feat: add and use vfn identifier fn so we know which email

Author: karrui

apps/web/src/server/modules/auth/__tests__/auth.service.spec.ts

@@ -8,7 +8,7 @@ import { db } from '@acme/db'
 
 import * as mailService from '../../mail/mail.service'
 import { emailLogin, emailVerifyOtp } from '../auth.service'
-import { createAuthToken } from '../auth.utils'
+import { createAuthToken, createVfnIdentifier } from '../auth.utils'
 
 const mockedMailService = mock(mailService)
 
@@ -30,9 +30,10 @@ describe('auth.service', () => {
         otpPrefix: expect.any(String),
       })
 
-      // Verify token was created in database with nonce as identifier
+      // Verify token was created in database with vfnIdentifier
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       const token = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(token).toBeDefined()
       expect(mockedMailService.sendMail).toHaveBeenCalledWith({
@@ -49,17 +50,18 @@ describe('auth.service', () => {
       // First login
       await emailLogin({ email, nonce })
 
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       // Simulate failed attempts
       await db.verificationToken.update({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
         data: { attempts: 3 },
       })
 
       // Second login should reset attempts
       await emailLogin({ email, nonce })
 
       const token = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(token?.attempts).toBe(0)
     })
@@ -71,9 +73,10 @@ describe('auth.service', () => {
       await emailLogin({ email, nonce })
       await emailLogin({ email, nonce })
 
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       // Should only have one record
       const tokens = await db.verificationToken.findMany({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(tokens).toHaveLength(1)
     })
@@ -87,11 +90,13 @@ describe('auth.service', () => {
       await emailLogin({ email, nonce: nonce2 })
 
       // Should have two records with different nonces
+      const vfnIdentifier1 = createVfnIdentifier({ email, nonce: nonce1 })
+      const vfnIdentifier2 = createVfnIdentifier({ email, nonce: nonce2 })
       const token1 = await db.verificationToken.findUnique({
-        where: { identifier: nonce1 },
+        where: { identifier: vfnIdentifier1 },
       })
       const token2 = await db.verificationToken.findUnique({
-        where: { identifier: nonce2 },
+        where: { identifier: vfnIdentifier2 },
       })
 
       expect(token1).toBeDefined()
@@ -114,8 +119,9 @@ describe('auth.service', () => {
       ).resolves.not.toThrow()
 
       // Token should be deleted after successful verification
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       const verificationToken = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(verificationToken).toBeNull()
     })
@@ -137,11 +143,12 @@ describe('auth.service', () => {
 
       const { token, hashedToken } = createAuthToken({ email, nonce })
 
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       // Create a verification token with an old issuedAt date
       const oldDate = add(new Date(), { seconds: -700 }) // 700 seconds ago (beyond 600s expiry)
       await db.verificationToken.create({
         data: {
-          identifier: nonce,
+          identifier: vfnIdentifier,
           token: hashedToken,
           issuedAt: oldDate,
         },
@@ -159,17 +166,18 @@ describe('auth.service', () => {
 
       await emailLogin({ email, nonce })
 
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       // First attempt
       await expect(emailVerifyOtp({ email, token, nonce })).rejects.toThrow()
       let verificationToken = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(verificationToken?.attempts).toBe(1)
 
       // Second attempt
       await expect(emailVerifyOtp({ email, token, nonce })).rejects.toThrow()
       verificationToken = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(verificationToken?.attempts).toBe(2)
     })
@@ -210,8 +218,9 @@ describe('auth.service', () => {
       await emailVerifyOtp({ email, token, nonce })
 
       // Token should be deleted
+      const vfnIdentifier = createVfnIdentifier({ email, nonce })
       const verificationToken = await db.verificationToken.findUnique({
-        where: { identifier: nonce },
+        where: { identifier: vfnIdentifier },
       })
       expect(verificationToken).toBeNull()
     })
@@ -245,8 +254,9 @@ describe('auth.service', () => {
       ).rejects.toThrow('Invalid login email or missing nonce')
 
       // Original token should still exist
+      const vfnIdentifier1 = createVfnIdentifier({ email, nonce: nonce1 })
       const verificationToken = await db.verificationToken.findUnique({
-        where: { identifier: nonce1 },
+        where: { identifier: vfnIdentifier1 },
       })
       expect(verificationToken).toBeDefined()
     })

apps/web/src/server/modules/auth/__tests__/auth.utils.spec.ts

@@ -1,6 +1,65 @@
-import { createAuthToken, createVfnPrefix, isValidToken } from '../auth.utils'
+import {
+  createAuthToken,
+  createVfnIdentifier,
+  createVfnPrefix,
+  isValidToken,
+} from '../auth.utils'
 
 describe('auth.utils', () => {
+  describe('createVfnIdentifier', () => {
+    it('should create identifier in format "nonce:email"', () => {
+      const email = '[email protected]'
+      const nonce = 'test-nonce-123'
+
+      const identifier = createVfnIdentifier({ email, nonce })
+
+      expect(identifier).toBe('test-nonce-123:[email protected]')
+    })
+
+    it('should create different identifiers for different nonces with same email', () => {
+      const email = '[email protected]'
+      const nonce1 = 'nonce-1'
+      const nonce2 = 'nonce-2'
+
+      const identifier1 = createVfnIdentifier({ email, nonce: nonce1 })
+      const identifier2 = createVfnIdentifier({ email, nonce: nonce2 })
+
+      expect(identifier1).not.toBe(identifier2)
+      expect(identifier1).toBe('nonce-1:[email protected]')
+      expect(identifier2).toBe('nonce-2:[email protected]')
+    })
+
+    it('should handle special characters in email', () => {
+      const email = '[email protected]'
+      const nonce = 'test-nonce'
+
+      const identifier = createVfnIdentifier({ email, nonce })
+
+      expect(identifier).toBe('test-nonce:[email protected]')
+    })
+
+    it('should handle special characters in nonce', () => {
+      const email = '[email protected]'
+      const nonce = 'nonce-with-special_chars.123'
+
+      const identifier = createVfnIdentifier({ email, nonce })
+
+      expect(identifier).toBe('nonce-with-special_chars.123:[email protected]')
+    })
+
+    it('should create deterministic identifiers', () => {
+      const email = '[email protected]'
+      const nonce = 'test-nonce'
+
+      const identifier1 = createVfnIdentifier({ email, nonce })
+      const identifier2 = createVfnIdentifier({ email, nonce })
+      const identifier3 = createVfnIdentifier({ email, nonce })
+
+      expect(identifier1).toBe(identifier2)
+      expect(identifier2).toBe(identifier3)
+    })
+  })
+
   describe('createVfnPrefix', () => {
     it('should generate a 3-character prefix', () => {
       const prefix = createVfnPrefix()

apps/web/src/server/modules/auth/auth.service.ts

@@ -8,7 +8,12 @@ import { Prisma } from '@acme/db/client'
 import { env } from '~/env'
 import { getBaseUrl } from '~/utils/get-base-url'
 import { sendMail } from '../mail/mail.service'
-import { createAuthToken, createVfnPrefix, isValidToken } from './auth.utils'
+import {
+  createAuthToken,
+  createVfnIdentifier,
+  createVfnPrefix,
+  isValidToken,
+} from './auth.utils'
 
 export const emailLogin = async ({
   email,
@@ -22,17 +27,19 @@ export const emailLogin = async ({
 
   const url = new URL(getBaseUrl())
 
+  const vfnIdentifier = createVfnIdentifier({ email, nonce })
+
   const { issuedAt } = await db.verificationToken.upsert({
     where: {
-      identifier: nonce,
+      identifier: vfnIdentifier,
     },
     update: {
       token: hashedToken,
       attempts: 0,
       issuedAt: new Date(),
     },
     create: {
-      identifier: nonce,
+      identifier: vfnIdentifier,
       token: hashedToken,
       issuedAt: new Date(),
     },
@@ -69,11 +76,13 @@ export const emailVerifyOtp = async ({
   token: string
   nonce: string
 }) => {
+  const vfnIdentifier = createVfnIdentifier({ email, nonce })
+
   try {
     // Not in transaction, because we do not want it to rollback
     const hashedToken = await db.verificationToken.update({
       where: {
-        identifier: nonce,
+        identifier: vfnIdentifier,
       },
       data: {
         attempts: {
@@ -106,7 +115,7 @@ export const emailVerifyOtp = async ({
     // Valid token, delete record to prevent reuse
     return db.verificationToken.delete({
       where: {
-        identifier: nonce,
+        identifier: vfnIdentifier,
       },
     })
   } catch (error) {

apps/web/src/server/modules/auth/auth.utils.ts

@@ -14,6 +14,16 @@ export const createVfnPrefix = customAlphabet(
   OTP_PREFIX_LENGTH,
 )
 
+export const createVfnIdentifier = ({
+  email,
+  nonce,
+}: {
+  email: string
+  nonce: string
+}) => {
+  return `${nonce}:${email}`
+}
+
 const createTokenHash = ({
   token,
   email,