Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions src/admin/admin.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@
import {
Body,
Controller,
Delete,
Get,
NotFoundException,
Param,
Patch,
Post,
Expand All @@ -16,7 +18,7 @@
HttpStatus,
} from '@nestjs/common';
import { Response } from 'express';
import { ApiTags, ApiOperation, ApiQuery } from '@nestjs/swagger';

Check warning on line 21 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

'ApiQuery' is defined but never used

Check warning on line 21 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

'ApiOperation' is defined but never used
import { CurrentUser } from '../auth/decorators/current-user.decorator';
import { Roles } from '../auth/decorators/roles.decorator';
import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
Expand Down Expand Up @@ -53,17 +55,17 @@
) {}

@Get('dashboard')
getDashboard() {

Check warning on line 58 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

Missing return type on function

Check warning on line 58 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

Missing return type on function
return this.adminService.getDashboard();
}

@Get('backups')
listBackups() {

Check warning on line 63 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

Missing return type on function

Check warning on line 63 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

Missing return type on function
return this.adminService.listBackups();
}

@Get('backups/status')
getBackupStatus() {

Check warning on line 68 in src/admin/admin.controller.ts

View workflow job for this annotation

GitHub Actions / lint

Missing return type on function
return this.adminService.getBackupStatus();
}

Expand Down Expand Up @@ -274,4 +276,17 @@
note: 'This is a preview with sample data. Actual emails will use real data.',
};
}

@Delete('exports/:filename')
deleteExport(@Param('filename') filename: string) {
const filepath = path.join(process.cwd(), 'exports', filename);

if (!fs.existsSync(filepath)) {
throw new NotFoundException('Export file not found');
}

fs.unlinkSync(filepath);

return { message: 'Export file deleted successfully' };
}
}
1 change: 1 addition & 0 deletions src/auth/auth.service.captcha.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ describe('AuthService – CAPTCHA failure lockout', () => {
password: '$2b$10$invalidhash',
isBlocked: false,
isDeactivated: false,
isVerified: true,
twoFactorEnabled: false,
});

Expand Down
20 changes: 12 additions & 8 deletions src/auth/auth.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ import {
comparePassword,
createSha256,
generateBackupCodes,
getPasswordHistoryLimit,
hashPassword,
parseDuration,
randomBase32Secret,
Expand Down Expand Up @@ -116,7 +115,7 @@ export class AuthService {
throw new BadRequestException('A user with that email already exists');
}

const passwordErrors = validatePassword(data.password);
const passwordErrors = validatePassword(data.password, this.configService);
if (passwordErrors.length > 0) {
throw new BadRequestException(
`Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
Expand Down Expand Up @@ -175,7 +174,7 @@ export class AuthService {
* 2. CAPTCHA check: If failed attempts exceed threshold, require CAPTCHA to proceed.
* 3. Credentials check: (Performed in the main login method after preflight)
*/
private async preflightChecks(data: LoginDto): Promise<void> {
private async preflightChecks(data: LoginDto, ipAddress?: string, userAgent?: string): Promise<void> {
// Check if account is locked out
const isLocked = await this.rateLimitService.isAccountLocked(data.email);
if (isLocked) {
Expand Down Expand Up @@ -205,7 +204,7 @@ export class AuthService {
}

async login(data: LoginDto, ipAddress?: string, userAgent?: string) {
await this.preflightChecks(data);
await this.preflightChecks(data, ipAddress, userAgent);

const user = await this.usersService.findByEmail(data.email);
if (!user) {
Expand Down Expand Up @@ -704,7 +703,7 @@ export class AuthService {
}

async changePassword(user: AuthUserPayload, data: ChangePasswordDto) {
const passwordHistoryLimit = getPasswordHistoryLimit();
const passwordHistoryLimit = this.getPasswordHistoryLimit();
const existingUser = await this.prisma.user.findUnique({
where: { id: user.sub },
include: {
Expand All @@ -726,7 +725,7 @@ export class AuthService {
throw new UnauthorizedException('Current password is incorrect');
}

const passwordErrors = validatePassword(data.newPassword);
const passwordErrors = validatePassword(data.newPassword, this.configService);
if (passwordErrors.length > 0) {
throw new BadRequestException(
`Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
Expand Down Expand Up @@ -1335,9 +1334,9 @@ export class AuthService {
throw new BadRequestException('Account is blocked');
}

const passwordHistoryLimit = getPasswordHistoryLimit();
const passwordHistoryLimit = this.getPasswordHistoryLimit();

const passwordErrors = validatePassword(data.newPassword);
const passwordErrors = validatePassword(data.newPassword, this.configService);
if (passwordErrors.length > 0) {
throw new BadRequestException(
`Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
Expand Down Expand Up @@ -1437,6 +1436,11 @@ export class AuthService {
});
}

private getPasswordHistoryLimit(): number {
const parsed = Number(this.configService.get('PASSWORD_HISTORY_LIMIT') ?? 5);
return Number.isFinite(parsed) && parsed > 0 ? parsed : 5;
}

private async verifyCaptcha(token: string): Promise<boolean> {
const secret = this.configService.get<string>('RECAPTCHA_SECRET');
if (!secret) {
Expand Down
20 changes: 11 additions & 9 deletions src/auth/password.utils.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
// @ts-nocheck

import { ConfigService } from '@nestjs/config';

export type PasswordPolicy = {
minLength: number;
requireUppercase: boolean;
Expand All @@ -9,22 +11,22 @@ export type PasswordPolicy = {
specialChars?: string;
};

export function getPasswordPolicy(): PasswordPolicy {
const minLength = Number(process.env.PASSWORD_MIN_LENGTH ?? 8);
export function getPasswordPolicy(configService: ConfigService): PasswordPolicy {
const minLength = Number(configService.get('PASSWORD_MIN_LENGTH') ?? 8);
return {
minLength: Number.isFinite(minLength) && minLength > 0 ? minLength : 8,
requireUppercase: (process.env.PASSWORD_REQUIRE_UPPERCASE ?? 'true') === 'true',
requireLowercase: (process.env.PASSWORD_REQUIRE_LOWERCASE ?? 'true') === 'true',
requireDigit: (process.env.PASSWORD_REQUIRE_DIGIT ?? 'true') === 'true',
requireSpecial: (process.env.PASSWORD_REQUIRE_SPECIAL ?? 'true') === 'true',
requireUppercase: (configService.get('PASSWORD_REQUIRE_UPPERCASE') ?? 'true') === 'true',
requireLowercase: (configService.get('PASSWORD_REQUIRE_LOWERCASE') ?? 'true') === 'true',
requireDigit: (configService.get('PASSWORD_REQUIRE_DIGIT') ?? 'true') === 'true',
requireSpecial: (configService.get('PASSWORD_REQUIRE_SPECIAL') ?? 'true') === 'true',
specialChars:
process.env.PASSWORD_SPECIAL_CHARS ?? '!@#$%^&*()_+-=[]{}|;:\",./<>?'.slice(0, 32),
configService.get('PASSWORD_SPECIAL_CHARS') ?? '!@#$%^&*()_+-=[]{}|;:\",./<>?'.slice(0, 32),
};
}

export function validatePassword(password: string): string[] {
export function validatePassword(password: string, configService: ConfigService): string[] {
const errors: string[] = [];
const policy = getPasswordPolicy();
const policy = getPasswordPolicy(configService);

if (!password || password.length < policy.minLength) {
errors.push(`Password must be at least ${policy.minLength} characters long`);
Expand Down
5 changes: 0 additions & 5 deletions src/auth/security.utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -78,11 +78,6 @@ export function generateBackupCodes(count = 8): string[] {
return Array.from({ length: count }, () => randomBytes(4).toString('hex').toUpperCase());
}

export function getPasswordHistoryLimit(): number {
const parsed = Number(process.env.PASSWORD_HISTORY_LIMIT ?? 5);
return Number.isFinite(parsed) && parsed > 0 ? parsed : 5;
}

export function verifyBackupCode(candidate: string, backupCodeHashes: string[]) {
const digest = createSha256(candidate.trim().toUpperCase());
const digestBuffer = Buffer.from(digest);
Expand Down
6 changes: 6 additions & 0 deletions src/blockchain/blockchain.service.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,14 @@ describe('BlockchainService', () => {
});

it('should produce different hashes for different data', () => {
const ts = 1716812345678;
const data1 = {
transactionId: 'tx-123',
propertyId: 'prop-456',
buyerAddress: '0xBuyer',
sellerAddress: '0xSeller',
amount: 1000,
timestamp: ts,
};

const data2 = {
Expand All @@ -89,6 +91,7 @@ describe('BlockchainService', () => {
buyerAddress: '0xBuyer',
sellerAddress: '0xSeller',
amount: 1000,
timestamp: ts,
};

const hash1 = service.generateBlockchainHash(data1);
Expand All @@ -98,12 +101,14 @@ describe('BlockchainService', () => {
});

it('should handle address normalization', () => {
const ts = 1716812345678;
const data1 = {
transactionId: 'tx-123',
propertyId: 'prop-456',
buyerAddress: '0xBUYER',
sellerAddress: '0xSELLER',
amount: 1000,
timestamp: ts,
};

const data2 = {
Expand All @@ -112,6 +117,7 @@ describe('BlockchainService', () => {
buyerAddress: '0xbuyer',
sellerAddress: '0xseller',
amount: 1000,
timestamp: ts,
};

const hash1 = service.generateBlockchainHash(data1);
Expand Down
27 changes: 22 additions & 5 deletions src/transactions/transactions.service.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -256,14 +256,31 @@ describe('TransactionsService', () => {
expect(result.volumeTrends).toEqual([]);
});

it('should reject date ranges larger than 365 days', async () => {
it('should cap date ranges larger than maxDays', async () => {
const startDate = new Date('2025-01-01T00:00:00.000Z');
const endDate = new Date('2026-01-02T00:00:00.000Z');
const cappedEnd = new Date(startDate);
cappedEnd.setDate(cappedEnd.getDate() + 365);

await expect(
service.getAnalytics({ startDate, endDate, granularity: TransactionAnalyticsGranularity.MONTH }),
).rejects.toThrow(BadRequestException);
expect(prisma.transaction.findMany).not.toHaveBeenCalled();
mockPrismaService.transaction.findMany.mockResolvedValue([]);

const result = await service.getAnalytics({
startDate,
endDate,
granularity: TransactionAnalyticsGranularity.MONTH,
});

expect(prisma.transaction.findMany).toHaveBeenCalledWith(
expect.objectContaining({
where: expect.objectContaining({
createdAt: expect.objectContaining({
gte: startDate,
lte: cappedEnd,
}),
}),
}),
);
expect(result.totalTransactions).toBe(0);
});
});
});
8 changes: 1 addition & 7 deletions src/transactions/transactions.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -318,15 +318,9 @@ export class TransactionsService {
const maxDays = query.maxDays ?? 365;

if (query.startDate && query.endDate) {
const maxRangeMs = 365 * 24 * 60 * 60 * 1000;
const durationMs = query.endDate.getTime() - query.startDate.getTime();

if (durationMs < 0) {
if (query.endDate.getTime() < query.startDate.getTime()) {
throw new BadRequestException('endDate must be on or after startDate');
}
if (durationMs > maxRangeMs) {
throw new BadRequestException('Date range cannot exceed 365 days');
}
}

if (query.type) {
Expand Down
22 changes: 21 additions & 1 deletion src/users/users.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ import {
Delete,
ForbiddenException,
Get,
GoneException,
HttpException,
HttpStatus,
InternalServerErrorException,
NotFoundException,
Expand All @@ -27,6 +29,7 @@ import { CurrentUser } from '../auth/decorators/current-user.decorator';
import { AuthUserPayload } from '../auth/types/auth-user.type';
import { UserRole } from '../types/prisma.types';
import { UsersService } from './users.service';
import { ActivityLogService } from './activity-log.service';
import {
CreateUserDto,
SearchUsersDto,
Expand All @@ -41,7 +44,10 @@ const UNAUTHORIZED_ACTION_MESSAGE = 'You are not authorized to perform this acti

@Controller('users')
export class UsersController {
constructor(private readonly usersService: UsersService) {}
constructor(
private readonly usersService: UsersService,
private readonly activityLogService: ActivityLogService,
) {}

// ─── Admin Endpoints ─────────────────────────────────────────────

Expand Down Expand Up @@ -167,12 +173,26 @@ export class UsersController {
throw new NotFoundException('Export file not found');
}

const stats = fs.statSync(filepath);
const expirationTime = 24 * 60 * 60 * 1000;
if (Date.now() - stats.mtimeMs > expirationTime) {
throw new GoneException('Export file has expired');
}

const ownerId = this.extractExportOwnerId(filename);

if (user.sub !== ownerId && user.role !== UserRole.ADMIN) {
throw new ForbiddenException(UNAUTHORIZED_ACTION_MESSAGE);
}

this.activityLogService.create(user.sub, {
action: 'EXPORT_DOWNLOAD',
entityType: 'USER',
entityId: ownerId,
description: `Downloaded export file: ${filename}`,
metadata: { filename, ownerId },
});

res.download(filepath, (err) => {
if (err && !res.headersSent) {
res.status(HttpStatus.INTERNAL_SERVER_ERROR).send({
Expand Down
Loading
Loading