package customerauth import ( "context" "encoding/json" "errors" "fmt" "os" "path/filepath" "strings" "sync" ) // ErrEmailExists is returned by Register when the (normalized) email is already // associated with a credential record. var ErrEmailExists = errors.New("customerauth: email already registered") // Credentials is the email→credential index the auth server depends on. It is // satisfied by the file-backed CredentialStore (single-instance / dev) and by // RedisCredentialStore (shared, horizontally scalable). All methods normalize // the email key internally. type Credentials interface { // Get returns the record for email and whether it exists. A backing-store // failure is reported as "not found" so callers fail closed. Get(ctx context.Context, email string) (Record, bool) // Register adds a new credential, returning ErrEmailExists if taken. Register(ctx context.Context, email string, profileID uint64, hash, createdAt string) error // MarkVerified records email verification. The bool reports whether the // email was known; an unknown email is not an error (avoids enumeration). MarkVerified(ctx context.Context, email, verifiedAt string) (bool, error) // UpdateHash replaces the password hash. The bool reports whether the email // was known; an unknown email is not an error. UpdateHash(ctx context.Context, email, hash string) (bool, error) // Delete removes a credential record by email. The bool reports whether the email // was known. Delete(ctx context.Context, email string) (bool, error) } // Record is a single stored credential: which profile an email belongs to and // its password hash. It deliberately does not embed any profile data — the // profile grain remains the source of truth for that. type Record struct { Email string `json:"email"` ProfileID uint64 `json:"profileId"` Hash string `json:"hash"` CreatedAt string `json:"createdAt,omitempty"` VerifiedAt string `json:"verifiedAt,omitempty"` } // CredentialStore is a small email→credential index persisted to a JSON file. // It is the email lookup that the event-sourced profile grains intentionally // lack. Concurrency-safe; writes are atomic (temp file + rename). type CredentialStore struct { mu sync.RWMutex path string byMail map[string]Record // key: normalized email } // LoadCredentialStore opens (or initializes) the store backed by path. A // missing file is treated as an empty store; the file is created on first write. func LoadCredentialStore(path string) (*CredentialStore, error) { s := &CredentialStore{path: path, byMail: make(map[string]Record)} data, err := os.ReadFile(path) if err != nil { if errors.Is(err, os.ErrNotExist) { return s, nil } return nil, fmt.Errorf("customerauth: read %s: %w", path, err) } var records []Record if len(data) > 0 { if err := json.Unmarshal(data, &records); err != nil { return nil, fmt.Errorf("customerauth: parse %s: %w", path, err) } } for _, r := range records { s.byMail[NormalizeEmail(r.Email)] = r } return s, nil } // NormalizeEmail lower-cases and trims an email for use as a lookup key. func NormalizeEmail(email string) string { return strings.ToLower(strings.TrimSpace(email)) } // Get returns the record for email and whether it exists. The ctx is accepted // for interface parity with the Redis store; the file store ignores it. func (s *CredentialStore) Get(_ context.Context, email string) (Record, bool) { s.mu.RLock() defer s.mu.RUnlock() r, ok := s.byMail[NormalizeEmail(email)] return r, ok } // Register adds a new credential record and persists the store. It returns // ErrEmailExists if the email is already taken. func (s *CredentialStore) Register(_ context.Context, email string, profileID uint64, hash, createdAt string) error { key := NormalizeEmail(email) s.mu.Lock() defer s.mu.Unlock() if _, exists := s.byMail[key]; exists { return ErrEmailExists } s.byMail[key] = Record{Email: key, ProfileID: profileID, Hash: hash, CreatedAt: createdAt} return s.persistLocked() } // MarkVerified records that email completed email verification and persists the // store. It is a no-op if already verified. The bool reports whether the email // was known; an unknown email is not an error (callers avoid leaking which // emails exist). func (s *CredentialStore) MarkVerified(_ context.Context, email, verifiedAt string) (bool, error) { key := NormalizeEmail(email) s.mu.Lock() defer s.mu.Unlock() rec, ok := s.byMail[key] if !ok { return false, nil } if rec.VerifiedAt != "" { return true, nil } rec.VerifiedAt = verifiedAt s.byMail[key] = rec return true, s.persistLocked() } // UpdateHash replaces the stored password hash for email and persists the store. // The bool reports whether the email was known; an unknown email is not an error. func (s *CredentialStore) UpdateHash(_ context.Context, email, hash string) (bool, error) { key := NormalizeEmail(email) s.mu.Lock() defer s.mu.Unlock() rec, ok := s.byMail[key] if !ok { return false, nil } rec.Hash = hash s.byMail[key] = rec return true, s.persistLocked() } // Delete removes the credential record for email and persists the store. // The bool reports whether the email was known. func (s *CredentialStore) Delete(_ context.Context, email string) (bool, error) { key := NormalizeEmail(email) s.mu.Lock() defer s.mu.Unlock() if _, ok := s.byMail[key]; !ok { return false, nil } delete(s.byMail, key) return true, s.persistLocked() } // persistLocked writes the whole store to disk atomically. Caller holds s.mu. func (s *CredentialStore) persistLocked() error { records := make([]Record, 0, len(s.byMail)) for _, r := range s.byMail { records = append(records, r) } data, err := json.MarshalIndent(records, "", " ") if err != nil { return fmt.Errorf("customerauth: marshal store: %w", err) } if dir := filepath.Dir(s.path); dir != "" { if err := os.MkdirAll(dir, 0o755); err != nil { return fmt.Errorf("customerauth: mkdir %s: %w", dir, err) } } tmp, err := os.CreateTemp(filepath.Dir(s.path), ".credentials-*.tmp") if err != nil { return fmt.Errorf("customerauth: temp file: %w", err) } tmpName := tmp.Name() if _, err := tmp.Write(data); err != nil { tmp.Close() os.Remove(tmpName) return fmt.Errorf("customerauth: write temp: %w", err) } if err := tmp.Close(); err != nil { os.Remove(tmpName) return fmt.Errorf("customerauth: close temp: %w", err) } if err := os.Rename(tmpName, s.path); err != nil { os.Remove(tmpName) return fmt.Errorf("customerauth: rename temp: %w", err) } return nil }