@restforgejs/platform 5.2.13 → 5.3.5

package/generators/lib/auth/dependency-checker.js

@@ -0,0 +1,102 @@
+'use strict';
+
+/**
+ * Verifikasi + pencatatan dependency runtime auth extension (Fungsi tambahan,
+ * Phase 05, menutup keputusan #6 campaign): middleware butuh `jsonwebtoken`,
+ * processor butuh `bcrypt`.
+ *
+ * Verifikasi resolvability memakai `require.resolve(pkg, { paths: [...] })`
+ * persis algoritma resolusi Node — bukan sekadar cek folder `node_modules/`,
+ * agar hasilnya benar walau dependency ter-hoist ke level lain.
+ *
+ * Pencatatan ke `package.json` project bersifat idempoten (tidak menimpa
+ * versi yang sudah ada) dan TIDAK pernah menjalankan `npm install`.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const PLATFORM_PACKAGE_JSON = require('../../../package.json');
+
+const REQUIRED_DEPENDENCIES = {
+    bcrypt: PLATFORM_PACKAGE_JSON.dependencies.bcrypt,
+    jsonwebtoken: PLATFORM_PACKAGE_JSON.dependencies.jsonwebtoken
+};
+
+/**
+ * @param {string} pkgName
+ * @param {string} fromDir
+ * @returns {string|null} Resolved entry path, atau null bila tidak resolvable.
+ */
+function resolvePackage(pkgName, fromDir) {
+    try {
+        return require.resolve(pkgName, { paths: [fromDir] });
+    } catch (err) {
+        return null;
+    }
+}
+
+/**
+ * Tambahkan `bcrypt`/`jsonwebtoken` ke `dependencies` package.json project
+ * bila belum ada. Tidak pernah menurunkan/menimpa versi yang sudah di-set.
+ *
+ * @param {string} workingDir
+ * @returns {{ hasPackageJson: boolean, pkgPath: string, updated: boolean, added: string[] }}
+ */
+function ensurePackageJsonDependencies(workingDir) {
+    const pkgPath = path.join(workingDir, 'package.json');
+
+    if (!fs.existsSync(pkgPath)) {
+        return { hasPackageJson: false, pkgPath, updated: false, added: [] };
+    }
+
+    const raw = fs.readFileSync(pkgPath, 'utf8');
+    let pkg;
+    try {
+        pkg = JSON.parse(raw);
+    } catch (err) {
+        throw new Error(`Gagal parse ${pkgPath}: ${err.message}`);
+    }
+
+    pkg.dependencies = pkg.dependencies || {};
+    const added = [];
+
+    for (const [name, version] of Object.entries(REQUIRED_DEPENDENCIES)) {
+        if (!Object.prototype.hasOwnProperty.call(pkg.dependencies, name)) {
+            pkg.dependencies[name] = version;
+            added.push(name);
+        }
+    }
+
+    if (added.length > 0) {
+        fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`, 'utf8');
+    }
+
+    return { hasPackageJson: true, pkgPath, updated: added.length > 0, added };
+}
+
+/**
+ * @param {{ workingDir?: string }} options
+ * @returns {{
+ *   resolution: Record<string, { resolvable: boolean, resolvedPath: string|null }>,
+ *   allResolvable: boolean,
+ *   packageJson: { hasPackageJson: boolean, pkgPath: string, updated: boolean, added: string[] },
+ *   needsInstallInstruction: boolean
+ * }}
+ */
+function ensureAuthDependencies({ workingDir = process.cwd() } = {}) {
+    const resolution = {};
+    for (const name of Object.keys(REQUIRED_DEPENDENCIES)) {
+        const resolvedPath = resolvePackage(name, workingDir);
+        resolution[name] = { resolvable: Boolean(resolvedPath), resolvedPath };
+    }
+    const allResolvable = Object.values(resolution).every((r) => r.resolvable);
+
+    const packageJson = ensurePackageJsonDependencies(workingDir);
+
+    const needsInstallInstruction = !allResolvable || !packageJson.hasPackageJson;
+
+    return { resolution, allResolvable, packageJson, needsInstallInstruction };
+}
+
+module.exports = { ensureAuthDependencies, REQUIRED_DEPENDENCIES, resolvePackage };

package/generators/lib/auth/env-injector.js

@@ -0,0 +1,81 @@
+'use strict';
+
+/**
+ * Injeksi variabel env auth (Fungsi tambahan, Phase 05) ke file `--config`,
+ * meniru blok Auth/JWT pada prototype `myapp-with-auth/config/db-connection.env`.
+ * Idempoten: hanya menambahkan key yang belum ada di file; tidak pernah
+ * menimpa nilai existing (termasuk JWT_SECRET yang sudah di-set user).
+ *
+ * Resolusi path config memakai `resolveConfig()` yang sama dipakai
+ * migrate-runner.js, agar blok Auth/JWT ditambahkan ke file yang sama dengan
+ * yang dipakai langkah migrate (cascade lookup cwd -> config/ -> +.env).
+ */
+
+const crypto = require('node:crypto');
+const path = require('node:path');
+
+const { readEnvFile, writeEnvFile } = require('../utils/env-manager');
+const { resolveConfig } = require('../utils/config-resolver');
+
+const AUTH_ENV_DEFAULTS = {
+    JWT_ALGORITHM: 'HS256',
+    ACCESS_TOKEN_EXPIRY_MIN: '60',
+    REFRESH_TOKEN_EXPIRY_DAYS: '30',
+    GOOGLE_CLIENT_ID: ''
+};
+
+const AUTH_ENV_KEYS = [
+    'JWT_SECRET',
+    'JWT_ALGORITHM',
+    'ACCESS_TOKEN_EXPIRY_MIN',
+    'REFRESH_TOKEN_EXPIRY_DAYS',
+    'GOOGLE_CLIENT_ID'
+];
+
+const AUTH_ENV_HEADER_COMMENT = '# Auth / JWT Configuration (rfx_auth, generated by "project auth")';
+
+function generateJwtSecret() {
+    return crypto.randomBytes(48).toString('hex');
+}
+
+/**
+ * @param {{ configPath: string, workingDir?: string }} options
+ * @returns {{
+ *   filePath: string,
+ *   added: string[],
+ *   skipped: string[],
+ *   jwtSecretGenerated: boolean
+ * }}
+ */
+function injectAuthEnv({ configPath, workingDir = process.cwd() } = {}) {
+    const resolved = resolveConfig(configPath, workingDir);
+    const filePath = resolved ? resolved.path : path.resolve(workingDir, configPath || 'config/db-connection.env');
+
+    const { data, lines } = readEnvFile(filePath);
+    const added = [];
+    const skipped = [];
+
+    for (const key of AUTH_ENV_KEYS) {
+        if (Object.prototype.hasOwnProperty.call(data, key)) {
+            skipped.push(key);
+            continue;
+        }
+
+        data[key] = key === 'JWT_SECRET' ? generateJwtSecret() : AUTH_ENV_DEFAULTS[key];
+        added.push(key);
+    }
+
+    if (added.length > 0) {
+        const nextLines = lines.length > 0 ? [...lines, '', AUTH_ENV_HEADER_COMMENT] : [AUTH_ENV_HEADER_COMMENT];
+        writeEnvFile(filePath, data, nextLines);
+    }
+
+    return {
+        filePath,
+        added,
+        skipped,
+        jwtSecretGenerated: added.includes('JWT_SECRET')
+    };
+}
+
+module.exports = { injectAuthEnv, AUTH_ENV_KEYS };

package/generators/lib/auth/migrate-runner.js

@@ -0,0 +1,111 @@
+'use strict';
+
+/**
+ * Migrate runner auth extension (Fungsi 2). Memuat kedua SDF auth (`rfx_auth_user`
+ * & `rfx_auth_refresh_token`) dari `--schema-path`, memvalidasi cross-model (FK
+ * refresh_token -> user), men-generate DDL, lalu apply ke DB via primitif
+ * `dbschema-kit` langsung (in-process). TIDAK menyentuh `generators/cli/schema/migrate.js`
+ * (keputusan #3 campaign project-auth-command-v1) — primitif dipanggil ulang di sini.
+ *
+ * Test seam: sama seperti migrate.js, executor dimuat lewat loadApplyExecutor()
+ * yang menghormati DBSCHEMA_KIT_TEST_APPLY_STUB.
+ */
+
+const path = require('path');
+
+const { loadSchemaPath } = require('../dbschema-kit/loader');
+const { validateCrossModel } = require('../dbschema-kit/validator/cross-model-validator');
+const { generateDDL } = require('../dbschema-kit/ddl-generator');
+const { loadConfig } = require('../dbschema-kit/connection');
+const { splitStatements } = require('../dbschema-kit/statement-splitter');
+const { applyIfNotExistsModifier } = require('../dbschema-kit/statement-modifier');
+const { resolveConfig } = require('../utils/config-resolver');
+const { AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE } = require('./prefix');
+
+function loadApplyExecutor() {
+    const stubPath = process.env.DBSCHEMA_KIT_TEST_APPLY_STUB;
+    if (stubPath) {
+        return require(path.resolve(stubPath));
+    }
+    return require('../dbschema-kit/apply-executor');
+}
+
+/**
+ * Muat kedua SDF auth dari `schemaPath` ke satu Map gabungan, agar
+ * validateCrossModel bisa memverifikasi FK lintas model.
+ *
+ * @param {string} schemaPath
+ * @returns {Map<string, object>}
+ */
+function loadAuthModels(schemaPath) {
+    const models = new Map();
+    for (const tableName of [AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE]) {
+        const filePath = path.join(schemaPath, `${tableName}.js`);
+        const fileModels = loadSchemaPath(filePath);
+        for (const [qualified, ir] of fileModels) {
+            models.set(qualified, ir);
+        }
+    }
+    return models;
+}
+
+/**
+ * @param {{ schemaPath: string, configPath: string }} options
+ * @returns {Promise<{ tables: string[], dialect: string, statementsApplied: number, result: object }>}
+ */
+async function runAuthMigrate({ schemaPath, configPath }) {
+    const resolved = resolveConfig(configPath, process.cwd());
+    if (!resolved) {
+        throw new Error(
+            'Migrate auth gagal: --config=<file> tidak ditemukan. Set default config ' +
+            "('npx restforge config set-default --config=<file>') atau sediakan --config eksplisit."
+        );
+    }
+
+    let config;
+    try {
+        config = loadConfig(resolved.path);
+    } catch (err) {
+        throw new Error(`Migrate auth gagal memuat config DB (${resolved.path}): ${err.message}`);
+    }
+
+    let models;
+    try {
+        models = loadAuthModels(schemaPath);
+    } catch (err) {
+        throw new Error(`Migrate auth gagal memuat SDF auth dari '${schemaPath}': ${err.message}`);
+    }
+
+    const crossModelIssues = validateCrossModel(models);
+    const crossModelErrors = crossModelIssues.filter((issue) => issue.severity === 'error');
+    if (crossModelErrors.length > 0) {
+        const messages = crossModelErrors.map((issue) => issue.message).join('; ');
+        throw new Error(`Migrate auth gagal: validasi cross-model menemukan error: ${messages}`);
+    }
+
+    const ddl = generateDDL(models, { dialect: config.dialect, drop: false });
+    const statements = splitStatements(ddl, config.dialect)
+        .map((statement) => applyIfNotExistsModifier(statement, config.dialect));
+
+    const executor = loadApplyExecutor();
+
+    let result;
+    try {
+        result = await executor.applyStatements({ statements, dialect: config.dialect, config });
+    } catch (err) {
+        throw new Error(`Migrate auth gagal menerapkan tabel ke database: ${err.message}`);
+    }
+
+    if (!result || result.status !== 'SUCCESS') {
+        throw new Error(`Migrate auth tidak SUCCESS (status: ${result ? result.status : 'UNKNOWN'}).`);
+    }
+
+    return {
+        tables: [AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE],
+        dialect: config.dialect,
+        statementsApplied: statements.length,
+        result
+    };
+}
+
+module.exports = { runAuthMigrate, loadAuthModels };

package/generators/lib/auth/prefix.js

@@ -0,0 +1,22 @@
+'use strict';
+
+/**
+ * Konstanta prefix `rfx` (RestForge eXtension) untuk seluruh artefak auth
+ * extension. Satu sumber dipakai ulang oleh Phase 01 (SDF), Phase 02
+ * (tabel hasil migrate), dan Phase 03-04 (component/router/processor).
+ */
+
+const PREFIX = 'rfx';
+
+const AUTH_USER_TABLE = `${PREFIX}_auth_user`;
+const AUTH_REFRESH_TOKEN_TABLE = `${PREFIX}_auth_refresh_token`;
+const AUTH_MIDDLEWARE_NAME = `${PREFIX}_auth-middleware`;
+const AUTH_ROUTER_NAME = `${PREFIX}_auth`;
+
+module.exports = {
+    PREFIX,
+    AUTH_USER_TABLE,
+    AUTH_REFRESH_TOKEN_TABLE,
+    AUTH_MIDDLEWARE_NAME,
+    AUTH_ROUTER_NAME
+};

package/generators/lib/auth/processor-generator.js

@@ -0,0 +1,57 @@
+'use strict';
+
+/**
+ * Generator processor auth (Fungsi 3b). Merender aset template di
+ * `templates/processor/` via template-renderer (Phase 03), lalu menulis ke
+ * lokasi target memakai writeFileWithBackup — perilaku force/skip identik
+ * Fungsi 1/3a: tanpa --force file existing di-skip, dengan --force
+ * di-overwrite + backup.
+ *
+ * `google.js` (Sign in with Google) disertakan; endpoint membutuhkan
+ * GOOGLE_CLIENT_ID di env (di-inject env-injector) dan ID token dari Google
+ * Identity Services di sisi frontend.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { renderTemplate } = require('./template-renderer');
+const FileUtils = require('../utils/file-utils');
+const { AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE, AUTH_MIDDLEWARE_NAME } = require('./prefix');
+
+const TEMPLATES_DIR = path.join(__dirname, 'templates', 'processor');
+
+const PROCESSOR_NAMES = ['register', 'login', 'google', 'refresh', 'logout', 'me', 'reset-password'];
+
+const PARAMS = {
+    AUTH_USER_TABLE,
+    AUTH_REFRESH_TOKEN_TABLE,
+    AUTH_MIDDLEWARE_NAME
+};
+
+/**
+ * @param {{ processorDir: string, force?: boolean }} options
+ * @returns {{ written: string[], skipped: string[] }}
+ */
+function generateAuthProcessors({ processorDir, force = false }) {
+    const written = [];
+    const skipped = [];
+
+    for (const name of PROCESSOR_NAMES) {
+        const targetPath = path.join(processorDir, `${name}.js`);
+
+        if (fs.existsSync(targetPath) && !force) {
+            skipped.push(targetPath);
+            continue;
+        }
+
+        const templatePath = path.join(TEMPLATES_DIR, `${name}.js.tmpl`);
+        const content = renderTemplate(templatePath, PARAMS);
+        FileUtils.writeFileWithBackup(targetPath, content, true);
+        written.push(targetPath);
+    }
+
+    return { written, skipped };
+}
+
+module.exports = { generateAuthProcessors };

package/generators/lib/auth/sdf-generator.js

@@ -0,0 +1,102 @@
+'use strict';
+
+/**
+ * Generator SDF auth (prefix `rfx`). Membangun IR dua model auth via
+ * `defineModel` (dbschema-kit), men-serialize ke source SDF via `serialize()`,
+ * lalu menulis ke `<schema-path>/<table>.js` (skip/backup sesuai `--force`).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { defineModel } = require('../dbschema-kit/define-model');
+const { serialize } = require('../dbschema-kit/schema-printer');
+const FileUtils = require('../utils/file-utils');
+const { AUTH_USER_TABLE, AUTH_REFRESH_TOKEN_TABLE } = require('./prefix');
+
+function buildAuthUserModel() {
+    return defineModel(AUTH_USER_TABLE, {
+        schema: 'public',
+        fields: {
+            user_id: 'string:36 pk',
+            username: 'string:100 notnull unique',
+            email: 'string:255',
+            full_name: 'string:150',
+            password_hash: 'string:255 notnull',
+            is_active: 'boolean notnull default:true',
+            is_locked: 'boolean notnull default:false',
+            failed_login_count: 'integer notnull default:0',
+            last_login_at: 'timestamp',
+            password_changed_at: 'timestamp',
+            created_at: 'timestamp default:now()',
+            created_by: 'string:70',
+            updated_at: 'timestamp',
+            updated_by: 'string:70'
+        },
+        indexes: ['username', 'email', 'is_active']
+    });
+}
+
+function buildAuthRefreshTokenModel() {
+    return defineModel(AUTH_REFRESH_TOKEN_TABLE, {
+        schema: 'public',
+        fields: {
+            token_id: 'string:36 pk',
+            user_id: 'string:36 notnull',
+            token_hash: 'string:255 notnull',
+            is_revoked: 'boolean notnull default:false',
+            expires_at: 'timestamp notnull',
+            created_at: 'timestamp default:now()'
+        },
+        indexes: ['user_id', 'expires_at'],
+        relations: {
+            user: {
+                type: 'belongsTo',
+                target: AUTH_USER_TABLE,
+                localKey: 'user_id',
+                references: 'user_id',
+                onDelete: 'cascade',
+                onUpdate: 'restrict'
+            }
+        }
+    });
+}
+
+function buildAuthModels() {
+    return {
+        [AUTH_USER_TABLE]: buildAuthUserModel(),
+        [AUTH_REFRESH_TOKEN_TABLE]: buildAuthRefreshTokenModel()
+    };
+}
+
+/**
+ * @param {{ schemaPath: string, force?: boolean }} options
+ * @returns {{ written: string[], skipped: string[] }}
+ */
+function generateAuthSdf({ schemaPath, force = false }) {
+    const models = buildAuthModels();
+    const written = [];
+    const skipped = [];
+
+    for (const [tableName, ir] of Object.entries(models)) {
+        const targetPath = path.join(schemaPath, `${tableName}.js`);
+
+        if (fs.existsSync(targetPath) && !force) {
+            skipped.push(targetPath);
+            continue;
+        }
+
+        const source = serialize(ir, { generatedBy: 'npx restforge project auth --create' });
+        FileUtils.writeFileWithBackup(targetPath, source, true);
+        written.push(targetPath);
+    }
+
+    return { written, skipped };
+}
+
+module.exports = {
+    buildAuthUserModel,
+    buildAuthRefreshTokenModel,
+    buildAuthModels,
+    generateAuthSdf
+};

package/generators/lib/auth/template-renderer.js

@@ -0,0 +1,29 @@
+'use strict';
+
+/**
+ * Renderer template-asset sederhana untuk artefak auth extension. Membaca file
+ * `.tmpl` lalu mengganti placeholder `{{KEY}}` dengan value dari `params`.
+ * Dipakai Fungsi 3a (component/router) dan akan dipakai ulang Fungsi 3b
+ * (6 processor, Phase 04).
+ */
+
+const fs = require('fs');
+
+/**
+ * @param {string} templatePath - Path absolut ke file `.tmpl`
+ * @param {Object<string, string>} [params] - Map placeholder -> value pengganti
+ * @returns {string} isi template setelah substitusi placeholder
+ */
+function renderTemplate(templatePath, params = {}) {
+    // Normalisasi CRLF -> LF agar output deterministik lintas-platform. File
+    // `.tmpl` bisa ter-checkout sebagai CRLF di Windows (`.gitattributes`
+    // `text=auto`) atau ikut terbawa saat npm pack; tanpa normalisasi, output
+    // generator akan ber-CRLF dan menyimpang dari prototype acuan yang ber-LF.
+    let content = fs.readFileSync(templatePath, 'utf8').replace(/\r\n/g, '\n');
+    for (const [key, value] of Object.entries(params)) {
+        content = content.split(`{{${key}}}`).join(value);
+    }
+    return content;
+}
+
+module.exports = { renderTemplate };

package/generators/lib/auth/templates/processor/google.js.tmpl

@@ -0,0 +1,178 @@
+'use strict';
+
+/**
+ * Processor: google (Sign in with Google)
+ * Verifikasi Google ID token, lalu find-or-create user (identitas = email) dan
+ * terbitkan JWT access token + refresh token (sama seperti login biasa).
+ * Method: POST  body: { credential: "<google-id-token>" }
+ *
+ * Verifikasi ID token memakai endpoint tokeninfo Google (tanpa dependensi npm
+ * tambahan). Untuk produksi, pertimbangkan google-auth-library (verifikasi JWKS
+ * lokal) agar tidak bergantung pada round-trip ke Google tiap request.
+ */
+
+const bcrypt = require('bcrypt');
+const crypto = require('crypto');
+const {
+  generateAccessToken,
+  getAccessTokenExpiryMin
+} = require('../../../../components/handlers/{{AUTH_MIDDLEWARE_NAME}}');
+
+const BCRYPT_ROUNDS = 12;
+
+function getRefreshExpiryDays() {
+  return parseInt(process.env.REFRESH_TOKEN_EXPIRY_DAYS || '30', 10);
+}
+
+async function verifyGoogleIdToken(credential) {
+  const url = 'https://oauth2.googleapis.com/tokeninfo?id_token=' + encodeURIComponent(credential);
+  const res = await fetch(url);
+  if (!res.ok) return null;
+  return res.json();
+}
+
+module.exports = {
+  async process(input, services, req) {
+    const { db, logger } = services;
+
+    try {
+      const { credential } = input;
+
+      if (!credential) {
+        return {
+          success: false,
+          statusCode: 400,
+          message: 'Field credential (Google ID token) is required.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const clientId = process.env.GOOGLE_CLIENT_ID;
+      if (!clientId) {
+        return {
+          success: false,
+          statusCode: 501,
+          message: 'Google login is not configured on the server (GOOGLE_CLIENT_ID is empty).',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const info = await verifyGoogleIdToken(credential);
+      if (!info || !info.email) {
+        return {
+          success: false,
+          statusCode: 401,
+          message: 'Invalid Google token.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      // Pastikan token memang ditujukan untuk aplikasi ini.
+      if (info.aud !== clientId) {
+        return {
+          success: false,
+          statusCode: 401,
+          message: 'Google token was not issued for this application.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      // Google menandai email_verified sebagai string 'true'.
+      if (info.email_verified !== 'true' && info.email_verified !== true) {
+        return {
+          success: false,
+          statusCode: 403,
+          message: 'Google email is not verified.',
+          timestamp: new Date().toISOString()
+        };
+      }
+
+      const email = String(info.email).toLowerCase();
+      const fullName = info.name || null;
+
+      // Identitas = email. Satukan dengan akun manual ber-email sama.
+      const rows = await db.executeQuery(
+        `SELECT user_id, username, email, full_name, is_active, is_locked
+         FROM public.{{AUTH_USER_TABLE}} WHERE username = $1`,
+        [email]
+      );
+      let user = rows[0] || null;
+
+      if (user) {
+        if (!user.is_active || user.is_locked) {
+          return {
+            success: false,
+            statusCode: 403,
+            message: 'Account is inactive or locked.',
+            timestamp: new Date().toISOString()
+          };
+        }
+        await db.executeQuery(
+          `UPDATE public.{{AUTH_USER_TABLE}}
+           SET last_login_at = NOW(), failed_login_count = 0, updated_at = NOW()
+           WHERE user_id = $1`,
+          [user.user_id]
+        );
+      } else {
+        // User baru via Google: password acak (tidak dapat dipakai login manual
+        // sampai user reset password). password_hash tetap non-null sesuai schema.
+        const randomPw = crypto.randomBytes(32).toString('hex');
+        const passwordHash = await bcrypt.hash(randomPw, BCRYPT_ROUNDS);
+        const userId = crypto.randomUUID();
+
+        await db.executeQuery(
+          `INSERT INTO public.{{AUTH_USER_TABLE}}
+              (user_id, username, email, full_name, password_hash,
+               is_active, is_locked, failed_login_count,
+               last_login_at, password_changed_at, created_at)
+           VALUES ($1, $2, $3, $4, $5, TRUE, FALSE, 0, NOW(), NOW(), NOW())`,
+          [userId, email, email, fullName, passwordHash]
+        );
+
+        user = { user_id: userId, username: email, email: email, full_name: fullName };
+      }
+
+      const accessToken = generateAccessToken(user);
+      const expiresIn = getAccessTokenExpiryMin() * 60;
+
+      const refreshTokenRaw = `${user.user_id}:${crypto.randomBytes(64).toString('hex')}`;
+      const refreshTokenHash = await bcrypt.hash(refreshTokenRaw, BCRYPT_ROUNDS);
+      const refreshExpiresAt = new Date();
+      refreshExpiresAt.setDate(refreshExpiresAt.getDate() + getRefreshExpiryDays());
+
+      await db.executeQuery(
+        `INSERT INTO public.{{AUTH_REFRESH_TOKEN_TABLE}}
+            (token_id, user_id, token_hash, expires_at, created_at)
+         VALUES ($1, $2, $3, $4, NOW())`,
+        [crypto.randomUUID(), user.user_id, refreshTokenHash, refreshExpiresAt]
+      );
+
+      return {
+        success: true,
+        statusCode: 200,
+        message: 'Google login successful.',
+        data: {
+          access_token: accessToken,
+          refresh_token: refreshTokenRaw,
+          token_type: 'Bearer',
+          expires_in: expiresIn,
+          user: {
+            user_id: user.user_id,
+            username: user.username,
+            email: user.email,
+            full_name: user.full_name
+          }
+        },
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      logger.error({ error: error.message }, '[auth-google] Unexpected error');
+      return {
+        success: false,
+        statusCode: 500,
+        message: 'An internal server error occurred.',
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+};