@restforgejs/platform 5.2.12 → 5.2.16

package/generators/lib/auth/processor-generator.js

@@ -0,0 +1,55 @@
+'use strict';
+
+/**
+ * Generator processor auth (Fungsi 3b). Merender keenam aset template di
+ * `templates/processor/` via template-renderer (Phase 03), lalu menulis ke
+ * lokasi target memakai writeFileWithBackup — perilaku force/skip identik
+ * Fungsi 1/3a: tanpa --force file existing di-skip, dengan --force
+ * di-overwrite + backup.
+ *
+ * `google.js` TIDAK disertakan (keputusan #5 campaign).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { renderTemplate } = require('./template-renderer');
+const FileUtils = require('../utils/file-utils');
+const { AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE, AUTH_MIDDLEWARE_NAME } = require('./prefix');
+
+const TEMPLATES_DIR = path.join(__dirname, 'templates', 'processor');
+
+const PROCESSOR_NAMES = ['register', 'login', 'refresh', 'logout', 'me', 'reset-password'];
+
+const PARAMS = {
+    AUTH_USER_TABLE,
+    AUTH_REFRESH_TOKEN_TABLE,
+    AUTH_MIDDLEWARE_NAME
+};
+
+/**
+ * @param {{ processorDir: string, force?: boolean }} options
+ * @returns {{ written: string[], skipped: string[] }}
+ */
+function generateAuthProcessors({ processorDir, force = false }) {
+    const written = [];
+    const skipped = [];
+
+    for (const name of PROCESSOR_NAMES) {
+        const targetPath = path.join(processorDir, `${name}.js`);
+
+        if (fs.existsSync(targetPath) && !force) {
+            skipped.push(targetPath);
+            continue;
+        }
+
+        const templatePath = path.join(TEMPLATES_DIR, `${name}.js.tmpl`);
+        const content = renderTemplate(templatePath, PARAMS);
+        FileUtils.writeFileWithBackup(targetPath, content, true);
+        written.push(targetPath);
+    }
+
+    return { written, skipped };
+}
+
+module.exports = { generateAuthProcessors };

package/generators/lib/auth/sdf-generator.js

@@ -0,0 +1,102 @@
+'use strict';
+
+/**
+ * Generator SDF auth (prefix `rfx`). Membangun IR dua model auth via
+ * `defineModel` (dbschema-kit), men-serialize ke source SDF via `serialize()`,
+ * lalu menulis ke `<schema-path>/<table>.js` (skip/backup sesuai `--force`).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { defineModel } = require('../dbschema-kit/define-model');
+const { serialize } = require('../dbschema-kit/schema-printer');
+const FileUtils = require('../utils/file-utils');
+const { AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE } = require('./prefix');
+
+function buildAuthUserModel() {
+    return defineModel(AUTH_USER_TABLE, {
+        schema: 'public',
+        fields: {
+            user_id: 'string:36 pk',
+            username: 'string:100 notnull unique',
+            email: 'string:255',
+            full_name: 'string:150',
+            password_hash: 'string:255 notnull',
+            is_active: 'boolean notnull default:true',
+            is_locked: 'boolean notnull default:false',
+            failed_login_count: 'integer notnull default:0',
+            last_login_at: 'timestamp',
+            password_changed_at: 'timestamp',
+            created_at: 'timestamp default:now()',
+            created_by: 'string:70',
+            updated_at: 'timestamp',
+            updated_by: 'string:70'
+        },
+        indexes: ['username', 'email', 'is_active']
+    });
+}
+
+function buildAuthRefreshTokenModel() {
+    return defineModel(AUTH_REFRESH_TOKEN_TABLE, {
+        schema: 'public',
+        fields: {
+            token_id: 'string:36 pk',
+            user_id: 'string:36 notnull',
+            token_hash: 'string:255 notnull',
+            is_revoked: 'boolean notnull default:false',
+            expires_at: 'timestamp notnull',
+            created_at: 'timestamp default:now()'
+        },
+        indexes: ['user_id', 'expires_at'],
+        relations: {
+            user: {
+                type: 'belongsTo',
+                target: AUTH_USER_TABLE,
+                localKey: 'user_id',
+                references: 'user_id',
+                onDelete: 'cascade',
+                onUpdate: 'restrict'
+            }
+        }
+    });
+}
+
+function buildAuthModels() {
+    return {
+        [AUTH_USER_TABLE]: buildAuthUserModel(),
+        [AUTH_REFRESH_TOKEN_TABLE]: buildAuthRefreshTokenModel()
+    };
+}
+
+/**
+ * @param {{ schemaPath: string, force?: boolean }} options
+ * @returns {{ written: string[], skipped: string[] }}
+ */
+function generateAuthSdf({ schemaPath, force = false }) {
+    const models = buildAuthModels();
+    const written = [];
+    const skipped = [];
+
+    for (const [tableName, ir] of Object.entries(models)) {
+        const targetPath = path.join(schemaPath, `${tableName}.js`);
+
+        if (fs.existsSync(targetPath) && !force) {
+            skipped.push(targetPath);
+            continue;
+        }
+
+        const source = serialize(ir, { generatedBy: 'npx restforge project auth --create' });
+        FileUtils.writeFileWithBackup(targetPath, source, true);
+        written.push(targetPath);
+    }
+
+    return { written, skipped };
+}
+
+module.exports = {
+    buildAuthUserModel,
+    buildAuthRefreshTokenModel,
+    buildAuthModels,
+    generateAuthSdf
+};

package/generators/lib/auth/template-renderer.js

@@ -0,0 +1,29 @@
+'use strict';
+
+/**
+ * Renderer template-asset sederhana untuk artefak auth extension. Membaca file
+ * `.tmpl` lalu mengganti placeholder `{{KEY}}` dengan value dari `params`.
+ * Dipakai Fungsi 3a (component/router) dan akan dipakai ulang Fungsi 3b
+ * (6 processor, Phase 04).
+ */
+
+const fs = require('fs');
+
+/**
+ * @param {string} templatePath - Path absolut ke file `.tmpl`
+ * @param {Object<string, string>} [params] - Map placeholder -> value pengganti
+ * @returns {string} isi template setelah substitusi placeholder
+ */
+function renderTemplate(templatePath, params = {}) {
+    // Normalisasi CRLF -> LF agar output deterministik lintas-platform. File
+    // `.tmpl` bisa ter-checkout sebagai CRLF di Windows (`.gitattributes`
+    // `text=auto`) atau ikut terbawa saat npm pack; tanpa normalisasi, output
+    // generator akan ber-CRLF dan menyimpang dari prototype acuan yang ber-LF.
+    let content = fs.readFileSync(templatePath, 'utf8').replace(/\r\n/g, '\n');
+    for (const [key, value] of Object.entries(params)) {
+        content = content.split(`{{${key}}}`).join(value);
+    }
+    return content;
+}
+
+module.exports = { renderTemplate };

package/generators/lib/auth/templates/processor/login.js.tmpl

@@ -0,0 +1,152 @@
+'use strict';
+
+/**
+ * Processor: login
+ * Verifikasi kredensial, lalu terbitkan JWT access token + refresh token.
+ * Method: POST
+ */
+
+const bcrypt = require('bcrypt');
+const crypto = require('crypto');
+const {
+  generateAccessToken,
+  getAccessTokenExpiryMin
+} = require('../../../../components/handlers/{{AUTH_MIDDLEWARE_NAME}}');
+
+const BCRYPT_ROUNDS = 12;
+const MAX_FAILED_LOGIN = 5;
+
+function getRefreshExpiryDays() {
+  return parseInt(process.env.REFRESH_TOKEN_EXPIRY_DAYS || '30', 10);
+}
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      const { username, password } = input;
+
+      if (!username || !password) {
+        return {
+          success: false,
+          statusCode: 400,
+          message: 'Field username dan password wajib diisi.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const userRows = await db.executeQuery(
+        `SELECT user_id, username, email, full_name,
+                password_hash, is_active, is_locked, failed_login_count
+         FROM public.{{AUTH_USER_TABLE}}
+         WHERE username = $1`,
+        [username]
+      );
+      const user = userRows[0] || null;
+
+      if (!user) {
+        return {
+          success: false,
+          statusCode: 401,
+          message: 'Username atau password salah.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      if (!user.is_active) {
+        return {
+          success: false,
+          statusCode: 403,
+          message: 'Akun tidak aktif. Hubungi administrator.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      if (user.is_locked) {
+        return {
+          success: false,
+          statusCode: 403,
+          message: 'Akun terkunci karena terlalu banyak percobaan login gagal. Hubungi administrator.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const passwordValid = await bcrypt.compare(password, user.password_hash);
+
+      if (!passwordValid) {
+        const newFailedCount = (user.failed_login_count || 0) + 1;
+        const shouldLock = newFailedCount >= MAX_FAILED_LOGIN;
+
+        await db.executeQuery(
+          `UPDATE public.{{AUTH_USER_TABLE}}
+           SET failed_login_count = $1, is_locked = $2, updated_at = NOW()
+           WHERE user_id = $3`,
+          [newFailedCount, shouldLock, user.user_id]
+        );
+
+        const message = shouldLock
+          ? 'Akun terkunci karena terlalu banyak percobaan login gagal. Hubungi administrator.'
+          : `Username atau password salah. Sisa percobaan: ${MAX_FAILED_LOGIN - newFailedCount}.`;
+
+        return {
+          success: false,
+          statusCode: 401,
+          message,
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      // Login berhasil — reset counter, update last_login_at
+      await db.executeQuery(
+        `UPDATE public.{{AUTH_USER_TABLE}}
+         SET failed_login_count = 0, last_login_at = NOW(), updated_at = NOW()
+         WHERE user_id = $1`,
+        [user.user_id]
+      );
+
+      const accessToken = generateAccessToken(user);
+      const expiresIn = getAccessTokenExpiryMin() * 60;
+
+      // Refresh token: `<user_id>:<random-hex>`, disimpan sebagai hash bcrypt
+      const refreshTokenRaw = `${user.user_id}:${crypto.randomBytes(64).toString('hex')}`;
+      const refreshTokenHash = await bcrypt.hash(refreshTokenRaw, BCRYPT_ROUNDS);
+      const refreshExpiresAt = new Date();
+      refreshExpiresAt.setDate(refreshExpiresAt.getDate() + getRefreshExpiryDays());
+
+      await db.executeQuery(
+        `INSERT INTO public.{{AUTH_REFRESH_TOKEN_TABLE}}
+            (token_id, user_id, token_hash, expires_at, created_at)
+         VALUES ($1, $2, $3, $4, NOW())`,
+        [crypto.randomUUID(), user.user_id, refreshTokenHash, refreshExpiresAt]
+      );
+
+      return {
+        success: true,
+        statusCode: 200,
+        message: 'Login berhasil.',
+        data: {
+          access_token: accessToken,
+          refresh_token: refreshTokenRaw,
+          token_type: 'Bearer',
+          expires_in: expiresIn,
+          user: {
+            user_id: user.user_id,
+            username: user.username,
+            email: user.email,
+            full_name: user.full_name
+          }
+        },
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-login] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'Terjadi kesalahan internal pada server.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};

package/generators/lib/auth/templates/processor/logout.js.tmpl

@@ -0,0 +1,58 @@
+'use strict';
+
+/**
+ * Processor: logout
+ * Revoke refresh token bila disertakan. Selalu sukses (idempoten dari sisi client).
+ * Method: POST
+ */
+
+const bcrypt = require('bcrypt');
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      const { refresh_token } = input;
+
+      if (refresh_token) {
+        const colonIdx = refresh_token.indexOf(':');
+        if (colonIdx >= 0) {
+          const userId = refresh_token.substring(0, colonIdx);
+
+          const tokenRows = await db.executeQuery(
+            `SELECT token_id, token_hash
+             FROM public.{{AUTH_REFRESH_TOKEN_TABLE}}
+             WHERE user_id = $1 AND is_revoked = FALSE`,
+            [userId]
+          );
+
+          for (const t of (tokenRows || [])) {
+            if (await bcrypt.compare(refresh_token, t.token_hash)) {
+              await db.executeQuery(
+                'UPDATE public.{{AUTH_REFRESH_TOKEN_TABLE}} SET is_revoked = TRUE WHERE token_id = $1',
+                [t.token_id]
+              );
+              break;
+            }
+          }
+        }
+      }
+
+      return {
+        success: true,
+        statusCode: 200,
+        message: 'Logout berhasil.',
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-logout] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'Terjadi kesalahan internal pada server.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};

package/generators/lib/auth/templates/processor/me.js.tmpl

@@ -0,0 +1,64 @@
+'use strict';
+
+/**
+ * Processor: me
+ * Mengembalikan profil user dari JWT access token (header Authorization).
+ * Method: GET
+ */
+
+const { verifyToken } = require('../../../../components/handlers/{{AUTH_MIDDLEWARE_NAME}}');
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      let decoded;
+      try {
+        decoded = verifyToken(req);
+      } catch (err) {
+        return {
+          success: false,
+          statusCode: err.statusCode || 401,
+          message: err.message,
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const userRows = await db.executeQuery(
+        `SELECT user_id, username, email, full_name,
+                is_active, is_locked, last_login_at,
+                created_at, updated_at
+         FROM public.{{AUTH_USER_TABLE}}
+         WHERE user_id = $1`,
+        [decoded.sub]
+      );
+      const user = userRows[0] || null;
+
+      if (!user) {
+        return {
+          success: false,
+          statusCode: 404,
+          message: 'User tidak ditemukan.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      return {
+        success: true,
+        statusCode: 200,
+        message: 'OK',
+        data: user,
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-me] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'Terjadi kesalahan internal pada server.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};

package/generators/lib/auth/templates/processor/refresh.js.tmpl

@@ -0,0 +1,134 @@
+'use strict';
+
+/**
+ * Processor: refresh
+ * Tukar refresh token dengan access token baru (dengan token rotation:
+ * refresh token lama di-revoke, refresh token baru diterbitkan).
+ * Method: POST
+ */
+
+const bcrypt = require('bcrypt');
+const crypto = require('crypto');
+const {
+  generateAccessToken,
+  getAccessTokenExpiryMin
+} = require('../../../../components/handlers/{{AUTH_MIDDLEWARE_NAME}}');
+
+const BCRYPT_ROUNDS = 12;
+
+function getRefreshExpiryDays() {
+  return parseInt(process.env.REFRESH_TOKEN_EXPIRY_DAYS || '30', 10);
+}
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      const { refresh_token } = input;
+
+      if (!refresh_token) {
+        return {
+          success: false,
+          statusCode: 400,
+          message: 'Field refresh_token wajib diisi.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const colonIdx = refresh_token.indexOf(':');
+      if (colonIdx < 0) {
+        return {
+          success: false,
+          statusCode: 401,
+          message: 'Refresh token tidak valid.',
+          timestamp: new Date().toISOString()
+        };
+      }
+      const userId = refresh_token.substring(0, colonIdx);
+
+      const tokenRows = await db.executeQuery(
+        `SELECT token_id, token_hash
+         FROM public.{{AUTH_REFRESH_TOKEN_TABLE}}
+         WHERE user_id = $1 AND is_revoked = FALSE AND expires_at > NOW()`,
+        [userId]
+      );
+
+      let matched = null;
+      for (const t of (tokenRows || [])) {
+        if (await bcrypt.compare(refresh_token, t.token_hash)) {
+          matched = t;
+          break;
+        }
+      }
+
+      if (!matched) {
+        return {
+          success: false,
+          statusCode: 401,
+          message: 'Refresh token tidak valid atau sudah kedaluwarsa.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const userRows = await db.executeQuery(
+        `SELECT user_id, username, email, full_name, is_active, is_locked
+         FROM public.{{AUTH_USER_TABLE}}
+         WHERE user_id = $1`,
+        [userId]
+      );
+      const user = userRows[0] || null;
+
+      if (!user || !user.is_active || user.is_locked) {
+        return {
+          success: false,
+          statusCode: 403,
+          message: 'User tidak aktif atau terkunci.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      // Rotation: revoke token lama
+      await db.executeQuery(
+        'UPDATE public.{{AUTH_REFRESH_TOKEN_TABLE}} SET is_revoked = TRUE WHERE token_id = $1',
+        [matched.token_id]
+      );
+
+      const accessToken = generateAccessToken(user);
+      const expiresIn = getAccessTokenExpiryMin() * 60;
+
+      const newRefreshRaw = `${user.user_id}:${crypto.randomBytes(64).toString('hex')}`;
+      const newRefreshHash = await bcrypt.hash(newRefreshRaw, BCRYPT_ROUNDS);
+      const refreshExpiresAt = new Date();
+      refreshExpiresAt.setDate(refreshExpiresAt.getDate() + getRefreshExpiryDays());
+
+      await db.executeQuery(
+        `INSERT INTO public.{{AUTH_REFRESH_TOKEN_TABLE}}
+            (token_id, user_id, token_hash, expires_at, created_at)
+         VALUES ($1, $2, $3, $4, NOW())`,
+        [crypto.randomUUID(), user.user_id, newRefreshHash, refreshExpiresAt]
+      );
+
+      return {
+        success: true,
+        statusCode: 200,
+        message: 'Token berhasil diperbarui.',
+        data: {
+          access_token: accessToken,
+          refresh_token: newRefreshRaw,
+          token_type: 'Bearer',
+          expires_in: expiresIn
+        },
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-refresh] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'Terjadi kesalahan internal pada server.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};

package/generators/lib/auth/templates/processor/register.js.tmpl

@@ -0,0 +1,77 @@
+'use strict';
+
+/**
+ * Processor: register
+ * Membuat user baru dengan password ter-hash bcrypt.
+ * Method: POST
+ */
+
+const bcrypt = require('bcrypt');
+const crypto = require('crypto');
+
+const BCRYPT_ROUNDS = 12;
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      const { username, password, email, full_name } = input;
+
+      if (!username || !password) {
+        return {
+          success: false,
+          statusCode: 400,
+          message: 'Field username dan password wajib diisi.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const existing = await db.executeQuery(
+        'SELECT user_id FROM public.{{AUTH_USER_TABLE}} WHERE username = $1',
+        [username]
+      );
+      if (existing && existing.length > 0) {
+        return {
+          success: false,
+          statusCode: 409,
+          message: 'Username sudah terpakai.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const passwordHash = await bcrypt.hash(password, BCRYPT_ROUNDS);
+      const userId = crypto.randomUUID();
+
+      await db.executeQuery(
+        `INSERT INTO public.{{AUTH_USER_TABLE}}
+            (user_id, username, email, full_name, password_hash,
+             is_active, is_locked, failed_login_count,
+             password_changed_at, created_at)
+         VALUES ($1, $2, $3, $4, $5, TRUE, FALSE, 0, NOW(), NOW())`,
+        [userId, username, email || null, full_name || null, passwordHash]
+      );
+
+      return {
+        success: true,
+        statusCode: 201,
+        message: 'Registrasi berhasil.',
+        data: {
+          user_id: userId,
+          username,
+          email: email || null,
+          full_name: full_name || null
+        },
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-register] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'Terjadi kesalahan internal pada server.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};