Merge branch 'main' into feat/account-deletion

packages/trpc/server/auth-router/schema.ts

@@ -1,9 +1,25 @@
 import { z } from 'zod';
 
+export const ZCurrentPasswordSchema = z
+  .string()
+  .min(6, { message: 'Must be at least 6 characters in length' })
+  .max(72);
+
+export const ZPasswordSchema = z
+  .string()
+  .regex(new RegExp('.*[A-Z].*'), { message: 'One uppercase character' })
+  .regex(new RegExp('.*[a-z].*'), { message: 'One lowercase character' })
+  .regex(new RegExp('.*\\d.*'), { message: 'One number' })
+  .regex(new RegExp('.*[`~<>?,./!@#$%^&*()\\-_+="\'|{}\\[\\];:\\\\].*'), {
+    message: 'One special character is required',
+  })
+  .min(8, { message: 'Must be at least 8 characters in length' })
+  .max(72, { message: 'Cannot be more than 72 characters in length' });
+
 export const ZSignUpMutationSchema = z.object({
   name: z.string().min(1),
   email: z.string().email(),
-  password: z.string().min(6),
+  password: ZPasswordSchema,
   signature: z.string().min(1, { message: 'A signature is required.' }),
 });
 

packages/trpc/server/context.ts

@@ -1,4 +1,4 @@
-import { CreateNextContextOptions } from '@trpc/server/adapters/next';
+import type { CreateNextContextOptions } from '@trpc/server/adapters/next';
 
 import { getServerSession } from '@documenso/lib/next-auth/get-server-session';
 
@@ -9,6 +9,7 @@ export const createTrpcContext = async ({ req, res }: CreateNextContextOptions)
     return {
       session: null,
       user: null,
+      req,
     };
   }
 
@@ -16,12 +17,14 @@ export const createTrpcContext = async ({ req, res }: CreateNextContextOptions)
     return {
       session: null,
       user: null,
+      req,
     };
   }
 
   return {
     session,
     user,
+    req,
   };
 };
 

packages/trpc/server/crypto/router.ts

@@ -0,0 +1,17 @@
+import { encryptSecondaryData } from '@documenso/lib/server-only/crypto/encrypt';
+
+import { procedure, router } from '../trpc';
+import { ZEncryptSecondaryDataMutationSchema } from './schema';
+
+export const cryptoRouter = router({
+  encryptSecondaryData: procedure
+    .input(ZEncryptSecondaryDataMutationSchema)
+    .mutation(({ input }) => {
+      try {
+        return encryptSecondaryData(input);
+      } catch {
+        // Never leak errors for crypto.
+        throw new Error('Failed to encrypt data');
+      }
+    }),
+});

packages/trpc/server/crypto/schema.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod';
+
+export const ZEncryptSecondaryDataMutationSchema = z.object({
+  data: z.string(),
+  expiresAt: z.number().optional(),
+});
+
+export const ZDecryptDataMutationSchema = z.object({
+  data: z.string(),
+});
+
+export type TEncryptSecondaryDataMutationSchema = z.infer<
+  typeof ZEncryptSecondaryDataMutationSchema
+>;
+export type TDecryptDataMutationSchema = z.infer<typeof ZDecryptDataMutationSchema>;

packages/trpc/server/document-router/schema.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 
-import { DocumentStatus, FieldType } from '@documenso/prisma/client';
+import { DocumentStatus, FieldType, RecipientRole } from '@documenso/prisma/client';
 
 export const ZGetDocumentByIdQuerySchema = z.object({
   id: z.number().min(1),
@@ -35,6 +35,7 @@ export const ZSetRecipientsForDocumentMutationSchema = z.object({
       id: z.number().nullish(),
       email: z.string().min(1).email(),
       name: z.string(),
+      role: z.nativeEnum(RecipientRole),
     }),
   ),
 });

packages/trpc/server/profile-router/router.ts

@@ -2,16 +2,19 @@ import { TRPCError } from '@trpc/server';
 
 import { deleteStripeCustomer } from '@documenso/ee/server-only/stripe/delete-customer';
 import { deleteUser } from '@documenso/lib/server-only/user/delete-user';
+import { findUserSecurityAuditLogs } from '@documenso/lib/server-only/user/find-user-security-audit-logs';
 import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
 import { getUserById } from '@documenso/lib/server-only/user/get-user-by-id';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
 import { sendConfirmationToken } from '@documenso/lib/server-only/user/send-confirmation-token';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
 import { updateProfile } from '@documenso/lib/server-only/user/update-profile';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { adminProcedure, authenticatedProcedure, procedure, router } from '../trpc';
 import {
   ZConfirmEmailMutationSchema,
+  ZFindUserSecurityAuditLogsSchema,
   ZForgotPasswordFormSchema,
   ZResetPasswordFormSchema,
   ZRetrieveUserByIdQuerySchema,
@@ -20,6 +23,22 @@ import {
 } from './schema';
 
 export const profileRouter = router({
+  findUserSecurityAuditLogs: authenticatedProcedure
+    .input(ZFindUserSecurityAuditLogsSchema)
+    .query(async ({ input, ctx }) => {
+      try {
+        return await findUserSecurityAuditLogs({
+          userId: ctx.user.id,
+          ...input,
+        });
+      } catch (err) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'We were unable to find user security audit logs. Please try again.',
+        });
+      }
+    }),
+
   getUser: adminProcedure.input(ZRetrieveUserByIdQuerySchema).query(async ({ input }) => {
     try {
       const { id } = input;
@@ -43,6 +62,7 @@ export const profileRouter = router({
           userId: ctx.user.id,
           name,
           signature,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         console.error(err);
@@ -65,6 +85,7 @@ export const profileRouter = router({
           userId: ctx.user.id,
           password,
           currentPassword,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
         });
       } catch (err) {
         let message =
@@ -93,13 +114,14 @@ export const profileRouter = router({
     }
   }),
 
-  resetPassword: procedure.input(ZResetPasswordFormSchema).mutation(async ({ input }) => {
+  resetPassword: procedure.input(ZResetPasswordFormSchema).mutation(async ({ input, ctx }) => {
     try {
       const { password, token } = input;
 
       return await resetPassword({
         token,
         password,
+        requestMetadata: extractNextApiRequestMetadata(ctx.req),
       });
     } catch (err) {
       let message = 'We were unable to reset your password. Please try again.';

packages/trpc/server/profile-router/schema.ts

@@ -1,5 +1,12 @@
 import { z } from 'zod';
 
+import { ZCurrentPasswordSchema, ZPasswordSchema } from '../auth-router/schema';
+
+export const ZFindUserSecurityAuditLogsSchema = z.object({
+  page: z.number().optional(),
+  perPage: z.number().optional(),
+});
+
 export const ZRetrieveUserByIdQuerySchema = z.object({
   id: z.number().min(1),
 });
@@ -10,8 +17,8 @@ export const ZUpdateProfileMutationSchema = z.object({
 });
 
 export const ZUpdatePasswordMutationSchema = z.object({
-  currentPassword: z.string().min(6),
-  password: z.string().min(6),
+  currentPassword: ZCurrentPasswordSchema,
+  password: ZPasswordSchema,
 });
 
 export const ZForgotPasswordFormSchema = z.object({
@@ -19,7 +26,7 @@ export const ZForgotPasswordFormSchema = z.object({
 });
 
 export const ZResetPasswordFormSchema = z.object({
-  password: z.string().min(6),
+  password: ZPasswordSchema,
   token: z.string().min(1),
 });
 
@@ -27,6 +34,7 @@ export const ZConfirmEmailMutationSchema = z.object({
   email: z.string().email().min(1),
 });
 
+export type TFindUserSecurityAuditLogsSchema = z.infer<typeof ZFindUserSecurityAuditLogsSchema>;
 export type TRetrieveUserByIdQuerySchema = z.infer<typeof ZRetrieveUserByIdQuerySchema>;
 export type TUpdateProfileMutationSchema = z.infer<typeof ZUpdateProfileMutationSchema>;
 export type TUpdatePasswordMutationSchema = z.infer<typeof ZUpdatePasswordMutationSchema>;

packages/trpc/server/recipient-router/router.ts

@@ -25,6 +25,7 @@ export const recipientRouter = router({
             id: signer.nativeId,
             email: signer.email,
             name: signer.name,
+            role: signer.role,
           })),
         });
       } catch (err) {

packages/trpc/server/recipient-router/schema.ts

@@ -1,5 +1,7 @@
 import { z } from 'zod';
 
+import { RecipientRole } from '@documenso/prisma/client';
+
 export const ZAddSignersMutationSchema = z
   .object({
     documentId: z.number(),
@@ -8,6 +10,7 @@ export const ZAddSignersMutationSchema = z
         nativeId: z.number().optional(),
         email: z.string().email().min(1),
         name: z.string(),
+        role: z.nativeEnum(RecipientRole),
       }),
     ),
   })

packages/trpc/server/router.ts

@@ -1,5 +1,6 @@
 import { adminRouter } from './admin-router/router';
 import { authRouter } from './auth-router/router';
+import { cryptoRouter } from './crypto/router';
 import { documentRouter } from './document-router/router';
 import { fieldRouter } from './field-router/router';
 import { profileRouter } from './profile-router/router';
@@ -12,6 +13,7 @@ import { twoFactorAuthenticationRouter } from './two-factor-authentication-route
 
 export const appRouter = router({
   auth: authRouter,
+  crypto: cryptoRouter,
   profile: profileRouter,
   document: documentRouter,
   field: fieldRouter,

packages/trpc/server/template-router/router.ts

@@ -1,5 +1,6 @@
 import { TRPCError } from '@trpc/server';
 
+import { getServerLimits } from '@documenso/ee/server-only/limits/server';
 import { createDocumentFromTemplate } from '@documenso/lib/server-only/template/create-document-from-template';
 import { createTemplate } from '@documenso/lib/server-only/template/create-template';
 import { deleteTemplate } from '@documenso/lib/server-only/template/delete-template';
@@ -41,6 +42,12 @@ export const templateRouter = router({
       try {
         const { templateId } = input;
 
+        const limits = await getServerLimits({ email: ctx.user.email });
+
+        if (limits.remaining.documents === 0) {
+          throw new Error('You have reached your document limit.');
+        }
+
         return await createDocumentFromTemplate({
           templateId,
           userId: ctx.user.id,

packages/trpc/server/two-factor-authentication-router/router.ts

@@ -6,6 +6,7 @@ import { enableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/en
 import { getBackupCodes } from '@documenso/lib/server-only/2fa/get-backup-code';
 import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
 import { compareSync } from '@documenso/lib/server-only/auth/hash';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { authenticatedProcedure, router } from '../trpc';
 import {
@@ -23,7 +24,10 @@ export const twoFactorAuthenticationRouter = router({
 
       const { password } = input;
 
-      return await setupTwoFactorAuthentication({ user, password });
+      return await setupTwoFactorAuthentication({
+        user,
+        password,
+      });
     }),
 
   enable: authenticatedProcedure
@@ -34,7 +38,11 @@ export const twoFactorAuthenticationRouter = router({
 
         const { code } = input;
 
-        return await enableTwoFactorAuthentication({ user, code });
+        return await enableTwoFactorAuthentication({
+          user,
+          code,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
+        });
       } catch (err) {
         console.error(err);
 
@@ -53,7 +61,12 @@ export const twoFactorAuthenticationRouter = router({
 
         const { password, backupCode } = input;
 
-        return await disableTwoFactorAuthentication({ user, password, backupCode });
+        return await disableTwoFactorAuthentication({
+          user,
+          password,
+          backupCode,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
+        });
       } catch (err) {
         console.error(err);