Solvro · qamarq · Feb 17, 2025 · Feb 16, 2025 · Feb 16, 2025 · Feb 16, 2025
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 > Welcome to the repository of the Solvro project, a student organization at the Wrocław University of Science and Technology!
 
-[![Welcome Page](https://i.imgur.com/PSnVCNN.png)](https://planer.solvro.pl)
+[![Welcome Page](https://i.imgur.com/dVjBfjS.png)](https://planer.solvro.pl)
 
 ## 🎯 Project Goal
 

diff --git a/backend/adonisrc.ts b/backend/adonisrc.ts
@@ -44,6 +44,7 @@ export default defineConfig({
     },
     () => import("@adonisjs/mail/mail_provider"),
     () => import("@adonisjs/shield/shield_provider"),
+    () => import("@adonisjs/limiter/limiter_provider"),
   ],
 
   /*

diff --git a/backend/app/controllers/auth_controller.ts b/backend/app/controllers/auth_controller.ts
@@ -1,65 +1,149 @@
-import assert from "node:assert";
+import { DateTime } from "luxon";
+import crypto from "node:crypto";
 
 import { HttpContext } from "@adonisjs/core/http";
+import mail from "@adonisjs/mail/services/main";
 
 import User from "#models/user";
+import { getOtpValidator, verifyOtpValidator } from "#validators/otp";
 
 import { createClient } from "../usos/usos_client.js";
 
 export default class AuthController {
-  async store({ request, response, auth }: HttpContext) {
-    /**
-     * Step 1: Get credentials from the request body
-     */
+  async loginWithUSOS({ request, response, auth }: HttpContext) {
     const { accessToken, accessSecret } = request.only([
       "accessToken",
       "accessSecret",
     ]) as { accessToken: string; accessSecret: string };
-    try {
-      const usosClient = createClient({
-        token: accessToken,
-        secret: accessSecret,
+    const usosClient = createClient({
+      token: accessToken,
+      secret: accessSecret,
+    });
+    const profile = await usosClient.get<{
+      id: string;
+      student_number: string;
+      first_name: string;
+      last_name: string;
+      photo_urls: Record<string, string>;
+    }>("users/user?fields=id|student_number|first_name|last_name|photo_urls");
+    const user = await User.updateOrCreate(
+      { studentNumber: profile.student_number },
+      {
+        usosId: profile.id,
+        firstName: profile.first_name,
+        lastName: profile.last_name,
+        avatar: profile.photo_urls["50x50"],
+        verified: true,
+      },
+    );
+
+    await auth.use("jwt").generate(user);
+
+    return response.ok({
+      ...user.serialize(),
+    });
+  }
+
+  async getOTP({ request, response }: HttpContext) {
+    const data = request.all();
+    const { email } = await getOtpValidator.validate(data);
+    const studentNumber = email.split("@")[0];
+    let user = await User.findBy("studentNumber", studentNumber);
+    if (user === null) {
+      user = await User.create({
+        usos_id: "",
+        studentNumber,
+        firstName: "",
+        lastName: "",
+        avatar: "",
+        verified: false,
       });
-      const profile = await usosClient.get<{
-        id: string;
-        student_number: string;
-        first_name: string;
-        last_name: string;
-      }>("users/user?fields=id|student_number|first_name|last_name");
-      let user = await User.findBy("usos_id", profile.id);
-      if (user === null) {
-        user = await User.create({
-          usos_id: profile.id,
-          studentNumber: profile.student_number,
-          firstName: profile.first_name,
-          lastName: profile.last_name,
-        });
-      }
+    }
 
-      await auth.use("jwt").generate(user);
+    const otp = crypto.randomInt(100000, 999999);
+    user.otpCode = otp.toString();
+    user.otpAttempts = 0;
+    user.otpExpire = DateTime.now().plus({ minutes: 15 });
+    await user.save();
 
-      return response.ok({
-        ...user.serialize(),
+    await mail.send((message) => {
+      message
+        .from("Solvro Planer <planer@solvro.pl>")
+        .to(email)
+        .subject("Zweryfikuj adres email")
+        .text(`Twój kod weryfikacyjny to: ${otp}`)
+        .html(`<h1>Twój kod weryfikacyjny to: ${otp}</h1>`);
+    });
+
+    return response.ok({
+      success: true,
+      message: "Wysłano kod weryfikacyjny",
+    });
+  }
+
+  async verifyOTP({ request, response, auth }: HttpContext) {
+    const data = request.all();
+    const { email, otp } = await verifyOtpValidator.validate(data);
+    const user = await User.query()
+      .where("studentNumber", email.split("@")[0])
+      .where("otp_expire", ">", new Date())
+      .first();
+    if (user === null) {
+      return response.unauthorized({
+        message: "Logowanie nieudane.",
+        error: "Invalid OTP",
       });
-    } catch (error) {
-      assert(error instanceof Error);
+    }
+
+    if (user.blocked) {
       return response.unauthorized({
-        message: "Login failed.",
-        error: error.message,
+        message:
+          "Twoje konto zostało zablokowane na logowanie OTP. Skontaktuj się z administratorem.",
+        error: "User is blocked",
       });
     }
-  }
-  async destroy({ response }: HttpContext) {
-    try {
-      response.clearCookie("token");
-
-      return response.ok({ message: "Successfully logged out" });
-    } catch (error) {
-      assert(error instanceof Error);
-      return response.internalServerError({
-        message: "Logout failed",
-        error: error.message,
+
+    if (user.otpCode !== otp.toString()) {
+      user.otpAttempts += 1;
+      await user.save();
+      if (user.otpAttempts >= 5) {
+        user.otpCode = null;
+        user.otpExpire = null;
+        user.blocked = true;
+        await user.save();
+        return response.unauthorized({
+          message:
+            "Logowanie nieudane. Twoje konto zostało zablokowane na logowanie poprzez OTP.",
+          error: "Too many attempts",
+        });
+      }
+      return response.unauthorized({
+        message: "Logowanie nieudane.",
+        error: "Invalid OTP",
       });
     }
+
+    await auth.use("jwt").generate(user);
+
+    let isNewAccount = false;
+    if (user.verified === false) {
+      isNewAccount = true;
+    }
+    user.verified = true;
+    user.otpCode = null;
+    user.otpExpire = null;
+    await user.save();
+
+    return response.ok({
+      success: true,
+      user: user.serialize(),
+      isNewAccount,
+    });
+  }
+
+  async logout({ response }: HttpContext) {
+    response.clearCookie("token");
+
+    return response.ok({ message: "Successfully logged out" });
   }
 }
diff --git a/backend/app/exceptions/handler.ts b/backend/app/exceptions/handler.ts
@@ -13,6 +13,12 @@ export default class HttpExceptionHandler extends ExceptionHandler {
    * response to the client
    */
   async handle(error: unknown, ctx: HttpContext) {
+    if (error instanceof Error) {
+      return ctx.response.status(500).send({
+        message: "Internal server error",
+        error: error.message,
+      });
+    }
     return super.handle(error, ctx);
   }
 

diff --git a/backend/app/models/user.ts b/backend/app/models/user.ts
@@ -26,8 +26,21 @@ export default class User extends compose(BaseModel, AuthFinder) {
   @column()
   declare studentNumber: string;
   @column()
+  declare avatar: string | null;
+  @column()
   declare allowNotifications: boolean;
 
+  @column()
+  declare otpCode: string | null;
+  @column()
+  declare otpAttempts: number;
+  @column()
+  declare otpExpire: DateTime | null;
+  @column()
+  declare verified: boolean;
+  @column()
+  declare blocked: boolean;
+
   @hasMany(() => Schedule)
   declare schedules: HasMany<typeof Schedule>;
 

diff --git a/backend/app/validators/otp.ts b/backend/app/validators/otp.ts
@@ -0,0 +1,14 @@
+import vine from "@vinejs/vine";
+
+export const getOtpValidator = vine.compile(
+  vine.object({
+    email: vine.string().email().endsWith("@student.pwr.edu.pl"),
+  }),
+);
+
+export const verifyOtpValidator = vine.compile(
+  vine.object({
+    email: vine.string().email().endsWith("@student.pwr.edu.pl"),
+    otp: vine.string().fixedLength(6),
+  }),
+);
diff --git a/backend/app/validators/user.ts b/backend/app/validators/user.ts
@@ -2,6 +2,9 @@ import vine from "@vinejs/vine";
 
 export const createUserValidator = vine.compile(
   vine.object({
-    allowNotifications: vine.boolean(),
+    allowNotifications: vine.boolean().optional(),
+    avatar: vine.string().optional(),
+    firstName: vine.string().optional(),
+    lastName: vine.string().optional(),
   }),
 );
diff --git a/backend/commands/notifications.ts b/backend/commands/notifications.ts
@@ -25,8 +25,10 @@ async function sendEmail(userNotifications: Map<string, string[]>) {
     `;
       await mail.send((message) => {
         message
+          .from("Planer Solvro <planer@solvro.pl>")
           .to(`${studentNumber}@student.pwr.edu.pl`)
-          .subject("Planer - nastąpiły zmiany w twoich planach")
+          .subject("Nastąpiły zmiany w twoich planach")
+          .text("Nastąpiły zmiany w twoich planach")
           .html(htmlContent);
       });
     }

diff --git a/backend/config/limiter.ts b/backend/config/limiter.ts
@@ -0,0 +1,28 @@
+import { defineConfig, stores } from "@adonisjs/limiter";
+
+import env from "#start/env";
+
+const limiterConfig = defineConfig({
+  default: env.get("LIMITER_STORE"),
+  stores: {
+    /**
+     * Database store to save rate limiting data inside a
+     * MYSQL or PostgreSQL database.
+     */
+    database: stores.database({
+      tableName: "rate_limits",
+    }),
+
+    /**
+     * Memory store could be used during
+     * testing
+     */
+    memory: stores.memory({}),
+  },
+});
+
+export default limiterConfig;
+
+declare module "@adonisjs/limiter/types" {
+  export interface LimitersList extends InferLimiters<typeof limiterConfig> {}
+}
diff --git a/backend/config/session.ts b/backend/config/session.ts
@@ -17,7 +17,7 @@ const sessionConfig = defineConfig({
    * Define how long to keep the session data alive without
    * any activity.
    */
-  age: "2h",
+  age: "24h",
 
   /**
    * Configuration for session cookie and the

diff --git a/backend/database/migrations/1739705422939_prepare_users_table_to_otp.ts b/backend/database/migrations/1739705422939_prepare_users_table_to_otp.ts
@@ -0,0 +1,29 @@
+import { BaseSchema } from "@adonisjs/lucid/schema";
+
+export default class extends BaseSchema {
+  protected tableName = "users";
+
+  async up() {
+    this.schema.alterTable(this.tableName, (table) => {
+      table.string("avatar").defaultTo(null);
+      table.boolean("verified").defaultTo(true);
+      table.string("otp_code").defaultTo(null);
+      table.integer("otp_attempts").defaultTo(0);
+      table.dateTime("otp_expire").defaultTo(null);
+      table.boolean("blocked").defaultTo(false);
+      table.dropUnique(["usos_id"]);
+    });
+  }
+
+  async down() {
+    this.schema.alterTable(this.tableName, (table) => {
+      table.dropColumn("avatar");
+      table.dropColumn("verified");
+      table.dropColumn("otp_code");
+      table.dropColumn("otp_attempts");
+      table.dropColumn("otp_expire");
+      table.dropColumn("blocked");
+      table.unique(["usos_id"]);
+    });
+  }
+}
diff --git a/backend/database/migrations/1739748322405_create_rate_limits_table.ts b/backend/database/migrations/1739748322405_create_rate_limits_table.ts
@@ -0,0 +1,17 @@
+import { BaseSchema } from "@adonisjs/lucid/schema";
+
+export default class extends BaseSchema {
+  protected tableName = "rate_limits";
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.string("key", 255).notNullable().primary();
+      table.integer("points", 9).notNullable().defaultTo(0);
+      table.bigint("expire").unsigned();
+    });
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName);
+  }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -44,6 +44,7 @@ export default defineConfig({ @@
         },
         () => import("@adonisjs/mail/mail_provider"),
         () => import("@adonisjs/shield/shield_provider"),
+        () => import("@adonisjs/limiter/limiter_provider"),
       ],
       /*
@@ Expand Down @@