Chore/unit tests use cases

.env.example

@@ -9,6 +9,9 @@ ACCESS_TOKEN_SECRET_KEY=your_access_token_secret
 ACCESS_TOKEN_EXPIRES_IN=900
 REFRESH_TOKEN_EXPIRES_IN=1800
 
+# OTP Configuration
+OTP_EXPIRY_SECONDS=600
+
 # Cookie Configuration
 COOKIE_SECRET=your_cookie_secret
 

src/core/ports/services/auth-token.port.ts

@@ -22,8 +22,8 @@ export interface TokenResult {
     /** The opaque random refresh token string. */
     refreshToken: string;
 
-    /** The date at which the refresh token expires. */
-    refreshTokenExpiresAt: Date;
+    /** The Unix timestamp (in seconds) at which the refresh token expires. */
+    refreshTokenExpiresAt: number;
 }
 
 /**

src/core/ports/services/crypto.port.ts

@@ -25,4 +25,13 @@ export interface CryptoPort {
      * @returns A hex-encoded string of the specified byte length.
      */
     generateRandomHex(bytes: number): string;
+
+    /**
+     * Compares two strings in constant time to prevent timing attacks.
+     *
+     * @param a - First string to compare.
+     * @param b - Second string to compare.
+     * @returns True if the strings are equal, false otherwise.
+     */
+    timingSafeEqual(a: string, b: string): boolean;
 }

src/core/ports/services/transaction.port.ts

@@ -5,6 +5,7 @@ import type { ICommentRepository } from "@core/ports/repositories/comment.reposi
 import type { IPostLikeRepository } from "@core/ports/repositories/post-like.repository";
 import type { INotificationRepository } from "@core/ports/repositories/notification.repository";
 import type { IBookmarkRepository } from "../repositories/bookmark.repository";
+import type { IVerificationTokenRepository } from "@core/ports/repositories/verification-token.repository";
 
 /**
  * Provides transactional access to repositories within a single atomic operation.
@@ -29,6 +30,8 @@ export interface TransactionContext {
     readonly notificationRepository: INotificationRepository;
     /** */
     readonly bookmarkRepository: IBookmarkRepository;
+    /** Repository for verification token operations within the transaction. */
+    readonly verificationTokenRepository: IVerificationTokenRepository;
 }
 
 /**

src/core/use-cases/auth/auth.mapper.ts

@@ -35,12 +35,12 @@ export class AuthMapper {
         accessToken: string;
         expiresAt: number;
         refreshToken: string;
-        refreshTokenExpiresAt: Date;
+        refreshTokenExpiresAt: number;
     }): {
         accessToken: string;
         expiresAt: number;
         refreshToken: string;
-        refreshTokenExpiresAt: Date;
+        refreshTokenExpiresAt: number;
     } {
         return {
             accessToken: tokens.accessToken,
@@ -61,14 +61,14 @@ export class AuthMapper {
         accessToken: string;
         expiresAt: number;
         refreshToken: string;
-        refreshTokenExpiresAt: Date;
+        refreshTokenExpiresAt: number;
     }): {
         user: { id: string; username: string };
         tokens: {
             accessToken: string;
             expiresAt: number;
             refreshToken: string;
-            refreshTokenExpiresAt: Date;
+            refreshTokenExpiresAt: number;
         };
     } {
         return {

src/core/use-cases/auth/forgot-password/forgot-password.usecase.ts

@@ -25,6 +25,7 @@ export class ForgotPasswordUseCase {
         private readonly verificationTokenRepository: IVerificationTokenRepository,
         private readonly emailService: EmailPort,
         private readonly cryptoService: CryptoPort,
+        private readonly otpExpirySeconds: number = 10 * 60,
     ) {}
 
     /**
@@ -54,10 +55,7 @@ export class ForgotPasswordUseCase {
 
         const otp = this.cryptoService.generateOtp(8);
         const tokenHash = this.cryptoService.hashOtp(otp);
-        /**
-         * It can then be done from the .env file.
-         */
-        const expiresAt = new Date(Date.now() + 10 * 60 * 1000);
+        const expiresAt = new Date(Date.now() + this.otpExpirySeconds * 1000);
 
         await this.verificationTokenRepository.upsert({
             userId: user.id,

src/core/use-cases/auth/login/login.output.ts

@@ -24,7 +24,7 @@ export interface LoginOutput {
         expiresAt: number;
         /** Long-lived token used to obtain new access tokens */
         refreshToken: string;
-        /** Date indicating when the refresh token expires */
-        refreshTokenExpiresAt: Date;
+        /** Unix timestamp (in seconds) indicating when the refresh token expires */
+        refreshTokenExpiresAt: number;
     };
 }

src/core/use-cases/auth/login/login.usecase.ts

@@ -90,7 +90,7 @@ export class LoginUseCase {
             userId: user.id,
             deviceIp: input.deviceIp,
             userAgent: input.userAgent,
-            expiresAt: refreshTokenExpiresAt,
+            expiresAt: new Date(refreshTokenExpiresAt * 1000),
         });
 
         return {

src/core/use-cases/auth/logout/logout.usecase.ts

@@ -1,5 +1,5 @@
 import type { AuthTokenPort } from "@core/ports/services/auth-token.port";
-import type { TransactionPort } from "@core/ports/services/transaction.port";
+import type { IRefreshTokenRepository } from "@core/ports/repositories/refresh-token.repository";
 import type { LogoutInput } from "./logout.input";
 
 /**
@@ -12,11 +12,11 @@ export class LogoutUseCase {
     /**
      * Creates a new instance of LogoutUseCase.
      *
-     * @param transactionService - Service for managing database transactions
+     * @param refreshTokenRepository - Repository for refresh token operations
      * @param authTokenService - Service for token operations
      */
     constructor(
-        private readonly transactionService: TransactionPort,
+        private readonly refreshTokenRepository: IRefreshTokenRepository,
         private readonly authTokenService: AuthTokenPort,
     ) {}
 
@@ -28,26 +28,20 @@ export class LogoutUseCase {
      *
      * @remarks
      * If no token is provided, the method returns silently.
-     * The operation is performed within a database transaction to ensure consistency.
+     * If the token is not found or already revoked, the method returns silently.
      */
     async execute(input: LogoutInput): Promise<void> {
         if (!input.token) {
             return;
         }
 
-        await this.transactionService.runInTransaction(async (ctx) => {
-            const tokenHash = this.authTokenService.hashRefreshSecret(
-                input.token,
-            );
+        const tokenHash = this.authTokenService.hashRefreshSecret(input.token);
+        const currentToken =
+            await this.refreshTokenRepository.findByTokenHash(tokenHash);
 
-            const currentToken =
-                await ctx.refreshTokenRepository.findByTokenHash(tokenHash);
-
-            if (currentToken && !currentToken.isRevoked) {
-                currentToken.revoke();
-
-                await ctx.refreshTokenRepository.update(currentToken);
-            }
-        });
+        if (currentToken && !currentToken.isRevoked) {
+            currentToken.revoke();
+            await this.refreshTokenRepository.update(currentToken);
+        }
     }
 }

src/core/use-cases/auth/recover-account/recover-account.input.ts

@@ -6,4 +6,12 @@ export interface RecoverAccountInput {
      * The token used to recover the account
      */
     recoveryToken: string;
+    /**
+     * The IP address of the device making the recovery request
+     */
+    deviceIp: string;
+    /**
+     * The user agent string of the device making the recovery request
+     */
+    userAgent: string;
 }

src/core/use-cases/auth/recover-account/recover-account.usecase.ts

@@ -1,9 +1,10 @@
 import type { IUserRepository } from "@core/ports/repositories/user.repository";
+import type { IRefreshTokenRepository } from "@core/ports/repositories/refresh-token.repository";
 import type {
     AuthTokenPort,
     RecoveryPayload,
 } from "@core/ports/services/auth-token.port";
-import { UnauthorizedError, BadRequestError } from "@core/errors";
+import { UnauthorizedError } from "@core/errors";
 import { type LoginOutput } from "../login/login.output";
 import type { RecoverAccountInput } from "./recover-account.input";
 import { AuthMapper } from "../auth.mapper";
@@ -19,10 +20,12 @@ export class RecoverAccountUseCase {
      * Creates a new instance of RecoverAccountUseCase.
      *
      * @param userRepository - Repository for managing user data
+     * @param refreshTokenRepository - Repository for persisting refresh tokens
      * @param authTokenService - Service for token operations
      */
     constructor(
         private readonly userRepository: IUserRepository,
+        private readonly refreshTokenRepository: IRefreshTokenRepository,
         private readonly authTokenService: AuthTokenPort,
     ) {}
 
@@ -58,15 +61,27 @@ export class RecoverAccountUseCase {
 
         const user = await this.userRepository.findById(userId);
 
-        if (!user) {
-            throw new BadRequestError("User not found.");
+        if (!user || !user.isDeleted()) {
+            throw new UnauthorizedError("Invalid or expired recovery token.");
         }
 
         await this.userRepository.restoreById(user.id);
 
-        const tokens = this.authTokenService.generate({
-            id: user.id,
-            username: user.username,
+        const { accessToken, expiresAt, refreshToken, refreshTokenExpiresAt } =
+            this.authTokenService.generate({
+                id: user.id,
+                username: user.username,
+            });
+
+        const refreshTokenHash =
+            this.authTokenService.hashRefreshSecret(refreshToken);
+
+        await this.refreshTokenRepository.create({
+            tokenHash: refreshTokenHash,
+            userId: user.id,
+            deviceIp: input.deviceIp,
+            userAgent: input.userAgent,
+            expiresAt: new Date(refreshTokenExpiresAt * 1000),
         });
 
         return {
@@ -76,10 +91,10 @@ export class RecoverAccountUseCase {
                 isEmailVerified: user.isEmailVerified,
             },
             tokens: AuthMapper.toTokenOutput({
-                accessToken: tokens.accessToken,
-                expiresAt: tokens.expiresAt,
-                refreshToken: tokens.refreshToken,
-                refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
+                accessToken,
+                expiresAt,
+                refreshToken,
+                refreshTokenExpiresAt,
             }),
         };
     }

src/core/use-cases/auth/refresh/refresh.output.ts

@@ -4,7 +4,7 @@ import type { UserPayload } from "@core/ports/services/auth-token.port";
  * @property {string} accessToken - The new access token for the user
  * @property {number} expiresAt - The timestamp when the access token expires
  * @property {string} refreshToken - The new refresh token for the user
- * @property {Date} refreshTokenExpiresAt - The expiration date of the new refresh token
+ * @property {number} refreshTokenExpiresAt - The Unix timestamp (in seconds) of the new refresh token expiration
  * @property {UserPayload} user - The payload containing user information included in the token
  */
 export interface RefreshOutput {
@@ -23,7 +23,7 @@ export interface RefreshOutput {
     /**
      * The expiration date of the new refresh token, used by clients to know when they need to prompt the user to log in again
      */
-    refreshTokenExpiresAt: Date;
+    refreshTokenExpiresAt: number;
     /**
      * The payload containing user information included in the token, which can be used by clients to display user info without needing to decode the token themselves
      */

src/core/use-cases/auth/refresh/refresh.usecase.ts

@@ -93,7 +93,7 @@ export class RefreshUseCase {
                 userId: user.id,
                 deviceIp: input.deviceIp,
                 userAgent: input.userAgent,
-                expiresAt: refreshTokenExpiresAt,
+                expiresAt: new Date(refreshTokenExpiresAt * 1000),
             });
 
             return {

src/core/use-cases/auth/reset-password/reset-password.usecase.ts

@@ -1,9 +1,10 @@
 import { BadRequestError } from "@core/errors";
 import type { IUserRepository } from "@core/ports/repositories/user.repository";
 import type { IVerificationTokenRepository } from "@core/ports/repositories/verification-token.repository";
-import type { PasswordService } from "@infrastructure/security/password.service";
+import type { PasswordPort } from "@core/ports/services/password.port";
 import { TokenType } from "@core/domain/enums/token-type.enum";
 import type { CryptoPort } from "@core/ports/services/crypto.port";
+import type { TransactionPort } from "@core/ports/services/transaction.port";
 import type { ResetPasswordInput } from "./reset-password.input";
 
 /**
@@ -26,8 +27,9 @@ export class ResetPasswordUseCase {
     constructor(
         private readonly userRepository: IUserRepository,
         private readonly verificationTokenRepository: IVerificationTokenRepository,
-        private readonly passwordService: PasswordService,
+        private readonly passwordService: PasswordPort,
         private readonly cryptoService: CryptoPort,
+        private readonly transactionService: TransactionPort,
     ) {}
 
     /**
@@ -67,7 +69,12 @@ export class ResetPasswordUseCase {
 
         const hashedInputOtp = this.cryptoService.hashOtp(input.otp);
 
-        if (hashedInputOtp !== verificationToken.tokenHash) {
+        if (
+            !this.cryptoService.timingSafeEqual(
+                hashedInputOtp,
+                verificationToken.tokenHash,
+            )
+        ) {
             throw new BadRequestError(this.GENERIC_ERROR);
         }
 
@@ -77,7 +84,9 @@ export class ResetPasswordUseCase {
 
         user.hashPassword = newPasswordHash;
 
-        await this.userRepository.update(user);
-        await this.verificationTokenRepository.delete(verificationToken.id);
+        await this.transactionService.runInTransaction(async (ctx) => {
+            await ctx.userRepository.update(user);
+            await ctx.verificationTokenRepository.delete(verificationToken.id);
+        });
     }
 }

src/core/use-cases/auth/send-verification-email/send-verification-email.usecase.ts

@@ -26,6 +26,7 @@ export class SendVerificationEmailUseCase {
         private readonly verificationTokenRepository: IVerificationTokenRepository,
         private readonly emailService: EmailPort,
         private readonly cryptoService: CryptoPort,
+        private readonly otpExpirySeconds: number = 10 * 60,
     ) {}
 
     /**
@@ -55,7 +56,7 @@ export class SendVerificationEmailUseCase {
 
         const hashedOtp = this.cryptoService.hashOtp(plainOtp);
 
-        const expiresAt = new Date(Date.now() + 10 * 60 * 1000);
+        const expiresAt = new Date(Date.now() + this.otpExpirySeconds * 1000);
 
         await this.verificationTokenRepository.upsert({
             userId: user.id,

src/core/use-cases/auth/verify-email/verify-email.usecase.ts

@@ -3,6 +3,7 @@ import type { IUserRepository } from "@core/ports/repositories/user.repository";
 import type { IVerificationTokenRepository } from "@core/ports/repositories/verification-token.repository";
 import { TokenType } from "@core/domain/enums/token-type.enum";
 import { type CryptoPort } from "@core/ports/services/crypto.port";
+import type { TransactionPort } from "@core/ports/services/transaction.port";
 import type { VerifyEmailInput } from "./verify-email.input";
 /**
  * Use case for verifying a user's email address using a one-time password (OTP)
@@ -20,6 +21,7 @@ export class VerifyEmailUseCase {
         private readonly userRepository: IUserRepository,
         private readonly verificationTokenRepository: IVerificationTokenRepository,
         private readonly cryptoService: CryptoPort,
+        private readonly transactionService: TransactionPort,
     ) {}
     /**
      * Executes the email verification process for a user based on the provided input
@@ -56,14 +58,20 @@ export class VerifyEmailUseCase {
         }
 
         const hashedInputOtp = this.cryptoService.hashOtp(input.otp);
-        if (hashedInputOtp !== verificationToken.tokenHash) {
+        if (
+            !this.cryptoService.timingSafeEqual(
+                hashedInputOtp,
+                verificationToken.tokenHash,
+            )
+        ) {
             throw new BadRequestError("Invalid verification code.");
         }
 
         user.verifyEmail();
 
-        await this.userRepository.update(user);
-
-        await this.verificationTokenRepository.delete(verificationToken.id);
+        await this.transactionService.runInTransaction(async (ctx) => {
+            await ctx.userRepository.update(user);
+            await ctx.verificationTokenRepository.delete(verificationToken.id);
+        });
     }
 }