npm - @digilogiclabs/create-saas-app - Versions diffs - 2.0.0 → 2.2.0 - Mend

@digilogiclabs/create-saas-app 2.0.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (348) hide show

package/src/templates/infrastructure/terraform/gcp/template/outputs.tf ADDED Viewed

@@ -0,0 +1,51 @@
+# {{titleCaseName}} - GCP Terraform Outputs
+output "vercel_project_id" {
+  description = "Vercel project ID"
+  value       = vercel_project.app.id
+}
+output "vercel_domains" {
+  description = "Vercel project domains"
+  value       = [var.domain]
+}
+output "storage_bucket_name" {
+  description = "Cloud Storage bucket name"
+  value       = google_storage_bucket.storage.name
+}
+output "storage_bucket_url" {
+  description = "Cloud Storage bucket URL"
+  value       = google_storage_bucket.storage.url
+}
+output "cdn_ip_address" {
+  description = "CDN IP address"
+  value       = google_compute_global_address.storage_cdn.address
+}
+output "cloud_tasks_queue_name" {
+  description = "Cloud Tasks queue name"
+  value       = google_cloud_tasks_queue.jobs.name
+}
+output "pubsub_topic_name" {
+  description = "Pub/Sub topic name"
+  value       = google_pubsub_topic.events.name
+}
+output "pubsub_subscription_name" {
+  description = "Pub/Sub subscription name"
+  value       = google_pubsub_subscription.events.name
+}
+output "service_account_email" {
+  description = "Service account email"
+  value       = google_service_account.app.email
+}
+output "logs_bucket_name" {
+  description = "Logs bucket name"
+  value       = google_storage_bucket.logs.name
+}

package/src/templates/infrastructure/terraform/gcp/template/terraform.tfvars.example ADDED Viewed

@@ -0,0 +1,29 @@
+# {{titleCaseName}} - GCP Terraform Variables
+# Copy to terraform.tfvars and fill in values
+# General
+environment    = "staging"
+gcp_project_id = "your-gcp-project-id"
+gcp_region     = "us-central1"
+# Vercel
+vercel_api_token = "your-vercel-api-token"
+vercel_team_id   = null  # Optional: your-team-id
+github_repo      = "your-org/{{projectName}}"
+domain           = "{{projectName}}.com"
+# Supabase
+supabase_url              = "https://xxx.supabase.co"
+supabase_anon_key         = "your-supabase-anon-key"
+supabase_service_role_key = "your-supabase-service-role-key"
+# Stripe (Optional - leave empty if not using payments)
+stripe_secret_key     = ""
+stripe_webhook_secret = ""
+# AI (Optional - leave empty if not using AI features)
+openai_api_key    = ""
+anthropic_api_key = ""
+# Monitoring
+alert_email = "alerts@{{projectName}}.com"

package/src/templates/infrastructure/terraform/gcp/template/variables.tf ADDED Viewed

@@ -0,0 +1,115 @@
+# {{titleCaseName}} - GCP Terraform Variables
+# ============================================
+# General
+# ============================================
+variable "environment" {
+  description = "Environment name (staging, production)"
+  type        = string
+  default     = "staging"
+}
+variable "gcp_project_id" {
+  description = "GCP project ID"
+  type        = string
+}
+variable "gcp_region" {
+  description = "GCP region"
+  type        = string
+  default     = "us-central1"
+}
+# ============================================
+# Vercel
+# ============================================
+variable "vercel_api_token" {
+  description = "Vercel API token"
+  type        = string
+  sensitive   = true
+}
+variable "vercel_team_id" {
+  description = "Vercel team ID (optional)"
+  type        = string
+  default     = null
+}
+variable "github_repo" {
+  description = "GitHub repository (org/repo format)"
+  type        = string
+}
+variable "domain" {
+  description = "Production domain"
+  type        = string
+}
+# ============================================
+# Supabase
+# ============================================
+variable "supabase_url" {
+  description = "Supabase project URL"
+  type        = string
+}
+variable "supabase_anon_key" {
+  description = "Supabase anonymous key"
+  type        = string
+  sensitive   = true
+}
+variable "supabase_service_role_key" {
+  description = "Supabase service role key"
+  type        = string
+  sensitive   = true
+}
+# ============================================
+# Stripe (Optional)
+# ============================================
+variable "stripe_secret_key" {
+  description = "Stripe secret key"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+variable "stripe_webhook_secret" {
+  description = "Stripe webhook secret"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+# ============================================
+# AI (Optional)
+# ============================================
+variable "openai_api_key" {
+  description = "OpenAI API key"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+variable "anthropic_api_key" {
+  description = "Anthropic API key"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+# ============================================
+# Monitoring
+# ============================================
+variable "alert_email" {
+  description = "Email address for alerts"
+  type        = string
+  default     = ""
+}

package/src/templates/shared/admin/web/app/admin/layout.tsx ADDED Viewed

@@ -0,0 +1,34 @@
+import { redirect } from 'next/navigation';
+import { auth } from '@/auth';
+import { AdminNav } from '@/components/admin-nav';
+/**
+ * Admin layout with authentication guard.
+ *
+ * Protects all /admin/* routes. Requires the user to have the 'admin' role
+ * from Keycloak. Customize the role check and nav links below.
+ */
+export default async function AdminLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const session = await auth();
+  if (!session?.user) {
+    redirect('/api/auth/signin?callbackUrl=/admin');
+  }
+  const roles = (session.user as { roles?: string[] }).roles || [];
+  if (!roles.includes('admin')) {
+    redirect('/');
+  }
+  return (
+    <div className="mx-auto max-w-7xl px-4 py-8 sm:px-6 lg:px-8">
+      <AdminNav />
+      <main className="mt-6">{children}</main>
+    </div>
+  );
+}

package/src/templates/shared/admin/web/components/admin-nav.tsx ADDED Viewed

@@ -0,0 +1,48 @@
+'use client';
+import Link from 'next/link';
+import { usePathname } from 'next/navigation';
+/**
+ * Admin navigation component.
+ *
+ * Configuration-driven tab navigation with active state.
+ * Add your admin sections to the ADMIN_LINKS array below.
+ */
+const ADMIN_LINKS = [
+  { href: '/admin', label: 'Dashboard' },
+  { href: '/admin/users', label: 'Users' },
+  { href: '/admin/settings', label: 'Settings' },
+];
+export function AdminNav() {
+  const pathname = usePathname();
+  return (
+    <nav className="border-b border-gray-200 dark:border-gray-800">
+      <div className="flex gap-1">
+        {ADMIN_LINKS.map((link) => {
+          const isActive =
+            link.href === '/admin'
+              ? pathname === '/admin'
+              : pathname.startsWith(link.href);
+          return (
+            <Link
+              key={link.href}
+              href={link.href}
+              className={`rounded-t-lg px-4 py-2.5 text-sm font-medium transition-colors ${
+                isActive
+                  ? 'border-b-2 border-blue-600 text-blue-600 dark:text-blue-400'
+                  : 'text-gray-600 hover:text-gray-900 dark:text-gray-400 dark:hover:text-gray-200'
+              }`}
+            >
+              {link.label}
+            </Link>
+          );
+        })}
+      </div>
+    </nav>
+  );
+}

package/src/templates/shared/audit/web/lib/audit.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Audit logging for admin/security-sensitive actions.
+ *
+ * Uses createAuditLogger from platform-core/auth. Currently console-only
+ * (structured logs to stdout). Persistence (Redis/DB) can be added later
+ * by providing a `persist` callback.
+ */
+import 'server-only';
+import { createAuditLogger, StandardAuditActions } from '@digilogiclabs/platform-core/auth';
+/** App-specific audit actions extending the standard set. */
+export const AppAuditActions = {
+  ...StandardAuditActions,
+  // Add your app-specific actions here:
+  // USER_ROLE_CHANGED: 'app.user.role_changed',
+  // SUBSCRIPTION_CREATED: 'app.subscription.created',
+} as const;
+/**
+ * Audit logger instance.
+ * Console-only persistence — logs structured events to stdout.
+ */
+export const audit = createAuditLogger();

package/src/templates/shared/auth/keycloak/web/app/api/auth/federated-logout/route.ts ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * Federated Logout Route
+ *
+ * Handles proper logout from both Auth.js and Keycloak.
+ * Ensures the Keycloak session is cleared so users aren't auto-logged-in
+ * when they try to sign in again.
+ *
+ * Flow:
+ * 1. Get the id_token from the Auth.js session
+ * 2. Return an HTML page with Set-Cookie headers to clear all auth cookies
+ * 3. The HTML page auto-redirects to Keycloak's logout endpoint
+ * 4. Keycloak clears its session and redirects back to the app
+ *
+ * Returns HTML (200) instead of 307 redirect because browsers may not
+ * reliably process Set-Cookie headers on redirect responses.
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { auth } from '@/auth';
+import { getToken } from 'next-auth/jwt';
+/** Serialize a Set-Cookie header string for cookie deletion. */
+function expireCookie(
+  name: string,
+  options?: { domain?: string; secure?: boolean; hostPrefix?: boolean }
+): string {
+  const parts = [
+    `${name}=`,
+    'Path=/',
+    'Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+    'Max-Age=0',
+    'SameSite=Lax',
+  ];
+  if (options?.hostPrefix) {
+    parts.push('Secure');
+  } else {
+    parts.push('HttpOnly');
+    if (options?.domain) parts.push(`Domain=${options.domain}`);
+    if (options?.secure) parts.push('Secure');
+  }
+  return parts.join('; ');
+}
+/** Validate callback URL to prevent open redirect attacks. */
+function isAllowedCallbackUrl(url: string, baseUrl: string): boolean {
+  if (url.startsWith('/') && !url.startsWith('//')) return true;
+  try {
+    const parsed = new URL(url);
+    const base = new URL(baseUrl);
+    const allowedHosts = [base.hostname, `www.${base.hostname}`];
+    if (base.hostname.startsWith('www.')) {
+      allowedHosts.push(base.hostname.slice(4));
+    }
+    return allowedHosts.includes(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+export async function GET(request: NextRequest) {
+  const session = await auth();
+  const searchParams = request.nextUrl.searchParams;
+  const rawCallbackUrl = searchParams.get('callbackUrl') || '/';
+  const queryIdToken = searchParams.get('id_token_hint');
+  const baseUrl = process.env.NEXTAUTH_URL || process.env.AUTH_URL || 'http://localhost:3000';
+  const callbackUrl = isAllowedCallbackUrl(rawCallbackUrl, baseUrl) ? rawCallbackUrl : '/';
+  const postLogoutRedirectUri = callbackUrl.startsWith('http')
+    ? callbackUrl
+    : `${baseUrl}${callbackUrl}`;
+  const keycloakIssuer = process.env.AUTH_KEYCLOAK_ISSUER;
+  if (!keycloakIssuer) {
+    console.error('[Federated Logout] Missing AUTH_KEYCLOAK_ISSUER');
+    return NextResponse.redirect(
+      new URL('/api/auth/signout?callbackUrl=' + encodeURIComponent(callbackUrl), request.url)
+    );
+  }
+  // Revoke refresh token (best-effort)
+  const jwtToken = await getToken({ req: request });
+  const refreshToken = jwtToken?.refreshToken as string | undefined;
+  if (refreshToken) {
+    try {
+      await fetch(`${keycloakIssuer}/protocol/openid-connect/revoke`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          token: refreshToken,
+          token_type_hint: 'refresh_token',
+          ...(process.env.AUTH_KEYCLOAK_ID && { client_id: process.env.AUTH_KEYCLOAK_ID }),
+          ...(process.env.AUTH_KEYCLOAK_SECRET && {
+            client_secret: process.env.AUTH_KEYCLOAK_SECRET,
+          }),
+        }),
+      });
+    } catch {
+      // Best-effort — don't block logout
+    }
+  }
+  // Build Keycloak logout URL
+  const logoutUrl = new URL(`${keycloakIssuer}/protocol/openid-connect/logout`);
+  logoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+  if (process.env.AUTH_KEYCLOAK_ID) {
+    logoutUrl.searchParams.set('client_id', process.env.AUTH_KEYCLOAK_ID);
+  }
+  const idToken = session?.idToken || queryIdToken;
+  if (idToken) {
+    logoutUrl.searchParams.set('id_token_hint', idToken);
+  }
+  const escapedUrl = logoutUrl
+    .toString()
+    .replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+  const html = `<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0;url=${escapedUrl}">
+<title>Signing out...</title>
+<style>body{display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;font-family:system-ui,sans-serif;background:#0a0a0a;color:#fff}p{font-size:1.1rem;opacity:0.7}</style>
+</head><body>
+<p>Signing out&hellip;</p>
+<script>window.location.replace(${JSON.stringify(logoutUrl.toString()).replace(/</g, '\\u003c')});</script>
+</body></html>`;
+  const response = new NextResponse(html, {
+    status: 200,
+    headers: {
+      'Content-Type': 'text/html; charset=utf-8',
+      'Cache-Control': 'no-store, no-cache, must-revalidate',
+      Pragma: 'no-cache',
+    },
+  });
+  // Clear ALL Auth.js cookie variants
+  const isProduction = process.env.NODE_ENV === 'production';
+  const cookieNames = [
+    'authjs.session-token',
+    '__Secure-authjs.session-token',
+    'authjs.callback-url',
+    '__Secure-authjs.callback-url',
+    'authjs.csrf-token',
+    '__Secure-authjs.csrf-token',
+    'authjs.pkce.code_verifier',
+    '__Secure-authjs.pkce.code_verifier',
+    'authjs.state',
+    '__Secure-authjs.state',
+    // Legacy next-auth names
+    'next-auth.session-token',
+    '__Secure-next-auth.session-token',
+    'next-auth.callback-url',
+    '__Secure-next-auth.callback-url',
+    'next-auth.csrf-token',
+    '__Secure-next-auth.csrf-token',
+  ];
+  for (const name of cookieNames) {
+    const needsSecure = isProduction || name.startsWith('__Secure-');
+    response.headers.append('Set-Cookie', expireCookie(name, { secure: needsSecure }));
+  }
+  // __Host- prefix cookies
+  for (const name of ['__Host-authjs.csrf-token', '__Host-next-auth.csrf-token']) {
+    response.headers.append('Set-Cookie', expireCookie(name, { hostPrefix: true }));
+  }
+  return response;
+}

package/src/templates/shared/auth/keycloak/web/auth.config.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * Auth.js Base Configuration (Edge-compatible)
+ *
+ * This file contains ONLY Edge-runtime-compatible configuration.
+ * It is imported by middleware.ts for Edge middleware auth.
+ *
+ * Server-only code (database sync, events) lives in auth.ts which
+ * extends this config. API routes and server components use auth.ts.
+ *
+ * IMPORTANT: Do NOT add any imports of server-only modules here
+ * (ioredis, pg, nodemailer, platform-core barrel, etc.)
+ */
+import Keycloak from 'next-auth/providers/keycloak';
+import type { NextAuthConfig } from 'next-auth';
+import {
+  buildKeycloakCallbacks,
+  buildAuthCookies,
+  buildRedirectCallback,
+} from '@digilogiclabs/platform-core/auth';
+// Extend the built-in session types
+declare module 'next-auth' {
+  interface Session {
+    user: {
+      id: string;
+      email?: string | null;
+      name?: string | null;
+      image?: string | null;
+      roles?: string[]; // Keycloak realm roles
+    };
+    idToken?: string; // For federated logout
+    accessToken?: string; // For API calls
+    // refreshToken intentionally NOT exposed to client — used server-side only via getToken()
+    error?: string; // Token refresh error — client should re-authenticate
+  }
+}
+/** Keycloak callbacks — JWT token storage, role parsing, automatic refresh, session mapping */
+const keycloakCallbacks = buildKeycloakCallbacks({
+  issuer: process.env.AUTH_KEYCLOAK_ISSUER!,
+  clientId: process.env.AUTH_KEYCLOAK_ID!,
+  clientSecret: process.env.AUTH_KEYCLOAK_SECRET!,
+});
+export const authConfig: NextAuthConfig = {
+  // Trust the host in production (required for Auth.js v5 behind reverse proxy)
+  trustHost: true,
+  // Cookie configuration for cross-domain OIDC (www/non-www compatibility).
+  // csrfToken uses __Host- prefix which CANNOT have a Domain attribute.
+  // The federated-logout route handles clearing all cookie variants.
+  cookies: buildAuthCookies(),
+  providers: [
+    Keycloak({
+      clientId: process.env.AUTH_KEYCLOAK_ID!,
+      clientSecret: process.env.AUTH_KEYCLOAK_SECRET!,
+      issuer: process.env.AUTH_KEYCLOAK_ISSUER!,
+    }),
+  ],
+  session: {
+    strategy: 'jwt',
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+  },
+  callbacks: {
+    ...keycloakCallbacks,
+    async signIn() {
+      return true;
+    },
+    redirect: buildRedirectCallback(),
+  },
+  pages: {
+    signIn: '/auth/signin',
+    error: '/auth/signin',
+  },
+  debug: process.env.NODE_ENV === 'development',
+};

package/src/templates/shared/auth/keycloak/web/auth.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Auth.js Server Configuration
+ *
+ * Extends the Edge-compatible auth.config.ts with server-only features
+ * (database sync, events, etc.). This file is used by API routes and
+ * server components.
+ *
+ * Middleware uses auth.config.ts directly (Edge-compatible).
+ */
+import NextAuth from 'next-auth';
+import { authConfig } from './auth.config';
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  ...authConfig,
+  // Server-only events — add database sync, audit logging, etc.
+  events: {
+    async signIn({ user }) {
+      // Optional: sync user to your database on sign-in
+      // const db = await getDatabase();
+      // await db.upsert('users', { id: user.id, email: user.email, name: user.name });
+      console.log(`[Auth] User signed in: ${user.email}`);
+    },
+  },
+});

package/src/templates/shared/beta/web/app/api/beta-settings/route.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { NextResponse } from 'next/server';
+export const dynamic = 'force-dynamic';
+/**
+ * GET /api/beta-settings
+ *
+ * Returns beta mode configuration. Controlled via environment variables:
+ *   BETA_MODE           - 'true'/'false' (default: true)
+ *   REQUIRE_INVITE_CODE - 'true'/'false' (default: true)
+ *   BETA_MESSAGE        - Custom message shown to users
+ */
+export async function GET() {
+  const betaMode = process.env.BETA_MODE !== 'false';
+  const requireInviteCode = process.env.REQUIRE_INVITE_CODE !== 'false';
+  const betaMessage =
+    process.env.BETA_MESSAGE ||
+    'We are currently in private beta. Enter your invite code to continue.';
+  return NextResponse.json({
+    betaMode,
+    requireInviteCode,
+    betaMessage,
+  });
+}

package/src/templates/shared/beta/web/app/api/validate-beta-code/route.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { enforceRateLimit, CommonRateLimits } from '@digilogiclabs/platform-core/auth';
+export const dynamic = 'force-dynamic';
+/**
+ * POST /api/validate-beta-code
+ *
+ * Validates a beta invite code against environment-defined codes.
+ * Rate limited to 5/min with 5-minute block to prevent brute force.
+ *
+ * Env vars:
+ *   BETA_CODES - Comma-separated list of valid codes (e.g. "CODE1,CODE2")
+ */
+export async function POST(request: NextRequest) {
+  // Rate limit: 5 attempts per minute, 5-minute block on exceed
+  const rateLimitResult = await enforceRateLimit(
+    request,
+    'validate-beta-code',
+    CommonRateLimits.betaValidation
+  );
+  if (rateLimitResult) return rateLimitResult;
+  try {
+    const body = await request.json();
+    const { code } = body;
+    if (!code || typeof code !== 'string') {
+      return NextResponse.json({ valid: false, message: 'Invalid code format' });
+    }
+    const normalizedCode = code.trim().toUpperCase();
+    if (normalizedCode.length < 3) {
+      return NextResponse.json({
+        valid: false,
+        message: 'Code must be at least 3 characters',
+      });
+    }
+    // Get valid codes from environment
+    const validCodesEnv = process.env.BETA_CODES || '';
+    const validCodes = validCodesEnv
+      .split(',')
+      .map((c) => c.trim().toUpperCase())
+      .filter(Boolean);
+    const allValidCodes = new Set(validCodes);
+    if (allValidCodes.has(normalizedCode)) {
+      return NextResponse.json({
+        valid: true,
+        message: 'Welcome to the beta! You can now continue.',
+      });
+    }
+    return NextResponse.json({
+      valid: false,
+      message: 'Invalid invite code. Please check your code and try again.',
+    });
+  } catch {
+    return NextResponse.json(
+      { valid: false, message: 'Unable to validate code. Please try again.' },
+      { status: 500 }
+    );
+  }
+}