184 lines
6.3 KiB
Go
184 lines
6.3 KiB
Go
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/request_ott.go
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"fmt"
|
|
"html"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/awnumar/memguard"
|
|
"go.uber.org/zap"
|
|
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
|
|
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
|
|
)
|
|
|
|
type RequestOTTRequestDTO struct {
|
|
Email string `json:"email"`
|
|
}
|
|
|
|
type RequestOTTResponseDTO struct {
|
|
Message string `json:"message"`
|
|
Success bool `json:"success"`
|
|
}
|
|
|
|
type RequestOTTService interface {
|
|
Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error)
|
|
}
|
|
|
|
type requestOTTServiceImpl struct {
|
|
config *config.Config
|
|
logger *zap.Logger
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase
|
|
cache cassandracache.CassandraCacher
|
|
emailer mailgun.Emailer
|
|
}
|
|
|
|
func NewRequestOTTService(
|
|
config *config.Config,
|
|
logger *zap.Logger,
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase,
|
|
cache cassandracache.CassandraCacher,
|
|
emailer mailgun.Emailer,
|
|
) RequestOTTService {
|
|
return &requestOTTServiceImpl{
|
|
config: config,
|
|
logger: logger.Named("RequestOTTService"),
|
|
userGetByEmailUC: userGetByEmailUC,
|
|
cache: cache,
|
|
emailer: emailer,
|
|
}
|
|
}
|
|
|
|
func (s *requestOTTServiceImpl) Execute(ctx context.Context, req *RequestOTTRequestDTO) (*RequestOTTResponseDTO, error) {
|
|
// Validate request
|
|
if err := s.validateRequestOTTRequest(req); err != nil {
|
|
return nil, err // Returns RFC 9457 ProblemDetail
|
|
}
|
|
|
|
// Create SAGA for OTT request workflow
|
|
saga := transaction.NewSaga("request-ott", s.logger)
|
|
|
|
s.logger.Info("starting OTT request")
|
|
|
|
// Step 1: Normalize email
|
|
email := strings.ToLower(strings.TrimSpace(req.Email))
|
|
|
|
// Step 2: Check if user exists and is verified (read-only, no compensation)
|
|
user, err := s.userGetByEmailUC.Execute(ctx, email)
|
|
if err != nil || user == nil {
|
|
s.logger.Warn("User not found", zap.String("email", validation.MaskEmail(email)))
|
|
// For security, don't reveal if user exists
|
|
return &RequestOTTResponseDTO{
|
|
Message: "If an account exists with this email, you will receive an OTT code shortly.",
|
|
Success: true,
|
|
}, nil
|
|
}
|
|
|
|
// Step 3: Check if email is verified
|
|
if user.SecurityData == nil || !user.SecurityData.WasEmailVerified {
|
|
s.logger.Warn("User email not verified", zap.String("email", validation.MaskEmail(email)))
|
|
return nil, httperror.NewBadRequestError("Email address not verified. Please verify your email before logging in.")
|
|
}
|
|
|
|
// Step 4: Generate 8-digit OTT code
|
|
ottCode := s.generateOTTCode()
|
|
ottCodeBytes := []byte(ottCode)
|
|
defer memguard.WipeBytes(ottCodeBytes) // SECURITY: Wipe OTT code from memory after use
|
|
|
|
// Step 5: Store OTT in cache FIRST (compensate: delete OTT if email fails)
|
|
// CRITICAL: Store OTT before sending email to enable rollback if email fails
|
|
cacheKey := fmt.Sprintf("ott:%s", email)
|
|
if err := s.cache.SetWithExpiry(ctx, cacheKey, []byte(ottCode), 10*time.Minute); err != nil {
|
|
s.logger.Error("Failed to store OTT in cache", zap.Error(err))
|
|
return nil, httperror.NewInternalServerError("Failed to generate login code. Please try again later.")
|
|
}
|
|
|
|
// Register compensation: delete OTT if email sending fails
|
|
cacheKeyCaptured := cacheKey
|
|
saga.AddCompensation(func(ctx context.Context) error {
|
|
s.logger.Info("compensating: deleting OTT due to email failure",
|
|
zap.String("cache_key", cacheKeyCaptured))
|
|
return s.cache.Delete(ctx, cacheKeyCaptured)
|
|
})
|
|
|
|
// Step 6: Send OTT email - MUST succeed or rollback
|
|
if err := s.sendOTTEmail(ctx, email, user.FirstName, ottCode); err != nil {
|
|
s.logger.Error("Failed to send OTT email",
|
|
zap.String("email", validation.MaskEmail(email)),
|
|
zap.Error(err))
|
|
|
|
// Trigger compensation: Delete OTT from cache
|
|
saga.Rollback(ctx)
|
|
return nil, httperror.NewInternalServerError("Failed to send login code email. Please try again later.")
|
|
}
|
|
|
|
s.logger.Info("OTT generated and sent successfully",
|
|
zap.String("email", validation.MaskEmail(email)),
|
|
zap.String("cache_key", cacheKey[:16]+"...")) // Log prefix for security
|
|
|
|
return &RequestOTTResponseDTO{
|
|
Message: "OTT code sent to your email. Please check your inbox.",
|
|
Success: true,
|
|
}, nil
|
|
}
|
|
|
|
func (s *requestOTTServiceImpl) generateOTTCode() string {
|
|
// Generate random 8-digit code for increased entropy
|
|
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
|
|
b := make([]byte, 4)
|
|
rand.Read(b)
|
|
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
|
|
|
|
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
|
|
code = (code % 90000000) + 10000000
|
|
return fmt.Sprintf("%d", code)
|
|
}
|
|
|
|
func (s *requestOTTServiceImpl) sendOTTEmail(ctx context.Context, email, firstName, code string) error {
|
|
subject := "Your MapleFile Login Code"
|
|
sender := s.emailer.GetSenderEmail()
|
|
|
|
// Escape user input to prevent HTML injection
|
|
safeFirstName := html.EscapeString(firstName)
|
|
|
|
htmlContent := fmt.Sprintf(`
|
|
<html>
|
|
<body>
|
|
<h2>Hello %s,</h2>
|
|
<p>Here is your one-time login code for MapleFile:</p>
|
|
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
|
|
<p>This code will expire in 10 minutes.</p>
|
|
<p>If you didn't request this code, please ignore this email.</p>
|
|
</body>
|
|
</html>
|
|
`, safeFirstName, code)
|
|
|
|
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
|
|
}
|
|
|
|
// validateRequestOTTRequest validates the request OTT request.
|
|
// Returns RFC 9457 ProblemDetail error with field-specific errors.
|
|
func (s *requestOTTServiceImpl) validateRequestOTTRequest(req *RequestOTTRequestDTO) error {
|
|
errors := make(map[string]string)
|
|
|
|
// Validate email using shared validation utility
|
|
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
|
|
errors["email"] = errMsg
|
|
}
|
|
|
|
// If there are validation errors, return RFC 9457 error
|
|
if len(errors) > 0 {
|
|
return httperror.NewValidationError(errors)
|
|
}
|
|
|
|
return nil
|
|
}
|