This document outlines how to migrate the existing Java identity service to TypeScript using Express and Prisma.
- Prisma: Database access to the `common_oltp` and `authorization` schemas
- Redis: Caching for tokens, OTPs, sessions
- Event Bus: For publishing events (user creation, email triggers)
- Auth0: User authentication and management
- Slack: System notifications
- jsonwebtoken: JWT token generation
- bcrypt: Password hashing

- Purpose: Search and list users
- Auth: Admin or `read` scope required
- Database: Read from `user` table
- Logic: Filter by handle/email/status, paginate results

- Purpose: Get single user with profile data
- Auth: Self access or Admin/`read` scope
- Database: Read `user`, `email`, `social_user_profile`, roles
- Logic: Combine user data with related profiles and permissions

- Purpose: Register new user account
- Auth: Public endpoint
- Database: Create `user`, `credential`, `email` records
- Logic:
  - Validate input (handle, email, password)
  - Check for duplicates
  - Hash password with bcrypt
  - Create user records
  - Generate activation OTP
  - Store OTP in Redis
  - Assign default role
  - Send activation email via Event Bus

- Purpose: Update user information
- Auth: Self or Admin/`update` scope
- Database: Update `user` and `credential` tables
- Logic:
  - Verify permissions
  - If changing password, verify current password
  - Hash new password if provided
  - Update user record
  - Publish update event

- Purpose: Authenticate user credentials
- Auth: Public (used by Auth0)
- Database: Read `user`, `credential`, `email`, roles
- Logic:
  - Find user by handle or email
  - Verify password with bcrypt
  - Check user status is active
  - Return user details and roles

- Request Reset - `GET /users/resetToken`
  - Generate reset token, store in Redis
  - Send reset email via Event Bus
- Complete Reset - `PUT /users/resetPassword`
  - Validate reset token from Redis
  - Hash new password and update
- Activate - `PUT /users/activate`
  - Validate OTP from Redis
  - Set user status to ACTIVE
  - Mark email as verified
  - Send welcome email
- Resend Activation - `POST /users/resendActivationEmail`
  - Decode JWT token
  - Generate new OTP
  - Send new activation email

- Auth: Admin/`update` scope
- Logic: Check uniqueness, update handle

- Auth: Admin/`update` scope
- Logic:
  - Validate new email
  - Create/update email record
  - Send verification OTP
  - Generate activation email

- Add - `POST /users/{id}/profiles`
- Delete - `DELETE /users/{id}/profiles/{provider}`
- Auth: Admin scope required

- Get - `GET /users/{id}/2fa`
- Update - `PATCH /users/{id}/2fa`
- Auth: Self or Admin access

- Send OTP - `POST /users/sendOtp`
  - Generate 6-digit code
  - Store in Redis with 5-minute expiry
  - Send via email
- Resend OTP - `POST /users/resendOtpEmail`
  - Validate resend token
  - Generate new OTP
- Check OTP - `POST /users/checkOtp`
  - Validate OTP from Redis
  - Complete login process

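The OTP flow above (generate a 6-digit code, store it in Redis with a 5-minute expiry, validate it on check), together with the "OTPs stored in Redis with expiration" requirement from the security considerations, as an added TypeScript example that is not code from the original document or the project. It assumes an in-memory store with TTL standing in for the Redis client (synchronous here so it runs offline), stores only a SHA-256 digest of the code, compares in constant time and consumes the code on first successful check.

```typescript
import { randomInt, createHash, timingSafeEqual } from "node:crypto";

// Key/value contract covering the Redis calls the OTP flow needs (SET with
// expiry, GET, DEL). Assumption: the real CacheService would be async; this
// in-memory version is synchronous so the example runs without Redis.
interface TtlStore {
  set(key: string, value: string, ttlSeconds: number): void;
  get(key: string): string | null;
  del(key: string): void;
}

export class MemoryStore implements TtlStore {
  private entries = new Map<string, { value: string; expiresAt: number }>();
  constructor(private now: () => number = Date.now) {} // injectable clock for testing expiry
  set(key: string, value: string, ttlSeconds: number): void {
    this.entries.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 });
  }
  get(key: string): string | null {
    const e = this.entries.get(key);
    if (e === undefined) return null;
    if (e.expiresAt <= this.now()) { this.entries.delete(key); return null; }
    return e.value;
  }
  del(key: string): void { this.entries.delete(key); }
}

const OTP_TTL_SECONDS = 300; // 5-minute expiry, as the spec requires
// Only a digest of the code is cached, so a dumped cache does not reveal live OTPs.
const digest = (code: string): string => createHash("sha256").update(code).digest("hex");

export class OtpService {
  constructor(private store: TtlStore) {}
  // Generate a 6-digit code (zero-padded, unbiased via crypto.randomInt) and cache
  // its digest. The code is returned only for the email path; it is never logged.
  sendOtp(userId: number): string {
    const code = String(randomInt(0, 1_000_000)).padStart(6, "0");
    this.store.set(`otp:${userId}`, digest(code), OTP_TTL_SECONDS);
    return code;
  }

  // Malformed, missing or expired -> false. Constant-time compare; consumed on success.
  checkOtp(userId: number, submitted: string): boolean {
    if (!/^\d{6}$/.test(submitted)) return false;
    const stored = this.store.get(`otp:${userId}`);
    if (stored === null) return false;
    const ok = timingSafeEqual(Buffer.from(stored, "hex"), Buffer.from(digest(submitted), "hex"));
    if (ok) this.store.del(`otp:${userId}`); // single use
    return ok;
  }
}
```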
- Handle - `GET /users/validateHandle`
- Email - `GET /users/validateEmail`
- Social Profile - `GET /users/validateSocial`

All return `{ valid: boolean, message?: string }`

- `UserController` - Handle HTTP requests, validate input, format responses
- `UserService` - Core user CRUD operations
- `AuthFlowService` - Login, password reset, activation flows
- `UserProfileService` - Social profiles, SSO logins
- `TwoFactorAuthService` - 2FA and OTP management
- `ValidationService` - Handle/email/social validation
- `NotificationService` - Event Bus publishing
- `RoleService` - Role management (may exist from other migrations)
- `CacheService` - Redis operations
- `Auth0Service` - Auth0 API wrapper

- All passwords hashed with bcrypt
- OTPs stored in Redis with expiration
- JWT tokens for temporary operations
- Scope-based authorization
- Use Prisma for all database operations
- Two schemas: `common_oltp` and `authorization`
- Maintain referential integrity
- Event Bus for async operations (emails, notifications)
- Redis for temporary data (OTPs, tokens, sessions)
- Auth0 for identity management
- Slack for system notifications
- Return appropriate HTTP status codes
- Don't leak user existence in validation responses
- Log security events appropriately
This structure provides a clean separation of concerns while maintaining all existing functionality.