Merge pull request #25 from headlines-toolkit/harden_auth_impl

Harden auth impl

Author: fulleni

.env.example

@@ -6,7 +6,21 @@
 # The application cannot start without a database connection.
 # DATABASE_URL="mongodb://user:password@localhost:27017/ht_api_db"
 
+# REQUIRED: A secure, randomly generated secret for signing JWTs.
+# The application cannot start without this.
+# Generate a secure key using: dart pub global run dcli_scripts create_key
+# JWT_SECRET_KEY="your-super-secret-and-long-jwt-key"
+
 # REQUIRED FOR PRODUCTION: The specific origin URL of your web client.
 # This allows the client (e.g., the HT Dashboard) to make requests to the API.
 # For local development, this can be left unset as 'localhost' is allowed by default.
-# CORS_ALLOWED_ORIGIN="https://your-dashboard.com"
+# CORS_ALLOWED_ORIGIN="https://your-dashboard.com"
+
+# REQUIRED FOR PRODUCTION: The issuer URL for JWTs.
+# Defaults to 'http://localhost:8080' for local development if not set.
+# For production, this MUST be the public URL of your API.
+# JWT_ISSUER="https://api.your-domain.com"
+
+# OPTIONAL: The expiry duration for JWTs in hours.
+# Defaults to 1 hour if not set.
+# JWT_EXPIRY_HOURS="24"

lib/src/config/app_dependencies.dart

@@ -6,6 +6,8 @@ import 'package:ht_api/src/services/dashboard_summary_service.dart';
 import 'package:ht_api/src/services/database_seeding_service.dart';
 import 'package:ht_api/src/services/default_user_preference_limit_service.dart';
 import 'package:ht_api/src/services/jwt_auth_token_service.dart';
+import 'package:ht_api/src/services/mongodb_token_blacklist_service.dart';
+import 'package:ht_api/src/services/mongodb_verification_code_storage_service.dart';
 import 'package:ht_api/src/services/token_blacklist_service.dart';
 import 'package:ht_api/src/services/user_preference_limit_service.dart';
 import 'package:ht_api/src/services/verification_code_storage_service.dart';
@@ -169,15 +171,19 @@ class AppDependencies {
       emailRepository = const HtEmailRepository(emailClient: emailClient);
 
       // 5. Initialize Services
-      tokenBlacklistService = InMemoryTokenBlacklistService(
-        log: Logger('InMemoryTokenBlacklistService'),
+      tokenBlacklistService = MongoDbTokenBlacklistService(
+        connectionManager: _mongoDbConnectionManager,
+        log: Logger('MongoDbTokenBlacklistService'),
       );
       authTokenService = JwtAuthTokenService(
         userRepository: userRepository,
         blacklistService: tokenBlacklistService,
         log: Logger('JwtAuthTokenService'),
       );
-      verificationCodeStorageService = InMemoryVerificationCodeStorageService();
+      verificationCodeStorageService = MongoDbVerificationCodeStorageService(
+        connectionManager: _mongoDbConnectionManager,
+        log: Logger('MongoDbVerificationCodeStorageService'),
+      );
       permissionService = const PermissionService();
       authService = AuthService(
         userRepository: userRepository,

lib/src/config/environment_config.dart

@@ -78,6 +78,24 @@ abstract final class EnvironmentConfig {
     return dbUrl;
   }
 
+  /// Retrieves the JWT secret key from the environment.
+  ///
+  /// The value is read from the `JWT_SECRET_KEY` environment variable.
+  ///
+  /// Throws a [StateError] if the `JWT_SECRET_KEY` environment variable is not
+  /// set, as the application cannot function without it.
+  static String get jwtSecretKey {
+    final jwtKey = _env['JWT_SECRET_KEY'];
+    if (jwtKey == null || jwtKey.isEmpty) {
+      _log.severe('JWT_SECRET_KEY not found in environment variables.');
+      throw StateError(
+        'FATAL: JWT_SECRET_KEY environment variable is not set. '
+        'The application cannot start without a JWT secret.',
+      );
+    }
+    return jwtKey;
+  }
+
   /// Retrieves the current environment mode (e.g., 'development').
   ///
   /// The value is read from the `ENV` environment variable.
@@ -90,4 +108,20 @@ abstract final class EnvironmentConfig {
   /// This is used to configure CORS for production environments.
   /// Returns `null` if the variable is not set.
   static String? get corsAllowedOrigin => _env['CORS_ALLOWED_ORIGIN'];
+
+  /// Retrieves the JWT issuer URL from the environment.
+  ///
+  /// The value is read from the `JWT_ISSUER` environment variable.
+  /// Defaults to 'http://localhost:8080' if not set.
+  static String get jwtIssuer =>
+      _env['JWT_ISSUER'] ?? 'http://localhost:8080';
+
+  /// Retrieves the JWT expiry duration in hours from the environment.
+  ///
+  /// The value is read from the `JWT_EXPIRY_HOURS` environment variable.
+  /// Defaults to 1 hour if not set or if parsing fails.
+  static Duration get jwtExpiryDuration {
+    final hours = int.tryParse(_env['JWT_EXPIRY_HOURS'] ?? '1');
+    return Duration(hours: hours ?? 1);
+  }
 }

lib/src/middlewares/authentication_middleware.dart

@@ -1,6 +1,9 @@
 import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_api/src/services/auth_token_service.dart';
 import 'package:ht_shared/ht_shared.dart';
+import 'package:logging/logging.dart';
+
+final _log = Logger('AuthMiddleware');
 
 /// Middleware to handle authentication by verifying Bearer tokens.
 ///
@@ -17,69 +20,69 @@ import 'package:ht_shared/ht_shared.dart';
 Middleware authenticationProvider() {
   return (handler) {
     return (context) async {
-      print('[AuthMiddleware] Entered.');
+      _log.finer('Entered.');
       // Read the interface type
       AuthTokenService tokenService;
       try {
-        print('[AuthMiddleware] Attempting to read AuthTokenService...');
+        _log.finer('Attempting to read AuthTokenService...');
         tokenService = context.read<AuthTokenService>();
-        print('[AuthMiddleware] Successfully read AuthTokenService.');
+        _log.finer('Successfully read AuthTokenService.');
       } catch (e, s) {
-        print('[AuthMiddleware] FAILED to read AuthTokenService: $e\n$s');
+        _log.severe('FAILED to read AuthTokenService.', e, s);
         // Re-throw the error to be caught by the main error handler
         rethrow;
       }
       User? user;
 
       // Extract the Authorization header
-      print('[AuthMiddleware] Attempting to read Authorization header...');
+      _log.finer('Attempting to read Authorization header...');
       final authHeader = context.request.headers['Authorization'];
-      print('[AuthMiddleware] Authorization header value: $authHeader');
+      _log.finer('Authorization header value: $authHeader');
 
       if (authHeader != null && authHeader.startsWith('Bearer ')) {
         // Extract the token string
         final token = authHeader.substring(7); // Length of 'Bearer '
-        print('[AuthMiddleware] Extracted Bearer token.');
+        _log.finer('Extracted Bearer token.');
         try {
-          print('[AuthMiddleware] Attempting to validate token...');
+          _log.finer('Attempting to validate token...');
           // Validate the token using the service
           user = await tokenService.validateToken(token);
-          print(
-            '[AuthMiddleware] Token validation returned: ${user?.id ?? 'null'}',
+          _log.finer(
+            'Token validation returned: ${user?.id ?? 'null'}',
           );
           if (user != null) {
-            print(
-              '[AuthMiddleware] Authentication successful for user: ${user.id}',
-            );
+            _log.info('Authentication successful for user: ${user.id}');
           } else {
-            print(
-              '[AuthMiddleware] Invalid token provided (validateToken returned null).',
+            _log.warning(
+              'Invalid token provided (validateToken returned null).',
             );
             // Optional: Could throw UnauthorizedException here if *all* routes
             // using this middleware strictly require a valid token.
             // However, providing null allows routes to handle optional auth.
           }
         } on HtHttpException catch (e) {
           // Log token validation errors from the service
-          print('Token validation failed: $e');
+          _log.warning('Token validation failed.', e);
           // Let the error propagate if needed, or handle specific cases.
           // For now, we treat validation errors as resulting in no user.
           user = null; // Keep user null if HtHttpException occurred
         } catch (e, s) {
           // Catch unexpected errors during validation
-          print(
-            '[AuthMiddleware] Unexpected error during token validation: $e\n$s',
+          _log.severe(
+            'Unexpected error during token validation.',
+            e,
+            s,
           );
           user = null; // Keep user null if unexpected error occurred
         }
       } else {
-        print('[AuthMiddleware] No valid Bearer token found in header.');
+        _log.finer('No valid Bearer token found in header.');
       }
 
       // Provide the User object (or null) into the context
       // This makes `context.read<User?>()` available downstream.
-      print(
-        '[AuthMiddleware] Providing User (${user?.id ?? 'null'}) to context.',
+      _log.finer(
+        'Providing User (${user?.id ?? 'null'}) to context.',
       );
       return handler(context.provide<User?>(() => user));
     };
@@ -96,14 +99,14 @@ Middleware requireAuthentication() {
     return (context) {
       final user = context.read<User?>();
       if (user == null) {
-        print(
+        _log.warning(
           'Authentication required but no valid user found. Denying access.',
         );
         // Throwing allows the central errorHandler to create the 401 response.
         throw const UnauthorizedException('Authentication required.');
       }
       // If user exists, proceed to the handler
-      print('Authentication check passed for user: ${user.id}');
+      _log.info('Authentication check passed for user: ${user.id}');
       return handler(context.provide<User>(() => user));
     };
   };

lib/src/middlewares/authorization_middleware.dart

@@ -2,6 +2,9 @@ import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_api/src/rbac/permission_service.dart';
 import 'package:ht_api/src/registry/model_registry.dart';
 import 'package:ht_shared/ht_shared.dart';
+import 'package:logging/logging.dart';
+
+final _log = Logger('AuthorizationMiddleware');
 
 /// {@template authorization_middleware}
 /// Middleware to enforce role-based permissions and model-specific access rules.
@@ -81,9 +84,9 @@ Middleware authorizationMiddleware() {
           final permission = requiredPermissionConfig.permission;
           if (permission == null) {
             // This indicates a configuration error in ModelRegistry
-            print(
-              '[AuthorizationMiddleware] Configuration Error: specificPermission '
-              'type requires a permission string for model "$modelName", method "$method".',
+            _log.severe(
+              'Configuration Error: specificPermission type requires a '
+              'permission string for model "$modelName", method "$method".',
             );
             throw const OperationFailedException(
               'Internal Server Error: Authorization configuration error.',
@@ -97,9 +100,9 @@ Middleware authorizationMiddleware() {
         case RequiredPermissionType.unsupported:
           // This action is explicitly marked as not supported via this generic route.
           // Return Method Not Allowed.
-          print(
-            '[AuthorizationMiddleware] Action for model "$modelName", method "$method" '
-            'is marked as unsupported via generic route.',
+          _log.warning(
+            'Action for model "$modelName", method "$method" is marked as '
+            'unsupported via generic route.',
           );
           // Throw ForbiddenException to be caught by the errorHandler
           throw ForbiddenException(

lib/src/middlewares/error_handler.dart

@@ -7,6 +7,9 @@ import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_api/src/config/environment_config.dart';
 import 'package:ht_shared/ht_shared.dart';
 import 'package:json_annotation/json_annotation.dart';
+import 'package:logging/logging.dart';
+
+final _log = Logger('ErrorHandler');
 
 /// Middleware that catches errors and converts them into
 /// standardized JSON responses.
@@ -20,7 +23,7 @@ Middleware errorHandler() {
       } on HtHttpException catch (e, stackTrace) {
         // Handle specific HtHttpExceptions from the client/repository layers
         final statusCode = _mapExceptionToStatusCode(e);
-        print('HtHttpException Caught: $e\n$stackTrace'); // Log for debugging
+        _log.warning('HtHttpException Caught', e, stackTrace);
         return _jsonErrorResponse(
           statusCode: statusCode,
           exception: e,
@@ -32,23 +35,23 @@ Middleware errorHandler() {
         final message =
             'Invalid request body: Field "$field" has an '
             'invalid value or is missing. ${e.message}';
-        print('CheckedFromJsonException Caught: $e\n$stackTrace');
+        _log.warning('CheckedFromJsonException Caught', e, stackTrace);
         return _jsonErrorResponse(
           statusCode: HttpStatus.badRequest, // 400
           exception: InvalidInputException(message),
           context: context,
         );
       } on FormatException catch (e, stackTrace) {
         // Handle data format/parsing errors (often indicates bad client input)
-        print('FormatException Caught: $e\n$stackTrace'); // Log for debugging
+        _log.warning('FormatException Caught', e, stackTrace);
         return _jsonErrorResponse(
           statusCode: HttpStatus.badRequest, // 400
           exception: InvalidInputException('Invalid data format: ${e.message}'),
           context: context,
         );
       } catch (e, stackTrace) {
         // Handle any other unexpected errors
-        print('Unhandled Exception Caught: $e\n$stackTrace');
+        _log.severe('Unhandled Exception Caught', e, stackTrace);
         return _jsonErrorResponse(
           statusCode: HttpStatus.internalServerError, // 500
           exception: const UnknownException(

lib/src/services/database_seeding_service.dart

@@ -1,3 +1,5 @@
+import 'package:ht_api/src/services/mongodb_token_blacklist_service.dart';
+import 'package:ht_api/src/services/mongodb_verification_code_storage_service.dart';
 import 'package:ht_shared/ht_shared.dart';
 import 'package:logging/logging.dart';
 import 'package:mongo_dart/mongo_dart.dart';
@@ -143,6 +145,48 @@ class DatabaseSeedingService {
         name: 'sources_text_index',
       );
 
+      // --- TTL and Unique Indexes via runCommand ---
+      // The following indexes are created using the generic `runCommand` because
+      // they require specific options not exposed by the simpler `createIndex`
+      // helper method in the `mongo_dart` library.
+      // Specifically, `expireAfterSeconds` is needed for TTL indexes.
+
+      // Indexes for the verification codes collection
+      await _db.runCommand({
+        'createIndexes': kVerificationCodesCollection,
+        'indexes': [
+          {
+            // This is a TTL (Time-To-Live) index. MongoDB will automatically
+            // delete documents from this collection when the `expiresAt` field's
+            // value is older than the specified number of seconds (0).
+            'key': {'expiresAt': 1},
+            'name': 'expiresAt_ttl_index',
+            'expireAfterSeconds': 0,
+          },
+          {
+            // This ensures that each email can only have one pending
+            // verification code at a time, preventing duplicates.
+            'key': {'email': 1},
+            'name': 'email_unique_index',
+            'unique': true,
+          }
+        ]
+      });
+
+      // Index for the token blacklist collection
+      await _db.runCommand({
+        'createIndexes': kBlacklistedTokensCollection,
+        'indexes': [
+          {
+            // This is a TTL index. MongoDB will automatically delete documents
+            // (blacklisted tokens) when the `expiry` field's value is past.
+            'key': {'expiry': 1},
+            'name': 'expiry_ttl_index',
+            'expireAfterSeconds': 0,
+          }
+        ]
+      });
+
       _log.info('Database indexes are set up correctly.');
     } on Exception catch (e, s) {
       _log.severe('Failed to create database indexes.', e, s);