abdellah0l-stack 1.0.2 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "abdellah0l-stack",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Scaffold a Next.js project with TypeScript, tRPC, Drizzle, Better-Auth, Arcjet, and Vercel AI SDK",
   "bin": {
     "abdellah0l-stack": "./bin/cli.js"

package/template/.env.example

@@ -1,9 +1,6 @@
 # Database (Neon PostgreSQL)
 DATABASE_URL=
 
-# Node Environment
-NODE_ENV="development"
-
 # Better Auth
 BETTER_AUTH_SECRET=
 BETTER_AUTH_URL=http://localhost:3000
@@ -25,6 +22,3 @@ AI_GATEWAY_API_KEY=
 
 # UploadThing (File Uploads)
 UPLOADTHING_TOKEN=
-
-# App URL
-NEXT_PUBLIC_APP_URL=http://localhost:3000

package/template/package.json

@@ -11,6 +11,7 @@
     "db:migrate": "drizzle-kit migrate",
     "db:studio": "drizzle-kit studio",
     "db:push": "drizzle-kit push",
+    "auth:generate": "npx @better-auth/cli@latest generate --config ./src/lib/auth.ts --output ./src/drizzle/schema/new-auth-schema.ts --yes",
     "lint": "eslint"
   },
   "dependencies": {
@@ -59,4 +60,4 @@
     "tsx": "^4.20.6",
     "typescript": "^5"
   }
-}
+}

package/template/src/app/api/v1/auth/[...all]/route.ts

@@ -1,5 +1,105 @@
-import { auth } from "@/lib/auth"; 
-import { toNextJsHandler } from "better-auth/next-js";
+import { auth, getSession } from '@/lib/auth';
+import { toNextJsHandler } from "better-auth/next-js"
+import arcjet, {
+  BotOptions,
+  detectBot,
+  EmailOptions,
+  protectSignup,
+  shield,
+  slidingWindow,
+  SlidingWindowRateLimitOptions,
+} from "@arcjet/next"
+import { env } from '@/data/env/server';
 
-export const { POST, GET } = toNextJsHandler(auth);
+const aj = arcjet({
+  key: env.ARCJET_KEY!,
+  characteristics: ["userId"],
+  rules: [shield({ mode: "LIVE" })],
+})
+
+const botSettings = {
+  mode: "LIVE",
+  allow: [],
+} satisfies BotOptions
+const restrictiveRateLimitSettings = {
+  mode: "LIVE",
+  max: 10,
+  interval: "10m",
+} satisfies SlidingWindowRateLimitOptions<[]>
+const laxRateLimitSettings = {
+  mode: "LIVE",
+  max: 60,
+  interval: "1m",
+} satisfies SlidingWindowRateLimitOptions<[]>
+const emailSettings = {
+  mode: "LIVE",
+  block: ["DISPOSABLE", "INVALID", "NO_MX_RECORDS"],
+} satisfies EmailOptions
+
+const authHandlers = toNextJsHandler(auth)
+export const { GET } = authHandlers
+
+export async function POST(request: Request) {
+  const clonedRequest = request.clone()
+  const decision = await checkArcjet(request)
+
+  if (decision.isDenied()) {
+    if (decision.reason.isRateLimit()) {
+      return new Response(null, { status: 429 })
+    } else if (decision.reason.isEmail()) {
+      let message: string
+
+      if (decision.reason.emailTypes.includes("INVALID")) {
+        message = "Email address format is invalid."
+      } else if (decision.reason.emailTypes.includes("DISPOSABLE")) {
+        message = "Disposable email addresses are not allowed."
+      } else if (decision.reason.emailTypes.includes("NO_MX_RECORDS")) {
+        message = "Email domain is not valid."
+      } else {
+        message = "Invalid email."
+      }
+
+      return Response.json({ message }, { status: 400 })
+    } else {
+      return new Response(null, { status: 403 })
+    }
+  }
+
+  return authHandlers.POST(clonedRequest)
+}
+
+async function checkArcjet(request: Request) {
+  const body = (await request.json()) as unknown
+  const session = await getSession();
+  const userId = session?.user.id  || "127.0.0.1";
+
+  if (request.url.endsWith("/auth/sign-up/email")) {
+    if (
+      body &&
+      typeof body === "object" &&
+      "email" in body &&
+      typeof body.email === "string"
+    ) {
+      return aj
+        .withRule(
+          protectSignup({
+            email: emailSettings,
+            bots: botSettings,
+            rateLimit: restrictiveRateLimitSettings,
+          })
+        )
+        .protect(request, { email: body.email, userId })
+    } else {
+      return aj
+        .withRule(detectBot(botSettings))
+        .withRule(slidingWindow(restrictiveRateLimitSettings))
+        .protect(request, { userId })
+    }
+  }
+
+  return aj
+    .withRule(detectBot(botSettings))
+    .withRule(slidingWindow(laxRateLimitSettings))
+    .protect(request, { userId })
+}
 

package/template/src/server/routers/posts.ts

@@ -37,7 +37,7 @@ export const postsRouter = router({
         .values({
           title: input.title,
           content: input.content,
-          userId: ctx.user.id,
+          userId: ctx.session.user.id,
         })
         .returning();
       return post;
@@ -58,7 +58,7 @@ export const postsRouter = router({
         .from(posts)
         .where(eq(posts.id, input.id));
 
-      if (!existing || existing.userId !== ctx.user.id) {
+      if (!existing || existing.userId !== ctx.session.user.id) {
         throw new Error("Not authorized");
       }
 
@@ -83,7 +83,7 @@ export const postsRouter = router({
         .from(posts)
         .where(eq(posts.id, input.id));
 
-      if (!existing || existing.userId !== ctx.user.id) {
+      if (!existing || existing.userId !== ctx.session.user.id) {
         throw new Error("Not authorized");
       }
 

package/template/src/server/routers/users.ts

@@ -3,7 +3,6 @@ import { router, publicProcedure, protectedProcedure } from "../trpc";
 import { db } from "@/drizzle/db";
 import { user } from "@/drizzle/schema/auth-schema";
 import { eq } from "drizzle-orm";
-import { session } from '../../drizzle/schema/auth-schema';
 
 // this is an example router file for managing users
 // the ctx in protectedProcedure contains the authenticated user's session info