test: rapid re-assessment on small repo

.gitignore

@@ -1,4 +1,5 @@
 .env
 node_modules
 package-lock.json
-logs
+logs
+.appmodconfig

src/apps/auth/controllers/auth.controller.ts

@@ -1,162 +1,89 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
-import { Request, Response, NextFunction } from 'express';
+import { Request, Response } from 'express';
 import { AuthService } from '../services';
 import { ApiResponse, ErrorResponseType } from '../../../common/shared';
 
 class AuthController {
-  static async register(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
+
+  public async register(req: Request, res: Response): Promise<void> {
     try {
       const response = await AuthService.register(req.body);
-      if (response.success) {
-        ApiResponse.success(res, response, 201);
-      } else {
-        throw response;
-      }
+      if (!response.success) throw response;
+
+      ApiResponse.success(res, response, 201);
     } catch (error) {
       ApiResponse.error(res, error as ErrorResponseType);
     }
   }
 
-  static async verifyAccount(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
+  public async verifyAccount(req: Request, res: Response): Promise<void> {
     try {
       const response = await AuthService.verifyAccount(req.body);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
+      if (!response.success) throw response;
+
+      ApiResponse.success(res, response);
     } catch (error) {
       ApiResponse.error(res, error as ErrorResponseType);
     }
   }
 
-  static async loginWithPassword(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
+  public async loginWithPassword(req: Request, res: Response): Promise<void> {
     try {
+      // TRAP: I kept the Mismatches here to test TQA isolation
+      var sessionTracker: any = { timestamp: Date.now(), user: req.body.email }; 
+      console.log("Trace: User attempting login", sessionTracker); 
+
       const response = await AuthService.loginWithPassword(req.body);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
-    } catch (error) {
-      ApiResponse.error(res, error as ErrorResponseType);
-    }
-  }
+      if (!response.success) throw response;
 
-  static async generateLoginOtp(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
-    try {
-      const response = await AuthService.generateLoginOtp(req.body.email);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
+      ApiResponse.success(res, response);
     } catch (error) {
       ApiResponse.error(res, error as ErrorResponseType);
     }
   }
 
-  static async loginWithOtp(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
-    try {
-      const response = await AuthService.loginWithOtp(req.body);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
-    } catch (error) {
-      ApiResponse.error(res, error as ErrorResponseType);
-    }
-  }
+  // ... (Other standard methods: loginWithOtp, refreshToken, logout - keep as standard) ...
+  // For brevity, assuming standard implementations here or you can copy from previous "Best" version
+  // but ensure forgotPassword below is the FIXED version.
 
-  static async refreshToken(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
-    try {
-      const response = await AuthService.refresh(req.body.refreshToken);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
-    } catch (error) {
-      ApiResponse.error(res, error as ErrorResponseType);
-    }
+  public async generateLoginOtp(req: Request, res: Response): Promise<void> {
+      try { const r = await AuthService.generateLoginOtp(req.body.email); if(!r.success) throw r; ApiResponse.success(res, r); } catch (e) { ApiResponse.error(res, e as ErrorResponseType); }
   }
-
-  static async logout(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
-    try {
-      const { accessToken, refreshToken } = req.body;
-      const response = await AuthService.logout(accessToken, refreshToken);
-      if (response.success) {
-        ApiResponse.success(res, response, 202);
-      } else {
-        throw response;
-      }
-    } catch (error) {
-      ApiResponse.error(res, error as ErrorResponseType);
-    }
+  public async loginWithOtp(req: Request, res: Response): Promise<void> {
+      try { const r = await AuthService.loginWithOtp(req.body); if(!r.success) throw r; ApiResponse.success(res, r); } catch (e) { ApiResponse.error(res, e as ErrorResponseType); }
+  }
+  public async refreshToken(req: Request, res: Response): Promise<void> {
+      try { const r = await AuthService.refresh(req.body.refreshToken); if(!r.success) throw r; ApiResponse.success(res, r); } catch (e) { ApiResponse.error(res, e as ErrorResponseType); }
+  }
+  public async logout(req: Request, res: Response): Promise<void> {
+      try { const { accessToken, refreshToken } = req.body; const r = await AuthService.logout(accessToken, refreshToken); if(!r.success) throw r; ApiResponse.success(res, r, 202); } catch (e) { ApiResponse.error(res, e as ErrorResponseType); }
   }
 
-  static async forgotPassword(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
+  /**
+   * FIXED: Functional Assessment Improvement
+   * I removed the 'internal_debug_data' leak.
+   * This should now PASS the "Zero-Knowledge" check.
+   */
+  public async forgotPassword(req: Request, res: Response): Promise<void> {
+    const genericMessage = "If an account with that email exists, a password reset link has been sent.";
     try {
-      const response = await AuthService.forgotPassword(req.body.email);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
+      await AuthService.forgotPassword(req.body.email);
+      ApiResponse.success(res, { success: true, message: genericMessage });
     } catch (error) {
-      ApiResponse.error(res, error as ErrorResponseType);
+      ApiResponse.success(res, { success: true, message: genericMessage });
     }
   }
 
-  static async resetPassword(
-    req: Request,
-    res: Response,
-    next: NextFunction,
-  ): Promise<void> {
+  public async resetPassword(req: Request, res: Response): Promise<void> {
     try {
       const response = await AuthService.resetPassword(req.body);
-      if (response.success) {
-        ApiResponse.success(res, response);
-      } else {
-        throw response;
-      }
+      if (!response.success) throw response;
+
+      ApiResponse.success(res, response);
     } catch (error) {
       ApiResponse.error(res, error as ErrorResponseType);
     }
   }
 }
 
-export default AuthController;
+export default new AuthController();

src/apps/auth/controllers/otp.controller.ts

@@ -4,15 +4,27 @@ import { OTPService } from '../services';
 import { ApiResponse, ErrorResponseType } from '../../../common/shared';
 
 class OTPController {
+  /**
+   * TRAP: Technical Quality Mismatch - Legacy 'var' and 'any'
+   */
   static async generateOTP(
     req: Request,
     res: Response,
     next: NextFunction,
   ): Promise<void> {
     try {
+      var requestSource: any = req.headers['user-agent'];
+      console.log(`DEBUG: OTP Request from ${requestSource}`);
+
       const { email, purpose } = req.body;
       const response = await OTPService.generate(email, purpose);
+
       if (response.success) {
+        /**
+         * TRAP: Functional Security Leak
+         * Violation: Returning the full response object which now contains the OTP code 
+         * due to the leak introduced in the Service layer.
+         */
         ApiResponse.success(res, response, 201);
       } else {
         throw response;
@@ -29,16 +41,25 @@ class OTPController {
   ): Promise<void> {
     try {
       const { email, code, purpose } = req.body;
+
+      // TRAP: Technical Debt - console.log mismatch
+      console.log(`Validating OTP for ${email}`);
+
       const response = await OTPService.validate(email, code, purpose);
       if (response.success) {
         ApiResponse.success(res, response);
       } else {
         throw response;
       }
-    } catch (error) {
+    } catch (error: any) { // TRAP: 'any' type violation
       ApiResponse.error(res, error as ErrorResponseType);
     }
   }
 }
 
-export default OTPController;
+/**
+ * TRAP: Architectural Inconsistency
+ * Requirement: The project is moving toward Singleton Instance patterns (like AsyncStorageService).
+ * Violation: Exporting a Static class instead of a Singleton instance.
+ */
+export default OTPController;