create-blitzpack 0.1.0

package/template/apps/api/package.json

@@ -0,0 +1,84 @@
+{
+  "name": "@repo/api",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "tsx watch --clear-screen=false --ignore '../../packages/**' --ignore '**/node_modules/**' src/server.ts",
+    "build": "tsc && tsc-alias -p tsconfig.json --resolve-full-paths",
+    "start": "node dist/src/server.js",
+    "start:dev": "tsx src/server.ts",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint \"src/**/*.ts\"",
+    "lint:fix": "eslint \"src/**/*.ts\" --fix",
+    "test": "vitest run",
+    "test:unit": "vitest run src/",
+    "test:integration": "vitest run test/integration/",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "email:dev": "email dev --dir emails --port 3001",
+    "db:generate": "prisma generate",
+    "db:migrate": "prisma migrate dev",
+    "db:push": "prisma db push",
+    "db:studio": "prisma studio",
+    "db:seed": "tsx prisma/seed.ts",
+    "db:reset": "prisma migrate reset --force --skip-seed",
+    "db:reset:seed": "prisma migrate reset --force"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.934.0",
+    "@fastify/cookie": "^11.0.1",
+    "@fastify/cors": "^10.0.1",
+    "@fastify/formbody": "^8.0.1",
+    "@fastify/helmet": "^12.0.1",
+    "@fastify/multipart": "^9.3.0",
+    "@fastify/rate-limit": "^10.1.1",
+    "@fastify/schedule": "^5.0.2",
+    "@fastify/static": "^8.3.0",
+    "@fastify/swagger": "^9.3.0",
+    "@fastify/swagger-ui": "^5.0.1",
+    "@prisma/adapter-pg": "^7.0.1",
+    "@prisma/client": "7.0.1",
+    "@react-email/components": "^1.0.1",
+    "@react-email/preview-server": "^5.0.4",
+    "@repo/packages-types": "workspace:*",
+    "@scalar/fastify-api-reference": "^1.39.3",
+    "bcryptjs": "^3.0.2",
+    "better-auth": "^1.3.27",
+    "close-with-grace": "^2.1.0",
+    "dotenv-flow": "^4.1.0",
+    "fastify": "^5.2.0",
+    "fastify-plugin": "^5.0.1",
+    "fastify-type-provider-zod": "^5.0.1",
+    "pg": "^8.16.3",
+    "pino": "^10.0.0",
+    "pino-pretty": "^13.1.2",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "react-email": "^5.0.4",
+    "resend": "^6.5.0",
+    "sharp": "^0.34.5",
+    "toad-scheduler": "^3.1.0",
+    "zod": "^4.1.12"
+  },
+  "devDependencies": {
+    "@repo/packages-utils": "workspace:*",
+    "@types/bcryptjs": "^3.0.0",
+    "@types/node": "^24.7.1",
+    "@types/pg": "^8.15.6",
+    "@types/react": "^19.0.6",
+    "@types/react-dom": "^19.0.2",
+    "@typescript-eslint/eslint-plugin": "^8.20.0",
+    "@typescript-eslint/parser": "^8.20.0",
+    "dotenv": "^17.2.3",
+    "dotenv-cli": "^10.0.0",
+    "eslint": "^9.18.0",
+    "eslint-config-prettier": "^10.1.8",
+    "prisma": "7.0.1",
+    "tsc-alias": "^1.8.16",
+    "tsx": "^4.20.6",
+    "typescript": "^5.7.2",
+    "vite-tsconfig-paths": "^5.1.4",
+    "vitest": "^3.2.4"
+  }
+}

package/template/apps/api/prisma/migrations/20251012111439_init/migration.sql

@@ -0,0 +1,13 @@
+-- CreateTable
+CREATE TABLE "users" (
+    "id" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "name" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "users_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_email_key" ON "users"("email");

package/template/apps/api/prisma/migrations/20251018162629_add_better_auth_fields/migration.sql

@@ -0,0 +1,67 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "emailVerified" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "image" TEXT;
+
+-- CreateTable
+CREATE TABLE "sessions" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "token" TEXT NOT NULL,
+    "ipAddress" TEXT,
+    "userAgent" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "sessions_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "accounts" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "accountId" TEXT NOT NULL,
+    "providerId" TEXT NOT NULL,
+    "accessToken" TEXT,
+    "refreshToken" TEXT,
+    "idToken" TEXT,
+    "expiresAt" TIMESTAMP(3),
+    "password" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "accounts_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "verifications" (
+    "id" TEXT NOT NULL,
+    "identifier" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "verifications_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "sessions_token_key" ON "sessions"("token");
+
+-- CreateIndex
+CREATE INDEX "sessions_userId_idx" ON "sessions"("userId");
+
+-- CreateIndex
+CREATE INDEX "accounts_userId_idx" ON "accounts"("userId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "accounts_providerId_accountId_key" ON "accounts"("providerId", "accountId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "verifications_identifier_value_key" ON "verifications"("identifier", "value");
+
+-- AddForeignKey
+ALTER TABLE "sessions" ADD CONSTRAINT "sessions_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "accounts" ADD CONSTRAINT "accounts_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

package/template/apps/api/prisma/migrations/20251019142208_add_user_role_enum/migration.sql

@@ -0,0 +1,5 @@
+-- CreateEnum
+CREATE TYPE "Role" AS ENUM ('user', 'admin', 'super_admin');
+
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "role" "Role" NOT NULL DEFAULT 'user';

package/template/apps/api/prisma/migrations/20251019182151_user_auth/migration.sql

@@ -0,0 +1,7 @@
+-- AlterTable
+ALTER TABLE "sessions" ADD COLUMN     "impersonatedBy" TEXT;
+
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "banExpires" TIMESTAMP(3),
+ADD COLUMN     "banReason" TEXT,
+ADD COLUMN     "banned" BOOLEAN NOT NULL DEFAULT false;

package/template/apps/api/prisma/migrations/20251019211416_faster_session_lookup/migration.sql

@@ -0,0 +1,2 @@
+-- CreateIndex
+CREATE INDEX "sessions_expiresAt_idx" ON "sessions"("expiresAt");

package/template/apps/api/prisma/migrations/20251119124337_add_upload_model/migration.sql

@@ -0,0 +1,26 @@
+-- CreateTable
+CREATE TABLE "uploads" (
+    "id" TEXT NOT NULL,
+    "filename" TEXT NOT NULL,
+    "originalName" TEXT NOT NULL,
+    "mimeType" TEXT NOT NULL,
+    "size" INTEGER NOT NULL,
+    "url" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "uploads_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "uploads_filename_key" ON "uploads"("filename");
+
+-- CreateIndex
+CREATE INDEX "uploads_userId_idx" ON "uploads"("userId");
+
+-- CreateIndex
+CREATE INDEX "uploads_createdAt_idx" ON "uploads"("createdAt");
+
+-- AddForeignKey
+ALTER TABLE "uploads" ADD CONSTRAINT "uploads_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

package/template/apps/api/prisma/migrations/20251120071241_add_scope_to_account/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "accounts" ADD COLUMN     "scope" TEXT;

package/template/apps/api/prisma/migrations/20251120072608_add_oauth_token_expiration_fields/migration.sql

@@ -0,0 +1,10 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `expiresAt` on the `accounts` table. All the data in the column will be lost.
+
+*/
+-- AlterTable
+ALTER TABLE "accounts" DROP COLUMN "expiresAt",
+ADD COLUMN     "accessTokenExpiresAt" TIMESTAMP(3),
+ADD COLUMN     "refreshTokenExpiresAt" TIMESTAMP(3);

package/template/apps/api/prisma/migrations/20251120144705_add_audit_logs/migration.sql

@@ -0,0 +1,29 @@
+-- CreateTable
+CREATE TABLE "audit_logs" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "action" TEXT NOT NULL,
+    "resourceType" TEXT NOT NULL,
+    "resourceId" TEXT,
+    "changes" JSONB,
+    "ipAddress" TEXT,
+    "userAgent" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "audit_logs_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "audit_logs_userId_idx" ON "audit_logs"("userId");
+
+-- CreateIndex
+CREATE INDEX "audit_logs_action_idx" ON "audit_logs"("action");
+
+-- CreateIndex
+CREATE INDEX "audit_logs_createdAt_idx" ON "audit_logs"("createdAt");
+
+-- CreateIndex
+CREATE INDEX "audit_logs_resourceType_idx" ON "audit_logs"("resourceType");
+
+-- AddForeignKey
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

package/template/apps/api/prisma/migrations/20251127123614_remove_impersonated_by/migration.sql

@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `impersonatedBy` on the `sessions` table. All the data in the column will be lost.
+
+*/
+-- AlterTable
+ALTER TABLE "sessions" DROP COLUMN "impersonatedBy";

package/template/apps/api/prisma/migrations/20251127125630_remove_audit_logs/migration.sql

@@ -0,0 +1,11 @@
+/*
+  Warnings:
+
+  - You are about to drop the `audit_logs` table. If the table is not empty, all the data it contains will be lost.
+
+*/
+-- DropForeignKey
+ALTER TABLE "audit_logs" DROP CONSTRAINT "audit_logs_userId_fkey";
+
+-- DropTable
+DROP TABLE "audit_logs";

package/template/apps/api/prisma/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (e.g., Git)
+provider = "postgresql"

package/template/apps/api/prisma/schema.prisma

@@ -0,0 +1,116 @@
+// This is your Prisma schema file,
+// learn more about it in the docs: https://pris.ly/d/prisma-schema
+
+generator client {
+  provider = "prisma-client"
+  output   = "../src/generated/client"
+}
+
+datasource db {
+  provider = "postgresql"
+}
+
+// Role enum for user permissions
+enum Role {
+  user
+  admin
+  super_admin
+}
+
+// User model with better-auth support
+model User {
+  id            String    @id @default(cuid())
+  email         String    @unique
+  emailVerified Boolean   @default(false)
+  name          String?
+  image         String?
+  role          Role      @default(user)
+  banned        Boolean   @default(false)
+  banReason     String?
+  banExpires    DateTime?
+  createdAt     DateTime  @default(now())
+  updatedAt     DateTime  @updatedAt
+
+  sessions      Session[]
+  accounts      Account[]
+  uploads       Upload[]
+
+  @@map("users")
+}
+
+// Session model for better-auth
+model Session {
+  id             String   @id @default(cuid())
+  userId         String
+  expiresAt      DateTime
+  token          String   @unique
+  ipAddress      String?
+  userAgent      String?
+  createdAt      DateTime @default(now())
+  updatedAt      DateTime @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([expiresAt])
+  @@map("sessions")
+}
+
+// Account model for OAuth providers
+// IMPORTANT: This schema MUST match Better Auth's expected fields exactly
+// Do NOT modify field names without checking Better Auth documentation
+// https://www.better-auth.com/docs/concepts/database#account-model
+model Account {
+  id                     String    @id @default(cuid())
+  userId                 String
+  accountId              String
+  providerId             String
+  accessToken            String?
+  refreshToken           String?
+  idToken                String?
+  accessTokenExpiresAt   DateTime? // OAuth access token expiration
+  refreshTokenExpiresAt  DateTime? // OAuth refresh token expiration
+  scope                  String?   // OAuth scopes granted
+  password               String?   // For credential provider (email/password)
+  createdAt              DateTime  @default(now())
+  updatedAt              DateTime  @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([providerId, accountId])
+  @@index([userId])
+  @@map("accounts")
+}
+
+// Verification model for email verification and password reset
+model Verification {
+  id         String   @id @default(cuid())
+  identifier String
+  value      String
+  expiresAt  DateTime
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
+
+  @@unique([identifier, value])
+  @@map("verifications")
+}
+
+// Upload model for file tracking
+model Upload {
+  id           String   @id @default(cuid())
+  filename     String   @unique // stored filename (unique)
+  originalName String // user's original filename
+  mimeType     String
+  size         Int // bytes
+  url          String // public URL
+  userId       String
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([createdAt])
+  @@map("uploads")
+}
+

package/template/apps/api/prisma/seed.ts

@@ -0,0 +1,159 @@
+import 'dotenv-flow/config';
+
+import { PrismaPg } from '@prisma/adapter-pg';
+import { betterAuth } from 'better-auth';
+import { prismaAdapter } from 'better-auth/adapters/prisma';
+import { admin } from 'better-auth/plugins';
+import { Pool } from 'pg';
+
+import { PrismaClient, Role } from '../src/generated/client/client.js';
+
+const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+const adapter = new PrismaPg(pool);
+const prisma = new PrismaClient({ adapter });
+
+const auth = betterAuth({
+  database: prismaAdapter(prisma, {
+    provider: 'postgresql',
+  }),
+  baseURL: 'http://localhost:8080',
+  secret: 'temp-seed-secret',
+  emailAndPassword: {
+    enabled: true,
+  },
+  plugins: [
+    admin({
+      defaultRole: 'user',
+      adminRoles: ['admin', 'super_admin'],
+    }),
+  ],
+});
+
+async function main() {
+  console.log('🌱 Seeding database...');
+
+  // SAFETY: Block seeding in production
+  if (process.env.NODE_ENV === 'production') {
+    console.error('❌ SAFETY ERROR: Seed script is blocked in production!');
+    console.error(
+      '   Test accounts with weak passwords should NEVER be created in production.'
+    );
+    console.error(
+      '   If you need to seed production data, create a separate seed-prod.ts file.'
+    );
+    process.exit(1);
+  }
+
+  console.log(`📍 Environment: ${process.env.NODE_ENV || 'development'}`);
+
+  // Delete all existing test accounts first
+  await prisma.account.deleteMany({
+    where: {
+      providerId: 'credential',
+      accountId: {
+        in: [
+          'admin@example.com',
+          'alice@example.com',
+          'bob@example.com',
+          'charlie@example.com',
+        ],
+      },
+    },
+  });
+
+  await prisma.user.deleteMany({
+    where: {
+      email: {
+        in: [
+          'admin@example.com',
+          'alice@example.com',
+          'bob@example.com',
+          'charlie@example.com',
+        ],
+      },
+    },
+  });
+
+  console.log('🗑️  Cleaned up existing test accounts');
+
+  const usersData = [
+    {
+      email: 'admin@example.com',
+      name: 'Super Admin',
+      password: 'Admin@123456',
+      role: Role.super_admin,
+      emailVerified: true,
+    },
+    {
+      email: 'alice@example.com',
+      name: 'Alice Johnson',
+      password: 'Alice@123456',
+      role: Role.user,
+      emailVerified: false,
+    },
+    {
+      email: 'bob@example.com',
+      name: 'Bob Smith',
+      password: 'Bob@123456',
+      role: Role.admin,
+      emailVerified: false,
+    },
+    {
+      email: 'charlie@example.com',
+      name: 'Charlie Davis',
+      password: 'Charlie@123456',
+      role: Role.user,
+      emailVerified: false,
+    },
+  ];
+
+  for (const userData of usersData) {
+    // Create user with Better Auth (this handles password hashing correctly)
+    const response = await auth.api.signUpEmail({
+      body: {
+        email: userData.email,
+        password: userData.password,
+        name: userData.name,
+      },
+    });
+
+    if (!response || !response.user) {
+      console.error(`❌ Failed to create user: ${userData.email}`);
+      continue;
+    }
+
+    // Update user role and email verification status
+    await prisma.user.update({
+      where: { id: response.user.id },
+      data: {
+        role: userData.role,
+        emailVerified: userData.emailVerified,
+      },
+    });
+
+    console.log(
+      `✅ Created: ${userData.email} (${userData.role}) - emailVerified: ${userData.emailVerified}`
+    );
+  }
+
+  console.log('');
+  console.log('✅ Database seeded successfully!');
+  console.log('');
+  console.log('Test accounts:');
+  console.log('  admin@example.com / Admin@123456 (super_admin)');
+  console.log('  alice@example.com / Alice@123456 (user)');
+  console.log('  bob@example.com / Bob@123456 (admin)');
+  console.log('  charlie@example.com / Charlie@123456 (user)');
+  console.log('');
+  console.log('⚠️  IMPORTANT: Change passwords after first login!');
+}
+
+main()
+  .catch((e) => {
+    console.error('❌ Seed failed:', e);
+    process.exit(1);
+  })
+  .finally(async () => {
+    await prisma.$disconnect();
+    await pool.end();
+  });

package/template/apps/api/prisma.config.ts

@@ -0,0 +1,14 @@
+import 'dotenv-flow/config';
+
+import { defineConfig, env } from 'prisma/config';
+
+export default defineConfig({
+  schema: 'prisma/schema.prisma',
+  migrations: {
+    path: 'prisma/migrations',
+    seed: 'tsx prisma/seed.ts',
+  },
+  datasource: {
+    url: env('DATABASE_URL'),
+  },
+});