@mars-stack/cli 0.2.0 → 0.2.2

package/template/src/app/api/auth/login/route.ts

@@ -0,0 +1,121 @@
+import 'server-only';
+
+import { handleApiError, logSecurityEvent, createSession } from '@/lib/mars';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
+import { verifyPassword } from '@mars-stack/core/auth/password';
+import {
+  findUserByEmailForAuth,
+  incrementFailedLoginAttempts,
+  resetFailedLoginAttempts,
+} from '@/features/auth/server/user';
+import { createDbSession } from '@/features/auth/server/sessions';
+import { apiSchemas } from '@mars-stack/core/auth/validation';
+import { buildCredentialTag } from '@mars-stack/core/auth/credential-tag';
+import { NextResponse } from 'next/server';
+
+const DUMMY_HASH =
+  '$2a$12$zEgRvyqUT4JQBPCQZmCIteu6sSGKbqwm0D93.CC8C8AImVzKsMe0q';
+
+export async function POST(request: Request) {
+  const ipAddress = getClientIP(request);
+  const rateLimit = await checkRateLimit(ipAddress, RATE_LIMITS.login);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
+  const userAgent = request.headers.get('user-agent') || 'unknown';
+
+  try {
+    const body = await request.json();
+    const { email, password } = apiSchemas.login.parse(body);
+
+    const user = await findUserByEmailForAuth(email);
+
+    if (!user || !user.password) {
+      await verifyPassword('dummy-password-for-timing', DUMMY_HASH);
+      logSecurityEvent.loginFailure({
+        email,
+        ipAddress,
+        userAgent,
+        reason: 'Invalid credentials - user not found or no password',
+      });
+      return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+    }
+
+    if (!user.emailVerified) {
+      logSecurityEvent.loginFailure({ email, ipAddress, userAgent, reason: 'Email not verified' });
+      return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+    }
+
+    if (user.lockedUntil && user.lockedUntil > new Date()) {
+      logSecurityEvent.loginFailure({ email, ipAddress, userAgent, reason: 'Account locked' });
+      return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+    }
+
+    const isPasswordValid = await verifyPassword(password, user.password);
+
+    if (!isPasswordValid) {
+      const updatedUser = await incrementFailedLoginAttempts(user.id);
+
+      logSecurityEvent.loginFailure({ email, ipAddress, userAgent, reason: 'Invalid password' });
+
+      if (updatedUser.lockedUntil && updatedUser.lockedUntil > new Date()) {
+        logSecurityEvent.accountLocked({
+          userId: user.id,
+          email,
+          failedAttempts: updatedUser.failedLoginAttempts,
+        });
+      }
+
+      return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+    }
+
+    await resetFailedLoginAttempts(user.id);
+
+    logSecurityEvent.loginSuccess({ userId: user.id, email, ipAddress, userAgent });
+
+    if (user.role === 'admin') {
+      logSecurityEvent.adminLogin({ userId: user.id, email, ipAddress });
+    }
+
+    await createSession({
+      id: user.id,
+      email: user.email,
+      name: user.name || user.email,
+      role: user.role,
+      emailVerified: !!user.emailVerified,
+      credentialTag: await buildCredentialTag(user.password),
+    });
+
+    await createDbSession({
+      userId: user.id,
+      ipAddress,
+      userAgent,
+    });
+
+    return NextResponse.json(
+      {
+        message: 'Login successful',
+        user: {
+          id: user.id,
+          name: user.name || user.email,
+          role: user.role,
+          emailVerified: !!user.emailVerified,
+        },
+      },
+      { status: 200 },
+    );
+  } catch (error) {
+    const safeReason =
+      error instanceof Error ? String(error.message).slice(0, 100) : 'Unknown error';
+    logSecurityEvent.loginFailure({
+      email: 'unknown',
+      ipAddress,
+      userAgent,
+      reason: `Server error: ${safeReason}`,
+    });
+
+    return handleApiError(error, {
+      endpoint: '/api/auth/login',
+      fallbackMessage: 'An error occurred during login',
+    });
+  }
+}

package/template/src/app/api/auth/logout/route.ts

@@ -0,0 +1,19 @@
+import { deleteSession, getSession } from '@/lib/mars';
+import { revokeAllSessionsForUser } from '@/features/auth/server/sessions';
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+  try {
+    const session = await getSession();
+
+    if (session?.userId) {
+      await revokeAllSessionsForUser(session.userId);
+    }
+
+    await deleteSession();
+    return NextResponse.json({ message: 'Logout successful' }, { status: 200 });
+  } catch (error) {
+    console.error('Logout error:', error);
+    return NextResponse.json({ error: 'An error occurred during logout' }, { status: 500 });
+  }
+}

package/template/src/app/api/auth/me/route.ts

@@ -0,0 +1,30 @@
+import { handleApiError, getSession } from '@/lib/mars';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  try {
+    const session = await getSession();
+
+    if (!session) {
+      return NextResponse.json(
+        { authenticated: false, user: null },
+        { status: 200, headers: { 'Cache-Control': 'no-store' } },
+      );
+    }
+
+    return NextResponse.json(
+      {
+        authenticated: true,
+        user: {
+          id: session.userId,
+          name: session.name,
+          role: session.role,
+          emailVerified: session.emailVerified,
+        },
+      },
+      { status: 200, headers: { 'Cache-Control': 'no-store' } },
+    );
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/auth/me' });
+  }
+}

package/template/src/app/api/auth/reset/route.ts

@@ -0,0 +1,45 @@
+import { prisma } from '@/lib/prisma';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
+import { hashPassword } from '@mars-stack/core/auth/password';
+import { hashPasswordResetToken } from '@mars-stack/core/auth/reset-token';
+import { findUserByEmailPublic, updateUserPassword } from '@/features/auth/server/user';
+import { handleApiError } from '@/lib/mars';
+import { apiSchemas } from '@mars-stack/core/auth/validation';
+import { NextResponse } from 'next/server';
+
+export async function POST(req: Request) {
+  const ip = getClientIP(req);
+  const rateLimit = await checkRateLimit(ip, RATE_LIMITS.resetPassword);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
+  try {
+    const { token, email, password } = apiSchemas.resetPassword.parse(await req.json());
+    const tokenHash = await hashPasswordResetToken(token);
+
+    const verificationToken = await prisma.verificationToken.findUnique({
+      where: { token: tokenHash },
+    });
+
+    if (!verificationToken || verificationToken.expires < new Date()) {
+      return NextResponse.json({ error: 'Invalid or expired token' }, { status: 400 });
+    }
+
+    if (verificationToken.identifier !== email) {
+      return NextResponse.json({ error: 'Invalid token for this email' }, { status: 400 });
+    }
+
+    const user = await findUserByEmailPublic(email);
+    if (!user) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    const hashedPassword = await hashPassword(password);
+    await updateUserPassword(user.id, hashedPassword);
+
+    await prisma.verificationToken.delete({ where: { token: tokenHash } });
+
+    return NextResponse.json({ message: 'Password reset successfully', ok: true });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/auth/reset' });
+  }
+}

package/template/src/app/api/auth/signup/route.ts

@@ -0,0 +1,85 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import { sendEmail, handleApiError, getBaseUrl } from '@/lib/mars';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
+import { hashPassword } from '@mars-stack/core/auth/password';
+import { hashToken } from '@mars-stack/core/auth/crypto-utils';
+import { findUserByEmailPublic } from '@/features/auth/server/user';
+import { buildEmailVerificationUrl } from '@mars-stack/core/auth/link-utils';
+import { apiSchemas } from '@mars-stack/core/auth/validation';
+import { verificationEmailHtml } from '@/lib/core/email/templates';
+import { appConfig } from '@/config/app.config';
+import { randomBytes } from 'crypto';
+import { NextResponse } from 'next/server';
+
+export async function POST(request: Request) {
+  const ip = getClientIP(request);
+  const rateLimit = await checkRateLimit(ip, RATE_LIMITS.signup);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
+  try {
+    const body = await request.json();
+    const { email, password, name, termsAccepted, marketingOptIn } = apiSchemas.signup.parse(body);
+
+    const existingUser = await findUserByEmailPublic(email);
+
+    if (existingUser) {
+      await hashPassword('dummy-password-for-timing');
+      return NextResponse.json({ message: 'User created successfully' }, { status: 201 });
+    }
+
+    const hashedPassword = await hashPassword(password);
+    const token = randomBytes(32).toString('hex');
+    const tokenHash = await hashToken(token, 'email-verification-v1');
+    const expires = new Date(Date.now() + 24 * 60 * 60 * 1000);
+
+    const autoVerify =
+      process.env.NODE_ENV === 'development' &&
+      process.env.AUTO_VERIFY_EMAIL === 'true';
+
+    await prisma.$transaction(async (tx) => {
+      await tx.user.create({
+        data: {
+          email,
+          password: hashedPassword,
+          name,
+          role: 'user',
+          emailVerified: autoVerify ? new Date() : null,
+          termsAcceptedAt: termsAccepted ? new Date() : null,
+          privacyAcceptedAt: termsAccepted ? new Date() : null,
+          marketingOptIn: marketingOptIn || false,
+          marketingOptInAt: marketingOptIn ? new Date() : null,
+        },
+      });
+      if (!autoVerify) {
+        await tx.verificationToken.create({
+          data: { identifier: email, token: tokenHash, expires },
+        });
+      }
+    });
+
+    if (autoVerify) {
+      console.log(`[mars:auth] AUTO_VERIFY_EMAIL is enabled — ${email} verified immediately`);
+    } else {
+      const baseUrl = getBaseUrl();
+      const verifyUrl = buildEmailVerificationUrl({ baseUrl, token });
+      const { html, text } = verificationEmailHtml({
+        appName: appConfig.name,
+        verifyUrl,
+        userName: name || undefined,
+      });
+
+      await sendEmail({
+        to: email,
+        subject: `Welcome to ${appConfig.name} - Verify Your Email`,
+        html,
+        text,
+      });
+    }
+
+    return NextResponse.json({ message: 'User created successfully' }, { status: 201 });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/auth/signup', fallbackMessage: 'An error occurred during signup' });
+  }
+}

package/template/src/app/api/auth/verify/route.ts

@@ -0,0 +1,46 @@
+import { prisma } from '@/lib/prisma';
+import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
+import { verifyEmailFromToken } from '@mars-stack/core/auth/verification';
+import { handleApiError } from '@/lib/mars';
+import { apiSchemas } from '@mars-stack/core/auth/validation';
+import { NextResponse } from 'next/server';
+
+export async function POST(req: Request) {
+  const ip = getClientIP(req);
+  const rateLimit = await checkRateLimit(ip, RATE_LIMITS.emailVerification);
+  if (!rateLimit.success) return rateLimitResponse(rateLimit.resetAt);
+
+  try {
+    const { token, email } = apiSchemas.emailVerification.parse(await req.json());
+
+    const result = await verifyEmailFromToken({
+      token,
+      email,
+      verificationTokens: prisma.verificationToken,
+      users: prisma.user,
+    });
+
+    if (!result.ok) {
+      if (result.error === 'invalid_or_expired') {
+        return NextResponse.json({ error: 'Invalid or expired token' }, { status: 400 });
+      }
+      if (result.error === 'email_mismatch') {
+        return NextResponse.json({ error: 'Invalid verification link' }, { status: 400 });
+      }
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    return NextResponse.json(
+      {
+        message:
+          result.status === 'already_verified'
+            ? 'Email already verified'
+            : 'Email verified successfully',
+        ok: true,
+      },
+      { status: 200 },
+    );
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/auth/verify' });
+  }
+}

package/template/src/app/api/csrf/route.ts

@@ -0,0 +1,12 @@
+import { requireCSRFToken } from '@/lib/mars';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  try {
+    const token = await requireCSRFToken();
+    return NextResponse.json({ token }, { status: 200 });
+  } catch (error) {
+    console.error('CSRF token generation error:', error);
+    return NextResponse.json({ error: 'Failed to generate CSRF token' }, { status: 500 });
+  }
+}

package/template/src/app/api/health/route.ts

@@ -0,0 +1,10 @@
+import { NextResponse } from 'next/server';
+import packageJson from '../../../../package.json';
+
+export async function GET() {
+  return NextResponse.json({
+    status: 'ok',
+    version: packageJson.version,
+    uptime: process.uptime(),
+  });
+}

package/template/src/app/api/protected/admin/users/route.ts

@@ -0,0 +1,24 @@
+import { withRole, handleApiError } from '@/lib/mars';
+import { prisma } from '@/lib/prisma';
+import { NextResponse } from 'next/server';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+
+export const GET = withRole(['admin'], async (_request: AuthenticatedRequest, _context) => {
+  try {
+    const users = await prisma.user.findMany({
+      select: {
+        id: true,
+        name: true,
+        email: true,
+        role: true,
+        emailVerified: true,
+        createdAt: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    return NextResponse.json({ users });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/admin/users' });
+  }
+});

package/template/src/app/api/protected/billing/checkout/route.ts

@@ -0,0 +1,83 @@
+import { withAuthNoParams, handleApiError } from '@/lib/mars';
+import { prisma } from '@/lib/prisma';
+import { createPaymentService } from '@mars-stack/core/payments';
+import { appConfig } from '@/config/app.config';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+import { z } from 'zod';
+
+const checkoutSchema = z.object({
+  priceId: z.string().min(1, 'Price ID is required'),
+});
+
+const payments = createPaymentService({
+  provider: appConfig.services.payments.provider,
+});
+
+export const POST = withAuthNoParams(async (request: AuthenticatedRequest) => {
+  try {
+    const body = await request.json();
+    const result = checkoutSchema.safeParse(body);
+
+    if (!result.success) {
+      return NextResponse.json(
+        { error: result.error.issues[0]?.message || 'Invalid input' },
+        { status: 400 },
+      );
+    }
+
+    const { priceId } = result.data;
+    const userId = request.session.userId;
+
+    const user = await prisma.user.findUnique({
+      where: { id: userId },
+      select: { email: true, subscription: { select: { stripeCustomerId: true } } },
+    });
+
+    if (!user) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    let stripeCustomerId = user.subscription?.stripeCustomerId;
+
+    if (!stripeCustomerId) {
+      const Stripe = (await import('stripe')).default;
+      const secretKey = process.env.STRIPE_SECRET_KEY;
+      if (!secretKey) throw new Error('STRIPE_SECRET_KEY is not set');
+
+      const stripe = new Stripe(secretKey);
+      const customer = await stripe.customers.create({
+        email: user.email,
+        metadata: { userId },
+      });
+
+      stripeCustomerId = customer.id;
+
+      await prisma.subscription.upsert({
+        where: { userId },
+        create: {
+          userId,
+          stripeCustomerId: stripeCustomerId,
+          status: 'inactive',
+        },
+        update: {
+          stripeCustomerId: stripeCustomerId,
+        },
+      });
+    }
+
+    const baseUrl = new URL(request.url).origin;
+
+    const { url } = await payments.createCheckoutSession({
+      customerId: stripeCustomerId as string,
+      priceId,
+      successUrl: `${baseUrl}/settings?billing=success`,
+      cancelUrl: `${baseUrl}/settings?billing=cancelled`,
+      metadata: { userId },
+    });
+
+    return NextResponse.json({ url });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/billing/checkout' });
+  }
+});

package/template/src/app/api/protected/billing/portal/route.ts

@@ -0,0 +1,39 @@
+import { withAuthNoParams, handleApiError } from '@/lib/mars';
+import { prisma } from '@/lib/prisma';
+import { createPaymentService } from '@mars-stack/core/payments';
+import { appConfig } from '@/config/app.config';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+
+const payments = createPaymentService({
+  provider: appConfig.services.payments.provider,
+});
+
+export const POST = withAuthNoParams(async (request: AuthenticatedRequest) => {
+  try {
+    const userId = request.session.userId;
+
+    const subscription = await prisma.subscription.findUnique({
+      where: { userId },
+      select: { stripeCustomerId: true },
+    });
+
+    if (!subscription?.stripeCustomerId) {
+      return NextResponse.json(
+        { error: 'No billing account found. Please subscribe first.' },
+        { status: 404 },
+      );
+    }
+
+    const baseUrl = new URL(request.url).origin;
+
+    const { url } = await payments.createPortalSession({
+      customerId: subscription.stripeCustomerId,
+      returnUrl: `${baseUrl}/settings`,
+    });
+
+    return NextResponse.json({ url });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/billing/portal' });
+  }
+});

package/template/src/app/api/protected/files/[fileId]/route.ts

@@ -0,0 +1,86 @@
+import { withOwnership, handleApiError } from '@/lib/mars';
+import { appConfig } from '@/config/app.config';
+import { createStorageService } from '@mars-stack/core/storage';
+import { prisma } from '@/lib/prisma';
+import { getFileRecord, deleteFileRecord } from '@/features/uploads/server';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+
+const storage = createStorageService({
+  provider: appConfig.services.storage.provider,
+});
+
+async function getFileOwnerUserId(
+  _request: AuthenticatedRequest,
+  context: { params: Promise<{ [key: string]: string }> },
+): Promise<string | null> {
+  const { fileId } = await context.params;
+  const file = await prisma.file.findUnique({
+    where: { id: fileId },
+    select: { userId: true },
+  });
+  return file?.userId ?? null;
+}
+
+export const GET = withOwnership(
+  getFileOwnerUserId,
+  async (request: AuthenticatedRequest, context) => {
+    try {
+      const { fileId } = await context.params;
+      const file = await getFileRecord(fileId, request.session.userId);
+
+      if (!file) {
+        return NextResponse.json({ error: 'File not found' }, { status: 404 });
+      }
+
+      if (file.size > 100 * 1024 * 1024) {
+        return NextResponse.json({ error: 'File too large to proxy' }, { status: 413 });
+      }
+
+      const url = await storage.getSignedUrl(file.url);
+      const fileResponse = await fetch(url);
+
+      if (!fileResponse.ok || !fileResponse.body) {
+        return NextResponse.json(
+          { error: 'Failed to retrieve file from storage' },
+          { status: 502 },
+        );
+      }
+
+      const safeFilename = file.filename
+        .replace(/[^\w.\- ]/g, '_')
+        .slice(0, 255);
+
+      return new NextResponse(fileResponse.body, {
+        headers: {
+          'Content-Type': file.contentType,
+          'Content-Disposition': `attachment; filename="${safeFilename}"`,
+          'Content-Length': String(file.size),
+          'Cache-Control': 'private, no-cache',
+        },
+      });
+    } catch (error) {
+      return handleApiError(error, { endpoint: '/api/protected/files/[fileId]' });
+    }
+  },
+);
+
+export const DELETE = withOwnership(
+  getFileOwnerUserId,
+  async (request: AuthenticatedRequest, context) => {
+    try {
+      const { fileId } = await context.params;
+      const file = await deleteFileRecord(fileId, request.session.userId);
+
+      if (!file) {
+        return NextResponse.json({ error: 'File not found' }, { status: 404 });
+      }
+
+      await storage.delete(file.url);
+
+      return NextResponse.json({ message: 'File deleted' });
+    } catch (error) {
+      return handleApiError(error, { endpoint: '/api/protected/files/[fileId]' });
+    }
+  },
+);

package/template/src/app/api/protected/files/upload/route.ts

@@ -0,0 +1,64 @@
+import { withAuthNoParams, handleApiError } from '@/lib/mars';
+import { appConfig } from '@/config/app.config';
+import { createStorageService } from '@mars-stack/core/storage';
+import { createFileRecord } from '@/features/uploads/server';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+
+const MAX_FILE_SIZE_BYTES = 10 * 1024 * 1024; // 10 MB
+
+const storage = createStorageService({
+  provider: appConfig.services.storage.provider,
+  maxFileSizeBytes: MAX_FILE_SIZE_BYTES,
+});
+
+function sanitizeForContentDisposition(filename: string): string {
+  return filename.replace(/[^\w.\-]/g, '_').slice(0, 255);
+}
+
+export const POST = withAuthNoParams(async (request: AuthenticatedRequest) => {
+  try {
+    const formData = await request.formData();
+    const file = formData.get('file');
+
+    if (!(file instanceof File)) {
+      return NextResponse.json(
+        { error: 'No file provided. Send a FormData field named "file".' },
+        { status: 400 },
+      );
+    }
+
+    if (file.size === 0) {
+      return NextResponse.json({ error: 'File is empty' }, { status: 400 });
+    }
+
+    if (file.size > MAX_FILE_SIZE_BYTES) {
+      return NextResponse.json(
+        { error: `File size exceeds maximum of ${MAX_FILE_SIZE_BYTES / (1024 * 1024)} MB` },
+        { status: 413 },
+      );
+    }
+
+    const access = (formData.get('access') as string) === 'public' ? 'public' : 'private';
+
+    const result = await storage.upload({
+      filename: sanitizeForContentDisposition(file.name),
+      contentType: file.type || 'application/octet-stream',
+      data: file,
+      access,
+    });
+
+    const record = await createFileRecord({
+      userId: request.session.userId,
+      filename: file.name,
+      url: result.url,
+      contentType: result.contentType,
+      size: result.size,
+      access,
+    });
+
+    return NextResponse.json({ file: record }, { status: 201 });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/files/upload' });
+  }
+});