ar-saas 0.1.0

package/templates/backend/src/modules/auth/auth.controller.ts

@@ -0,0 +1,158 @@
+import {
+  Body,
+  Controller,
+  Get,
+  HttpCode,
+  HttpStatus,
+  Post,
+  Query,
+  Res,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import type { Response } from 'express';
+import { CurrentUser } from '../../common/decorators/current-user.decorator';
+import type { TokenPayload } from '../../common/decorators/current-user.decorator';
+import { Cookie } from '../../common/decorators/cookie.decorator';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthService } from './auth.service';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { LoginDto } from './dto/login.dto';
+import { RefreshTokenDto } from './dto/refresh-token.dto';
+import { RegisterDto } from './dto/register.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+import { VerifyEmailDto } from './dto/verify-email.dto';
+
+@ApiTags('Auth')
+@Controller('auth')
+export class AuthController {
+  private readonly refreshCookiePath: string;
+
+  constructor(
+    private readonly authService: AuthService,
+    private readonly configService: ConfigService,
+  ) {
+    const prefix = this.configService.get<string>('API_PREFIX', 'api');
+    this.refreshCookiePath = `/${prefix}/auth/refresh`;
+  }
+
+  @Post('register')
+  @HttpCode(HttpStatus.CREATED)
+  @ApiOperation({ summary: 'Registrar nuevo usuario y workspace' })
+  register(@Body() dto: RegisterDto) {
+    return this.authService.register(dto);
+  }
+
+  @Get('verify-email')
+  @ApiOperation({ summary: 'Verificar email con token' })
+  verifyEmail(@Query() dto: VerifyEmailDto) {
+    return this.authService.verifyEmail(dto.token);
+  }
+
+  @Post('login')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: 'Iniciar sesión' })
+  async login(
+    @Body() dto: LoginDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const { user, accessToken, refreshToken } =
+      await this.authService.login(dto);
+    this.setTokenCookies(res, accessToken, refreshToken);
+    return user;
+  }
+
+  @Post('refresh')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: 'Renovar access token usando el refresh token' })
+  async refresh(
+    @Cookie('refresh_token') cookieToken: string | undefined,
+    @Body() dto: RefreshTokenDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const token = cookieToken ?? dto.refreshToken;
+    if (!token) {
+      throw new UnauthorizedException('Refresh token no encontrado.');
+    }
+    const tokens = await this.authService.refresh(token);
+    this.setTokenCookies(res, tokens.accessToken, tokens.refreshToken);
+    return { message: 'Token refreshed' };
+  }
+
+  @Post('logout')
+  @HttpCode(HttpStatus.OK)
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Cerrar sesión' })
+  async logout(
+    @CurrentUser() user: TokenPayload,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    await this.authService.logout(user.userId);
+    this.clearTokenCookies(res);
+    return { message: 'Logged out' };
+  }
+
+  @Post('forgot-password')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: 'Solicitar restablecimiento de contraseña' })
+  forgotPassword(@Body() dto: ForgotPasswordDto) {
+    return this.authService.forgotPassword(dto);
+  }
+
+  @Post('reset-password')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: 'Restablecer contraseña con token del email' })
+  resetPassword(@Body() dto: ResetPasswordDto) {
+    return this.authService.resetPassword(dto);
+  }
+
+  @Get('me')
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Obtener perfil del usuario autenticado' })
+  getMe(@CurrentUser() user: TokenPayload) {
+    return this.authService.getMe(user.userId);
+  }
+
+  // ─── Private helpers ────────────────────────────────────────────────────────
+
+  private setTokenCookies(
+    res: Response,
+    accessToken: string,
+    refreshToken: string,
+  ): void {
+    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
+    const base = {
+      httpOnly: true,
+      secure: isProd,
+      sameSite: 'lax' as const,
+    };
+
+    res.cookie('access_token', accessToken, {
+      ...base,
+      maxAge: 15 * 60 * 1000,
+    });
+
+    res.cookie('refresh_token', refreshToken, {
+      ...base,
+      path: this.refreshCookiePath,
+      maxAge: 7 * 24 * 60 * 60 * 1000,
+    });
+  }
+
+  private clearTokenCookies(res: Response): void {
+    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
+    const base = {
+      httpOnly: true,
+      secure: isProd,
+      sameSite: 'lax' as const,
+    };
+
+    res.clearCookie('access_token', base);
+    res.clearCookie('refresh_token', {
+      ...base,
+      path: this.refreshCookiePath,
+    });
+  }
+}

package/templates/backend/src/modules/auth/auth.module.ts

@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import { UsersModule } from '../users/users.module';
+import { WorkspacesModule } from '../workspaces/workspaces.module';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { JwtStrategy } from './strategies/jwt.strategy';
+
+@Module({
+  imports: [
+    PassportModule,
+    JwtModule.register({}),
+    UsersModule,
+    WorkspacesModule,
+  ],
+  controllers: [AuthController],
+  providers: [AuthService, JwtStrategy],
+})
+export class AuthModule {}

package/templates/backend/src/modules/auth/auth.service.ts

@@ -0,0 +1,257 @@
+import {
+  BadRequestException,
+  Injectable,
+  InternalServerErrorException,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { JwtService } from '@nestjs/jwt';
+import * as crypto from 'crypto';
+import * as bcrypt from 'bcryptjs';
+import type { StringValue } from 'ms';
+import { MailService } from '../mail/mail.service';
+import { UsersService } from '../users/users.service';
+import { UserDocument } from '../users/schemas/user.schema';
+import { WorkspacesService } from '../workspaces/workspaces.service';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { LoginDto } from './dto/login.dto';
+import { RegisterDto } from './dto/register.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+
+interface TokenPair {
+  accessToken: string;
+  refreshToken: string;
+}
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private readonly usersService: UsersService,
+    private readonly workspacesService: WorkspacesService,
+    private readonly mailService: MailService,
+    private readonly jwtService: JwtService,
+    private readonly configService: ConfigService,
+  ) {}
+
+  // ─── Register ──────────────────────────────────────────────────────────────
+
+  async register(dto: RegisterDto): Promise<{ message: string }> {
+    // 1. Create workspace with placeholder ownerId (user doesn't exist yet)
+    const workspace = await this.workspacesService.create('pending', dto.name);
+    const workspaceId = String(workspace._id);
+
+    // 2. Create user linked to the workspace
+    const user = await this.usersService.create({
+      name: dto.name,
+      email: dto.email,
+      password: dto.password,
+      workspaceId,
+    });
+    const userId = String(user._id);
+
+    // 3. Set the real ownerId on the workspace
+    await this.workspacesService.update(workspaceId, { ownerId: userId });
+
+    // 4. Generate email verification token (expires in 24h)
+    const token = this.generateSecureToken();
+    const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000);
+    await this.usersService.setEmailVerificationToken(userId, token, expiresAt);
+
+    // 5. Send verification email
+    await this.mailService.sendVerificationEmail(dto.email, dto.name, token);
+
+    return { message: 'Verification email sent' };
+  }
+
+  // ─── Verify Email ───────────────────────────────────────────────────────────
+
+  async verifyEmail(token: string): Promise<{ message: string }> {
+    const user = await this.usersService.findByVerificationToken(token);
+    if (!user) {
+      throw new BadRequestException('Token inválido o expirado.');
+    }
+    if (
+      user.emailVerificationTokenExpiresAt &&
+      user.emailVerificationTokenExpiresAt < new Date()
+    ) {
+      throw new BadRequestException(
+        'El enlace de verificación expiró. Solicitá uno nuevo.',
+      );
+    }
+    await this.usersService.markEmailVerified(String(user._id));
+    return { message: 'Email verified' };
+  }
+
+  // ─── Login ──────────────────────────────────────────────────────────────────
+
+  async login(
+    dto: LoginDto,
+  ): Promise<{ user: UserDocument } & TokenPair> {
+    const user = await this.usersService.findByEmail(dto.email);
+    if (!user?.password) {
+      throw new UnauthorizedException('Email o contraseña incorrectos.');
+    }
+
+    const valid = await bcrypt.compare(dto.password, user.password);
+    if (!valid) {
+      throw new UnauthorizedException('Email o contraseña incorrectos.');
+    }
+
+    if (!user.emailVerified) {
+      throw new UnauthorizedException(
+        'Por favor verificá tu email antes de ingresar.',
+      );
+    }
+
+    const userId = String(user._id);
+    const tokens = await this.generateTokens(
+      userId,
+      user.email,
+      user.workspaceId,
+      user.role,
+    );
+
+    await Promise.all([
+      this.usersService.updateRefreshToken(userId, tokens.refreshToken),
+      this.usersService.updateLastLoginAt(userId),
+    ]);
+
+    // Re-fetch without secrets for the response
+    const cleanUser = await this.usersService.findById(userId);
+    if (!cleanUser) {
+      throw new InternalServerErrorException('Error al obtener el usuario.');
+    }
+
+    return { user: cleanUser, ...tokens };
+  }
+
+  // ─── Refresh Token ──────────────────────────────────────────────────────────
+
+  async refresh(token: string): Promise<TokenPair> {
+    let payload: { sub: string };
+    try {
+      payload = await this.jwtService.verifyAsync<{ sub: string }>(token, {
+        secret: this.configService.getOrThrow<string>('JWT_REFRESH_SECRET'),
+      });
+    } catch {
+      throw new UnauthorizedException('Refresh token inválido.');
+    }
+
+    const user = await this.usersService.validateRefreshToken(
+      payload.sub,
+      token,
+    );
+    if (!user) {
+      throw new UnauthorizedException('Refresh token inválido.');
+    }
+
+    const userId = String(user._id);
+    const tokens = await this.generateTokens(
+      userId,
+      user.email,
+      user.workspaceId,
+      user.role,
+    );
+
+    await this.usersService.updateRefreshToken(userId, tokens.refreshToken);
+    return tokens;
+  }
+
+  // ─── Logout ─────────────────────────────────────────────────────────────────
+
+  async logout(userId: string): Promise<void> {
+    await this.usersService.updateRefreshToken(userId, null);
+  }
+
+  // ─── Forgot Password ────────────────────────────────────────────────────────
+
+  async forgotPassword(
+    dto: ForgotPasswordDto,
+  ): Promise<{ message: string }> {
+    const user = await this.usersService.findByEmail(dto.email);
+
+    // Always return the same response to avoid leaking email existence
+    if (user?.emailVerified) {
+      const token = this.generateSecureToken();
+      const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
+      await this.usersService.setPasswordResetToken(
+        String(user._id),
+        token,
+        expiresAt,
+      );
+      await this.mailService.sendPasswordResetEmail(
+        dto.email,
+        user.name,
+        token,
+      );
+    }
+
+    return { message: 'Reset email sent' };
+  }
+
+  // ─── Reset Password ─────────────────────────────────────────────────────────
+
+  async resetPassword(dto: ResetPasswordDto): Promise<{ message: string }> {
+    const user = await this.usersService.findByPasswordResetToken(dto.token);
+    if (!user) {
+      throw new BadRequestException('Token inválido o expirado.');
+    }
+    if (
+      user.passwordResetTokenExpiresAt &&
+      user.passwordResetTokenExpiresAt < new Date()
+    ) {
+      throw new BadRequestException(
+        'El enlace de restablecimiento expiró. Solicitá uno nuevo.',
+      );
+    }
+
+    await this.usersService.updatePassword(String(user._id), dto.newPassword);
+    return { message: 'Password reset successful' };
+  }
+
+  // ─── Get Me ─────────────────────────────────────────────────────────────────
+
+  async getMe(userId: string): Promise<UserDocument> {
+    const user = await this.usersService.findById(userId);
+    if (!user) {
+      throw new UnauthorizedException('Usuario no encontrado.');
+    }
+    return user;
+  }
+
+  // ─── Private helpers ────────────────────────────────────────────────────────
+
+  private generateSecureToken(): string {
+    return crypto.randomBytes(32).toString('hex');
+  }
+
+  private async generateTokens(
+    userId: string,
+    email: string,
+    workspaceId: string,
+    role: string,
+  ): Promise<TokenPair> {
+    const accessPayload = { sub: userId, email, workspaceId, role };
+    const refreshPayload = { sub: userId };
+
+    const accessExpiresIn = (
+      this.configService.get<string>('JWT_ACCESS_EXPIRES_IN') ?? '15m'
+    ) as StringValue;
+    const refreshExpiresIn = (
+      this.configService.get<string>('JWT_REFRESH_EXPIRES_IN') ?? '7d'
+    ) as StringValue;
+
+    const [accessToken, refreshToken] = await Promise.all([
+      this.jwtService.signAsync(accessPayload, {
+        secret: this.configService.getOrThrow<string>('JWT_ACCESS_SECRET'),
+        expiresIn: accessExpiresIn,
+      }),
+      this.jwtService.signAsync(refreshPayload, {
+        secret: this.configService.getOrThrow<string>('JWT_REFRESH_SECRET'),
+        expiresIn: refreshExpiresIn,
+      }),
+    ]);
+
+    return { accessToken, refreshToken };
+  }
+}

package/templates/backend/src/modules/auth/dto/forgot-password.dto.ts

@@ -0,0 +1,9 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsEmail, IsNotEmpty } from 'class-validator';
+
+export class ForgotPasswordDto {
+  @ApiProperty({ example: 'juan@example.com' })
+  @IsEmail({}, { message: 'El email no tiene un formato válido' })
+  @IsNotEmpty({ message: 'El email es obligatorio' })
+  email!: string;
+}

package/templates/backend/src/modules/auth/dto/login.dto.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
+
+export class LoginDto {
+  @ApiProperty({ example: 'juan@example.com' })
+  @IsEmail({}, { message: 'El email no tiene un formato válido' })
+  @IsNotEmpty({ message: 'El email es obligatorio' })
+  email!: string;
+
+  @ApiProperty()
+  @IsString({ message: 'La contraseña debe ser texto' })
+  @IsNotEmpty({ message: 'La contraseña es obligatoria' })
+  password!: string;
+}

package/templates/backend/src/modules/auth/dto/refresh-token.dto.ts

@@ -0,0 +1,12 @@
+import { ApiPropertyOptional } from '@nestjs/swagger';
+import { IsOptional, IsString } from 'class-validator';
+
+export class RefreshTokenDto {
+  @ApiPropertyOptional({
+    description:
+      'Refresh token (opcional — se lee de la cookie refresh_token si no se provee)',
+  })
+  @IsString({ message: 'El token debe ser texto' })
+  @IsOptional()
+  refreshToken?: string;
+}

package/templates/backend/src/modules/auth/dto/register.dto.ts

@@ -0,0 +1,26 @@
+import { ApiProperty } from '@nestjs/swagger';
+import {
+  IsEmail,
+  IsNotEmpty,
+  IsString,
+  MaxLength,
+  MinLength,
+} from 'class-validator';
+
+export class RegisterDto {
+  @ApiProperty({ example: 'Juan Pérez', maxLength: 80 })
+  @IsString({ message: 'El nombre debe ser texto' })
+  @IsNotEmpty({ message: 'El nombre es obligatorio' })
+  @MaxLength(80, { message: 'El nombre no puede superar 80 caracteres' })
+  name!: string;
+
+  @ApiProperty({ example: 'juan@example.com' })
+  @IsEmail({}, { message: 'El email no tiene un formato válido' })
+  @IsNotEmpty({ message: 'El email es obligatorio' })
+  email!: string;
+
+  @ApiProperty({ minLength: 8 })
+  @IsString({ message: 'La contraseña debe ser texto' })
+  @MinLength(8, { message: 'La contraseña debe tener al menos 8 caracteres' })
+  password!: string;
+}

package/templates/backend/src/modules/auth/dto/reset-password.dto.ts

@@ -0,0 +1,16 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString, MinLength } from 'class-validator';
+
+export class ResetPasswordDto {
+  @ApiProperty({ description: 'Token de reset recibido por email' })
+  @IsString({ message: 'El token debe ser texto' })
+  @IsNotEmpty({ message: 'El token es obligatorio' })
+  token!: string;
+
+  @ApiProperty({ minLength: 8 })
+  @IsString({ message: 'La nueva contraseña debe ser texto' })
+  @MinLength(8, {
+    message: 'La nueva contraseña debe tener al menos 8 caracteres',
+  })
+  newPassword!: string;
+}

package/templates/backend/src/modules/auth/dto/verify-email.dto.ts

@@ -0,0 +1,9 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class VerifyEmailDto {
+  @ApiProperty({ description: 'Token de verificación recibido por email' })
+  @IsString({ message: 'El token debe ser texto' })
+  @IsNotEmpty({ message: 'El token es obligatorio' })
+  token!: string;
+}

package/templates/backend/src/modules/auth/strategies/jwt.strategy.ts

@@ -0,0 +1,43 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { PassportStrategy } from '@nestjs/passport';
+import { Request } from 'express';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+
+export interface JwtPayload {
+  sub: string;
+  email: string;
+  workspaceId: string;
+  role: string;
+}
+
+export interface TokenUser {
+  userId: string;
+  email: string;
+  workspaceId: string;
+  role: string;
+}
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(configService: ConfigService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        (req: Request): string | null =>
+          (req?.cookies as Record<string, string>)?.access_token ?? null,
+        ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ]),
+      ignoreExpiration: false,
+      secretOrKey: configService.getOrThrow<string>('JWT_ACCESS_SECRET'),
+    });
+  }
+
+  validate(payload: JwtPayload): TokenUser {
+    return {
+      userId: payload.sub,
+      email: payload.email,
+      workspaceId: payload.workspaceId,
+      role: payload.role,
+    };
+  }
+}

package/templates/backend/src/modules/mail/mail.module.ts

@@ -0,0 +1,9 @@
+import { Global, Module } from '@nestjs/common';
+import { MailService } from './mail.service';
+
+@Global()
+@Module({
+  providers: [MailService],
+  exports: [MailService],
+})
+export class MailModule {}