// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/complete_login.go package auth import ( "bytes" "context" "encoding/base64" "fmt" "strings" "time" "github.com/awnumar/memguard" "go.uber.org/zap" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config" uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/hash" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction" "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation" ) type CompleteLoginRequestDTO struct { Email string `json:"email"` ChallengeID string `json:"challengeId"` DecryptedData string `json:"decryptedData"` } type CompleteLoginResponseDTO struct { Message string `json:"message"` AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` AccessTokenExpiryDate string `json:"access_token_expiry_date"` RefreshTokenExpiryDate string `json:"refresh_token_expiry_date"` Username string `json:"username"` } type CompleteLoginService interface { Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error) } type completeLoginServiceImpl struct { config *config.Config logger *zap.Logger auditLogger auditlog.AuditLogger userGetByEmailUC uc_user.UserGetByEmailUseCase cache cassandracache.CassandraCacher jwtProvider jwt.JWTProvider } func NewCompleteLoginService( config *config.Config, logger *zap.Logger, auditLogger auditlog.AuditLogger, userGetByEmailUC uc_user.UserGetByEmailUseCase, cache cassandracache.CassandraCacher, jwtProvider jwt.JWTProvider, ) CompleteLoginService { return &completeLoginServiceImpl{ config: config, logger: logger.Named("CompleteLoginService"), auditLogger: auditLogger, userGetByEmailUC: userGetByEmailUC, cache: cache, jwtProvider: jwtProvider, } } func (s *completeLoginServiceImpl) Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error) { // Validate request if err := s.validateCompleteLoginRequest(req); err != nil { return nil, err // Returns RFC 9457 ProblemDetail } // Create SAGA for complete login workflow saga := transaction.NewSaga("complete-login", s.logger) s.logger.Info("starting login completion") // Step 1: Normalize email email := strings.ToLower(strings.TrimSpace(req.Email)) // Step 2: Get the original challenge from cache challengeKey := fmt.Sprintf("challenge:%s", req.ChallengeID) originalChallenge, err := s.cache.Get(ctx, challengeKey) if err != nil || originalChallenge == nil { s.logger.Warn("Challenge not found", zap.String("challenge_id", req.ChallengeID)) s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure, validation.MaskEmail(email), "", map[string]string{ "reason": "challenge_expired", }) return nil, httperror.NewUnauthorizedError("Invalid or expired login challenge. Please request a new login code.") } defer memguard.WipeBytes(originalChallenge) // SECURITY: Wipe challenge from memory // Step 3: Decode and verify decrypted data matches challenge decryptedData, err := base64.StdEncoding.DecodeString(req.DecryptedData) if err != nil { s.logger.Warn("Failed to decode decrypted data", zap.Error(err)) return nil, httperror.NewBadRequestError("Invalid encrypted data format.") } defer memguard.WipeBytes(decryptedData) // SECURITY: Wipe decrypted data from memory if !bytes.Equal(decryptedData, originalChallenge) { s.logger.Warn("Challenge verification failed", zap.String("email", validation.MaskEmail(email))) s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure, validation.MaskEmail(email), "", map[string]string{ "reason": "challenge_verification_failed", }) return nil, httperror.NewUnauthorizedError("Challenge verification failed. Incorrect password or encryption keys.") } // Step 4: Get user (read-only, no compensation) user, err := s.userGetByEmailUC.Execute(ctx, email) if err != nil || user == nil { s.logger.Error("User not found", zap.String("email", validation.MaskEmail(email))) return nil, httperror.NewUnauthorizedError("Invalid email or password.") } // Step 5: Generate JWT token pair accessToken, accessExpiry, refreshToken, refreshExpiry, err := s.jwtProvider.GenerateJWTTokenPair( user.ID.String(), s.config.JWT.AccessTokenDuration, s.config.JWT.RefreshTokenDuration, ) if err != nil { s.logger.Error("Failed to generate JWT tokens", zap.Error(err)) return nil, httperror.NewInternalServerError("Failed to generate authentication tokens. Please try again.") } // Step 6: Store refresh token FIRST (compensate: delete refresh token) // CRITICAL: Store refresh token before deleting challenge to prevent login failure // SECURITY: Hash refresh token to prevent token leakage via cache key inspection refreshTokenHash := hash.HashToken(refreshToken) refreshKey := fmt.Sprintf("refresh:%s", refreshTokenHash) if err := s.cache.SetWithExpiry(ctx, refreshKey, []byte(user.ID.String()), s.config.JWT.RefreshTokenDuration); err != nil { s.logger.Error("Failed to store refresh token", zap.Error(err)) return nil, httperror.NewInternalServerError("Failed to store authentication session. Please try again.") } // Register compensation: delete refresh token if challenge deletion fails refreshKeyCaptured := refreshKey saga.AddCompensation(func(ctx context.Context) error { s.logger.Info("compensating: deleting refresh token", zap.String("refresh_key", refreshKeyCaptured)) return s.cache.Delete(ctx, refreshKeyCaptured) }) // Step 7: Clear challenge from cache (one-time use) (compensate: restore challenge) challengeKeyCaptured := challengeKey originalChallengeCaptured := originalChallenge if err := s.cache.Delete(ctx, challengeKey); err != nil { s.logger.Error("Failed to delete challenge", zap.String("challenge_key", challengeKey), zap.Error(err)) // Trigger compensation: Delete refresh token saga.Rollback(ctx) return nil, httperror.NewInternalServerError("Login failed. Please try again.") } // Register compensation: restore challenge with reduced TTL (5 minutes for retry) saga.AddCompensation(func(ctx context.Context) error { s.logger.Info("compensating: restoring challenge", zap.String("challenge_key", challengeKeyCaptured)) // Restore with reduced TTL (5 minutes) to allow user retry return s.cache.SetWithExpiry(ctx, challengeKeyCaptured, originalChallengeCaptured, 5*time.Minute) }) s.logger.Info("Login completed successfully", zap.String("user_id", user.ID.String()), zap.String("email", validation.MaskEmail(email)), zap.String("refresh_token", refreshToken[:16]+"...")) // Log prefix for security // Audit log successful login s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginSuccess, auditlog.OutcomeSuccess, validation.MaskEmail(email), "", map[string]string{ "user_id": user.ID.String(), }) return &CompleteLoginResponseDTO{ Message: "Login successful", AccessToken: accessToken, RefreshToken: refreshToken, AccessTokenExpiryDate: accessExpiry.Format(time.RFC3339), RefreshTokenExpiryDate: refreshExpiry.Format(time.RFC3339), Username: user.Email, }, nil } // validateCompleteLoginRequest validates the complete login request. // Returns RFC 9457 ProblemDetail error with field-specific errors. func (s *completeLoginServiceImpl) validateCompleteLoginRequest(req *CompleteLoginRequestDTO) error { errors := make(map[string]string) // Validate email using shared validation utility if errMsg := validation.ValidateEmail(req.Email); errMsg != "" { errors["email"] = errMsg } // Validate challengeId challengeId := strings.TrimSpace(req.ChallengeID) if challengeId == "" { errors["challengeId"] = "Challenge ID is required" } // Validate decryptedData decryptedData := strings.TrimSpace(req.DecryptedData) if decryptedData == "" { errors["decryptedData"] = "Decrypted challenge data is required" } // If there are validation errors, return RFC 9457 error if len(errors) > 0 { return httperror.NewValidationError(errors) } return nil }