fix(auth): remove brevo and add resend mail service

Author: rohitbytecode

package-lock.json

@@ -32,7 +32,7 @@
     "mongoose": "^9.0.0",
     "morgan": "^1.10.1",
     "razorpay": "^2.9.6",
-    "sib-api-v3-sdk": "^8.5.0"
+    "resend": "^6.9.2"
   },
   "devDependencies": {
     "@typescript-eslint/eslint-plugin": "^8.49.0",

package.json

@@ -1,7 +1,8 @@
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
 import User from '../models/User.js';
-import { createAndSendOTP, verifyOTP } from '../services/otp.service.js';
+import { sendOtpEmail } from "../services/email.service.js";
+import { createAndStoreOtp, verifyStoredOtp } from "../services/otp.service.js";
 
 export const login = async (req, res) => {
   try {
@@ -58,33 +59,41 @@ export const login = async (req, res) => {
   }
 };
 
-export const sendOTP = async (req, res, next) => {
+export const sendOTP = async (req, res) => {
   try {
     const { email } = req.body;
 
-    await createAndSendOTP(email);
+    const otp = await createAndStoreOtp(email);
+    await sendOtpEmail(email, otp);
 
     res.status(200).json({
       success: true,
-      message: 'OTP sent successfully'
+      message: "OTP sent successfully"
     });
+
   } catch (error) {
-    next(error);
+    res.status(500).json({
+      success: false,
+      message: error.message
+    });
   }
 };
 
-
-export const validateOTP = async (req, res, next) => {
+export const verifyOTP = async (req, res) => {
   try {
     const { email, otp } = req.body;
 
-    await verifyOTP(email, otp);
+    await verifyStoredOtp(email, otp);
 
     res.status(200).json({
       success: true,
-      message: 'OTP verified successfully'
+      message: "OTP verified successfully"
     });
+
   } catch (error) {
-    next(error);
+    res.status(400).json({
+      success: false,
+      message: error.message
+    });
   }
 };

src/controllers/authcontroller.js

@@ -0,0 +1,28 @@
+import mongoose from "mongoose";
+
+const otpSchema = new mongoose.Schema(
+  {
+    email: {
+      type: String,
+      required: true,
+      index: true
+    },
+    otpHash: {
+      type: String,
+      required: true
+    },
+    expiresAt: {
+      type: Date,
+      required: true
+    },
+    attempts: {
+      type: Number,
+      default: 0
+    }
+  },
+  { timestamps: true }
+);
+
+otpSchema.index({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+
+export default mongoose.model("Otp", otpSchema);

src/models/otp.js

@@ -1,34 +1,33 @@
-  import express from 'express';
-  import * as authController from '../controllers/authcontroller.js';
-  import User from '../models/User.js';
-  import bcrypt from 'bcrypt';
-  import { sendOTP, validateOTP } from '../controllers/authcontroller.js';
-  
-  const router = express.Router();
+import express from 'express';
+import * as authController from '../controllers/authcontroller.js';
+import User from '../models/User.js';
+import bcrypt from 'bcrypt';
 
-  router.post('/login', authController.login);
-  router.get('/health', (req, res) => {
+const router = express.Router();
+
+router.post('/login', authController.login);
+router.post('/send-otp', authController.sendOTP);
+router.post('/verify-otp', authController.verifyOTP);
+
+router.get('/health', (req, res) => {
   res.json({
     status: 'OK',
     service: 'hms-backend-node',
     time: new Date().toISOString()
   });
 });
 
-  router.post('/signup', async (req, res) => {
-    try {
-      const { email, password, role } = req.body;
-      const hashedPassword = await bcrypt.hash(password, 10);
-      const user = new User({ email, password: hashedPassword, role });
-      await user.save();
-      res.status(201).json({ message: 'User created' });
-    } catch (error) {
-      console.error('Signup error:', error);
-      res.status(500).json({ message: 'Error creating user', error: error.message });
-    }
-  });
-
-  router.post('/send-otp', sendOTP);
-  router.post('/verify-otp', validateOTP);
+router.post('/signup', async (req, res) => {
+  try {
+    const { email, password, role } = req.body;
+    const hashedPassword = await bcrypt.hash(password, 10);
+    const user = new User({ email, password: hashedPassword, role });
+    await user.save();
+    res.status(201).json({ message: 'User created' });
+  } catch (error) {
+    console.error('Signup error:', error);
+    res.status(500).json({ message: 'Error creating user', error: error.message });
+  }
+});
 
 export default router;

src/models/otp.model.js

@@ -0,0 +1,19 @@
+import { Resend } from "resend";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export const sendOtpEmail = async (to, otp) => {
+  return await resend.emails.send({
+    from: "HMS <onboarding@resend.dev>",
+    to,
+    subject: "Your OTP Code",
+    html: `
+      <div style="font-family: Arial;">
+        <h2>OTP Verification</h2>
+        <p>Your OTP is:</p>
+        <h1>${otp}</h1>
+        <p>This OTP expires in 5 minutes.</p>
+      </div>
+    `
+  });
+};

src/routes/auth.routes.js

@@ -1,94 +1,51 @@
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import OTP from '../models/otp.js';
-import { brevoEmailClient } from '../config/brevo.js';
+import crypto from "crypto";
+import Otp from "../models/otp.model.js";
 
-export const generateOTP = () => {
-  return crypto.randomInt(100000, 999999).toString();
-};
+const OTP_EXPIRY_MINUTES = 5;
+const MAX_ATTEMPTS = 5;
 
-export const sendOTPEmail = async (email, otp) => {
-  await brevoEmailClient.sendTransacEmail({
-    sender: { email: process.env.BREVO_SENDER_EMAIL },
-    to: [{ email }],
-    subject: 'Your One-Time Password (OTP) – Secure Verification',
-    htmlContent: `
-      <div style="font-family: Arial, sans-serif; background-color: #f4f6f8; padding: 20px;">
-        <div style="max-width: 600px; margin: 0 auto; background-color: #ffffff; padding: 30px; border-radius: 8px; box-shadow: 0 2px 8px rgba(0,0,0,0.05);">
-          
-          <h2 style="color: #333333; margin-bottom: 10px;">Verification Required</h2>
-          
-          <p style="color: #555555; font-size: 14px; line-height: 1.6;">
-            Dear User,
-          </p>
-          
-          <p style="color: #555555; font-size: 14px; line-height: 1.6;">
-            We received a request to verify your identity. Please use the One-Time Password (OTP) below to proceed:
-          </p>
-          
-          <div style="text-align: center; margin: 25px 0;">
-            <span style="display: inline-block; font-size: 28px; font-weight: bold; letter-spacing: 4px; color: #1a73e8; background-color: #f1f3f4; padding: 12px 24px; border-radius: 6px;">
-              ${otp}
-            </span>
-          </div>
-          
-          <p style="color: #555555; font-size: 14px; line-height: 1.6;">
-            This OTP is valid for <strong>${process.env.OTP_EXPIRE_MINUTES} minutes</strong>. 
-            For security reasons, please do not share this code with anyone.
-          </p>
-          
-          <p style="color: #555555; font-size: 14px; line-height: 1.6;">
-            If you did not request this verification, you may safely ignore this email.
-          </p>
-          
-          <hr style="border: none; border-top: 1px solid #eeeeee; margin: 30px 0;" />
-          
-          <p style="color: #888888; font-size: 12px; line-height: 1.5;">
-            This is an automated message. Please do not reply to this email.
-          </p>
-          
-          <p style="color: #888888; font-size: 12px;">
-            © ${new Date().getFullYear()} HMS Team. All rights reserved.
-          </p>
-          
-        </div>
-      </div>
-    `
-  });
+const generateOtp = () => {
+  return Math.floor(100000 + Math.random() * 900000).toString();
 };
 
+const hashOtp = (otp) => {
+  return crypto.createHash("sha256").update(otp).digest("hex");
+};
 
-export const createAndSendOTP = async (email) => {
-  const otp = generateOTP();
-  const hashedOTP = await bcrypt.hash(otp, 10);
-
-  const expireTime = new Date(Date.now() + process.env.OTP_EXPIRE_MINUTES * 60000);
+export const createAndStoreOtp = async (email) => {
+  const otp = generateOtp();
+  const otpHash = hashOtp(otp);
 
-  await OTP.findOneAndDelete({ email });
+  const expiresAt = new Date(Date.now() + OTP_EXPIRY_MINUTES * 60 * 1000);
 
-  await OTP.create({
-    email,
-    otp: hashedOTP,
-    expiresAt: expireTime
-  });
+  await Otp.findOneAndUpdate(
+    { email },
+    { otpHash, expiresAt, attempts: 0 },
+    { upsert: true, new: true }
+  );
 
-  await sendOTPEmail(email, otp);
+  return otp;
 };
 
-export const verifyOTP = async (email, enteredOTP) => {
-  const record = await OTP.findOne({ email });
+export const verifyStoredOtp = async (email, otp) => {
+  const record = await Otp.findOne({ email });
 
   if (!record) {
-    throw new Error('OTP expired or not found');
+    throw new Error("OTP not found");
   }
 
-  const isValid = await bcrypt.compare(enteredOTP, record.otp);
-
-  if (!isValid) {
-    throw new Error('Invalid OTP');
+  if (record.attempts >= MAX_ATTEMPTS) {
+    throw new Error("Too many attempts");
   }
 
-  await OTP.deleteOne({ email });
+  const hashedInput = hashOtp(otp);
+
+  if (hashedInput !== record.otpHash) {
+    record.attempts += 1;
+    await record.save();
+    throw new Error("Invalid OTP");
+  }
 
+  await Otp.deleteOne({ email });
   return true;
 };