Makespace
diff --git a/‎src/authentication/auth-routes.ts‎
Lines changed: 30 additions & 4 deletions b/‎src/authentication/auth-routes.ts‎
Lines changed: 30 additions & 4 deletions
diff --git a/‎src/authentication/get-user-from-session.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/authentication/get-user-from-session.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/authentication/handlers.ts‎
Lines changed: 82 additions & 20 deletions b/‎src/authentication/handlers.ts‎
Lines changed: 82 additions & 20 deletions
diff --git a/‎src/authentication/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/authentication/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/authentication/magic-link.ts‎
Lines changed: 53 additions & 4 deletions b/‎src/authentication/magic-link.ts‎
Lines changed: 53 additions & 4 deletions
diff --git a/‎src/authentication/send-email-verification.ts‎
Lines changed: 66 additions & 0 deletions b/‎src/authentication/send-email-verification.ts‎
Lines changed: 66 additions & 0 deletions
@@ -1,19 +1,45 @@
 import {Dependencies} from '../dependencies';
-import {Safe, safe} from '../types/html';
+import {Config} from '../configuration';
+import {html, Safe, safe} from '../types/html';
 import {Route, get, post} from '../types/route';
-import {auth, landing, callback, invalidLink, logIn, logOut} from './handlers';
+import {
+  auth,
+  landing,
+  callback,
+  invalidLink,
+  logIn,
+  logOut,
+  verifyEmailCallback,
+} from './handlers';
 
 export const logInPath: Safe = safe('/log-in');
 const invalidLinkPath = '/auth/invalid-magic-link';
+const invalidVerificationLinkPath = '/auth/invalid-email-verification-link';
 
-export const authRoutes = (deps: Dependencies): ReadonlyArray<Route> => {
+export const authRoutes = (
+  deps: Dependencies,
+  conf: Config
+): ReadonlyArray<Route> => {
   return [
     get(logInPath, logIn(deps)),
     get('/log-out', logOut),
     post('/auth', auth),
     get('/auth', (_req, res) => res.redirect(logInPath)),
-    get('/auth/landing', landing),
+    get('/auth/landing', landing('/auth/callback')),
     get('/auth/callback', callback(invalidLinkPath)),
     get(invalidLinkPath, invalidLink(logInPath)),
+    get('/auth/verify-email/landing', landing('/auth/verify-email/callback')),
+    get(
+      '/auth/verify-email/callback',
+      verifyEmailCallback(deps, conf, invalidVerificationLinkPath)
+    ),
+    get(
+      invalidVerificationLinkPath,
+      invalidLink(
+        logInPath,
+        html`The verification link you have used is (no longer) valid. Go
+          back to the <a href=${logInPath}>log in</a> page.`
+      )
+    ),
   ];
 };
@@ -26,6 +26,7 @@ export const getUserFromSession =
       ),
       E.map(session => ({
         emailAddress: session.passport.user.emailAddress,
+        primaryEmailAddress: session.passport.user.primaryEmailAddress,
         memberNumber: session.passport.user.memberNumber,
       })),
       O.fromEither
 
@@ -4,22 +4,25 @@ import {pipe} from 'fp-ts/lib/function';
 import {parseEmailAddressFromBody} from './parse-email-address-from-body';
 import * as E from 'fp-ts/Either';
 import * as O from 'fp-ts/Option';
+import * as TE from 'fp-ts/TaskEither';
 import {publish} from 'pubsub-js';
 import passport from 'passport';
-import {magicLink} from './magic-link';
+import {emailVerificationLink, magicLink} from './magic-link';
 import {logInPage} from './log-in-page';
 import {checkYourMailPage} from './check-your-mail';
 import {oopsPage, isolatedPageTemplate} from '../templates';
 import {StatusCodes} from 'http-status-codes';
 import {getUserFromSession} from './get-user-from-session';
 import {Dependencies} from '../dependencies';
+import {Config} from '../configuration';
 import {
   html,
   HtmlSubstitution,
   CompleteHtmlDocument,
   sanitizeString,
   safe,
 } from '../types/html';
+import {verifyEmail} from '../commands/members/verify-email';
 
 export const logIn =
   (deps: Dependencies) =>
@@ -58,37 +61,96 @@ export const auth = (req: Request, res: Response<CompleteHtmlDocument>) => {
 };
 
 export const invalidLink =
-  (logInPath: HtmlSubstitution) =>
+  (linkPath: HtmlSubstitution, copy?: HtmlSubstitution) =>
   (req: Request, res: Response<CompleteHtmlDocument>) => {
     res
       .status(StatusCodes.UNAUTHORIZED)
       .send(
         oopsPage(
-          html`The link you have used is (no longer) valid. Go back to the
-            <a href=${logInPath}>log in</a> page.`
+          copy ??
+            html`The link you have used is (no longer) valid. Go back to the
+              <a href=${linkPath}>log in</a> page.`
         )
       );
   };
 
-export const landing = (req: Request, res: Response<CompleteHtmlDocument>) => {
-  const index = req.originalUrl.indexOf('?');
-  const suffix = index === -1 ? '' : req.originalUrl.slice(index);
-  const url = '/auth/callback' + suffix;
-  res.status(StatusCodes.OK).send(
-    isolatedPageTemplate(sanitizeString('Redirecting...'))(html`
-      <!doctype html>
-      <html>
-        <head>
-          <meta http-equiv="refresh" content="0; url='${safe(url)}'" />
-        </head>
-        <body></body>
-      </html>
-    `)
-  );
-};
+export const landing =
+  (callbackPath: string) =>
+  (req: Request, res: Response<CompleteHtmlDocument>) => {
+    const index = req.originalUrl.indexOf('?');
+    const suffix = index === -1 ? '' : req.originalUrl.slice(index);
+    const url = callbackPath + suffix;
+    res.status(StatusCodes.OK).send(
+      isolatedPageTemplate(sanitizeString('Redirecting...'))(html`
+        <!doctype html>
+        <html>
+          <head>
+            <meta http-equiv="refresh" content="0; url='${safe(url)}'" />
+          </head>
+          <body></body>
+        </html>
+      `)
+    );
+  };
 
 export const callback = (invalidLinkPath: string) =>
   passport.authenticate(magicLink.name, {
     failureRedirect: invalidLinkPath,
     successRedirect: '/',
   }) as RequestHandler;
+
+export const verifyEmailCallback =
+  (deps: Dependencies, conf: Config, invalidLinkPath: string): RequestHandler =>
+  (req, res) => {
+    pipe(
+      req.query,
+      emailVerificationLink.decodeFromQuery(deps.logger, conf),
+      E.match(
+        error => {
+          deps.logger.info(
+            {error},
+            'Failed to decode email verification link'
+          );
+          res.redirect(invalidLinkPath);
+        },
+        payload => {
+          const input = {
+            memberNumber: payload.memberNumber,
+            email: payload.emailAddress,
+          };
+          const resource = verifyEmail.resource(input);
+          void pipe(
+            deps.getResourceEvents(resource),
+            TE.chain(({events, version}) => {
+              const event = verifyEmail.process({
+                command: {
+                  ...input,
+                  actor: {tag: 'system'},
+                },
+                events,
+              });
+              if (O.isNone(event)) {
+                return TE.right(undefined);
+              }
+              return pipe(
+                deps.commitEvent(resource, version)(event.value),
+                TE.map(() => undefined)
+              );
+            }),
+            TE.match(
+              failure => {
+                deps.logger.error(
+                  {failure},
+                  'Failed to verify member email from callback'
+                );
+                res.redirect(invalidLinkPath);
+              },
+              () => {
+                res.redirect('/me');
+              }
+            )
+          )();
+        }
+      )
+    );
+  };
@@ -1,4 +1,5 @@
 export {magicLink} from './magic-link';
+export {emailVerificationLink} from './magic-link';
 export {authRoutes} from './auth-routes';
 export {getUserFromSession} from './get-user-from-session';
 export {startMagicLinkEmailPubSub} from './start-magic-link-email-pub-sub';
 
@@ -6,16 +6,44 @@ import {Strategy as CustomStrategy} from 'passport-custom';
 import jwt from 'jsonwebtoken';
 import {Config} from '../configuration';
 import {Dependencies} from '../dependencies';
+import {EmailAddressCodec} from '../types';
 import {User} from '../types/user';
 import {logPassThru} from '../util';
 import {Logger} from 'pino';
 
+const LoginTokenPayload = t.strict({
+  purpose: t.literal('log-in'),
+  user: User,
+});
+
+const VerifyEmailTokenPayload = t.strict({
+  purpose: t.literal('verify-email'),
+  memberNumber: t.number,
+  emailAddress: EmailAddressCodec,
+});
+
+export type VerifyEmailTokenPayload = t.TypeOf<typeof VerifyEmailTokenPayload>;
+
+const createSignedToken =
+  (conf: Config) =>
+  (payload: object): string =>
+    jwt.sign(payload, conf.TOKEN_SECRET, {expiresIn: '10m'});
+
 const createMagicLink = (conf: Config) => (user: User) =>
   pipe(
-    jwt.sign(user, conf.TOKEN_SECRET, {expiresIn: '10m'}),
+    LoginTokenPayload.encode({purpose: 'log-in', user}),
+    createSignedToken(conf),
     token => `${conf.PUBLIC_URL}/auth/landing?token=${token}`
   );
 
+const createEmailVerificationLink =
+  (conf: Config) => (payload: VerifyEmailTokenPayload) =>
+    pipe(
+      VerifyEmailTokenPayload.encode(payload),
+      createSignedToken(conf),
+      token => `${conf.PUBLIC_URL}/auth/verify-email/landing?token=${token}`
+    );
+
 const MagicLinkQuery = t.strict({
   token: t.string,
 });
@@ -26,14 +54,30 @@ const verifyToken = (token: string, secret: Config['TOKEN_SECRET']) =>
     failure('Could not verify token')
   );
 
-const decodeMagicLinkFromQuery =
+const decodeTokenFromQuery =
   (logger: Logger, conf: Config) => (input: unknown) =>
     pipe(
       input,
       logPassThru(logger, 'Attempting to decode magic link from query'), // Logging is required as a basic form of auth enumeration detection.
       MagicLinkQuery.decode,
-      E.chainW(({token}) => verifyToken(token, conf.TOKEN_SECRET)),
-      E.chainW(User.decode)
+      E.chainW(({token}) => verifyToken(token, conf.TOKEN_SECRET))
+    );
+
+export const decodeMagicLinkFromQuery =
+  (logger: Logger, conf: Config) => (input: unknown) =>
+    pipe(
+      input,
+      decodeTokenFromQuery(logger, conf),
+      E.chainW(LoginTokenPayload.decode),
+      E.map(payload => payload.user)
+    );
+
+export const decodeEmailVerificationFromQuery =
+  (logger: Logger, conf: Config) => (input: unknown) =>
+    pipe(
+      input,
+      decodeTokenFromQuery(logger, conf),
+      E.chainW(VerifyEmailTokenPayload.decode)
     );
 
 const strategy = (deps: Dependencies, conf: Config) => {
@@ -60,3 +104,8 @@ export const magicLink = {
   strategy,
   create: createMagicLink,
 };
+
+export const emailVerificationLink = {
+  create: createEmailVerificationLink,
+  decodeFromQuery: decodeEmailVerificationFromQuery,
+};
@@ -0,0 +1,66 @@
+import * as TE from 'fp-ts/TaskEither';
+import {pipe} from 'fp-ts/lib/function';
+import mjml2html from 'mjml';
+import {Config} from '../configuration';
+import {Dependencies} from '../dependencies';
+import {Email, EmailAddress, Failure} from '../types';
+import {emailVerificationLink} from './magic-link';
+
+const toEmail =
+  (emailAddress: EmailAddress) =>
+  (verificationLink: string): Email => ({
+    recipient: emailAddress,
+    subject: 'Verify your Makespace email address',
+    text: `
+      Hi,
+
+      Verify this email address for your Makespace account by opening the link below:
+
+      ${verificationLink}
+    `,
+    html: mjml2html(`
+    <mjml>
+      <mj-body width="800px">
+        <mj-section background-color="#fa990e">
+          <mj-column>
+            <mj-text align="center" color="#111" font-size="40px">MakeSpace</mj-text>
+            <mj-text font-style="italic" align="center" color="#111" font-size="30px">Member App</mj-text>
+          </mj-column>
+        </mj-section>
+        <mj-section>
+          <mj-column width="400px">
+            <mj-text font-size="20px" line-height="1.3" color="#111" align="center">
+              Verify this email address for your Makespace account
+            </mj-text>
+            <mj-button
+              color="#111"
+              background-color="#7FC436"
+              href="${verificationLink}"
+              font-weight="800"
+            >
+              Verify email
+            </mj-button>
+          </mj-column>
+        </mj-section>
+      </mj-body>
+    </mjml>
+    `).html,
+  });
+
+export const sendEmailVerification = (
+  deps: Pick<Dependencies, 'sendEmail' | 'rateLimitSendingOfEmails'>,
+  conf: Config
+) => (memberNumber: number, emailAddress: EmailAddress): TE.TaskEither<Failure, string> => {
+  const email = toEmail(emailAddress)(
+    emailVerificationLink.create(conf)({
+      purpose: 'verify-email',
+      memberNumber,
+      emailAddress,
+    })
+  );
+  return pipe(
+    deps.rateLimitSendingOfEmails(email),
+    TE.chain(deps.sendEmail),
+    TE.map(() => `Sent email verification to ${emailAddress}`)
+  );
+};
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`export {magicLink} from './magic-link';`
	`2`	`+export {emailVerificationLink} from './magic-link';`
`2`	`3`	`export {authRoutes} from './auth-routes';`
`3`	`4`	`export {getUserFromSession} from './get-user-from-session';`
`4`	`5`	`export {startMagicLinkEmailPubSub} from './start-magic-link-email-pub-sub';`