@insureco/cli 0.1.10 → 0.1.12

package/dist/templates/nextjs-oauth/src/app/api/auth/logout/route.ts

@@ -0,0 +1,7 @@
+import { NextResponse } from 'next/server'
+import { clearAuthCookies, getAppUrl } from '@/lib/auth'
+
+export async function POST() {
+  await clearAuthCookies()
+  return NextResponse.redirect(new URL('/', getAppUrl()), { status: 303 })
+}

package/dist/templates/nextjs-oauth/src/app/api/auth/session/route.ts

@@ -0,0 +1,42 @@
+import { NextResponse } from 'next/server'
+import { cookies } from 'next/headers'
+import {
+  getCurrentUser,
+  refreshAccessToken,
+  fetchUserInfo,
+  createSessionToken,
+  setSessionCookies,
+  COOKIE_PREFIX,
+} from '@/lib/auth'
+
+const NO_CACHE_HEADERS = { 'Cache-Control': 'no-store, no-cache, must-revalidate' }
+
+export async function GET() {
+  try {
+    const user = await getCurrentUser()
+
+    if (user) {
+      return NextResponse.json({ user }, { headers: NO_CACHE_HEADERS })
+    }
+
+    // Session expired — try refreshing via bio-id refresh token
+    const cookieStore = await cookies()
+    const refreshToken = cookieStore.get(`${COOKIE_PREFIX}_refresh_token`)?.value
+
+    if (refreshToken) {
+      try {
+        const tokens = await refreshAccessToken(refreshToken)
+        const refreshedUser = await fetchUserInfo(tokens.access_token)
+        const sessionToken = await createSessionToken(refreshedUser)
+        await setSessionCookies(sessionToken, tokens.refresh_token)
+        return NextResponse.json({ user: refreshedUser }, { headers: NO_CACHE_HEADERS })
+      } catch {
+        // Refresh token also invalid — user must re-login
+      }
+    }
+
+    return NextResponse.json({ user: null }, { headers: NO_CACHE_HEADERS })
+  } catch {
+    return NextResponse.json({ user: null }, { headers: NO_CACHE_HEADERS })
+  }
+}

package/dist/templates/nextjs-oauth/src/app/api/example/route.ts

@@ -0,0 +1,63 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+// In-memory storage for demo
+const items: Map<string, { id: string; name: string; createdAt: string }> = new Map()
+
+export async function GET() {
+  const itemList = Array.from(items.values())
+  return NextResponse.json({
+    success: true,
+    data: itemList,
+    meta: {
+      total: itemList.length,
+      timestamp: new Date().toISOString(),
+    },
+  })
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+
+    if (!body.name || typeof body.name !== 'string') {
+      return NextResponse.json(
+        {
+          success: false,
+          error: {
+            code: 'VALIDATION_ERROR',
+            message: 'Name is required',
+          },
+        },
+        { status: 400 }
+      )
+    }
+
+    const id = Date.now().toString(36) + Math.random().toString(36).substring(2)
+    const item = {
+      id,
+      name: body.name,
+      createdAt: new Date().toISOString(),
+    }
+
+    items.set(id, item)
+
+    return NextResponse.json(
+      {
+        success: true,
+        data: item,
+      },
+      { status: 201 }
+    )
+  } catch {
+    return NextResponse.json(
+      {
+        success: false,
+        error: {
+          code: 'PARSE_ERROR',
+          message: 'Invalid JSON body',
+        },
+      },
+      { status: 400 }
+    )
+  }
+}

package/dist/templates/nextjs-oauth/src/app/api/health/route.ts

@@ -0,0 +1,10 @@
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  return NextResponse.json({
+    status: 'healthy',
+    service: '{{name}}',
+    timestamp: new Date().toISOString(),
+    environment: process.env.NODE_ENV,
+  })
+}

package/dist/templates/nextjs-oauth/src/app/dashboard/page.tsx

@@ -0,0 +1,92 @@
+import { redirect } from 'next/navigation'
+import { getCurrentUser } from '@/lib/auth'
+
+export default async function DashboardPage() {
+  const user = await getCurrentUser()
+
+  if (!user) {
+    redirect('/api/auth/login?returnTo=/dashboard')
+  }
+
+  return (
+    <main style={{
+      maxWidth: '48rem',
+      margin: '0 auto',
+      padding: '2rem',
+      fontFamily: 'system-ui, -apple-system, sans-serif',
+    }}>
+      <div style={{
+        display: 'flex',
+        justifyContent: 'space-between',
+        alignItems: 'center',
+        marginBottom: '2rem',
+      }}>
+        <h1 style={{ fontSize: '2rem', margin: 0 }}>Dashboard</h1>
+        <form action="/api/auth/logout" method="post">
+          <button
+            type="submit"
+            style={{
+              padding: '0.5rem 1rem',
+              backgroundColor: '#dc2626',
+              color: 'white',
+              borderRadius: '0.375rem',
+              border: 'none',
+              cursor: 'pointer',
+              fontSize: '0.875rem',
+            }}
+          >
+            Logout
+          </button>
+        </form>
+      </div>
+
+      <div style={{
+        backgroundColor: '#f9fafb',
+        border: '1px solid #e5e7eb',
+        borderRadius: '0.5rem',
+        padding: '1.5rem',
+        marginBottom: '1.5rem',
+      }}>
+        <h2 style={{ fontSize: '1.25rem', marginTop: 0, marginBottom: '1rem' }}>
+          Welcome, {user.name}
+        </h2>
+        <dl style={{ margin: 0 }}>
+          <dt style={{ fontWeight: 600, color: '#6b7280', fontSize: '0.875rem' }}>Email</dt>
+          <dd style={{ margin: '0 0 0.75rem 0' }}>{user.email}</dd>
+
+          <dt style={{ fontWeight: 600, color: '#6b7280', fontSize: '0.875rem' }}>User ID</dt>
+          <dd style={{ margin: '0 0 0.75rem 0', fontFamily: 'monospace', fontSize: '0.875rem' }}>{user.id}</dd>
+
+          <dt style={{ fontWeight: 600, color: '#6b7280', fontSize: '0.875rem' }}>Roles</dt>
+          <dd style={{ margin: 0 }}>
+            {user.roles.length > 0 ? (
+              <div style={{ display: 'flex', gap: '0.5rem', flexWrap: 'wrap' }}>
+                {user.roles.map((role) => (
+                  <span
+                    key={role}
+                    style={{
+                      backgroundColor: '#dbeafe',
+                      color: '#1e40af',
+                      padding: '0.125rem 0.5rem',
+                      borderRadius: '9999px',
+                      fontSize: '0.75rem',
+                    }}
+                  >
+                    {role}
+                  </span>
+                ))}
+              </div>
+            ) : (
+              <span style={{ color: '#9ca3af' }}>No roles assigned</span>
+            )}
+          </dd>
+        </dl>
+      </div>
+
+      <p style={{ color: '#6b7280', fontSize: '0.875rem' }}>
+        This page is protected by middleware and server-side auth checks.
+        Edit <code>src/app/dashboard/page.tsx</code> to customize.
+      </p>
+    </main>
+  )
+}

package/dist/templates/nextjs-oauth/src/app/layout.tsx

@@ -0,0 +1,18 @@
+import type { Metadata } from 'next'
+
+export const metadata: Metadata = {
+  title: '{{name}}',
+  description: '{{description}}',
+}
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  )
+}

package/dist/templates/nextjs-oauth/src/app/page.tsx

@@ -0,0 +1,110 @@
+import { getCurrentUser } from '@/lib/auth'
+
+export default async function Home() {
+  const user = await getCurrentUser()
+
+  return (
+    <main style={{
+      display: 'flex',
+      flexDirection: 'column',
+      alignItems: 'center',
+      justifyContent: 'center',
+      minHeight: '100vh',
+      padding: '2rem',
+      fontFamily: 'system-ui, -apple-system, sans-serif',
+    }}>
+      <h1 style={{ fontSize: '3rem', marginBottom: '1rem' }}>
+        {'{{name}}'}
+      </h1>
+      <p style={{ fontSize: '1.25rem', color: '#666', marginBottom: '2rem' }}>
+        {'{{description}}'}
+      </p>
+
+      {user ? (
+        <div style={{ textAlign: 'center', marginBottom: '2rem' }}>
+          <p style={{ marginBottom: '1rem' }}>
+            Signed in as <strong>{user.name}</strong> ({user.email})
+          </p>
+          <div style={{ display: 'flex', gap: '1rem' }}>
+            <a
+              href="/dashboard"
+              style={{
+                padding: '0.75rem 1.5rem',
+                backgroundColor: '#0070f3',
+                color: 'white',
+                borderRadius: '0.5rem',
+                textDecoration: 'none',
+              }}
+            >
+              Dashboard
+            </a>
+            <form action="/api/auth/logout" method="post" style={{ display: 'inline' }}>
+              <button
+                type="submit"
+                style={{
+                  padding: '0.75rem 1.5rem',
+                  backgroundColor: '#dc2626',
+                  color: 'white',
+                  borderRadius: '0.5rem',
+                  border: 'none',
+                  cursor: 'pointer',
+                  fontSize: 'inherit',
+                }}
+              >
+                Logout
+              </button>
+            </form>
+          </div>
+        </div>
+      ) : (
+        <div style={{ display: 'flex', gap: '1rem', marginBottom: '2rem' }}>
+          <a
+            href="/api/auth/login"
+            style={{
+              padding: '0.75rem 1.5rem',
+              backgroundColor: '#0070f3',
+              color: 'white',
+              borderRadius: '0.5rem',
+              textDecoration: 'none',
+            }}
+          >
+            Sign In
+          </a>
+        </div>
+      )}
+
+      <div style={{ display: 'flex', gap: '1rem' }}>
+        <a
+          href="/api/health"
+          style={{
+            padding: '0.5rem 1rem',
+            border: '1px solid #e5e7eb',
+            borderRadius: '0.5rem',
+            textDecoration: 'none',
+            color: '#666',
+            fontSize: '0.875rem',
+          }}
+        >
+          Health Check
+        </a>
+        <a
+          href="/api/example"
+          style={{
+            padding: '0.5rem 1rem',
+            border: '1px solid #e5e7eb',
+            borderRadius: '0.5rem',
+            textDecoration: 'none',
+            color: '#666',
+            fontSize: '0.875rem',
+          }}
+        >
+          Example API
+        </a>
+      </div>
+
+      <footer style={{ marginTop: '4rem', color: '#999' }}>
+        Deployed on Tawa Platform
+      </footer>
+    </main>
+  )
+}

package/dist/templates/nextjs-oauth/src/lib/auth.ts

@@ -0,0 +1,285 @@
+import { cookies } from 'next/headers'
+import { SignJWT, jwtVerify } from 'jose'
+import crypto from 'crypto'
+
+// Configuration — read lazily so `next build` doesn't fail when env vars are
+// absent (they are injected at runtime via ConfigMap / Secret in K8s).
+function getBioIdUrl(): string {
+  return process.env.BIO_ID_URL || 'http://localhost:6100'
+}
+function getAppUrl(): string {
+  return process.env.APP_URL || 'http://localhost:3000'
+}
+function getClientId(): string {
+  const id = process.env.OAUTH_CLIENT_ID
+  if (!id) throw new Error('OAUTH_CLIENT_ID is not configured')
+  return id
+}
+function getClientSecret(): string {
+  const secret = process.env.OAUTH_CLIENT_SECRET
+  if (!secret) throw new Error('OAUTH_CLIENT_SECRET is not configured')
+  return secret
+}
+function getJwtSecret(): Uint8Array {
+  const secret = process.env.JWT_SECRET
+  if (!secret && process.env.NODE_ENV === 'production') {
+    throw new Error('JWT_SECRET environment variable is required in production')
+  }
+  return new TextEncoder().encode(secret || 'dev-only-secret-do-not-use-in-production')
+}
+
+const COOKIE_PREFIX = '{{name}}'
+const SESSION_MAX_AGE = 60 * 60           // 1 hour
+const REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 30 // 30 days
+const OAUTH_FLOW_MAX_AGE = 60 * 10        // 10 minutes
+
+export interface User {
+  id: string
+  email: string
+  name: string
+  roles: string[]
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+export function sanitizeReturnTo(returnTo: string | undefined, fallback = '/dashboard'): string {
+  if (!returnTo || !returnTo.startsWith('/') || returnTo.startsWith('//')) {
+    return fallback
+  }
+  return returnTo
+}
+
+export function generatePKCE(): { codeVerifier: string; codeChallenge: string } {
+  const codeVerifier = crypto.randomBytes(32).toString('base64url')
+  const codeChallenge = crypto
+    .createHash('sha256')
+    .update(codeVerifier)
+    .digest('base64url')
+  return { codeVerifier, codeChallenge }
+}
+
+export function getAuthorizationUrl(state: string, codeChallenge: string): string {
+  const params = new URLSearchParams({
+    client_id: getClientId(),
+    redirect_uri: `${getAppUrl()}/api/auth/callback`,
+    response_type: 'code',
+    scope: 'openid profile email',
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  })
+  return `${getBioIdUrl()}/oauth/authorize?${params.toString()}`
+}
+
+async function parseErrorResponse(response: Response, fallbackMessage: string): Promise<string> {
+  try {
+    const error = await response.json()
+    return error.error_description || error.error || fallbackMessage
+  } catch {
+    return fallbackMessage
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Bio-id API calls
+// ---------------------------------------------------------------------------
+
+export async function exchangeCodeForTokens(
+  code: string,
+  codeVerifier: string
+): Promise<{
+  access_token: string
+  token_type: string
+  expires_in: number
+  refresh_token: string
+  scope: string
+  id_token?: string
+}> {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      redirect_uri: `${getAppUrl()}/api/auth/callback`,
+      client_id: getClientId(),
+      client_secret: getClientSecret(),
+      code_verifier: codeVerifier,
+    }).toString(),
+  })
+
+  if (!response.ok) {
+    throw new Error(await parseErrorResponse(response, 'Token exchange failed'))
+  }
+
+  return response.json()
+}
+
+export async function refreshAccessToken(refreshToken: string): Promise<{
+  access_token: string
+  token_type: string
+  expires_in: number
+  refresh_token: string
+  scope: string
+}> {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: refreshToken,
+      client_id: getClientId(),
+      client_secret: getClientSecret(),
+    }).toString(),
+  })
+
+  if (!response.ok) {
+    throw new Error(await parseErrorResponse(response, 'Token refresh failed'))
+  }
+
+  return response.json()
+}
+
+export async function fetchUserInfo(accessToken: string): Promise<User> {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/userinfo`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  })
+
+  if (!response.ok) {
+    throw new Error('Failed to fetch user info')
+  }
+
+  const data = await response.json()
+
+  return {
+    id: data.bio_id || data.sub,
+    email: data.email,
+    name: data.name,
+    roles: data.roles || [],
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Session management
+//
+// After the OAuth callback, we create OUR OWN session JWT signed with
+// JWT_SECRET. This avoids needing to verify bio-id's access token locally
+// (bio-id uses HS256 signed with its own server secret).
+// ---------------------------------------------------------------------------
+
+export async function createSessionToken(user: User): Promise<string> {
+  return new SignJWT({
+    sub: user.id,
+    email: user.email,
+    name: user.name,
+    roles: user.roles,
+  })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuedAt()
+    .setExpirationTime(`${SESSION_MAX_AGE}s`)
+    .setIssuer(getAppUrl())
+    .sign(getJwtSecret())
+}
+
+export async function setSessionCookies(
+  sessionToken: string,
+  bioRefreshToken: string
+): Promise<void> {
+  const cookieStore = await cookies()
+  const secure = getAppUrl().startsWith('https://')
+
+  cookieStore.set(`${COOKIE_PREFIX}_session`, sessionToken, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: SESSION_MAX_AGE,
+    path: '/',
+  })
+
+  cookieStore.set(`${COOKIE_PREFIX}_refresh_token`, bioRefreshToken, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: REFRESH_TOKEN_MAX_AGE,
+    path: '/',
+  })
+}
+
+export async function clearAuthCookies(): Promise<void> {
+  const cookieStore = await cookies()
+  cookieStore.delete(`${COOKIE_PREFIX}_session`)
+  cookieStore.delete(`${COOKIE_PREFIX}_refresh_token`)
+  cookieStore.delete('oauth_state')
+  cookieStore.delete('oauth_code_verifier')
+  cookieStore.delete('oauth_return_to')
+}
+
+/**
+ * Get the current user from the session cookie (no network call).
+ * Verifies OUR session JWT — not bio-id's access token.
+ */
+export async function getCurrentUser(): Promise<User | null> {
+  const cookieStore = await cookies()
+  const sessionToken = cookieStore.get(`${COOKIE_PREFIX}_session`)?.value
+
+  if (!sessionToken) {
+    return null
+  }
+
+  try {
+    const { payload } = await jwtVerify(sessionToken, getJwtSecret(), {
+      issuer: getAppUrl(),
+    })
+
+    return {
+      id: payload.sub || '',
+      email: payload.email as string,
+      name: payload.name as string,
+      roles: (payload.roles as string[]) || [],
+    }
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Generate a login URL with PKCE and state stored in cookies
+ */
+export async function getLoginUrl(returnTo?: string): Promise<string> {
+  const cookieStore = await cookies()
+  const secure = getAppUrl().startsWith('https://')
+
+  const state = crypto.randomBytes(16).toString('hex')
+  const { codeVerifier, codeChallenge } = generatePKCE()
+
+  cookieStore.set('oauth_state', state, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  cookieStore.set('oauth_code_verifier', codeVerifier, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  const safeReturnTo = sanitizeReturnTo(returnTo)
+  cookieStore.set('oauth_return_to', safeReturnTo, {
+    httpOnly: true,
+    secure,
+    sameSite: 'lax',
+    maxAge: OAUTH_FLOW_MAX_AGE,
+    path: '/',
+  })
+
+  return getAuthorizationUrl(state, codeChallenge)
+}
+
+export { COOKIE_PREFIX, getBioIdUrl, getAppUrl }

package/dist/templates/nextjs-oauth/src/middleware.ts

@@ -0,0 +1,71 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { jwtVerify } from 'jose'
+
+const COOKIE_PREFIX = '{{name}}'
+
+// Routes that require authentication
+const PROTECTED_PATHS = ['/dashboard']
+
+// Routes that should never be blocked
+const PUBLIC_PATHS = [
+  '/',
+  '/api/auth',
+  '/api/health',
+]
+
+function isPublicPath(pathname: string): boolean {
+  return PUBLIC_PATHS.some(
+    (path) => pathname === path || pathname.startsWith(`${path}/`)
+  )
+}
+
+function isProtectedPath(pathname: string): boolean {
+  return PROTECTED_PATHS.some(
+    (path) => pathname === path || pathname.startsWith(`${path}/`)
+  )
+}
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl
+
+  if (isPublicPath(pathname)) {
+    return NextResponse.next()
+  }
+
+  if (!isProtectedPath(pathname)) {
+    return NextResponse.next()
+  }
+
+  // Check for our session cookie (not bio-id's access token)
+  const sessionToken = request.cookies.get(`${COOKIE_PREFIX}_session`)?.value
+
+  if (!sessionToken) {
+    const loginUrl = new URL('/api/auth/login', request.url)
+    loginUrl.searchParams.set('returnTo', pathname)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  // Verify our own session JWT (signed with JWT_SECRET, issued by APP_URL)
+  try {
+    const secret = new TextEncoder().encode(
+      process.env.JWT_SECRET || 'dev-only-secret-do-not-use-in-production'
+    )
+    await jwtVerify(sessionToken, secret, {
+      issuer: process.env.APP_URL || 'http://localhost:3000',
+    })
+  } catch {
+    // Session expired or invalid — redirect to login
+    const loginUrl = new URL('/api/auth/login', request.url)
+    loginUrl.searchParams.set('returnTo', pathname)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: [
+    // Match all paths except static files and Next.js internals
+    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+  ],
+}