@thinhnguyencth1204/nextcli 0.8.0 → 0.9.0

package/templates/next-base/src/lib/api/response.ts

@@ -0,0 +1,45 @@
+import { NextResponse } from "next/server";
+import type { ApiErrorResponse, ApiMeta, ApiSuccess, ErrorCode } from "@/types";
+
+type SuccessInit = {
+  status?: number;
+  requestId?: string;
+  meta?: Omit<ApiMeta, "timestamp" | "requestId">;
+};
+
+type FailInit = {
+  status?: number;
+  requestId?: string;
+  details?: unknown;
+};
+
+function createTimestamp(): string {
+  return new Date().toISOString();
+}
+
+export function ok<T>(data: T, init: SuccessInit = {}) {
+  const payload: ApiSuccess<T> = {
+    success: true,
+    data,
+    meta: {
+      timestamp: createTimestamp(),
+      requestId: init.requestId,
+      ...init.meta,
+    },
+  };
+  return NextResponse.json(payload, { status: init.status ?? 200 });
+}
+
+export function fail(code: ErrorCode, message: string, init: FailInit = {}) {
+  const payload: ApiErrorResponse = {
+    success: false,
+    error: {
+      code,
+      message,
+      details: init.details,
+    },
+    timestamp: createTimestamp(),
+    requestId: init.requestId,
+  };
+  return NextResponse.json(payload, { status: init.status ?? 500 });
+}

package/templates/next-base/src/lib/api/token-store.ts

@@ -0,0 +1,13 @@
+let accessToken: string | null = null;
+
+export function getAccessToken(): string | null {
+  return accessToken;
+}
+
+export function setAccessToken(token: string | null): void {
+  accessToken = token;
+}
+
+export function clearAccessToken(): void {
+  accessToken = null;
+}

package/templates/next-base/src/lib/auth/bootstrap.ts

@@ -0,0 +1,95 @@
+import type { PrismaClient } from "@prisma/client";
+import {
+  ADMIN_ROLE_LEVEL,
+  ADMIN_ROLE_NAME,
+  DEFAULT_ADMIN_PASSWORD,
+  INTERNAL_EMAIL_DOMAIN,
+  SUPER_ADMIN_USERNAME,
+} from "@/lib/constants";
+import { auth } from "@/lib/auth";
+import prisma from "@/lib/db/prisma";
+
+function hasRoleModel(client: PrismaClient): boolean {
+  const delegate = (
+    client as PrismaClient & { role?: { findUnique?: unknown } }
+  ).role;
+  return typeof delegate?.findUnique === "function";
+}
+
+function logBootstrapSkip(message: string): void {
+  console.warn(`[bootstrap] ${message}`);
+}
+
+export async function runBootstrap(): Promise<void> {
+  if (!hasRoleModel(prisma)) {
+    logBootstrapSkip(
+      "Prisma client is missing the Role model. Run: bun run db:generate && bun run db:migrate",
+    );
+    return;
+  }
+
+  try {
+    let adminRole = await prisma.role.findUnique({
+      where: { name: ADMIN_ROLE_NAME },
+    });
+
+    if (!adminRole) {
+      adminRole = await prisma.role.create({
+        data: {
+          name: ADMIN_ROLE_NAME,
+          level: ADMIN_ROLE_LEVEL,
+        },
+      });
+    }
+
+    const existingAdmin = await prisma.user.findUnique({
+      where: { username: SUPER_ADMIN_USERNAME },
+    });
+
+    if (existingAdmin) {
+      if (!existingAdmin.roleId) {
+        await prisma.user.update({
+          where: { id: existingAdmin.id },
+          data: { roleId: adminRole.id },
+        });
+      }
+      return;
+    }
+
+    try {
+      await auth.api.signUpEmail({
+        body: {
+          email: `${SUPER_ADMIN_USERNAME}@${INTERNAL_EMAIL_DOMAIN}`,
+          password: DEFAULT_ADMIN_PASSWORD,
+          name: "Administrator",
+          username: SUPER_ADMIN_USERNAME,
+          displayUsername: SUPER_ADMIN_USERNAME,
+        },
+      });
+    } catch {
+      // User may already exist from a partial bootstrap run.
+    }
+
+    const adminUser = await prisma.user.findUnique({
+      where: { username: SUPER_ADMIN_USERNAME },
+    });
+
+    if (!adminUser) {
+      return;
+    }
+
+    await prisma.user.update({
+      where: { id: adminUser.id },
+      data: {
+        roleId: adminRole.id,
+        requirePasswordChange: true,
+      },
+    });
+  } catch (error) {
+    const message =
+      error instanceof Error ? error.message : "Unknown bootstrap error";
+    logBootstrapSkip(
+      `Skipped admin seed (${message}). Ensure Postgres is running and run: bun run db:migrate`,
+    );
+  }
+}

package/templates/next-base/src/lib/auth/client.ts

@@ -0,0 +1,7 @@
+import { createAuthClient } from "better-auth/react";
+import { jwtClient, usernameClient } from "better-auth/client/plugins";
+
+export const authClient = createAuthClient({
+  baseURL: process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
+  plugins: [jwtClient(), usernameClient()],
+});

package/templates/next-base/src/lib/auth/cookies.ts

@@ -0,0 +1,15 @@
+const refreshCookieName = "nextcli_refresh_token";
+
+export function refreshCookieOptions() {
+  return {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 30,
+  } as const;
+}
+
+export function getRefreshCookieName(): string {
+  return refreshCookieName;
+}

package/templates/next-base/src/lib/auth/index.ts

@@ -0,0 +1 @@
+export { auth } from "./server";

package/templates/next-base/src/lib/auth/rbac.ts

@@ -0,0 +1,59 @@
+import { headers } from "next/headers";
+import type { Role, User } from "@prisma/client";
+import { auth } from "@/lib/auth";
+import prisma from "@/lib/db/prisma";
+import { SUPER_ADMIN_USERNAME } from "@/lib/constants";
+
+export type SessionUser = User & { role: Role | null };
+
+export async function getSessionUser(
+  requestHeaders?: Headers,
+): Promise<SessionUser | null> {
+  const session = await auth.api.getSession({
+    headers: requestHeaders ?? (await headers()),
+  });
+
+  if (!session?.user?.id) {
+    return null;
+  }
+
+  return prisma.user.findUnique({
+    where: { id: session.user.id },
+    include: { role: true },
+  });
+}
+
+export function isSuperAdmin(user: Pick<User, "username">): boolean {
+  return user.username === SUPER_ADMIN_USERNAME;
+}
+
+export function canActOnUser(actor: SessionUser, target: SessionUser): boolean {
+  if (isSuperAdmin(target)) {
+    return false;
+  }
+
+  if (!actor.role || !target.role) {
+    return false;
+  }
+
+  return actor.role.level > target.role.level;
+}
+
+export function canAssignRole(
+  actor: SessionUser,
+  targetRole: Pick<Role, "level">,
+): boolean {
+  if (!actor.role) {
+    return false;
+  }
+
+  return actor.role.level > targetRole.level;
+}
+
+export function requireAuthenticated(
+  user: SessionUser | null,
+): asserts user is SessionUser {
+  if (!user) {
+    throw new Error("UNAUTHORIZED");
+  }
+}

package/templates/next-base/src/lib/auth/server.ts

@@ -0,0 +1,21 @@
+import { betterAuth } from "better-auth/minimal";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { jwt, username } from "better-auth/plugins";
+import prisma from "@/lib/db/prisma";
+
+const socialProviders = {
+  // AUTO_GENERATED_AUTH_PROVIDERS_START
+  // AUTO_GENERATED_AUTH_PROVIDERS_END
+};
+
+export const auth = betterAuth({
+  database: prismaAdapter(prisma, {
+    provider: "postgresql",
+  }),
+  plugins: [jwt(), username()],
+  emailAndPassword: {
+    enabled: true,
+    minPasswordLength: 8,
+  },
+  socialProviders,
+});

package/templates/next-base/src/lib/constants.ts

@@ -0,0 +1,10 @@
+/** Built-in super-admin account username — protected from RBAC mutations. */
+export const SUPER_ADMIN_USERNAME = "admin";
+
+/** Dev-only bootstrap password (≥8 chars for Better Auth). Change on first login. */
+export const DEFAULT_ADMIN_PASSWORD = "admin1234";
+
+export const ADMIN_ROLE_NAME = "admin";
+export const ADMIN_ROLE_LEVEL = 100;
+
+export const INTERNAL_EMAIL_DOMAIN = "internal.local";

package/templates/next-base/src/lib/db/prisma.ts

@@ -0,0 +1,23 @@
+import { PrismaPg } from "@prisma/adapter-pg";
+import { PrismaClient } from "@prisma/client";
+import { Pool } from "pg";
+
+declare global {
+  var prisma: PrismaClient | undefined;
+}
+
+const connectionString = process.env.DATABASE_URL;
+if (!connectionString) {
+  throw new Error(
+    "DATABASE_URL is missing. Please set it in your environment.",
+  );
+}
+
+const adapter = new PrismaPg(new Pool({ connectionString }));
+const prisma = global.prisma ?? new PrismaClient({ adapter });
+
+if (process.env.NODE_ENV !== "production") {
+  global.prisma = prisma;
+}
+
+export default prisma;

package/templates/next-base/src/lib/prisma.ts

@@ -0,0 +1,23 @@
+import { PrismaPg } from "@prisma/adapter-pg";
+import { PrismaClient } from "@prisma/client";
+import { Pool } from "pg";
+
+declare global {
+  var prisma: PrismaClient | undefined;
+}
+
+const connectionString = process.env.DATABASE_URL;
+if (!connectionString) {
+  throw new Error(
+    "DATABASE_URL is missing. Please set it in your environment.",
+  );
+}
+
+const adapter = new PrismaPg(new Pool({ connectionString }));
+const prisma = global.prisma ?? new PrismaClient({ adapter });
+
+if (process.env.NODE_ENV !== "production") {
+  global.prisma = prisma;
+}
+
+export default prisma;

package/templates/next-base/src/lib/supabase/client.ts

@@ -0,0 +1,6 @@
+import { createClient } from "@supabase/supabase-js";
+
+const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+const anonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+export const supabase = url && anonKey ? createClient(url, anonKey) : null;

package/templates/next-base/src/lib/supabase/rich-text-image-sync.ts

@@ -0,0 +1,28 @@
+import { removeResource } from "@/lib/supabase/storage";
+import {
+  isSupabaseManagedImageUrl,
+  syncRemovedRichTextImages,
+  type RemoveManagedImageFn,
+} from "@/lib/rich-text";
+import type { SerializedEditorState } from "lexical";
+
+export const removeSupabaseManagedImage: RemoveManagedImageFn = async (
+  _url,
+  ref,
+) => {
+  await removeResource(ref.path, ref.bucket);
+};
+
+/**
+ * Deletes Supabase storage objects for images removed from rich text content.
+ * Only URLs belonging to this project's configured Supabase bucket are removed.
+ */
+export async function syncRemovedSupabaseRichTextImages(
+  previous: SerializedEditorState | null | undefined,
+  next: SerializedEditorState | null | undefined,
+) {
+  return syncRemovedRichTextImages(previous, next, {
+    isManagedUrl: isSupabaseManagedImageUrl,
+    removeManagedImage: removeSupabaseManagedImage,
+  });
+}

package/templates/next-base/src/lib/supabase/storage-config.ts

@@ -0,0 +1,69 @@
+export const DEFAULT_STORAGE_BUCKET =
+  process.env.NEXT_PUBLIC_SUPABASE_STORAGE_BUCKET?.trim() || "public";
+
+export const STORAGE_RESOURCE_CATEGORIES = [
+  "images",
+  "documents",
+  "avatars",
+  "misc",
+] as const;
+
+export type StorageResourceCategory =
+  (typeof STORAGE_RESOURCE_CATEGORIES)[number];
+
+const CATEGORY_DEFAULTS: Record<
+  StorageResourceCategory,
+  { maxBytes: number; allowedMimePrefixes: string[] }
+> = {
+  images: { maxBytes: 5 * 1024 * 1024, allowedMimePrefixes: ["image/"] },
+  documents: {
+    maxBytes: 10 * 1024 * 1024,
+    allowedMimePrefixes: [
+      "application/pdf",
+      "application/msword",
+      "application/vnd.",
+      "text/",
+    ],
+  },
+  avatars: { maxBytes: 2 * 1024 * 1024, allowedMimePrefixes: ["image/"] },
+  misc: { maxBytes: 10 * 1024 * 1024, allowedMimePrefixes: [] },
+};
+
+export function getStorageCategoryDefaults(category: StorageResourceCategory) {
+  return CATEGORY_DEFAULTS[category];
+}
+
+export function sanitizeStorageFileName(fileName: string): string {
+  const base = fileName.split(/[/\\]/).pop() ?? "file";
+  const sanitized = base
+    .normalize("NFKD")
+    .replace(/[^\w.\-]+/g, "-")
+    .replace(/-+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, 120);
+
+  return sanitized || "file";
+}
+
+function sanitizeStorageScope(scope: string): string {
+  const sanitized = scope
+    .trim()
+    .replace(/[^a-zA-Z0-9_-]/g, "-")
+    .replace(/-+/g, "-")
+    .slice(0, 64);
+
+  return sanitized || "shared";
+}
+
+export function buildStorageObjectPath(input: {
+  scope: string;
+  category: StorageResourceCategory;
+  fileName: string;
+  uniqueId?: string;
+}): string {
+  const scope = sanitizeStorageScope(input.scope);
+  const uniqueId = input.uniqueId ?? crypto.randomUUID();
+  const safeName = sanitizeStorageFileName(input.fileName);
+
+  return `${scope}/${input.category}/${uniqueId}-${safeName}`;
+}

package/templates/next-base/src/lib/supabase/storage.ts

@@ -0,0 +1,164 @@
+import { supabase } from "@/lib/supabase/client";
+import {
+  DEFAULT_STORAGE_BUCKET,
+  buildStorageObjectPath,
+  getStorageCategoryDefaults,
+  type StorageResourceCategory,
+} from "@/lib/supabase/storage-config";
+
+export type UploadResourceInput = {
+  file: File | Blob;
+  fileName: string;
+  /** Tenant/user/feature namespace, e.g. user id or `shared`. */
+  scope: string;
+  category?: StorageResourceCategory;
+  bucket?: string;
+  upsert?: boolean;
+  cacheControl?: string;
+  contentType?: string;
+};
+
+export type UploadResourceResult = {
+  bucket: string;
+  path: string;
+  publicUrl: string;
+};
+
+export class StorageHelperError extends Error {
+  constructor(
+    message: string,
+    readonly code:
+      | "NOT_CONFIGURED"
+      | "VALIDATION"
+      | "UPLOAD_FAILED"
+      | "REMOVE_FAILED",
+    readonly cause?: unknown,
+  ) {
+    super(message);
+    this.name = "StorageHelperError";
+  }
+}
+
+function getClient() {
+  if (!supabase) {
+    throw new StorageHelperError(
+      "Supabase is not configured. Set NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY.",
+      "NOT_CONFIGURED",
+    );
+  }
+
+  return supabase;
+}
+
+function resolveContentType(
+  file: File | Blob,
+  override?: string,
+): string | undefined {
+  if (override) {
+    return override;
+  }
+
+  if (file instanceof File && file.type) {
+    return file.type;
+  }
+
+  return undefined;
+}
+
+function assertCategoryRules(
+  category: StorageResourceCategory,
+  file: File | Blob,
+  contentType?: string,
+): void {
+  const { maxBytes, allowedMimePrefixes } =
+    getStorageCategoryDefaults(category);
+
+  if (file.size > maxBytes) {
+    throw new StorageHelperError(
+      `File exceeds ${category} limit of ${maxBytes} bytes.`,
+      "VALIDATION",
+    );
+  }
+
+  if (allowedMimePrefixes.length === 0) {
+    return;
+  }
+
+  const mime = contentType ?? (file instanceof File ? file.type : "");
+
+  if (!mime || !allowedMimePrefixes.some((prefix) => mime.startsWith(prefix))) {
+    throw new StorageHelperError(
+      `File type "${mime || "unknown"}" is not allowed for category "${category}".`,
+      "VALIDATION",
+    );
+  }
+}
+
+export function getResourcePublicUrl(
+  path: string,
+  bucket: string = DEFAULT_STORAGE_BUCKET,
+): string {
+  const client = getClient();
+  const { data } = client.storage.from(bucket).getPublicUrl(path);
+
+  return data.publicUrl;
+}
+
+export async function uploadResource(
+  input: UploadResourceInput,
+): Promise<UploadResourceResult> {
+  const client = getClient();
+  const bucket = input.bucket ?? DEFAULT_STORAGE_BUCKET;
+  const category = input.category ?? "images";
+  const contentType = resolveContentType(input.file, input.contentType);
+
+  assertCategoryRules(category, input.file, contentType);
+
+  const path = buildStorageObjectPath({
+    scope: input.scope,
+    category,
+    fileName: input.fileName,
+  });
+
+  const { error } = await client.storage.from(bucket).upload(path, input.file, {
+    contentType,
+    cacheControl: input.cacheControl ?? "3600",
+    upsert: input.upsert ?? false,
+  });
+
+  if (error) {
+    throw new StorageHelperError(
+      error.message || "Upload failed.",
+      "UPLOAD_FAILED",
+      error,
+    );
+  }
+
+  return {
+    bucket,
+    path,
+    publicUrl: getResourcePublicUrl(path, bucket),
+  };
+}
+
+export async function uploadImage(
+  input: Omit<UploadResourceInput, "category">,
+): Promise<UploadResourceResult> {
+  return uploadResource({ ...input, category: "images" });
+}
+
+export async function removeResource(
+  path: string,
+  bucket: string = DEFAULT_STORAGE_BUCKET,
+): Promise<void> {
+  const client = getClient();
+  const { error } = await client.storage.from(bucket).remove([path]);
+
+  if (error) {
+    throw new StorageHelperError(
+      error.message || "Remove failed.",
+      "REMOVE_FAILED",
+      error,
+    );
+  }
+}

package/templates/next-base/src/types/data-table.ts

@@ -0,0 +1,4 @@
+export type DataTablePaginationState = {
+  pageIndex: number;
+  pageSize: number;
+};