199 lines
7.3 KiB
Go
199 lines
7.3 KiB
Go
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/resend_verification.go
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"fmt"
|
|
"html"
|
|
"time"
|
|
|
|
"github.com/awnumar/memguard"
|
|
"go.uber.org/zap"
|
|
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
|
|
dom_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/domain/user"
|
|
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/emailer/mailgun"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
|
|
)
|
|
|
|
type ResendVerificationRequestDTO struct {
|
|
Email string `json:"email"`
|
|
}
|
|
|
|
type ResendVerificationResponseDTO struct {
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
type ResendVerificationService interface {
|
|
Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error)
|
|
}
|
|
|
|
type resendVerificationServiceImpl struct {
|
|
config *config.Config
|
|
logger *zap.Logger
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase
|
|
userUpdateUC uc_user.UserUpdateUseCase
|
|
emailer mailgun.Emailer
|
|
}
|
|
|
|
func NewResendVerificationService(
|
|
config *config.Config,
|
|
logger *zap.Logger,
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase,
|
|
userUpdateUC uc_user.UserUpdateUseCase,
|
|
emailer mailgun.Emailer,
|
|
) ResendVerificationService {
|
|
return &resendVerificationServiceImpl{
|
|
config: config,
|
|
logger: logger.Named("ResendVerificationService"),
|
|
userGetByEmailUC: userGetByEmailUC,
|
|
userUpdateUC: userUpdateUC,
|
|
emailer: emailer,
|
|
}
|
|
}
|
|
|
|
func (s *resendVerificationServiceImpl) Execute(ctx context.Context, req *ResendVerificationRequestDTO) (*ResendVerificationResponseDTO, error) {
|
|
// Validate request
|
|
if err := s.validateResendVerificationRequest(req); err != nil {
|
|
return nil, err // Returns RFC 9457 ProblemDetail
|
|
}
|
|
|
|
// Create SAGA for resend verification workflow
|
|
saga := transaction.NewSaga("resend-verification", s.logger)
|
|
|
|
s.logger.Info("starting resend verification")
|
|
|
|
// Step 1: Get user by email (read-only, no compensation)
|
|
user, err := s.userGetByEmailUC.Execute(ctx, req.Email)
|
|
if err != nil || user == nil {
|
|
s.logger.Warn("User not found for resend verification", zap.String("email", validation.MaskEmail(req.Email)))
|
|
// Don't reveal if user exists or not for security
|
|
return &ResendVerificationResponseDTO{
|
|
Message: "If the email exists and is unverified, a new verification code has been sent.",
|
|
}, nil
|
|
}
|
|
|
|
// Step 2: Check if email is already verified
|
|
if user.SecurityData != nil && user.SecurityData.WasEmailVerified {
|
|
s.logger.Info("Email already verified", zap.String("email", validation.MaskEmail(req.Email)))
|
|
// Don't reveal that email is already verified for security
|
|
return &ResendVerificationResponseDTO{
|
|
Message: "If the email exists and is unverified, a new verification code has been sent.",
|
|
}, nil
|
|
}
|
|
|
|
// Step 3: Backup old verification data for compensation
|
|
var oldCode string
|
|
var oldCodeExpiry time.Time
|
|
if user.SecurityData != nil {
|
|
oldCode = user.SecurityData.Code
|
|
oldCodeExpiry = user.SecurityData.CodeExpiry
|
|
}
|
|
|
|
// Step 4: Generate new verification code
|
|
verificationCode := s.generateVerificationCode()
|
|
verificationExpiry := time.Now().Add(24 * time.Hour)
|
|
|
|
// Step 5: Update user with new code
|
|
if user.SecurityData == nil {
|
|
user.SecurityData = &dom_user.UserSecurityData{}
|
|
}
|
|
user.SecurityData.Code = verificationCode
|
|
user.SecurityData.CodeType = dom_user.UserCodeTypeEmailVerification
|
|
user.SecurityData.CodeExpiry = verificationExpiry
|
|
user.ModifiedAt = time.Now()
|
|
|
|
// Step 6: Save updated user FIRST (compensate: restore old code if email fails)
|
|
// CRITICAL: Save new code before sending email to enable rollback if email fails
|
|
if err := s.userUpdateUC.Execute(ctx, user); err != nil {
|
|
s.logger.Error("Failed to update user with new verification code", zap.Error(err))
|
|
return nil, httperror.NewInternalServerError("Failed to update verification code. Please try again later.")
|
|
}
|
|
|
|
// Register compensation: restore old verification code if email fails
|
|
userCaptured := user
|
|
oldCodeCaptured := oldCode
|
|
oldCodeExpiryCaptured := oldCodeExpiry
|
|
saga.AddCompensation(func(ctx context.Context) error {
|
|
s.logger.Info("compensating: restoring old verification code due to email failure",
|
|
zap.String("email", validation.MaskEmail(userCaptured.Email)))
|
|
userCaptured.SecurityData.Code = oldCodeCaptured
|
|
userCaptured.SecurityData.CodeExpiry = oldCodeExpiryCaptured
|
|
userCaptured.ModifiedAt = time.Now()
|
|
return s.userUpdateUC.Execute(ctx, userCaptured)
|
|
})
|
|
|
|
// Step 7: Send verification email - MUST succeed or rollback
|
|
if err := s.sendVerificationEmail(ctx, user.Email, user.FirstName, verificationCode); err != nil {
|
|
s.logger.Error("Failed to send verification email",
|
|
zap.String("email", validation.MaskEmail(user.Email)),
|
|
zap.Error(err))
|
|
|
|
// Trigger compensation: Restore old verification code
|
|
saga.Rollback(ctx)
|
|
return nil, httperror.NewInternalServerError("Failed to send verification email. Please try again later.")
|
|
}
|
|
|
|
s.logger.Info("Verification code resent successfully",
|
|
zap.String("email", validation.MaskEmail(req.Email)),
|
|
zap.String("user_id", user.ID.String()))
|
|
|
|
return &ResendVerificationResponseDTO{
|
|
Message: "If the email exists and is unverified, a new verification code has been sent.",
|
|
}, nil
|
|
}
|
|
|
|
func (s *resendVerificationServiceImpl) generateVerificationCode() string {
|
|
// Generate random 8-digit code for increased entropy
|
|
// 8 digits = 90,000,000 combinations vs 6 digits = 900,000
|
|
b := make([]byte, 4)
|
|
rand.Read(b)
|
|
defer memguard.WipeBytes(b) // SECURITY: Wipe random bytes after use
|
|
code := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
|
|
code = (code % 90000000) + 10000000
|
|
return fmt.Sprintf("%d", code)
|
|
}
|
|
|
|
func (s *resendVerificationServiceImpl) sendVerificationEmail(ctx context.Context, email, firstName, code string) error {
|
|
subject := "Verify Your MapleFile Account"
|
|
sender := s.emailer.GetSenderEmail()
|
|
|
|
// Escape user input to prevent HTML injection
|
|
safeFirstName := html.EscapeString(firstName)
|
|
|
|
htmlContent := fmt.Sprintf(`
|
|
<html>
|
|
<body>
|
|
<h2>Welcome to MapleFile, %s!</h2>
|
|
<p>You requested a new verification code. Please verify your email address by entering this code:</p>
|
|
<h1 style="color: #4CAF50; font-size: 32px; letter-spacing: 5px;">%s</h1>
|
|
<p>This code will expire in 24 hours.</p>
|
|
<p>If you didn't request this code, please ignore this email.</p>
|
|
</body>
|
|
</html>
|
|
`, safeFirstName, code)
|
|
|
|
return s.emailer.Send(ctx, sender, subject, email, htmlContent)
|
|
}
|
|
|
|
// validateResendVerificationRequest validates the resend verification request.
|
|
// Returns RFC 9457 ProblemDetail error with field-specific errors.
|
|
func (s *resendVerificationServiceImpl) validateResendVerificationRequest(req *ResendVerificationRequestDTO) error {
|
|
errors := make(map[string]string)
|
|
|
|
// Validate email using shared validation utility
|
|
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
|
|
errors["email"] = errMsg
|
|
}
|
|
|
|
// If there are validation errors, return RFC 9457 error
|
|
if len(errors) > 0 {
|
|
return httperror.NewValidationError(errors)
|
|
}
|
|
|
|
return nil
|
|
}
|