@mars-stack/cli 0.2.0 → 0.2.2

package/template/src/features/auth/server/session-revocation.ts

@@ -0,0 +1,20 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import { buildCredentialTag } from '@mars-stack/core/auth/credential-tag';
+import { constantTimeEqual } from '@mars-stack/core/auth/crypto-utils';
+
+export async function isSessionCredentialValid(
+  userId: string,
+  credentialTag: string,
+): Promise<boolean> {
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { password: true },
+  });
+
+  if (!user) return false;
+
+  const currentCredentialTag = await buildCredentialTag(user.password);
+  return constantTimeEqual(credentialTag, currentCredentialTag);
+}

package/template/src/features/auth/server/sessions.ts

@@ -0,0 +1,66 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+
+const SESSION_DURATION_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
+
+interface CreateDbSessionInput {
+  userId: string;
+  ipAddress: string;
+  userAgent: string;
+}
+
+export async function createDbSession({ userId, ipAddress, userAgent }: CreateDbSessionInput) {
+  return prisma.session.create({
+    data: {
+      userId,
+      token: crypto.randomUUID(),
+      expiresAt: new Date(Date.now() + SESSION_DURATION_MS),
+      ipAddress,
+      userAgent,
+    },
+  });
+}
+
+export async function listSessionsForUser(userId: string) {
+  return prisma.session.findMany({
+    where: {
+      userId,
+      expiresAt: { gt: new Date() },
+    },
+    select: {
+      id: true,
+      ipAddress: true,
+      userAgent: true,
+      createdAt: true,
+      expiresAt: true,
+    },
+    orderBy: { createdAt: 'desc' },
+  });
+}
+
+export async function findSessionById(sessionId: string) {
+  return prisma.session.findUnique({
+    where: { id: sessionId },
+    select: { id: true, userId: true },
+  });
+}
+
+export async function revokeSession(sessionId: string) {
+  return prisma.session.delete({ where: { id: sessionId } });
+}
+
+export async function revokeAllSessionsForUser(userId: string, excludeSessionId?: string) {
+  return prisma.session.deleteMany({
+    where: {
+      userId,
+      ...(excludeSessionId ? { id: { not: excludeSessionId } } : {}),
+    },
+  });
+}
+
+export async function deleteExpiredSessions() {
+  return prisma.session.deleteMany({
+    where: { expiresAt: { lte: new Date() } },
+  });
+}

package/template/src/features/auth/server/user.ts

@@ -0,0 +1,166 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import { verifySession } from '@/lib/mars';
+import type { SessionPayload } from '@mars-stack/core/auth/session';
+import type { User } from '@db';
+import { cache } from 'react';
+
+export const getUserByEmail = cache(async (email: string): Promise<User | null> => {
+  await verifySession();
+  return prisma.user.findUnique({ where: { email } });
+});
+
+export const getUserById = cache(async (id: string): Promise<User | null> => {
+  await verifySession();
+  return prisma.user.findUnique({ where: { id } });
+});
+
+export const getCurrentUserFromDB = cache(async (): Promise<User | null> => {
+  const session = await verifySession();
+  return prisma.user.findUnique({ where: { id: session.userId } });
+});
+
+export async function updateUser(
+  id: string,
+  data: Partial<Pick<User, 'name' | 'email' | 'emailVerified' | 'image'>>,
+): Promise<User> {
+  const session = await verifySession();
+
+  if (session.userId !== id && session.role !== 'admin') {
+    throw new Error("Unauthorized: Cannot update other user's data");
+  }
+
+  return prisma.user.update({ where: { id }, data });
+}
+
+export async function deleteUser(id: string): Promise<void> {
+  const session = await verifySession();
+
+  if (session.userId !== id && session.role !== 'admin') {
+    throw new Error("Unauthorized: Cannot delete other user's account");
+  }
+
+  await prisma.user.delete({ where: { id } });
+}
+
+async function verifyAdminFromDB(): Promise<SessionPayload> {
+  const session = await verifySession();
+  const dbUser = await prisma.user.findUnique({
+    where: { id: session.userId },
+    select: { role: true },
+  });
+
+  if (!dbUser || dbUser.role !== 'admin') {
+    throw new Error('Unauthorized: Admin access required');
+  }
+
+  return session;
+}
+
+export const getAllUsers = cache(async (): Promise<User[]> => {
+  await verifyAdminFromDB();
+  return prisma.user.findMany({ orderBy: { createdAt: 'desc' } });
+});
+
+export async function updateUserRole(id: string, role: string): Promise<User> {
+  await verifyAdminFromDB();
+  return prisma.user.update({ where: { id }, data: { role } });
+}
+
+export async function createUser(data: {
+  email: string;
+  password: string;
+  name?: string;
+  termsAccepted?: boolean;
+  marketingOptIn?: boolean;
+}): Promise<User> {
+  const now = new Date();
+
+  return prisma.user.create({
+    data: {
+      email: data.email,
+      password: data.password,
+      name: data.name,
+      role: 'user',
+      termsAcceptedAt: data.termsAccepted ? now : null,
+      privacyAcceptedAt: data.termsAccepted ? now : null,
+      marketingOptIn: data.marketingOptIn || false,
+      marketingOptInAt: data.marketingOptIn ? now : null,
+    },
+  });
+}
+
+export async function findUserByEmailPublic(
+  email: string,
+): Promise<Omit<User, 'password'> | null> {
+  return prisma.user.findUnique({
+    where: { email },
+    select: {
+      id: true,
+      email: true,
+      name: true,
+      role: true,
+      emailVerified: true,
+      image: true,
+      createdAt: true,
+      updatedAt: true,
+      failedLoginAttempts: true,
+      lastFailedLogin: true,
+      lockedUntil: true,
+      termsAcceptedAt: true,
+      privacyAcceptedAt: true,
+      marketingOptIn: true,
+      marketingOptInAt: true,
+    },
+  });
+}
+
+export async function findUserByEmailForAuth(email: string): Promise<User | null> {
+  return prisma.user.findUnique({ where: { email } });
+}
+
+export async function updateUserPassword(id: string, hashedPassword: string): Promise<User> {
+  return prisma.user.update({
+    where: { id },
+    data: {
+      password: hashedPassword,
+      failedLoginAttempts: 0,
+      lastFailedLogin: null,
+      lockedUntil: null,
+    },
+  });
+}
+
+export async function incrementFailedLoginAttempts(id: string): Promise<User> {
+  const user = await prisma.user.findUnique({
+    where: { id },
+    select: { failedLoginAttempts: true },
+  });
+
+  const attempts = (user?.failedLoginAttempts || 0) + 1;
+  const shouldLock = attempts >= 5;
+
+  return prisma.user.update({
+    where: { id },
+    data: {
+      failedLoginAttempts: attempts,
+      lastFailedLogin: new Date(),
+      lockedUntil: shouldLock ? new Date(Date.now() + 15 * 60 * 1000) : null,
+    },
+  });
+}
+
+export async function resetFailedLoginAttempts(id: string): Promise<User> {
+  return prisma.user.update({
+    where: { id },
+    data: { failedLoginAttempts: 0, lastFailedLogin: null, lockedUntil: null },
+  });
+}
+
+export async function verifyUserEmail(email: string): Promise<User> {
+  return prisma.user.update({
+    where: { email },
+    data: { emailVerified: new Date() },
+  });
+}

package/template/src/features/auth/types.ts

@@ -0,0 +1,19 @@
+export interface AuthError {
+  code: string;
+  message: string;
+}
+
+export interface AuthUser {
+  id: string;
+  email: string;
+  name?: string;
+  role: string;
+  emailVerified: boolean;
+}
+
+export enum AuthErrorCode {
+  INVALID_CREDENTIALS = 'invalid_credentials',
+  EMAIL_NOT_VERIFIED = 'email_not_verified',
+  ACCOUNT_LOCKED = 'account_locked',
+  SERVER_ERROR = 'server_error',
+}

package/template/src/features/auth/validators.ts

@@ -0,0 +1,29 @@
+import { passwordSchema } from '@mars-stack/core/auth/password';
+
+export function validateEmail(value: string): string | undefined {
+  if (!value) return 'Email is required';
+
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!emailRegex.test(value)) return 'Please enter a valid email address';
+
+  return undefined;
+}
+
+export function validatePassword(value: string): string | undefined {
+  if (!value) return 'Password is required';
+
+  try {
+    passwordSchema.parse(value);
+    return undefined;
+  } catch (error) {
+    if (error instanceof Error) return error.message;
+    return 'Password validation failed';
+  }
+}
+
+export function validateRequired(fieldName: string) {
+  return (value: string): string | undefined => {
+    if (!value) return `${fieldName} is required`;
+    return undefined;
+  };
+}

package/template/src/features/billing/server/index.ts

@@ -0,0 +1,66 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import type {
+  SubscriptionRecord,
+  UpsertSubscriptionData,
+  UpdateSubscriptionStatusData,
+} from '../types';
+
+export async function findSubscriptionByUserId(
+  userId: string,
+): Promise<SubscriptionRecord | null> {
+  return prisma.subscription.findUnique({ where: { userId } });
+}
+
+export async function findSubscriptionByStripeCustomerId(
+  stripeCustomerId: string,
+): Promise<SubscriptionRecord | null> {
+  return prisma.subscription.findUnique({ where: { stripeCustomerId } });
+}
+
+export async function findSubscriptionByStripeSubscriptionId(
+  stripeSubscriptionId: string,
+): Promise<SubscriptionRecord | null> {
+  return prisma.subscription.findUnique({ where: { stripeSubscriptionId } });
+}
+
+export async function upsertSubscription(
+  data: UpsertSubscriptionData,
+): Promise<SubscriptionRecord> {
+  return prisma.subscription.upsert({
+    where: { userId: data.userId },
+    create: {
+      userId: data.userId,
+      stripeCustomerId: data.stripeCustomerId,
+      stripePriceId: data.stripePriceId ?? null,
+      stripeSubscriptionId: data.stripeSubscriptionId ?? null,
+      status: data.status,
+      currentPeriodEnd: data.currentPeriodEnd ?? null,
+      cancelAtPeriodEnd: data.cancelAtPeriodEnd ?? false,
+    },
+    update: {
+      stripeCustomerId: data.stripeCustomerId,
+      stripePriceId: data.stripePriceId,
+      stripeSubscriptionId: data.stripeSubscriptionId,
+      status: data.status,
+      currentPeriodEnd: data.currentPeriodEnd,
+      cancelAtPeriodEnd: data.cancelAtPeriodEnd,
+    },
+  });
+}
+
+export async function updateSubscriptionStatus(
+  stripeSubscriptionId: string,
+  data: UpdateSubscriptionStatusData,
+): Promise<SubscriptionRecord> {
+  return prisma.subscription.update({
+    where: { stripeSubscriptionId },
+    data: {
+      status: data.status,
+      stripePriceId: data.stripePriceId,
+      currentPeriodEnd: data.currentPeriodEnd,
+      cancelAtPeriodEnd: data.cancelAtPeriodEnd,
+    },
+  });
+}

package/template/src/features/billing/types.ts

@@ -0,0 +1,43 @@
+export const SUBSCRIPTION_STATUS = {
+  active: 'active',
+  canceled: 'canceled',
+  incomplete: 'incomplete',
+  incompleteExpired: 'incomplete_expired',
+  pastDue: 'past_due',
+  trialing: 'trialing',
+  unpaid: 'unpaid',
+  paused: 'paused',
+  inactive: 'inactive',
+} as const;
+
+export type SubscriptionStatus = (typeof SUBSCRIPTION_STATUS)[keyof typeof SUBSCRIPTION_STATUS];
+
+export interface SubscriptionRecord {
+  id: string;
+  userId: string;
+  stripeCustomerId: string;
+  stripePriceId: string | null;
+  stripeSubscriptionId: string | null;
+  status: string;
+  currentPeriodEnd: Date | null;
+  cancelAtPeriodEnd: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+export interface UpsertSubscriptionData {
+  userId: string;
+  stripeCustomerId: string;
+  stripePriceId?: string;
+  stripeSubscriptionId?: string;
+  status: string;
+  currentPeriodEnd?: Date;
+  cancelAtPeriodEnd?: boolean;
+}
+
+export interface UpdateSubscriptionStatusData {
+  status: string;
+  stripePriceId?: string;
+  currentPeriodEnd?: Date;
+  cancelAtPeriodEnd?: boolean;
+}

package/template/src/features/uploads/server/index.ts

@@ -0,0 +1,49 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import type { FileRecord, CreateFileData, FileListParams } from '../types';
+
+export async function createFileRecord(data: CreateFileData): Promise<FileRecord> {
+  return prisma.file.create({
+    data: {
+      userId: data.userId,
+      filename: data.filename,
+      url: data.url,
+      contentType: data.contentType,
+      size: data.size,
+      access: data.access ?? 'private',
+    },
+  });
+}
+
+export async function getFileRecord(
+  fileId: string,
+  userId: string,
+): Promise<FileRecord | null> {
+  return prisma.file.findFirst({
+    where: { id: fileId, userId },
+  });
+}
+
+export async function deleteFileRecord(
+  fileId: string,
+  userId: string,
+): Promise<FileRecord | null> {
+  const file = await prisma.file.findFirst({
+    where: { id: fileId, userId },
+  });
+
+  if (!file) return null;
+
+  await prisma.file.delete({ where: { id: fileId } });
+  return file;
+}
+
+export async function listUserFiles(params: FileListParams): Promise<FileRecord[]> {
+  return prisma.file.findMany({
+    where: { userId: params.userId },
+    orderBy: { createdAt: 'desc' },
+    take: params.limit ?? 50,
+    skip: params.offset ?? 0,
+  });
+}

package/template/src/features/uploads/types.ts

@@ -0,0 +1,26 @@
+export interface FileRecord {
+  id: string;
+  userId: string;
+  filename: string;
+  url: string;
+  contentType: string;
+  size: number;
+  access: string;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+export interface CreateFileData {
+  userId: string;
+  filename: string;
+  url: string;
+  contentType: string;
+  size: number;
+  access?: string;
+}
+
+export interface FileListParams {
+  userId: string;
+  limit?: number;
+  offset?: number;
+}

package/template/src/lib/core/email/templates/base-layout.ts

@@ -0,0 +1,122 @@
+const BRAND_PRIMARY = '#6366f1';
+const TEXT_PRIMARY = '#111827';
+const TEXT_SECONDARY = '#6b7280';
+const BORDER_COLOR = '#e5e7eb';
+const BG_COLOR = '#f9fafb';
+
+interface EmailLayoutOptions {
+  appName: string;
+  previewText: string;
+  content: string;
+}
+
+export function emailLayout({ appName, previewText, content }: EmailLayoutOptions): string {
+  return `<!DOCTYPE html>
+<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+  <title>${appName}</title>
+  <!--[if mso]>
+  <noscript>
+    <xml>
+      <o:OfficeDocumentSettings>
+        <o:PixelsPerInch>96</o:PixelsPerInch>
+      </o:OfficeDocumentSettings>
+    </xml>
+  </noscript>
+  <![endif]-->
+  <style>
+    body, table, td, a { -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }
+    table, td { mso-table-lspace: 0pt; mso-table-rspace: 0pt; }
+    img { -ms-interpolation-mode: bicubic; border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; }
+    body { margin: 0; padding: 0; width: 100% !important; }
+  </style>
+</head>
+<body style="margin: 0; padding: 0; background-color: ${BG_COLOR}; font-family: system-ui, -apple-system, 'Segoe UI', Roboto, sans-serif;">
+  <!-- Preview text (hidden) -->
+  <div style="display: none; max-height: 0; overflow: hidden; mso-hide: all;">
+    ${previewText}
+    ${'&nbsp;'.repeat(40)}
+  </div>
+
+  <!-- Outer wrapper table -->
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color: ${BG_COLOR};">
+    <tr>
+      <td align="center" style="padding: 40px 16px;">
+        <!-- Inner content table -->
+        <table role="presentation" width="600" cellpadding="0" cellspacing="0" style="max-width: 600px; width: 100%; background-color: #ffffff; border-radius: 8px; border: 1px solid ${BORDER_COLOR};">
+          <!-- Header -->
+          <tr>
+            <td style="padding: 32px 40px 0 40px;">
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td style="font-size: 20px; font-weight: 700; color: ${TEXT_PRIMARY};">
+                    ${appName}
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+
+          <!-- Divider -->
+          <tr>
+            <td style="padding: 16px 40px 0 40px;">
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td style="border-top: 1px solid ${BORDER_COLOR};"></td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+
+          <!-- Body content -->
+          <tr>
+            <td style="padding: 32px 40px; color: ${TEXT_PRIMARY}; font-size: 16px; line-height: 24px;">
+              ${content}
+            </td>
+          </tr>
+
+          <!-- Footer -->
+          <tr>
+            <td style="padding: 0 40px 32px 40px;">
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td style="border-top: 1px solid ${BORDER_COLOR}; padding-top: 20px; color: ${TEXT_SECONDARY}; font-size: 13px; line-height: 20px;">
+                    This is an automated message, please do not reply.
+                  </td>
+                </tr>
+                <tr>
+                  <td style="color: ${TEXT_SECONDARY}; font-size: 13px; line-height: 20px; padding-top: 4px;">
+                    &copy; ${new Date().getFullYear()} ${appName}. All rights reserved.
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}
+
+export function emailButton(href: string, label: string): string {
+  return `<table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td align="center" style="padding: 24px 0;">
+      <!--[if mso]>
+      <v:roundrect xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" href="${href}" style="height:48px;v-text-anchor:middle;width:220px;" arcsize="13%" fillcolor="${BRAND_PRIMARY}">
+        <w:anchorlock/>
+        <center style="color:#ffffff;font-family:system-ui,sans-serif;font-size:16px;font-weight:600;">${label}</center>
+      </v:roundrect>
+      <![endif]-->
+      <!--[if !mso]><!-->
+      <a href="${href}" target="_blank" style="display: inline-block; background-color: ${BRAND_PRIMARY}; color: #ffffff; font-size: 16px; font-weight: 600; text-decoration: none; padding: 12px 32px; border-radius: 6px; mso-hide: all;">${label}</a>
+      <!--<![endif]-->
+    </td>
+  </tr>
+</table>`;
+}

package/template/src/lib/core/email/templates/index.ts

@@ -0,0 +1,4 @@
+export { emailLayout, emailButton } from './base-layout';
+export { verificationEmailHtml } from './verification-email';
+export { passwordResetEmailHtml } from './password-reset-email';
+export { welcomeEmailHtml } from './welcome-email';

package/template/src/lib/core/email/templates/password-reset-email.ts

@@ -0,0 +1,42 @@
+import { emailLayout, emailButton } from './base-layout';
+
+interface PasswordResetEmailOptions {
+  appName: string;
+  resetUrl: string;
+  userName?: string;
+}
+
+export function passwordResetEmailHtml({ appName, resetUrl, userName }: PasswordResetEmailOptions): { html: string; text: string } {
+  const greeting = userName ? `Hi ${userName},` : 'Hi there,';
+
+  const content = `
+    <h1 style="margin: 0 0 16px 0; font-size: 24px; font-weight: 700; color: #111827;">Reset your password</h1>
+    <p style="margin: 0 0 8px 0;">${greeting}</p>
+    <p style="margin: 0 0 8px 0;">We received a request to reset the password for your ${appName} account.</p>
+    ${emailButton(resetUrl, 'Reset Password')}
+    <p style="margin: 0 0 8px 0; font-size: 14px; color: #6b7280;">If the button doesn't work, copy and paste this link into your browser:</p>
+    <p style="margin: 0 0 16px 0; font-size: 14px; word-break: break-all; color: #6366f1;">${resetUrl}</p>
+    <p style="margin: 0 0 8px 0; font-size: 14px; color: #6b7280;">This link expires in 1 hour.</p>
+    <p style="margin: 0; font-size: 14px; color: #6b7280; font-style: italic;">If you didn't request this, you can safely ignore this email. Your password will not be changed.</p>`;
+
+  const html = emailLayout({
+    appName,
+    previewText: `Reset your ${appName} password`,
+    content,
+  });
+
+  const text = [
+    `Reset your password`,
+    ``,
+    `${greeting}`,
+    ``,
+    `We received a request to reset the password for your ${appName} account. Open this link to reset your password:`,
+    ``,
+    resetUrl,
+    ``,
+    `This link expires in 1 hour.`,
+    `If you didn't request this, you can safely ignore this email. Your password will not be changed.`,
+  ].join('\n');
+
+  return { html, text };
+}