Add transactions to auth procedures and extract DB models

- Wrap multiple DB operations in transactions for atomicity: - login-if-completed: device upsert + session + login_request deletion - forgot-password: delete old tokens + insert new token - signup: session + email_verification creation - Extract reusable DB model operations to packages/db/src/models/: - sessions.ts: insertSession() - user-devices.ts: upsertUserDevice(), isDeviceTrusted() - Update session.ts to use new model functions from @reviq/db - Fix type narrowing in admin.test.ts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 15:52:05 +08:00
parent 5a2e0297e5
commit b085a315be
9 changed files with 241 additions and 124 deletions
--- a/apps/api-server/src/procedures/auth/forgot-password.ts
+++ b/apps/api-server/src/procedures/auth/forgot-password.ts
@@ -30,26 +30,29 @@ export const forgotPassword = os.auth.forgotPassword.handler(

    // If user exists, create password reset token and send email
    if (user) {
-      // Delete any existing password reset tokens for this user (security measure)
-      await context.db
-        .deleteFrom("password_resets")
-        .where("user_id", "=", user.id)
-        .execute();
-
      // Generate secure base58 token
      const token = generateSecureBase58Token();

      // Create password reset record with 1 hour expiry
      const expiresAt = generateExpiry(TOKEN_DURATIONS.PASSWORD_RESET);

-      await context.db
-        .insertInto("password_resets")
-        .values({
-          user_id: user.id,
-          token,
-          expires_at: expiresAt,
-        })
-        .execute();
+      // Delete old tokens and insert new one in transaction
+      await context.db.transaction().execute(async (trx) => {
+        // Delete any existing password reset tokens for this user (security measure)
+        await trx
+          .deleteFrom("password_resets")
+          .where("user_id", "=", user.id)
+          .execute();
+
+        await trx
+          .insertInto("password_resets")
+          .values({
+            user_id: user.id,
+            token,
+            expires_at: expiresAt,
+          })
+          .execute();
+      });

      // Send password reset email (stubbed)
      await sendPasswordResetEmail(user.email, token);