Initial commit: Open sourcing all of the Maple Open Technologies code.

2025-12-02 14:33:08 -05:00 · 2025-12-02 14:33:08 -05:00 · 755d54a99d
commit 755d54a99d
2010 changed files with 448675 additions and 0 deletions
--- a/cloud/maplefile-backend/internal/service/auth/resend_verification.go
+++ b/cloud/maplefile-backend/internal/service/auth/resend_verification.go
@ -0,0 +1,199 @@
+// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/resend_verification.go
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"html"
+	"time"
+
+	"github.com/awnumar/memguard"
+	"go.uber.org/zap"
+
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
+	dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
+	uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
+	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
+)
+
+type ResendVerificationRequestDTO struct {
+	Email string `json:"email"`
+}
+
+type ResendVerificationResponseDTO struct {
+	Message string `json:"message"`
+}
+
+type ResendVerificationService interface {
+	Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error)
+}
+
+type resendVerificationServiceImpl struct {
+	config           *config.Config
+	logger           *zap.Logger
+	userGetByEmailUC uc_user.UserGetByEmailUseCase
+	userUpdateUC     uc_user.UserUpdateUseCase
+	emailer          mailgun.Emailer
+}
+
+func NewResendVerificationService(
+	config *config.Config,
+	logger *zap.Logger,
+	userGetByEmailUC uc_user.UserGetByEmailUseCase,
+	userUpdateUC uc_user.UserUpdateUseCase,
+	emailer mailgun.Emailer,
+) ResendVerificationService {
+	return &resendVerificationServiceImpl{
+		config:           config,
+		logger:           logger.Named("ResendVerificationService"),
+		userGetByEmailUC: userGetByEmailUC,
+		userUpdateUC:     userUpdateUC,
+		emailer:          emailer,
+	}
+}
+
+func (s *resendVerificationServiceImpl) Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error) {
+	// Validate request
+	if err := s.validateResendVerificationRequest(req); err != nil {
+		return nil, err // Returns RFC 9457 ProblemDetail
+	}
+
+	// Create SAGA for resend verification workflow
+	saga := transaction.NewSaga("resend-verification", s.logger)
+
+	s.logger.Info("starting resend verification")
+
+	// Step 1: Get user by email (read-only, no compensation)
+	user, err := s.userGetByEmailUC.Execute(ctx, req.Email)
+	if err != nil || user == nil {
+		s.logger.Warn("User not found for resend verification", zap.String("email", validation.MaskEmail(req.Email)))
+		// Don't reveal if user exists or not for security
+		return &ResendVerificationResponseDTO{
+			Message: "If the email exists and is unverified, a new verification code has been sent.",
+		}, nil
+	}
+
+	// Step 2: Check if email is already verified
+	if user.SecurityData != nil && user.SecurityData.WasEmailVerified {
+		s.logger.Info("Email already verified", zap.String("email", validation.MaskEmail(req.Email)))
+		// Don't reveal that email is already verified for security
+		return &ResendVerificationResponseDTO{
+			Message: "If the email exists and is unverified, a new verification code has been sent.",
+		}, nil
+	}
+
+	// Step 3: Backup old verification data for compensation
+	var oldCode string
+	var oldCodeExpiry time.Time
+	if user.SecurityData != nil {
+		oldCode = user.SecurityData.Code
+		oldCodeExpiry = user.SecurityData.CodeExpiry
+	}
+
+	// Step 4: Generate new verification code
+	verificationCode := s.generateVerificationCode()
+	verificationExpiry := time.Now().Add(24 * time.Hour)
+
+	// Step 5: Update user with new code
+	if user.SecurityData == nil {
+		user.SecurityData = &dom_user.UserSecurityData{}
+	}
+	user.SecurityData.Code = verificationCode
+	user.SecurityData.CodeType = dom_user.UserCodeTypeEmailVerification
+	user.SecurityData.CodeExpiry = verificationExpiry
+	user.ModifiedAt = time.Now()
+
+	// Step 6: Save updated user FIRST (compensate: restore old code if email fails)
+	// CRITICAL: Save new code before sending email to enable rollback if email fails
+	if err := s.userUpdateUC.Execute(ctx, user); err != nil {
+		s.logger.Error("Failed to update user with new verification code", zap.Error(err))
+		return nil, httperror.NewInternalServerError("Failed to update verification code. Please try again later.")
+	}
+
+	// Register compensation: restore old verification code if email fails
+	userCaptured := user
+	oldCodeCaptured := oldCode
+	oldCodeExpiryCaptured := oldCodeExpiry
+	saga.AddCompensation(func(ctx context.Context) error {
+		s.logger.Info("compensating: restoring old verification code due to email failure",
+			zap.String("email", validation.MaskEmail(userCaptured.Email)))
+		userCaptured.SecurityData.Code = oldCodeCaptured
+		userCaptured.SecurityData.CodeExpiry = oldCodeExpiryCaptured
+		userCaptured.ModifiedAt = time.Now()
+		return s.userUpdateUC.Execute(ctx, userCaptured)
+	})
+
+	// Step 7: Send verification email - MUST succeed or rollback
+	if err := s.sendVerificationEmail(ctx, user.Email, user.FirstName, verificationCode); err != nil {
+		s.logger.Error("Failed to send verification email",
+			zap.String("email", validation.MaskEmail(user.Email)),
+			zap.Error(err))
+
+		// Trigger compensation: Restore old verification code
+		saga.Rollback(ctx)
+		return nil, httperror.NewInternalServerError("Failed to send verification email. Please try again later.")
+	}
+
+	s.logger.Info("Verification code resent successfully",
+		zap.String("email", validation.MaskEmail(req.Email)),
+		zap.String("user_id", user.ID.String()))
+
+	return &ResendVerificationResponseDTO{
+		Message: "If the email exists and is unverified, a new verification code has been sent.",
+	}, nil
+}
+
+func (s *resendVerificationServiceImpl) generateVerificationCode() string {
+	// Generate random 8-digit code for increased entropy
+	// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
+	b := make([]byte, 4)
+	rand.Read(b)
+	defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
+	code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
+	code = (code % 90000000) + 10000000
+	return fmt.Sprintf("%d", code)
+}
+
+func (s *resendVerificationServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
+	subject := "Verify Your MapleFile Account"
+	sender := s.emailer.GetSenderEmail()
+
+	// Escape user input to prevent HTML injection
+	safeFirstName := html.EscapeString(firstName)
+
+	htmlContent := fmt.Sprintf(`
+		<html>
+			<body>
+				<h2>Welcome to MapleFile, %s!</h2>
+				<p>You requested a new verification code. Please verify your email address by entering this code:</p>
+				<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
+				<p>This code will expire in 24 hours.</p>
+				<p>If you didn't request this code, please ignore this email.</p>
+			</body>
+		</html>
+	`, safeFirstName, code)
+
+	return s.emailer.Send(ctx, sender, subject, email, htmlContent)
+}
+
+// validateResendVerificationRequest validates the resend verification request.
+// Returns RFC 9457 ProblemDetail error with field-specific errors.
+func (s *resendVerificationServiceImpl) validateResendVerificationRequest(req *ResendVerificationRequestDTO) error {
+	errors := make(map[string]string)
+
+	// Validate email using shared validation utility
+	if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
+		errors["email"] = errMsg
+	}
+
+	// If there are validation errors, return RFC 9457 error
+	if len(errors) > 0 {
+		return httperror.NewValidationError(errors)
+	}
+
+	return nil
+}