update website

Author: siddhsuresh

.gitignore copy

@@ -0,0 +1,56 @@
+# dependencies
+node_modules
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+.pnp.*
+.npm
+web_modules/
+
+# blitz
+/.blitz/
+/.next/
+*.sqlite
+*.sqlite-journal
+.now
+.blitz**
+blitz-log.log
+
+# misc
+.DS_Store
+
+# local env files
+.env.local
+.env.*.local
+.envrc
+
+# Logs
+logs
+*.log
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Testing
+.coverage
+*.lcov
+.nyc_output
+lib-cov
+
+# Caches
+*.tsbuildinfo
+.eslintcache
+.node_repl_history
+.yarn-integrity
+
+# Serverless directories
+.serverless/
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test

.npmrc

@@ -0,0 +1,8 @@
+save-exact=true
+legacy-peer-deps=true
+
+public-hoist-pattern[]=@tanstack/react-query
+public-hoist-pattern[]=next
+public-hoist-pattern[]=secure-password
+public-hoist-pattern[]=*jest*
+public-hoist-pattern[]=@testing-library/*

.prettierignore

@@ -0,0 +1,9 @@
+.gitkeep
+.env*
+*.ico
+*.lock
+db/migrations
+.next
+.yarn
+.pnp.*
+node_modules

app/auth/components/LoginForm.tsx

@@ -0,0 +1,59 @@
+import { AuthenticationError, PromiseReturnType } from "blitz"
+import Link from "next/link"
+import { LabeledTextField } from "app/core/components/LabeledTextField"
+import { Form, FORM_ERROR } from "app/core/components/Form"
+import login from "app/auth/mutations/login"
+import { Login } from "app/auth/validations"
+import { useMutation } from "@blitzjs/rpc"
+import { Routes } from "@blitzjs/next"
+
+type LoginFormProps = {
+  onSuccess?: (user: PromiseReturnType<typeof login>) => void
+}
+
+export const LoginForm = (props: LoginFormProps) => {
+  const [loginMutation] = useMutation(login)
+  return (
+    <div className="flex flex-col items-center justify-center" style={{height: "100vh"}}>
+      <h1>Login</h1>
+
+      <Form
+        submitText="Login"
+        schema={Login}
+        initialValues={{ email: "", password: "" }}
+        onSubmit={async (values) => {
+          try {
+            const user = await loginMutation(values)
+            props.onSuccess?.(user)
+          } catch (error: any) {
+            if (error instanceof AuthenticationError) {
+              return { [FORM_ERROR]: "Sorry, those credentials are invalid" }
+            } else {
+              return {
+                [FORM_ERROR]:
+                  "Sorry, we had an unexpected error. Please try again. - " + error.toString(),
+              }
+            }
+          }
+        }}
+      >
+        <LabeledTextField name="email" label="Email" placeholder="Email" />
+        <LabeledTextField name="password" label="Password" placeholder="Password" type="password" />
+        <div>
+          <Link href={Routes.ForgotPasswordPage()} passHref>
+            <a>Forgot your password?</a>
+          </Link>
+        </div>
+      </Form>
+
+      <div style={{ marginTop: "1rem" }}>
+        Or{" "}
+        <Link href={Routes.SignupPage()} passHref>
+          <a>Sign Up</a>
+        </Link>
+      </div>
+    </div>
+  )
+}
+
+export default LoginForm

app/auth/components/SignupForm.tsx

@@ -0,0 +1,42 @@
+import { LabeledTextField } from "app/core/components/LabeledTextField"
+import { Form, FORM_ERROR } from "app/core/components/Form"
+import signup from "app/auth/mutations/signup"
+import { Signup } from "app/auth/validations"
+import { useMutation } from "@blitzjs/rpc"
+
+type SignupFormProps = {
+  onSuccess?: () => void
+}
+
+export const SignupForm = (props: SignupFormProps) => {
+  const [signupMutation] = useMutation(signup)
+  return (
+    <div className="flex flex-col items-center justify-center" style={{height: "100vh"}}>
+      <h1>Create an Account</h1>
+
+      <Form
+        submitText="Create Account"
+        schema={Signup}
+        initialValues={{ email: "", password: "" }}
+        onSubmit={async (values) => {
+          try {
+            await signupMutation(values)
+            props.onSuccess?.()
+          } catch (error: any) {
+            if (error.code === "P2002" && error.meta?.target?.includes("email")) {
+              // This error comes from Prisma
+              return { email: "This email is already being used" }
+            } else {
+              return { [FORM_ERROR]: error.toString() }
+            }
+          }
+        }}
+      >
+        <LabeledTextField name="email" label="Email" placeholder="Email" />
+        <LabeledTextField name="password" label="Password" placeholder="Password" type="password" />
+      </Form>
+    </div>
+  )
+}
+
+export default SignupForm

app/auth/mutations/changePassword.ts

@@ -0,0 +1,25 @@
+import { NotFoundError } from "blitz"
+import db from "db"
+import { authenticateUser } from "./login"
+import { ChangePassword } from "../validations"
+import { resolver } from "@blitzjs/rpc"
+import { SecurePassword } from "@blitzjs/auth"
+
+export default resolver.pipe(
+  resolver.zod(ChangePassword),
+  resolver.authorize(),
+  async ({ currentPassword, newPassword }, ctx) => {
+    const user = await db.user.findFirst({ where: { id: ctx.session.userId as string } })
+    if (!user) throw new NotFoundError()
+
+    await authenticateUser(user.email, currentPassword)
+
+    const hashedPassword = await SecurePassword.hash(newPassword.trim())
+    await db.user.update({
+      where: { id: user.id },
+      data: { hashedPassword },
+    })
+
+    return true
+  }
+)

app/auth/mutations/forgotPassword.ts

@@ -0,0 +1,42 @@
+import { generateToken, hash256 } from "@blitzjs/auth"
+import { resolver } from "@blitzjs/rpc"
+import db from "db"
+import { forgotPasswordMailer } from "mailers/forgotPasswordMailer"
+import { ForgotPassword } from "../validations"
+
+const RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS = 4
+
+export default resolver.pipe(resolver.zod(ForgotPassword), async ({ email }) => {
+  // 1. Get the user
+  const user = await db.user.findFirst({ where: { email: email.toLowerCase() } })
+
+  // 2. Generate the token and expiration date.
+  const token = generateToken()
+  const hashedToken = hash256(token)
+  const expiresAt = new Date()
+  expiresAt.setHours(expiresAt.getHours() + RESET_PASSWORD_TOKEN_EXPIRATION_IN_HOURS)
+
+  // 3. If user with this email was found
+  if (user) {
+    // 4. Delete any existing password reset tokens
+    await db.token.deleteMany({ where: { type: "RESET_PASSWORD", userId: user.id } })
+    // 5. Save this new token in the database.
+    await db.token.create({
+      data: {
+        user: { connect: { id: user.id } },
+        type: "RESET_PASSWORD",
+        expiresAt,
+        hashedToken,
+        sentTo: user.email,
+      },
+    })
+    // 6. Send the email
+    await forgotPasswordMailer({ to: user.email, token }).send()
+  } else {
+    // 7. If no user found wait the same time so attackers can't tell the difference
+    await new Promise((resolve) => setTimeout(resolve, 750))
+  }
+
+  // 8. Return the same result whether a password reset email was sent or not
+  return
+})

app/auth/mutations/login.ts

@@ -0,0 +1,32 @@
+import { SecurePassword } from "@blitzjs/auth"
+import { resolver } from "@blitzjs/rpc"
+import { AuthenticationError } from "blitz"
+import db from "db"
+import { Role } from "types"
+import { Login } from "../validations"
+
+export const authenticateUser = async (rawEmail: string, rawPassword: string) => {
+  const { email, password } = Login.parse({ email: rawEmail, password: rawPassword })
+  const user = await db.user.findFirst({ where: { email } })
+  if (!user) throw new AuthenticationError()
+
+  const result = await SecurePassword.verify(user.hashedPassword, password)
+
+  if (result === SecurePassword.VALID_NEEDS_REHASH) {
+    // Upgrade hashed password with a more secure hash
+    const improvedHash = await SecurePassword.hash(password)
+    await db.user.update({ where: { id: user.id }, data: { hashedPassword: improvedHash } })
+  }
+
+  const { hashedPassword, ...rest } = user
+  return rest
+}
+
+export default resolver.pipe(resolver.zod(Login), async ({ email, password }, ctx) => {
+  // This throws an error if credentials are invalid
+  const user = await authenticateUser(email, password)
+
+  await ctx.session.$create({ userId: user.id, role: user.role as Role })
+
+  return user
+})

app/auth/mutations/logout.ts

@@ -0,0 +1,5 @@
+import { Ctx } from "blitz"
+
+export default async function logout(_: any, ctx: Ctx) {
+  return await ctx.session.$revoke()
+}

app/auth/mutations/resetPassword.ts

@@ -0,0 +1,48 @@
+import { SecurePassword, hash256 } from "@blitzjs/auth"
+import db from "db"
+import { ResetPassword } from "../validations"
+import login from "./login"
+
+export class ResetPasswordError extends Error {
+  name = "ResetPasswordError"
+  message = "Reset password link is invalid or it has expired."
+}
+
+export default async function resetPassword(input, ctx) {
+  ResetPassword.parse(input)
+  // 1. Try to find this token in the database
+  const hashedToken = hash256(input.token)
+  const possibleToken = await db.token.findFirst({
+    where: { hashedToken, type: "RESET_PASSWORD" },
+    include: { user: true },
+  })
+
+  // 2. If token not found, error
+  if (!possibleToken) {
+    throw new ResetPasswordError()
+  }
+  const savedToken = possibleToken
+
+  // 3. Delete token so it can't be used again
+  await db.token.delete({ where: { id: savedToken.id } })
+
+  // 4. If token has expired, error
+  if (savedToken.expiresAt < new Date()) {
+    throw new ResetPasswordError()
+  }
+
+  // 5. Since token is valid, now we can update the user's password
+  const hashedPassword = await SecurePassword.hash(input.password.trim())
+  const user = await db.user.update({
+    where: { id: savedToken.userId },
+    data: { hashedPassword },
+  })
+
+  // 6. Revoke all existing login sessions for this user
+  await db.session.deleteMany({ where: { userId: user.id } })
+
+  // 7. Now log the user in with the new credentials
+  await login({ email: user.email, password: input.password }, ctx)
+
+  return true
+}

app/auth/mutations/signup.ts

@@ -0,0 +1,21 @@
+import db from "db"
+import { SecurePassword } from "@blitzjs/auth"
+import { Role } from "types"
+
+export default async function signup(input, ctx) {
+  const blitzContext = ctx
+
+  const hashedPassword = await SecurePassword.hash((input.password as string) || "test-password")
+  const email = (input.email as string) || "test" + Math.random() + "@test.com"
+  const user = await db.user.create({
+    data: { email, hashedPassword, role: "user" },
+    select: { id: true, name: true, email: true, role: true },
+  })
+
+  await blitzContext.session.$create({
+    userId: user.id,
+    role: user.role as Role,
+  })
+
+  return { userId: blitzContext.session.userId, ...user, email: input.email }
+}