Feat: Add authentication methods

api/cmd/api/main.go

@@ -44,7 +44,11 @@ func main() {
 		os.Exit(1)
 	}
 
-	sqlDB, _ := db.DB()
+	sqlDB, err := db.DB()
+	if err != nil {
+		log.Error("get underlying sql.DB", "error", err)
+		os.Exit(1)
+	}
 	defer sqlDB.Close()
 
 	// Redis
@@ -86,6 +90,7 @@ func main() {
 		Queue:           queuePublisher,
 		Minio:           mc,
 		CORSAllowOrigin: cfg.CORSAllowOrigin,
+		AppBaseURL:      cfg.AppBaseURL,
 	})
 
 	// Start task consumer when RabbitMQ is available

api/internal/auth/service.go

@@ -18,17 +18,27 @@ var (
 	ErrInvalidCredentials = errors.New("invalid email or password")
 	ErrEmailTaken         = errors.New("email already registered")
 	ErrUsernameTaken      = errors.New("username already taken")
+	ErrResetTokenInvalid  = errors.New("invalid or expired reset token")
 )
 
 const bcryptCost = 12
 
+// dummyHash is used for timing-safe responses when a user is not found.
+var dummyHash []byte
+
+func init() {
+	h, _ := bcrypt.GenerateFromPassword([]byte("timing-safe-dummy"), bcryptCost)
+	dummyHash = h
+}
+
 type Service struct {
-	userStore    *store.UserStore
-	sessionStore *store.SessionStore
+	userStore       *store.UserStore
+	sessionStore    *store.SessionStore
+	resetTokenStore *store.PasswordResetTokenStore
 }
 
-func NewService(userStore *store.UserStore, sessionStore *store.SessionStore) *Service {
-	return &Service{userStore: userStore, sessionStore: sessionStore}
+func NewService(userStore *store.UserStore, sessionStore *store.SessionStore, resetTokenStore *store.PasswordResetTokenStore) *Service {
+	return &Service{userStore: userStore, sessionStore: sessionStore, resetTokenStore: resetTokenStore}
 }
 
 type SignUpRequest struct {
@@ -80,11 +90,14 @@ func (s *Service) SignUp(ctx context.Context, req SignUpRequest) (sessionKey str
 	return sessionKey, u, nil
 }
 
+// SignIn authenticates a user with email+password. Uses a dummy bcrypt comparison
+// when the user is not found to prevent timing-based user enumeration.
 func (s *Service) SignIn(ctx context.Context, req SignInRequest) (sessionKey string, user *model.User, err error) {
 	email := strings.TrimSpace(strings.ToLower(req.Email))
 	u, err := s.userStore.GetByEmail(ctx, email)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
+			_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(req.Password))
 			return "", nil, ErrInvalidCredentials
 		}
 		return "", nil, err
@@ -117,12 +130,10 @@ func (s *Service) UserFromSession(ctx context.Context, sessionKey string) (*mode
 	return s.userStore.GetByID(ctx, data.UserID)
 }
 
-// UpdateProfile updates the user's profile (first name, last name, display name, timezone). Email is not updatable.
 func (s *Service) UpdateProfile(ctx context.Context, u *model.User) error {
 	return s.userStore.Update(ctx, u)
 }
 
-// ChangePassword verifies current password and sets a new one. Returns ErrInvalidCredentials if current password is wrong or user not found.
 func (s *Service) ChangePassword(ctx context.Context, userID uuid.UUID, currentPassword, newPassword string) error {
 	u, err := s.userStore.GetByID(ctx, userID)
 	if err != nil {
@@ -145,6 +156,71 @@ func (s *Service) ChangePassword(ctx context.Context, userID uuid.UUID, currentP
 	return s.userStore.Update(ctx, u)
 }
 
+// EmailCheck determines whether an email is already registered.
+func (s *Service) EmailCheck(ctx context.Context, email string) (exists bool, err error) {
+	email = strings.TrimSpace(strings.ToLower(email))
+	u, err := s.userStore.GetByEmail(ctx, email)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return false, nil
+		}
+		return false, err
+	}
+	return u != nil, nil
+}
+
+// ForgotPassword generates a reset token for the given email.
+// Returns ("", nil) when the email does not exist (to prevent user enumeration).
+func (s *Service) ForgotPassword(ctx context.Context, email string) (token string, err error) {
+	if s.resetTokenStore == nil {
+		return "", errors.New("password reset not configured")
+	}
+	email = strings.TrimSpace(strings.ToLower(email))
+	u, err := s.userStore.GetByEmail(ctx, email)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return "", nil
+		}
+		return "", err
+	}
+	if u == nil || !u.IsActive {
+		return "", nil
+	}
+	tokenBytes := make([]byte, 32)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		return "", err
+	}
+	token = hex.EncodeToString(tokenBytes)
+	if err := s.resetTokenStore.Create(ctx, u.ID, token); err != nil {
+		return "", err
+	}
+	return token, nil
+}
+
+// ResetPassword validates the reset token and sets a new password.
+func (s *Service) ResetPassword(ctx context.Context, token, newPassword string) error {
+	if s.resetTokenStore == nil {
+		return ErrResetTokenInvalid
+	}
+	rt, err := s.resetTokenStore.GetValid(ctx, token)
+	if err != nil || rt == nil {
+		return ErrResetTokenInvalid
+	}
+	hash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcryptCost)
+	if err != nil {
+		return err
+	}
+	u, err := s.userStore.GetByID(ctx, rt.UserID)
+	if err != nil {
+		return ErrResetTokenInvalid
+	}
+	u.Password = string(hash)
+	if err := s.userStore.Update(ctx, u); err != nil {
+		return err
+	}
+	return s.resetTokenStore.MarkUsed(ctx, rt.ID)
+}
+
 func (s *Service) createSession(ctx context.Context, userID uuid.UUID) (string, error) {
 	key := make([]byte, 20)
 	if _, err := rand.Read(key); err != nil {

api/internal/handler/auth.go

@@ -1,15 +1,17 @@
-// Package handler implements HTTP handlers for the API.
 package handler
 
 import (
 	"errors"
+	"fmt"
+	"log/slog"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/Devlaner/devlane/api/internal/auth"
 	"github.com/Devlaner/devlane/api/internal/middleware"
 	"github.com/Devlaner/devlane/api/internal/model"
+	"github.com/Devlaner/devlane/api/internal/queue"
 	"github.com/Devlaner/devlane/api/internal/store"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -23,6 +25,9 @@ type AuthHandler struct {
 	Ws         *store.WorkspaceStore
 	NotifPrefs *store.UserNotificationPreferenceStore
 	ApiTokens  *store.ApiTokenStore
+	Queue      *queue.Publisher
+	AppBaseURL string
+	Log        *slog.Logger
 }
 
 type SignInRequest struct {
@@ -52,6 +57,13 @@ func authBool(v model.JSONMap, key string, defaultVal bool) bool {
 	return defaultVal
 }
 
+func (h *AuthHandler) log() *slog.Logger {
+	if h.Log != nil {
+		return h.Log
+	}
+	return slog.Default()
+}
+
 // SignIn authenticates with email/password and sets a session cookie.
 // POST /auth/sign-in/
 func (h *AuthHandler) SignIn(c *gin.Context) {
@@ -132,11 +144,7 @@ func (h *AuthHandler) SignUp(c *gin.Context) {
 	})
 	if err != nil {
 		if err == auth.ErrEmailTaken {
-			c.JSON(http.StatusConflict, gin.H{"error": "Email already registered"})
-			return
-		}
-		if err == auth.ErrUsernameTaken {
-			c.JSON(http.StatusConflict, gin.H{"error": "Username already taken"})
+			c.JSON(http.StatusConflict, gin.H{"error": "An account with this email already exists"})
 			return
 		}
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Sign up failed"})
@@ -146,8 +154,12 @@ func (h *AuthHandler) SignUp(c *gin.Context) {
 		now := time.Now()
 		inv.Accepted = true
 		inv.RespondedAt = &now
-		_ = h.Winv.Update(ctx, inv)
-		_ = h.Ws.AddMember(ctx, &model.WorkspaceMember{WorkspaceID: inv.WorkspaceID, MemberID: user.ID, Role: inv.Role})
+		if err := h.Winv.Update(ctx, inv); err != nil {
+			h.log().Error("failed to mark invite accepted", "error", err, "invite_id", inv.ID)
+		}
+		if err := h.Ws.AddMember(ctx, &model.WorkspaceMember{WorkspaceID: inv.WorkspaceID, MemberID: user.ID, Role: inv.Role}); err != nil {
+			h.log().Error("failed to add member after signup", "error", err, "user_id", user.ID)
+		}
 	}
 	setSessionCookie(c, sessionKey)
 	c.JSON(http.StatusCreated, userResponse(user))
@@ -177,12 +189,12 @@ func (h *AuthHandler) Me(c *gin.Context) {
 
 // UpdateMeRequest is the body for PATCH /api/users/me/
 type UpdateMeRequest struct {
-	FirstName    *string `json:"first_name"`
-	LastName     *string `json:"last_name"`
-	DisplayName  *string `json:"display_name"`
-	UserTimezone *string `json:"user_timezone"`
-	Avatar       *string `json:"avatar"`
-	CoverImage   *string `json:"cover_image"`
+	FirstName    *string `json:"first_name" binding:"omitempty,max=255"`
+	LastName     *string `json:"last_name" binding:"omitempty,max=255"`
+	DisplayName  *string `json:"display_name" binding:"omitempty,max=255"`
+	UserTimezone *string `json:"user_timezone" binding:"omitempty,max=100"`
+	Avatar       *string `json:"avatar" binding:"omitempty,max=2048"`
+	CoverImage   *string `json:"cover_image" binding:"omitempty,max=2048"`
 }
 
 // UpdateMe updates the authenticated user's profile (email is not updatable).
@@ -398,8 +410,8 @@ func (h *AuthHandler) ListTokens(c *gin.Context) {
 type CreateTokenRequest struct {
 	Label       string  `json:"label" binding:"required"`
 	Description string  `json:"description"`
-	ExpiresIn   *string `json:"expires_in"` // e.g. "7d", "30d", "90d", "365d", or empty for never
-	ExpiredAt   *string `json:"expired_at"` // ISO date for custom expiry
+	ExpiresIn   *string `json:"expires_in"`
+	ExpiredAt   *string `json:"expired_at"`
 }
 
 // CreateToken creates a new API token and returns it once (including secret).
@@ -495,6 +507,123 @@ func (h *AuthHandler) RevokeToken(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
 
+// InstanceAuthConfig returns public auth configuration (no auth required).
+// GET /auth/config/
+func (h *AuthHandler) InstanceAuthConfig(c *gin.Context) {
+	isPasswordEnabled := true
+	enableSignup := true
+	isSmtpConfigured := false
+	if h.Settings != nil {
+		ctx := c.Request.Context()
+		row, _ := h.Settings.Get(ctx, "auth")
+		if row != nil {
+			isPasswordEnabled = authBool(row.Value, "password", true)
+			enableSignup = authBool(row.Value, "allow_public_signup", true)
+		}
+		emailRow, _ := h.Settings.Get(ctx, "email")
+		if emailRow != nil && emailRow.Value != nil {
+			host, _ := emailRow.Value["host"].(string)
+			isSmtpConfigured = strings.TrimSpace(host) != ""
+		}
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"is_email_password_enabled": isPasswordEnabled,
+		"enable_signup":             enableSignup,
+		"is_smtp_configured":        isSmtpConfigured,
+	})
+}
+
+// EmailCheck checks whether an email is already registered.
+// POST /auth/email-check/
+func (h *AuthHandler) EmailCheck(c *gin.Context) {
+	var body struct {
+		Email string `json:"email" binding:"required,email"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
+		return
+	}
+	exists, err := h.Auth.EmailCheck(c.Request.Context(), body.Email)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Check failed"})
+		return
+	}
+	allowPublicSignup := true
+	if h.Settings != nil {
+		row, _ := h.Settings.Get(c.Request.Context(), "auth")
+		if row != nil {
+			allowPublicSignup = authBool(row.Value, "allow_public_signup", true)
+		}
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"existing":            exists,
+		"status":              "CREDENTIAL",
+		"allow_public_signup": allowPublicSignup,
+	})
+}
+
+// ForgotPassword initiates a password reset flow by sending an email.
+// POST /auth/forgot-password/
+func (h *AuthHandler) ForgotPassword(c *gin.Context) {
+	var body struct {
+		Email string `json:"email" binding:"required,email"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
+		return
+	}
+	ctx := c.Request.Context()
+	token, err := h.Auth.ForgotPassword(ctx, body.Email)
+	if err != nil {
+		h.log().Error("forgot password error", "error", err)
+	}
+	if token != "" && h.Queue != nil && h.AppBaseURL != "" {
+		resetLink := strings.TrimSuffix(h.AppBaseURL, "/") + "/reset-password?token=" + token
+		subject := "Reset your Devlane password"
+		bodyText := fmt.Sprintf(
+			"You requested a password reset.\n\nClick the link below to reset your password:\n%s\n\nThis link expires in 30 minutes. If you did not request a reset, ignore this email.\n",
+			resetLink,
+		)
+		_ = h.Queue.PublishSendEmail(ctx, queue.SendEmailPayload{
+			To:      body.Email,
+			Subject: subject,
+			Body:    bodyText,
+			Kind:    "forgot_password",
+			Extra:   map[string]string{"reset_link": resetLink},
+		})
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "If an account exists for that email, a reset link has been sent."})
+}
+
+// ResetPassword validates a reset token and sets a new password.
+// POST /auth/reset-password/
+func (h *AuthHandler) ResetPassword(c *gin.Context) {
+	var body struct {
+		Token       string `json:"token" binding:"required"`
+		NewPassword string `json:"new_password" binding:"required,min=8"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request", "detail": err.Error()})
+		return
+	}
+	if err := h.Auth.ResetPassword(c.Request.Context(), body.Token, body.NewPassword); err != nil {
+		if err == auth.ErrResetTokenInvalid {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid or expired reset token"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to reset password"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "Password has been reset successfully."})
+}
+
+func isSecureRequest(c *gin.Context) bool {
+	if c.Request.TLS != nil {
+		return true
+	}
+	return strings.EqualFold(c.GetHeader("X-Forwarded-Proto"), "https")
+}
+
 func setSessionCookie(c *gin.Context, sessionKey string) {
 	http.SetCookie(c.Writer, &http.Cookie{
 		Name:     middleware.SessionCookieName,
@@ -503,7 +632,7 @@ func setSessionCookie(c *gin.Context, sessionKey string) {
 		MaxAge:   14 * 24 * 3600,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
-		Secure:   false,
+		Secure:   isSecureRequest(c),
 	})
 }
 
@@ -515,6 +644,7 @@ func clearSessionCookie(c *gin.Context) {
 		MaxAge:   -1,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
+		Secure:   isSecureRequest(c),
 	})
 }