@nubase/create 0.1.2 → 0.1.4

package/dist/index.js

@@ -107,10 +107,7 @@ Creating project in ${chalk.bold(targetDir)}...
     if (template === "root") {
       copyTemplateDir(templatePath, targetDir, options);
     } else {
-      const destPath = path.join(
-        targetDir,
-        `${toKebabCase(projectName)}-${template}`
-      );
+      const destPath = path.join(targetDir, template);
       copyTemplateDir(templatePath, destPath, options);
     }
     console.log(chalk.green(`  \u2713 Created ${template}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nubase/create",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Create a new Nubase application",
   "type": "module",
   "bin": {

package/templates/backend/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "__PROJECT_NAME__-backend",
+  "name": "backend",
   "version": "0.1.0",
   "type": "module",
   "scripts": {
@@ -9,12 +9,13 @@
     "start": "node dist/index.js",
     "db:dev:up": "docker compose -f docker/dev/docker-compose.yml up -d",
     "db:dev:down": "docker compose -f docker/dev/docker-compose.yml down",
-    "db:dev:kill": "docker compose -f docker/dev/docker-compose.yml down -v",
+    "db:dev:kill": "docker compose -f docker/dev/docker-compose.yml down -v && rm -rf docker/dev/postgresql-data",
     "db:dev:seed": "NODE_ENV=development tsx src/db/seed.ts",
+    "db:dev:reset": "npm run db:dev:kill && npm run db:schema-sync && npm run db:dev:up && sleep 2 && npm run db:dev:seed",
     "db:test:up": "docker compose -f docker/test/docker-compose.yml up -d",
     "db:test:down": "docker compose -f docker/test/docker-compose.yml down",
-    "db:test:kill": "docker compose -f docker/test/docker-compose.yml down -v",
-    "db:seed": "tsx src/db/seed.ts",
+    "db:test:kill": "docker compose -f docker/test/docker-compose.yml down -v && rm -rf docker/test/postgresql-data",
+    "db:test:reset": "npm run db:test:kill && npm run db:schema-sync && npm run db:test:up",
     "db:schema-sync": "cp db/schema.sql docker/dev/postgresql-init/dump.sql && cp db/schema.sql docker/test/postgresql-init/dump.sql",
     "typecheck": "tsc --noEmit",
     "lint": "biome check .",
@@ -31,7 +32,7 @@
     "hono": "^4.6.14",
     "jsonwebtoken": "^9.0.2",
     "pg": "^8.13.1",
-    "__PROJECT_NAME__-schema": "*"
+    "schema": "*"
   },
   "devDependencies": {
     "@faker-js/faker": "^9.3.0",

package/templates/backend/src/api/routes/auth.ts

@@ -1,209 +1,384 @@
+import {
+	createHttpHandler,
+	getAuthController,
+	HttpError,
+} from "@nubase/backend";
 import bcrypt from "bcrypt";
-import { eq } from "drizzle-orm";
-import type { Context } from "hono";
-import { __PROJECT_NAME_PASCAL__AuthController } from "../../auth";
-import { adminDb, db } from "../../db/helpers/drizzle";
-import { userWorkspaces, users, workspaces } from "../../db/schema";
-
-const authController = new __PROJECT_NAME_PASCAL__AuthController();
+import { and, eq, inArray } from "drizzle-orm";
+import { apiEndpoints } from "schema";
+import jwt from "jsonwebtoken";
+import type { __PROJECT_NAME_PASCAL__User } from "../../auth";
+import { db, adminDb } from "../../db/helpers/drizzle";
+import { users, userWorkspaces, workspaces } from "../../db/schema";
+
+// Short-lived secret for login tokens (in production, use a proper secret)
+const LOGIN_TOKEN_SECRET =
+	process.env.LOGIN_TOKEN_SECRET ||
+	"nubase-login-token-secret-change-in-production";
+const LOGIN_TOKEN_EXPIRY = "5m"; // 5 minutes to complete workspace selection
+
+interface LoginTokenPayload {
+	userId: number;
+	username: string;
+}
 
 export const authHandlers = {
-	async loginStart(c: Context) {
-		const { email, password } = await c.req.json();
-
-		const [user] = await db.select().from(users).where(eq(users.email, email));
-
-		if (!user) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		const isValid = await bcrypt.compare(password, user.passwordHash);
-		if (!isValid) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		// Get user's workspaces
-		const userWs = await db
-			.select({
-				id: workspaces.id,
-				slug: workspaces.slug,
-				name: workspaces.name,
-			})
-			.from(userWorkspaces)
-			.innerJoin(workspaces, eq(userWorkspaces.workspaceId, workspaces.id))
-			.where(eq(userWorkspaces.userId, user.id));
-
-		return c.json({ workspaces: userWs });
-	},
-
-	async loginComplete(c: Context) {
-		const { email, password, workspaceId } = await c.req.json();
-
-		const [user] = await db.select().from(users).where(eq(users.email, email));
-
-		if (!user) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		const isValid = await bcrypt.compare(password, user.passwordHash);
-		if (!isValid) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		const [workspace] = await db
-			.select()
-			.from(workspaces)
-			.where(eq(workspaces.id, workspaceId));
-
-		if (!workspace) {
-			return c.json({ error: "Workspace not found" }, 404);
-		}
-
-		const token = authController.generateToken({
-			userId: user.id,
-			workspaceId: workspace.id,
-			username: user.username,
-		});
-
-		return c.json({
-			token,
-			user: { id: user.id, email: user.email, username: user.username },
-			workspace: { id: workspace.id, slug: workspace.slug, name: workspace.name },
-		});
-	},
-
-	async login(c: Context) {
-		const { email, password } = await c.req.json();
-
-		const [user] = await db.select().from(users).where(eq(users.email, email));
-
-		if (!user) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		const isValid = await bcrypt.compare(password, user.passwordHash);
-		if (!isValid) {
-			return c.json({ error: "Invalid credentials" }, 401);
-		}
-
-		// Get first workspace for simple login
-		const [userWs] = await db
-			.select({
-				id: workspaces.id,
-				slug: workspaces.slug,
-				name: workspaces.name,
-			})
-			.from(userWorkspaces)
-			.innerJoin(workspaces, eq(userWorkspaces.workspaceId, workspaces.id))
-			.where(eq(userWorkspaces.userId, user.id));
-
-		if (!userWs) {
-			return c.json({ error: "No workspace found" }, 404);
-		}
-
-		const token = authController.generateToken({
-			userId: user.id,
-			workspaceId: userWs.id,
-			username: user.username,
-		});
-
-		return c.json({
-			token,
-			user: { id: user.id, email: user.email, username: user.username },
-			workspace: userWs,
-		});
-	},
-
-	async logout(c: Context) {
-		// Client-side token removal
-		return c.json({ success: true });
-	},
-
-	async getMe(c: Context) {
-		const authHeader = c.req.header("Authorization");
-		if (!authHeader?.startsWith("Bearer ")) {
-			return c.json({ error: "Unauthorized" }, 401);
-		}
-
-		const token = authHeader.slice(7);
-		const payload = authController.verifyToken(token);
-
-		if (!payload) {
-			return c.json({ error: "Invalid token" }, 401);
-		}
-
-		const [user] = await db
-			.select()
-			.from(users)
-			.where(eq(users.id, payload.userId));
-
-		if (!user) {
-			return c.json({ error: "User not found" }, 404);
-		}
-
-		const [workspace] = await db
-			.select()
-			.from(workspaces)
-			.where(eq(workspaces.id, payload.workspaceId));
-
-		return c.json({
-			user: { id: user.id, email: user.email, username: user.username },
-			workspace: workspace
-				? { id: workspace.id, slug: workspace.slug, name: workspace.name }
-				: null,
-		});
-	},
-
-	async signup(c: Context) {
-		const { email, username, password, workspaceName } = await c.req.json();
-
-		// Check if user exists
-		const [existingUser] = await db
-			.select()
-			.from(users)
-			.where(eq(users.email, email));
-
-		if (existingUser) {
-			return c.json({ error: "Email already registered" }, 400);
-		}
-
-		// Create user
-		const passwordHash = await bcrypt.hash(password, 10);
-		const [user] = await adminDb
-			.insert(users)
-			.values({ email, username, passwordHash })
-			.returning();
-
-		// Create or get workspace
-		const wsSlug = workspaceName?.toLowerCase().replace(/\s+/g, "-") || "default";
-		let [workspace] = await db
-			.select()
-			.from(workspaces)
-			.where(eq(workspaces.slug, wsSlug));
-
-		if (!workspace) {
-			[workspace] = await adminDb
+	/**
+	 * Login Start handler - Step 1 of two-step auth.
+	 * Validates credentials and returns list of workspaces.
+	 */
+	loginStart: createHttpHandler({
+		endpoint: apiEndpoints.loginStart,
+		handler: async ({ body }) => {
+			// Find user by username
+			const [user] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.username, body.username));
+
+			if (!user) {
+				throw new HttpError(401, "Invalid username or password");
+			}
+
+			// Verify password
+			const isValidPassword = await bcrypt.compare(
+				body.password,
+				user.passwordHash,
+			);
+			if (!isValidPassword) {
+				throw new HttpError(401, "Invalid username or password");
+			}
+
+			// Get all workspaces this user belongs to
+			const userWorkspaceRows = await adminDb
+				.select()
+				.from(userWorkspaces)
+				.where(eq(userWorkspaces.userId, user.id));
+
+			if (userWorkspaceRows.length === 0) {
+				throw new HttpError(401, "User has no workspace access");
+			}
+
+			// Fetch workspace details
+			const workspaceIds = userWorkspaceRows.map((uw) => uw.workspaceId);
+			const workspaceList = await adminDb
+				.select()
+				.from(workspaces)
+				.where(inArray(workspaces.id, workspaceIds));
+
+			// Create a short-lived login token
+			const loginToken = jwt.sign(
+				{
+					userId: user.id,
+					username: body.username,
+				} satisfies LoginTokenPayload,
+				LOGIN_TOKEN_SECRET,
+				{ expiresIn: LOGIN_TOKEN_EXPIRY },
+			);
+
+			return {
+				loginToken,
+				username: body.username,
+				workspaces: workspaceList.map((w) => ({
+					id: w.id,
+					slug: w.slug,
+					name: w.name,
+				})),
+			};
+		},
+	}),
+
+	/**
+	 * Login Complete handler - Step 2 of two-step auth.
+	 * Validates the login token and selected workspace.
+	 */
+	loginComplete: createHttpHandler({
+		endpoint: apiEndpoints.loginComplete,
+		handler: async ({ body, ctx }) => {
+			const authController = getAuthController<__PROJECT_NAME_PASCAL__User>(ctx);
+
+			// Verify the login token
+			let decoded: LoginTokenPayload;
+			try {
+				decoded = jwt.verify(
+					body.loginToken,
+					LOGIN_TOKEN_SECRET,
+				) as LoginTokenPayload;
+			} catch {
+				throw new HttpError(401, "Invalid or expired login token");
+			}
+
+			// Look up the selected workspace
+			const [workspace] = await adminDb
+				.select()
+				.from(workspaces)
+				.where(eq(workspaces.slug, body.workspace));
+
+			if (!workspace) {
+				throw new HttpError(404, `Workspace not found: ${body.workspace}`);
+			}
+
+			// Verify user has access to this workspace
+			const [access] = await adminDb
+				.select()
+				.from(userWorkspaces)
+				.where(
+					and(
+						eq(userWorkspaces.userId, decoded.userId),
+						eq(userWorkspaces.workspaceId, workspace.id),
+					),
+				);
+
+			if (!access) {
+				throw new HttpError(403, "You do not have access to this workspace");
+			}
+
+			// Fetch the user
+			const [dbUser] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.id, decoded.userId));
+
+			if (!dbUser) {
+				throw new HttpError(401, "User not found");
+			}
+
+			// Create user object for token
+			const user: __PROJECT_NAME_PASCAL__User = {
+				id: dbUser.id,
+				email: dbUser.email,
+				username: dbUser.username,
+				workspaceId: workspace.id,
+			};
+
+			// Create and set the auth token
+			const token = await authController.createToken(user);
+			authController.setTokenInResponse(ctx, token);
+
+			return {
+				user: {
+					id: user.id,
+					email: user.email,
+					username: user.username,
+				},
+				workspace: {
+					id: workspace.id,
+					slug: workspace.slug,
+					name: workspace.name,
+				},
+			};
+		},
+	}),
+
+	/**
+	 * Legacy Login handler - validates credentials and sets HttpOnly cookie.
+	 * @deprecated Use loginStart and loginComplete for two-step flow
+	 */
+	login: createHttpHandler({
+		endpoint: apiEndpoints.login,
+		handler: async ({ body, ctx }) => {
+			const authController = getAuthController<__PROJECT_NAME_PASCAL__User>(ctx);
+
+			// Look up workspace
+			const [workspace] = await adminDb
+				.select()
+				.from(workspaces)
+				.where(eq(workspaces.slug, body.workspace));
+
+			if (!workspace) {
+				throw new HttpError(404, `Workspace not found: ${body.workspace}`);
+			}
+
+			// Find user by username
+			const [dbUser] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.username, body.username));
+
+			if (!dbUser) {
+				throw new HttpError(401, "Invalid username or password");
+			}
+
+			// Verify password
+			const isValidPassword = await bcrypt.compare(
+				body.password,
+				dbUser.passwordHash,
+			);
+			if (!isValidPassword) {
+				throw new HttpError(401, "Invalid username or password");
+			}
+
+			// Verify user has access to this workspace
+			const [access] = await adminDb
+				.select()
+				.from(userWorkspaces)
+				.where(
+					and(
+						eq(userWorkspaces.userId, dbUser.id),
+						eq(userWorkspaces.workspaceId, workspace.id),
+					),
+				);
+
+			if (!access) {
+				throw new HttpError(403, "You do not have access to this workspace");
+			}
+
+			// Create user object for token
+			const user: __PROJECT_NAME_PASCAL__User = {
+				id: dbUser.id,
+				email: dbUser.email,
+				username: dbUser.username,
+				workspaceId: workspace.id,
+			};
+
+			// Create and set token
+			const token = await authController.createToken(user);
+			authController.setTokenInResponse(ctx, token);
+
+			return {
+				user: {
+					id: user.id,
+					email: user.email,
+					username: user.username,
+				},
+			};
+		},
+	}),
+
+	/** Logout handler - clears the auth cookie. */
+	logout: createHttpHandler({
+		endpoint: apiEndpoints.logout,
+		handler: async ({ ctx }) => {
+			const authController = getAuthController(ctx);
+			authController.clearTokenFromResponse(ctx);
+			return { success: true };
+		},
+	}),
+
+	/** Get current user handler. */
+	getMe: createHttpHandler<
+		typeof apiEndpoints.getMe,
+		"optional",
+		__PROJECT_NAME_PASCAL__User
+	>({
+		endpoint: apiEndpoints.getMe,
+		auth: "optional",
+		handler: async ({ user }) => {
+			if (!user) {
+				return { user: undefined };
+			}
+
+			return {
+				user: {
+					id: user.id,
+					email: user.email,
+					username: user.username,
+				},
+			};
+		},
+	}),
+
+	/** Signup handler - creates a new workspace and admin user. */
+	signup: createHttpHandler({
+		endpoint: apiEndpoints.signup,
+		handler: async ({ body, ctx }) => {
+			const authController = getAuthController<__PROJECT_NAME_PASCAL__User>(ctx);
+
+			// Validate workspace slug format
+			if (!/^[a-z0-9-]+$/.test(body.workspace)) {
+				throw new HttpError(
+					400,
+					"Workspace slug must be lowercase and contain only letters, numbers, and hyphens",
+				);
+			}
+
+			// Check if workspace slug already exists
+			const [existingWorkspace] = await adminDb
+				.select()
+				.from(workspaces)
+				.where(eq(workspaces.slug, body.workspace));
+
+			if (existingWorkspace) {
+				throw new HttpError(409, "Organization slug is already taken");
+			}
+
+			// Check if username already exists
+			const [existingUser] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.username, body.username));
+
+			if (existingUser) {
+				throw new HttpError(409, "Username is already taken");
+			}
+
+			// Check if email already exists
+			const [existingEmail] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.email, body.email));
+
+			if (existingEmail) {
+				throw new HttpError(409, "Email is already registered");
+			}
+
+			// Validate password length
+			if (body.password.length < 8) {
+				throw new HttpError(400, "Password must be at least 8 characters long");
+			}
+
+			// Create the workspace
+			const [newWorkspace] = await adminDb
 				.insert(workspaces)
-				.values({ slug: wsSlug, name: workspaceName || "Default Workspace" })
+				.values({
+					slug: body.workspace,
+					name: body.workspaceName,
+				})
+				.returning();
+
+			// Hash the password
+			const passwordHash = await bcrypt.hash(body.password, 10);
+
+			// Create the admin user
+			const [newUser] = await adminDb
+				.insert(users)
+				.values({
+					email: body.email,
+					username: body.username,
+					passwordHash,
+				})
 				.returning();
-		}
-
-		// Link user to workspace
-		await adminDb.insert(userWorkspaces).values({
-			userId: user.id,
-			workspaceId: workspace.id,
-		});
-
-		const token = authController.generateToken({
-			userId: user.id,
-			workspaceId: workspace.id,
-			username: user.username,
-		});
-
-		return c.json({
-			token,
-			user: { id: user.id, email: user.email, username: user.username },
-			workspace: { id: workspace.id, slug: workspace.slug, name: workspace.name },
-		});
-	},
+
+			// Link user to workspace
+			await adminDb.insert(userWorkspaces).values({
+				userId: newUser.id,
+				workspaceId: newWorkspace.id,
+			});
+
+			// Create user object for token
+			const user: __PROJECT_NAME_PASCAL__User = {
+				id: newUser.id,
+				email: newUser.email,
+				username: newUser.username,
+				workspaceId: newWorkspace.id,
+			};
+
+			// Create and set the auth token
+			const token = await authController.createToken(user);
+			authController.setTokenInResponse(ctx, token);
+
+			return {
+				user: {
+					id: user.id,
+					email: user.email,
+					username: user.username,
+				},
+				workspace: {
+					id: newWorkspace.id,
+					slug: newWorkspace.slug,
+					name: newWorkspace.name,
+				},
+			};
+		},
+	}),
 };

package/templates/backend/src/api/routes/ticket.ts

@@ -1,62 +1,111 @@
+import { createHttpHandler, HttpError } from "@nubase/backend";
 import { eq } from "drizzle-orm";
-import type { Context } from "hono";
+import { apiEndpoints } from "schema";
 import { db } from "../../db/helpers/drizzle";
 import { tickets } from "../../db/schema";
 
 export const ticketHandlers = {
-	async getTickets(c: Context) {
-		const allTickets = await db.select().from(tickets);
-		return c.json(allTickets);
-	},
-
-	async getTicket(c: Context) {
-		const id = Number(c.req.param("id"));
-		const [ticket] = await db.select().from(tickets).where(eq(tickets.id, id));
-
-		if (!ticket) {
-			return c.json({ error: "Ticket not found" }, 404);
-		}
-
-		return c.json(ticket);
-	},
-
-	async postTicket(c: Context) {
-		const body = await c.req.json();
-		const [ticket] = await db
-			.insert(tickets)
-			.values({
-				workspaceId: 1, // TODO: Get from context
-				title: body.title,
-				description: body.description,
-			})
-			.returning();
-
-		return c.json(ticket, 201);
-	},
-
-	async patchTicket(c: Context) {
-		const id = Number(c.req.param("id"));
-		const body = await c.req.json();
-
-		const [ticket] = await db
-			.update(tickets)
-			.set({
-				...body,
+	getTickets: createHttpHandler({
+		endpoint: apiEndpoints.getTickets,
+		handler: async () => {
+			const allTickets = await db.select().from(tickets);
+			return allTickets.map((ticket) => ({
+				id: ticket.id,
+				title: ticket.title,
+				description: ticket.description ?? undefined,
+			}));
+		},
+	}),
+
+	getTicket: createHttpHandler({
+		endpoint: apiEndpoints.getTicket,
+		handler: async ({ params }) => {
+			const [ticket] = await db
+				.select()
+				.from(tickets)
+				.where(eq(tickets.id, params.id));
+
+			if (!ticket) {
+				throw new HttpError(404, "Ticket not found");
+			}
+
+			return {
+				id: ticket.id,
+				title: ticket.title,
+				description: ticket.description ?? undefined,
+			};
+		},
+	}),
+
+	postTicket: createHttpHandler({
+		endpoint: apiEndpoints.postTicket,
+		handler: async ({ body }) => {
+			const [ticket] = await db
+				.insert(tickets)
+				.values({
+					workspaceId: 1, // TODO: Get from context
+					title: body.title,
+					description: body.description,
+				})
+				.returning();
+
+			if (!ticket) {
+				throw new HttpError(500, "Failed to create ticket");
+			}
+
+			return {
+				id: ticket.id,
+				title: ticket.title,
+				description: ticket.description ?? undefined,
+			};
+		},
+	}),
+
+	patchTicket: createHttpHandler({
+		endpoint: apiEndpoints.patchTicket,
+		handler: async ({ params, body }) => {
+			const updateData: { title?: string; description?: string; updatedAt: Date } = {
 				updatedAt: new Date(),
-			})
-			.where(eq(tickets.id, id))
-			.returning();
-
-		if (!ticket) {
-			return c.json({ error: "Ticket not found" }, 404);
-		}
-
-		return c.json(ticket);
-	},
-
-	async deleteTicket(c: Context) {
-		const id = Number(c.req.param("id"));
-		await db.delete(tickets).where(eq(tickets.id, id));
-		return c.json({ success: true });
-	},
+			};
+
+			if (body.title !== undefined) {
+				updateData.title = body.title;
+			}
+			if (body.description !== undefined) {
+				updateData.description = body.description;
+			}
+
+			const [ticket] = await db
+				.update(tickets)
+				.set(updateData)
+				.where(eq(tickets.id, params.id))
+				.returning();
+
+			if (!ticket) {
+				throw new HttpError(404, "Ticket not found");
+			}
+
+			return {
+				id: ticket.id,
+				title: ticket.title,
+				description: ticket.description ?? undefined,
+			};
+		},
+	}),
+
+	deleteTicket: createHttpHandler({
+		endpoint: apiEndpoints.deleteTicket,
+		handler: async ({ params }) => {
+			const [deleted] = await db
+				.delete(tickets)
+				.where(eq(tickets.id, params.id))
+				.returning();
+
+			if (!deleted) {
+				throw new HttpError(404, "Ticket not found");
+			}
+
+			return { success: true };
+		},
+	}),
 };

package/templates/backend/src/auth/index.ts

@@ -1,32 +1,226 @@
+import type {
+	BackendAuthController,
+	BackendUser,
+	TokenPayload,
+	VerifyTokenResult,
+} from "@nubase/backend";
+import { getCookie } from "@nubase/backend";
 import bcrypt from "bcrypt";
+import { and, eq } from "drizzle-orm";
+import type { Context } from "hono";
 import jwt from "jsonwebtoken";
+import { adminDb } from "../db/helpers/drizzle";
+import { users, userWorkspaces } from "../db/schema";
 
-export interface TokenPayload {
-	userId: number;
+/**
+ * User type for __PROJECT_NAME_PASCAL__ application.
+ */
+export interface __PROJECT_NAME_PASCAL__User extends BackendUser {
+	id: number;
+	email: string;
+	username: string;
 	workspaceId: number;
+}
+
+/**
+ * Token payload for __PROJECT_NAME_PASCAL__ JWTs.
+ */
+export interface __PROJECT_NAME_PASCAL__TokenPayload extends TokenPayload {
+	userId: number;
 	username: string;
+	workspaceId: number;
 }
 
-const JWT_SECRET = process.env.JWT_SECRET || "your-secret-key";
+// Configuration
+const JWT_SECRET =
+	process.env.JWT_SECRET || "nubase-dev-secret-change-in-production";
+const JWT_EXPIRY = "1h";
+const COOKIE_NAME = "nubase_auth";
+
+/**
+ * __PROJECT_NAME_PASCAL__-specific implementation of BackendAuthController.
+ * Handles JWT-based authentication using HttpOnly cookies.
+ */
+export class __PROJECT_NAME_PASCAL__AuthController
+	implements
+		BackendAuthController<
+			__PROJECT_NAME_PASCAL__User,
+			__PROJECT_NAME_PASCAL__TokenPayload
+		>
+{
+	/**
+	 * Extract the authentication token from the request.
+	 */
+	extractToken(ctx: Context): string | null {
+		// Check Authorization header first (Bearer token)
+		const authHeader = ctx.req.header("Authorization");
+		if (authHeader?.startsWith("Bearer ")) {
+			return authHeader.slice(7);
+		}
 
-export class __PROJECT_NAME_PASCAL__AuthController {
-	async hashPassword(password: string): Promise<string> {
-		return bcrypt.hash(password, 10);
+		// Fall back to cookie
+		const cookieHeader = ctx.req.header("Cookie") || "";
+		return getCookie(cookieHeader, COOKIE_NAME);
 	}
 
-	async verifyPassword(password: string, hash: string): Promise<boolean> {
-		return bcrypt.compare(password, hash);
+	/**
+	 * Verify a JWT token and return the authenticated user.
+	 */
+	async verifyToken(
+		token: string,
+	): Promise<VerifyTokenResult<__PROJECT_NAME_PASCAL__User>> {
+		try {
+			// Verify JWT signature and expiration
+			const decoded = jwt.verify(
+				token,
+				JWT_SECRET,
+			) as __PROJECT_NAME_PASCAL__TokenPayload;
+
+			// Fetch user from database to ensure they still exist
+			const [dbUser] = await adminDb
+				.select()
+				.from(users)
+				.where(eq(users.id, decoded.userId));
+
+			if (!dbUser) {
+				return { valid: false, error: "User not found" };
+			}
+
+			// Verify user still has access to the workspace in the token
+			const [access] = await adminDb
+				.select()
+				.from(userWorkspaces)
+				.where(
+					and(
+						eq(userWorkspaces.userId, decoded.userId),
+						eq(userWorkspaces.workspaceId, decoded.workspaceId),
+					),
+				);
+
+			if (!access) {
+				return {
+					valid: false,
+					error: "User no longer has access to this workspace",
+				};
+			}
+
+			return {
+				valid: true,
+				user: {
+					id: dbUser.id,
+					email: dbUser.email,
+					username: dbUser.username,
+					workspaceId: decoded.workspaceId,
+				},
+			};
+		} catch (error) {
+			if (error instanceof jwt.TokenExpiredError) {
+				return { valid: false, error: "Token expired" };
+			}
+			if (error instanceof jwt.JsonWebTokenError) {
+				return { valid: false, error: "Invalid token" };
+			}
+			return {
+				valid: false,
+				error:
+					error instanceof Error ? error.message : "Token verification failed",
+			};
+		}
 	}
 
-	generateToken(payload: TokenPayload): string {
-		return jwt.sign(payload, JWT_SECRET, { expiresIn: "7d" });
+	/**
+	 * Create a JWT token for a user.
+	 */
+	async createToken(
+		user: __PROJECT_NAME_PASCAL__User,
+		additionalPayload?: Partial<__PROJECT_NAME_PASCAL__TokenPayload>,
+	): Promise<string> {
+		const payload: __PROJECT_NAME_PASCAL__TokenPayload = {
+			userId: user.id,
+			username: user.username,
+			workspaceId: user.workspaceId,
+			...additionalPayload,
+		};
+
+		return jwt.sign(payload, JWT_SECRET, { expiresIn: JWT_EXPIRY });
 	}
 
-	verifyToken(token: string): TokenPayload | null {
-		try {
-			return jwt.verify(token, JWT_SECRET) as TokenPayload;
-		} catch {
+	/**
+	 * Set the authentication token in an HttpOnly cookie.
+	 */
+	setTokenInResponse(ctx: Context, token: string): void {
+		ctx.header(
+			"Set-Cookie",
+			`${COOKIE_NAME}=${token}; HttpOnly; Path=/; SameSite=None; Secure; Max-Age=3600`,
+		);
+	}
+
+	/**
+	 * Clear the authentication cookie.
+	 */
+	clearTokenFromResponse(ctx: Context): void {
+		ctx.header(
+			"Set-Cookie",
+			`${COOKIE_NAME}=; HttpOnly; Path=/; SameSite=None; Secure; Max-Age=0`,
+		);
+	}
+
+	/**
+	 * Validate user credentials during login.
+	 */
+	async validateCredentials(
+		username: string,
+		password: string,
+		workspaceId?: number,
+	): Promise<__PROJECT_NAME_PASCAL__User | null> {
+		if (workspaceId === undefined) {
+			throw new Error(
+				"workspaceId is required for multi-workspace authentication",
+			);
+		}
+
+		// Find user by username
+		const [dbUser] = await adminDb
+			.select()
+			.from(users)
+			.where(eq(users.username, username));
+
+		if (!dbUser) {
+			return null;
+		}
+
+		// Verify password
+		const isValidPassword = await bcrypt.compare(password, dbUser.passwordHash);
+		if (!isValidPassword) {
+			return null;
+		}
+
+		// Check if user has access to the workspace
+		const [access] = await adminDb
+			.select()
+			.from(userWorkspaces)
+			.where(
+				and(
+					eq(userWorkspaces.userId, dbUser.id),
+					eq(userWorkspaces.workspaceId, workspaceId),
+				),
+			);
+
+		if (!access) {
 			return null;
 		}
+
+		return {
+			id: dbUser.id,
+			email: dbUser.email,
+			username: dbUser.username,
+			workspaceId: workspaceId,
+		};
 	}
 }
+
+/**
+ * Singleton instance of the auth controller.
+ */
+export const __PROJECT_NAME_CAMEL__AuthController =
+	new __PROJECT_NAME_PASCAL__AuthController();

package/templates/backend/src/index.ts

@@ -1,9 +1,13 @@
 import { serve } from "@hono/node-server";
+import { createAuthMiddleware, registerHandlers } from "@nubase/backend";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { ticketHandlers } from "./api/routes/ticket";
 import { authHandlers } from "./api/routes/auth";
-import { workspaceMiddleware } from "./middleware/workspace-middleware";
+import {
+	createPostAuthWorkspaceMiddleware,
+	createWorkspaceMiddleware,
+} from "./middleware/workspace-middleware";
 import { __PROJECT_NAME_PASCAL__AuthController } from "./auth";
 import { loadEnv } from "./helpers/env";
 
@@ -12,38 +16,39 @@ loadEnv();
 
 const app = new Hono();
 
+// Auth controller
+const authController = new __PROJECT_NAME_PASCAL__AuthController();
+
 // CORS configuration
 app.use(
 	"*",
 	cors({
-		origin: ["http://localhost:__FRONTEND_PORT__"],
+		origin: (origin) => {
+			// Allow localhost origins
+			if (origin?.match(/^http:\/\/localhost(:\d+)?$/)) {
+				return origin;
+			}
+			return null;
+		},
 		credentials: true,
 	}),
 );
 
-// Workspace middleware (extracts workspace from path)
-app.use("/:workspace/*", workspaceMiddleware);
+// Workspace middleware - handles login path (gets workspace from body)
+app.use("*", createWorkspaceMiddleware());
 
-// Auth controller
-const authController = new __PROJECT_NAME_PASCAL__AuthController();
+// Auth middleware - extracts and verifies JWT, sets user in context
+app.use("*", createAuthMiddleware({ controller: authController }));
+
+// Post-auth workspace middleware - sets context from authenticated user's workspace
+app.use("*", createPostAuthWorkspaceMiddleware());
+
+// Root route
+app.get("/", (c) => c.json({ message: "Welcome to __PROJECT_NAME_PASCAL__ API" }));
 
-// Routes
-app.get("/:workspace", (c) => c.json({ message: "Welcome to __PROJECT_NAME_PASCAL__ API" }));
-
-// Auth routes
-app.post("/:workspace/auth/login/start", authHandlers.loginStart);
-app.post("/:workspace/auth/login/complete", authHandlers.loginComplete);
-app.post("/:workspace/auth/login", authHandlers.login);
-app.post("/:workspace/auth/logout", authHandlers.logout);
-app.get("/:workspace/auth/me", authHandlers.getMe);
-app.post("/:workspace/auth/signup", authHandlers.signup);
-
-// Ticket routes
-app.get("/:workspace/tickets", ticketHandlers.getTickets);
-app.get("/:workspace/tickets/:id", ticketHandlers.getTicket);
-app.post("/:workspace/tickets", ticketHandlers.postTicket);
-app.patch("/:workspace/tickets/:id", ticketHandlers.patchTicket);
-app.delete("/:workspace/tickets/:id", ticketHandlers.deleteTicket);
+// Register all handlers - path and method extracted from endpoint metadata
+registerHandlers(app, authHandlers);
+registerHandlers(app, ticketHandlers);
 
 const port = Number(process.env.PORT) || __BACKEND_PORT__;
 

package/templates/backend/src/middleware/workspace-middleware.ts

@@ -1,11 +1,97 @@
-import type { Context, Next } from "hono";
+import { eq } from "drizzle-orm";
+import { createMiddleware } from "hono/factory";
+import { db } from "../db/helpers/drizzle";
+import { workspaces } from "../db/schema";
 
-export async function workspaceMiddleware(c: Context, next: Next) {
-	const workspace = c.req.param("workspace");
+export interface Workspace {
+	id: number;
+	slug: string;
+	name: string;
+}
+
+// Paths that don't require a workspace to exist (for bootstrapping and health checks)
+const WORKSPACE_BYPASS_PATHS = ["/"];
+
+// Paths where workspace comes from request body (login) instead of JWT
+const WORKSPACE_FROM_BODY_PATHS = ["/auth/login"];
+
+/**
+ * Workspace middleware for path-based multi-workspace.
+ *
+ * For most authenticated requests, the workspace is identified from the JWT token.
+ * For login requests, the workspace slug is provided in the request body.
+ */
+export function createWorkspaceMiddleware() {
+	return createMiddleware<{ Variables: { workspace: Workspace } }>(
+		async (c, next) => {
+			const path = c.req.path;
+
+			// Allow certain paths to bypass workspace check (for bootstrapping)
+			if (WORKSPACE_BYPASS_PATHS.includes(path)) {
+				return next();
+			}
+
+			// For login, workspace will be handled by the login handler itself
+			if (WORKSPACE_FROM_BODY_PATHS.includes(path)) {
+				return next();
+			}
+
+			// For other paths, workspace will be set from JWT by auth middleware
+			return next();
+		},
+	);
+}
+
+/**
+ * Post-auth middleware that sets context based on authenticated user's workspace.
+ * This should run after the auth middleware.
+ */
+export function createPostAuthWorkspaceMiddleware() {
+	return createMiddleware<{
+		Variables: { workspace: Workspace; user: { workspaceId: number } | null };
+	}>(async (c, next) => {
+		const path = c.req.path;
+
+		// Skip for bypass paths and login (already handled)
+		if (
+			WORKSPACE_BYPASS_PATHS.includes(path) ||
+			WORKSPACE_FROM_BODY_PATHS.includes(path)
+		) {
+			return next();
+		}
+
+		// If workspace is already set, skip
+		const existingWorkspace = c.get("workspace");
+		if (existingWorkspace) {
+			return next();
+		}
+
+		// Get user from auth middleware
+		const user = c.get("user");
+
+		if (!user || !user.workspaceId) {
+			// No authenticated user - proceed without workspace context
+			return next();
+		}
+
+		// Look up workspace from user's workspaceId
+		const workspaceRows = await db
+			.select()
+			.from(workspaces)
+			.where(eq(workspaces.id, user.workspaceId));
+
+		if (workspaceRows.length === 0) {
+			return c.json({ error: "User's workspace not found" }, 500);
+		}
+
+		const workspace = {
+			id: workspaceRows[0].id,
+			slug: workspaceRows[0].slug,
+			name: workspaceRows[0].name,
+		};
 
-	if (workspace) {
 		c.set("workspace", workspace);
-	}
 
-	await next();
+		return next();
+	});
 }

package/templates/frontend/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "__PROJECT_NAME__-frontend",
+  "name": "frontend",
   "private": true,
   "version": "0.1.0",
   "type": "module",
@@ -19,7 +19,7 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "tailwindcss": "^4.1.18",
-    "__PROJECT_NAME__-schema": "*"
+    "schema": "*"
   },
   "devDependencies": {
     "@types/react": "^19.0.10",

package/templates/frontend/src/config.tsx

@@ -1,7 +1,7 @@
 import type { NubaseFrontendConfig } from "@nubase/frontend";
 import { defaultKeybindings, resourceLink } from "@nubase/frontend";
 import { Home, TicketIcon } from "lucide-react";
-import { apiEndpoints } from "__PROJECT_NAME__-schema";
+import { apiEndpoints } from "schema";
 import { __PROJECT_NAME_PASCAL__AuthController } from "./auth/__PROJECT_NAME_PASCAL__AuthController";
 import { ticketResource } from "./resources/ticket";
 

package/templates/frontend/src/resources/ticket.ts

@@ -1,5 +1,5 @@
 import { createResource } from "@nubase/frontend";
-import { apiEndpoints } from "__PROJECT_NAME__-schema";
+import { apiEndpoints } from "schema";
 
 export const ticketResource = createResource("ticket")
 	.withApiEndpoints(apiEndpoints)

package/templates/root/README.md

@@ -49,10 +49,10 @@ The application will be available at:
 
 ```
 __PROJECT_NAME__/
-├── __PROJECT_NAME__-schema/    # Shared API schemas and types
-├── __PROJECT_NAME__-backend/   # Node.js backend (Hono + PostgreSQL)
-├── __PROJECT_NAME__-frontend/  # React frontend (Vite + Nubase)
-└── package.json                # Root workspace configuration
+├── schema/      # Shared API schemas and types
+├── backend/     # Node.js backend (Hono + PostgreSQL)
+├── frontend/    # React frontend (Vite + Nubase)
+└── package.json # Root workspace configuration
 ```
 
 ## Available Scripts

package/templates/root/package.json

@@ -4,17 +4,17 @@
   "private": true,
   "type": "module",
   "workspaces": [
-    "__PROJECT_NAME__-schema",
-    "__PROJECT_NAME__-backend",
-    "__PROJECT_NAME__-frontend"
+    "schema",
+    "backend",
+    "frontend"
   ],
   "scripts": {
     "dev": "turbo run dev",
     "build": "turbo run build",
-    "db:up": "cd __PROJECT_NAME__-backend && npm run db:dev:up",
-    "db:down": "cd __PROJECT_NAME__-backend && npm run db:dev:down",
-    "db:kill": "cd __PROJECT_NAME__-backend && npm run db:dev:kill",
-    "db:seed": "cd __PROJECT_NAME__-backend && npm run db:seed",
+    "db:up": "cd backend && npm run db:dev:up",
+    "db:down": "cd backend && npm run db:dev:down",
+    "db:seed": "cd backend && npm run db:dev:seed",
+    "db:reset": "cd backend && npm run db:dev:reset",
     "typecheck": "turbo run typecheck",
     "lint": "turbo run lint",
     "lint:fix": "turbo run lint:fix"

package/templates/schema/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "__PROJECT_NAME__-schema",
+  "name": "schema",
   "version": "0.1.0",
   "description": "Schema for __PROJECT_NAME_PASCAL__",
   "type": "module",