@thinhnguyencth1204/nextcli 0.3.0 → 0.4.1

package/templates/next-base/messages/vi/auth.json

@@ -1,25 +1,39 @@
 {
   "signInPage": {
     "title": "Đăng nhập",
-    "description": "Dùng email và mật khẩu để truy cập hệ thống."
+    "description": "Dùng tên đăng nhập và mật khẩu để truy cập hệ thống."
   },
   "signInForm": {
-    "email": "Email",
+    "username": "Tên đăng nhập",
     "password": "Mật khẩu",
-    "emailPlaceholder": "ban@example.com",
+    "usernamePlaceholder": "admin",
     "passwordPlaceholder": "********",
     "submit": "Đăng nhập",
     "submitting": "Đang đăng nhập...",
-    "invalidInput": "Vui lòng nhập email và mật khẩu hợp lệ.",
+    "invalidInput": "Vui lòng nhập tên đăng nhập và mật khẩu hợp lệ.",
     "missingAccessToken": "Không tìm thấy access token.",
     "success": "Đăng nhập thành công.",
     "failed": "Đăng nhập thất bại."
   },
+  "changePasswordPage": {
+    "title": "Đổi mật khẩu",
+    "description": "Bạn cần đổi mật khẩu trước khi tiếp tục sử dụng hệ thống."
+  },
+  "changePasswordForm": {
+    "currentPassword": "Mật khẩu hiện tại",
+    "newPassword": "Mật khẩu mới",
+    "submit": "Cập nhật mật khẩu",
+    "submitting": "Đang cập nhật...",
+    "invalidInput": "Vui lòng nhập mật khẩu hợp lệ (tối thiểu 8 ký tự).",
+    "success": "Đổi mật khẩu thành công.",
+    "failed": "Không thể đổi mật khẩu."
+  },
   "account": {
     "title": "Tài khoản",
     "loading": "Đang tải thông tin tài khoản...",
     "noSession": "Chưa có phiên đăng nhập hoạt động.",
     "userId": "Mã người dùng",
+    "username": "Tên đăng nhập",
     "email": "Email",
     "name": "Tên",
     "na": "N/A",

package/templates/next-base/next-env.d.ts

@@ -1,4 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
+import "./.next/dev/types/routes.d.ts";
 
-// This file is auto-generated by Next.js and should not be edited manually.
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

package/templates/next-base/prisma/migrations/20260612000000_init/migration.sql

@@ -0,0 +1,104 @@
+-- CreateTable
+CREATE TABLE "Role" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "level" INTEGER NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Role_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "User" (
+    "id" TEXT NOT NULL,
+    "email" TEXT,
+    "username" TEXT NOT NULL,
+    "displayUsername" TEXT,
+    "name" TEXT,
+    "image" TEXT,
+    "emailVerified" BOOLEAN NOT NULL DEFAULT false,
+    "requirePasswordChange" BOOLEAN NOT NULL DEFAULT false,
+    "roleId" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Example" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "description" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Example_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Session" (
+    "id" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "ipAddress" TEXT,
+    "userAgent" TEXT,
+    "userId" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Session_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Account" (
+    "id" TEXT NOT NULL,
+    "accountId" TEXT NOT NULL,
+    "providerId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "accessToken" TEXT,
+    "refreshToken" TEXT,
+    "idToken" TEXT,
+    "accessTokenExpiresAt" TIMESTAMP(3),
+    "refreshTokenExpiresAt" TIMESTAMP(3),
+    "scope" TEXT,
+    "password" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Account_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Verification" (
+    "id" TEXT NOT NULL,
+    "identifier" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3),
+
+    CONSTRAINT "Verification_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Role_name_key" ON "Role"("name");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Session_token_key" ON "Session"("token");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Account_providerId_accountId_key" ON "Account"("providerId", "accountId");
+
+-- AddForeignKey
+ALTER TABLE "User" ADD CONSTRAINT "User_roleId_fkey" FOREIGN KEY ("roleId") REFERENCES "Role"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "Session" ADD CONSTRAINT "Session_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "Account" ADD CONSTRAINT "Account_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

package/templates/next-base/prisma/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"

package/templates/next-base/prisma/schema.prisma

@@ -6,16 +6,30 @@ datasource db {
   provider = "postgresql"
 }
 
+model Role {
+  id        String   @id @default(cuid())
+  name      String   @unique
+  level     Int
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  users     User[]
+}
+
 model User {
-  id            String    @id @default(cuid())
-  email         String    @unique
-  name          String?
-  image         String?
-  emailVerified Boolean   @default(false)
-  createdAt     DateTime  @default(now())
-  updatedAt     DateTime  @updatedAt
-  sessions      Session[]
-  accounts      Account[]
+  id                    String    @id @default(cuid())
+  email                 String?
+  username              String    @unique
+  displayUsername       String?
+  name                  String?
+  image                 String?
+  emailVerified         Boolean   @default(false)
+  requirePasswordChange Boolean   @default(false)
+  roleId                String?
+  role                  Role?     @relation(fields: [roleId], references: [id], onDelete: SetNull)
+  createdAt             DateTime  @default(now())
+  updatedAt             DateTime  @updatedAt
+  sessions              Session[]
+  accounts              Account[]
 }
 
 // Starter demo table for template onboarding only.

package/templates/next-base/public/logo.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" fill="none">
+  <rect width="64" height="64" rx="12" fill="oklch(0.205 0 0)"/>
+  <path d="M18 44V20h10.5c5.2 0 8.5 2.8 8.5 7.2 0 3.1-1.7 5.4-4.5 6.5L38 44h-6.2l-4.8-9.2H24.2V44H18zm6.2-14.8h3.8c2.4 0 3.8-1.2 3.8-3.1s-1.4-3.1-3.8-3.1h-3.8v6.2z" fill="oklch(0.985 0 0)"/>
+</svg>

package/templates/next-base/src/app/(auth)/change-password/layout.tsx

@@ -0,0 +1,21 @@
+import type { ReactNode } from "react";
+import { redirect } from "next/navigation";
+import { getSessionUser } from "@/lib/rbac";
+
+export default async function ChangePasswordLayout({
+  children,
+}: {
+  children: ReactNode;
+}) {
+  const user = await getSessionUser();
+
+  if (!user) {
+    redirect("/sign-in");
+  }
+
+  if (!user.requirePasswordChange) {
+    redirect("/dashboard");
+  }
+
+  return <>{children}</>;
+}

package/templates/next-base/src/app/(auth)/change-password/page.tsx

@@ -0,0 +1,14 @@
+import { useTranslations } from "next-intl";
+import { ChangePasswordForm } from "@/features/auth/components/change-password-form";
+
+export default function ChangePasswordPage() {
+  const t = useTranslations("auth.changePasswordPage");
+
+  return (
+    <main className="space-y-3">
+      <h1 className="text-2xl font-semibold">{t("title")}</h1>
+      <p className="text-sm text-muted-foreground">{t("description")}</p>
+      <ChangePasswordForm />
+    </main>
+  );
+}

package/templates/next-base/src/app/(auth)/layout.tsx

@@ -1,9 +1,9 @@
 import type { ReactNode } from "react";
 
-export default function AuthLayout({ children }: { children: ReactNode }) {
+export default function AuthRouteLayout({ children }: { children: ReactNode }) {
   return (
-    <main className="flex min-h-screen items-center justify-center bg-muted px-4 py-8">
+    <div className="flex min-h-screen items-center justify-center p-4">
       <div className="w-full max-w-md">{children}</div>
-    </main>
+    </div>
   );
 }

package/templates/next-base/src/app/(auth)/sign-in/layout.tsx

@@ -0,0 +1,17 @@
+import type { ReactNode } from "react";
+import { redirect } from "next/navigation";
+import { getSessionUser } from "@/lib/rbac";
+
+export default async function SignInLayout({ children }: { children: ReactNode }) {
+  const user = await getSessionUser();
+
+  if (user?.requirePasswordChange) {
+    redirect("/change-password");
+  }
+
+  if (user) {
+    redirect("/dashboard");
+  }
+
+  return children;
+}

package/templates/next-base/src/app/(dashboard)/layout.tsx

@@ -1,10 +1,22 @@
 import type { ReactNode } from "react";
+import { redirect } from "next/navigation";
 import { DashboardLayout } from "@/components/layout/private/dashboard-layout";
+import { getSessionUser } from "@/lib/rbac";
 
-export default function DashboardRouteLayout({
+export default async function DashboardRouteLayout({
   children,
 }: {
   children: ReactNode;
 }) {
+  const user = await getSessionUser();
+
+  if (!user) {
+    redirect("/sign-in");
+  }
+
+  if (user.requirePasswordChange) {
+    redirect("/change-password");
+  }
+
   return <DashboardLayout>{children}</DashboardLayout>;
 }

package/templates/next-base/src/app/api/v1/auth/change-password/route.ts

@@ -0,0 +1,55 @@
+import { changePasswordSchema } from "@/features/auth/validations";
+import { fail, ok } from "@/lib/api-response";
+import { auth } from "@/lib/auth";
+import { getSessionUser } from "@/lib/rbac";
+import prisma from "@/lib/prisma";
+
+const authBaseUrl =
+  process.env.BETTER_AUTH_URL ??
+  process.env.NEXT_PUBLIC_APP_URL ??
+  "http://localhost:3000";
+
+export async function POST(request: Request) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor) {
+    return fail("UNAUTHORIZED", "Unauthorized", { status: 401 });
+  }
+
+  const payload = await request.json().catch(() => null);
+  const parsed = changePasswordSchema.safeParse(payload);
+
+  if (!parsed.success) {
+    return fail("VALIDATION_ERROR", "Invalid password payload.", {
+      status: 400,
+      details: parsed.error.flatten(),
+    });
+  }
+
+  const verifyResponse = await fetch(`${authBaseUrl}/api/auth/sign-in/username`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      username: actor.username,
+      password: parsed.data.currentPassword,
+    }),
+  });
+
+  if (!verifyResponse.ok) {
+    return fail("UNAUTHORIZED", "Current password is incorrect.", { status: 401 });
+  }
+
+  await auth.api.changePassword({
+    body: {
+      currentPassword: parsed.data.currentPassword,
+      newPassword: parsed.data.newPassword,
+    },
+    headers: request.headers,
+  });
+
+  await prisma.user.update({
+    where: { id: actor.id },
+    data: { requirePasswordChange: false },
+  });
+
+  return ok({ updated: true });
+}

package/templates/next-base/src/app/api/v1/auth/login/route.ts

@@ -1,5 +1,6 @@
 import { getRefreshCookieName, refreshCookieOptions } from "@/lib/auth-cookies";
 import { fail, ok } from "@/lib/api-response";
+import prisma from "@/lib/prisma";
 
 const authBaseUrl =
   process.env.BETTER_AUTH_URL ??
@@ -8,21 +9,23 @@ const authBaseUrl =
 
 export async function POST(request: Request) {
   const payload = (await request.json().catch(() => ({}))) as {
-    email?: string;
+    username?: string;
     password?: string;
   };
 
-  if (!payload.email || !payload.password) {
-    return fail("BAD_REQUEST", "Email and password are required.", { status: 400 });
+  if (!payload.username || !payload.password) {
+    return fail("BAD_REQUEST", "Username and password are required.", {
+      status: 400,
+    });
   }
 
-  const signInResponse = await fetch(`${authBaseUrl}/api/auth/sign-in/email`, {
+  const signInResponse = await fetch(`${authBaseUrl}/api/auth/sign-in/username`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
     },
     body: JSON.stringify({
-      email: payload.email,
+      username: payload.username,
       password: payload.password,
     }),
   });
@@ -47,8 +50,15 @@ export async function POST(request: Request) {
   }
 
   const tokenPayload = await tokenResponse.json();
+
+  const dbUser = await prisma.user.findUnique({
+    where: { username: payload.username },
+    select: { requirePasswordChange: true },
+  });
+
   const response = ok({
     accessToken: tokenPayload.token,
+    requirePasswordChange: dbUser?.requirePasswordChange ?? false,
   });
 
   if (cookieHeader) {

package/templates/next-base/src/app/api/v1/auth/me/route.ts

@@ -1,26 +1,24 @@
 import { fail, ok } from "@/lib/api-response";
-
-const authBaseUrl =
-  process.env.BETTER_AUTH_URL ??
-  process.env.NEXT_PUBLIC_APP_URL ??
-  "http://localhost:3000";
+import { getSessionUser } from "@/lib/rbac";
 
 export async function GET(request: Request) {
-  const incomingCookie = request.headers.get("cookie") ?? "";
-
-  const sessionResponse = await fetch(`${authBaseUrl}/api/auth/get-session`, {
-    method: "GET",
-    headers: {
-      cookie: incomingCookie,
-    },
-  });
+  const user = await getSessionUser(request.headers);
 
-  if (!sessionResponse.ok) {
-    return fail("UNAUTHORIZED", "Unauthorized", {
-      status: sessionResponse.status,
-    });
+  if (!user) {
+    return fail("UNAUTHORIZED", "Unauthorized", { status: 401 });
   }
 
-  const payload = await sessionResponse.json();
-  return ok(payload);
+  return ok({
+    user: {
+      id: user.id,
+      username: user.username,
+      displayUsername: user.displayUsername,
+      name: user.name,
+      email: user.email,
+      requirePasswordChange: user.requirePasswordChange,
+      role: user.role
+        ? { id: user.role.id, name: user.role.name, level: user.role.level }
+        : null,
+    },
+  });
 }

package/templates/next-base/src/app/api/v1/users/[id]/route.ts

@@ -0,0 +1,104 @@
+import { updateUserSchema } from "@/features/users/validations";
+import {
+  deleteUserRecord,
+  getUserByIdForActor,
+  updateUserRecord,
+} from "@/features/users/services";
+import { fail, ok } from "@/lib/api-response";
+import {
+  canActOnUser,
+  canAssignRole,
+  getSessionUser,
+  isSuperAdmin,
+} from "@/lib/rbac";
+import prisma from "@/lib/prisma";
+
+type RouteContext = {
+  params: Promise<{ id: string }>;
+};
+
+export async function GET(request: Request, context: RouteContext) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor?.role) {
+    return fail("FORBIDDEN", "Insufficient permissions.", { status: 403 });
+  }
+
+  const { id } = await context.params;
+  const user = await getUserByIdForActor(id, actor.role.level);
+
+  if (!user) {
+    return fail("NOT_FOUND", "User not found.", { status: 404 });
+  }
+
+  return ok(user);
+}
+
+export async function PATCH(request: Request, context: RouteContext) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor?.role) {
+    return fail("FORBIDDEN", "Insufficient permissions.", { status: 403 });
+  }
+
+  const { id } = await context.params;
+  const target = await prisma.user.findUnique({
+    where: { id },
+    include: { role: true },
+  });
+
+  if (!target || !canActOnUser(actor, target)) {
+    return fail("FORBIDDEN", "Cannot modify this user.", { status: 403 });
+  }
+
+  const payload = await request.json().catch(() => null);
+  const parsed = updateUserSchema.safeParse(payload);
+
+  if (!parsed.success) {
+    return fail("VALIDATION_ERROR", "Invalid user payload.", {
+      status: 400,
+      details: parsed.error.flatten(),
+    });
+  }
+
+  if (parsed.data.roleId) {
+    const nextRole = await prisma.role.findUnique({
+      where: { id: parsed.data.roleId },
+    });
+
+    if (!nextRole || !canAssignRole(actor, nextRole)) {
+      return fail("FORBIDDEN", "Cannot assign the requested role.", {
+        status: 403,
+      });
+    }
+  }
+
+  const updated = await updateUserRecord(id, parsed.data);
+  if (!updated) {
+    return fail("NOT_FOUND", "User not found.", { status: 404 });
+  }
+
+  return ok(updated);
+}
+
+export async function DELETE(request: Request, context: RouteContext) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor?.role) {
+    return fail("FORBIDDEN", "Insufficient permissions.", { status: 403 });
+  }
+
+  const { id } = await context.params;
+  const target = await prisma.user.findUnique({
+    where: { id },
+    include: { role: true },
+  });
+
+  if (!target) {
+    return fail("NOT_FOUND", "User not found.", { status: 404 });
+  }
+
+  if (isSuperAdmin(target) || !canActOnUser(actor, target)) {
+    return fail("FORBIDDEN", "Cannot delete this user.", { status: 403 });
+  }
+
+  await deleteUserRecord(id);
+  return ok({ deleted: true });
+}

package/templates/next-base/src/app/api/v1/users/route.ts

@@ -0,0 +1,58 @@
+import { createUserSchema } from "@/features/users/validations";
+import {
+  createUserRecord,
+  listUsersForActor,
+} from "@/features/users/services";
+import { fail, ok } from "@/lib/api-response";
+import { canAssignRole, getSessionUser } from "@/lib/rbac";
+import prisma from "@/lib/prisma";
+
+export async function GET(request: Request) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor?.role) {
+    return fail("FORBIDDEN", "Insufficient permissions.", { status: 403 });
+  }
+
+  const users = await listUsersForActor(actor.role.level);
+  return ok({ items: users });
+}
+
+export async function POST(request: Request) {
+  const actor = await getSessionUser(request.headers);
+  if (!actor?.role) {
+    return fail("FORBIDDEN", "Insufficient permissions.", { status: 403 });
+  }
+
+  const payload = await request.json().catch(() => null);
+  const parsed = createUserSchema.safeParse(payload);
+
+  if (!parsed.success) {
+    return fail("VALIDATION_ERROR", "Invalid user payload.", {
+      status: 400,
+      details: parsed.error.flatten(),
+    });
+  }
+
+  const targetRole = await prisma.role.findUnique({
+    where: { id: parsed.data.roleId },
+  });
+
+  if (!targetRole || !canAssignRole(actor, targetRole)) {
+    return fail("FORBIDDEN", "Cannot assign the requested role.", { status: 403 });
+  }
+
+  const existing = await prisma.user.findUnique({
+    where: { username: parsed.data.username },
+  });
+
+  if (existing) {
+    return fail("CONFLICT", "Username already exists.", { status: 409 });
+  }
+
+  try {
+    const created = await createUserRecord(parsed.data);
+    return ok(created, { status: 201 });
+  } catch {
+    return fail("INTERNAL_ERROR", "Failed to create user.", { status: 500 });
+  }
+}

package/templates/next-base/src/app/globals.css

@@ -1,6 +1,7 @@
 @import "tailwindcss";
 @import "tw-animate-css";
 
+/* nextcli:theme:start — edit brand colors below */
 :root {
   --background: oklch(1 0 0);
   --foreground: oklch(0.145 0 0);
@@ -32,6 +33,7 @@
   --sidebar-ring: oklch(0.708 0 0);
 }
 
+/* nextcli:theme-dark:start */
 .dark {
   --background: oklch(0.145 0 0);
   --foreground: oklch(0.985 0 0);
@@ -61,6 +63,8 @@
   --sidebar-border: oklch(1 0 0 / 10%);
   --sidebar-ring: oklch(0.556 0 0);
 }
+/* nextcli:theme-dark:end */
+/* nextcli:theme:end */
 
 @theme inline {
   --color-background: var(--background);

package/templates/next-base/src/app/layout.tsx

@@ -6,13 +6,17 @@ import { Toaster } from "sonner";
 import type { ReactNode } from "react";
 import { QueryProvider } from "@/components/providers/query-provider";
 import { ThemeProvider } from "@/components/providers/theme-provider";
+import { branding } from "@/config/branding";
 import "@/app/globals.css";
 
-const beVietnamPro = Be_Vietnam_Pro({ subsets: ["latin"] });
+const beVietnamPro = Be_Vietnam_Pro({
+  subsets: ["latin", "vietnamese"],
+  weight: ["400", "500", "600", "700"],
+});
 
 export const metadata: Metadata = {
-  title: "__PROJECT_NAME__",
-  description: "Outsource-ready Next.js scaffolded by NexTCLI",
+  title: branding.projectName,
+  description: branding.description,
 };
 
 export default async function RootLayout({