Improvements to the authentication and registration system (#6)

* Refactor register_user procedure and update schema for username validation

* Change parameter types from VARCHAR to TEXT in authenticate_user and register_user functions

* Fix parameter order in register_user procedure for consistency

* Add is_user_available function to check user availability by username, email, or phone

* Update register_user procedure to use language_id directly and enhance schema constraints for user and language tables

* Refactor register_user procedure to remove exception handling and simplify user insertion logic; delete obsolete authentication test file.

* Enhance task configuration by adding Docker-related tasks for building, running, and managing Docker containers; improve formatting for better readability.

* Update password_hash constraint to enforce Argon2id hash format for improved security

* Refactor is_user_available function to is_email_available for clarity; update users table to enforce discriminator constraint and add pending_users table for email verification

* Reintroduce is_email_available function for email availability checks in users table

Author: Vianpyro

.vscode/tasks.json

@@ -18,7 +18,9 @@
             "label": "Flatten SQL Files",
             "type": "shell",
             "command": "./scripts/flatten-sql.sh",
-            "dependsOn": ["Start Database"],
+            "dependsOn": [
+                "Start Database"
+            ],
             "options": {
                 "cwd": "${workspaceFolder}"
             },
@@ -28,8 +30,13 @@
             "label": "Rebuild Database",
             "type": "shell",
             "command": "./scripts/rebuild-db.sh",
-            "args": ["${input:db_username}", "${input:db_name}"],
-            "dependsOn": ["Flatten SQL Files"],
+            "args": [
+                "${input:db_username}",
+                "${input:db_name}"
+            ],
+            "dependsOn": [
+                "Flatten SQL Files"
+            ],
             "options": {
                 "cwd": "${workspaceFolder}"
             },
@@ -81,7 +88,9 @@
             "label": "Run Unit Tests",
             "type": "shell",
             "command": "pg_prove -Q -d ${input:db_name} -U ${input:db_username} database/tests/*.test.sql",
-            "dependsOn": ["Full Database Rebuild"],
+            "dependsOn": [
+                "Full Database Rebuild"
+            ],
             "problemMatcher": [],
             "group": {
                 "kind": "test",
@@ -103,6 +112,55 @@
             "runOptions": {
                 "runOn": "default"
             }
+        },
+        {
+            "label": "Build Docker Image",
+            "type": "shell",
+            "command": "docker build -t ${input:docker_image_name} .",
+            "group": {
+                "kind": "build",
+                "isDefault": false
+            },
+            "presentation": {
+                "panel": "shared",
+                "close": true
+            },
+            "problemMatcher": [],
+        },
+        {
+            "label": "Run Docker Container",
+            "type": "shell",
+            "command": "docker run -d -p 5432:5432 --name ${input:docker_container_name} --env-file .env --security-opt no-new-privileges:true --cap-drop=ALL --cap-add=NET_BIND_SERVICE ${input:docker_image_name}",
+            "presentation": {
+                "panel": "shared",
+                "close": true
+            },
+            "problemMatcher": [],
+        },
+        {
+            "label": "Remove Docker Container",
+            "type": "shell",
+            "command": "docker stop ${input:docker_container_name} ; docker rm ${input:docker_container_name}",
+            "presentation": {
+                "panel": "shared",
+                "close": true
+            },
+            "problemMatcher": [],
+        },
+        {
+            "label": "Reset Docker Container",
+            "type": "shell",
+            "dependsOn": [
+                "Remove Docker Container",
+                "Build Docker Image",
+                "Run Docker Container"
+            ],
+            "presentation": {
+                "panel": "shared",
+                "close": true
+            },
+            "dependsOrder": "sequence",
+            "problemMatcher": []
         }
     ],
     "inputs": [
@@ -117,6 +175,18 @@
             "type": "promptString",
             "description": "Enter the database name",
             "default": "chocomax"
+        },
+        {
+            "id": "docker_image_name",
+            "type": "promptString",
+            "description": "Enter the Docker image name",
+            "default": "chocomax-database-image"
+        },
+        {
+            "id": "docker_container_name",
+            "type": "promptString",
+            "description": "Enter the Docker container name",
+            "default": "chocomax-database-container"
         }
     ],
     "options": {

database/functions/authenticate_user.sql

@@ -1,7 +1,7 @@
 -- Authenticate a user and log the result
 CREATE OR REPLACE FUNCTION authenticate_user(
-    p_username VARCHAR,
-    p_password_hash VARCHAR,
+    p_username TEXT,
+    p_password_hash TEXT,
     p_ip_address INET,
     p_user_agent TEXT
 ) RETURNS BOOLEAN AS $$

database/functions/is_email_available.sql

@@ -0,0 +1,8 @@
+CREATE OR REPLACE FUNCTION is_email_available(
+    p_email_hash TEXT
+)
+RETURNS BOOLEAN AS $$
+    SELECT NOT EXISTS (
+        SELECT 1 FROM users WHERE email_hash = p_email_hash
+    );
+$$ LANGUAGE sql;

database/procedures/register_user.sql

@@ -1,46 +1,32 @@
 -- Register a new user
 CREATE OR REPLACE PROCEDURE register_user(
+    p_username TEXT,
     p_email_encrypted TEXT,
     p_email_hash TEXT,
-    p_username VARCHAR,
-    p_password_hash VARCHAR,
+    p_password_hash TEXT,
     p_phone_encrypted TEXT,
     p_phone_hash TEXT,
-    p_preferred_language_iso_code CHAR(2)
+    p_language_id INTEGER
 )
 LANGUAGE plpgsql AS $$
 BEGIN
-    BEGIN
-        INSERT INTO users (
-            email_encrypted,
-            email_hash,
-            username,
-            password_hash,
-            phone_encrypted,
-            phone_hash,
-            language_id
-        )
-        VALUES (
-            p_email_encrypted,
-            p_email_hash,
-            p_username,
-            p_password_hash,
-            p_phone_encrypted,
-            p_phone_hash,
-            (SELECT language_id FROM languages WHERE iso_code = p_preferred_language_iso_code)
-        );
-    EXCEPTION
-        WHEN unique_violation THEN
-            -- Identify the constraint that caused the error
-            IF SQLERRM LIKE '%username%' THEN
-                RAISE EXCEPTION 'Username % already exists', p_username;
-            ELSIF SQLERRM LIKE '%email_hash%' THEN
-                RAISE EXCEPTION 'Email address already exists';
-            ELSIF SQLERRM LIKE '%phone_hash%' THEN
-                RAISE EXCEPTION 'Phone number already exists';
-            ELSE
-                RAISE;
-            END IF;
-    END;
+    INSERT INTO users (
+        username,
+        email_encrypted,
+        email_hash,
+        password_hash,
+        phone_encrypted,
+        phone_hash,
+        language_id
+    )
+    VALUES (
+        p_username,
+        p_email_encrypted,
+        p_email_hash,
+        p_password_hash,
+        p_phone_encrypted,
+        p_phone_hash,
+        p_language_id
+    );
 END;
 $$;

database/schema.sql

@@ -38,26 +38,37 @@ CREATE TYPE admin_action_target_type AS ENUM ('user', 'product', 'comment', 'ord
 CREATE TABLE languages (
     language_id INTEGER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
     iso_code CHAR(2) UNIQUE,
-    english_name VARCHAR(30) UNIQUE,
-    native_name VARCHAR(30) UNIQUE
+    english_name TEXT UNIQUE CHECK (english_name ~ '^[A-Za-z ]+$'),
+    native_name TEXT UNIQUE
 );
 
 -- User & Security Tables
 
 CREATE TABLE users (
     user_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-    username VARCHAR(50) UNIQUE NOT NULL,
-    email_encrypted TEXT NOT NULL,
-    email_hash TEXT UNIQUE NOT NULL,
+    username TEXT NOT NULL CHECK (username ~ '^[a-zA-Z0-9_]+$'), -- username must be alphanumeric and can include underscores
+    discriminator SMALLINT NOT NULL CHECK (discriminator >= 0 AND discriminator <= 9999), -- 4-digit tag
+    email_encrypted TEXT NOT NULL CHECK (email_encrypted <> ''), -- Encrypted email must not be empty
+    email_hash TEXT UNIQUE NOT NULL CHECK (email_hash ~ '^[a-f0-9]{64}$'), -- SHA-256 hash of email
     is_email_verified BOOLEAN DEFAULT FALSE,
-    password_hash TEXT NOT NULL,
-    phone_encrypted TEXT,
-    phone_hash TEXT UNIQUE,
+    password_hash TEXT NOT NULL CHECK (password_hash ~ '^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[a-zA-Z0-9+\/=]+\$[a-zA-Z0-9+\/=]+$'), -- Argon2id hash format
+    phone_encrypted TEXT CHECK (phone_encrypted IS NULL OR phone_encrypted <> ''), -- Encrypted phone can be NULL or cannot be empty
+    phone_hash TEXT UNIQUE CHECK (phone_hash ~ '^[a-f0-9]{64}$'), -- SHA-256 hash of phone
     language_id INTEGER REFERENCES languages (language_id) ON DELETE SET NULL,
+    display_role TEXT, -- For badges/icons like "owner", "verified seller", etc.
     created_at TIMESTAMPTZ DEFAULT current_timestamp,
     updated_at TIMESTAMPTZ DEFAULT current_timestamp,
-    last_login_at TIMESTAMPTZ,
-    deleted_at TIMESTAMPTZ
+    last_login_at TIMESTAMPTZ CHECK (last_login_at <= current_timestamp),
+    deleted_at TIMESTAMPTZ CHECK (deleted_at <= current_timestamp),
+    UNIQUE (username, discriminator)
+);
+
+CREATE TABLE pending_users (
+    pending_user_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    email_encrypted TEXT NOT NULL CHECK (email_encrypted <> ''), -- Encrypted email must not be empty
+    email_hash TEXT NOT NULL CHECK (email_hash ~ '^[a-f0-9]{64}$'), -- SHA-256 hash of email
+    verification_token TEXT NOT NULL UNIQUE CHECK (verification_token ~ '^[a-zA-Z0-9]{32}$'), -- 32-character alphanumeric token
+    created_at TIMESTAMPTZ DEFAULT current_timestamp
 );
 
 CREATE TABLE user_permissions (
@@ -310,7 +321,7 @@ CREATE TABLE user_loyalty_progress (
 
 CREATE TABLE translations (
     translation_id INTEGER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
-    translation_key VARCHAR(100) NOT NULL,
+    translation_key TEXT NOT NULL UNIQUE CHECK (translation_key ~ '^[a-z0-9_.]+$'), -- Key must be lowercase alphanumeric with underscores and dots
     language_id INTEGER NOT NULL REFERENCES languages (language_id) ON DELETE CASCADE,
     translation_value TEXT NOT NULL,
     created_at TIMESTAMPTZ DEFAULT current_timestamp,

database/tests/authentication.test.sql

@@ -8,6 +8,8 @@ SELECT is(
     (
         SELECT count(*)::INT FROM languages
         WHERE iso_code = 'fr'
+            AND english_name = 'French'
+            AND native_name = 'Français'
     ),
     1, 'Language with ISO code "fr" exists'
 );
@@ -16,6 +18,8 @@ SELECT is(
     (
         SELECT count(*)::INT FROM languages
         WHERE iso_code = 'en'
+            AND english_name = 'English'
+            AND native_name = 'English'
     ),
     1, 'Language with ISO code "en" exists'
 );
@@ -24,6 +28,8 @@ SELECT is(
     (
         SELECT count(*)::INT FROM languages
         WHERE iso_code = 'es'
+            AND english_name = 'Spanish'
+            AND native_name = 'Español'
     ),
     1, 'Language with ISO code "es" exists'
 );