-

2025-09-01 18:26:44 -04:00
parent 74b2d75dbc
commit 3e3ade75e5
31 changed files with 1678 additions and 191 deletions
--- a/user/internal/repository/interfaces/interfaces.go
+++ b/user/internal/repository/interfaces/interfaces.go
@ -2,6 +2,7 @@ package interfaces

 import (
 	"context"
+	"time"

 	"github.com/google/uuid"
 	"github.com/RyanCopley/skybridge/user/internal/domain"
@ -35,6 +36,14 @@ type UserRepository interface {
 	
 	// ExistsByEmail checks if a user exists with the given email
 	ExistsByEmail(ctx context.Context, email string) (bool, error)
+	
+	// Security methods
+	IncrementFailedAttempts(ctx context.Context, userID uuid.UUID, lockoutDuration time.Duration) error
+	ResetFailedAttempts(ctx context.Context, userID uuid.UUID) error
+	GetFailedAttempts(ctx context.Context, userID uuid.UUID) (int, *time.Time, error)
+	SetEmailVerified(ctx context.Context, userID uuid.UUID, verified bool) error
+	UpdatePassword(ctx context.Context, userID uuid.UUID, passwordHash string) error
+	UpdateTwoFactorSettings(ctx context.Context, userID uuid.UUID, enabled bool, secret *string, backupCodes []string) error
 }

 // UserProfileRepository defines the interface for user profile operations
@ -126,4 +135,39 @@ type GetEventsResponse struct {
 	Limit   int          `json:"limit"`
 	Offset  int          `json:"offset"`
 	HasMore bool         `json:"has_more"`
+}
+
+// PasswordResetTokenRepository defines the interface for password reset token operations
+type PasswordResetTokenRepository interface {
+	Create(ctx context.Context, token *domain.PasswordResetToken) error
+	GetByToken(ctx context.Context, token string) (*domain.PasswordResetToken, error)
+	MarkAsUsed(ctx context.Context, tokenID uuid.UUID) error
+	DeleteExpired(ctx context.Context) error
+	DeleteByUserID(ctx context.Context, userID uuid.UUID) error
+}
+
+// EmailVerificationTokenRepository defines the interface for email verification token operations
+type EmailVerificationTokenRepository interface {
+	Create(ctx context.Context, token *domain.EmailVerificationToken) error
+	GetByToken(ctx context.Context, token string) (*domain.EmailVerificationToken, error)
+	MarkAsUsed(ctx context.Context, tokenID uuid.UUID) error
+	DeleteExpired(ctx context.Context) error
+	DeleteByUserID(ctx context.Context, userID uuid.UUID) error
+}
+
+// LoginAttemptRepository defines the interface for login attempt tracking
+type LoginAttemptRepository interface {
+	Create(ctx context.Context, attempt *domain.LoginAttempt) error
+	GetRecentAttempts(ctx context.Context, email string, since time.Time) ([]domain.LoginAttempt, error)
+	GetFailedAttemptsCount(ctx context.Context, email string, since time.Time) (int, error)
+	DeleteOldAttempts(ctx context.Context, before time.Time) error
+}
+
+// TwoFactorRecoveryCodeRepository defines the interface for 2FA recovery code operations
+type TwoFactorRecoveryCodeRepository interface {
+	Create(ctx context.Context, codes []domain.TwoFactorRecoveryCode) error
+	GetByUserID(ctx context.Context, userID uuid.UUID) ([]domain.TwoFactorRecoveryCode, error)
+	MarkAsUsed(ctx context.Context, codeID uuid.UUID) error
+	DeleteByUserID(ctx context.Context, userID uuid.UUID) error
+	ValidateCode(ctx context.Context, userID uuid.UUID, codeHash string) (bool, error)
 }
--- a/user/internal/repository/postgres/user_repository.go
+++ b/user/internal/repository/postgres/user_repository.go
@ -28,10 +28,16 @@ func (r *userRepository) Create(ctx context.Context, user *domain.User) error {
 	query := `
 		INSERT INTO users (
 			id, email, first_name, last_name, display_name, avatar, 
-			role, status, created_at, updated_at, created_by, updated_by
+			role, status, password_hash, password_salt, email_verified, 
+			email_verification_token, email_verification_expires_at,
+			two_factor_enabled, two_factor_secret, two_factor_backup_codes,
+			created_at, updated_at, created_by, updated_by
 		) VALUES (
 			:id, :email, :first_name, :last_name, :display_name, :avatar,
-			:role, :status, :created_at, :updated_at, :created_by, :updated_by
+			:role, :status, :password_hash, :password_salt, :email_verified,
+			:email_verification_token, :email_verification_expires_at,
+			:two_factor_enabled, :two_factor_secret, :two_factor_backup_codes,
+			:created_at, :updated_at, :created_by, :updated_by
 		)`

 	if user.ID == uuid.Nil {
@ -58,7 +64,11 @@ func (r *userRepository) Create(ctx context.Context, user *domain.User) error {
 func (r *userRepository) GetByID(ctx context.Context, id uuid.UUID) (*domain.User, error) {
 	query := `
 		SELECT id, email, first_name, last_name, display_name, avatar,
-		       role, status, last_login_at, created_at, updated_at, created_by, updated_by
+		       role, status, last_login_at, password_hash, password_salt,
+		       email_verified, email_verification_token, email_verification_expires_at,
+		       password_reset_token, password_reset_expires_at, failed_login_attempts,
+		       locked_until, two_factor_enabled, two_factor_secret, two_factor_backup_codes,
+		       last_password_change, created_at, updated_at, created_by, updated_by
 		FROM users 
 		WHERE id = $1`

@ -77,7 +87,11 @@ func (r *userRepository) GetByID(ctx context.Context, id uuid.UUID) (*domain.Use
 func (r *userRepository) GetByEmail(ctx context.Context, email string) (*domain.User, error) {
 	query := `
 		SELECT id, email, first_name, last_name, display_name, avatar,
-		       role, status, last_login_at, created_at, updated_at, created_by, updated_by
+		       role, status, last_login_at, password_hash, password_salt,
+		       email_verified, email_verification_token, email_verification_expires_at,
+		       password_reset_token, password_reset_expires_at, failed_login_attempts,
+		       locked_until, two_factor_enabled, two_factor_secret, two_factor_backup_codes,
+		       last_password_change, created_at, updated_at, created_by, updated_by
 		FROM users 
 		WHERE email = $1`

@ -302,4 +316,133 @@ func (r *userRepository) ExistsByEmail(ctx context.Context, email string) (bool,
 	}

 	return exists, nil
+}
+
+// Security methods
+
+func (r *userRepository) IncrementFailedAttempts(ctx context.Context, userID uuid.UUID, lockoutDuration time.Duration) error {
+	query := `
+		UPDATE users SET 
+			failed_login_attempts = failed_login_attempts + 1,
+			locked_until = CASE 
+				WHEN failed_login_attempts + 1 >= 5 THEN $2
+				ELSE locked_until
+			END,
+			updated_at = $3
+		WHERE id = $1`
+
+	_, err := r.db.ExecContext(ctx, query, userID, time.Now().Add(lockoutDuration), time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to increment failed attempts: %w", err)
+	}
+
+	return nil
+}
+
+func (r *userRepository) ResetFailedAttempts(ctx context.Context, userID uuid.UUID) error {
+	query := `
+		UPDATE users SET 
+			failed_login_attempts = 0,
+			locked_until = NULL,
+			updated_at = $2
+		WHERE id = $1`
+
+	_, err := r.db.ExecContext(ctx, query, userID, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to reset failed attempts: %w", err)
+	}
+
+	return nil
+}
+
+func (r *userRepository) GetFailedAttempts(ctx context.Context, userID uuid.UUID) (int, *time.Time, error) {
+	query := `SELECT failed_login_attempts, locked_until FROM users WHERE id = $1`
+
+	var attempts int
+	var lockedUntil *time.Time
+	err := r.db.QueryRowContext(ctx, query, userID).Scan(&attempts, &lockedUntil)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return 0, nil, fmt.Errorf("user not found")
+		}
+		return 0, nil, fmt.Errorf("failed to get failed attempts: %w", err)
+	}
+
+	return attempts, lockedUntil, nil
+}
+
+func (r *userRepository) SetEmailVerified(ctx context.Context, userID uuid.UUID, verified bool) error {
+	query := `
+		UPDATE users SET 
+			email_verified = $2,
+			email_verification_token = NULL,
+			email_verification_expires_at = NULL,
+			updated_at = $3
+		WHERE id = $1`
+
+	result, err := r.db.ExecContext(ctx, query, userID, verified, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to set email verified: %w", err)
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get affected rows: %w", err)
+	}
+	if rowsAffected == 0 {
+		return fmt.Errorf("user not found")
+	}
+
+	return nil
+}
+
+func (r *userRepository) UpdatePassword(ctx context.Context, userID uuid.UUID, passwordHash string) error {
+	query := `
+		UPDATE users SET 
+			password_hash = $2,
+			last_password_change = $3,
+			password_reset_token = NULL,
+			password_reset_expires_at = NULL,
+			updated_at = $3
+		WHERE id = $1`
+
+	result, err := r.db.ExecContext(ctx, query, userID, passwordHash, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to update password: %w", err)
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get affected rows: %w", err)
+	}
+	if rowsAffected == 0 {
+		return fmt.Errorf("user not found")
+	}
+
+	return nil
+}
+
+func (r *userRepository) UpdateTwoFactorSettings(ctx context.Context, userID uuid.UUID, enabled bool, secret *string, backupCodes []string) error {
+	query := `
+		UPDATE users SET 
+			two_factor_enabled = $2,
+			two_factor_secret = $3,
+			two_factor_backup_codes = $4,
+			updated_at = $5
+		WHERE id = $1`
+
+	result, err := r.db.ExecContext(ctx, query, userID, enabled, secret, pq.Array(backupCodes), time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to update two factor settings: %w", err)
+	}
+
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get affected rows: %w", err)
+	}
+	if rowsAffected == 0 {
+		return fmt.Errorf("user not found")
+	}
+
+	return nil
 }