@assistkick/create 1.0.0

package/templates/product-system/packages/backend/src/routes/auth.ts

@@ -0,0 +1,463 @@
+/**
+ * Auth routes — registration, login, and user info.
+ * POST /api/auth/register — only available when no users exist.
+ * POST /api/auth/login — email/password login, returns JWT cookies.
+ * GET /api/auth/me — returns current user info from JWT cookie.
+ */
+
+import { Router } from 'express';
+import { eq, count } from 'drizzle-orm';
+import { randomUUID } from 'node:crypto';
+import { users, refreshTokens } from '@interview-system/shared/db/schema.js';
+import type { AuthService } from '../services/auth_service.js';
+import type { PasswordResetService } from '../services/password_reset_service.js';
+import type { InvitationService } from '../services/invitation_service.js';
+
+interface AuthRoutesDeps {
+  getDb: () => any;
+  authService: AuthService;
+  passwordResetService: PasswordResetService;
+  invitationService: InvitationService;
+  log: (tag: string, ...args: any[]) => void;
+}
+
+export const createAuthRoutes = ({ getDb, authService, passwordResetService, invitationService, log }: AuthRoutesDeps): Router => {
+  const router: Router = Router();
+
+  // POST /api/auth/register
+  router.post('/register', async (req, res) => {
+    const { email, password } = req.body;
+    log('AUTH', 'POST /api/auth/register');
+
+    if (!email || !password) {
+      return res.status(400).json({ error: 'Email and password are required' });
+    }
+
+    if (typeof email !== 'string' || typeof password !== 'string') {
+      return res.status(400).json({ error: 'Email and password must be strings' });
+    }
+
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+
+    try {
+      const db = getDb();
+
+      // Check if any users exist — registration is only open for the first user
+      const [{ userCount }] = await db.select({ userCount: count() }).from(users);
+      if (userCount > 0) {
+        log('AUTH', 'Registration rejected — users already exist');
+        return res.status(403).json({ error: 'Registration is closed. Contact an admin for an invitation.' });
+      }
+
+      // Check for duplicate email (defensive — shouldn't happen if count is 0)
+      const existing = await db.select({ id: users.id }).from(users).where(eq(users.email, email.toLowerCase()));
+      if (existing.length > 0) {
+        return res.status(409).json({ error: 'Email already registered' });
+      }
+
+      const now = new Date().toISOString();
+      const userId = randomUUID();
+      const passwordHash = await authService.hashPassword(password);
+
+      // First user gets admin role
+      await db.insert(users).values({
+        id: userId,
+        email: email.toLowerCase(),
+        passwordHash,
+        role: 'admin',
+        createdAt: now,
+        updatedAt: now,
+      });
+
+      log('AUTH', `User registered: ${email} (admin, first user)`);
+
+      // Generate tokens
+      const accessToken = await authService.generateAccessToken(userId, email.toLowerCase(), 'admin');
+      const refreshToken = await authService.generateRefreshToken(userId);
+
+      // Store refresh token hash in DB for revocation support
+      const refreshTokenHash = await authService.hashPassword(refreshToken);
+      const refreshExpiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+      await db.insert(refreshTokens).values({
+        id: randomUUID(),
+        userId,
+        tokenHash: refreshTokenHash,
+        expiresAt: refreshExpiresAt,
+        createdAt: now,
+      });
+
+      // Set HTTP-only cookies
+      authService.setAuthCookies(res, accessToken, refreshToken);
+
+      res.status(201).json({
+        user: { id: userId, email: email.toLowerCase(), role: 'admin' },
+      });
+    } catch (err: any) {
+      log('AUTH', `Registration failed: ${err.message}`);
+      res.status(500).json({ error: 'Registration failed' });
+    }
+  });
+
+  // POST /api/auth/login
+  router.post('/login', async (req, res) => {
+    const { email, password } = req.body;
+    log('AUTH', 'POST /api/auth/login');
+
+    if (!email || !password) {
+      return res.status(400).json({ error: 'Email and password are required' });
+    }
+
+    if (typeof email !== 'string' || typeof password !== 'string') {
+      return res.status(400).json({ error: 'Email and password must be strings' });
+    }
+
+    try {
+      const db = getDb();
+
+      const [user] = await db
+        .select({
+          id: users.id,
+          email: users.email,
+          passwordHash: users.passwordHash,
+          role: users.role,
+        })
+        .from(users)
+        .where(eq(users.email, email.toLowerCase()));
+
+      if (!user) {
+        return res.status(401).json({ error: 'Invalid email or password' });
+      }
+
+      const passwordValid = await authService.verifyPassword(password, user.passwordHash);
+      if (!passwordValid) {
+        return res.status(401).json({ error: 'Invalid email or password' });
+      }
+
+      // Generate tokens
+      const accessToken = await authService.generateAccessToken(user.id, user.email, user.role);
+      const refreshToken = await authService.generateRefreshToken(user.id);
+
+      // Store refresh token hash in DB for revocation support
+      const refreshTokenHash = await authService.hashPassword(refreshToken);
+      const now = new Date().toISOString();
+      const refreshExpiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+      await db.insert(refreshTokens).values({
+        id: randomUUID(),
+        userId: user.id,
+        tokenHash: refreshTokenHash,
+        expiresAt: refreshExpiresAt,
+        createdAt: now,
+      });
+
+      // Set HTTP-only cookies
+      authService.setAuthCookies(res, accessToken, refreshToken);
+
+      log('AUTH', `User logged in: ${user.email}`);
+
+      res.json({
+        user: { id: user.id, email: user.email, role: user.role },
+      });
+    } catch (err: any) {
+      log('AUTH', `Login failed: ${err.message}`);
+      res.status(500).json({ error: 'Login failed' });
+    }
+  });
+
+  // GET /api/auth/me — returns current user info from JWT cookie
+  router.get('/me', async (req, res) => {
+    const token = (req as any).cookies?.['access_token'];
+    if (!token) {
+      return res.status(401).json({ error: 'Not authenticated' });
+    }
+
+    try {
+      const payload = await authService.verifyToken(token);
+      return res.json({ user: { id: payload.sub, email: payload.email, role: payload.role } });
+    } catch {
+      return res.status(401).json({ error: 'Invalid or expired token' });
+    }
+  });
+
+  // POST /api/auth/refresh — exchange refresh token for new access token
+  router.post('/refresh', async (req, res) => {
+    const refreshTokenCookie = (req as any).cookies?.['refresh_token'];
+    if (!refreshTokenCookie) {
+      return res.status(401).json({ error: 'No refresh token' });
+    }
+
+    try {
+      const payload = await authService.verifyToken(refreshTokenCookie);
+      if (payload.type !== 'refresh') {
+        return res.status(401).json({ error: 'Invalid token type' });
+      }
+
+      const db = getDb();
+
+      // Find matching refresh token in DB (verify it hasn't been revoked)
+      const storedTokens = await db
+        .select()
+        .from(refreshTokens)
+        .where(eq(refreshTokens.userId, payload.sub));
+
+      let matchedToken: typeof storedTokens[0] | null = null;
+      for (const stored of storedTokens) {
+        const isMatch = await authService.verifyPassword(refreshTokenCookie, stored.tokenHash);
+        if (isMatch) {
+          matchedToken = stored;
+          break;
+        }
+      }
+
+      if (!matchedToken) {
+        return res.status(401).json({ error: 'Refresh token revoked' });
+      }
+
+      // Check if refresh token has expired in DB
+      if (new Date(matchedToken.expiresAt) < new Date()) {
+        await db.delete(refreshTokens).where(eq(refreshTokens.id, matchedToken.id));
+        return res.status(401).json({ error: 'Refresh token expired' });
+      }
+
+      // Look up user to get current email and role
+      const [user] = await db
+        .select({ id: users.id, email: users.email, role: users.role })
+        .from(users)
+        .where(eq(users.id, payload.sub));
+
+      if (!user) {
+        return res.status(401).json({ error: 'User not found' });
+      }
+
+      // Generate new access token
+      const accessToken = await authService.generateAccessToken(user.id, user.email, user.role);
+
+      // Set the new access token cookie
+      const cookieOptions = {
+        httpOnly: true,
+        secure: authService.isProductionMode,
+        sameSite: 'strict' as const,
+        maxAge: 30 * 60 * 1000, // 30 minutes
+      };
+      res.cookie('access_token', accessToken, cookieOptions);
+
+      log('AUTH', `Token refreshed for user: ${user.email}`);
+      res.json({ message: 'Token refreshed' });
+    } catch {
+      return res.status(401).json({ error: 'Invalid refresh token' });
+    }
+  });
+
+  // POST /api/auth/logout — clear auth cookies and delete refresh token from DB
+  router.post('/logout', async (req, res) => {
+    log('AUTH', 'POST /api/auth/logout');
+
+    // Try to delete refresh token from DB if we can identify the user
+    const refreshTokenCookie = (req as any).cookies?.['refresh_token'];
+    if (refreshTokenCookie) {
+      try {
+        const payload = await authService.verifyToken(refreshTokenCookie);
+        const db = getDb();
+
+        // Find and delete the matching refresh token
+        const storedTokens = await db
+          .select()
+          .from(refreshTokens)
+          .where(eq(refreshTokens.userId, payload.sub));
+
+        for (const stored of storedTokens) {
+          const isMatch = await authService.verifyPassword(refreshTokenCookie, stored.tokenHash);
+          if (isMatch) {
+            await db.delete(refreshTokens).where(eq(refreshTokens.id, stored.id));
+            break;
+          }
+        }
+      } catch {
+        // Token may be expired/invalid — still proceed with clearing cookies
+      }
+    }
+
+    authService.clearAuthCookies(res);
+    res.json({ message: 'Logged out' });
+  });
+
+  // POST /api/auth/forgot-password — request a password reset email
+  router.post('/forgot-password', async (req, res) => {
+    const { email } = req.body;
+    log('AUTH', 'POST /api/auth/forgot-password');
+
+    if (!email || typeof email !== 'string') {
+      return res.status(400).json({ error: 'Email is required' });
+    }
+
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+
+    try {
+      await passwordResetService.requestReset(email);
+      // Always return success to prevent user enumeration
+      res.json({ message: 'If an account with that email exists, a reset link has been sent.' });
+    } catch (err: any) {
+      log('AUTH', `Forgot password failed: ${err.message}`);
+      res.status(500).json({ error: 'Failed to process reset request' });
+    }
+  });
+
+  // POST /api/auth/reset-password — confirm password reset with token
+  router.post('/reset-password', async (req, res) => {
+    const { token, password } = req.body;
+    log('AUTH', 'POST /api/auth/reset-password');
+
+    if (!token || typeof token !== 'string') {
+      return res.status(400).json({ error: 'Reset token is required' });
+    }
+
+    if (!password || typeof password !== 'string') {
+      return res.status(400).json({ error: 'New password is required' });
+    }
+
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+
+    try {
+      await passwordResetService.confirmReset(token, password);
+      res.json({ message: 'Password has been reset successfully.' });
+    } catch (err: any) {
+      log('AUTH', `Reset password failed: ${err.message}`);
+      if (err.message === 'Invalid or expired reset token') {
+        return res.status(400).json({ error: err.message });
+      }
+      res.status(500).json({ error: 'Failed to reset password' });
+    }
+  });
+
+  // POST /api/auth/invite — admin sends invitation email (requires auth + admin role)
+  router.post('/invite', async (req, res) => {
+    const { email } = req.body;
+    log('AUTH', 'POST /api/auth/invite');
+
+    // Verify JWT from cookie
+    const token = (req as any).cookies?.['access_token'];
+    if (!token) {
+      return res.status(401).json({ error: 'Not authenticated' });
+    }
+
+    let payload: { sub: string; email?: string; role?: string };
+    try {
+      payload = await authService.verifyToken(token);
+    } catch {
+      return res.status(401).json({ error: 'Invalid or expired token' });
+    }
+
+    // Check admin role
+    if (payload.role !== 'admin') {
+      return res.status(403).json({ error: 'Only admins can send invitations' });
+    }
+
+    if (!email || typeof email !== 'string') {
+      return res.status(400).json({ error: 'Email is required' });
+    }
+
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+
+    try {
+      await invitationService.sendInvitation(email, payload.sub);
+      res.json({ message: `Invitation sent to ${email.toLowerCase()}` });
+    } catch (err: any) {
+      log('AUTH', `Invite failed: ${err.message}`);
+      if (err.message.includes('already exists') || err.message.includes('active invitation')) {
+        return res.status(409).json({ error: err.message });
+      }
+      res.status(500).json({ error: 'Failed to send invitation' });
+    }
+  });
+
+  // GET /api/auth/invitation — validate an invitation token (public)
+  router.get('/invitation', async (req, res) => {
+    const { token, email } = req.query;
+    log('AUTH', 'GET /api/auth/invitation');
+
+    if (!token || typeof token !== 'string' || !email || typeof email !== 'string') {
+      return res.status(400).json({ error: 'Token and email are required' });
+    }
+
+    try {
+      const result = await invitationService.validateToken(token, email);
+      res.json(result);
+    } catch (err: any) {
+      log('AUTH', `Invitation validation failed: ${err.message}`);
+      res.status(500).json({ error: 'Failed to validate invitation' });
+    }
+  });
+
+  // POST /api/auth/accept-invitation — accept invitation and create account (public)
+  router.post('/accept-invitation', async (req, res) => {
+    const { token, email, password } = req.body;
+    log('AUTH', 'POST /api/auth/accept-invitation');
+
+    if (!token || typeof token !== 'string') {
+      return res.status(400).json({ error: 'Invitation token is required' });
+    }
+
+    if (!email || typeof email !== 'string') {
+      return res.status(400).json({ error: 'Email is required' });
+    }
+
+    if (!password || typeof password !== 'string') {
+      return res.status(400).json({ error: 'Password is required' });
+    }
+
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+
+    try {
+      const { userId, email: userEmail } = await invitationService.acceptInvitation(token, email, password);
+
+      // Generate tokens and log the user in
+      const accessToken = await authService.generateAccessToken(userId, userEmail, 'user');
+      const refreshToken = await authService.generateRefreshToken(userId);
+
+      const refreshTokenHash = await authService.hashPassword(refreshToken);
+      const now = new Date().toISOString();
+      const refreshExpiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+      const db = getDb();
+      await db.insert(refreshTokens).values({
+        id: randomUUID(),
+        userId,
+        tokenHash: refreshTokenHash,
+        expiresAt: refreshExpiresAt,
+        createdAt: now,
+      });
+
+      authService.setAuthCookies(res, accessToken, refreshToken);
+
+      res.status(201).json({
+        user: { id: userId, email: userEmail, role: 'user' },
+      });
+    } catch (err: any) {
+      log('AUTH', `Accept invitation failed: ${err.message}`);
+      if (err.message === 'Invalid or expired invitation token' || err.message.includes('already exists')) {
+        return res.status(400).json({ error: err.message });
+      }
+      res.status(500).json({ error: 'Failed to accept invitation' });
+    }
+  });
+
+  return router;
+};

package/templates/product-system/packages/backend/src/routes/coherence.ts

@@ -0,0 +1,187 @@
+/**
+ * Coherence review API routes — get/run/approve/dismiss proposals.
+ */
+
+import { Router } from 'express';
+import { detectConflicts } from '@interview-system/shared/lib/coherence.js';
+import { log } from '../services/init.js';
+import {
+  coherenceRunning,
+  coherenceProgress,
+  readCoherenceData,
+  writeCoherenceData,
+  runCoherenceReview,
+  executeProposalAction,
+  setCoherenceRunning,
+  setCoherenceProgress,
+} from '../services/coherence-review.js';
+
+const router: Router = Router();
+
+// GET /api/coherence
+router.get('/', async (req, res) => {
+  const projectId = req.query.project_id as string | undefined;
+  log('API', `GET /api/coherence${projectId ? ` project_id=${projectId}` : ''}`);
+  try {
+    const data: any = await readCoherenceData(projectId);
+    data.progress = coherenceRunning ? coherenceProgress : null;
+
+    const conflictsMap = detectConflicts(data.proposals);
+    const conflicts: Record<string, string[]> = {};
+    for (const [id, cSet] of conflictsMap) {
+      conflicts[id] = [...cSet];
+    }
+    data.conflicts = conflicts;
+
+    res.json(data);
+  } catch (err: any) {
+    log('API', `GET /api/coherence FAILED: ${err.message}`);
+    res.status(500).json({ error: 'Failed to read coherence data' });
+  }
+});
+
+// POST /api/coherence/run
+router.post('/run', async (req, res) => {
+  const projectId = req.query.project_id as string | undefined || req.body.project_id;
+  log('API', `POST /api/coherence/run${projectId ? ` project_id=${projectId}` : ''}`);
+  if (coherenceRunning) {
+    return res.status(409).json({ error: 'Coherence review already running' });
+  }
+
+  try {
+    const data = await readCoherenceData(projectId);
+    const hasPending = data.proposals.some((p: any) => p.status === 'pending');
+    if (hasPending) {
+      return res.status(400).json({ error: 'Resolve all pending proposals before starting a new review' });
+    }
+  } catch (err: any) {
+    return res.status(500).json({ error: 'Failed to check coherence state' });
+  }
+
+  setCoherenceRunning(true);
+  // Fire and forget
+  runCoherenceReview(projectId).catch((err: any) => {
+    log('COHERENCE', `Uncaught error: ${err.message}`);
+    setCoherenceRunning(false);
+    setCoherenceProgress({ current: 0, total: 0, message: '' });
+  });
+  res.json({ started: true });
+});
+
+// POST /api/coherence/batch/approve
+router.post('/batch/approve', async (req, res) => {
+  const projectId = req.query.project_id as string | undefined || req.body.project_id;
+  log('API', 'POST /api/coherence/batch/approve');
+  try {
+    const { batch_id, dismiss_ids = [] } = req.body;
+
+    if (!batch_id) {
+      return res.status(400).json({ error: 'Missing batch_id' });
+    }
+
+    const coherenceData = await readCoherenceData(projectId);
+    const batchProposals = coherenceData.proposals.filter(
+      (p: any) => p.batch_id === batch_id && p.status === 'pending'
+    );
+
+    if (batchProposals.length === 0) {
+      return res.status(404).json({ error: `No pending proposals in batch "${batch_id}"` });
+    }
+
+    const now = new Date().toISOString();
+    const results: any = { approved: [], dismissed: [] };
+
+    for (const p of batchProposals) {
+      if (dismiss_ids.includes(p.id)) {
+        p.status = 'dismissed';
+        p.resolved_at = now;
+        results.dismissed.push(p.id);
+      }
+    }
+
+    await writeCoherenceData(coherenceData, projectId);
+
+    const errors: any[] = [];
+    for (const p of batchProposals) {
+      if (p.status === 'pending') {
+        try {
+          await executeProposalAction(p, coherenceData, projectId);
+          p.status = 'approved';
+          p.resolved_at = now;
+          results.approved.push(p.id);
+        } catch (err: any) {
+          log('COHERENCE', `Batch: failed to execute proposal ${p.id}: ${err.message}`);
+          errors.push({ id: p.id, error: err.message });
+        }
+      }
+    }
+
+    await writeCoherenceData(coherenceData, projectId);
+    if (errors.length > 0) {
+      results.errors = errors;
+    }
+    res.json(results);
+  } catch (err: any) {
+    log('COHERENCE', `Batch approve error: ${err.message}`);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// POST /api/coherence/:id/approve
+router.post('/:id/approve', async (req, res) => {
+  const proposalId = req.params.id;
+  const projectId = req.query.project_id as string | undefined || req.body.project_id;
+  log('API', `POST /api/coherence/${proposalId}/approve`);
+  try {
+    const coherenceData = await readCoherenceData(projectId);
+    const proposal = coherenceData.proposals.find((p: any) => p.id === proposalId);
+    if (!proposal) {
+      return res.status(404).json({ error: `Proposal "${proposalId}" not found` });
+    }
+    if (proposal.status !== 'pending') {
+      return res.status(400).json({ error: `Proposal already ${proposal.status}` });
+    }
+
+    try {
+      await executeProposalAction(proposal, coherenceData, projectId);
+    } catch (err: any) {
+      log('COHERENCE', `Failed to execute proposal action: ${err.message}`);
+      return res.status(500).json({ error: `Failed to execute proposal action: ${err.message}` });
+    }
+
+    proposal.status = 'approved';
+    proposal.resolved_at = new Date().toISOString();
+    await writeCoherenceData(coherenceData, projectId);
+    res.json({ approved: true, proposal });
+  } catch (err: any) {
+    log('COHERENCE', `Approve error: ${err.message}`);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// POST /api/coherence/:id/dismiss
+router.post('/:id/dismiss', async (req, res) => {
+  const proposalId = req.params.id;
+  const projectId = req.query.project_id as string | undefined || req.body.project_id;
+  log('API', `POST /api/coherence/${proposalId}/dismiss`);
+  try {
+    const coherenceData = await readCoherenceData(projectId);
+    const proposal = coherenceData.proposals.find((p: any) => p.id === proposalId);
+    if (!proposal) {
+      return res.status(404).json({ error: `Proposal "${proposalId}" not found` });
+    }
+    if (proposal.status !== 'pending') {
+      return res.status(400).json({ error: `Proposal already ${proposal.status}` });
+    }
+
+    proposal.status = 'dismissed';
+    proposal.resolved_at = new Date().toISOString();
+    await writeCoherenceData(coherenceData, projectId);
+    res.json({ dismissed: true, proposal });
+  } catch (err: any) {
+    log('COHERENCE', `Dismiss error: ${err.message}`);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+export default router;