@plyaz/auth 1.0.0

package/src/server/middleware/auth.middleware.ts

@@ -0,0 +1,46 @@
+import type { NestMiddleware } from "@nestjs/common";
+import { Injectable } from "@nestjs/common";
+import type { Request, Response, NextFunction } from "express";
+
+/**
+ * Extends the Express Request object to include `sessionId`.
+ */
+export interface AuthRequest extends Request {
+  /** Optional session ID extracted from cookies or headers */
+  sessionId?: string;
+}
+
+/**
+ * Middleware to extract the session ID from incoming requests.
+ *
+ * This middleware does **not validate** the session.  
+ * It only reads the session ID from:
+ *  - Cookies (`session_id`)  
+ *  - Headers (`x-session-id`)  
+ * and attaches it to `req.sessionId` for use in guards or controllers.
+ *
+ * @example
+ * // Access sessionId in a controller or guard
+ * const sessionId = req.sessionId;
+ */
+@Injectable()
+export class AuthMiddleware implements NestMiddleware {
+  /**
+   * Extracts session ID from cookies or headers and attaches it to the request object.
+   *
+   * @param req - Express request object
+   * @param res - Express response object
+   * @param next - Function to pass control to the next middleware
+   */
+  use(req: AuthRequest, res: Response, next: NextFunction):void {
+    // Read session cookie (or header)
+    const sessionId = req.cookies?.session_id ?? req.headers["x-session-id"];
+
+    // Just attach it — NO validation
+    if (sessionId) {
+      req.sessionId = String(sessionId);
+    }
+
+    next();
+  }
+}

package/src/server/middleware/index.ts

@@ -0,0 +1,2 @@
+export { SessionMiddleware } from "./session.middleware";
+export { AuthMiddleware } from "./auth.middleware";

package/src/server/middleware/middleware.ts

@@ -0,0 +1,11 @@
+// The `config` object is a Next.js feature used to configure the middleware.
+export const config = {
+  // `matcher` is an array of paths that the middleware should run on.
+  // It's a powerful tool for specifying exactly which routes need to be
+  // protected or have authentication checked.
+  matcher: [
+    "/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)",
+    "/api/(.*)",
+    "/trpc/(.*)",
+  ],
+};

package/src/server/middleware/session.middleware.ts

@@ -0,0 +1,255 @@
+/**
+ * @fileoverview Session middleware for @plyaz/auth
+ * @module @plyaz/auth/server/middleware/session-middleware
+ *
+ * @description
+ * NestJS middleware for session refresh management. Checks if access token
+ * is close to expiry and auto-refreshes if refresh token is valid.
+ * Sets new tokens in response cookies for seamless user experience.
+ *
+ * @example
+ * ```typescript
+ * import { SessionMiddleware } from '@plyaz/auth';
+ *
+ * @Module({
+ *   providers: [SessionMiddleware]
+ * })
+ * export class AppModule implements NestModule {
+ *   configure(consumer: MiddlewareConsumer) {
+ *     consumer.apply(SessionMiddleware).forRoutes('*');
+ *   }
+ * }
+ * ```
+ */
+
+import type { NestMiddleware } from "@nestjs/common";
+import { Injectable, Logger } from "@nestjs/common";
+import type { Request, Response, NextFunction } from "express";
+import type { TokenService } from "../services/token.service";
+import type { SessionService } from "../services/session.service";
+import { NUMERIX } from "@plyaz/config";
+
+/**
+ * Session middleware configuration
+ */
+interface SessionMiddlewareConfig {
+  /** Refresh threshold in seconds (default: 300 = 5 minutes) */
+  refreshThreshold: number;
+  /** Cookie options for tokens */
+  cookieOptions: {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: "strict" | "lax" | "none";
+    path: string;
+  };
+}
+
+/**
+ * Session middleware implementation
+ * Manages session refresh and token rotation
+ */
+@Injectable()
+export class SessionMiddleware implements NestMiddleware {
+  private readonly logger = new Logger(SessionMiddleware.name);
+  private readonly config: SessionMiddlewareConfig;
+
+  constructor(
+    private tokenService: TokenService,
+    private sessionService: SessionService
+  ) {
+    this.config = {
+      refreshThreshold: 300, // 5 minutes
+      cookieOptions: {
+        httpOnly: true,
+        secure: globalThis.process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/",
+      },
+    };
+  }
+
+  /**
+   * Middleware function to handle session refresh
+   * @param req - HTTP request
+   * @param res - HTTP response
+   * @param next - Next function
+   */
+  async use(req: Request, res: Response, next: NextFunction): Promise<void> {
+    try {
+      const accessToken = this.extractAccessToken(req);
+      const refreshToken = this.extractRefreshToken(req);
+
+      if (!accessToken || !refreshToken) {
+        // No tokens present, continue without refresh
+        return next();
+      }
+
+      // Check if access token needs refresh
+      const shouldRefresh = await this.shouldRefreshToken(accessToken);
+
+      if (shouldRefresh) {
+        await this.refreshTokens(req, res, refreshToken);
+      }
+
+      next();
+    } catch (error) {
+      this.logger.error("Session middleware error", error);
+      // Don't block the request on refresh errors
+      next();
+    }
+  }
+
+  /**
+   * Check if token should be refreshed
+   * @param accessToken - Access token to check
+   * @returns True if token should be refreshed
+   * @private
+   */
+  private async shouldRefreshToken(accessToken: string): Promise<boolean> {
+    try {
+      const timeUntilExpiry =
+        this.tokenService.getTimeUntilExpiration(accessToken);
+
+      if (timeUntilExpiry === null) {
+        return false; // Invalid token, don't refresh
+      }
+
+      // Refresh if token expires within threshold
+      return timeUntilExpiry <= this.config.refreshThreshold;
+    } catch (error) {
+      this.logger.debug("Error checking token expiry", error);
+      return false;
+    }
+  }
+
+  /**
+   * Refresh tokens and update cookies
+   * @param req - HTTP request
+   * @param res - HTTP response
+   * @param refreshToken - Refresh token
+   * @private
+   */
+  private async refreshTokens(
+    req: Request,
+    res: Response,
+    refreshToken: string
+  ): Promise<void> {
+    try {
+      this.logger.debug("Refreshing tokens");
+
+      // Validate refresh token first
+      const validationResult =
+        await this.tokenService.validateRefreshToken(refreshToken);
+
+      if (!validationResult.valid) {
+        this.logger.warn("Invalid refresh token, clearing cookies");
+        this.clearTokenCookies(res);
+        return;
+      }
+
+      // Get user roles and permissions for new tokens
+      const payload = validationResult.payload;
+      const userRoles = payload?.roles;
+      const userPermissions = payload?.permissions;
+
+      // Generate new token pair
+      const tokenPair = await this.tokenService.refreshTokenPair(
+        refreshToken,
+        userRoles,
+        userPermissions
+      );
+
+      // Set new tokens in cookies
+      this.setTokenCookies(res, tokenPair.accessToken, tokenPair.refreshToken);
+
+      // Update request with new access token for downstream handlers
+      this.updateRequestToken(req, tokenPair.accessToken);
+
+      this.logger.log("Tokens refreshed successfully");
+    } catch (error) {
+      this.logger.error("Failed to refresh tokens", error);
+      // Clear invalid tokens
+      this.clearTokenCookies(res);
+    }
+  }
+
+  /**
+   * Extract access token from request
+   * @param req - HTTP request
+   * @returns Access token or null
+   * @private
+   */
+  private extractAccessToken(req: Request): string | null {
+    // Check Authorization header first
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const seven = 7;
+      return authHeader.substring(seven);
+    }
+
+    // Check cookies
+    return req.cookies?.accessToken ?? null;
+  }
+
+  /**
+   * Extract refresh token from request
+   * @param req - HTTP request
+   * @returns Refresh token or null
+   * @private
+   */
+  private extractRefreshToken(req: Request): string | null {
+    return req.cookies?.refreshToken ?? null;
+  }
+
+  /**
+   * Set token cookies in response
+   * @param res - HTTP response
+   * @param accessToken - Access token
+   * @param refreshToken - Refresh token
+   * @private
+   */
+  private setTokenCookies(
+    res: Response,
+    accessToken: string,
+    refreshToken: string
+  ): void {
+    const fifteen = 15;
+    // Set access token cookie (shorter expiry)
+    res.cookie("accessToken", accessToken, {
+      ...this.config.cookieOptions,
+      maxAge: fifteen * NUMERIX.SIXTY * NUMERIX.THOUSAND, // 15 minutes
+    });
+    const seven = 7;
+    // Set refresh token cookie (longer expiry)
+    res.cookie("refreshToken", refreshToken, {
+      ...this.config.cookieOptions,
+      maxAge:
+        seven *
+        NUMERIX.TWENTY_FOUR *
+        NUMERIX.SIXTY *
+        NUMERIX.SIXTY *
+        NUMERIX.THOUSAND, // 7 days
+    });
+  }
+
+  /**
+   * Clear token cookies from response
+   * @param res - HTTP response
+   * @private
+   */
+  private clearTokenCookies(res: Response): void {
+    res.clearCookie("accessToken", this.config.cookieOptions);
+    res.clearCookie("refreshToken", this.config.cookieOptions);
+  }
+
+  /**
+   * Update request with new access token
+   * @param req - HTTP request
+   * @param accessToken - New access token
+   * @private
+   */
+  private updateRequestToken(req: Request, accessToken: string): void {
+    // Update Authorization header for downstream handlers
+    req.headers.authorization = `Bearer ${accessToken}`;
+  }
+}

package/src/server/services/account.service.ts

@@ -0,0 +1,269 @@
+/**
+ * @fileoverview Account service for @plyaz/auth
+ * @module @plyaz/auth/server/services/account-service
+ * 
+ * @description
+ * NestJS service for connected account management operations.
+ * Provides high-level operations for linking/unlinking provider accounts,
+ * managing primary accounts, and handling account-related business logic.
+ * 
+ * @example
+ * ```typescript
+ * import { AccountService } from '@plyaz/auth';
+ * 
+ * @Controller('accounts')
+ * export class AccountsController {
+ *   constructor(private accountService: AccountService) {}
+ * 
+ *   @Post('link')
+ *   async linkAccount(@Body() data, @CurrentUser() user) {
+ *     return await this.accountService.link(user.id, data.provider, data);
+ *   }
+ * }
+ * ```
+ */
+
+import { Injectable, Logger } from '@nestjs/common';
+import type { ConnectedAccountRepository } from '../../db/repositories/connected-account.repository';
+
+import type { ConnectedAccount } from '@plyaz/types';
+import { AUTH_EVENTS } from '@plyaz/types';
+
+/**
+ * Account service implementation
+ * Provides connected account management operations for NestJS applications
+ */
+@Injectable()
+export class AccountService {
+  private readonly logger = new Logger(AccountService.name);
+
+  constructor(private accountRepository: ConnectedAccountRepository) {}
+
+  /**
+   * Link account to user
+   * INSERT new connected account and emit account.linked event
+   * @param userId - User identifier
+   * @param provider - Provider name
+   * @param providerData - Provider account data
+   * @returns Created connected account
+   */
+
+  async link(userId: string, provider: string, providerData: ConnectedAccount): Promise<ConnectedAccount> {
+    this.logger.debug(`Linking ${provider} account for user: ${userId}`);
+    
+    try {
+     
+
+      // Link the account
+      const connectedAccount = await this.accountRepository.linkAccount(
+        userId,
+        provider,
+        providerData
+      );
+      
+      this.logger.log(`${provider} account linked for user: ${userId}`);
+      this.emitEvent(AUTH_EVENTS.ACCOUNT_LINKED, {
+        userId,
+        provider,
+        accountId: connectedAccount.id,
+        timestamp: new Date()
+      });
+      
+      return connectedAccount;
+    } catch (error) {
+      this.logger.error(`Failed to link ${provider} account for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Unlink account from user
+   * DELETE connected account with validation and emit account.unlinked event
+   * @param userId - User identifier
+   * @param accountId - Account identifier
+   */
+  async unlink(userId: string, accountId: string): Promise<void> {
+    this.logger.debug(`Unlinking account ${accountId} for user: ${userId}`);
+    
+    try {
+      // Get account details
+      const account = await this.accountRepository.findById(accountId);
+      if (!account) {
+        // throw new UserNotFoundError('Connected account not found');
+      }
+
+      // Verify account belongs to user
+      if (account?.userId !== userId) {
+        throw new Error('Account does not belong to user');
+      }
+
+      // Unlink the account (includes validation for last auth method)
+      await this.accountRepository.unlinkAccount(accountId);
+      
+      this.logger.log(`Account ${accountId} unlinked for user: ${userId}`);
+      this.emitEvent(AUTH_EVENTS.ACCOUNT_UNLINKED, {
+        userId,
+        provider: account?.provider,
+        accountId,
+        timestamp: new Date()
+      });
+    } catch (error) {
+      this.logger.error(`Failed to unlink account ${accountId} for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Get all connected accounts for user
+   * @param userId - User identifier
+   * @returns Array of connected accounts
+   */
+  async getAll(userId: string): Promise<ConnectedAccount[]> {
+    this.logger.debug(`Getting all accounts for user: ${userId}`);
+    
+    try {
+      return await this.accountRepository.findByUserId(userId);
+    } catch (error) {
+      this.logger.error(`Failed to get accounts for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Set primary connected account
+   * @param userId - User identifier
+   * @param accountId - Account identifier to set as primary
+   */
+  async setPrimary(userId: string, accountId: string): Promise<void> {
+    this.logger.debug(`Setting primary account ${accountId} for user: ${userId}`);
+    
+    try {
+      // Verify account belongs to user
+      const account = await this.accountRepository.findById(accountId);
+      if (account?.userId !== userId) {
+        throw new Error('Account not found or does not belong to user');
+      }
+
+      // Set as primary
+      await this.accountRepository.setPrimary(userId, accountId);
+      
+      this.logger.log(`Primary account set to ${accountId} for user: ${userId}`);
+    } catch (error) {
+      this.logger.error(`Failed to set primary account ${accountId} for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Get primary connected account for user
+   * @param userId - User identifier
+   * @returns Primary connected account or null
+   */
+  async getPrimary(userId: string): Promise<ConnectedAccount | null> {
+    this.logger.debug(`Getting primary account for user: ${userId}`);
+    
+    try {
+      return await this.accountRepository.findPrimary(userId);
+    } catch (error) {
+      this.logger.error(`Failed to get primary account for user: ${userId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Find account by provider credentials
+   * @param provider - Provider name
+   * @param providerAccountId - Provider account ID
+   * @returns Connected account or null
+   */
+  async findByProvider(provider: string, providerAccountId: string): Promise<ConnectedAccount | null> {
+    this.logger.debug(`Finding account by provider: ${provider}, ID: ${providerAccountId}`);
+    
+    try {
+      return await this.accountRepository.findByProvider(provider, providerAccountId);
+    } catch (error) {
+      this.logger.error(`Failed to find account by provider: ${provider}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Update account tokens
+   * @param accountId - Account identifier
+   * @param accessToken - New access token
+   * @param refreshToken - New refresh token (optional)
+   */
+  async updateTokens(accountId: string, accessToken: string, refreshToken?: string): Promise<void> {
+    this.logger.debug(`Updating tokens for account: ${accountId}`);
+    
+    try {
+      await this.accountRepository.updateTokens(accountId, accessToken, refreshToken);
+      this.logger.log(`Tokens updated for account: ${accountId}`);
+    } catch (error) {
+      this.logger.error(`Failed to update tokens for account: ${accountId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Get account by ID
+   * @param accountId - Account identifier
+   * @returns Connected account or null
+   */
+  async getById(accountId: string): Promise<ConnectedAccount | null> {
+    this.logger.debug(`Getting account by ID: ${accountId}`);
+    
+    try {
+      return await this.accountRepository.findById(accountId);
+    } catch (error) {
+      this.logger.error(`Failed to get account by ID: ${accountId}`, error);
+      throw error;
+    }
+  }
+
+  /**
+   * Check if user has account with provider
+   * @param userId - User identifier
+   * @param provider - Provider name
+   * @returns True if user has account with provider
+   */
+  async hasProviderAccount(userId: string, provider: string): Promise<boolean> {
+    this.logger.debug(`Checking if user ${userId} has ${provider} account`);
+    
+    try {
+      const accounts = await this.accountRepository.findByUserId(userId);
+      return accounts.some(account => account.provider === provider && account.isActive);
+    } catch (error) {
+      this.logger.error(`Failed to check provider account for user: ${userId}`, error);
+      return false;
+    }
+  }
+
+  /**
+   * Get account count for user
+   * @param userId - User identifier
+   * @returns Number of connected accounts
+   */
+  async getAccountCount(userId: string): Promise<number> {
+    this.logger.debug(`Getting account count for user: ${userId}`);
+    
+    try {
+      const accounts = await this.accountRepository.findByUserId(userId);
+      return accounts.filter(account => account.isActive).length;
+    } catch (error) {
+      this.logger.error(`Failed to get account count for user: ${userId}`, error);
+      return 0;
+    }
+  }
+
+  /**
+   * Emit event (mock implementation)
+   * @param eventType - Event type
+   * @param payload - Event payload
+   * @private
+   */
+  private emitEvent(eventType: string, payload: unknown): void {
+    // Mock event emission - in real implementation would use event system
+    this.logger.debug(`Event: ${eventType}`, payload);
+  }
+}

package/src/server/services/auth.service.ts

@@ -0,0 +1,79 @@
+import { Injectable } from '@nestjs/common';
+
+import type { SessionManager } from '../../core/session/session.manager';
+import type { TraditionalAuthStrategy } from '../../strategies/traditional-auth.strategy';
+import type { OAuthStrategy, OAuthProfile } from '../../strategies/oauth.strategy';
+import type { UserRepository } from '../../db/repositories/user.repository';
+import type { User, AuthTokens } from '../../common/types/auth.types';
+import type { Session } from '@plyaz/types';
+import type { JwtManager } from '@/core/jwt/jwt.manager';
+
+
+@Injectable()
+export class AuthService {
+  // eslint-disable-next-line max-params
+  constructor(
+    private jwtManager:JwtManager,
+    private sessionManager: SessionManager,
+    private traditionalAuth: TraditionalAuthStrategy,
+    private oauthAuth: OAuthStrategy,
+    private userRepo: UserRepository
+  ) {}
+
+  async signIn(email: string, password: string, deviceInfo: Record<string,unknown>): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
+    const user = await this.traditionalAuth.authenticate(email, password);
+    const session = await this.sessionManager.createSession(user.id, deviceInfo);
+    const tokens = this.jwtManager.generateTokens(user);
+    
+    await this.userRepo.updateLastLogin(user.id);
+    
+    return { user, tokens: { ...tokens, refreshToken: tokens.refreshToken ?? '' }, session };
+  }
+
+  async signUp(userData: Partial<User>, password: string): Promise<User> {
+    const passwordHash = await this.traditionalAuth.hashPassword(password);
+    
+    return this.userRepo.create({
+      email: userData.email!,
+      displayName: userData.displayName!,
+      passwordHash,
+      authProvider: 'email',
+      isActive: true,
+      ...userData,
+    });
+  }
+
+  async signOut(sessionId: string): Promise<void> {
+    await this.sessionManager.invalidateSession(sessionId);
+  }
+
+  async signOutAll(userId: string): Promise<void> {
+    await this.sessionManager.invalidateAllUserSessions(userId);
+  }
+
+  async refreshToken(refreshToken: string): Promise<AuthTokens> {
+    const payload = this.jwtManager.verifyRefreshToken(refreshToken);
+    const user = await this.userRepo.findById(payload.sub);
+    
+    if (!user?.isActive) {
+      throw new Error('Invalid refresh token');
+    }
+
+    const tokens = this.jwtManager.generateTokens(user);
+    return { ...tokens, refreshToken: tokens.refreshToken ?? '' };
+  }
+
+  async validateUser(userId: string): Promise<User | null> {
+    return this.userRepo.findById(userId);
+  }
+
+  async oauthSignIn(profile: OAuthProfile, accessToken: string, refreshToken?: string, deviceInfo?: Record<string,unknown>): Promise<{ user: User; tokens: AuthTokens; session: Session }> {
+    const user = await this.oauthAuth.authenticate(profile, accessToken, refreshToken);
+    const session = await this.sessionManager.createSession(user.id, deviceInfo ?? {});
+    const tokens = this.jwtManager.generateTokens(user);
+    
+    await this.userRepo.updateLastLogin(user.id);
+    
+    return { user, tokens: { ...tokens, refreshToken: tokens.refreshToken ?? '' }, session };
+  }
+}