Add magic link auth

.cursorrules

@@ -0,0 +1,76 @@
+You are a Senior Frontend Developer and an Expert in React, Next.js, tRPC, TypeScript, TailwindCSS, HTML and CSS. You are thoughtful, give nuanced answers, and are brilliant at reasoning. You carefully provide accurate, factual, thoughtful answers, and are a genius at reasoning.
+
+Follow the user’s requirements carefully & to the letter.
+
+- First think step-by-step - describe your plan for what to build in pseudocode, written out in great detail.
+- Confirm, then write code!
+- Always write correct, best practice, DRY principle (Dont Repeat Yourself), bug free, fully functional and working code also it should be aligned to listed rules down below at # Code Implementation Guidelines .
+- Focus on easy and readability code, over being performant.
+- Fully implement all requested functionality.
+- Leave NO todo’s, placeholders or missing pieces.
+- Ensure code is complete! Verify thoroughly finalised.
+- Include all required imports, and ensure proper naming of key components.
+- Be concise Minimize any other prose.
+- If you think there might not be a correct answer, you say so.
+- If you do not know the answer, say so, instead of guessing
+
+**Coding Environment**
+
+The user asks questions about the following coding languages and frameworks:
+
+- React
+- Next.js
+- Drizzle
+- tRPC
+- Vitest
+- TypeScript
+- TailwindCSS
+- HTML
+- CSS
+
+**Code Implementation Guidelines**
+
+Follow these rules when you write code:
+
+- Use early returns whenever possible to make the code more readable.
+- Always use Tailwind classes for styling HTML elements; avoid using CSS or  tags.
+- Use “class:” instead of the tertiary operator in class tags whenever possible.
+- Use descriptive variable and function/const names. Also, event functions should be named with a “handle” prefix, like “handleClick” for onClick and “handleKeyDown” for onKeyDown.
+- Implement accessibility features on elements. For example, a  tag should have a tabindex=“0”, aria-label, on:click, and on:keydown, and similar attributes.
+- Usefunctions instead of consts, for example, “function toggle() {}”. Also, define a type if possible.
+
+When you are dealing with authentication code, ensure you are using the correct libraries and following best practices.
+
+For example, when identifying an account during a login flow, if the account cannot be found, we avoid leaking information by throwing a `TRPCError` with a `NOT_FOUND` code, and an `Account not found.` message.
+
+**Test Implementation Guidelines**
+
+Follow these rules when you write tests:
+
+- Use Vitest, do not use Jest.
+- When you are testing for errors, use `waitError` to wait for the error to be thrown. For example:
+
+```
+import waitError from "@peated/server/lib/test/waitError";
+
+const err = await waitError(
+  caller.authPasswordResetConfirm({
+    token,
+    password: "testpassword",
+  }),
+);
+```
+
+- In addition to using `waitError`, utilize snapshots for the resulting error. For example, `expect(err).toMatchInlineSnapshot();`
+- Prefer dependency injection over mocking when the called functions make it possible.
+- When calling tRPC endpoints that are not expected to error, await on the caller. Do not test the Promise directly. For example:
+
+```
+const caller = createCaller();
+
+const data = await caller.authRegister({
+  username: "foo",
+  email: "[email protected]",
+  password: "example",
+});
+```

.vscode/settings.json

@@ -9,5 +9,6 @@
     "**/app/**/layout.tsx": "${dirname} - Layout",
     "**/component/**/index.tsx": "${dirname} - Component"
   },
-  "scm.showHistoryGraph": false
+  "scm.showHistoryGraph": false,
+  "makefile.configureOnOpen": false
 }

apps/server/src/lib/auth.ts

@@ -10,6 +10,7 @@
 import { serialize } from "../serializers";
 import { UserSerializer } from "../serializers/user";
 import { logError } from "./log";
+import { absoluteUrl } from "./urls";
 
 // I love to ESM.
 import type { JwtPayload } from "jsonwebtoken";
@@ -120,3 +121,22 @@
   if (!user) throw new Error("Unable to create user");
   return user;
 }
+
+export async function generateMagicLink(user: User, redirectTo = "/") {
+  const token = {
+    id: user.id,
+    email: user.email,
+    createdAt: new Date().toISOString(),
+  };
+
+  const signedToken = await signPayload(token);
+  const url = absoluteUrl(
+    config.URL_PREFIX,
+    `/auth/magic-link?token=${signedToken}&redirectTo=${encodeURIComponent(redirectTo)}`,
+  );
+
+  return {
+    token: signedToken,
+    url,
+  };
+}

apps/server/src/lib/email.ts

@@ -1,4 +1,5 @@
 import cuid2 from "@paralleldrive/cuid2";
+import { Template as MagicLinkEmailTemplate } from "@peated/email/templates/magicLinkEmail";
 import { Template as NewCommentTemplate } from "@peated/email/templates/newCommentEmail";
 import { Template as PasswordResetEmailTemplate } from "@peated/email/templates/passwordResetEmail";
 import { Template as VerifyEmailTemplate } from "@peated/email/templates/verifyEmail";
@@ -20,7 +21,7 @@
   type User,
 } from "../db/schema";
 import type { EmailVerifySchema, PasswordResetSchema } from "../schemas";
-import { signPayload } from "./auth";
+import { generateMagicLink, signPayload } from "./auth";
 import { logError } from "./log";
 
 let mailTransport: Transporter<SMTPTransport.SentMessageInfo>;
@@ -127,12 +128,11 @@
   for (const email of emailList) {
     try {
       await transport.sendMail({
-        from: `"${config.SMTP_FROM_NAME}" <${config.SMTP_FROM}>`,
+        ...getMailDefaults(),
         to: email,
         subject: "New Comment on Tasting",
         text: `View this comment on Peated: ${commentUrl}\n\n${comment.comment}`,
         html,
-        replyTo: `"${config.SMTP_FROM_NAME}" <${config.SMTP_REPLY_TO || config.SMTP_FROM}>`,
       });
     } catch (err) {
       logError(err);
@@ -147,6 +147,7 @@
   user: User;
   transport?: Transporter<SMTPTransport.SentMessageInfo>;
 }) {
+  // TODO: error out
   if (!hasEmailSupport()) return;
 
   if (!transport) {
@@ -167,13 +168,12 @@
 
   try {
     await transport.sendMail({
-      from: `"${config.SMTP_FROM_NAME}" <${config.SMTP_FROM}>`,
+      ...getMailDefaults(),
       to: user.email,
       subject: "Account Verification",
       // TODO:
       text: `Your account requires verification: ${verifyUrl}`,
       html,
-      replyTo: `"${config.SMTP_FROM_NAME}" <${config.SMTP_REPLY_TO || config.SMTP_FROM}>`,
     });
   } catch (err) {
     logError(err);
@@ -187,6 +187,7 @@
   user: User;
   transport?: Transporter<SMTPTransport.SentMessageInfo>;
 }) {
+  // TODO: error out
   if (!hasEmailSupport()) return;
 
   if (!transport) {
@@ -210,20 +211,55 @@
     PasswordResetEmailTemplate({ baseUrl: config.URL_PREFIX, resetUrl }),
   );
 
-  try {
-    await transport.sendMail({
-      from: `"${config.SMTP_FROM_NAME}" <${config.SMTP_FROM}>`,
-      to: user.email,
-      subject: "Reset Password",
-      // TODO:
-      text: `A password reset was requested for your account.\n\nIf you don't recognize this request, you can ignore this.\n\nTo continue: ${resetUrl}`,
-      html,
-      replyTo: `"${config.SMTP_FROM_NAME}" <${config.SMTP_REPLY_TO || config.SMTP_FROM}>`,
-      headers: {
-        References: `${cuid2.createId()}@peated.com`,
-      },
-    });
-  } catch (err) {
-    logError(err);
+  await transport.sendMail({
+    ...getMailDefaults(),
+    to: user.email,
+    subject: "Reset Password",
+    // TODO:
+    text: `A password reset was requested for your account.\n\nIf you don't recognize this request, you can ignore this.\n\nTo continue: ${resetUrl}`,
+    html,
+    headers: {
+      References: `${cuid2.createId()}@peated.com`,
+    },
+  });
+}
+
+export async function sendMagicLinkEmail({
+  user,
+  transport = mailTransport,
+}: {
+  user: User;
+  transport?: Transporter<SMTPTransport.SentMessageInfo>;
+}) {
+  // TODO: error out
+  if (!hasEmailSupport()) return;
+
+  if (!transport) {
+    if (!mailTransport) mailTransport = createMailTransport();
+    transport = mailTransport;
   }
+
+  const magicLink = await generateMagicLink(user);
+
+  const html = await render(
+    MagicLinkEmailTemplate({
+      baseUrl: config.URL_PREFIX,
+      magicLinkUrl: magicLink.url,
+    }),
+  );
+
+  await transport.sendMail({
+    ...getMailDefaults(),
+    to: user.email,
+    subject: "Magic Link for Peated",
+    text: `Click the following link to log in to Peated: ${magicLink.url}`,
+    html: html,
+  });
+}
+
+function getMailDefaults() {
+  return {
+    from: `"${config.SMTP_FROM_NAME}" <${config.SMTP_FROM}>`,
+    replyTo: `"${config.SMTP_FROM_NAME}" <${config.SMTP_REPLY_TO || config.SMTP_FROM}>`,
+  };
 }

apps/server/src/schemas/index.ts

@@ -12,6 +12,7 @@ export * from "./externalSites";
 export * from "./flights";
 export * from "./follows";
 export * from "./friends";
+export * from "./magicLink";
 export * from "./notifications";
 export * from "./regions";
 export * from "./reviews";

apps/server/src/schemas/magicLink.ts

@@ -0,0 +1,10 @@
+import { z } from "zod";
+import { zDatetime } from "./common";
+
+export const MagicLinkSchema = z.object({
+  id: z.number(),
+  email: z.string().email(),
+  createdAt: zDatetime,
+});
+
+export type MagicLink = z.infer<typeof MagicLinkSchema>;

apps/server/src/trpc/router.ts

@@ -4,6 +4,8 @@ import type { Context } from "./context";
 import auth from "./routes/auth";
 import authBasic from "./routes/authBasic";
 import authGoogle from "./routes/authGoogle";
+import authMagicLinkConfirm from "./routes/authMagicLinkConfirm";
+import authMagicLinkSend from "./routes/authMagicLinkSend";
 import authPasswordReset from "./routes/authPasswordReset";
 import authPasswordResetConfirm from "./routes/authPasswordResetConfirm";
 import authRegister from "./routes/authRegister";
@@ -118,6 +120,8 @@ export const appRouter = router({
   auth,
   authBasic,
   authGoogle,
+  authMagicLinkConfirm,
+  authMagicLinkSend,
   authRegister,
   authPasswordReset,
   authPasswordResetConfirm,

apps/server/src/trpc/routes/authMagicLinkConfirm.test.ts

@@ -0,0 +1,108 @@
+import { createAccessToken, verifyPayload } from "@peated/server/lib/auth";
+import waitError from "@peated/server/lib/test/waitError";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { createCaller } from "../router";
+
+// Mock the auth functions
+vi.mock("@peated/server/lib/auth", () => ({
+  createAccessToken: vi.fn(),
+  verifyPayload: vi.fn(),
+}));
+
+describe("authMagicLinkConfirm", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("confirms magic link for active user", async ({ fixtures }) => {
+    const user = await fixtures.User({ active: true, verified: false });
+    const caller = createCaller({ user: null });
+    const token = "valid-token";
+
+    vi.mocked(verifyPayload).mockResolvedValue({
+      id: user.id,
+      email: user.email,
+      createdAt: new Date().toISOString(),
+    });
+
+    vi.mocked(createAccessToken).mockResolvedValue("mocked-access-token");
+
+    const result = await caller.authMagicLinkConfirm({ token });
+
+    expect(result.user.id).toBe(user.id);
+    expect(result.user.verified).toBe(true);
+    expect(result.accessToken).toBe("mocked-access-token");
+    expect(createAccessToken).toHaveBeenCalledWith(
+      expect.objectContaining({ id: user.id }),
+    );
+  });
+
+  test("throws error for invalid token", async ({ fixtures }) => {
+    const caller = createCaller({ user: null });
+    const token = "invalid-token";
+
+    vi.mocked(verifyPayload).mockRejectedValue(new Error("Invalid token"));
+
+    const error = await waitError(caller.authMagicLinkConfirm({ token }));
+
+    expect(error).toMatchInlineSnapshot(
+      `[TRPCError: Invalid magic link token.]`,
+    );
+  });
+
+  test("throws error for expired token", async ({ fixtures }) => {
+    const user = await fixtures.User({ active: true });
+    const caller = createCaller({ user: null });
+    const token = "expired-token";
+
+    const expiredDate = new Date();
+    expiredDate.setMinutes(expiredDate.getMinutes() - 11); // 11 minutes ago
+
+    vi.mocked(verifyPayload).mockResolvedValue({
+      id: user.id,
+      email: user.email,
+      createdAt: expiredDate.toISOString(),
+    });
+
+    const error = await waitError(caller.authMagicLinkConfirm({ token }));
+
+    expect(error).toMatchInlineSnapshot(
+      `[TRPCError: Invalid magic link token.]`,
+    );
+  });
+
+  test("throws error for inactive user", async ({ fixtures }) => {
+    const user = await fixtures.User({ active: false });
+    const caller = createCaller({ user: null });
+    const token = "valid-token";
+
+    vi.mocked(verifyPayload).mockResolvedValue({
+      id: user.id,
+      email: user.email,
+      createdAt: new Date().toISOString(),
+    });
+
+    const error = await waitError(caller.authMagicLinkConfirm({ token }));
+
+    expect(error).toMatchInlineSnapshot(
+      `[TRPCError: Invalid magic link token.]`,
+    );
+  });
+
+  test("throws error for non-existent user", async ({ fixtures }) => {
+    const caller = createCaller({ user: null });
+    const token = "valid-token";
+
+    vi.mocked(verifyPayload).mockResolvedValue({
+      id: "non-existent-id",
+      email: "[email protected]",
+      createdAt: new Date().toISOString(),
+    });
+
+    const error = await waitError(caller.authMagicLinkConfirm({ token }));
+
+    expect(error).toMatchInlineSnapshot(
+      `[TRPCError: Invalid magic link token.]`,
+    );
+  });
+});