feat: add api for magic links

Author: AlbanSdl

.gitignore

@@ -11,4 +11,5 @@ next-env.d.ts
 .env.prod
 *.pem
 *.mjs
-*.xml
+*.xml
+*.patch

api/.env.dist

@@ -12,4 +12,12 @@ SALT_ROUNDS=10
 
 CRYPTO_PUBLIC_KEY=
 BALANCE_MIN_VALUE=1
-LOCKER_SERVICE_KEY=
+LOCKER_SERVICE_KEY=
+
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM=
+FRONT_URL=https://buck.utt.fr/
+MAGIC_LINK_VALIDITY=3600000

api/package.json

@@ -34,6 +34,7 @@
     "fast-xml-parser": "^5.0.9",
     "file-type": "^20.4.1",
     "multer": "1.4.5-lts.2",
+    "nodemailer": "^6.10.0",
     "pactum-matchers": "^1.1.6",
     "passport-jwt": "^4.0.1",
     "prisma": "^6.5.0",
@@ -51,6 +52,7 @@
     "@types/multer": "^1.4.11",
     "@types/mysql": "^2.15.27",
     "@types/node": "22.13.13",
+    "@types/nodemailer": "^6.4.17",
     "@types/passport-jwt": "^4.0.1",
     "@types/pdfkit": "^0.13.9",
     "@typescript-eslint/eslint-plugin": "^8.28.0",

api/pnpm-lock.yaml

@@ -7,18 +7,28 @@ datasource db {
   url      = env("DATABASE_URL")
 }
 
+model MagicLink {
+  token         String    @id @default(uuid())
+  createdAt     DateTime  @default(now())
+  usedAt        DateTime?
+  userId        String
+  originatingIp String
+  user          User      @relation(fields: [userId], references: [id])
+}
+
 model User {
-  id            String    @id
-  type          UserType  @default(USER)
-  email         String    @unique
+  id            String      @id
+  type          UserType    @default(USER)
+  email         String      @unique
   pwdHash       String
   firstName     String
   lastName      String
   balance       Int
   processed     DateTime?
-  iban          String?   @db.Text
-  ibanFoolproof String?   @db.Char(4)
-  locker        String?   @db.Text
+  iban          String?     @db.Text
+  ibanFoolproof String?     @db.Char(4)
+  locker        String?     @db.Text
+  magicLinks    MagicLink[]
 }
 
 model ReportProperty {

api/prisma/schema.prisma

@@ -7,9 +7,10 @@ import { JwtGuard } from './auth/guard';
 import { ConfigModule } from './config/config.module';
 import { HttpModule } from './http/http.module';
 import { AdminModule } from './admin/admin.module';
+import { MailModule } from './mails/mail.module';
 
 @Module({
-  imports: [ConfigModule, HttpModule, PrismaModule, AuthModule, UsersModule, AdminModule],
+  imports: [ConfigModule, HttpModule, PrismaModule, MailModule, AuthModule, UsersModule, AdminModule],
   // The providers below are used for all the routes of the api.
   // For example, the JwtGuard is used for all the routes and checks whether the user is authenticated.
   providers: [

api/src/app.module.ts

@@ -1,4 +1,4 @@
-import { Body, Controller, Get, Headers, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Headers, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { AuthService } from './auth.service';
 import AuthSignInReqDto from './dto/req/auth-sign-in-req.dto';
 import { IsPublic } from './decorator';
@@ -8,6 +8,8 @@ import AccessTokenResponse from './dto/res/access-token-res.dto';
 import TokenValidityResDto from './dto/res/token-validity-res.dto';
 import { ApiAppErrorResponse } from '../app.dto';
 import { ConfigModule } from '../config/config.module';
+import AuthCreateMagicDto from './dto/req/auth-create-magic.dto';
+import AuthDeleteMagicDto from './dto/req/auth-delete-magic.dto';
 
 @Controller('auth')
 @ApiTags('Authentication')
@@ -84,4 +86,39 @@ export class AuthController {
       operation: user ? (user.type === 'ADMIN' ? 'administrate' : 'refund') : false,
     };
   }
+
+  @HttpCode(HttpStatus.OK)
+  @IsPublic()
+  @Post('magic')
+  @ApiOperation({
+    description: 'Generates a magic link for the user. This link should be sent to the user by email.',
+  })
+  @ApiBody({ type: AuthCreateMagicDto })
+  async generateMagicLink(@Body() dto: AuthCreateMagicDto, @Headers() { 'X-Forwarded-for': ip }): Promise<void> {
+    const linkData = await this.authService.generateMagicLink(dto.login, ip);
+    if (!linkData) throw new AppException(ERROR_CODE.INVALID_CREDENTIALS);
+    await this.authService.sendMagicLink(dto.login, linkData.code, linkData.name);
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @IsPublic()
+  @Delete('magic')
+  @ApiOperation({
+    description: 'Consumes/Deletes the magic link.',
+  })
+  @ApiBody({ type: AuthDeleteMagicDto })
+  async consumeMagicLink(@Body() dto: AuthDeleteMagicDto): Promise<AccessTokenResponse> {
+    const { token, id } = (await this.authService.consumeMagicLink(dto.spell)) ?? {};
+    if (!token) throw new AppException(ERROR_CODE.INVALID_CREDENTIALS);
+    const user = id ? await this.authService.getUser(id) : undefined;
+    return {
+      access_token: token,
+      currentBalance: user.balance,
+      firstName: user.firstName,
+      paymentMethodRegistered: user.iban ? user.ibanFoolproof : null,
+      processed: !!user.processed,
+      eligible: user.balance >= this.config.BALANCE_MIN_VALUE,
+      operation: user.type === 'ADMIN' ? 'administrate' : 'refund',
+    };
+  }
 }

api/src/auth/auth.controller.ts

@@ -4,10 +4,16 @@ import * as bcrypt from 'bcryptjs';
 import { JwtService } from '@nestjs/jwt';
 import { ConfigModule } from '../config/config.module';
 import AuthSignInReqDto from './dto/req/auth-sign-in-req.dto';
+import { MailService } from '../mails/mail.service';
 
 @Injectable()
 export class AuthService {
-  constructor(private prisma: PrismaService, private jwt: JwtService, private config: ConfigModule) {}
+  constructor(
+    private prisma: PrismaService,
+    private jwt: JwtService,
+    private mail: MailService,
+    private config: ConfigModule,
+  ) {}
 
   /**
    * Verifies the credentials are right.
@@ -75,4 +81,64 @@ export class AuthService {
       },
     });
   }
+
+  async generateMagicLink(email: string, ip: string): Promise<{ code: string; name: string } | null> {
+    try {
+      const link = await this.prisma.magicLink.create({
+        data: {
+          user: {
+            connect: {
+              email,
+            },
+          },
+          originatingIp: ip,
+        },
+        select: {
+          token: true,
+          user: {
+            select: {
+              firstName: true,
+            },
+          },
+        },
+      });
+      return { code: link.token.replaceAll('-', '').toUpperCase(), name: link.user.firstName };
+    } catch {
+      // User does not exist, silent the error
+      return null;
+    }
+  }
+
+  async sendMagicLink(email: string, token: string, name: string): Promise<void> {
+    return this.mail.sendGeneric({
+      recipient: email,
+      title: 'Accès à ton compte BuckUTT',
+      content: `<h2>Bonjour ${name},</h2><p>Voici le lien pour accéder à ton compte BuckUTT : <a href="${this.config.FRONT_URL}/magic?spell=${token}">${this.config.FRONT_URL}/magic?spell=${token}</a></p><p>Le lien est valide pendant ${this.config.MAGIC_LINK_VALIDITY / 60000} minutes. Si tu n'as pas demandé ce lien, ignore ce message.</p><p>À bientôt !</p>`,
+    });
+  }
+
+  async consumeMagicLink(token: string): Promise<{ token: string; id: string } | null> {
+    const link = await this.prisma.magicLink.update({
+      data: {
+        usedAt: new Date(),
+      },
+      where: {
+        usedAt: null,
+        token,
+        createdAt: {
+          gte: new Date(Date.now() - this.config.MAGIC_LINK_VALIDITY),
+        },
+      },
+      select: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+          },
+        },
+      },
+    });
+    if (!link) return null;
+    return { token: await this.signToken(link.user.id, link.user.email), id: link.user.id };
+  }
 }

api/src/auth/auth.service.ts

@@ -0,0 +1,7 @@
+import { IsEmail, IsNotEmpty } from 'class-validator';
+
+export default class AuthCreateMagicDto {
+  @IsNotEmpty()
+  @IsEmail()
+  login: string;
+}

api/src/auth/dto/req/auth-create-magic.dto.ts

@@ -0,0 +1,7 @@
+import { IsAscii, IsNotEmpty } from 'class-validator';
+
+export default class AuthDeleteMagicDto {
+  @IsNotEmpty()
+  @IsAscii()
+  spell: string;
+}