@zintrust/core 0.1.19 → 0.1.21

package/src/templates/features/Queue.ts.tpl

@@ -1,6 +1,7 @@
 // TEMPLATE_START
 
-import { generateSecureJobId, Logger } from '@zintrust/core';
+import { generateSecureJobId } from '@zintrust/core';
+import { Logger } from '@zintrust/core';
 
 export interface QueueJob {
   id: string;
@@ -43,4 +44,4 @@ export const Queue = Object.freeze({
   },
 });
 
-// TEMPLATE_END
+// TEMPLATE_END

package/src/templates/project/basic/app/Controllers/AuthController.ts.tpl

@@ -0,0 +1,217 @@
+/**
+ * Auth Controller
+ * Minimal, real auth endpoints backing the example API routes.
+ */
+
+import {
+  getString,
+  Auth,
+  Logger,
+  getValidatedBody,
+  useDatabase,
+  QueryBuilder,
+  JwtManager,
+  TokenRevocation
+} from '@zintrust/core';
+import type { AuthControllerApi, JsonRecord, UserRow } from '@app/Types/controller';
+import type { IRequest, IResponse } from '@zintrust/core';
+import User from '@app/Models/User';
+
+
+const pickPublicUser = (row: UserRow): { id: unknown; name: string; email: string } => {
+  return {
+    id: row.id,
+    name: getString(row.name),
+    email: getString(row.email),
+  };
+};
+
+/**
+ * Authenticates a user by email and password.
+ * Validates credentials against the database and returns a JWT access token on success.
+ * Logs all authentication attempts for security auditing.
+ * @param req - HTTP request containing email and password
+ * @param res - HTTP response to send authentication result
+ * @returns Promise that resolves after sending the response
+ */
+async function login(req: IRequest, res: IResponse): Promise<void> {
+  const body = getValidatedBody<JsonRecord>(req);
+  if (!body) {
+    Logger.error('AuthController.login: validation middleware did not populate req.validated.body');
+    return res.setStatus(500).json({ error: 'Internal server error' });
+  }
+  const email = getString(body['email']);
+  const password = getString(body['password']);
+  const ipAddress = req.getRaw().socket.remoteAddress ?? 'unknown';
+
+  try {
+    const existing = await User.where('email', '=', email).limit(1).first<UserRow>();
+
+    if (existing === null) {
+      Logger.warn('AuthController.login: failed login attempt', {
+        email,
+        ip: ipAddress,
+        reason: 'user_not_found',
+        timestamp: new Date().toISOString(),
+      });
+      res.setStatus(401).json({ error: 'Invalid credentials' });
+      return;
+    }
+
+    const passwordHash = getString(existing.password);
+    const ok = await Auth.compare(password, passwordHash);
+    if (!ok) {
+      Logger.warn('AuthController.login: failed login attempt', {
+        email,
+        ip: ipAddress,
+        reason: 'invalid_password',
+        timestamp: new Date().toISOString(),
+      });
+      res.setStatus(401).json({ error: 'Invalid credentials' });
+      return;
+    }
+
+    const user = pickPublicUser(existing);
+
+    const subject = ((): string | undefined => {
+      const id = user.id;
+      if (typeof id === 'string' && id.length > 0) return id;
+      if (typeof id === 'number' && Number.isFinite(id)) return String(id);
+      return undefined;
+    })();
+
+    const token = JwtManager.signAccessToken({
+      sub: subject,
+      email,
+    });
+
+    Logger.info('AuthController.login: successful login', {
+      userId: subject,
+      email,
+      ip: ipAddress,
+      timestamp: new Date().toISOString(),
+    });
+
+    res.json({
+      token,
+      token_type: 'Bearer',
+      user,
+    });
+  } catch (error) {
+    Logger.error('AuthController.login: unexpected error', {
+      email,
+      ip: ipAddress,
+      error: error instanceof Error ? error.message : String(error),
+      timestamp: new Date().toISOString(),
+    });
+    res.setStatus(500).json({ error: 'Login failed' });
+  }
+}
+
+/**
+ * Registers a new user with name, email, and password.
+ * Validates email uniqueness, hashes password, and stores user in database.
+ * Returns 201 on success, 409 if email already exists.
+ * @param req - HTTP request containing name, email, and password
+ * @param res - HTTP response to send registration result
+ * @returns Promise that resolves after sending the response
+ */
+async function register(req: IRequest, res: IResponse): Promise<void> {
+  const body = getValidatedBody<JsonRecord>(req);
+  if (!body) {
+    Logger.error(
+      'AuthController.register: validation middleware did not populate req.validated.body'
+    );
+    res.setStatus(500).json({ error: 'Internal server error' });
+    return;
+  }
+  const name = getString(body['name']);
+  const email = getString(body['email']);
+  const password = getString(body['password']);
+  const ipAddress = req.getRaw().socket.remoteAddress ?? 'unknown';
+
+  try {
+    const db = useDatabase();
+
+    const existing = await QueryBuilder.create('users', db)
+      .where('email', '=', email)
+      .limit(1)
+      .first<UserRow>();
+
+    if (existing !== null) {
+      Logger.warn('AuthController.register: duplicate email attempt', {
+        email,
+        ip: ipAddress,
+        timestamp: new Date().toISOString(),
+      });
+      res.setStatus(409).json({ error: 'Email already registered' });
+      return;
+    }
+
+    const passwordHash = await Auth.hash(password);
+
+    await QueryBuilder.create('users', db).insert({
+      name,
+      email,
+      password: passwordHash,
+    });
+
+    Logger.info('AuthController.register: successful registration', {
+      email,
+      ip: ipAddress,
+      timestamp: new Date().toISOString(),
+    });
+
+    res.setStatus(201).json({ message: 'Registered' });
+  } catch (error) {
+    Logger.error('AuthController.register failed', error);
+    res.setStatus(500).json({ error: 'Registration failed' });
+  }
+}
+
+/**
+ * Logs out the current user by revoking their JWT token.
+ * Extracts authorization header and marks token as revoked.
+ * Requires persistent token revocation store for stateless JWT validation.
+ * @param req - HTTP request containing authorization header with JWT token
+ * @param res - HTTP response to send logout confirmation
+ * @returns Promise that resolves after sending the response
+ */
+async function logout(req: IRequest, res: IResponse): Promise<void> {
+  const authHeader =
+    typeof req.getHeader === 'function' ? req.getHeader('authorization') : undefined;
+  TokenRevocation.revoke(authHeader);
+  res.json({ message: 'Logged out' });
+}
+
+/**
+ * Refreshes the user's JWT access token.
+ * Generates a new token with the same claims as the current user.
+ * Returns 401 if user is not authenticated.
+ * @param req - HTTP request with user populated by authentication middleware
+ * @param res - HTTP response to send refreshed token
+ * @returns Promise that resolves after sending the response
+ */
+async function refresh(req: IRequest, res: IResponse): Promise<void> {
+  const user = req.user;
+  if (user === undefined) {
+    res.setStatus(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  const token = JwtManager.signAccessToken(user);
+  res.json({ token, token_type: 'Bearer' });
+}
+
+export const AuthController = Object.freeze({
+  create(): AuthControllerApi {
+    return {
+      login,
+      register,
+      logout,
+      refresh,
+    };
+  },
+});
+
+export default AuthController;

package/src/templates/project/basic/app/Controllers/UserController.ts.tpl

@@ -5,19 +5,8 @@
 
 import { User } from '@app/Models/User';
 import { IRequest, Logger, IResponse } from '@zintrust/core';
+import { IUserController } from '@app/Types/controller';
 
-/**
- * User Controller Interface
- */
-export interface IUserController {
-  index(req: IRequest, res: IResponse): Promise<void>;
-  show(req: IRequest, res: IResponse): Promise<void>;
-  create(req: IRequest, res: IResponse): Promise<void>;
-  store(req: IRequest, res: IResponse): Promise<void>;
-  edit(req: IRequest, res: IResponse): Promise<void>;
-  update(req: IRequest, res: IResponse): Promise<void>;
-  destroy(req: IRequest, res: IResponse): Promise<void>;
-}
 
 /**
  * User Controller Methods

package/src/templates/project/basic/app/Types/controller.ts.tpl

@@ -0,0 +1,46 @@
+import type { IRequest, IResponse } from '@zintrust/core';
+
+export type JsonRecord = Record<string, unknown>;
+
+export type LoginBody = {
+  email: string;
+  password: string;
+};
+
+export type RegisterBody = {
+  name: string;
+  email: string;
+  password: string;
+};
+
+export type UserRow = {
+  id?: unknown;
+  name?: unknown;
+  email?: unknown;
+  password?: unknown;
+};
+export type AuthControllerApi = {
+  login(req: IRequest, res: IResponse): Promise<void>;
+  register(req: IRequest, res: IResponse): Promise<void>;
+  logout(req: IRequest, res: IResponse): Promise<void>;
+  refresh(req: IRequest, res: IResponse): Promise<void>;
+};
+
+export type ValidationErrorLike = {
+  name?: unknown;
+  toObject?: () => Record<string, string[]>;
+};
+
+/**
+ * User Controller Interface
+ */
+export interface IUserController {
+  index(req: IRequest, res: IResponse): Promise<void>;
+  show(req: IRequest, res: IResponse): Promise<void>;
+  create(req: IRequest, res: IResponse): Promise<void>;
+  store(req: IRequest, res: IResponse): Promise<void>;
+  fill(req: IRequest, res: IResponse): Promise<void>;
+  edit(req: IRequest, res: IResponse): Promise<void>;
+  update(req: IRequest, res: IResponse): Promise<void>;
+  destroy(req: IRequest, res: IResponse): Promise<void>;
+}

package/src/templates/project/basic/config/FileLogWriter.ts.tpl

@@ -1,240 +1,9 @@
 /**
- * FileLogWriter (Node.js only)
+ * FileLogWriter (template)
  *
- * Provides best-effort file logging with daily + size-based rotation.
- * This module imports Node built-ins and should be loaded only in Node environments.
+ * Keep this file declarative:
+ * - Core owns Node-specific file logging implementation.
  */
 
-import { ensureDirSafe } from '@zintrust/core';
-import { Env } from '@zintrust/core';
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-
-const getCwdSafe = (): string => {
-  try {
-    if (typeof process === 'undefined' || typeof process.cwd !== 'function') return '';
-    return process.cwd();
-  } catch {
-    return '';
-  }
-};
-
-const getDateStr = (d: Date): string => d.toISOString().slice(0, 10);
-
-const isAppLogFile = (fileName: string): boolean =>
-  fileName.startsWith('app-') && fileName.endsWith('.log');
-
-const parseDateFromLogFilename = (fileName: string): number | null => {
-  const match = /^app-(\d{4}-\d{2}-\d{2})(?:-\d+)?\.log$/.exec(fileName);
-  if (match?.[1] === undefined) return null;
-
-  const parsed = Date.parse(`${match[1]}T00:00:00.000Z`);
-  return Number.isNaN(parsed) ? null : parsed;
-};
-
-const isOlderThanCutoffByMtime = (fullPath: string, cutoff: number): boolean => {
-  try {
-    const stat = fs.statSync(fullPath);
-    return stat.mtime.getTime() < cutoff;
-  } catch {
-    return false;
-  }
-};
-
-const safeUnlink = (fullPath: string): void => {
-  try {
-    fs.unlinkSync(fullPath);
-  } catch {
-    // best-effort
-  }
-};
-
-const readDirSafe = (dirPath: string): string[] => {
-  try {
-    return fs.readdirSync(dirPath);
-  } catch {
-    return [];
-  }
-};
-
-const shouldDeleteLogFile = (fileName: string, fullPath: string, cutoff: number): boolean => {
-  const parsed = parseDateFromLogFilename(fileName);
-  if (parsed !== null) return parsed < cutoff;
-
-  return isOlderThanCutoffByMtime(fullPath, cutoff);
-};
-
-const cleanupOldLogs = (logsDir: string, keepDays: number): void => {
-  if (keepDays <= 0) return;
-
-  const cutoff = Date.now() - keepDays * 24 * 60 * 60 * 1000;
-  const files = readDirSafe(logsDir);
-  if (files.length === 0) return;
-
-  for (const fileName of files) {
-    if (!isAppLogFile(fileName)) continue;
-
-    const fullPath = path.join(logsDir, fileName);
-    if (!shouldDeleteLogFile(fileName, fullPath, cutoff)) continue;
-
-    safeUnlink(fullPath);
-  }
-};
-
-type CleanOnceOptions = {
-  logsDir?: string;
-  keepDays?: number;
-  maxTotalSize?: number;
-  keepFiles?: number;
-};
-
-const listAppLogFiles = (
-  logsDir: string,
-  order: 'newest-first' | 'oldest-first'
-): Array<{ name: string; path: string }> => {
-  const files = readDirSafe(logsDir)
-    .filter((f) => isAppLogFile(f))
-    .map((f) => ({ name: f, path: path.join(logsDir, f) }));
-
-  return files.sort((a, b) => {
-    if (a.name === b.name) return 0;
-    const newerFirst = a.name < b.name ? 1 : -1;
-    return order === 'newest-first' ? newerFirst : -newerFirst;
-  });
-};
-
-const enforceKeepFilesPolicy = (
-  filesNewestFirst: Array<{ name: string; path: string }>,
-  keepFiles: number | undefined,
-  deleted: string[]
-): void => {
-  if (typeof keepFiles !== 'number' || keepFiles < 0) return;
-  if (filesNewestFirst.length <= keepFiles) return;
-
-  const toDelete = filesNewestFirst.slice(keepFiles);
-  for (const f of toDelete) {
-    safeUnlink(f.path);
-    deleted.push(f.path);
-  }
-};
-
-const getFileSizesTotal = (
-  filesOldestFirst: Array<{ name: string; path: string }>
-): { total: number; sizes: Array<{ path: string; size: number }> } => {
-  let total = 0;
-  const sizes: Array<{ path: string; size: number }> = [];
-
-  for (const file of filesOldestFirst) {
-    try {
-      const stat = fs.statSync(file.path);
-      sizes.push({ path: file.path, size: stat.size });
-      total += stat.size;
-    } catch {
-      // ignore
-    }
-  }
-
-  return { total, sizes };
-};
-
-const deleteOldestUntilWithinLimit = (
-  sizesOldestFirst: Array<{ path: string; size: number }>,
-  maxTotalSize: number,
-  deleted: string[],
-  initialTotal: number
-): void => {
-  let total = initialTotal;
-
-  let idx = 0;
-  while (total > maxTotalSize && idx < sizesOldestFirst.length) {
-    const del = sizesOldestFirst[idx];
-    safeUnlink(del.path);
-    deleted.push(del.path);
-    total -= del.size;
-    idx++;
-  }
-};
-
-const enforceMaxTotalSizePolicy = (
-  logsDir: string,
-  maxTotalSize: number | undefined,
-  deleted: string[]
-): void => {
-  if (typeof maxTotalSize !== 'number' || maxTotalSize <= 0) return;
-
-  const remainingOldestFirst = listAppLogFiles(logsDir, 'oldest-first');
-  const { total, sizes } = getFileSizesTotal(remainingOldestFirst);
-  deleteOldestUntilWithinLimit(sizes, maxTotalSize, deleted, total);
-};
-
-/**
- * Clean log files with additional retention policies.
- * Returns an array of deleted file paths for auditing/tests.
- */
-export const cleanOnce = (options?: CleanOnceOptions): string[] => {
-  const cwd = getCwdSafe();
-  if (cwd === '') return [];
-
-  const logsDir = options?.logsDir ?? path.join(cwd, 'logs');
-  const keepDays = options?.keepDays ?? Env.LOG_ROTATION_DAYS;
-  const maxTotalSize = options?.maxTotalSize ?? Env.getInt('LOG_MAX_TOTAL_SIZE', 0);
-  const keepFiles = options?.keepFiles ?? Env.getInt('LOG_KEEP_FILES', 0);
-
-  // Step 1: delete by age
-  cleanupOldLogs(logsDir, keepDays);
-
-  const deleted: string[] = [];
-
-  // Step 2: enforce keepFiles (keep newest N files)
-  const filesNewestFirst = listAppLogFiles(logsDir, 'newest-first');
-  enforceKeepFilesPolicy(filesNewestFirst, keepFiles, deleted);
-
-  // Step 3: enforce max total size
-  enforceMaxTotalSizePolicy(logsDir, maxTotalSize, deleted);
-
-  return deleted;
-};
-
-const rotateIfNeeded = (logFile: string, maxSizeBytes: number): void => {
-  if (maxSizeBytes <= 0) return;
-
-  try {
-    if (!fs.existsSync(logFile)) return;
-
-    const stat = fs.statSync(logFile);
-    if (stat.size <= maxSizeBytes) return;
-
-    const ext = '.log';
-    const base = logFile.endsWith(ext) ? logFile.slice(0, -ext.length) : logFile;
-    const rotated = `${base}-${Date.now()}${ext}`;
-    fs.renameSync(logFile, rotated);
-  } catch {
-    // best-effort
-  }
-};
-
-export const FileLogWriter = Object.freeze({
-  write(line: string): void {
-    const cwd = getCwdSafe();
-    if (cwd === '') return;
-
-    const logsDir = path.join(cwd, 'logs');
-    ensureDirSafe(logsDir);
-
-    const dateStr = getDateStr(new Date());
-    const logFile = path.join(logsDir, `app-${dateStr}.log`);
-
-    rotateIfNeeded(logFile, Env.LOG_ROTATION_SIZE);
-
-    try {
-      fs.appendFileSync(logFile, `${line}\n`);
-    } catch {
-      // best-effort
-      return;
-    }
-
-    cleanupOldLogs(logsDir, Env.LOG_ROTATION_DAYS);
-  },
-});
-
-export default FileLogWriter;
+export { cleanOnce, FileLogWriter } from '@zintrust/core/node';
+export { FileLogWriter as default } from '@zintrust/core/node';