@insureco/cli 0.1.10 → 0.1.12

package/dist/templates/nextjs-oauth/README.md

@@ -0,0 +1,115 @@
+# {{name}}
+
+{{description}}
+
+## Quickstart
+
+```bash
+# 1. Create an OAuth app (one-time setup)
+iec oauth create "{{name}}" "http://localhost:3000/api/auth/callback"
+#    Save the CLIENT_ID and CLIENT_SECRET — the secret is shown only once
+
+# 2. Configure environment
+cp .env.example .env
+#    Paste OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET into .env
+#    Generate a JWT_SECRET:
+node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+
+# 3. Run locally
+npm install
+npm run dev
+#    Open http://localhost:3000 → Sign In → you'll be redirected to Bio-id
+```
+
+## Deploy to Tawa Platform
+
+```bash
+# Add the sandbox redirect URI to your OAuth app
+iec oauth add-uri <CLIENT_ID> "https://{{name}}.sandbox.tawa.insureco.io/api/auth/callback"
+
+# Register service and deploy
+iec register
+iec deploy
+```
+
+Set the environment variables in your Helm values (`helm/{{name}}/values.yaml`) or via the builder's env config.
+
+## How Authentication Works
+
+This app uses **Bio-id OAuth2 with PKCE**:
+
+1. User clicks **Sign In** → redirected to Bio-id
+2. Bio-id authenticates the user and redirects back with an authorization code
+3. `/api/auth/callback` exchanges the code for tokens, fetches user info from Bio-id
+4. A **session JWT** is created (signed with your `JWT_SECRET`) and stored as an httpOnly cookie
+5. Middleware and server components verify the session JWT on protected routes
+
+The app never stores Bio-id's access token in cookies. Instead, it creates its own session after validating the user through Bio-id's userinfo endpoint.
+
+### Auth Endpoints
+
+| Route | Method | Description |
+|-------|--------|-------------|
+| `/api/auth/login` | GET | Starts OAuth flow (redirects to Bio-id) |
+| `/api/auth/callback` | GET | Handles redirect, creates session |
+| `/api/auth/logout` | GET/POST | Clears session cookies |
+| `/api/auth/session` | GET | Returns current user as JSON (with auto-refresh) |
+
+### Protecting Routes
+
+**Middleware** (`src/middleware.ts`) guards `/dashboard` — add more paths to `PROTECTED_PATHS`.
+
+**Server components** use `getCurrentUser()`:
+
+```tsx
+import { getCurrentUser } from '@/lib/auth'
+
+export default async function ProtectedPage() {
+  const user = await getCurrentUser()
+  if (!user) redirect('/api/auth/login')
+  return <p>Hello {user.name}</p>
+}
+```
+
+## Environment Variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `BIO_ID_URL` | Yes | Bio-id server URL (`https://bio.tawa.insureco.io`) |
+| `APP_URL` | Yes | Your app's URL (`http://localhost:3000` for dev) |
+| `OAUTH_CLIENT_ID` | Yes | From `iec oauth create` |
+| `OAUTH_CLIENT_SECRET` | Yes | From `iec oauth create` (shown once) |
+| `JWT_SECRET` | Yes | Random 32+ byte hex string for signing session JWTs |
+| `NEXT_PUBLIC_APP_NAME` | No | Display name in browser tab |
+
+## Project Structure
+
+```
+{{name}}/
+├── src/
+│   ├── lib/
+│   │   └── auth.ts              # OAuth2 + session management
+│   ├── middleware.ts             # Route protection
+│   └── app/
+│       ├── page.tsx              # Home page (sign in button)
+│       ├── dashboard/page.tsx    # Protected page
+│       └── api/
+│           ├── health/route.ts   # Health check (Kubernetes)
+│           ├── example/route.ts  # Example API route
+│           └── auth/
+│               ├── login/route.ts
+│               ├── callback/route.ts
+│               ├── logout/route.ts
+│               └── session/route.ts
+├── helm/{{name}}/               # Kubernetes Helm chart
+├── Dockerfile
+└── catalog-info.yaml            # Backstage service catalog
+```
+
+## Development
+
+```bash
+npm run dev      # Start dev server at http://localhost:3000
+npm run build    # Production build
+npm start        # Start production server
+```

package/dist/templates/nextjs-oauth/catalog-info.yaml

@@ -0,0 +1,17 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: {{name}}
+  description: {{description}}
+  tags:
+    - tawa
+    - frontend
+    - nextjs
+  annotations:
+    insureco.io/framework: nextjs
+    insureco.io/language: typescript
+    insureco.io/auth: bio-id
+spec:
+  type: service
+  lifecycle: experimental
+  owner: team-platform

package/dist/templates/nextjs-oauth/helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: {{name}}
+description: Next.js app with Bio-id OAuth2 authentication
+type: application
+version: 0.1.0
+appVersion: "1.0.0"

package/dist/templates/nextjs-oauth/helm/templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "app.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "app.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "app.labels" -}}
+helm.sh/chart: {{ include "app.chart" . }}
+{{ include "app.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "app.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "app.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

package/dist/templates/nextjs-oauth/helm/templates/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "app.fullname" . }}-config
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+data:
+  {{- range $key, $value := .Values.env }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}

package/dist/templates/nextjs-oauth/helm/templates/deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "app.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "app.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: {{ include "app.fullname" . }}-config
+            {{- if .Values.secretRef }}
+            - secretRef:
+                name: {{ .Values.secretRef }}
+                optional: true
+            {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

package/dist/templates/nextjs-oauth/helm/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "app.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

package/dist/templates/nextjs-oauth/helm/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "app.selectorLabels" . | nindent 4 }}

package/dist/templates/nextjs-oauth/helm/values.yaml

@@ -0,0 +1,69 @@
+replicaCount: 1
+
+image:
+  repository: registry.digitalocean.com/insureco/{{name}}
+  pullPolicy: IfNotPresent
+  tag: "latest"
+
+imagePullSecrets:
+  - name: insureco
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  port: 3000
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+  hosts:
+    - host: {{name}}.sandbox.tawa.insureco.io
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+
+autoscaling:
+  enabled: false
+
+env:
+  NODE_ENV: production
+  PORT: "3000"
+  HOSTNAME: "0.0.0.0"
+  BIO_ID_URL: "https://bio.tawa.insureco.io"
+
+# K8s Secret containing OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, JWT_SECRET
+# Create with: kubectl create secret generic {{name}}-secrets --from-env-file=.env -n <namespace>
+secretRef: {{name}}-secrets
+
+livenessProbe:
+  httpGet:
+    path: /api/health
+    port: http
+  initialDelaySeconds: 15
+  periodSeconds: 10
+  failureThreshold: 3
+
+readinessProbe:
+  httpGet:
+    path: /api/health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

package/dist/templates/nextjs-oauth/helm/{{name}}/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: {{name}}
+description: Helm chart for {{name}} (Next.js)
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+maintainers:
+  - name: team-platform
+    email: platform@insureco.io

package/dist/templates/nextjs-oauth/helm/{{name}}/templates/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    app: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: {{ .Release.Name }}-config
+                optional: true
+            - secretRef:
+                name: {{ .Release.Name }}-secrets
+                optional: true
+          {{- with .Values.env }}
+          env:
+            {{- range $key, $value := . }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

package/dist/templates/nextjs-oauth/helm/{{name}}/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    app: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ .Release.Name }}

package/dist/templates/nextjs-oauth/helm/{{name}}/values.yaml

@@ -0,0 +1,51 @@
+replicaCount: 1
+
+image:
+  repository: registry.digitalocean.com/insureco/{{name}}
+  tag: latest
+  pullPolicy: IfNotPresent
+
+imagePullSecrets:
+  - name: do-registry
+
+service:
+  type: ClusterIP
+  port: 3000
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 5
+  targetCPUUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+env: {}
+
+secrets: {}
+
+livenessProbe:
+  httpGet:
+    path: /api/health
+    port: 3000
+  initialDelaySeconds: 15
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /api/health
+    port: 3000
+  initialDelaySeconds: 5
+  periodSeconds: 5

package/dist/templates/nextjs-oauth/next.config.js

@@ -0,0 +1,23 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  output: 'standalone',
+  reactStrictMode: true,
+  poweredByHeader: false,
+
+  // Enable experimental features as needed
+  // experimental: {
+  //   serverActions: true,
+  // },
+
+  // Configure allowed image domains
+  // images: {
+  //   remotePatterns: [
+  //     {
+  //       protocol: 'https',
+  //       hostname: '*.insureco.io',
+  //     },
+  //   ],
+  // },
+}
+
+module.exports = nextConfig

package/dist/templates/nextjs-oauth/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "{{name}}",
+  "version": "0.1.0",
+  "description": "{{description}}",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "next": "^14.2.0",
+    "react": "^18.3.0",
+    "react-dom": "^18.3.0",
+    "jose": "^5.9.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@types/react": "^18.3.0",
+    "@types/react-dom": "^18.3.0",
+    "eslint": "^8.0.0",
+    "eslint-config-next": "^14.2.0",
+    "typescript": "^5.7.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}

package/dist/templates/nextjs-oauth/src/app/api/auth/callback/route.ts

@@ -0,0 +1,77 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { cookies } from 'next/headers'
+import {
+  exchangeCodeForTokens,
+  fetchUserInfo,
+  createSessionToken,
+  setSessionCookies,
+  sanitizeReturnTo,
+  getAppUrl,
+} from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  const searchParams = request.nextUrl.searchParams
+  const code = searchParams.get('code')
+  const state = searchParams.get('state')
+  const error = searchParams.get('error')
+  const errorDescription = searchParams.get('error_description')
+
+  const cookieStore = await cookies()
+  const storedState = cookieStore.get('oauth_state')?.value
+  const codeVerifier = cookieStore.get('oauth_code_verifier')?.value
+  const returnTo = cookieStore.get('oauth_return_to')?.value || '/dashboard'
+
+  // Clear OAuth flow cookies
+  cookieStore.delete('oauth_state')
+  cookieStore.delete('oauth_code_verifier')
+  cookieStore.delete('oauth_return_to')
+
+  // Handle error from authorization server
+  if (error) {
+    const errorUrl = new URL('/', getAppUrl())
+    errorUrl.searchParams.set('error', error)
+    if (errorDescription) {
+      errorUrl.searchParams.set('error_description', errorDescription)
+    }
+    return NextResponse.redirect(errorUrl)
+  }
+
+  // Validate state to prevent CSRF
+  if (!state || state !== storedState) {
+    const errorUrl = new URL('/', getAppUrl())
+    errorUrl.searchParams.set('error', 'invalid_state')
+    errorUrl.searchParams.set('error_description', 'State parameter mismatch')
+    return NextResponse.redirect(errorUrl)
+  }
+
+  // Validate required params
+  if (!code || !codeVerifier) {
+    const errorUrl = new URL('/', getAppUrl())
+    errorUrl.searchParams.set('error', 'invalid_request')
+    errorUrl.searchParams.set('error_description', 'Missing authorization code')
+    return NextResponse.redirect(errorUrl)
+  }
+
+  try {
+    // Exchange code for bio-id tokens
+    const tokens = await exchangeCodeForTokens(code, codeVerifier)
+
+    // Fetch user info from bio-id using the access token
+    const user = await fetchUserInfo(tokens.access_token)
+
+    // Create our own session JWT and store it (not bio-id's access token)
+    const sessionToken = await createSessionToken(user)
+    await setSessionCookies(sessionToken, tokens.refresh_token)
+
+    const safeReturnTo = sanitizeReturnTo(returnTo)
+    return NextResponse.redirect(new URL(safeReturnTo, getAppUrl()))
+  } catch (err) {
+    const errorUrl = new URL('/', getAppUrl())
+    errorUrl.searchParams.set('error', 'token_exchange_failed')
+    errorUrl.searchParams.set(
+      'error_description',
+      err instanceof Error ? err.message : 'Failed to exchange authorization code'
+    )
+    return NextResponse.redirect(errorUrl)
+  }
+}

package/dist/templates/nextjs-oauth/src/app/api/auth/login/route.ts

@@ -0,0 +1,16 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getLoginUrl } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  const returnTo = request.nextUrl.searchParams.get('returnTo') || '/dashboard'
+
+  try {
+    const loginUrl = await getLoginUrl(returnTo)
+    return NextResponse.redirect(loginUrl)
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Login failed'
+    return NextResponse.redirect(
+      new URL(`/?error=${encodeURIComponent(message)}`, request.url)
+    )
+  }
+}