@idevconn/create-icore 0.1.0

package/templates/apps/api/src/app/storage/storage.controller.ts

@@ -0,0 +1,108 @@
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  PayloadTooLargeException,
+  Post,
+  Query,
+  Req,
+  UploadedFile,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { FileInterceptor } from '@nestjs/platform-express';
+import {
+  ApiBearerAuth,
+  ApiBody,
+  ApiConsumes,
+  ApiOperation,
+  ApiQuery,
+  ApiTags,
+} from '@nestjs/swagger';
+import { UploadClientService } from '@icore/upload-client';
+import type { StorageRef, VerifiedToken } from '@icore/shared';
+import type { Request } from 'express';
+import { assertOwnership } from './assert-ownership';
+
+interface AuthedReq extends Request {
+  user?: VerifiedToken;
+}
+
+const DEFAULT_MAX_KB = 5120;
+
+@ApiTags('storage')
+@ApiBearerAuth()
+@Controller('storage')
+export class StorageController {
+  constructor(
+    private readonly uploadClient: UploadClientService,
+    private readonly cfg: ConfigService,
+  ) {}
+
+  @Post('upload')
+  @UseInterceptors(FileInterceptor('file'))
+  @ApiOperation({ summary: 'Upload a file and return its StorageRef' })
+  @ApiConsumes('multipart/form-data')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: { file: { type: 'string', format: 'binary' } },
+      required: ['file'],
+    },
+  })
+  async upload(
+    @UploadedFile() file: Express.Multer.File | undefined,
+    @Req() req: AuthedReq,
+  ): Promise<StorageRef> {
+    if (!file) throw new BadRequestException('missing_file');
+    const maxKb = Number(this.cfg.get<string>('MAX_FILE_SIZE_KB') ?? DEFAULT_MAX_KB);
+    if (file.size > maxKb * 1024) {
+      throw new PayloadTooLargeException(`file exceeds ${maxKb} KB`);
+    }
+    return this.uploadClient.upload(req.user!.uid, {
+      buffer: file.buffer,
+      filename: file.originalname,
+      mimeType: file.mimetype,
+    });
+  }
+
+  @Get('signed-url')
+  @ApiOperation({ summary: 'Sign a StorageRef for short-lived download' })
+  @ApiQuery({ name: 'bucket', type: String })
+  @ApiQuery({ name: 'path', type: String })
+  @ApiQuery({ name: 'ttlSec', type: Number, required: false })
+  signedUrl(
+    @Query('bucket') bucket: string,
+    @Query('path') path: string,
+    @Query('ttlSec') ttlSec: string | undefined,
+    @Req() req: AuthedReq,
+  ): Promise<string> {
+    const ref: StorageRef = { bucket, path };
+    assertOwnership(ref, req.user!.uid);
+    return this.uploadClient.signedUrl(req.user!.uid, ref, ttlSec ? Number(ttlSec) : undefined);
+  }
+
+  @Delete('remove')
+  @ApiOperation({ summary: 'Delete a file the caller owns' })
+  @ApiBody({
+    schema: {
+      type: 'object',
+      required: ['bucket', 'path'],
+      properties: { bucket: { type: 'string' }, path: { type: 'string' } },
+    },
+  })
+  remove(@Body() body: { bucket: string; path: string }, @Req() req: AuthedReq): Promise<void> {
+    const ref: StorageRef = { bucket: body.bucket, path: body.path };
+    assertOwnership(ref, req.user!.uid);
+    return this.uploadClient.remove(req.user!.uid, ref);
+  }
+
+  @Get('list')
+  @ApiOperation({ summary: "List the caller's stored files" })
+  @ApiQuery({ name: 'prefix', type: String, required: false })
+  list(@Query('prefix') prefix: string | undefined, @Req() req: AuthedReq): Promise<StorageRef[]> {
+    return this.uploadClient.list(req.user!.uid, prefix);
+  }
+}

package/templates/apps/api/src/app/storage/storage.module.ts

@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+import { UploadClientModule } from '@icore/upload-client';
+import { StorageController } from './storage.controller';
+
+@Module({
+  imports: [UploadClientModule.forRoot()],
+  controllers: [StorageController],
+  exports: [UploadClientModule],
+})
+export class StorageModule {}

package/templates/apps/api/src/main.ts

@@ -0,0 +1,43 @@
+import { Logger } from '@nestjs/common';
+import { NestFactory } from '@nestjs/core';
+import { NestExpressApplication } from '@nestjs/platform-express';
+import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
+import { AppModule } from './app/app.module';
+import pkg from '@icore/package.json';
+
+const DEFAULT_PORT = 3001;
+
+async function bootstrap() {
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
+  app.setGlobalPrefix('api');
+
+  const swaggerConfig = new DocumentBuilder()
+    .setTitle('iCore API')
+    .setDescription('iCore Gateway HTTP surface')
+    .setVersion(pkg.version)
+    .addBearerAuth()
+    .build();
+  const document = SwaggerModule.createDocument(app, swaggerConfig);
+  SwaggerModule.setup('api/docs', app, document);
+
+  const port = Number(process.env.API_PORT ?? DEFAULT_PORT);
+  await app.listen(port);
+}
+
+bootstrap()
+  .then(() => {
+    const logger = new Logger('API-Bootstrap');
+    logger.log(
+      `API Bootstrap completed successfully: ${process.env.API_ORIGIN ?? 'http://localhost'}:${process.env.API_PORT ?? DEFAULT_PORT}/api`,
+    );
+    logger.log(
+      `Swagger UI: ${process.env.API_ORIGIN ?? 'http://localhost'}:${process.env.API_PORT ?? DEFAULT_PORT}/api/docs`,
+    );
+  })
+  .catch((err) => {
+    new Logger('API-Bootstrap').error(
+      'Gateway bootstrap failed',
+      err instanceof Error ? err.stack : err,
+    );
+    process.exit(1);
+  });

package/templates/apps/api/tsconfig.app.json

@@ -0,0 +1,13 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../../dist/out-tsc",
+    "module": "node16",
+    "moduleResolution": "node16",
+    "types": ["node", "multer"],
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "target": "es2021"
+  },
+  "include": ["src/**/*.ts"]
+}

package/templates/apps/api/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "files": [],
+  "include": [],
+  "references": [
+    {
+      "path": "./tsconfig.app.json"
+    },
+    {
+      "path": "./tsconfig.spec.json"
+    }
+  ],
+  "compilerOptions": {
+    "esModuleInterop": true
+  }
+}

package/templates/apps/api/tsconfig.spec.json

@@ -0,0 +1,16 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../../dist/out-tsc",
+    "types": ["vitest/globals", "vitest/importMeta", "vite/client", "node", "vitest"]
+  },
+  "include": [
+    "vitest.config.ts",
+    "vitest.config.mts",
+    "src/**/*.test.ts",
+    "src/**/*.spec.ts",
+    "src/**/*.test.tsx",
+    "src/**/*.spec.tsx",
+    "src/**/*.d.ts"
+  ]
+}

package/templates/apps/api/vitest.config.mts

@@ -0,0 +1,21 @@
+import { defineConfig } from 'vitest/config';
+import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
+import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
+
+export default defineConfig(() => ({
+  root: __dirname,
+  cacheDir: '../../node_modules/.vite/apps/api',
+  plugins: [nxViteTsPaths(), nxCopyAssetsPlugin(['*.md'])],
+  test: {
+    name: 'api',
+    watch: false,
+    globals: true,
+    environment: 'node',
+    include: ['src/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
+    reporters: ['default'],
+    coverage: {
+      reportsDirectory: '../../coverage/apps/api',
+      provider: 'v8' as const,
+    },
+  },
+}));

package/templates/apps/api/webpack.config.js

@@ -0,0 +1,25 @@
+const { NxAppWebpackPlugin } = require('@nx/webpack/app-plugin');
+const { join } = require('path');
+
+module.exports = {
+  output: {
+    path: join(__dirname, '../../dist/apps/api'),
+    clean: true,
+    ...(process.env.NODE_ENV !== 'production' && {
+      devtoolModuleFilenameTemplate: '[absolute-resource-path]',
+    }),
+  },
+  plugins: [
+    new NxAppWebpackPlugin({
+      target: 'node',
+      compiler: 'tsc',
+      main: './src/main.ts',
+      tsConfig: './tsconfig.app.json',
+      assets: ['./src/assets'],
+      optimization: false,
+      outputHashing: 'none',
+      generatePackageJson: true,
+      sourceMap: true,
+    }),
+  ],
+};

package/templates/apps/microservices/auth/.env.example

@@ -0,0 +1,38 @@
+# Transport (gateway ↔ this MS) — TCP by default; flip to redis or nats in prod
+AUTH_TRANSPORT=tcp
+AUTH_HOST=127.0.0.1
+AUTH_PORT=4001
+# AUTH_REDIS_URL=redis://localhost:6379
+# AUTH_NATS_URL=nats://localhost:4222
+
+# Which concrete AuthStrategy to instantiate
+AUTH_PROVIDER=supabase
+# AUTH_PROVIDER=firebase
+
+# Comma-separated emails granted admin role on signup. Case-insensitive.
+# Empty / unset = everyone gets 'user'. Existing roles are never overwritten.
+ADMINS_LIST=
+
+# --- Supabase credentials (when AUTH_PROVIDER=supabase) ---
+SUPABASE_URL=https://<your-project-ref>.supabase.co
+SUPABASE_SERVICE_ROLE_KEY=eyJ...
+
+# --- Firebase credentials (when AUTH_PROVIDER=firebase) ---
+# Get these from Firebase console → Project Settings → Service accounts →
+# Generate new private key. Paste each field below. The private key must
+# preserve its \n newline escapes — quote it with single quotes.
+FB_ADMIN_TYPE=service_account
+FB_ADMIN_PROJECT_ID=<your-project-id>
+FB_ADMIN_PRIVATE_KEY_ID=<id>
+FB_ADMIN_PRIVATE_KEY='-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n'
+FB_ADMIN_CLIENT_EMAIL=firebase-adminsdk-<hash>@<project-id>.iam.gserviceaccount.com
+FB_ADMIN_CLIENT_ID=<id>
+FB_ADMIN_AUTH_URI=https://accounts.google.com/o/oauth2/auth
+FB_ADMIN_TOKEN_URI=https://oauth2.googleapis.com/token
+FB_ADMIN_AUTH_PROVIDER_X509_CERT_URL=https://www.googleapis.com/oauth2/v1/certs
+FB_ADMIN_CLIENT_X509_CERT_URL=https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-<hash>%40<project-id>.iam.gserviceaccount.com
+FB_ADMIN_UNIVERSE_DOMAIN=googleapis.com
+
+# Firebase Web API key (Project Settings → General → Your apps → SDK config → apiKey).
+# Required for Identity Toolkit REST calls (signUp / signIn / refresh).
+FIREBASE_WEB_API_KEY=<your-web-api-key>

package/templates/apps/microservices/auth/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "auth",
+  "version": "0.0.1",
+  "private": true,
+  "dependencies": {
+    "@icore/auth-firebase": "*",
+    "@icore/auth-supabase": "*",
+    "@icore/shared": "*",
+    "firebase-admin": "^13.0.0",
+    "@nestjs/common": "^11.1.24",
+    "@nestjs/config": "^4.0.4",
+    "@nestjs/core": "^11.1.24",
+    "@nestjs/microservices": "^11.1.24",
+    "@supabase/supabase-js": "^2.106.2",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.2",
+    "tslib": "^2.8.1"
+  }
+}

package/templates/apps/microservices/auth/project.json

@@ -0,0 +1,65 @@
+{
+  "name": "auth",
+  "$schema": "../../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "apps/microservices/auth/src",
+  "projectType": "application",
+  "targets": {
+    "build": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "webpack-cli build",
+        "args": ["--node-env=production"],
+        "cwd": "apps/microservices/auth"
+      },
+      "configurations": {
+        "development": {
+          "args": ["--node-env=development"]
+        }
+      }
+    },
+    "prune-lockfile": {
+      "dependsOn": ["build"],
+      "cache": true,
+      "executor": "@nx/js:prune-lockfile",
+      "outputs": [
+        "{workspaceRoot}/dist/apps/microservices/auth/package.json",
+        "{workspaceRoot}/dist/apps/microservices/auth/yarn.lock"
+      ],
+      "options": {
+        "buildTarget": "build"
+      }
+    },
+    "copy-workspace-modules": {
+      "dependsOn": ["build"],
+      "cache": true,
+      "outputs": ["{workspaceRoot}/dist/apps/microservices/auth/workspace_modules"],
+      "executor": "@nx/js:copy-workspace-modules",
+      "options": {
+        "buildTarget": "build"
+      }
+    },
+    "prune": {
+      "dependsOn": ["prune-lockfile", "copy-workspace-modules"],
+      "executor": "nx:noop"
+    },
+    "serve": {
+      "continuous": true,
+      "executor": "@nx/js:node",
+      "defaultConfiguration": "development",
+      "dependsOn": ["build"],
+      "options": {
+        "buildTarget": "auth:build",
+        "runBuildTargetDependencies": false
+      },
+      "configurations": {
+        "development": {
+          "buildTarget": "auth:build:development"
+        },
+        "production": {
+          "buildTarget": "auth:build:production"
+        }
+      }
+    }
+  },
+  "tags": []
+}

package/templates/apps/microservices/auth/src/app/__tests__/auth.controller.firebase.integration.unit.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it } from 'vitest';
+import { ConfigService } from '@nestjs/config';
+import {
+  FirebaseAuthStrategy,
+  createMockIdentityToolkit,
+  createMockAdminAuth,
+} from '@icore/auth-firebase';
+import { AuthController } from '../auth.controller';
+
+function makeConfig(env: Record<string, string | undefined>): ConfigService {
+  return { get: (key: string) => env[key] } as unknown as ConfigService;
+}
+
+describe('AuthController × FirebaseAuthStrategy × ADMINS_LIST', () => {
+  const fixture = (env: Record<string, string | undefined> = {}) => {
+    const toolkit = createMockIdentityToolkit();
+    const adminAuth = createMockAdminAuth({ identityToolkit: toolkit });
+    const strategy = new FirebaseAuthStrategy({ identityToolkit: toolkit.client, adminAuth });
+    return { strategy, controller: new AuthController(strategy, makeConfig(env)) };
+  };
+
+  it('signup auto-assigns admin role when email is in ADMINS_LIST', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com, owner@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+
+  it('signup auto-assigns user role for non-admin email', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'normal@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('signup auto-assigns user role when ADMINS_LIST is unset', async () => {
+    const { strategy, controller } = fixture({});
+    const session = await controller.signup({ email: 'a@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('does not overwrite an existing role on later setRole calls', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+    await controller.setRole({ uid: session.user.id, role: 'user' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('ADMINS_LIST is case-insensitive on email match', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'BOSS@x.COM' });
+    const session = await controller.signup({ email: 'boss@X.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+});

package/templates/apps/microservices/auth/src/app/__tests__/auth.controller.supabase.integration.unit.test.ts

@@ -0,0 +1,47 @@
+import { describe, expect, it } from 'vitest';
+import { ConfigService } from '@nestjs/config';
+import { SupabaseAuthStrategy, createMockSupabaseClient } from '@icore/auth-supabase';
+import { AuthController } from '../auth.controller';
+
+function makeConfig(env: Record<string, string | undefined>): ConfigService {
+  return { get: (key: string) => env[key] } as unknown as ConfigService;
+}
+
+describe('AuthController × SupabaseAuthStrategy × ADMINS_LIST', () => {
+  const fixture = (env: Record<string, string | undefined> = {}) => {
+    const strategy = new SupabaseAuthStrategy({ client: createMockSupabaseClient() });
+    return { strategy, controller: new AuthController(strategy, makeConfig(env)) };
+  };
+
+  it('signup auto-assigns admin role when email is in ADMINS_LIST', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com, owner@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+
+  it('signup auto-assigns user role for non-admin email', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'normal@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('signup auto-assigns user role when ADMINS_LIST is unset', async () => {
+    const { strategy, controller } = fixture({});
+    const session = await controller.signup({ email: 'a@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('does not overwrite an existing role on later setRole calls', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+    await controller.setRole({ uid: session.user.id, role: 'user' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('ADMINS_LIST is case-insensitive on email match', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'BOSS@x.COM' });
+    const session = await controller.signup({ email: 'boss@X.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+});

package/templates/apps/microservices/auth/src/app/__tests__/auth.controller.unit.test.ts

@@ -0,0 +1,87 @@
+import { describe, expect, it } from 'vitest';
+import { ConfigService } from '@nestjs/config';
+import { FakeAuthStrategy } from '@icore/shared';
+import { AuthController } from '../auth.controller';
+
+function makeConfig(env: Record<string, string | undefined>): ConfigService {
+  return {
+    get: (key: string) => env[key],
+  } as unknown as ConfigService;
+}
+
+describe('AuthController', () => {
+  const fixture = (env: Record<string, string | undefined> = {}) => {
+    const strategy = new FakeAuthStrategy();
+    return { strategy, controller: new AuthController(strategy, makeConfig(env)) };
+  };
+
+  it('signup → verify round-trip resolves the new uid', async () => {
+    const { controller } = fixture();
+    const session = await controller.signup({ email: 't@x.com', password: 'pw12345!' });
+    expect(session.accessToken).toBeTruthy();
+    const verified = await controller.verify({ token: session.accessToken });
+    expect(verified.uid).toBe(session.user.id);
+  });
+
+  it('login after signup issues a new session for the same user', async () => {
+    const { controller } = fixture();
+    const signup = await controller.signup({ email: 'l@x.com', password: 'pw12345!' });
+    const login = await controller.login({ email: 'l@x.com', password: 'pw12345!' });
+    expect(login.user.id).toBe(signup.user.id);
+  });
+
+  it('refresh issues a new session and invalidates the used token', async () => {
+    const { controller } = fixture();
+    const first = await controller.signup({ email: 'r@x.com', password: 'pw12345!' });
+    const next = await controller.refresh({ refreshToken: first.refreshToken });
+    expect(next.user.id).toBe(first.user.id);
+    await expect(controller.refresh({ refreshToken: first.refreshToken })).rejects.toThrow();
+  });
+
+  it('setRole writes a role visible on verify after re-login', async () => {
+    const { controller } = fixture();
+    const session = await controller.signup({ email: 's@x.com', password: 'pw12345!' });
+    await controller.setRole({ uid: session.user.id, role: 'admin' });
+    const re = await controller.login({ email: 's@x.com', password: 'pw12345!' });
+    const verified = await controller.verify({ token: re.accessToken });
+    expect(verified.role).toBe('admin');
+  });
+
+  it('signup auto-assigns admin role when email is in ADMINS_LIST', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com, owner@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+
+  it('signup auto-assigns user role when email is NOT in ADMINS_LIST', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'normal@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('signup auto-assigns user role when ADMINS_LIST is unset', async () => {
+    const { strategy, controller } = fixture({});
+    const session = await controller.signup({ email: 'a@x.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+
+  it('ADMINS_LIST is case-insensitive on email match', async () => {
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'BOSS@x.COM' });
+    const session = await controller.signup({ email: 'boss@X.com', password: 'pw12345!' });
+    expect(await strategy.getRole(session.user.id)).toBe('admin');
+  });
+
+  it('does not overwrite an existing role on re-signup attempts', async () => {
+    // The fake throws on duplicate signup, but a manual sequence simulates
+    // the idempotency path: set the role first, then call the private hook
+    // again via setRole-after-signup. We use a separate signup path so the
+    // strategy's state mirrors a returning consumer.
+    const { strategy, controller } = fixture({ ADMINS_LIST: 'boss@x.com' });
+    const session = await controller.signup({ email: 'boss@x.com', password: 'pw12345!' });
+    // Manually demote, then re-invoke setRole(admin) to prove the hook is
+    // not re-run on subsequent calls. The controller's hook only runs
+    // inside signup(), so demoting after the fact must persist.
+    await controller.setRole({ uid: session.user.id, role: 'user' });
+    expect(await strategy.getRole(session.user.id)).toBe('user');
+  });
+});

package/templates/apps/microservices/auth/src/app/app.module.ts

@@ -0,0 +1,66 @@
+import { join } from 'node:path';
+import { Module } from '@nestjs/common';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { createClient } from '@supabase/supabase-js';
+import * as admin from 'firebase-admin';
+import { SupabaseAuthStrategy } from '@icore/auth-supabase';
+import { FirebaseAuthStrategy, HttpIdentityToolkitClient } from '@icore/auth-firebase';
+import type { AuthStrategy } from '@icore/shared';
+import { AuthController } from './auth.controller';
+
+function makeFirebaseStrategy(cfg: ConfigService): AuthStrategy {
+  const projectId = cfg.getOrThrow<string>('FB_ADMIN_PROJECT_ID');
+  if (admin.apps.length === 0) {
+    admin.initializeApp({
+      credential: admin.credential.cert({
+        projectId,
+        clientEmail: cfg.getOrThrow<string>('FB_ADMIN_CLIENT_EMAIL'),
+        privateKey: cfg.getOrThrow<string>('FB_ADMIN_PRIVATE_KEY').replace(/\\n/g, '\n'),
+      }),
+    });
+  }
+  const identityToolkit = new HttpIdentityToolkitClient(
+    cfg.getOrThrow<string>('FIREBASE_WEB_API_KEY'),
+  );
+  return new FirebaseAuthStrategy({
+    identityToolkit,
+    adminAuth: admin.auth(),
+  });
+}
+
+@Module({
+  imports: [
+    ConfigModule.forRoot({
+      isGlobal: true,
+      envFilePath: [
+        join(process.cwd(), 'apps/microservices/auth/.env'),
+        join(process.cwd(), '.env'),
+      ],
+    }),
+  ],
+  controllers: [AuthController],
+  providers: [
+    {
+      provide: 'AuthStrategy',
+      useFactory: (cfg: ConfigService): AuthStrategy => {
+        const provider = cfg.getOrThrow<string>('AUTH_PROVIDER');
+        switch (provider) {
+          case 'supabase': {
+            const client = createClient(
+              cfg.getOrThrow<string>('SUPABASE_URL'),
+              cfg.getOrThrow<string>('SUPABASE_SERVICE_ROLE_KEY'),
+              { auth: { autoRefreshToken: false, persistSession: false } },
+            );
+            return new SupabaseAuthStrategy({ client });
+          }
+          case 'firebase':
+            return makeFirebaseStrategy(cfg);
+          default:
+            throw new Error(`Unsupported AUTH_PROVIDER: ${provider}`);
+        }
+      },
+      inject: [ConfigService],
+    },
+  ],
+})
+export class AppModule {}