feat(auth): Implement email verification using SendGrid

Add email verification system for local authentication strategy:

- Add SendGrid integration for sending verification emails
- Require email verification before allowing login
- Add verification token and expiry fields to User schema
- Implement verification endpoints (/verify-email and /resend-verification)
- Add rate limiting for verification email requests
- Add debug email routes for development environment
- Update registration flow to send verification email
- Add error handling for verification-related errors

BREAKING CHANGE: Local authentication now requires email verification before login

Author: foyzulkarim

package-lock.json

@@ -25,6 +25,7 @@
   "license": "ISC",
   "dependencies": {
     "@octokit/rest": "^20.1.1",
+    "@sendgrid/mail": "^8.1.4",
     "bcrypt": "^5.1.1",
     "compression": "^1.7.4",
     "connect-mongo": "^5.1.0",

package.json

@@ -5,7 +5,7 @@ const {
   getGitHubStrategy,
   getOrCreateUserFromGitHubProfile,
 } = require('./githubStrategy');
-const { localStrategy, registerUser } = require('./localStrategy');
+const { localStrategy, registerUser, verifyEmail, resendVerificationEmail } = require('./localStrategy');
 const {
   getGoogleStrategy,
   getOrCreateUserFromGoogleProfile,
@@ -29,4 +29,6 @@ module.exports = {
   registerUser,
   getGoogleStrategy,
   getOrCreateUserFromGoogleProfile,
+  verifyEmail,
+  resendVerificationEmail,
 };

src/auth/index.js

@@ -1,28 +1,38 @@
 const LocalStrategy = require('passport-local').Strategy;
 const bcrypt = require('bcrypt');
+const crypto = require('crypto');
 const {
   getByUsername,
   getByEmail,
   create,
+  updateById,
+  findByVerificationToken,
+  refreshVerificationToken,
 } = require('../domains/user/service');
 const { AppError } = require('../libraries/error-handling/AppError');
+const { sendVerificationEmail } = require('../libraries/email/emailService');
 
 const verifyCallback = async (username, password, done) => {
   try {
     // Find user by email (since we're using email as username)
     const user = await getByEmail(username);
-    
+
     if (!user) {
       return done(null, false, { message: 'Incorrect email.' });
     }
 
     // Verify this is a local auth user
     if (user.authType !== 'local') {
-      return done(null, false, { 
-        message: `Please use ${user.authType} authentication for this account.` 
+      return done(null, false, {
+        message: `Please use ${user.authType} authentication for this account.`
       });
     }
 
+    // Check if email is verified
+    if (!user.isVerified) {
+      return done(null, false, { message: 'Please verify your email address before signing in.', reason: 'email-not-verified' });
+    }
+
     // Verify password
     const isValidPassword = await bcrypt.compare(password, user.local.password);
     if (!isValidPassword) {
@@ -40,6 +50,10 @@ const verifyCallback = async (username, password, done) => {
   }
 };
 
+const generateVerificationToken = () => {
+  return crypto.randomBytes(32).toString('hex');
+};
+
 const registerUser = async ({ email, password }) => {
   try {
     // Check if user already exists
@@ -52,23 +66,32 @@ const registerUser = async ({ email, password }) => {
     const salt = await bcrypt.genSalt(10);
     const hashedPassword = await bcrypt.hash(password, salt);
 
+    // Generate verification token
+    const verificationToken = generateVerificationToken();
+    const verificationTokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours from now
+
     // Create user payload matching new schema structure
     const payload = {
       email,
       displayName: email,
-      authType: 'local', // Specify auth type
+      authType: 'local',
       local: {
         username: email,
         password: hashedPassword,
       },
       isDemo: false,
       isVerified: false,
       isAdmin: false,
+      verificationToken,
+      verificationTokenExpiry,
     };
 
     // Create the user
     const newUser = await create(payload);
 
+    // Send verification email
+    await sendVerificationEmail(email, verificationToken);
+
     // Prepare the user object for the session
     const userObj = newUser.toObject();
     const trimmedPayloadForSession = {
@@ -87,6 +110,55 @@ const registerUser = async ({ email, password }) => {
   }
 };
 
+const verifyEmail = async (token) => {
+  try {
+    const user = await findByVerificationToken(token);
+
+    if (!user) {
+      throw new AppError('invalid-token', 'Invalid or expired verification token', 400);
+    }
+
+    // Update user as verified
+    await updateById(user._id, {
+      isVerified: true,
+      verificationToken: null,
+      verificationTokenExpiry: null,
+      updatedAt: new Date()
+    });
+
+    return { message: 'Email verified successfully' };
+  } catch (error) {
+    if (error instanceof AppError) {
+      throw error;
+    }
+    throw new AppError('verification-failed', error.message, 400);
+  }
+};
+
+const resendVerificationEmail = async (email) => {
+  try {
+    const { user, verificationToken } = await refreshVerificationToken(email);
+    
+    // Send new verification email
+    await sendVerificationEmail(email, verificationToken);
+    
+    return { 
+      message: 'Verification email sent successfully',
+      email: user.email
+    };
+  } catch (error) {
+    if (error instanceof AppError) {
+      throw error;
+    }
+    throw new AppError('resend-verification-failed', error.message, 400);
+  }
+};
+
 const localStrategy = new LocalStrategy(verifyCallback);
 
-module.exports = { localStrategy, registerUser };
+module.exports = { 
+  localStrategy, 
+  registerUser, 
+  verifyEmail,
+  resendVerificationEmail,
+};

src/auth/localStrategy.js

@@ -33,6 +33,10 @@ const schema = Joi.object({
   ADMIN_USERNAMES: Joi.array().items(Joi.string()).required(),
   SUPERADMIN_EMAIL: Joi.string().email().required(),
   SUPERADMIN_PASSWORD: Joi.string().min(8).required(),
+  // SendGrid Configuration
+  SENDGRID_API_KEY: Joi.string().required(),
+  SENDGRID_FROM_EMAIL: Joi.string().email().required(),
+  SENDGRID_VERIFICATION_TEMPLATE_ID: Joi.string().required(),
 });
 
 module.exports = schema;

src/configs/config.schema.js

@@ -88,6 +88,15 @@ const schema = new mongoose.Schema({
     },
   },
 
+  // Email verification fields
+  verificationToken: {
+    type: String,
+    sparse: true,
+  },
+  verificationTokenExpiry: {
+    type: Date,
+  },
+
   // Auth and status flags
   isDemo: {
     type: Boolean,
@@ -183,5 +192,6 @@ schema.index({ 'github.id': 1 }, { unique: true, sparse: true });
 schema.index({ 'google.id': 1 }, { unique: true, sparse: true });
 schema.index({ 'local.username': 1 }, { unique: true, sparse: true });
 schema.index({ email: 1 }, { unique: true });
+schema.index({ verificationToken: 1 }, { sparse: true });
 
 module.exports = mongoose.model('User', schema);

src/domains/user/schema.js

@@ -1,7 +1,7 @@
 const logger = require('../../libraries/log/logger');
-
 const Model = require('./schema');
 const { AppError } = require('../../libraries/error-handling/AppError');
+const crypto = require('crypto');
 
 const model = 'user';
 const projection = { accessToken: 0, accessTokenIV: 0 };
@@ -203,6 +203,83 @@ const followUser = async (followerId, followedId) => {
   }
 };
 
+const findByVerificationToken = async (token) => {
+  try {
+    return await Model.findOne({
+      verificationToken: token,
+      verificationTokenExpiry: { $gt: new Date() },
+      isVerified: false
+    });
+  } catch (error) {
+    logger.error('findByVerificationToken(): Failed to find user by token', error);
+    throw new AppError('Failed to find user by token', error.message, 400);
+  }
+};
+
+const generateVerificationToken = () => {
+  return crypto.randomBytes(32).toString('hex');
+};
+
+const canResendVerification = async (userId) => {
+  const user = await Model.findById(userId);
+  if (!user) {
+    throw new AppError('user-not-found', 'User not found', 404);
+  }
+
+  // If user is already verified
+  if (user.isVerified) {
+    throw new AppError('already-verified', 'Email is already verified', 400);
+  }
+
+  // Check if last token was generated less than 1 minute ago
+  if (user.verificationTokenExpiry) {
+    const timeSinceLastEmail = new Date() - user.verificationTokenExpiry;
+    const oneMinuteInMs = 1 * 60 * 1000;
+    
+    if (timeSinceLastEmail < oneMinuteInMs) {
+      const remainingSeconds = Math.ceil((oneMinuteInMs - timeSinceLastEmail) / 1000);
+      throw new AppError(
+        'rate-limit', 
+        `Please wait ${remainingSeconds} seconds before requesting another verification email`,
+        429
+      );
+    }
+  }
+
+  return true;
+};
+
+const refreshVerificationToken = async (email) => {
+  try {
+    const user = await Model.findOne({ email, authType: 'local' });
+    
+    if (!user) {
+      throw new AppError('user-not-found', 'No account found with this email', 404);
+    }
+
+    await canResendVerification(user._id);
+
+    // Generate new verification token
+    const verificationToken = generateVerificationToken();
+    const verificationTokenExpiry = new Date(Date.now() + 1 * 60 * 1000); // 1 minute
+
+    // Update user with new token
+    await updateById(user._id, {
+      verificationToken,
+      verificationTokenExpiry,
+      updatedAt: new Date()
+    });
+
+    return { user, verificationToken };
+  } catch (error) {
+    if (error instanceof AppError) {
+      throw error;
+    }
+    logger.error('refreshVerificationToken(): Failed to refresh token', error);
+    throw new AppError('refresh-token-failed', error.message, 400);
+  }
+};
+
 module.exports = {
   create,
   search,
@@ -217,4 +294,6 @@ module.exports = {
   activateUser,
   getByEmail,
   getByGoogleId,
+  findByVerificationToken,
+  refreshVerificationToken,
 };