@ftisindia/create-app 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (108) hide show
  1. package/package.json +1 -1
  2. package/template/README.md +1 -1
  3. package/template/_package.json +0 -2
  4. package/template/docs/API_REFERENCE.md +13 -0
  5. package/template/docs/OAUTH.md +7 -3
  6. package/template/scripts/gen-module.mjs +2 -0
  7. package/template/src/app.module.ts +16 -22
  8. package/template/src/common/dto/error-response.dto.ts +3 -3
  9. package/template/src/common/dto/membership-response.dto.ts +26 -14
  10. package/template/src/common/dto/mutation-response.dto.ts +1 -1
  11. package/template/src/common/dto/pagination-query.dto.ts +37 -0
  12. package/template/src/common/dto/role-summary.dto.ts +5 -5
  13. package/template/src/common/dto/user-summary.dto.ts +6 -6
  14. package/template/src/common/filters/http-exception.filter.ts +9 -19
  15. package/template/src/common/swagger/api-error-responses.ts +12 -12
  16. package/template/src/config/app.config.ts +3 -3
  17. package/template/src/config/auth.config.ts +3 -3
  18. package/template/src/config/database.config.ts +3 -3
  19. package/template/src/config/env.validation.ts +58 -40
  20. package/template/src/config/index.ts +5 -5
  21. package/template/src/config/rbac.config.ts +3 -3
  22. package/template/src/database/prisma/prisma-transaction.ts +1 -1
  23. package/template/src/database/prisma/prisma.module.ts +2 -2
  24. package/template/src/database/prisma/prisma.service.ts +3 -6
  25. package/template/src/main.ts +11 -11
  26. package/template/src/modules/access-control/access-control.module.ts +9 -9
  27. package/template/src/modules/access-control/application/role-permission-policy.ts +71 -0
  28. package/template/src/modules/access-control/application/route-registry.validator.ts +34 -63
  29. package/template/src/modules/access-control/application/services/ability.factory.ts +5 -9
  30. package/template/src/modules/access-control/application/services/access-control.service.ts +78 -85
  31. package/template/src/modules/access-control/application/services/permission.guard.ts +16 -21
  32. package/template/src/modules/access-control/application/services/rbac-cache.service.ts +7 -9
  33. package/template/src/modules/access-control/dto/access-control-response.dto.ts +32 -20
  34. package/template/src/modules/access-control/dto/create-role.dto.ts +6 -6
  35. package/template/src/modules/access-control/dto/update-role-permissions.dto.ts +3 -10
  36. package/template/src/modules/access-control/dto/update-role.dto.ts +6 -6
  37. package/template/src/modules/access-control/presentation/access-control.controller.ts +69 -74
  38. package/template/src/modules/access-control/presentation/permissions.decorator.ts +3 -3
  39. package/template/src/modules/access-control/presentation/public.decorator.ts +2 -2
  40. package/template/src/modules/access-control/types/permission-key.ts +19 -19
  41. package/template/src/modules/access-control/types/route-permission-registry.ts +76 -76
  42. package/template/src/modules/audit/application/services/audit.service.ts +7 -7
  43. package/template/src/modules/audit/audit.module.ts +4 -4
  44. package/template/src/modules/audit/dto/audit-response.dto.ts +18 -18
  45. package/template/src/modules/audit/dto/list-audit-logs-query.dto.ts +14 -14
  46. package/template/src/modules/audit/presentation/audit.controller.ts +17 -23
  47. package/template/src/modules/auth/application/services/auth.service.ts +147 -110
  48. package/template/src/modules/auth/application/services/password.service.ts +2 -2
  49. package/template/src/modules/auth/application/services/token.service.ts +20 -21
  50. package/template/src/modules/auth/auth.module.ts +20 -47
  51. package/template/src/modules/auth/dto/auth-response.dto.ts +9 -10
  52. package/template/src/modules/auth/dto/login.dto.ts +4 -4
  53. package/template/src/modules/auth/dto/logout.dto.ts +1 -1
  54. package/template/src/modules/auth/dto/oauth-exchange.dto.ts +4 -5
  55. package/template/src/modules/auth/dto/refresh-token.dto.ts +4 -5
  56. package/template/src/modules/auth/dto/signup.dto.ts +5 -11
  57. package/template/src/modules/auth/infrastructure/passport/google-auth.guard.ts +6 -14
  58. package/template/src/modules/auth/infrastructure/passport/google-oauth-state.store.ts +98 -0
  59. package/template/src/modules/auth/infrastructure/passport/google.strategy.ts +21 -30
  60. package/template/src/modules/auth/infrastructure/passport/jwt-auth.guard.ts +3 -3
  61. package/template/src/modules/auth/infrastructure/passport/jwt.strategy.ts +11 -11
  62. package/template/src/modules/auth/presentation/auth.controller.ts +45 -45
  63. package/template/src/modules/auth/presentation/current-user.decorator.ts +3 -5
  64. package/template/src/modules/auth/presentation/google-oauth-exception.filter.ts +5 -10
  65. package/template/src/modules/health/dto/health-response.dto.ts +5 -5
  66. package/template/src/modules/health/health.module.ts +2 -2
  67. package/template/src/modules/health/presentation/health.controller.ts +13 -13
  68. package/template/src/modules/invitations/application/services/invitations.service.ts +127 -176
  69. package/template/src/modules/invitations/dto/accept-invitation.dto.ts +6 -7
  70. package/template/src/modules/invitations/dto/create-invitation.dto.ts +14 -15
  71. package/template/src/modules/invitations/dto/invitation-response.dto.ts +37 -29
  72. package/template/src/modules/invitations/dto/invitation-token.dto.ts +4 -4
  73. package/template/src/modules/invitations/invitations.module.ts +5 -5
  74. package/template/src/modules/invitations/presentation/invitations.controller.ts +61 -63
  75. package/template/src/modules/memberships/application/services/memberships.service.ts +70 -84
  76. package/template/src/modules/memberships/dto/transfer-owner.dto.ts +4 -4
  77. package/template/src/modules/memberships/dto/update-billing-contact.dto.ts +2 -2
  78. package/template/src/modules/memberships/dto/update-membership-owner.dto.ts +2 -2
  79. package/template/src/modules/memberships/dto/update-membership-role.dto.ts +4 -4
  80. package/template/src/modules/memberships/dto/update-membership-status.dto.ts +3 -3
  81. package/template/src/modules/memberships/memberships.module.ts +4 -4
  82. package/template/src/modules/memberships/presentation/memberships.controller.ts +83 -99
  83. package/template/src/modules/organisations/application/services/organisations.service.ts +21 -23
  84. package/template/src/modules/organisations/dto/create-organisation.dto.ts +6 -13
  85. package/template/src/modules/organisations/dto/organisation-response.dto.ts +14 -14
  86. package/template/src/modules/organisations/infrastructure/repositories/organisations.repository.ts +4 -7
  87. package/template/src/modules/organisations/organisations.module.ts +5 -5
  88. package/template/src/modules/organisations/presentation/organisations.controller.ts +14 -23
  89. package/template/src/modules/organisations/types/default-organisation-data.ts +3 -9
  90. package/template/src/modules/request-context/application/services/request-context.service.ts +15 -7
  91. package/template/src/modules/request-context/presentation/org-scope.guard.ts +4 -9
  92. package/template/src/modules/request-context/presentation/request-context.interceptor.ts +4 -9
  93. package/template/src/modules/request-context/presentation/request-context.middleware.ts +7 -8
  94. package/template/src/modules/request-context/request-context.module.ts +7 -7
  95. package/template/src/modules/request-context/types/request-context.ts +2 -2
  96. package/template/src/modules/sample/application/services/sample.service.ts +10 -8
  97. package/template/src/modules/sample/dto/sample-echo.dto.ts +3 -3
  98. package/template/src/modules/sample/dto/sample-response.dto.ts +12 -12
  99. package/template/src/modules/sample/presentation/sample.controller.ts +25 -42
  100. package/template/src/modules/sample/sample.module.ts +4 -4
  101. package/template/src/modules/settings/application/services/settings.service.ts +15 -27
  102. package/template/src/modules/settings/dto/setting-response.dto.ts +9 -9
  103. package/template/src/modules/settings/dto/update-setting.dto.ts +5 -5
  104. package/template/src/modules/settings/presentation/settings.controller.ts +29 -35
  105. package/template/src/modules/settings/settings.module.ts +5 -5
  106. package/template/src/modules/settings/types/setting-definitions.ts +49 -33
  107. package/template/test/auth-refresh.spec.ts +90 -0
  108. package/template/test/role-permission-policy.spec.ts +94 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ftisindia/create-app",
3
- "version": "0.1.3",
3
+ "version": "0.1.4",
4
4
  "description": "One-command scaffolder for the Phase 1 NestJS foundation starter.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -1,4 +1,4 @@
1
- # __PROJECT_NAME__
1
+ # **PROJECT_NAME**
2
2
 
3
3
  NestJS modular-monolith starter with email/password auth, Google OAuth handoff, organisations, memberships, invitations, per-organisation RBAC with CASL, request context, audit logs, typed settings, Swagger, and a complete sample module.
4
4
 
@@ -42,7 +42,6 @@
42
42
  "bcryptjs": "3.0.3",
43
43
  "class-transformer": "0.5.1",
44
44
  "class-validator": "0.15.1",
45
- "express-session": "1.19.0",
46
45
  "passport": "0.7.0",
47
46
  "passport-google-oauth20": "2.0.0",
48
47
  "passport-jwt": "4.0.1",
@@ -56,7 +55,6 @@
56
55
  "@nestjs/cli": "11.0.21",
57
56
  "@nestjs/schematics": "11.1.0",
58
57
  "@nestjs/testing": "11.1.24",
59
- "@types/express-session": "1.19.0",
60
58
  "@types/jest": "30.0.0",
61
59
  "@types/node": "20.19.41",
62
60
  "@types/passport": "1.0.17",
@@ -28,6 +28,19 @@ After authorization, Swagger can call protected routes directly.
28
28
  Successful responses are documented per endpoint with typed response DTOs. Most
29
29
  date values are ISO strings.
30
30
 
31
+ Growable list endpoints such as memberships, invitations, and roles are cursor
32
+ paginated:
33
+
34
+ ```json
35
+ {
36
+ "items": [],
37
+ "nextCursor": null
38
+ }
39
+ ```
40
+
41
+ Use `?limit=50` and pass `nextCursor` back as `?cursor=...` to fetch the next
42
+ page.
43
+
31
44
  Errors use one common envelope:
32
45
 
33
46
  ```json
@@ -18,9 +18,12 @@ Failures redirect to `AUTH_GOOGLE_ERROR_REDIRECT_URL?error=oauth_failed`.
18
18
 
19
19
  ## State And PKCE
20
20
 
21
- Google OAuth uses state and PKCE. A short-lived `oauth.sid` session cookie is scoped only to `/auth/google` and `/auth/google/callback` so Passport can store and verify the OAuth state and PKCE code verifier during the handshake.
21
+ Google OAuth uses state and PKCE. The API encrypts and authenticates the PKCE
22
+ code verifier inside a short-lived state value, so the callback can be handled
23
+ without an Express session store.
22
24
 
23
- The rest of the app remains stateless JWT. There is no `passport.session()` and no persistent login session.
25
+ The app remains stateless JWT. There is no `passport.session()`, no persistent
26
+ login session, and no in-memory OAuth session store.
24
27
 
25
28
  ## Auth Endpoint Hardening
26
29
 
@@ -43,4 +46,5 @@ SESSION_SECRET=
43
46
 
44
47
  `SESSION_SECRET` must be at least 32 random characters.
45
48
 
46
- The default `express-session` memory store is intended for development and single-instance deployments. In multi-instance production deployments, use sticky sessions or replace the store with a shared store such as Redis.
49
+ When `NODE_ENV=production`, all configured Google callback/success/error URLs
50
+ must use HTTPS.
@@ -78,6 +78,8 @@ export class ${names.pascal}Service {
78
78
  messageLength: message.length,
79
79
  requestId: this.requestContext.getRequestId(),
80
80
  } satisfies Prisma.InputJsonObject,
81
+ ipAddress: this.requestContext.getIpAddress(),
82
+ userAgent: this.requestContext.getUserAgent(),
81
83
  },
82
84
  });
83
85
 
@@ -1,25 +1,19 @@
1
- import { Module } from "@nestjs/common";
2
- import { ConfigModule } from "@nestjs/config";
3
- import { APP_GUARD } from "@nestjs/core";
4
- import { ThrottlerGuard, ThrottlerModule } from "@nestjs/throttler";
5
- import {
6
- appConfig,
7
- authConfig,
8
- databaseConfig,
9
- rbacConfig,
10
- validate,
11
- } from "./config";
12
- import { PrismaModule } from "./database/prisma/prisma.module";
13
- import { AccessControlModule } from "./modules/access-control/access-control.module";
14
- import { AuditModule } from "./modules/audit/audit.module";
15
- import { AuthModule } from "./modules/auth/auth.module";
16
- import { HealthModule } from "./modules/health/health.module";
17
- import { InvitationsModule } from "./modules/invitations/invitations.module";
18
- import { MembershipsModule } from "./modules/memberships/memberships.module";
19
- import { OrganisationsModule } from "./modules/organisations/organisations.module";
20
- import { RequestContextModule } from "./modules/request-context/request-context.module";
21
- import { SampleModule } from "./modules/sample/sample.module";
22
- import { SettingsModule } from "./modules/settings/settings.module";
1
+ import { Module } from '@nestjs/common';
2
+ import { ConfigModule } from '@nestjs/config';
3
+ import { APP_GUARD } from '@nestjs/core';
4
+ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
5
+ import { appConfig, authConfig, databaseConfig, rbacConfig, validate } from './config';
6
+ import { PrismaModule } from './database/prisma/prisma.module';
7
+ import { AccessControlModule } from './modules/access-control/access-control.module';
8
+ import { AuditModule } from './modules/audit/audit.module';
9
+ import { AuthModule } from './modules/auth/auth.module';
10
+ import { HealthModule } from './modules/health/health.module';
11
+ import { InvitationsModule } from './modules/invitations/invitations.module';
12
+ import { MembershipsModule } from './modules/memberships/memberships.module';
13
+ import { OrganisationsModule } from './modules/organisations/organisations.module';
14
+ import { RequestContextModule } from './modules/request-context/request-context.module';
15
+ import { SampleModule } from './modules/sample/sample.module';
16
+ import { SettingsModule } from './modules/settings/settings.module';
23
17
 
24
18
  @Module({
25
19
  imports: [
@@ -1,10 +1,10 @@
1
- import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
1
+ import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
2
2
 
3
3
  class ErrorBodyDto {
4
- @ApiProperty({ example: "BAD_REQUEST" })
4
+ @ApiProperty({ example: 'BAD_REQUEST' })
5
5
  code!: string;
6
6
 
7
- @ApiProperty({ example: "Validation failed." })
7
+ @ApiProperty({ example: 'Validation failed.' })
8
8
  message!: string;
9
9
 
10
10
  @ApiPropertyOptional({ type: Object })
@@ -1,30 +1,30 @@
1
- import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
2
- import { MembershipStatus } from "@prisma/client";
3
- import { RoleSummaryDto } from "./role-summary.dto";
4
- import { ActiveUserSummaryDto } from "./user-summary.dto";
1
+ import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
2
+ import { MembershipStatus } from '@prisma/client';
3
+ import { RoleSummaryDto } from './role-summary.dto';
4
+ import { ActiveUserSummaryDto } from './user-summary.dto';
5
5
 
6
6
  export class MembershipResponseDto {
7
7
  @ApiProperty({
8
- example: "0a57fb4a-95c6-4f7e-bd5a-f96dbe0599e3",
9
- format: "uuid",
8
+ example: '0a57fb4a-95c6-4f7e-bd5a-f96dbe0599e3',
9
+ format: 'uuid',
10
10
  })
11
11
  id!: string;
12
12
 
13
13
  @ApiProperty({
14
- example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
15
- format: "uuid",
14
+ example: '4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456',
15
+ format: 'uuid',
16
16
  })
17
17
  userId!: string;
18
18
 
19
19
  @ApiProperty({
20
- example: "2c67399d-670c-4025-a5fd-1ea9a211891e",
21
- format: "uuid",
20
+ example: '2c67399d-670c-4025-a5fd-1ea9a211891e',
21
+ format: 'uuid',
22
22
  })
23
23
  orgId!: string;
24
24
 
25
25
  @ApiProperty({
26
- example: "f602c057-04f4-4ef8-8c84-1b7c62fbf8c5",
27
- format: "uuid",
26
+ example: 'f602c057-04f4-4ef8-8c84-1b7c62fbf8c5',
27
+ format: 'uuid',
28
28
  })
29
29
  roleId!: string;
30
30
 
@@ -43,9 +43,21 @@ export class MembershipResponseDto {
43
43
  @ApiPropertyOptional({ type: RoleSummaryDto })
44
44
  role?: RoleSummaryDto;
45
45
 
46
- @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
46
+ @ApiProperty({ example: '2026-06-01T10:30:00.000Z', format: 'date-time' })
47
47
  createdAt!: string;
48
48
 
49
- @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
49
+ @ApiProperty({ example: '2026-06-01T10:30:00.000Z', format: 'date-time' })
50
50
  updatedAt!: string;
51
51
  }
52
+
53
+ export class MembershipListResponseDto {
54
+ @ApiProperty({ type: [MembershipResponseDto] })
55
+ items!: MembershipResponseDto[];
56
+
57
+ @ApiPropertyOptional({
58
+ example: '0a57fb4a-95c6-4f7e-bd5a-f96dbe0599e3',
59
+ format: 'uuid',
60
+ nullable: true,
61
+ })
62
+ nextCursor!: string | null;
63
+ }
@@ -1,4 +1,4 @@
1
- import { ApiProperty } from "@nestjs/swagger";
1
+ import { ApiProperty } from '@nestjs/swagger';
2
2
 
3
3
  export class DeletedResponseDto {
4
4
  @ApiProperty({ example: true })
@@ -0,0 +1,37 @@
1
+ import { ApiPropertyOptional } from '@nestjs/swagger';
2
+ import { Type } from 'class-transformer';
3
+ import { IsInt, IsOptional, IsUUID, Max, Min } from 'class-validator';
4
+
5
+ export const DEFAULT_PAGE_LIMIT = 50;
6
+ export const MAX_PAGE_LIMIT = 100;
7
+
8
+ export class PaginationQueryDto {
9
+ @ApiPropertyOptional({ example: 50, minimum: 1, maximum: MAX_PAGE_LIMIT })
10
+ @IsOptional()
11
+ @Type(() => Number)
12
+ @IsInt()
13
+ @Min(1)
14
+ @Max(MAX_PAGE_LIMIT)
15
+ limit?: number;
16
+
17
+ @ApiPropertyOptional({
18
+ example: 'df6537c4-f58b-452e-a67e-18ec528d0f0f',
19
+ format: 'uuid',
20
+ })
21
+ @IsOptional()
22
+ @IsUUID()
23
+ cursor?: string;
24
+ }
25
+
26
+ export function resolvePageLimit(limit: number | undefined) {
27
+ return Math.min(limit ?? DEFAULT_PAGE_LIMIT, MAX_PAGE_LIMIT);
28
+ }
29
+
30
+ export function toPage<T extends { id: string }>(rows: T[], limit: number) {
31
+ const items = rows.slice(0, limit);
32
+
33
+ return {
34
+ items,
35
+ nextCursor: rows.length > limit ? (items[items.length - 1]?.id ?? null) : null,
36
+ };
37
+ }
@@ -1,16 +1,16 @@
1
- import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
1
+ import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
2
2
 
3
3
  export class RoleSummaryDto {
4
4
  @ApiProperty({
5
- example: "f602c057-04f4-4ef8-8c84-1b7c62fbf8c5",
6
- format: "uuid",
5
+ example: 'f602c057-04f4-4ef8-8c84-1b7c62fbf8c5',
6
+ format: 'uuid',
7
7
  })
8
8
  id!: string;
9
9
 
10
- @ApiProperty({ example: "Owner" })
10
+ @ApiProperty({ example: 'Owner' })
11
11
  name!: string;
12
12
 
13
- @ApiPropertyOptional({ example: "Full organisation access.", nullable: true })
13
+ @ApiPropertyOptional({ example: 'Full organisation access.', nullable: true })
14
14
  description?: string | null;
15
15
 
16
16
  @ApiPropertyOptional({ example: true })
@@ -1,19 +1,19 @@
1
- import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
1
+ import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
2
2
 
3
3
  export class UserSummaryDto {
4
4
  @ApiProperty({
5
- example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
6
- format: "uuid",
5
+ example: '4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456',
6
+ format: 'uuid',
7
7
  })
8
8
  id!: string;
9
9
 
10
- @ApiPropertyOptional({ example: "owner@example.com", nullable: true })
10
+ @ApiPropertyOptional({ example: 'owner@example.com', nullable: true })
11
11
  email?: string | null;
12
12
 
13
- @ApiPropertyOptional({ example: "+14155552671", nullable: true })
13
+ @ApiPropertyOptional({ example: '+14155552671', nullable: true })
14
14
  mobile?: string | null;
15
15
 
16
- @ApiPropertyOptional({ example: "Starter Owner", nullable: true })
16
+ @ApiPropertyOptional({ example: 'Starter Owner', nullable: true })
17
17
  displayName?: string | null;
18
18
  }
19
19
 
@@ -1,10 +1,4 @@
1
- import {
2
- ArgumentsHost,
3
- Catch,
4
- ExceptionFilter,
5
- HttpException,
6
- HttpStatus,
7
- } from "@nestjs/common";
1
+ import { ArgumentsHost, Catch, ExceptionFilter, HttpException, HttpStatus } from '@nestjs/common';
8
2
 
9
3
  type HttpResponse = {
10
4
  status: (statusCode: number) => {
@@ -17,9 +11,7 @@ export class HttpExceptionFilter implements ExceptionFilter {
17
11
  catch(exception: unknown, host: ArgumentsHost) {
18
12
  const response = host.switchToHttp().getResponse<HttpResponse>();
19
13
  const status =
20
- exception instanceof HttpException
21
- ? exception.getStatus()
22
- : HttpStatus.INTERNAL_SERVER_ERROR;
14
+ exception instanceof HttpException ? exception.getStatus() : HttpStatus.INTERNAL_SERVER_ERROR;
23
15
 
24
16
  response.status(status).json({
25
17
  error: {
@@ -32,25 +24,25 @@ export class HttpExceptionFilter implements ExceptionFilter {
32
24
  }
33
25
 
34
26
  function errorCode(status: number) {
35
- return HttpStatus[status] ?? "ERROR";
27
+ return HttpStatus[status] ?? 'ERROR';
36
28
  }
37
29
 
38
30
  function errorMessage(exception: unknown) {
39
31
  if (!(exception instanceof HttpException)) {
40
- return "Internal server error.";
32
+ return 'Internal server error.';
41
33
  }
42
34
 
43
35
  const body = exception.getResponse();
44
- if (typeof body === "string") {
36
+ if (typeof body === 'string') {
45
37
  return body;
46
38
  }
47
39
 
48
- if (isObject(body) && typeof body.message === "string") {
40
+ if (isObject(body) && typeof body.message === 'string') {
49
41
  return body.message;
50
42
  }
51
43
 
52
44
  if (isObject(body) && Array.isArray(body.message)) {
53
- return body.message.join("; ");
45
+ return body.message.join('; ');
54
46
  }
55
47
 
56
48
  return exception.message;
@@ -67,12 +59,10 @@ function errorDetails(exception: unknown) {
67
59
  }
68
60
 
69
61
  return Object.fromEntries(
70
- Object.entries(body).filter(
71
- ([key]) => !["statusCode", "error", "message"].includes(key),
72
- ),
62
+ Object.entries(body).filter(([key]) => !['statusCode', 'error', 'message'].includes(key)),
73
63
  );
74
64
  }
75
65
 
76
66
  function isObject(value: unknown): value is Record<string, unknown> {
77
- return typeof value === "object" && value !== null;
67
+ return typeof value === 'object' && value !== null;
78
68
  }
@@ -1,4 +1,4 @@
1
- import { applyDecorators } from "@nestjs/common";
1
+ import { applyDecorators } from '@nestjs/common';
2
2
  import {
3
3
  ApiBadRequestResponse,
4
4
  ApiConflictResponse,
@@ -9,8 +9,8 @@ import {
9
9
  ApiServiceUnavailableResponse,
10
10
  ApiTooManyRequestsResponse,
11
11
  ApiUnauthorizedResponse,
12
- } from "@nestjs/swagger";
13
- import { ErrorResponseDto } from "../dto/error-response.dto";
12
+ } from '@nestjs/swagger';
13
+ import { ErrorResponseDto } from '../dto/error-response.dto';
14
14
 
15
15
  type ApiErrorStatus = 400 | 401 | 403 | 404 | 409 | 410 | 429 | 500 | 503;
16
16
 
@@ -27,15 +27,15 @@ const errorResponseFactories = {
27
27
  } satisfies Record<ApiErrorStatus, typeof ApiBadRequestResponse>;
28
28
 
29
29
  const descriptions: Record<ApiErrorStatus, string> = {
30
- 400: "The request body, route parameter, or query string is invalid.",
31
- 401: "Authentication failed or the bearer token is missing.",
32
- 403: "The authenticated user does not have access to this organisation or permission.",
33
- 404: "The requested resource was not found.",
34
- 409: "The request conflicts with current resource state.",
35
- 410: "The resource is no longer available.",
36
- 429: "Too many requests.",
37
- 500: "Unexpected server error.",
38
- 503: "The service is temporarily unavailable.",
30
+ 400: 'The request body, route parameter, or query string is invalid.',
31
+ 401: 'Authentication failed or the bearer token is missing.',
32
+ 403: 'The authenticated user does not have access to this organisation or permission.',
33
+ 404: 'The requested resource was not found.',
34
+ 409: 'The request conflicts with current resource state.',
35
+ 410: 'The resource is no longer available.',
36
+ 429: 'Too many requests.',
37
+ 500: 'Unexpected server error.',
38
+ 503: 'The service is temporarily unavailable.',
39
39
  };
40
40
 
41
41
  export function ApiErrorResponses(...statuses: ApiErrorStatus[]) {
@@ -1,7 +1,7 @@
1
- import { registerAs } from "@nestjs/config";
2
- import { getEnv } from "./env.validation";
1
+ import { registerAs } from '@nestjs/config';
2
+ import { getEnv } from './env.validation';
3
3
 
4
- export default registerAs("app", () => ({
4
+ export default registerAs('app', () => ({
5
5
  nodeEnv: getEnv().NODE_ENV,
6
6
  port: getEnv().PORT,
7
7
  }));
@@ -1,7 +1,7 @@
1
- import { registerAs } from "@nestjs/config";
2
- import { getEnv } from "./env.validation";
1
+ import { registerAs } from '@nestjs/config';
2
+ import { getEnv } from './env.validation';
3
3
 
4
- export default registerAs("auth", () => {
4
+ export default registerAs('auth', () => {
5
5
  const env = getEnv();
6
6
 
7
7
  return {
@@ -1,6 +1,6 @@
1
- import { registerAs } from "@nestjs/config";
2
- import { getEnv } from "./env.validation";
1
+ import { registerAs } from '@nestjs/config';
2
+ import { getEnv } from './env.validation';
3
3
 
4
- export default registerAs("database", () => ({
4
+ export default registerAs('database', () => ({
5
5
  url: getEnv().DATABASE_URL,
6
6
  }));
@@ -1,17 +1,17 @@
1
- import { z } from "zod";
1
+ import { z } from 'zod';
2
2
 
3
3
  const booleanFromEnv = z.preprocess((value) => {
4
- if (typeof value === "boolean") {
4
+ if (typeof value === 'boolean') {
5
5
  return value;
6
6
  }
7
7
 
8
- if (typeof value === "string") {
8
+ if (typeof value === 'string') {
9
9
  const normalized = value.trim().toLowerCase();
10
- if (normalized === "true") {
10
+ if (normalized === 'true') {
11
11
  return true;
12
12
  }
13
13
 
14
- if (normalized === "false") {
14
+ if (normalized === 'false') {
15
15
  return false;
16
16
  }
17
17
  }
@@ -22,52 +22,47 @@ const booleanFromEnv = z.preprocess((value) => {
22
22
  const durationSchema = z
23
23
  .string()
24
24
  .trim()
25
- .regex(/^\d+[smhdw]$/, "duration must use s, m, h, d, or w units");
25
+ .regex(/^\d+[smhdw]$/, 'duration must use s, m, h, d, or w units');
26
26
 
27
27
  export const envSchema = z
28
28
  .object({
29
- NODE_ENV: z
30
- .enum(["development", "test", "production"])
31
- .default("development"),
29
+ NODE_ENV: z.enum(['development', 'test', 'production']).default('development'),
32
30
  PORT: z.coerce.number().int().positive().default(3000),
33
31
  DATABASE_URL: z
34
32
  .string()
35
33
  .trim()
36
- .min(1, "DATABASE_URL is required")
37
- .url("DATABASE_URL must be a valid URL"),
38
- JWT_SECRET: z
39
- .string()
40
- .trim()
41
- .min(16, "JWT_SECRET must be at least 16 characters"),
42
- JWT_ACCESS_EXPIRES_IN: durationSchema.default("15m"),
43
- JWT_REFRESH_EXPIRES_IN: durationSchema.default("7d"),
44
- JWT_ISSUER: z.string().trim().min(1).default("foundation-starter"),
45
- JWT_AUDIENCE: z.string().trim().min(1).default("foundation-api"),
34
+ .min(1, 'DATABASE_URL is required')
35
+ .url('DATABASE_URL must be a valid URL'),
36
+ JWT_SECRET: z.string().trim().min(32, 'JWT_SECRET must be at least 32 characters'),
37
+ JWT_ACCESS_EXPIRES_IN: durationSchema.default('15m'),
38
+ JWT_REFRESH_EXPIRES_IN: durationSchema.default('7d'),
39
+ JWT_ISSUER: z.string().trim().min(1).default('foundation-starter'),
40
+ JWT_AUDIENCE: z.string().trim().min(1).default('foundation-api'),
46
41
  AUTH_EMAIL_PASSWORD_ENABLED: booleanFromEnv.default(true),
47
42
  AUTH_GOOGLE_ENABLED: booleanFromEnv.default(false),
48
- AUTH_GOOGLE_CLIENT_ID: z.string().trim().optional().default(""),
49
- AUTH_GOOGLE_CLIENT_SECRET: z.string().trim().optional().default(""),
43
+ AUTH_GOOGLE_CLIENT_ID: z.string().trim().optional().default(''),
44
+ AUTH_GOOGLE_CLIENT_SECRET: z.string().trim().optional().default(''),
50
45
  AUTH_GOOGLE_CALLBACK_URL: z
51
46
  .string()
52
47
  .trim()
53
48
  .url()
54
- .default("http://localhost:3000/auth/google/callback"),
49
+ .default('http://localhost:3000/auth/google/callback'),
55
50
  AUTH_GOOGLE_SUCCESS_REDIRECT_URL: z
56
51
  .string()
57
52
  .trim()
58
53
  .url()
59
- .default("http://localhost:3000/auth/google/success"),
54
+ .default('http://localhost:3000/auth/google/success'),
60
55
  AUTH_GOOGLE_ERROR_REDIRECT_URL: z
61
56
  .string()
62
57
  .trim()
63
58
  .url()
64
- .default("http://localhost:3000/auth/google/error"),
65
- SESSION_SECRET: z.string().trim().optional().default(""),
59
+ .default('http://localhost:3000/auth/google/error'),
60
+ SESSION_SECRET: z.string().trim().optional().default(''),
66
61
  AUTH_FACEBOOK_ENABLED: booleanFromEnv.default(false),
67
62
  AUTH_MOBILE_OTP_ENABLED: booleanFromEnv.default(false),
68
63
  AUTH_MAGIC_LINK_ENABLED: booleanFromEnv.default(false),
69
64
  RBAC_CACHE_TTL_SECONDS: z.coerce.number().int().positive().default(60),
70
- ORG_CONTEXT_MODE: z.literal("path").default("path"),
65
+ ORG_CONTEXT_MODE: z.literal('path').default('path'),
71
66
  })
72
67
  .superRefine((env, ctx) => {
73
68
  if (!env.AUTH_GOOGLE_ENABLED) {
@@ -76,30 +71,41 @@ export const envSchema = z
76
71
 
77
72
  if (!env.AUTH_GOOGLE_CLIENT_ID) {
78
73
  ctx.addIssue({
79
- code: "custom",
80
- path: ["AUTH_GOOGLE_CLIENT_ID"],
81
- message:
82
- "AUTH_GOOGLE_CLIENT_ID is required when AUTH_GOOGLE_ENABLED=true",
74
+ code: 'custom',
75
+ path: ['AUTH_GOOGLE_CLIENT_ID'],
76
+ message: 'AUTH_GOOGLE_CLIENT_ID is required when AUTH_GOOGLE_ENABLED=true',
83
77
  });
84
78
  }
85
79
 
86
80
  if (!env.AUTH_GOOGLE_CLIENT_SECRET) {
87
81
  ctx.addIssue({
88
- code: "custom",
89
- path: ["AUTH_GOOGLE_CLIENT_SECRET"],
90
- message:
91
- "AUTH_GOOGLE_CLIENT_SECRET is required when AUTH_GOOGLE_ENABLED=true",
82
+ code: 'custom',
83
+ path: ['AUTH_GOOGLE_CLIENT_SECRET'],
84
+ message: 'AUTH_GOOGLE_CLIENT_SECRET is required when AUTH_GOOGLE_ENABLED=true',
92
85
  });
93
86
  }
94
87
 
95
88
  if (env.SESSION_SECRET.length < 32) {
96
89
  ctx.addIssue({
97
- code: "custom",
98
- path: ["SESSION_SECRET"],
99
- message:
100
- "SESSION_SECRET must be at least 32 characters when AUTH_GOOGLE_ENABLED=true",
90
+ code: 'custom',
91
+ path: ['SESSION_SECRET'],
92
+ message: 'SESSION_SECRET must be at least 32 characters when AUTH_GOOGLE_ENABLED=true',
101
93
  });
102
94
  }
95
+
96
+ if (env.NODE_ENV === 'production') {
97
+ requireHttpsInProduction(ctx, 'AUTH_GOOGLE_CALLBACK_URL', env.AUTH_GOOGLE_CALLBACK_URL);
98
+ requireHttpsInProduction(
99
+ ctx,
100
+ 'AUTH_GOOGLE_SUCCESS_REDIRECT_URL',
101
+ env.AUTH_GOOGLE_SUCCESS_REDIRECT_URL,
102
+ );
103
+ requireHttpsInProduction(
104
+ ctx,
105
+ 'AUTH_GOOGLE_ERROR_REDIRECT_URL',
106
+ env.AUTH_GOOGLE_ERROR_REDIRECT_URL,
107
+ );
108
+ }
103
109
  });
104
110
 
105
111
  export type Env = z.infer<typeof envSchema>;
@@ -114,8 +120,8 @@ function parseEnv(config: Record<string, unknown>): Env {
114
120
  }
115
121
 
116
122
  const details = parsed.error.issues
117
- .map((issue) => `- ${issue.path.join(".") || "env"}: ${issue.message}`)
118
- .join("\n");
123
+ .map((issue) => `- ${issue.path.join('.') || 'env'}: ${issue.message}`)
124
+ .join('\n');
119
125
 
120
126
  throw new Error(`Environment validation failed:\n${details}`);
121
127
  }
@@ -129,3 +135,15 @@ export function getEnv(): Env {
129
135
  validatedEnv ??= parseEnv(process.env);
130
136
  return validatedEnv;
131
137
  }
138
+
139
+ function requireHttpsInProduction(ctx: z.RefinementCtx, key: string, value: string) {
140
+ if (new URL(value).protocol === 'https:') {
141
+ return;
142
+ }
143
+
144
+ ctx.addIssue({
145
+ code: 'custom',
146
+ path: [key],
147
+ message: `${key} must use https when Google OAuth is enabled in production.`,
148
+ });
149
+ }
@@ -1,5 +1,5 @@
1
- export { default as appConfig } from "./app.config";
2
- export { default as authConfig } from "./auth.config";
3
- export { default as databaseConfig } from "./database.config";
4
- export { default as rbacConfig } from "./rbac.config";
5
- export { validate } from "./env.validation";
1
+ export { default as appConfig } from './app.config';
2
+ export { default as authConfig } from './auth.config';
3
+ export { default as databaseConfig } from './database.config';
4
+ export { default as rbacConfig } from './rbac.config';
5
+ export { validate } from './env.validation';
@@ -1,6 +1,6 @@
1
- import { registerAs } from "@nestjs/config";
2
- import { getEnv } from "./env.validation";
1
+ import { registerAs } from '@nestjs/config';
2
+ import { getEnv } from './env.validation';
3
3
 
4
- export default registerAs("rbac", () => ({
4
+ export default registerAs('rbac', () => ({
5
5
  cacheTtlSeconds: getEnv().RBAC_CACHE_TTL_SECONDS,
6
6
  }));