added owasp recommendations to IAM methods

Author: Rykuno

src/lib/server/api/controllers/iam.controller.ts

@@ -90,14 +90,16 @@ export class IamController implements Controller {
 				});
 				return c.json({ status: 'success' });
 			})
-			.post('/email/sendVerification', requireAuth, zValidator('json', updateEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
+			.patch('/email', requireAuth, zValidator('json', updateEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const json = c.req.valid('json');
-				await this.emailVerificationsService.dispatchEmailVerificationToken(c.var.user.id, json.email);
+				await this.emailVerificationsService.dispatchEmailVerificationRequest(c.var.user.id, json.email);
 				return c.json({ message: 'Verification email sent' });
 			})
-			.post('/email/verify', requireAuth, zValidator('json', verifyEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
+			// this could also be named to use custom methods, aka /email:verify
+			// https://cloud.google.com/apis/design/custom_methods
+			.post('/email/verification', requireAuth, zValidator('json', verifyEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const json = c.req.valid('json');
-				await this.emailVerificationsService.processEmailVerificationToken(c.var.user.id, json.token);
+				await this.emailVerificationsService.processEmailVerificationRequest(c.var.user.id, json.token);
 				return c.json({ message: 'Verified and updated' });
 			});
 	}

src/lib/server/api/index.ts

@@ -6,7 +6,6 @@ import { container } from 'tsyringe';
 import { validateAuthSession, verifyOrigin } from './middleware/auth.middleware';
 import { IamController } from './controllers/iam.controller';
 import { config } from './common/config';
-import { UsersController } from './controllers/users.controller';
 
 /* -------------------------------------------------------------------------- */
 /*                               Client Request                               */

src/lib/server/api/infrastructure/database/migrations/0000_sudden_human_fly.sql renamed to src/lib/server/api/infrastructure/database/migrations/0000_nostalgic_skrulls.sql

@@ -1,5 +1,5 @@
 {
-  "id": "2e0c1e11-ed33-45bf-8084-c3200d8f65a8",
+  "id": "2fdb0575-b4b3-4ebb-9ca0-73a655a7fbe7",
   "prevId": "00000000-0000-0000-0000-000000000000",
   "version": "6",
   "dialect": "postgresql",

src/lib/server/api/infrastructure/database/migrations/meta/0000_snapshot.json

@@ -5,8 +5,8 @@
     {
       "idx": 0,
       "version": "6",
-      "when": 1719436322147,
-      "tag": "0000_sudden_human_fly",
+      "when": 1719512747861,
+      "tag": "0000_nostalgic_skrulls",
       "breakpoints": false
     }
   ]

src/lib/server/api/infrastructure/database/migrations/meta/_journal.json

@@ -0,0 +1,18 @@
+<html lang='en'>
+	<head>
+		<meta http-equiv='X-UA-Compatible' content='IE=edge' />
+		<meta name='viewport' content='width=device-width, initial-scale=1.0' />
+		<title>Email Change Request</title>
+	</head>
+	<body>
+		<p class='title'>Email address change notice </p>
+		<p>
+			An update to your email address has been requested. If this is unexpected or you did not perform this action, please login and secure your account.</p>
+	</body>
+	<style>
+		.title { font-size: 24px; font-weight: 700; } .token-text { font-size: 24px; font-weight: 700; margin-top: 8px; }
+		.token-title { font-size: 18px; font-weight: 700; margin-bottom: 0px; }
+		.center { display: flex; justify-content: center; align-items: center; flex-direction: column;}
+		.token-subtext { font-size: 12px; margin-top: 0px; }
+	</style>
+</html>

src/lib/server/api/infrastructure/email-templates/email-change-notice.hbs

@@ -10,7 +10,6 @@
 			Thanks for using example.com. We want to make sure it's really you. Please enter the following
 			verification code when prompted. If you don't have an exmaple.com an account, you can ignore
 			this message.</p>
-		{{!-- <p>{{token}}</p> --}}
 		<div class='center'>
 			<p class="token-title">Verification Code</p>
 			<p class='token-text'>{{token}}</p>

src/lib/server/api/infrastructure/email-templates/email-verification.handlebars renamed to src/lib/server/api/infrastructure/email-templates/email-verification-token.hbs

@@ -26,14 +26,20 @@ export type UpdateUser = Partial<CreateUser>;
 
 @injectable()
 export class UsersRepository implements Repository {
-	constructor(@inject(DatabaseProvider) private db: DatabaseProvider) {}
+	constructor(@inject(DatabaseProvider) private db: DatabaseProvider) { }
 
 	async findOneById(id: string) {
 		return this.db.query.usersTable.findFirst({
 			where: eq(usersTable.id, id)
 		});
 	}
 
+	async findOneByIdOrThrow(id: string) {
+		const user = await this.findOneById(id);
+		if (!user) throw Error('User not found');
+		return user;
+	}
+
 	async findOneByEmail(email: string) {
 		return this.db.query.usersTable.findFirst({
 			where: eq(usersTable.email, email)

src/lib/server/api/infrastructure/email-templates/welcome.handlebars renamed to src/lib/server/api/infrastructure/email-templates/welcome.hbs

@@ -6,24 +6,6 @@ import { TokensService } from './tokens.service';
 import { UsersRepository } from '../repositories/users.repository';
 import { EmailVerificationsRepository } from '../repositories/email-verifications.repository';
 
-/* -------------------------------------------------------------------------- */
-/*                                   Service                                  */
-/* -------------------------------------------------------------------------- */
-/* -------------------------------------------------------------------------- */
-/* ---------------------------------- About --------------------------------- */
-/*
-Services are responsible for handling business logic and data manipulation. 
-They genreally call on repositories or other services to complete a use-case.
-*/
-/* ---------------------------------- Notes --------------------------------- */
-/*
-Services should be kept as clean and simple as possible. 
-
-Create private functions to handle complex logic and keep the public methods as 
-simple as possible. This makes the service easier to read, test and understand.
-*/
-/* -------------------------------------------------------------------------- */
-
 @injectable()
 export class EmailVerificationsService {
   constructor(
@@ -34,29 +16,36 @@ export class EmailVerificationsService {
     @inject(EmailVerificationsRepository) private readonly emailVerificationsRepository: EmailVerificationsRepository,
   ) { }
 
-
-  async dispatchEmailVerificationToken(userId: string, requestedEmail: string) {
+  // These steps follow the process outlined in OWASP's "Changing A User's Email Address" guide.
+  // https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#changing-a-users-registered-email-address
+  async dispatchEmailVerificationRequest(userId: string, requestedEmail: string) {
     // generate a token and expiry
     const { token, expiry, hashedToken } = await this.tokensService.generateTokenWithExpiryAndHash(15, 'm')
+    const user = await this.usersRepository.findOneByIdOrThrow(userId)
 
     // create a new email verification record
     await this.emailVerificationsRepository.create({ requestedEmail, userId, hashedToken, expiresAt: expiry })
 
-    // send the verification email - we don't need to await success and will opt for good-faith since we 
-    // will offer a way to resend the email if it fails
-    this.mailerService.sendEmailVerification({
+    // A confirmation-required email message to the proposed new address, instructing the user to 
+    // confirm the change and providing a link for unexpected situations
+    this.mailerService.sendEmailVerificationToken({
       to: requestedEmail,
       props: {
         token
       }
     })
+
+    // A notification-only email message to the current address, alerting the user to the impending change and 
+    // providing a link for an unexpected situation.
+    this.mailerService.sendEmailChangeNotification({
+      to: user.email,
+      props: null
+    })
   }
 
-  async processEmailVerificationToken(userId: string, token: string) {
+  async processEmailVerificationRequest(userId: string, token: string) {
     const validRecord = await this.findAndBurnEmailVerificationToken(userId, token)
     if (!validRecord) throw BadRequest('Invalid token');
-
-    // burn the token and update the user
     await this.usersRepository.update(userId, { email: validRecord.requestedEmail, verified: true });
   }