Add transactions to auth procedures and extract DB models

- Wrap multiple DB operations in transactions for atomicity: - login-if-completed: device upsert + session + login_request deletion - forgot-password: delete old tokens + insert new token - signup: session + email_verification creation - Extract reusable DB model operations to packages/db/src/models/: - sessions.ts: insertSession() - user-devices.ts: upsertUserDevice(), isDeviceTrusted() - Update session.ts to use new model functions from @reviq/db - Fix type narrowing in admin.test.ts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 15:52:05 +08:00
parent 5a2e0297e5
commit b085a315be
9 changed files with 241 additions and 124 deletions
--- a/apps/api-server/src/procedures/auth/signup.ts
+++ b/apps/api-server/src/procedures/auth/signup.ts
@@ -269,13 +269,34 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
    });
  }

-  // Create session (7 days, trusted mode false initially, no device)
-  const session = await createSession(context.db, {
-    userId,
-    deviceId: null,
-    trustedMode: false,
-    geo,
-    userAgent,
+  // Generate verification token
+  const verificationToken = generateSecureBase58Token();
+  const verificationExpiresAt = generateExpiry(
+    TOKEN_DURATIONS.EMAIL_VERIFICATION,
+  );
+
+  // Create session and email verification in transaction
+  const session = await context.db.transaction().execute(async (trx) => {
+    // Create session (7 days, trusted mode false initially, no device)
+    const newSession = await createSession(trx, {
+      userId,
+      deviceId: null,
+      trustedMode: false,
+      geo,
+      userAgent,
+    });
+
+    // Store verification token (store raw token, not hash - it's already high-entropy)
+    await trx
+      .insertInto("email_verifications")
+      .values({
+        user_id: userId,
+        token: verificationToken,
+        expires_at: verificationExpiresAt,
+      })
+      .execute();
+
+    return newSession;
  });

  // Set session cookie
@@ -286,20 +307,6 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
    COOKIE_OPTIONS.session,
  );

-  // Generate verification token
-  const verificationToken = generateSecureBase58Token();
-  const expiresAt = generateExpiry(TOKEN_DURATIONS.EMAIL_VERIFICATION);
-
-  // Store verification token (store raw token, not hash - it's already high-entropy)
-  await context.db
-    .insertInto("email_verifications")
-    .values({
-      user_id: userId,
-      token: verificationToken,
-      expires_at: expiresAt,
-    })
-    .execute();
-
  // Send verification email (stubbed)
  await sendVerificationEmail(email, verificationToken);