Initial commit: Open sourcing all of the Maple Open Technologies code.
This commit is contained in:
commit
755d54a99d
2010 changed files with 448675 additions and 0 deletions
184
cloud/maplefile-backend/internal/service/auth/request_ott.go
Normal file
184
cloud/maplefile-backend/internal/service/auth/request_ott.go
Normal file
|
|
@ -0,0 +1,184 @@
|
|||
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/request_ott.go
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"html"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/awnumar/memguard"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
|
||||
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
|
||||
)
|
||||
|
||||
type RequestOTTRequestDTO struct {
|
||||
Email string `json:"email"`
|
||||
}
|
||||
|
||||
type RequestOTTResponseDTO struct {
|
||||
Message string `json:"message"`
|
||||
Success bool `json:"success"`
|
||||
}
|
||||
|
||||
type RequestOTTService interface {
|
||||
Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error)
|
||||
}
|
||||
|
||||
type requestOTTServiceImpl struct {
|
||||
config *config.Config
|
||||
logger *zap.Logger
|
||||
userGetByEmailUC uc_user.UserGetByEmailUseCase
|
||||
cache cassandracache.CassandraCacher
|
||||
emailer mailgun.Emailer
|
||||
}
|
||||
|
||||
func NewRequestOTTService(
|
||||
config *config.Config,
|
||||
logger *zap.Logger,
|
||||
userGetByEmailUC uc_user.UserGetByEmailUseCase,
|
||||
cache cassandracache.CassandraCacher,
|
||||
emailer mailgun.Emailer,
|
||||
) RequestOTTService {
|
||||
return &requestOTTServiceImpl{
|
||||
config: config,
|
||||
logger: logger.Named("RequestOTTService"),
|
||||
userGetByEmailUC: userGetByEmailUC,
|
||||
cache: cache,
|
||||
emailer: emailer,
|
||||
}
|
||||
}
|
||||
|
||||
func (s *requestOTTServiceImpl) Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error) {
|
||||
// Validate request
|
||||
if err := s.validateRequestOTTRequest(req); err != nil {
|
||||
return nil, err // Returns RFC 9457 ProblemDetail
|
||||
}
|
||||
|
||||
// Create SAGA for OTT request workflow
|
||||
saga := transaction.NewSaga("request-ott", s.logger)
|
||||
|
||||
s.logger.Info("starting OTT request")
|
||||
|
||||
// Step 1: Normalize email
|
||||
email := strings.ToLower(strings.TrimSpace(req.Email))
|
||||
|
||||
// Step 2: Check if user exists and is verified (read-only, no compensation)
|
||||
user, err := s.userGetByEmailUC.Execute(ctx, email)
|
||||
if err != nil || user == nil {
|
||||
s.logger.Warn("User not found", zap.String("email", validation.MaskEmail(email)))
|
||||
// For security, don't reveal if user exists
|
||||
return &RequestOTTResponseDTO{
|
||||
Message: "If an account exists with this email, you will receive an OTT code shortly.",
|
||||
Success: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Step 3: Check if email is verified
|
||||
if user.SecurityData == nil || !user.SecurityData.WasEmailVerified {
|
||||
s.logger.Warn("User email not verified", zap.String("email", validation.MaskEmail(email)))
|
||||
return nil, httperror.NewBadRequestError("Email address not verified. Please verify your email before logging in.")
|
||||
}
|
||||
|
||||
// Step 4: Generate 8-digit OTT code
|
||||
ottCode := s.generateOTTCode()
|
||||
ottCodeBytes := []byte(ottCode)
|
||||
defer memguard.WipeBytes(ottCodeBytes) // SECURITY: Wipe OTT code from memory after use
|
||||
|
||||
// Step 5: Store OTT in cache FIRST (compensate: delete OTT if email fails)
|
||||
// CRITICAL: Store OTT before sending email to enable rollback if email fails
|
||||
cacheKey := fmt.Sprintf("ott:%s", email)
|
||||
if err := s.cache.SetWithExpiry(ctx, cacheKey, []byte(ottCode), 10*time.Minute); err != nil {
|
||||
s.logger.Error("Failed to store OTT in cache", zap.Error(err))
|
||||
return nil, httperror.NewInternalServerError("Failed to generate login code. Please try again later.")
|
||||
}
|
||||
|
||||
// Register compensation: delete OTT if email sending fails
|
||||
cacheKeyCaptured := cacheKey
|
||||
saga.AddCompensation(func(ctx context.Context) error {
|
||||
s.logger.Info("compensating: deleting OTT due to email failure",
|
||||
zap.String("cache_key", cacheKeyCaptured))
|
||||
return s.cache.Delete(ctx, cacheKeyCaptured)
|
||||
})
|
||||
|
||||
// Step 6: Send OTT email - MUST succeed or rollback
|
||||
if err := s.sendOTTEmail(ctx, email, user.FirstName, ottCode); err != nil {
|
||||
s.logger.Error("Failed to send OTT email",
|
||||
zap.String("email", validation.MaskEmail(email)),
|
||||
zap.Error(err))
|
||||
|
||||
// Trigger compensation: Delete OTT from cache
|
||||
saga.Rollback(ctx)
|
||||
return nil, httperror.NewInternalServerError("Failed to send login code email. Please try again later.")
|
||||
}
|
||||
|
||||
s.logger.Info("OTT generated and sent successfully",
|
||||
zap.String("email", validation.MaskEmail(email)),
|
||||
zap.String("cache_key", cacheKey[:16]+"...")) // Log prefix for security
|
||||
|
||||
return &RequestOTTResponseDTO{
|
||||
Message: "OTT code sent to your email. Please check your inbox.",
|
||||
Success: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *requestOTTServiceImpl) generateOTTCode() string {
|
||||
// Generate random 8-digit code for increased entropy
|
||||
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
|
||||
b := make([]byte, 4)
|
||||
rand.Read(b)
|
||||
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
|
||||
|
||||
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
|
||||
code = (code % 90000000) + 10000000
|
||||
return fmt.Sprintf("%d", code)
|
||||
}
|
||||
|
||||
func (s *requestOTTServiceImpl) sendOTTEmail(ctx context.Context, email, firstName, code string) error {
|
||||
subject := "Your MapleFile Login Code"
|
||||
sender := s.emailer.GetSenderEmail()
|
||||
|
||||
// Escape user input to prevent HTML injection
|
||||
safeFirstName := html.EscapeString(firstName)
|
||||
|
||||
htmlContent := fmt.Sprintf(`
|
||||
<html>
|
||||
<body>
|
||||
<h2>Hello %s,</h2>
|
||||
<p>Here is your one-time login code for MapleFile:</p>
|
||||
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
|
||||
<p>This code will expire in 10 minutes.</p>
|
||||
<p>If you didn't request this code, please ignore this email.</p>
|
||||
</body>
|
||||
</html>
|
||||
`, safeFirstName, code)
|
||||
|
||||
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
|
||||
}
|
||||
|
||||
// validateRequestOTTRequest validates the request OTT request.
|
||||
// Returns RFC 9457 ProblemDetail error with field-specific errors.
|
||||
func (s *requestOTTServiceImpl) validateRequestOTTRequest(req *RequestOTTRequestDTO) error {
|
||||
errors := make(map[string]string)
|
||||
|
||||
// Validate email using shared validation utility
|
||||
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
|
||||
errors["email"] = errMsg
|
||||
}
|
||||
|
||||
// If there are validation errors, return RFC 9457 error
|
||||
if len(errors) > 0 {
|
||||
return httperror.NewValidationError(errors)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue