zephyrfs/zephyrfs-web / 095d099

+    "@fastify/oauth2": "^7.8.0",

+    "archiver": "^6.0.1",

+    "bcrypt": "^5.1.1",

+    "nodemailer": "^6.9.7",

+    "sqlite3": "^5.1.6",

+    "kysely": "^0.27.2"

+    "@types/bcrypt": "^5.0.2",

+    "@types/nodemailer": "^6.4.14",

+import { Kysely, SqliteDialect } from 'kysely';

+import SQLite from 'sqlite3';

+import { readFileSync } from 'fs';

+import { join } from 'path';

+import type { Database } from './types.js';

+

+let db: Kysely<Database> | null = null;

+

+export function initializeDatabase(dbPath?: string): Kysely<Database> {

+  if (db) {

+    return db;

+  }

+

+  const databasePath = dbPath || process.env.DATABASE_PATH || ':memory:';

+

+  const dialect = new SqliteDialect({

+    database: new SQLite.Database(databasePath),

+  });

+

+  db = new Kysely<Database>({

+    dialect,

+  });

+

+  return db;

+}

+

+export async function setupDatabase(): Promise<void> {

+  const database = getDatabase();

+

+  // Read and execute schema

+  const schemaPath = join(new URL(import.meta.url).pathname, '../schema.sql');

+  const schema = readFileSync(schemaPath, 'utf-8');

+

+  // Split and execute each statement

+  const statements = schema

+    .split(';')

+    .map(stmt => stmt.trim())

+    .filter(stmt => stmt.length > 0);

+

+  for (const statement of statements) {

+    try {

+      await database.executeQuery({

+        sql: statement,

+        parameters: [],

+      });

+    } catch (error) {

+      // Ignore table already exists errors

+      if (!error.message?.includes('already exists')) {

+        console.error('Database setup error:', error);

+        throw error;

+      }

+    }

+  }

+}

+

+export function getDatabase(): Kysely<Database> {

+  if (!db) {

+    throw new Error('Database not initialized. Call initializeDatabase() first.');

+  }

+  return db;

+}

+

+export async function closeDatabase(): Promise<void> {

+  if (db) {

+    await db.destroy();

+    db = null;

+  }

+}

+

+// Helper function to convert snake_case to camelCase for database rows

+export function toCamelCase<T>(obj: any): T {

+  if (obj === null || obj === undefined) {

+    return obj;

+  }

+

+  if (Array.isArray(obj)) {

+    return obj.map(toCamelCase) as T;

+  }

+

+  if (typeof obj === 'object' && obj.constructor === Object) {

+    const result: any = {};

+    for (const [key, value] of Object.entries(obj)) {

+      const camelKey = key.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());

+      result[camelKey] = toCamelCase(value);

+    }

+    return result;

+  }

+

+  return obj;

+}

+

+// Helper function to convert camelCase to snake_case for database queries

+export function toSnakeCase<T>(obj: any): T {

+  if (obj === null || obj === undefined) {

+    return obj;

+  }

+

+  if (Array.isArray(obj)) {

+    return obj.map(toSnakeCase) as T;

+  }

+

+  if (typeof obj === 'object' && obj.constructor === Object) {

+    const result: any = {};

+    for (const [key, value] of Object.entries(obj)) {

+      const snakeKey = key.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);

+      result[snakeKey] = toSnakeCase(value);

+    }

+    return result;

+  }

+

+  return obj;

+}

+-- ZephyrFS Authentication Database Schema

+

+-- Users table with email registration and OAuth support

+CREATE TABLE users (

+    id TEXT PRIMARY KEY,

+    email TEXT UNIQUE NOT NULL,

+    username TEXT UNIQUE,

+    password_hash TEXT,

+    user_type TEXT CHECK (user_type IN ('backup', 'volunteer', 'admin')) NOT NULL DEFAULT 'backup',

+    email_verified BOOLEAN DEFAULT FALSE,

+    email_verification_token TEXT,

+    email_verification_expires_at DATETIME,

+    password_reset_token TEXT,

+    password_reset_expires_at DATETIME,

+    github_id TEXT UNIQUE,

+    github_username TEXT,

+    github_avatar_url TEXT,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    last_login_at DATETIME,

+    profile_data TEXT -- JSON storage for additional profile info

+);

+

+-- OAuth accounts table for multiple providers

+CREATE TABLE oauth_accounts (

+    id TEXT PRIMARY KEY,

+    user_id TEXT NOT NULL,

+    provider TEXT NOT NULL,

+    provider_account_id TEXT NOT NULL,

+    access_token TEXT,

+    refresh_token TEXT,

+    expires_at DATETIME,

+    token_type TEXT,

+    scope TEXT,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,

+    UNIQUE(provider, provider_account_id)

+);

+

+-- User sessions table

+CREATE TABLE user_sessions (

+    id TEXT PRIMARY KEY,

+    user_id TEXT NOT NULL,

+    session_token TEXT UNIQUE NOT NULL,

+    expires_at DATETIME NOT NULL,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    last_access_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    ip_address TEXT,

+    user_agent TEXT,

+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE

+);

+

+-- Email verification attempts tracking

+CREATE TABLE email_verifications (

+    id TEXT PRIMARY KEY,

+    user_id TEXT NOT NULL,

+    email TEXT NOT NULL,

+    token TEXT NOT NULL,

+    attempts INTEGER DEFAULT 0,

+    verified_at DATETIME,

+    expires_at DATETIME NOT NULL,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE

+);

+

+-- Password reset attempts tracking

+CREATE TABLE password_resets (

+    id TEXT PRIMARY KEY,

+    user_id TEXT NOT NULL,

+    token TEXT NOT NULL,

+    attempts INTEGER DEFAULT 0,

+    used_at DATETIME,

+    expires_at DATETIME NOT NULL,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE

+);

+

+-- User onboarding progress tracking

+CREATE TABLE user_onboarding (

+    id TEXT PRIMARY KEY,

+    user_id TEXT NOT NULL,

+    step TEXT NOT NULL,

+    completed BOOLEAN DEFAULT FALSE,

+    data TEXT, -- JSON storage for step-specific data

+    completed_at DATETIME,

+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,

+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE

+);

+

+-- Indexes for performance

+CREATE INDEX idx_users_email ON users (email);

+CREATE INDEX idx_users_username ON users (username);

+CREATE INDEX idx_users_github_id ON oauth_accounts (provider_account_id);

+CREATE INDEX idx_sessions_token ON user_sessions (session_token);

+CREATE INDEX idx_sessions_user_id ON user_sessions (user_id);

+CREATE INDEX idx_email_verifications_token ON email_verifications (token);

+CREATE INDEX idx_password_resets_token ON password_resets (token);

+

+-- Insert default admin user

+INSERT INTO users (

+    id,

+    email,

+    username,

+    password_hash,

+    user_type,

+    email_verified

+) VALUES (

+    'admin',

+    'admin@zephyrfs.org',

+    'admin',

+    '$2b$10$rKGHZ0aB0qKhP0DqW8qZHu2wF2nF.FqD3tYw1pV6gB2wZ8vY0gG4u', -- 'admin' hashed

+    'admin',

+    TRUE

+);

+

+INSERT INTO users (

+    id,

+    email,

+    username,

+    password_hash,

+    user_type,

+    email_verified

+) VALUES (

+    'demo',

+    'demo@zephyrfs.org',

+    'demo',

+    '$2b$10$rKGHZ0aB0qKhP0DqW8qZHu2wF2nF.FqD3tYw1pV6gB2wZ8vY0gG4u', -- 'demo' hashed

+    'backup',

+    TRUE

+);

+// Database types for ZephyrFS authentication system

+

+export interface User {

+  id: string;

+  email: string;

+  username?: string;

+  passwordHash?: string;

+  userType: 'backup' | 'volunteer' | 'admin';

+  emailVerified: boolean;

+  emailVerificationToken?: string;

+  emailVerificationExpiresAt?: Date;

+  passwordResetToken?: string;

+  passwordResetExpiresAt?: Date;

+  githubId?: string;

+  githubUsername?: string;

+  githubAvatarUrl?: string;

+  createdAt: Date;

+  updatedAt: Date;

+  lastLoginAt?: Date;

+  profileData?: string; // JSON storage

+}

+

+export interface OAuthAccount {

+  id: string;

+  userId: string;

+  provider: string;

+  providerAccountId: string;

+  accessToken?: string;

+  refreshToken?: string;

+  expiresAt?: Date;

+  tokenType?: string;

+  scope?: string;

+  createdAt: Date;

+  updatedAt: Date;

+}

+

+export interface UserSession {

+  id: string;

+  userId: string;

+  sessionToken: string;

+  expiresAt: Date;

+  createdAt: Date;

+  lastAccessAt: Date;

+  ipAddress?: string;

+  userAgent?: string;

+}

+

+export interface EmailVerification {

+  id: string;

+  userId: string;

+  email: string;

+  token: string;

+  attempts: number;

+  verifiedAt?: Date;

+  expiresAt: Date;

+  createdAt: Date;

+}

+

+export interface PasswordReset {

+  id: string;

+  userId: string;

+  token: string;

+  attempts: number;

+  usedAt?: Date;

+  expiresAt: Date;

+  createdAt: Date;

+}

+

+export interface UserOnboarding {

+  id: string;

+  userId: string;

+  step: string;

+  completed: boolean;

+  data?: string; // JSON storage

+  completedAt?: Date;

+  createdAt: Date;

+}

+

+export interface Database {

+  users: User;

+  oauth_accounts: OAuthAccount;

+  user_sessions: UserSession;

+  email_verifications: EmailVerification;

+  password_resets: PasswordReset;

+  user_onboarding: UserOnboarding;

+}

+

+// API types for requests/responses

+export interface RegisterRequest {

+  email: string;

+  username?: string;

+  password: string;

+  userType: 'backup' | 'volunteer';

+}

+

+export interface LoginRequest {

+  email?: string;

+  username?: string;

+  password?: string;

+  token?: string;

+}

+

+export interface AuthResponse {

+  token: string;

+  refreshToken: string;

+  expiresIn: number;

+  user: PublicUser;

+}

+

+export interface PublicUser {

+  id: string;

+  email: string;

+  username?: string;

+  userType: 'backup' | 'volunteer' | 'admin';

+  emailVerified: boolean;

+  githubUsername?: string;

+  githubAvatarUrl?: string;

+  createdAt: Date;

+}

+

+export interface EmailVerificationRequest {

+  token: string;

+}

+

+export interface PasswordResetRequest {

+  email: string;

+}

+

+export interface PasswordResetConfirmRequest {

+  token: string;

+  newPassword: string;

+}

+

+export interface OnboardingUpdateRequest {

+  step: string;

+  data?: Record<string, any>;

+  completed?: boolean;

+}

+import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';

+import bcrypt from 'bcrypt';

+import { z } from 'zod';

+import { randomBytes, randomUUID } from 'crypto';

+import { getDatabase, toCamelCase } from '../database/connection.js';

+import { EmailService } from '../services/email.js';

+import type {

+  RegisterRequest,

+  LoginRequest,

+  AuthResponse,

+  PublicUser,

+  EmailVerificationRequest,

+  PasswordResetRequest,

+  PasswordResetConfirmRequest,

+  OnboardingUpdateRequest,

+} from '../database/types.js';

+

+// Validation schemas

+const registerSchema = z.object({

+  email: z.string().email('Invalid email address'),

+  username: z.string().min(3).max(30).optional(),

+  password: z.string().min(8, 'Password must be at least 8 characters'),

+  userType: z.enum(['backup', 'volunteer'], {

+    required_error: 'Please select whether you want to backup files or volunteer storage',

+  }),

+});

+

+const loginSchema = z.object({

+  email: z.string().email().optional(),

+  username: z.string().optional(),

+  password: z.string().optional(),

+  token: z.string().optional(),

+}).refine(

+  (data) => (data.email || data.username) && data.password || data.token,

+  'Email/username and password, or token required'

+);

+

+const emailVerificationSchema = z.object({

+  token: z.string().min(1, 'Verification token required'),

+});

+

+const passwordResetSchema = z.object({

+  email: z.string().email('Invalid email address'),

+});

+

+const passwordResetConfirmSchema = z.object({

+  token: z.string().min(1, 'Reset token required'),

+  newPassword: z.string().min(8, 'Password must be at least 8 characters'),

+});

+

+const onboardingUpdateSchema = z.object({

+  step: z.string().min(1),

+  data: z.record(z.any()).optional(),

+  completed: z.boolean().optional(),

+});

+

+let emailService: EmailService;

+

+export async function authV2Routes(fastify: FastifyInstance) {

+  const db = getDatabase();

+

+  // Initialize email service

+  emailService = new EmailService({

+    host: process.env.SMTP_HOST || 'smtp.ethereal.email',

+    port: parseInt(process.env.SMTP_PORT || '587'),

+    secure: process.env.SMTP_SECURE === 'true',

+    auth: process.env.SMTP_USER && process.env.SMTP_PASS ? {

+      user: process.env.SMTP_USER,

+      pass: process.env.SMTP_PASS,

+    } : undefined,

+    from: process.env.SMTP_FROM || 'ZephyrFS <noreply@zephyrfs.org>',

+  });

+

+  // Helper function to create public user object

+  const toPublicUser = (user: any): PublicUser => ({

+    id: user.id,

+    email: user.email,

+    username: user.username,

+    userType: user.userType || user.user_type,

+    emailVerified: user.emailVerified || user.email_verified,

+    githubUsername: user.githubUsername || user.github_username,

+    githubAvatarUrl: user.githubAvatarUrl || user.github_avatar_url,

+    createdAt: new Date(user.createdAt || user.created_at),

+  });

+

+  // User registration

+  fastify.post<{

+    Body: RegisterRequest;

+  }>('/auth/register', {

+    schema: { body: registerSchema },

+  }, async (request: FastifyRequest, reply: FastifyReply) => {

+    const { email, username, password, userType } = request.body as RegisterRequest;

+

+    try {

+      // Check if user already exists

+      const existingUser = await db

+        .selectFrom('users')

+        .selectAll()

+        .where((eb) => eb.or([

+          eb('email', '=', email),

+          ...(username ? [eb('username', '=', username)] : [])

+        ]))

+        .executeTakeFirst();

+

+      if (existingUser) {

+        if (existingUser.email === email) {

+          throw fastify.httpErrors.conflict('Email already registered');

+        }

+        if (existingUser.username === username) {

+          throw fastify.httpErrors.conflict('Username already taken');

+        }

+      }

+

+      // Hash password

+      const passwordHash = await bcrypt.hash(password, 12);

+

+      // Generate verification token

+      const verificationToken = randomBytes(32).toString('hex');

+      const verificationExpiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours

+

+      // Create user

+      const userId = randomUUID();

+      await db

+        .insertInto('users')

+        .values({

+          id: userId,

+          email,

+          username,

+          password_hash: passwordHash,

+          user_type: userType,

+          email_verified: false,

+          email_verification_token: verificationToken,

+          email_verification_expires_at: verificationExpiresAt.toISOString(),

+          created_at: new Date().toISOString(),

+          updated_at: new Date().toISOString(),

+        })

+        .execute();

+

+      // Create email verification record

+      await db

+        .insertInto('email_verifications')

+        .values({

+          id: randomUUID(),

+          user_id: userId,

+          email,

+          token: verificationToken,

+          attempts: 0,

+          expires_at: verificationExpiresAt.toISOString(),

+          created_at: new Date().toISOString(),

+        })

+        .execute();

+

+      // Send verification email

+      try {

+        await emailService.sendEmailVerification(email, verificationToken, username);

+      } catch (emailError) {

+        fastify.log.error(emailError, 'Failed to send verification email');

+        // Don't fail registration if email fails

+      }

+

+      // Initialize onboarding steps

+      const onboardingSteps = userType === 'volunteer'

+        ? ['user-type-selection', 'storage-setup', 'desktop-app', 'node-configuration']

+        : ['user-type-selection', 'backup-setup', 'first-upload'];

+

+      for (const step of onboardingSteps) {

+        await db

+          .insertInto('user_onboarding')

+          .values({

+            id: randomUUID(),

+            user_id: userId,

+            step,

+            completed: step === 'user-type-selection', // First step completed

+            data: step === 'user-type-selection' ? JSON.stringify({ userType }) : null,

+            completed_at: step === 'user-type-selection' ? new Date().toISOString() : null,

+            created_at: new Date().toISOString(),

+          })

+          .execute();

+      }

+

+      return {

+        success: true,

+        message: 'Registration successful! Please check your email to verify your account.',

+        userId,

+      };

+    } catch (error) {

+      if (error.statusCode) {

+        throw error;

+      }

+      fastify.log.error(error, 'Registration failed');

+      throw fastify.httpErrors.internalServerError('Registration failed');

+    }

+  });

+

+  // Email verification

+  fastify.post<{

+    Body: EmailVerificationRequest;

+  }>('/auth/verify-email', {

+    schema: { body: emailVerificationSchema },

+  }, async (request: FastifyRequest, reply: FastifyReply) => {

+    const { token } = request.body as EmailVerificationRequest;

+

+    try {

+      // Find verification record

+      const verification = await db

+        .selectFrom('email_verifications')

+        .selectAll()

+        .where('token', '=', token)

+        .where('verified_at', 'is', null)

+        .executeTakeFirst();

+

+      if (!verification) {

+        throw fastify.httpErrors.badRequest('Invalid or expired verification token');

+      }

+

+      if (new Date() > new Date(verification.expires_at)) {

+        throw fastify.httpErrors.badRequest('Verification token has expired');

+      }

+

+      // Update verification record

+      await db

+        .updateTable('email_verifications')

+        .set({

+          verified_at: new Date().toISOString(),

+          attempts: verification.attempts + 1,

+        })

+        .where('id', '=', verification.id)

+        .execute();

+

+      // Update user

+      const user = await db

+        .updateTable('users')

+        .set({

+          email_verified: true,

+          email_verification_token: null,

+          email_verification_expires_at: null,

+          updated_at: new Date().toISOString(),

+        })

+        .where('id', '=', verification.user_id)

+        .returningAll()

+        .executeTakeFirstOrThrow();

+

+      // Send welcome email

+      try {

+        await emailService.sendWelcomeEmail(

+          user.email,

+          user.user_type as 'backup' | 'volunteer',

+          user.username || undefined

+        );

+      } catch (emailError) {

+        fastify.log.error(emailError, 'Failed to send welcome email');

+      }

+

+      return {

+        success: true,

+        message: 'Email verified successfully! Welcome to ZephyrFS!',

+        user: toPublicUser(user),

+      };

+    } catch (error) {

+      if (error.statusCode) {

+        throw error;

+      }

+      fastify.log.error(error, 'Email verification failed');

+      throw fastify.httpErrors.internalServerError('Email verification failed');

+    }

+  });

+

+  // Enhanced login

+  fastify.post<{

+    Body: LoginRequest;

+  }>('/auth/login', {

+    schema: { body: loginSchema },

+  }, async (request: FastifyRequest, reply: FastifyReply) => {

+    const { email, username, password, token } = request.body as LoginRequest;

+

+    try {

+      let user: any;

+

+      if (token) {

+        // Token-based authentication

+        try {

+          const decoded = fastify.jwt.verify(token) as { userId: string; username: string };

+          user = await db

+            .selectFrom('users')

+            .selectAll()

+            .where('id', '=', decoded.userId)

+            .executeTakeFirst();

+

+          if (!user) {

+            throw new Error('User not found');

+          }

+        } catch (error) {

+          throw fastify.httpErrors.unauthorized('Invalid token');

+        }

+      } else if ((email || username) && password) {

+        // Password-based authentication

+        user = await db

+          .selectFrom('users')

+          .selectAll()

+          .where((eb) => eb.or([

+            ...(email ? [eb('email', '=', email)] : []),

+            ...(username ? [eb('username', '=', username)] : [])

+          ]))

+          .executeTakeFirst();

+

+        if (!user || !user.password_hash) {

+          throw fastify.httpErrors.unauthorized('Invalid credentials');

+        }

+

+        const validPassword = await bcrypt.compare(password, user.password_hash);

+        if (!validPassword) {

+          throw fastify.httpErrors.unauthorized('Invalid credentials');

+        }

+

+        // Check if email is verified for new registrations

+        if (!user.email_verified) {

+          throw fastify.httpErrors.forbidden('Please verify your email address before logging in');

+        }

+      } else {

+        throw fastify.httpErrors.badRequest('Email/username and password, or token required');

+      }

+

+      // Create session

+      const sessionId = randomUUID();

+      const sessionToken = randomBytes(32).toString('hex');

+      const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // 30 days

+

+      await db

+        .insertInto('user_sessions')

+        .values({

+          id: sessionId,

+          user_id: user.id,

+          session_token: sessionToken,

+          expires_at: expiresAt.toISOString(),

+          created_at: new Date().toISOString(),

+          last_access_at: new Date().toISOString(),

+          ip_address: request.ip,

+          user_agent: request.headers['user-agent'],

+        })

+        .execute();

+

+      // Update last login

+      await db

+        .updateTable('users')

+        .set({

+          last_login_at: new Date().toISOString(),

+          updated_at: new Date().toISOString(),

+        })

+        .where('id', '=', user.id)

+        .execute();

+

+      // Generate tokens

+      const accessToken = fastify.jwt.sign(

+        { userId: user.id, username: user.username, sessionId },

+        { expiresIn: fastify.config.jwtExpiresIn }

+      );

+

+      const refreshToken = fastify.jwt.sign(

+        { userId: user.id, sessionId, type: 'refresh' },

+        { expiresIn: fastify.config.jwtRefreshExpiresIn }

+      );

+

+      const response: AuthResponse = {

+        token: accessToken,

+        refreshToken,

+        expiresIn: 24 * 60 * 60, // 24 hours in seconds

+        user: toPublicUser(user),

+      };

+

+      return response;

+    } catch (error) {

+      if (error.statusCode) {

+        throw error;

+      }

+      fastify.log.error(error, 'Login failed');

+      throw fastify.httpErrors.internalServerError('Login failed');

+    }

+  });

+

+  // Password reset request

+  fastify.post<{

+    Body: PasswordResetRequest;

+  }>('/auth/password-reset', {

+    schema: { body: passwordResetSchema },

+  }, async (request: FastifyRequest, reply: FastifyReply) => {

+    const { email } = request.body as PasswordResetRequest;

+

+    try {

+      const user = await db

+        .selectFrom('users')

+        .selectAll()

+        .where('email', '=', email)

+        .executeTakeFirst();

+

+      // Always return success to prevent email enumeration

+      if (!user) {

+        return {

+          success: true,

+          message: 'If an account with that email exists, we\'ve sent a password reset link.',

+        };

+      }

+

+      // Generate reset token

+      const resetToken = randomBytes(32).toString('hex');

+      const resetExpiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour

+

+      // Update user with reset token

+      await db

+        .updateTable('users')

+        .set({

+          password_reset_token: resetToken,

+          password_reset_expires_at: resetExpiresAt.toISOString(),

+          updated_at: new Date().toISOString(),

+        })

+        .where('id', '=', user.id)

+        .execute();

+

+      // Create password reset record

+      await db

+        .insertInto('password_resets')

+        .values({

+          id: randomUUID(),

+          user_id: user.id,

+          token: resetToken,

+          attempts: 0,

+          expires_at: resetExpiresAt.toISOString(),

+          created_at: new Date().toISOString(),

+        })

+        .execute();

+

+      // Send reset email

+      try {

+        await emailService.sendPasswordReset(email, resetToken, user.username || undefined);

+      } catch (emailError) {

+        fastify.log.error(emailError, 'Failed to send password reset email');

+      }

+

+      return {

+        success: true,

+        message: 'If an account with that email exists, we\'ve sent a password reset link.',

+      };

+    } catch (error) {

+      fastify.log.error(error, 'Password reset request failed');

+      throw fastify.httpErrors.internalServerError('Password reset request failed');

+    }

+  });

+

+  // Password reset confirmation

+  fastify.post<{

+    Body: PasswordResetConfirmRequest;

+  }>('/auth/password-reset/confirm', {

+    schema: { body: passwordResetConfirmSchema },

+  }, async (request: FastifyRequest, reply: FastifyReply) => {

+    const { token, newPassword } = request.body as PasswordResetConfirmRequest;

+

+    try {

+      // Find reset record

+      const reset = await db

+        .selectFrom('password_resets')

+        .selectAll()

+        .where('token', '=', token)

+        .where('used_at', 'is', null)

+        .executeTakeFirst();

+

+      if (!reset) {

+        throw fastify.httpErrors.badRequest('Invalid or expired reset token');

+      }

+

+      if (new Date() > new Date(reset.expires_at)) {

+        throw fastify.httpErrors.badRequest('Reset token has expired');

+      }

+

+      // Hash new password

+      const passwordHash = await bcrypt.hash(newPassword, 12);

+

+      // Update user

+      await db

+        .updateTable('users')

+        .set({

+          password_hash: passwordHash,

+          password_reset_token: null,

+          password_reset_expires_at: null,

+          updated_at: new Date().toISOString(),

+        })

+        .where('id', '=', reset.user_id)

+        .execute();

+

+      // Mark reset as used

+      await db

+        .updateTable('password_resets')

+        .set({

+          used_at: new Date().toISOString(),

+          attempts: reset.attempts + 1,

+        })

+        .where('id', '=', reset.id)

+        .execute();

+

+      // Invalidate all sessions for this user

+      await db

+        .deleteFrom('user_sessions')

+        .where('user_id', '=', reset.user_id)

+        .execute();

+

+      return {

+        success: true,

+        message: 'Password updated successfully! Please log in with your new password.',

+      };

+    } catch (error) {

+      if (error.statusCode) {

+        throw error;

+      }

+      fastify.log.error(error, 'Password reset confirmation failed');

+      throw fastify.httpErrors.internalServerError('Password reset confirmation failed');

+    }

+  });

+

+  // Get user onboarding status

+  fastify.get('/auth/onboarding', {

+    preHandler: fastify.authenticate,

+  }, async (request: FastifyRequest) => {

+    const user = request.user as { userId: string };

+

+    const onboardingSteps = await db

+      .selectFrom('user_onboarding')

+      .selectAll()

+      .where('user_id', '=', user.userId)

+      .orderBy('created_at', 'asc')

+      .execute();

+

+    return {

+      steps: onboardingSteps.map(toCamelCase),

+      completed: onboardingSteps.filter(step => step.completed).length,

+      total: onboardingSteps.length,

+    };

+  });

+

+  // Update onboarding progress

+  fastify.post<{

+    Body: OnboardingUpdateRequest;

+  }>('/auth/onboarding/update', {

+    preHandler: fastify.authenticate,

+    schema: { body: onboardingUpdateSchema },

+  }, async (request: FastifyRequest) => {

+    const user = request.user as { userId: string };

+    const { step, data, completed } = request.body as OnboardingUpdateRequest;

+

+    await db

+      .updateTable('user_onboarding')

+      .set({

+        completed: completed || false,

+        data: data ? JSON.stringify(data) : null,

+        completed_at: completed ? new Date().toISOString() : null,

+      })

+      .where('user_id', '=', user.userId)

+      .where('step', '=', step)

+      .execute();

+

+    return { success: true };

+  });

+

+  // Get current user info (enhanced)

+  fastify.get('/auth/me', {

+    preHandler: fastify.authenticate,

+  }, async (request: FastifyRequest) => {

+    const authUser = request.user as { userId: string; sessionId: string };

+

+    // Get user details

+    const user = await db

+      .selectFrom('users')

+      .selectAll()

+      .where('id', '=', authUser.userId)

+      .executeTakeFirstOrThrow();

+

+    // Update session last access

+    await db

+      .updateTable('user_sessions')

+      .set({ last_access_at: new Date().toISOString() })

+      .where('id', '=', authUser.sessionId)

+      .execute();

+

+    return toPublicUser(user);

+  });

+

+  // Enhanced logout (cleanup sessions)

+  fastify.post('/auth/logout', {

+    preHandler: fastify.authenticate,

+  }, async (request: FastifyRequest) => {

+    const user = request.user as { sessionId: string };

+

+    // Remove session

+    await db

+      .deleteFrom('user_sessions')

+      .where('id', '=', user.sessionId)

+      .execute();

+

+    return { success: true };

+  });

+

+  // Logout from all devices

+  fastify.post('/auth/logout-all', {

+    preHandler: fastify.authenticate,

+  }, async (request: FastifyRequest) => {

+    const user = request.user as { userId: string };

+

+    // Remove all sessions for user

+    await db

+      .deleteFrom('user_sessions')

+      .where('user_id', '=', user.userId)

+      .execute();

+

+    return { success: true };

+  });

+}

+import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';

+import { randomUUID } from 'crypto';

+import { z } from 'zod';

+import { getDatabase } from '../database/connection.js';

+import { EmailService } from '../services/email.js';

+import type { AuthResponse, PublicUser } from '../database/types.js';

+

+// OAuth callback schemas

+const githubCallbackSchema = z.object({

+  code: z.string().min(1, 'Authorization code required'),

+  state: z.string().optional(),

+});

+

+const userTypeSelectionSchema = z.object({

+  userType: z.enum(['backup', 'volunteer']),

+  tempUserId: z.string().uuid(),

+});

+

+interface GitHubUser {

+  id: number;

+  login: string;

+  name?: string;

+  email?: string;

+  avatar_url?: string;

+}

+

+interface GitHubEmail {

+  email: string;

+  primary: boolean;

+  verified: boolean;

+}

+

+let emailService: EmailService;

+

+export async function oauthRoutes(fastify: FastifyInstance) {

+  const db = getDatabase();

+

+  // Initialize email service

+  emailService = new EmailService({

+    host: process.env.SMTP_HOST || 'smtp.ethereal.email',

+    port: parseInt(process.env.SMTP_PORT || '587'),

+    secure: process.env.SMTP_SECURE === 'true',

+    auth: process.env.SMTP_USER && process.env.SMTP_PASS ? {

+      user: process.env.SMTP_USER,

+      pass: process.env.SMTP_PASS,

+    } : undefined,

+    from: process.env.SMTP_FROM || 'ZephyrFS <noreply@zephyrfs.org>',

+  });

+

+  // Register GitHub OAuth plugin

+  await fastify.register(import('@fastify/oauth2'), {

+    name: 'githubOAuth2',

+    credentials: {

+      client: {

+        id: process.env.GITHUB_CLIENT_ID!,

+        secret: process.env.GITHUB_CLIENT_SECRET!,

+      },

+      auth: fastify.oauth2.GITHUB_CONFIGURATION,

+    },

+    scope: ['user:email', 'read:user'],

+    startRedirectPath: '/oauth/github/login',

+    callbackUri: `${process.env.BACKEND_URL || 'http://localhost:8080'}/oauth/github/callback`,

+  });

+

+  // Helper function to create public user object

+  const toPublicUser = (user: any): PublicUser => ({

+    id: user.id,

+    email: user.email,

+    username: user.username,

+    userType: user.userType || user.user_type,

+    emailVerified: user.emailVerified || user.email_verified,

+    githubUsername: user.githubUsername || user.github_username,

+    githubAvatarUrl: user.githubAvatarUrl || user.github_avatar_url,

+    createdAt: new Date(user.createdAt || user.created_at),

+  });

+

+  // GitHub OAuth login initiation

+  fastify.get('/oauth/github/login', async (request: FastifyRequest, reply: FastifyReply) => {

+    const state = randomUUID();

+

+    // Store state for verification (in production, use Redis or database)

+    // For now, we'll include it in the OAuth flow and verify in callback

+

+    return fastify.githubOAuth2.generateAuthorizationUri(request, reply, {

+      state,

+    });

+  });

+

+  // GitHub OAuth callback

+  fastify.get<{

+    Querystring: z.infer<typeof githubCallbackSchema>;

+  }>('/oauth/github/callback', async (request: FastifyRequest, reply: FastifyReply) => {

+    const { code, state } = request.query as z.infer<typeof githubCallbackSchema>;

+

+    try {

+      // Exchange code for token

+      const tokenResponse = await fastify.githubOAuth2.getAccessTokenFromAuthorizationCodeFlow(request);

+

+      if (!tokenResponse.access_token) {

+        throw new Error('No access token received');

+      }

+

+      // Fetch GitHub user data

+      const userResponse = await fetch('https://api.github.com/user', {