Merge branch 'main' into feat/disable-access-unverified-users

2025-11-13 08:13:56 +10:00 · 2024-02-07 16:30:22 +11:00
parent 6053a4a40a bf26f2cb9d
commit cad48236a0
283 changed files with 14656 additions and 1399 deletions
--- a/packages/lib/server-only/user/create-user.ts
+++ b/packages/lib/server-only/user/create-user.ts
@ -1,11 +1,12 @@
 import { hash } from 'bcrypt';

 import { getStripeCustomerByUser } from '@documenso/ee/server-only/stripe/get-customer';
+import { updateSubscriptionItemQuantity } from '@documenso/ee/server-only/stripe/update-subscription-item-quantity';
 import { prisma } from '@documenso/prisma';
-import { IdentityProvider } from '@documenso/prisma/client';
+import { IdentityProvider, Prisma, TeamMemberInviteStatus } from '@documenso/prisma/client';

+import { IS_BILLING_ENABLED } from '../../constants/app';
 import { SALT_ROUNDS } from '../../constants/auth';
-import { getFlag } from '../../universal/get-feature-flag';

 export interface CreateUserOptions {
  name: string;
@ -15,8 +16,6 @@ export interface CreateUserOptions {
 }

 export const createUser = async ({ name, email, password, signature }: CreateUserOptions) => {
-  const isBillingEnabled = await getFlag('app_billing');
-
  const hashedPassword = await hash(password, SALT_ROUNDS);

  const userExists = await prisma.user.findFirst({
@ -29,7 +28,7 @@ export const createUser = async ({ name, email, password, signature }: CreateUse
    throw new Error('User already exists');
  }

-  let user = await prisma.user.create({
+  const user = await prisma.user.create({
    data: {
      name,
      email: email.toLowerCase(),
@ -39,12 +38,81 @@ export const createUser = async ({ name, email, password, signature }: CreateUse
    },
  });

-  if (isBillingEnabled) {
+  const acceptedTeamInvites = await prisma.teamMemberInvite.findMany({
+    where: {
+      email: {
+        equals: email,
+        mode: Prisma.QueryMode.insensitive,
+      },
+      status: TeamMemberInviteStatus.ACCEPTED,
+    },
+  });
+
+  // For each team invite, add the user to the team and delete the team invite.
+  // If an error occurs, reset the invitation to not accepted.
+  await Promise.allSettled(
+    acceptedTeamInvites.map(async (invite) =>
+      prisma
+        .$transaction(async (tx) => {
+          await tx.teamMember.create({
+            data: {
+              teamId: invite.teamId,
+              userId: user.id,
+              role: invite.role,
+            },
+          });
+
+          await tx.teamMemberInvite.delete({
+            where: {
+              id: invite.id,
+            },
+          });
+
+          if (!IS_BILLING_ENABLED) {
+            return;
+          }
+
+          const team = await tx.team.findFirstOrThrow({
+            where: {
+              id: invite.teamId,
+            },
+            include: {
+              members: {
+                select: {
+                  id: true,
+                },
+              },
+              subscription: true,
+            },
+          });
+
+          if (team.subscription) {
+            await updateSubscriptionItemQuantity({
+              priceId: team.subscription.priceId,
+              subscriptionId: team.subscription.planId,
+              quantity: team.members.length,
+            });
+          }
+        })
+        .catch(async () => {
+          await prisma.teamMemberInvite.update({
+            where: {
+              id: invite.id,
+            },
+            data: {
+              status: TeamMemberInviteStatus.PENDING,
+            },
+          });
+        }),
+    ),
+  );
+
+  // Update the user record with a new or existing Stripe customer record.
+  if (IS_BILLING_ENABLED) {
    try {
-      const stripeSession = await getStripeCustomerByUser(user);
-      user = stripeSession.user;
-    } catch (e) {
-      console.error(e);
+      return await getStripeCustomerByUser(user).then((session) => session.user);
+    } catch (err) {
+      console.error(err);
    }
  }

--- a/packages/lib/server-only/user/find-user-security-audit-logs.ts
+++ b/packages/lib/server-only/user/find-user-security-audit-logs.ts
@ -0,0 +1,52 @@
+import type { FindResultSet } from '@documenso/lib/types/find-result-set';
+import { prisma } from '@documenso/prisma';
+import type { UserSecurityAuditLog, UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+export type FindUserSecurityAuditLogsOptions = {
+  userId: number;
+  type?: UserSecurityAuditLogType;
+  page?: number;
+  perPage?: number;
+  orderBy?: {
+    column: keyof Omit<UserSecurityAuditLog, 'id' | 'userId'>;
+    direction: 'asc' | 'desc';
+  };
+};
+
+export const findUserSecurityAuditLogs = async ({
+  userId,
+  type,
+  page = 1,
+  perPage = 10,
+  orderBy,
+}: FindUserSecurityAuditLogsOptions) => {
+  const orderByColumn = orderBy?.column ?? 'createdAt';
+  const orderByDirection = orderBy?.direction ?? 'desc';
+
+  const whereClause = {
+    userId,
+    type,
+  };
+
+  const [data, count] = await Promise.all([
+    prisma.userSecurityAuditLog.findMany({
+      where: whereClause,
+      skip: Math.max(page - 1, 0) * perPage,
+      take: perPage,
+      orderBy: {
+        [orderByColumn]: orderByDirection,
+      },
+    }),
+    prisma.userSecurityAuditLog.count({
+      where: whereClause,
+    }),
+  ]);
+
+  return {
+    data,
+    count,
+    currentPage: Math.max(page, 1),
+    perPage,
+    totalPages: Math.ceil(count / perPage),
+  } satisfies FindResultSet<typeof data>;
+};
--- a/packages/lib/server-only/user/reset-password.ts
+++ b/packages/lib/server-only/user/reset-password.ts
@ -1,16 +1,19 @@
 import { compare, hash } from 'bcrypt';

 import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';

 import { SALT_ROUNDS } from '../../constants/auth';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { sendResetPassword } from '../auth/send-reset-password';

 export type ResetPasswordOptions = {
  token: string;
  password: string;
+  requestMetadata?: RequestMetadata;
 };

-export const resetPassword = async ({ token, password }: ResetPasswordOptions) => {
+export const resetPassword = async ({ token, password, requestMetadata }: ResetPasswordOptions) => {
  if (!token) {
    throw new Error('Invalid token provided. Please try again.');
  }
@ -56,6 +59,14 @@ export const resetPassword = async ({ token, password }: ResetPasswordOptions) =
        userId: foundToken.userId,
      },
    }),
+    prisma.userSecurityAuditLog.create({
+      data: {
+        userId: foundToken.userId,
+        type: UserSecurityAuditLogType.PASSWORD_RESET,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    }),
  ]);

  await sendResetPassword({ userId: foundToken.userId });
--- a/packages/lib/server-only/user/update-password.ts
+++ b/packages/lib/server-only/user/update-password.ts
@ -1,19 +1,22 @@
 import { compare, hash } from 'bcrypt';

+import { SALT_ROUNDS } from '@documenso/lib/constants/auth';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { prisma } from '@documenso/prisma';
-
-import { SALT_ROUNDS } from '../../constants/auth';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';

 export type UpdatePasswordOptions = {
  userId: number;
  password: string;
  currentPassword: string;
+  requestMetadata?: RequestMetadata;
 };

 export const updatePassword = async ({
  userId,
  password,
  currentPassword,
+  requestMetadata,
 }: UpdatePasswordOptions) => {
  // Existence check
  const user = await prisma.user.findFirstOrThrow({
@ -39,14 +42,23 @@ export const updatePassword = async ({

  const hashedNewPassword = await hash(password, SALT_ROUNDS);

-  const updatedUser = await prisma.user.update({
-    where: {
-      id: userId,
-    },
-    data: {
-      password: hashedNewPassword,
-    },
-  });
+  return await prisma.$transaction(async (tx) => {
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId,
+        type: UserSecurityAuditLogType.PASSWORD_UPDATE,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });

-  return updatedUser;
+    return await tx.user.update({
+      where: {
+        id: userId,
+      },
+      data: {
+        password: hashedNewPassword,
+      },
+    });
+  });
 };
--- a/packages/lib/server-only/user/update-profile.ts
+++ b/packages/lib/server-only/user/update-profile.ts
@ -1,12 +1,21 @@
 import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+import type { RequestMetadata } from '../../universal/extract-request-metadata';

 export type UpdateProfileOptions = {
  userId: number;
  name: string;
  signature: string;
+  requestMetadata?: RequestMetadata;
 };

-export const updateProfile = async ({ userId, name, signature }: UpdateProfileOptions) => {
+export const updateProfile = async ({
+  userId,
+  name,
+  signature,
+  requestMetadata,
+}: UpdateProfileOptions) => {
  // Existence check
  await prisma.user.findFirstOrThrow({
    where: {
@ -14,15 +23,24 @@ export const updateProfile = async ({ userId, name, signature }: UpdateProfileOp
    },
  });

-  const updatedUser = await prisma.user.update({
-    where: {
-      id: userId,
-    },
-    data: {
-      name,
-      signature,
-    },
-  });
+  return await prisma.$transaction(async (tx) => {
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId,
+        type: UserSecurityAuditLogType.ACCOUNT_PROFILE_UPDATE,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });

-  return updatedUser;
+    return await tx.user.update({
+      where: {
+        id: userId,
+      },
+      data: {
+        name,
+        signature,
+      },
+    });
+  });
 };