From ee97ccbf460a97198d0af9f40629802bb67c40ae Mon Sep 17 00:00:00 2001
From: Maxime Lalo
Date: Fri, 24 Nov 2023 10:21:31 +0100
Subject: [PATCH] :sparkles: Checking sms code in login & hiding password in ressource

---
 package.json | 2 +-
 src/app/api/customer/AuthController.ts | 45 ++++++++++++++-----
 .../CustomersService/CustomersService.ts | 3 +-
 3 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/package.json b/package.json
index b9f73143..eaa73a16 100644
--- a/package.json
+++ b/package.json
@@ -56,7 +56,7 @@
 "file-type-checker": "^1.0.8",
 "fp-ts": "^2.16.1",
 "jsonwebtoken": "^9.0.0",
- "le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.95",
+ "le-coffre-resources": "git@github.com:smart-chain-fr/leCoffre-resources.git#v2.96",
 "module-alias": "^2.2.2",
 "monocle-ts": "^2.3.13",
 "multer": "^1.4.5-lts.1",
diff --git a/src/app/api/customer/AuthController.ts b/src/app/api/customer/AuthController.ts
index ad48db50..5492bd52 100644
--- a/src/app/api/customer/AuthController.ts
+++ b/src/app/api/customer/AuthController.ts
@@ -38,11 +38,10 @@ export default class AuthController extends ApiController {
 return;
 }
 
- // if code has more than 5mn, regenerate it
- if (
- !customer.smsCodeExpire ||
- (customer.smsCodeExpire && new Date().getTime() - customer.smsCodeExpire.getTime() > 5 * 60 * 1000)
- ) {
+ // if no sms code has been generated, generate it
+ // if code has expired, regenerate it
+ const now = new Date().getTime();
+ if (!customer.smsCodeExpire || now > customer.smsCodeExpire.getTime()) {
 customer = await this.customerService.generateSmsCode(customer);
 }
 
@@ -57,7 +56,7 @@ export default class AuthController extends ApiController {
 }
 
 try {
- this.httpSuccess(response, { email, customer });
+ this.httpSuccess(response, { info: "Sending a sms for a connection" });
 } catch (error) {
 console.log(error);
 this.httpInternalError(response);
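Review bot: The new condition correctly reuses a still-valid code, but nothing in this hunk limits how often the endpoint can be re-entered for the same email; the success message two hunks down ("Sending a sms for a connection") suggests every call sends an SMS, so anyone who knows a customer's email could trigger unbounded sends at the operator's expense. Gate resends on the existing code's age, e.g. reject with a "too many requests" error when `customer.smsCodeExpire` is still more than a few minutes away, or persist a last-sent timestamp and check it here. Also note in the comment that the TTL now lives elsewhere: `// expiry is set by CustomersService.generateSmsCode`. The enclosing method starts and ends outside this hunk.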
@@ -68,12 +67,19 @@ export default class AuthController extends ApiController {
 @Post("/api/v1/customer/login")
 protected async login(req: Request, response: Response) {
 const email = req.body["email"];
+ const smsCode = req.body["smsCode"];
 const password = req.body["password"];
+
 if (!email) {
 this.httpBadRequest(response, "Email is required");
 return;
 }
 
+ if (!smsCode) {
+ this.httpBadRequest(response, "Sms code is required");
+ return;
+ }
+
 if (!password) {
 this.httpBadRequest(response, "Password is required");
 return;
@@ -95,6 +101,21 @@ export default class AuthController extends ApiController {
 return;
 }
 
+ if (!customer.smsCode) {
+ this.httpBadRequest(response, "No sms code found");
+ return;
+ }
+
+ if (!customer.smsCodeExpire || new Date().getTime() > customer.smsCodeExpire.getTime()) {
+ this.httpBadRequest(response, "Sms code expired");
+ return;
+ }
+
+ if (customer.smsCode !== smsCode) {
+ this.httpBadRequest(response, "Invalid sms code");
+ return;
+ }
+
 if (!customer.password) {
 this.httpBadRequest(response, "Customer not registered");
 return;
@@ -108,7 +129,7 @@ export default class AuthController extends ApiController {
 }
 
 try {
- this.httpSuccess(response, { customer });
+ this.httpSuccess(response, { customer: Customer.hydrate(customer) });
 } catch (error) {
 console.log(error);
 this.httpInternalError(response);
@@ -153,6 +174,11 @@ export default class AuthController extends ApiController {
 return;
 }
 
+ if (customer.password) {
+ this.httpBadRequest(response, "Password already set, please login");
+ return;
+ }
+
 if (!customer.smsCode) {
 this.httpBadRequest(response, "No sms code found");
 return;
@@ -163,11 +189,6 @@ export default class AuthController extends ApiController {
 return;
 }
 
- if (customer.password) {
- this.httpBadRequest(response, "Password already set");
- return;
- }
-
 const hashedPassword = await this.authService.hashPassword(password);
 await this.customerService.setPassword(customer, hashedPassword);
 
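Review bot: `smsCode` is read from the body with only a truthiness check, so a numeric JSON value such as `{"smsCode": 123456}` passes here and then fails the strict `!==` against the stored string further down with a misleading "Invalid sms code", and an arbitrarily long string reaches that comparison unchanged. Validate the shape up front, right after the existence check: `if (typeof smsCode !== "string" || !/^\d{6}$/.test(smsCode)) { this.httpBadRequest(response, "Invalid sms code"); return; }`. The six-digit format matches what `generateSmsCode` produces in CustomersService. The body of `login` continues past the end of this hunk.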
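Review bot: The code is verified but never consumed: once `customer.smsCode !== smsCode` passes, nothing clears `smsCode` or `smsCodeExpire`, so the same six-digit code can be replayed for the rest of its five-minute window, and with no failed-attempt counter the 10^6 space is brute-forceable inside that window unless rate limiting exists elsewhere in the stack. After the match and before the password check, invalidate the code (a service method that persists `smsCode: null, smsCodeExpire: null`, or at least moves `smsCodeExpire` into the past) and expire it early after a small number of mismatches. The `!==` comparison also leaks timing; that is minor for a short numeric code but free to fix with `crypto.timingSafeEqual` on equal-length buffers once the input format is validated. The password verification that follows lies outside this hunk.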
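Review bot: Hiding the password here rests entirely on what `Customer.hydrate` strips; with the resources bump to v2.96 in package.json that is presumably where the exclusion lives, but nothing in this file shows that the serialized `customer` omits `password`, let alone `smsCode` and `smsCodeExpire`, which should not be echoed back either. Add a regression test asserting the login response body contains none of those keys, or build an explicit response object here instead of relying on the library's exclusions. A comment would make the dependency visible: `// Customer.hydrate() is relied on to drop password (and should drop smsCode) — defined in le-coffre-resources`.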
diff --git a/src/services/customer/CustomersService/CustomersService.ts b/src/services/customer/CustomersService/CustomersService.ts
index 6461e6e4..15e561fd 100644
--- a/src/services/customer/CustomersService/CustomersService.ts
+++ b/src/services/customer/CustomersService/CustomersService.ts
@@ -32,12 +32,13 @@ export default class CustomersService extends BaseService {
 */
 public async generateSmsCode(customer: Customer) {
 const smsCode = Math.floor(100000 + Math.random() * 900000);
+ const now = new Date();
 return await this.customerRepository.update(
 customer.uid as string,
 Customer.hydrate({
 ...customer,
 smsCode: smsCode.toString(),
- smsCodeExpire: new Date(now.getTime() + 5 * 60 * 1000),
 }),
 );
 }
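Review bot: The one-time code on the unchanged line just above the new `now` is drawn from `Math.random()`, which is not a cryptographically secure generator and is a weak basis for a login factor now that this code gates `login`. Use the CSPRNG from the standard library: `import { randomInt } from "node:crypto";` at the top of the file and `const smsCode = randomInt(100000, 1000000);` (upper bound exclusive, so the range stays 100000–999999 as before). The five-minute TTL is a bare literal; a named constant such as `const SMS_CODE_TTL_MS = 5 * 60 * 1000;` with a one-line comment would document it and keep it in one place, since AuthController now depends on this expiry rather than computing its own.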