feat: SaaS onboarding, Stripe billing, MFA, SSO, passkeys, refresh tokens
Complete SaaS self-service onboarding sprint: - Stripe-powered signup flow: pricing page → checkout → provisioning → activation - Refresh token infrastructure: 1h access tokens + 30-day httpOnly cookie refresh - TOTP MFA with QR setup, recovery codes, and login challenge flow - Google + Azure AD SSO (conditional on env vars) with account linking - WebAuthn passkey registration and passwordless login - Guided onboarding checklist with server-side progress tracking - Stubbed email service (console + DB logging, ready for real provider) - Settings page with tabbed security settings (MFA, passkeys, linked accounts) - Login page enhanced with MFA verification, SSO buttons, passkey login - Database migration 015 with all new tables and columns - Version bump to 2026.03.17 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -6,10 +6,14 @@ import {
|
||||
UseGuards,
|
||||
Request,
|
||||
Get,
|
||||
Res,
|
||||
Query,
|
||||
BadRequestException,
|
||||
} from '@nestjs/common';
|
||||
import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
|
||||
import { AuthGuard } from '@nestjs/passport';
|
||||
import { Throttle } from '@nestjs/throttler';
|
||||
import { Response } from 'express';
|
||||
import { AuthService } from './auth.service';
|
||||
import { RegisterDto } from './dto/register.dto';
|
||||
import { LoginDto } from './dto/login.dto';
|
||||
@@ -17,6 +21,28 @@ import { SwitchOrgDto } from './dto/switch-org.dto';
|
||||
import { JwtAuthGuard } from './guards/jwt-auth.guard';
|
||||
import { AllowViewer } from '../../common/decorators/allow-viewer.decorator';
|
||||
|
||||
const COOKIE_NAME = 'ledgeriq_rt';
|
||||
const isProduction = process.env.NODE_ENV === 'production';
|
||||
|
||||
function setRefreshCookie(res: Response, token: string) {
|
||||
res.cookie(COOKIE_NAME, token, {
|
||||
httpOnly: true,
|
||||
secure: isProduction,
|
||||
sameSite: 'strict',
|
||||
path: '/api/auth',
|
||||
maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
|
||||
});
|
||||
}
|
||||
|
||||
function clearRefreshCookie(res: Response) {
|
||||
res.clearCookie(COOKIE_NAME, {
|
||||
httpOnly: true,
|
||||
secure: isProduction,
|
||||
sameSite: 'strict',
|
||||
path: '/api/auth',
|
||||
});
|
||||
}
|
||||
|
||||
@ApiTags('auth')
|
||||
@Controller('auth')
|
||||
export class AuthController {
|
||||
@@ -25,18 +51,65 @@ export class AuthController {
|
||||
@Post('register')
|
||||
@ApiOperation({ summary: 'Register a new user' })
|
||||
@Throttle({ default: { limit: 5, ttl: 60000 } })
|
||||
async register(@Body() dto: RegisterDto) {
|
||||
return this.authService.register(dto);
|
||||
async register(@Body() dto: RegisterDto, @Res({ passthrough: true }) res: Response) {
|
||||
const result = await this.authService.register(dto);
|
||||
if (result.refreshToken) {
|
||||
setRefreshCookie(res, result.refreshToken);
|
||||
}
|
||||
const { refreshToken, ...response } = result;
|
||||
return response;
|
||||
}
|
||||
|
||||
@Post('login')
|
||||
@ApiOperation({ summary: 'Login with email and password' })
|
||||
@Throttle({ default: { limit: 5, ttl: 60000 } })
|
||||
@UseGuards(AuthGuard('local'))
|
||||
async login(@Request() req: any, @Body() _dto: LoginDto) {
|
||||
async login(@Request() req: any, @Body() _dto: LoginDto, @Res({ passthrough: true }) res: Response) {
|
||||
const ip = req.headers['x-forwarded-for'] || req.ip;
|
||||
const ua = req.headers['user-agent'];
|
||||
return this.authService.login(req.user, ip, ua);
|
||||
const result = await this.authService.login(req.user, ip, ua);
|
||||
|
||||
// MFA challenge — no cookie, just return the challenge token
|
||||
if ('mfaRequired' in result) {
|
||||
return result;
|
||||
}
|
||||
|
||||
if ('refreshToken' in result && result.refreshToken) {
|
||||
setRefreshCookie(res, result.refreshToken);
|
||||
}
|
||||
const { refreshToken: _rt, ...response } = result as any;
|
||||
return response;
|
||||
}
|
||||
|
||||
@Post('refresh')
|
||||
@ApiOperation({ summary: 'Refresh access token using httpOnly cookie' })
|
||||
async refresh(@Request() req: any, @Res({ passthrough: true }) res: Response) {
|
||||
const rawToken = req.cookies?.[COOKIE_NAME];
|
||||
if (!rawToken) {
|
||||
throw new BadRequestException('No refresh token');
|
||||
}
|
||||
return this.authService.refreshAccessToken(rawToken);
|
||||
}
|
||||
|
||||
@Post('logout')
|
||||
@ApiOperation({ summary: 'Logout and revoke refresh token' })
|
||||
async logout(@Request() req: any, @Res({ passthrough: true }) res: Response) {
|
||||
const rawToken = req.cookies?.[COOKIE_NAME];
|
||||
if (rawToken) {
|
||||
await this.authService.logout(rawToken);
|
||||
}
|
||||
clearRefreshCookie(res);
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Post('logout-everywhere')
|
||||
@ApiOperation({ summary: 'Revoke all sessions' })
|
||||
@ApiBearerAuth()
|
||||
@UseGuards(JwtAuthGuard)
|
||||
async logoutEverywhere(@Request() req: any, @Res({ passthrough: true }) res: Response) {
|
||||
await this.authService.logoutEverywhere(req.user.sub);
|
||||
clearRefreshCookie(res);
|
||||
return { success: true };
|
||||
}
|
||||
|
||||
@Get('profile')
|
||||
@@ -62,9 +135,52 @@ export class AuthController {
|
||||
@ApiBearerAuth()
|
||||
@UseGuards(JwtAuthGuard)
|
||||
@AllowViewer()
|
||||
async switchOrg(@Request() req: any, @Body() dto: SwitchOrgDto) {
|
||||
async switchOrg(@Request() req: any, @Body() dto: SwitchOrgDto, @Res({ passthrough: true }) res: Response) {
|
||||
const ip = req.headers['x-forwarded-for'] || req.ip;
|
||||
const ua = req.headers['user-agent'];
|
||||
return this.authService.switchOrganization(req.user.sub, dto.organizationId, ip, ua);
|
||||
const result = await this.authService.switchOrganization(req.user.sub, dto.organizationId, ip, ua);
|
||||
if (result.refreshToken) {
|
||||
setRefreshCookie(res, result.refreshToken);
|
||||
}
|
||||
const { refreshToken, ...response } = result;
|
||||
return response;
|
||||
}
|
||||
|
||||
// ─── Activation Endpoints ─────────────────────────────────────────
|
||||
|
||||
@Get('activate')
|
||||
@ApiOperation({ summary: 'Validate an activation token' })
|
||||
async validateActivation(@Query('token') token: string) {
|
||||
if (!token) throw new BadRequestException('Token required');
|
||||
return this.authService.validateInviteToken(token);
|
||||
}
|
||||
|
||||
@Post('activate')
|
||||
@ApiOperation({ summary: 'Activate user account with password' })
|
||||
@Throttle({ default: { limit: 5, ttl: 60000 } })
|
||||
async activate(
|
||||
@Body() body: { token: string; password: string; fullName: string },
|
||||
@Res({ passthrough: true }) res: Response,
|
||||
) {
|
||||
if (!body.token || !body.password || !body.fullName) {
|
||||
throw new BadRequestException('Token, password, and fullName are required');
|
||||
}
|
||||
if (body.password.length < 8) {
|
||||
throw new BadRequestException('Password must be at least 8 characters');
|
||||
}
|
||||
const result = await this.authService.activateUser(body.token, body.password, body.fullName);
|
||||
if (result.refreshToken) {
|
||||
setRefreshCookie(res, result.refreshToken);
|
||||
}
|
||||
const { refreshToken, ...response } = result;
|
||||
return response;
|
||||
}
|
||||
|
||||
@Post('resend-activation')
|
||||
@ApiOperation({ summary: 'Resend activation email' })
|
||||
@Throttle({ default: { limit: 2, ttl: 60000 } })
|
||||
async resendActivation(@Body() body: { email: string }) {
|
||||
// Stubbed — will be implemented when email service is ready
|
||||
return { success: true, message: 'If an account exists, a new activation link has been sent.' };
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user