ar-saas 0.3.2 → 0.4.0

package/templates/backend/src/modules/auth/auth.controller.ts

@@ -1,158 +1,162 @@
-import {
-  Body,
-  Controller,
-  Get,
-  HttpCode,
-  HttpStatus,
-  Post,
-  Query,
-  Res,
-  UnauthorizedException,
-  UseGuards,
-} from '@nestjs/common';
-import { ConfigService } from '@nestjs/config';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
-import type { Response } from 'express';
-import { CurrentUser } from '../../common/decorators/current-user.decorator';
-import type { TokenPayload } from '../../common/decorators/current-user.decorator';
-import { Cookie } from '../../common/decorators/cookie.decorator';
-import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
-import { AuthService } from './auth.service';
-import { ForgotPasswordDto } from './dto/forgot-password.dto';
-import { LoginDto } from './dto/login.dto';
-import { RefreshTokenDto } from './dto/refresh-token.dto';
-import { RegisterDto } from './dto/register.dto';
-import { ResetPasswordDto } from './dto/reset-password.dto';
-import { VerifyEmailDto } from './dto/verify-email.dto';
-
-@ApiTags('Auth')
-@Controller('auth')
-export class AuthController {
-  private readonly refreshCookiePath: string;
-
-  constructor(
-    private readonly authService: AuthService,
-    private readonly configService: ConfigService,
-  ) {
-    const prefix = this.configService.get<string>('API_PREFIX', 'api');
-    this.refreshCookiePath = `/${prefix}/auth/refresh`;
-  }
-
-  @Post('register')
-  @HttpCode(HttpStatus.CREATED)
-  @ApiOperation({ summary: 'Registrar nuevo usuario y workspace' })
-  register(@Body() dto: RegisterDto) {
-    return this.authService.register(dto);
-  }
-
-  @Get('verify-email')
-  @ApiOperation({ summary: 'Verificar email con token' })
-  verifyEmail(@Query() dto: VerifyEmailDto) {
-    return this.authService.verifyEmail(dto.token);
-  }
-
-  @Post('login')
-  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'Iniciar sesión' })
-  async login(
-    @Body() dto: LoginDto,
-    @Res({ passthrough: true }) res: Response,
-  ) {
-    const { user, accessToken, refreshToken } =
-      await this.authService.login(dto);
-    this.setTokenCookies(res, accessToken, refreshToken);
-    return user;
-  }
-
-  @Post('refresh')
-  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'Renovar access token usando el refresh token' })
-  async refresh(
-    @Cookie('refresh_token') cookieToken: string | undefined,
-    @Body() dto: RefreshTokenDto,
-    @Res({ passthrough: true }) res: Response,
-  ) {
-    const token = cookieToken ?? dto.refreshToken;
-    if (!token) {
-      throw new UnauthorizedException('Refresh token no encontrado.');
-    }
-    const tokens = await this.authService.refresh(token);
-    this.setTokenCookies(res, tokens.accessToken, tokens.refreshToken);
-    return { message: 'Token refreshed' };
-  }
-
-  @Post('logout')
-  @HttpCode(HttpStatus.OK)
-  @UseGuards(JwtAuthGuard)
-  @ApiOperation({ summary: 'Cerrar sesión' })
-  async logout(
-    @CurrentUser() user: TokenPayload,
-    @Res({ passthrough: true }) res: Response,
-  ) {
-    await this.authService.logout(user.userId);
-    this.clearTokenCookies(res);
-    return { message: 'Logged out' };
-  }
-
-  @Post('forgot-password')
-  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'Solicitar restablecimiento de contraseña' })
-  forgotPassword(@Body() dto: ForgotPasswordDto) {
-    return this.authService.forgotPassword(dto);
-  }
-
-  @Post('reset-password')
-  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'Restablecer contraseña con token del email' })
-  resetPassword(@Body() dto: ResetPasswordDto) {
-    return this.authService.resetPassword(dto);
-  }
-
-  @Get('me')
-  @UseGuards(JwtAuthGuard)
-  @ApiOperation({ summary: 'Obtener perfil del usuario autenticado' })
-  getMe(@CurrentUser() user: TokenPayload) {
-    return this.authService.getMe(user.userId);
-  }
-
-  // ─── Private helpers ────────────────────────────────────────────────────────
-
-  private setTokenCookies(
-    res: Response,
-    accessToken: string,
-    refreshToken: string,
-  ): void {
-    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
-    const base = {
-      httpOnly: true,
-      secure: isProd,
-      sameSite: 'lax' as const,
-    };
-
-    res.cookie('access_token', accessToken, {
-      ...base,
-      maxAge: 15 * 60 * 1000,
-    });
-
-    res.cookie('refresh_token', refreshToken, {
-      ...base,
-      path: this.refreshCookiePath,
-      maxAge: 7 * 24 * 60 * 60 * 1000,
-    });
-  }
-
-  private clearTokenCookies(res: Response): void {
-    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
-    const base = {
-      httpOnly: true,
-      secure: isProd,
-      sameSite: 'lax' as const,
-    };
-
-    res.clearCookie('access_token', base);
-    res.clearCookie('refresh_token', {
-      ...base,
-      path: this.refreshCookiePath,
-    });
-  }
-}
+import {
+  Body,
+  Controller,
+  Get,
+  HttpCode,
+  HttpStatus,
+  Post,
+  Query,
+  Res,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { Throttle } from '@nestjs/throttler';
+import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import type { Response } from 'express';
+import { CurrentUser } from '../../common/decorators/current-user.decorator';
+import type { TokenPayload } from '../../common/decorators/current-user.decorator';
+import { Cookie } from '../../common/decorators/cookie.decorator';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthService } from './auth.service';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { LoginDto } from './dto/login.dto';
+import { RefreshTokenDto } from './dto/refresh-token.dto';
+import { RegisterDto } from './dto/register.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+import { VerifyEmailDto } from './dto/verify-email.dto';
+
+@ApiTags('Auth')
+@Controller('auth')
+export class AuthController {
+  private readonly refreshCookiePath: string;
+
+  constructor(
+    private readonly authService: AuthService,
+    private readonly configService: ConfigService,
+  ) {
+    const prefix = this.configService.get<string>('API_PREFIX', 'api');
+    this.refreshCookiePath = `/${prefix}/auth/refresh`;
+  }
+
+  @Post('register')
+  @HttpCode(HttpStatus.CREATED)
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
+  @ApiOperation({ summary: 'Registrar nuevo usuario y workspace' })
+  register(@Body() dto: RegisterDto) {
+    return this.authService.register(dto);
+  }
+
+  @Get('verify-email')
+  @ApiOperation({ summary: 'Verificar email con token' })
+  verifyEmail(@Query() dto: VerifyEmailDto) {
+    return this.authService.verifyEmail(dto.token);
+  }
+
+  @Post('login')
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
+  @ApiOperation({ summary: 'Iniciar sesión' })
+  async login(
+    @Body() dto: LoginDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const { user, accessToken, refreshToken } =
+      await this.authService.login(dto);
+    this.setTokenCookies(res, accessToken, refreshToken);
+    return user;
+  }
+
+  @Post('refresh')
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ default: { limit: 10, ttl: 60000 } })
+  @ApiOperation({ summary: 'Renovar access token usando el refresh token' })
+  async refresh(
+    @Cookie('refresh_token') cookieToken: string | undefined,
+    @Body() dto: RefreshTokenDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const token = cookieToken ?? dto.refreshToken;
+    if (!token) {
+      throw new UnauthorizedException('Refresh token no encontrado.');
+    }
+    const tokens = await this.authService.refresh(token);
+    this.setTokenCookies(res, tokens.accessToken, tokens.refreshToken);
+    return { message: 'Token refreshed' };
+  }
+
+  @Post('logout')
+  @HttpCode(HttpStatus.OK)
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Cerrar sesión' })
+  async logout(
+    @CurrentUser() user: TokenPayload,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    await this.authService.logout(user.userId);
+    this.clearTokenCookies(res);
+    return { message: 'Logged out' };
+  }
+
+  @Post('forgot-password')
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+  @ApiOperation({ summary: 'Solicitar restablecimiento de contraseña' })
+  forgotPassword(@Body() dto: ForgotPasswordDto) {
+    return this.authService.forgotPassword(dto);
+  }
+
+  @Post('reset-password')
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+  @ApiOperation({ summary: 'Restablecer contraseña con token del email' })
+  resetPassword(@Body() dto: ResetPasswordDto) {
+    return this.authService.resetPassword(dto);
+  }
+
+  @Get('me')
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: 'Obtener perfil del usuario autenticado' })
+  getMe(@CurrentUser() user: TokenPayload) {
+    return this.authService.getMe(user.userId);
+  }
+
+  private setTokenCookies(
+    res: Response,
+    accessToken: string,
+    refreshToken: string,
+  ): void {
+    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
+    const base = {
+      httpOnly: true,
+      secure: isProd,
+      sameSite: 'strict' as const,
+    };
+
+    res.cookie('access_token', accessToken, {
+      ...base,
+      maxAge: 15 * 60 * 1000,
+    });
+
+    res.cookie('refresh_token', refreshToken, {
+      ...base,
+      path: this.refreshCookiePath,
+      maxAge: 7 * 24 * 60 * 60 * 1000,
+    });
+  }
+
+  private clearTokenCookies(res: Response): void {
+    const isProd = this.configService.get<string>('NODE_ENV') === 'production';
+    const base = {
+      httpOnly: true,
+      secure: isProd,
+      sameSite: 'strict' as const,
+    };
+
+    res.clearCookie('access_token', base);
+    res.clearCookie('refresh_token', {
+      ...base,
+      path: this.refreshCookiePath,
+    });
+  }
+}