.logger)
s.logger.Info("starting recovery verification")
// Step 1: Get the original challenge from cache
challengeKey := fmt.Sprintf("recovery_challenge:%s", req.SessionID)
originalChallenge, err := s.cache.Get(ctx, challengeKey)
if err != nil || originalChallenge == nil {
s.logger.Warn("Recovery challenge not found or expired", zap.String("session_id", req.SessionID))
return nil, fmt.Errorf("invalid or expired recovery session")
}
defer memguard.WipeBytes(originalChallenge) // SECURITY: Wipe challenge from memory
// Step 2: Decode the decrypted challenge from base64
decryptedChallenge, err := base64.StdEncoding.DecodeString(req.DecryptedChallenge)
if err != nil {
s.logger.Warn("Failed to decode decrypted challenge", zap.Error(err))
return nil, fmt.Errorf("invalid decrypted challenge format")
}
defer memguard.WipeBytes(decryptedChallenge) // SECURITY: Wipe decrypted challenge from memory
// Step 3: Verify that decrypted challenge matches original
if !bytes.Equal(decryptedChallenge, originalChallenge) {
s.logger.Warn("Recovery challenge verification failed", zap.String("session_id", req.SessionID))
return nil, fmt.Errorf("challenge verification failed")
}
// Step 4: Generate recovery token (random secure token)
tokenBytes := make([]byte, 32)
if _, err := rand.Read(tokenBytes); err != nil {
s.logger.Error("Failed to generate recovery token", zap.Error(err))
return nil, fmt.Errorf("failed to generate recovery token")
}
defer memguard.WipeBytes(tokenBytes) // SECURITY: Wipe token bytes from memory
recoveryToken := base64.URLEncoding.EncodeToString(tokenBytes)
// Step 5: Get email associated with recovery session (read-only, no compensation)
emailKey := fmt.Sprintf("recovery_email:%s", req.SessionID)
email, err := s.cache.Get(ctx, emailKey)
if err != nil || email == nil {
s.logger.Error("Recovery email not found", zap.String("session_id", req.SessionID))
return nil, fmt.Errorf("recovery session invalid")
}
// Step 5b: Fetch user to get their encrypted master key with recovery key
user, err := s.userGetByEmailUC.Execute(ctx, string(email))
if err != nil || user == nil {
s.logger.Error("User not found for recovery", zap.String("email", validation.MaskEmail(string(email))))
return nil, fmt.Errorf("user not found")
}
// Validate user has the required key data
if user.SecurityData == nil ||
user.SecurityData.MasterKeyEncryptedWithRecoveryKey.Ciphertext == nil ||
user.SecurityData.MasterKeyEncryptedWithRecoveryKey.Nonce == nil {
s.logger.Error("User missing master key encrypted with recovery key",
zap.String("email", validation.MaskEmail(string(email))))
return nil, fmt.Errorf("account recovery data not available")
}
// Combine nonce + ciphertext for transmission (matches frontend expectation)
// Format: nonce (24 bytes) || ciphertext (variable length)
nonce := user.SecurityData.MasterKeyEncryptedWithRecoveryKey.Nonce
ciphertext := user.SecurityData.MasterKeyEncryptedWithRecoveryKey.Ciphertext
combined := make([]byte, len(nonce)+len(ciphertext))
copy(combined[:len(nonce)], nonce)
copy(combined[len(nonce):], ciphertext)
defer memguard.WipeBytes(combined) // SECURITY: Wipe combined key data from memory
// Encode the combined data to base64 for transmission
masterKeyEncryptedWithRecoveryKeyBase64 := base64.StdEncoding.EncodeToString(combined)
// Step 6: Store recovery token FIRST (compensate: delete recovery token)
// CRITICAL: Store recovery token before deleting challenge to prevent flow interruption
tokenKey := fmt.Sprintf("recovery_token:%s", recoveryToken)
if err := s.cache.SetWithExpiry(ctx, tokenKey, email, 15*time.Minute); err != nil {
s.logger.Error("Failed to store recovery token", zap.Error(err))
return nil, fmt.Errorf("failed to complete recovery verification")
}
// Register compensation: delete recovery token if challenge deletion fails
tokenKeyCaptured := tokenKey
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting recovery token",
zap.String("token_key", tokenKeyCaptured))
return s.cache.Delete(ctx, tokenKeyCaptured)
})
// Step 7: Clear recovery challenge (one-time use) (compensate: restore challenge)
challengeKeyCaptured := challengeKey
originalChallengeCaptured := originalChallenge
if err := s.cache.Delete(ctx, challengeKey); err != nil {
s.logger.Error("Failed to delete recovery challenge",
zap.String("challenge_key", challengeKey),
zap.Error(err))
// Trigger compensation: Delete recovery token
saga.Rollback(ctx)
return nil, fmt.Errorf("failed to delete recovery challenge: %w", err)
}
// Register compensation: restore challenge with reduced TTL (15 minutes for retry)
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: restoring recovery challenge",
zap.String("challenge_key", challengeKeyCaptured))
// Restore with same TTL (15 minutes) to allow user retry
return s.cache.SetWithExpiry(ctx, challengeKeyCaptured, originalChallengeCaptured, 15*time.Minute)
})
s.logger.Info("Recovery verification successful",
zap.String("session_id", req.SessionID),
zap.String("email", validation.MaskEmail(string(email))),
zap.String("recovery_token", recoveryToken[:16]+"...")) // Log prefix for security
return &RecoveryVerifyResponseDTO{
Message: "Recovery challenge verified successfully. You can now reset your credentials.",
RecoveryToken: recoveryToken,
CanResetCredentials: true,
MasterKeyEncryptedWithRecoveryKey: masterKeyEncryptedWithRecoveryKeyBase64,
}, nil
}

177
cloud/maplefile-backend/internal/service/auth/refresh_token.go Normal file
View file

@ -0,0 +1,177 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/refresh_token.go
package auth
import (
"context"
"fmt"
"time"
"github.com/gocql/gocql"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/hash"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
)
type RefreshTokenRequestDTO struct {
RefreshToken string `json:"value"`
}
type RefreshTokenResponseDTO struct {
Message string `json:"message"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
AccessTokenExpiryDate string `json:"access_token_expiry_date"`
RefreshTokenExpiryDate string `json:"refresh_token_expiry_date"`
Username string `json:"username"`
}
type RefreshTokenService interface {
Execute(ctx context.Context, req *RefreshTokenRequestDTO) (*RefreshTokenResponseDTO, error)
}
type refreshTokenServiceImpl struct {
config *config.Config
logger *zap.Logger
auditLogger auditlog.AuditLogger
cache cassandracache.CassandraCacher
jwtProvider jwt.JWTProvider
userGetByIDUC uc_user.UserGetByIDUseCase
}
func NewRefreshTokenService(
config *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
cache cassandracache.CassandraCacher,
jwtProvider jwt.JWTProvider,
userGetByIDUC uc_user.UserGetByIDUseCase,
) RefreshTokenService {
return &refreshTokenServiceImpl{
config: config,
logger: logger.Named("RefreshTokenService"),
auditLogger: auditLogger,
cache: cache,
jwtProvider: jwtProvider,
userGetByIDUC: userGetByIDUC,
}
}
func (s *refreshTokenServiceImpl) Execute(ctx context.Context, req *RefreshTokenRequestDTO) (*RefreshTokenResponseDTO, error) {
// Create SAGA for token refresh workflow
saga := transaction.NewSaga("refresh-token", s.logger)
s.logger.Info("starting token refresh")
// Step 1: Validate refresh token JWT
userID, err := s.jwtProvider.ProcessJWTToken(req.RefreshToken)
if err != nil {
s.logger.Warn("Invalid refresh token JWT", zap.Error(err))
return nil, fmt.Errorf("invalid refresh token")
}
// Step 2: Check if refresh token exists in cache
// SECURITY: Hash refresh token to match how it was stored (prevents token leakage via cache keys)
refreshTokenHash := hash.HashToken(req.RefreshToken)
refreshKey := fmt.Sprintf("refresh:%s", refreshTokenHash)
cachedUserID, err := s.cache.Get(ctx, refreshKey)
if err != nil || cachedUserID == nil {
s.logger.Warn("Refresh token not found in cache", zap.String("user_id", userID))
return nil, fmt.Errorf("refresh token not found or expired")
}
// Step 3: Verify user IDs match
if string(cachedUserID) != userID {
s.logger.Warn("User ID mismatch", zap.String("jwt_user_id", userID), zap.String("cached_user_id", string(cachedUserID)))
return nil, fmt.Errorf("invalid refresh token")
}
// Step 4: Generate new token pair (token rotation for security)
newAccessToken, accessExpiry, newRefreshToken, refreshExpiry, err := s.jwtProvider.GenerateJWTTokenPair(
userID,
s.config.JWT.AccessTokenDuration,
s.config.JWT.RefreshTokenDuration,
)
if err != nil {
s.logger.Error("Failed to generate new tokens", zap.Error(err))
return nil, fmt.Errorf("failed to generate new tokens")
}
// Step 5: Store NEW refresh token FIRST (compensate: delete new token)
// CRITICAL: Store new token before deleting old token to prevent lockout
// SECURITY: Hash new refresh token to prevent token leakage via cache key inspection
newRefreshTokenHash := hash.HashToken(newRefreshToken)
newRefreshKey := fmt.Sprintf("refresh:%s", newRefreshTokenHash)
if err := s.cache.SetWithExpiry(ctx, newRefreshKey, []byte(userID), s.config.JWT.RefreshTokenDuration); err != nil {
s.logger.Error("Failed to store new refresh token", zap.Error(err))
return nil, fmt.Errorf("failed to store new refresh token")
}
// Register compensation: if deletion of old token fails, delete new token
newRefreshKeyCaptured := newRefreshKey
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting new refresh token",
zap.String("new_refresh_key", newRefreshKeyCaptured))
return s.cache.Delete(ctx, newRefreshKeyCaptured)
})
// Step 6: Delete old refresh token from cache (compensate: restore old token)
oldRefreshKeyCaptured := refreshKey
oldUserIDCaptured := userID
if err := s.cache.Delete(ctx, refreshKey); err != nil {
s.logger.Error("Failed to delete old refresh token",
zap.String("refresh_key", refreshKey),
zap.Error(err))
// Trigger compensation: Delete new token (restore consistency)
saga.Rollback(ctx)
return nil, fmt.Errorf("failed to delete old refresh token: %w", err)
}
// Register compensation: restore old token with reduced TTL (1 hour grace period)
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: restoring old refresh token",
zap.String("old_refresh_key", oldRefreshKeyCaptured))
// Restore with reduced TTL (1 hour) to allow user retry without long-lived old token
return s.cache.SetWithExpiry(ctx, oldRefreshKeyCaptured, []byte(oldUserIDCaptured), 1*time.Hour)
})
// Step 7: Get user to retrieve username/email (read-only, no compensation needed)
userUUID, err := gocql.ParseUUID(userID)
if err != nil {
s.logger.Error("Invalid user ID", zap.Error(err))
// No rollback needed for UUID parsing error (tokens already rotated successfully)
return nil, fmt.Errorf("invalid user ID")
}
user, err := s.userGetByIDUC.Execute(ctx, userUUID)
if err != nil || user == nil {
s.logger.Error("User not found", zap.String("user_id", userID), zap.Error(err))
// No rollback needed for user lookup error (tokens already rotated successfully)
return nil, fmt.Errorf("user not found")
}
s.logger.Info("Token refreshed successfully",
zap.String("user_id", userID),
zap.String("new_refresh_token", newRefreshToken[:16]+"...")) // Log prefix only for security
// Audit log token refresh
s.auditLogger.LogAuth(ctx, auditlog.EventTypeTokenRefresh, auditlog.OutcomeSuccess,
"", "", map[string]string{
"user_id": userID,
})
return &RefreshTokenResponseDTO{
Message: "Token refreshed successfully",
AccessToken: newAccessToken,
RefreshToken: newRefreshToken,
AccessTokenExpiryDate: accessExpiry.Format(time.RFC3339),
RefreshTokenExpiryDate: refreshExpiry.Format(time.RFC3339),
Username: user.Email,
}, nil
}

390
cloud/maplefile-backend/internal/service/auth/register.go Normal file
View file

@ -0,0 +1,390 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/register.go
package auth
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"fmt"
"html"
"net/mail"
"strings"
"time"
"github.com/awnumar/memguard"
"github.com/gocql/gocql"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/crypto"
dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type RegisterRequestDTO struct {
BetaAccessCode string `json:"beta_access_code"`
Email string `json:"email"`
FirstName string `json:"first_name"`
LastName string `json:"last_name"`
Phone string `json:"phone"`
Country string `json:"country"`
Timezone string `json:"timezone"`
PasswordSalt string `json:"salt"`
KDFAlgorithm string `json:"kdf_algorithm"`
KDFIterations int `json:"kdf_iterations"`
KDFMemory int `json:"kdf_memory"`
KDFParallelism int `json:"kdf_parallelism"`
KDFSaltLength int `json:"kdf_salt_length"`
KDFKeyLength int `json:"kdf_key_length"`
EncryptedMasterKey string `json:"encryptedMasterKey"`
PublicKey string `json:"publicKey"`
EncryptedPrivateKey string `json:"encryptedPrivateKey"`
EncryptedRecoveryKey string `json:"encryptedRecoveryKey"`
MasterKeyEncryptedWithRecoveryKey string `json:"masterKeyEncryptedWithRecoveryKey"`
AgreeTermsOfService bool `json:"agree_terms_of_service"`
AgreePromotions bool `json:"agree_promotions"`
AgreeToTrackingAcrossThirdPartyAppsAndServices bool `json:"agree_to_tracking_across_third_party_apps_and_services"`
}
type RegisterResponseDTO struct {
Message string `json:"message"`
UserID string `json:"user_id"`
}
type RegisterService interface {
Execute(ctx context.Context, req *RegisterRequestDTO) (*RegisterResponseDTO, error)
}
type registerServiceImpl struct {
config *config.Config
logger *zap.Logger
auditLogger auditlog.AuditLogger
userCreateUC uc_user.UserCreateUseCase
userGetByEmailUC uc_user.UserGetByEmailUseCase
userDeleteByIDUC uc_user.UserDeleteByIDUseCase
emailer mailgun.Emailer
}
func NewRegisterService(
config *config.Config,
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userCreateUC uc_user.UserCreateUseCase,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userDeleteByIDUC uc_user.UserDeleteByIDUseCase,
emailer mailgun.Emailer,
) RegisterService {
return &registerServiceImpl{
config: config,
logger: logger.Named("RegisterService"),
auditLogger: auditLogger,
userCreateUC: userCreateUC,
userGetByEmailUC: userGetByEmailUC,
userDeleteByIDUC: userDeleteByIDUC,
emailer: emailer,
}
}
func (s *registerServiceImpl) Execute(ctx context.Context, req *RegisterRequestDTO) (*RegisterResponseDTO, error) {
// Validate request first - backend is the single source of truth for validation
if err := s.validateRegisterRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Create SAGA for user registration workflow
saga := transaction.NewSaga("register", s.logger)
s.logger.Info("starting user registration")
// Step 1: Check if user already exists (read-only, no compensation)
existingUser, err := s.userGetByEmailUC.Execute(ctx, req.Email)
if err == nil && existingUser != nil {
s.logger.Warn("User already exists", zap.String("email", validation.MaskEmail(req.Email)))
return nil, httperror.NewConflictError("User with this email already exists")
}
// Step 2: Generate verification code
verificationCode := s.generateVerificationCode()
verificationExpiry := time.Now().Add(24 * time.Hour)
// Step 3: Parse E2EE keys from base64
passwordSalt, err := s.decodeBase64(req.PasswordSalt)
if err != nil {
return nil, fmt.Errorf("invalid password salt: %w", err)
}
encryptedMasterKey, err := s.decodeBase64(req.EncryptedMasterKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted master key: %w", err)
}
publicKey, err := s.decodeBase64(req.PublicKey)
if err != nil {
return nil, fmt.Errorf("invalid public key: %w", err)
}
encryptedPrivateKey, err := s.decodeBase64(req.EncryptedPrivateKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted private key: %w", err)
}
encryptedRecoveryKey, err := s.decodeBase64(req.EncryptedRecoveryKey)
if err != nil {
return nil, fmt.Errorf("invalid encrypted recovery key: %w", err)
}
masterKeyEncryptedWithRecoveryKey, err := s.decodeBase64(req.MasterKeyEncryptedWithRecoveryKey)
if err != nil {
return nil, fmt.Errorf("invalid master key encrypted with recovery key: %w", err)
}
// Step 4: Create user object
user := &dom_user.User{
ID: gocql.TimeUUID(),
Email: req.Email,
FirstName: req.FirstName,
LastName: req.LastName,
Name: req.FirstName + " " + req.LastName,
LexicalName: req.LastName + ", " + req.FirstName,
Role: dom_user.UserRoleIndividual,
Status: dom_user.UserStatusActive,
Timezone: req.Timezone,
ProfileData: &dom_user.UserProfileData{
Phone: req.Phone,
Country: req.Country,
Timezone: req.Timezone,
AgreeTermsOfService: req.AgreeTermsOfService,
AgreePromotions: req.AgreePromotions,
AgreeToTrackingAcrossThirdPartyAppsAndServices: req.AgreeToTrackingAcrossThirdPartyAppsAndServices,
},
SecurityData: &dom_user.UserSecurityData{
WasEmailVerified: false,
Code: verificationCode,
CodeType: dom_user.UserCodeTypeEmailVerification,
CodeExpiry: verificationExpiry,
PasswordSalt: passwordSalt,
KDFParams: crypto.KDFParams{
Algorithm: req.KDFAlgorithm, // Use the algorithm from the request (PBKDF2-SHA256 or argon2id)
Iterations: uint32(req.KDFIterations),
Memory: uint32(req.KDFMemory),
Parallelism: uint8(req.KDFParallelism),
SaltLength: uint32(req.KDFSaltLength),
KeyLength: uint32(req.KDFKeyLength),
},
EncryptedMasterKey: crypto.EncryptedMasterKey{
Nonce: encryptedMasterKey[:24],
Ciphertext: encryptedMasterKey[24:],
KeyVersion: 1,
},
PublicKey: crypto.PublicKey{
Key: publicKey,
},
EncryptedPrivateKey: crypto.EncryptedPrivateKey{
Nonce: encryptedPrivateKey[:24],
Ciphertext: encryptedPrivateKey[24:],
},
EncryptedRecoveryKey: crypto.EncryptedRecoveryKey{
Nonce: encryptedRecoveryKey[:24],
Ciphertext: encryptedRecoveryKey[24:],
},
MasterKeyEncryptedWithRecoveryKey: crypto.MasterKeyEncryptedWithRecoveryKey{
Nonce: masterKeyEncryptedWithRecoveryKey[:24],
Ciphertext: masterKeyEncryptedWithRecoveryKey[24:],
},
},
CreatedAt: time.Now(),
ModifiedAt: time.Now(),
}
// Step 5: Save user to database FIRST (compensate: delete user if email fails)
// CRITICAL: Create user before sending email to enable rollback if email fails
if err := s.userCreateUC.Execute(ctx, user); err != nil {
s.logger.Error("Failed to create user", zap.Error(err))
return nil, fmt.Errorf("failed to create user: %w", err)
}
// Register compensation: delete user if email sending fails
userIDCaptured := user.ID
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting user due to email failure",
zap.String("user_id", userIDCaptured.String()),
zap.String("email", validation.MaskEmail(req.Email)))
return s.userDeleteByIDUC.Execute(ctx, userIDCaptured)
})
// Step 6: Send verification email - MUST succeed or rollback
// NOTE: Default tags are NOT created server-side due to E2EE
// The client must create default tags after first login using the user's master key
if err := s.sendVerificationEmail(ctx, req.Email, req.FirstName, verificationCode); err != nil {
s.logger.Error("Failed to send verification email",
zap.String("email", validation.MaskEmail(req.Email)),
zap.Error(err))
// Trigger compensation: Delete user from database
saga.Rollback(ctx)
return nil, fmt.Errorf("failed to send verification email, please try again later")
}
s.logger.Info("User registered successfully",
zap.String("user_id", user.ID.String()),
zap.String("email", validation.MaskEmail(req.Email)))
// Audit log successful registration
s.auditLogger.LogAuth(ctx, auditlog.EventTypeAccountCreated, auditlog.OutcomeSuccess,
validation.MaskEmail(req.Email), "", map[string]string{
"user_id": user.ID.String(),
})
return &RegisterResponseDTO{
Message: "Registration successful. Please check your email to verify your account.",
UserID: user.ID.String(),
}, nil
}
func (s *registerServiceImpl) generateVerificationCode() string {
// Generate random 8-digit code for increased entropy
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
b := make([]byte, 4)
rand.Read(b)
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
code = (code % 90000000) + 10000000
return fmt.Sprintf("%d", code)
}
func (s *registerServiceImpl) decodeBase64(encoded string) ([]byte, error) {
// Try base64 first
decoded, err := base64.StdEncoding.DecodeString(encoded)
if err == nil {
return decoded, nil
}
// If base64 fails, try hex encoding (some clients send hex)
if hexDecoded, hexErr := hex.DecodeString(encoded); hexErr == nil {
return hexDecoded, nil
}
// Return original base64 error
return nil, err
}
func (s *registerServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
subject := "Verify Your MapleFile Account"
sender := s.emailer.GetSenderEmail()
// Escape user input to prevent HTML injection
safeFirstName := html.EscapeString(firstName)
htmlContent := fmt.Sprintf(`
<html>
<body>
<h2>Welcome to MapleFile, %s!</h2>
<p>Thank you for registering. Please verify your email address by entering this code:</p>
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
<p>This code will expire in 24 hours.</p>
<p>If you didn't create this account, please ignore this email.</p>
</body>
</html>
`, safeFirstName, code)
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
}
// validateRegisterRequest validates all registration fields.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *registerServiceImpl) validateRegisterRequest(req *RegisterRequestDTO) error {
errors := make(map[string]string)
// Validate beta access code
if strings.TrimSpace(req.BetaAccessCode) == "" {
errors["beta_access_code"] = "Beta access code is required"
}
// Validate first name
if strings.TrimSpace(req.FirstName) == "" {
errors["first_name"] = "First name is required"
} else if len(req.FirstName) > 100 {
errors["first_name"] = "First name must be less than 100 characters"
}
// Validate last name
if strings.TrimSpace(req.LastName) == "" {
errors["last_name"] = "Last name is required"
} else if len(req.LastName) > 100 {
errors["last_name"] = "Last name must be less than 100 characters"
}
// Validate email
email := strings.TrimSpace(req.Email)
if email == "" {
errors["email"] = "Email is required"
} else {
// Use Go's mail package for proper email validation
if _, err := mail.ParseAddress(email); err != nil {
errors["email"] = "Please enter a valid email address"
}
}
// Validate phone
if strings.TrimSpace(req.Phone) == "" {
errors["phone"] = "Phone number is required"
}
// Validate timezone
if strings.TrimSpace(req.Timezone) == "" {
errors["timezone"] = "Timezone is required"
}
// Validate encryption data - these are critical for E2EE
// Use user-friendly error messages instead of technical field names
if strings.TrimSpace(req.PasswordSalt) == "" {
errors["password"] = "Master password is required for encryption setup"
}
if strings.TrimSpace(req.EncryptedMasterKey) == "" {
errors["password"] = "Master password is required for encryption setup"
}
if strings.TrimSpace(req.PublicKey) == "" {
errors["password"] = "Master password is required for encryption setup"
}
if strings.TrimSpace(req.EncryptedPrivateKey) == "" {
errors["password"] = "Master password is required for encryption setup"
}
if strings.TrimSpace(req.EncryptedRecoveryKey) == "" {
errors["password"] = "Master password is required for encryption setup"
}
if strings.TrimSpace(req.MasterKeyEncryptedWithRecoveryKey) == "" {
errors["password"] = "Master password is required for encryption setup"
}
// Validate KDF parameters - use user-friendly message
if req.KDFAlgorithm == "" {
errors["password"] = "Master password is required for encryption setup"
}
if req.KDFIterations <= 0 {
errors["password"] = "Master password is required for encryption setup"
}
// Validate terms agreement
if !req.AgreeTermsOfService {
errors["agree_terms_of_service"] = "You must agree to the terms of service to register"
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}

184
cloud/maplefile-backend/internal/service/auth/request_ott.go Normal file
View file

@ -0,0 +1,184 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/request_ott.go
package auth
import (
"context"
"crypto/rand"
"fmt"
"html"
"strings"
"time"
"github.com/awnumar/memguard"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type RequestOTTRequestDTO struct {
Email string `json:"email"`
}
type RequestOTTResponseDTO struct {
Message string `json:"message"`
Success bool `json:"success"`
}
type RequestOTTService interface {
Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error)
}
type requestOTTServiceImpl struct {
config *config.Config
logger *zap.Logger
userGetByEmailUC uc_user.UserGetByEmailUseCase
cache cassandracache.CassandraCacher
emailer mailgun.Emailer
}
func NewRequestOTTService(
config *config.Config,
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
emailer mailgun.Emailer,
) RequestOTTService {
return &requestOTTServiceImpl{
config: config,
logger: logger.Named("RequestOTTService"),
userGetByEmailUC: userGetByEmailUC,
cache: cache,
emailer: emailer,
}
}
func (s *requestOTTServiceImpl) Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error) {
// Validate request
if err := s.validateRequestOTTRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Create SAGA for OTT request workflow
saga := transaction.NewSaga("request-ott", s.logger)
s.logger.Info("starting OTT request")
// Step 1: Normalize email
email := strings.ToLower(strings.TrimSpace(req.Email))
// Step 2: Check if user exists and is verified (read-only, no compensation)
user, err := s.userGetByEmailUC.Execute(ctx, email)
if err != nil || user == nil {
s.logger.Warn("User not found", zap.String("email", validation.MaskEmail(email)))
// For security, don't reveal if user exists
return &RequestOTTResponseDTO{
Message: "If an account exists with this email, you will receive an OTT code shortly.",
Success: true,
}, nil
}
// Step 3: Check if email is verified
if user.SecurityData == nil || !user.SecurityData.WasEmailVerified {
s.logger.Warn("User email not verified", zap.String("email", validation.MaskEmail(email)))
return nil, httperror.NewBadRequestError("Email address not verified. Please verify your email before logging in.")
}
// Step 4: Generate 8-digit OTT code
ottCode := s.generateOTTCode()
ottCodeBytes := []byte(ottCode)
defer memguard.WipeBytes(ottCodeBytes) // SECURITY: Wipe OTT code from memory after use
// Step 5: Store OTT in cache FIRST (compensate: delete OTT if email fails)
// CRITICAL: Store OTT before sending email to enable rollback if email fails
cacheKey := fmt.Sprintf("ott:%s", email)
if err := s.cache.SetWithExpiry(ctx, cacheKey, []byte(ottCode), 10*time.Minute); err != nil {
s.logger.Error("Failed to store OTT in cache", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to generate login code. Please try again later.")
}
// Register compensation: delete OTT if email sending fails
cacheKeyCaptured := cacheKey
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting OTT due to email failure",
zap.String("cache_key", cacheKeyCaptured))
return s.cache.Delete(ctx, cacheKeyCaptured)
})
// Step 6: Send OTT email - MUST succeed or rollback
if err := s.sendOTTEmail(ctx, email, user.FirstName, ottCode); err != nil {
s.logger.Error("Failed to send OTT email",
zap.String("email", validation.MaskEmail(email)),
zap.Error(err))
// Trigger compensation: Delete OTT from cache
saga.Rollback(ctx)
return nil, httperror.NewInternalServerError("Failed to send login code email. Please try again later.")
}
s.logger.Info("OTT generated and sent successfully",
zap.String("email", validation.MaskEmail(email)),
zap.String("cache_key", cacheKey[:16]+"...")) // Log prefix for security
return &RequestOTTResponseDTO{
Message: "OTT code sent to your email. Please check your inbox.",
Success: true,
}, nil
}
func (s *requestOTTServiceImpl) generateOTTCode() string {
// Generate random 8-digit code for increased entropy
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
b := make([]byte, 4)
rand.Read(b)
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
code = (code % 90000000) + 10000000
return fmt.Sprintf("%d", code)
}
func (s *requestOTTServiceImpl) sendOTTEmail(ctx context.Context, email, firstName, code string) error {
subject := "Your MapleFile Login Code"
sender := s.emailer.GetSenderEmail()
// Escape user input to prevent HTML injection
safeFirstName := html.EscapeString(firstName)
htmlContent := fmt.Sprintf(`
<html>
<body>
<h2>Hello %s,</h2>
<p>Here is your one-time login code for MapleFile:</p>
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
<p>This code will expire in 10 minutes.</p>
<p>If you didn't request this code, please ignore this email.</p>
</body>
</html>
`, safeFirstName, code)
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
}
// validateRequestOTTRequest validates the request OTT request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *requestOTTServiceImpl) validateRequestOTTRequest(req *RequestOTTRequestDTO) error {
errors := make(map[string]string)
// Validate email using shared validation utility
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
errors["email"] = errMsg
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}

199
cloud/maplefile-backend/internal/service/auth/resend_verification.go Normal file
View file

@ -0,0 +1,199 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/resend_verification.go
package auth
import (
"context"
"crypto/rand"
"fmt"
"html"
"time"
"github.com/awnumar/memguard"
"go.uber.org/zap"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type ResendVerificationRequestDTO struct {
Email string `json:"email"`
}
type ResendVerificationResponseDTO struct {
Message string `json:"message"`
}
type ResendVerificationService interface {
Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error)
}
type resendVerificationServiceImpl struct {
config *config.Config
logger *zap.Logger
userGetByEmailUC uc_user.UserGetByEmailUseCase
userUpdateUC uc_user.UserUpdateUseCase
emailer mailgun.Emailer
}
func NewResendVerificationService(
config *config.Config,
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
emailer mailgun.Emailer,
) ResendVerificationService {
return &resendVerificationServiceImpl{
config: config,
logger: logger.Named("ResendVerificationService"),
userGetByEmailUC: userGetByEmailUC,
userUpdateUC: userUpdateUC,
emailer: emailer,
}
}
func (s *resendVerificationServiceImpl) Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error) {
// Validate request
if err := s.validateResendVerificationRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Create SAGA for resend verification workflow
saga := transaction.NewSaga("resend-verification", s.logger)
s.logger.Info("starting resend verification")
// Step 1: Get user by email (read-only, no compensation)
user, err := s.userGetByEmailUC.Execute(ctx, req.Email)
if err != nil || user == nil {
s.logger.Warn("User not found for resend verification", zap.String("email", validation.MaskEmail(req.Email)))
// Don't reveal if user exists or not for security
return &ResendVerificationResponseDTO{
Message: "If the email exists and is unverified, a new verification code has been sent.",
}, nil
}
// Step 2: Check if email is already verified
if user.SecurityData != nil && user.SecurityData.WasEmailVerified {
s.logger.Info("Email already verified", zap.String("email", validation.MaskEmail(req.Email)))
// Don't reveal that email is already verified for security
return &ResendVerificationResponseDTO{
Message: "If the email exists and is unverified, a new verification code has been sent.",
}, nil
}
// Step 3: Backup old verification data for compensation
var oldCode string
var oldCodeExpiry time.Time
if user.SecurityData != nil {
oldCode = user.SecurityData.Code
oldCodeExpiry = user.SecurityData.CodeExpiry
}
// Step 4: Generate new verification code
verificationCode := s.generateVerificationCode()
verificationExpiry := time.Now().Add(24 * time.Hour)
// Step 5: Update user with new code
if user.SecurityData == nil {
user.SecurityData = &dom_user.UserSecurityData{}
}
user.SecurityData.Code = verificationCode
user.SecurityData.CodeType = dom_user.UserCodeTypeEmailVerification
user.SecurityData.CodeExpiry = verificationExpiry
user.ModifiedAt = time.Now()
// Step 6: Save updated user FIRST (compensate: restore old code if email fails)
// CRITICAL: Save new code before sending email to enable rollback if email fails
if err := s.userUpdateUC.Execute(ctx, user); err != nil {
s.logger.Error("Failed to update user with new verification code", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to update verification code. Please try again later.")
}
// Register compensation: restore old verification code if email fails
userCaptured := user
oldCodeCaptured := oldCode
oldCodeExpiryCaptured := oldCodeExpiry
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: restoring old verification code due to email failure",
zap.String("email", validation.MaskEmail(userCaptured.Email)))
userCaptured.SecurityData.Code = oldCodeCaptured
userCaptured.SecurityData.CodeExpiry = oldCodeExpiryCaptured
userCaptured.ModifiedAt = time.Now()
return s.userUpdateUC.Execute(ctx, userCaptured)
})
// Step 7: Send verification email - MUST succeed or rollback
if err := s.sendVerificationEmail(ctx, user.Email, user.FirstName, verificationCode); err != nil {
s.logger.Error("Failed to send verification email",
zap.String("email", validation.MaskEmail(user.Email)),
zap.Error(err))
// Trigger compensation: Restore old verification code
saga.Rollback(ctx)
return nil, httperror.NewInternalServerError("Failed to send verification email. Please try again later.")
}
s.logger.Info("Verification code resent successfully",
zap.String("email", validation.MaskEmail(req.Email)),
zap.String("user_id", user.ID.String()))
return &ResendVerificationResponseDTO{
Message: "If the email exists and is unverified, a new verification code has been sent.",
}, nil
}
func (s *resendVerificationServiceImpl) generateVerificationCode() string {
// Generate random 8-digit code for increased entropy
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
b := make([]byte, 4)
rand.Read(b)
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
code = (code % 90000000) + 10000000
return fmt.Sprintf("%d", code)
}
func (s *resendVerificationServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
subject := "Verify Your MapleFile Account"
sender := s.emailer.GetSenderEmail()
// Escape user input to prevent HTML injection
safeFirstName := html.EscapeString(firstName)
htmlContent := fmt.Sprintf(`
<html>
<body>
<h2>Welcome to MapleFile, %s!</h2>
<p>You requested a new verification code. Please verify your email address by entering this code:</p>
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
<p>This code will expire in 24 hours.</p>
<p>If you didn't request this code, please ignore this email.</p>
</body>
</html>
`, safeFirstName, code)
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
}
// validateResendVerificationRequest validates the resend verification request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *resendVerificationServiceImpl) validateResendVerificationRequest(req *ResendVerificationRequestDTO) error {
errors := make(map[string]string)
// Validate email using shared validation utility
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
errors["email"] = errMsg
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}

127
cloud/maplefile-backend/internal/service/auth/verify_email.go Normal file
View file

@ -0,0 +1,127 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/verify_email.go
package auth
import (
"context"
"fmt"
"strings"
"time"
"go.uber.org/zap"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type VerifyEmailRequestDTO struct {
Code string `json:"code"`
}
type VerifyEmailResponseDTO struct {
Message string `json:"message"`
Success bool `json:"success"`
UserRole int8 `json:"user_role"`
}
type VerifyEmailService interface {
Execute(ctx context.Context, req *VerifyEmailRequestDTO) (*VerifyEmailResponseDTO, error)
}
type verifyEmailServiceImpl struct {
logger *zap.Logger
auditLogger auditlog.AuditLogger
userGetByVerificationCodeUC uc_user.UserGetByVerificationCodeUseCase
userUpdateUC uc_user.UserUpdateUseCase
}
func NewVerifyEmailService(
logger *zap.Logger,
auditLogger auditlog.AuditLogger,
userGetByVerificationCodeUC uc_user.UserGetByVerificationCodeUseCase,
userUpdateUC uc_user.UserUpdateUseCase,
) VerifyEmailService {
return &verifyEmailServiceImpl{
logger: logger.Named("VerifyEmailService"),
auditLogger: auditLogger,
userGetByVerificationCodeUC: userGetByVerificationCodeUC,
userUpdateUC: userUpdateUC,
}
}
func (s *verifyEmailServiceImpl) Execute(ctx context.Context, req *VerifyEmailRequestDTO) (*VerifyEmailResponseDTO, error) {
// Validate request
if err := s.validateVerifyEmailRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Get user by verification code
user, err := s.userGetByVerificationCodeUC.Execute(ctx, req.Code)
if err != nil || user == nil {
s.logger.Warn("Invalid verification code attempted")
return nil, httperror.NewNotFoundError("Verification code not found or has already been used")
}
// Check if code has expired
if time.Now().After(user.SecurityData.CodeExpiry) {
s.logger.Warn("Verification code expired",
zap.String("user_id", user.ID.String()),
zap.Time("expiry", user.SecurityData.CodeExpiry))
return nil, httperror.NewBadRequestError("Verification code has expired. Please request a new verification email.")
}
// Update user to mark as verified
user.SecurityData.WasEmailVerified = true
user.SecurityData.Code = ""
user.SecurityData.CodeExpiry = time.Time{}
user.ModifiedAt = time.Now()
if err := s.userUpdateUC.Execute(ctx, user); err != nil {
s.logger.Error("Failed to update user", zap.Error(err))
return nil, httperror.NewInternalServerError(fmt.Sprintf("Failed to verify email: %v", err))
}
s.logger.Info("Email verified successfully", zap.String("user_id", user.ID.String()))
// Audit log email verification
s.auditLogger.LogAuth(ctx, auditlog.EventTypeEmailVerified, auditlog.OutcomeSuccess,
validation.MaskEmail(user.Email), "", map[string]string{
"user_id": user.ID.String(),
})
return &VerifyEmailResponseDTO{
Message: "Email verified successfully. You can now log in.",
Success: true,
UserRole: user.Role,
}, nil
}
// validateVerifyEmailRequest validates the verify email request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *verifyEmailServiceImpl) validateVerifyEmailRequest(req *VerifyEmailRequestDTO) error {
errors := make(map[string]string)
// Validate verification code
code := strings.TrimSpace(req.Code)
if code == "" {
errors["code"] = "Verification code is required"
} else if len(code) != 8 {
errors["code"] = "Verification code must be 8 digits"
} else {
// Validate that code is numeric
for _, c := range code {
if c < '0' || c > '9' {
errors["code"] = "Verification code must contain only numbers"
break
}
}
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}

221
cloud/maplefile-backend/internal/service/auth/verify_ott.go Normal file
View file

@ -0,0 +1,221 @@
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/verify_ott.go
package auth
import (
"context"
"crypto/rand"
"crypto/subtle"
"encoding/base64"
"fmt"
"strings"
"time"
"github.com/awnumar/memguard"
"github.com/gocql/gocql"
"go.uber.org/zap"
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/crypto"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
)
type VerifyOTTRequestDTO struct {
Email string `json:"email"`
OTT string `json:"ott"`
}
type VerifyOTTResponseDTO struct {
Message string `json:"message"`
ChallengeID string `json:"challengeId"`
EncryptedChallenge string `json:"encryptedChallenge"`
Salt string `json:"salt"`
EncryptedMasterKey string `json:"encryptedMasterKey"`
EncryptedPrivateKey string `json:"encryptedPrivateKey"`
PublicKey string `json:"publicKey"`
// KDFAlgorithm specifies which key derivation algorithm to use.
// Values: "PBKDF2-SHA256" (web frontend) or "argon2id" (native app legacy)
KDFAlgorithm string `json:"kdfAlgorithm"`
}
type VerifyOTTService interface {
Execute(ctx context.Context, req *VerifyOTTRequestDTO) (*VerifyOTTResponseDTO, error)
}
type verifyOTTServiceImpl struct {
logger *zap.Logger
userGetByEmailUC uc_user.UserGetByEmailUseCase
cache cassandracache.CassandraCacher
}
func NewVerifyOTTService(
logger *zap.Logger,
userGetByEmailUC uc_user.UserGetByEmailUseCase,
cache cassandracache.CassandraCacher,
) VerifyOTTService {
return &verifyOTTServiceImpl{
logger: logger.Named("VerifyOTTService"),
userGetByEmailUC: userGetByEmailUC,
cache: cache,
}
}
func (s *verifyOTTServiceImpl) Execute(ctx context.Context, req *VerifyOTTRequestDTO) (*VerifyOTTResponseDTO, error) {
// Validate request
if err := s.validateVerifyOTTRequest(req); err != nil {
return nil, err // Returns RFC 9457 ProblemDetail
}
// Create SAGA for OTT verification workflow
saga := transaction.NewSaga("verify-ott", s.logger)
s.logger.Info("starting OTT verification")
// Step 1: Normalize email
email := strings.ToLower(strings.TrimSpace(req.Email))
// Step 2: Get OTT from cache
cacheKey := fmt.Sprintf("ott:%s", email)
cachedOTT, err := s.cache.Get(ctx, cacheKey)
if err != nil || cachedOTT == nil {
s.logger.Warn("OTT not found in cache", zap.String("email", validation.MaskEmail(email)))
return nil, httperror.NewUnauthorizedError("Invalid or expired verification code. Please request a new code.")
}
defer memguard.WipeBytes(cachedOTT) // SECURITY: Wipe OTT from memory after use
// Step 3: Verify OTT matches using constant-time comparison
// CWE-208: Prevents timing attacks by ensuring comparison takes same time regardless of match
if subtle.ConstantTimeCompare(cachedOTT, []byte(req.OTT)) != 1 {
s.logger.Warn("OTT mismatch", zap.String("email", validation.MaskEmail(email)))
return nil, httperror.NewUnauthorizedError("Incorrect verification code. Please check the code and try again.")
}
// Step 4: Get user to retrieve encrypted keys (read-only, no compensation)
user, err := s.userGetByEmailUC.Execute(ctx, email)
if err != nil || user == nil {
s.logger.Error("User not found after OTT verification", zap.String("email", validation.MaskEmail(email)), zap.Error(err))
return nil, httperror.NewUnauthorizedError("User account not found. Please contact support.")
}
// Step 5: Generate random challenge (32 bytes)
challenge := make([]byte, 32)
if _, err := rand.Read(challenge); err != nil {
s.logger.Error("Failed to generate challenge", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to generate security challenge. Please try again.")
}
defer memguard.WipeBytes(challenge) // SECURITY: Wipe challenge from memory after use
// Step 6: Generate challenge ID
challengeID := gocql.TimeUUID().String()
// Step 7: Store challenge in cache FIRST (compensate: delete challenge)
// CRITICAL: Store challenge before deleting OTT to prevent lockout
challengeKey := fmt.Sprintf("challenge:%s", challengeID)
if err := s.cache.SetWithExpiry(ctx, challengeKey, challenge, 5*time.Minute); err != nil {
s.logger.Error("Failed to store challenge", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to store security challenge. Please try again.")
}
// Register compensation: delete challenge if OTT deletion fails
challengeKeyCaptured := challengeKey
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: deleting challenge",
zap.String("challenge_key", challengeKeyCaptured))
return s.cache.Delete(ctx, challengeKeyCaptured)
})
// Step 8: Delete OTT from cache (one-time use) (compensate: restore OTT)
cacheKeyCaptured := cacheKey
cachedOTTCaptured := cachedOTT
if err := s.cache.Delete(ctx, cacheKey); err != nil {
s.logger.Error("Failed to delete OTT",
zap.String("cache_key", cacheKey),
zap.Error(err))
// Trigger compensation: Delete challenge
saga.Rollback(ctx)
return nil, httperror.NewInternalServerError("Verification failed. Please try again.")
}
// Register compensation: restore OTT with reduced TTL (5 minutes for retry)
saga.AddCompensation(func(ctx context.Context) error {
s.logger.Info("compensating: restoring OTT",
zap.String("cache_key", cacheKeyCaptured))
// Restore with reduced TTL (5 minutes) to allow user retry
return s.cache.SetWithExpiry(ctx, cacheKeyCaptured, cachedOTTCaptured, 5*time.Minute)
})
// Encrypt the challenge with the user's public key using NaCl sealed box
encryptedChallengeBytes, err := crypto.EncryptWithPublicKey(challenge, user.SecurityData.PublicKey.Key)
if err != nil {
s.logger.Error("Failed to encrypt challenge", zap.Error(err))
return nil, httperror.NewInternalServerError("Failed to encrypt security challenge. Please try again.")
}
defer memguard.WipeBytes(encryptedChallengeBytes) // SECURITY: Wipe encrypted challenge after encoding
encryptedChallenge := base64.StdEncoding.EncodeToString(encryptedChallengeBytes)
s.logger.Info("OTT verified successfully",
zap.String("email", validation.MaskEmail(email)),
zap.String("challenge_id", challengeID),
zap.String("challenge_key", challengeKey[:16]+"...")) // Log prefix for security
// Prepare user's encrypted keys for frontend
salt := base64.StdEncoding.EncodeToString(user.SecurityData.PasswordSalt)
encryptedMasterKey := base64.StdEncoding.EncodeToString(append(user.SecurityData.EncryptedMasterKey.Nonce, user.SecurityData.EncryptedMasterKey.Ciphertext...))
encryptedPrivateKey := base64.StdEncoding.EncodeToString(append(user.SecurityData.EncryptedPrivateKey.Nonce, user.SecurityData.EncryptedPrivateKey.Ciphertext...))
publicKey := base64.StdEncoding.EncodeToString(user.SecurityData.PublicKey.Key)
// Get KDF algorithm from user's security data
kdfAlgorithm := user.SecurityData.KDFParams.Algorithm
if kdfAlgorithm == "" {
// Default to argon2id for backward compatibility with old accounts
kdfAlgorithm = "argon2id"
}
return &VerifyOTTResponseDTO{
Message: "OTT verified. Please decrypt the challenge with your master key.",
ChallengeID: challengeID,
EncryptedChallenge: encryptedChallenge,
Salt: salt,
EncryptedMasterKey: encryptedMasterKey,
EncryptedPrivateKey: encryptedPrivateKey,
PublicKey: publicKey,
KDFAlgorithm: kdfAlgorithm,
}, nil
}
// validateVerifyOTTRequest validates the verify OTT request.
// Returns RFC 9457 ProblemDetail error with field-specific errors.
func (s *verifyOTTServiceImpl) validateVerifyOTTRequest(req *VerifyOTTRequestDTO) error {
errors := make(map[string]string)
// Validate email using shared validation utility
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
errors["email"] = errMsg
}
// Validate OTT code
ott := strings.TrimSpace(req.OTT)
if ott == "" {
errors["ott"] = "Verification code is required"
} else if len(ott) != 8 {
errors["ott"] = "Verification code must be 8 digits"
} else {
// Check if all characters are digits
for _, c := range ott {
if c < '0' || c > '9' {
errors["ott"] = "Verification code must contain only numbers"
break
}
}
}
// If there are validation errors, return RFC 9457 error
if len(errors) > 0 {
return httperror.NewValidationError(errors)
}
return nil
}