create-blitzpack 0.1.0

package/template/apps/api/src/routes/admin-sessions.ts

@@ -0,0 +1,92 @@
+import {
+  QuerySessionsSchema,
+  RevokeSessionParamsSchema,
+  RevokeUserSessionsParamsSchema,
+} from '@repo/packages-types/session';
+import type { FastifyPluginAsync } from 'fastify';
+import type { ZodTypeProvider } from 'fastify-type-provider-zod';
+import type { z } from 'zod';
+
+import { requireAuth, requireRole } from '@/hooks/auth';
+
+type RevokeSessionParams = z.infer<typeof RevokeSessionParamsSchema>;
+type RevokeUserSessionsParams = z.infer<typeof RevokeUserSessionsParamsSchema>;
+
+const adminSessionsRoutes: FastifyPluginAsync = async (app) => {
+  const server = app.withTypeProvider<ZodTypeProvider>();
+
+  server.get(
+    '/admin/sessions',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        querystring: QuerySessionsSchema,
+        description: 'Get paginated sessions with filtering (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async (request) => {
+      return app.sessionsService.getAdminSessions(request.query);
+    }
+  );
+
+  server.get(
+    '/admin/sessions/stats',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        description: 'Get session statistics (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async () => {
+      return app.sessionsService.getSessionStats();
+    }
+  );
+
+  server.delete<{ Params: RevokeSessionParams }>(
+    '/admin/sessions/:sessionId',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        params: RevokeSessionParamsSchema,
+        description: 'Force revoke a session (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async (request) => {
+      const { sessionId } = request.params;
+      await app.sessionsService.adminRevokeSession(
+        request.user!.id,
+        request.user!.role as 'user' | 'admin' | 'super_admin',
+        sessionId
+      );
+
+      return { message: 'Session revoked successfully' };
+    }
+  );
+
+  server.delete<{ Params: RevokeUserSessionsParams }>(
+    '/admin/sessions/user/:userId',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        params: RevokeUserSessionsParamsSchema,
+        description: 'Revoke all sessions for a user (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async (request) => {
+      const { userId } = request.params;
+      const count = await app.sessionsService.adminRevokeUserSessions(
+        request.user!.id,
+        request.user!.role as 'user' | 'admin' | 'super_admin',
+        userId
+      );
+
+      return { message: `Revoked ${count} session(s) for user` };
+    }
+  );
+};
+
+export default adminSessionsRoutes;

package/template/apps/api/src/routes/metrics.ts

@@ -0,0 +1,71 @@
+import type { FastifyPluginAsync } from 'fastify';
+
+import { requireAuth, requireRole } from '@/hooks/auth';
+import { metricsService } from '@/services/metrics.service';
+
+const metricsRoutes: FastifyPluginAsync = async (app) => {
+  app.get(
+    '/admin/metrics/stream',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        description: 'Stream real-time system metrics via SSE (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async (request, reply) => {
+      reply.raw.writeHead(200, {
+        'Content-Type': 'text/event-stream',
+        'Cache-Control': 'no-cache',
+        Connection: 'keep-alive',
+        'Access-Control-Allow-Origin': app.env.FRONTEND_URL,
+        'Access-Control-Allow-Credentials': 'true',
+      });
+
+      const history = metricsService.getHistory();
+      if (history.length > 0) {
+        reply.raw.write(`event: history\n`);
+        reply.raw.write(`data: ${JSON.stringify(history)}\n\n`);
+      }
+
+      const unsubscribe = metricsService.subscribe((metrics) => {
+        if (!reply.raw.destroyed) {
+          reply.raw.write(`event: metrics\n`);
+          reply.raw.write(`data: ${JSON.stringify(metrics)}\n\n`);
+        }
+      });
+
+      const heartbeatInterval = setInterval(() => {
+        if (!reply.raw.destroyed) {
+          reply.raw.write(`:heartbeat\n\n`);
+        }
+      }, 15000);
+
+      request.raw.on('close', () => {
+        unsubscribe();
+        clearInterval(heartbeatInterval);
+      });
+
+      return reply;
+    }
+  );
+
+  app.get(
+    '/admin/metrics/snapshot',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        description: 'Get current metrics snapshot (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async () => {
+      return {
+        current: metricsService.getLatest(),
+        history: metricsService.getHistory(),
+      };
+    }
+  );
+};
+
+export default metricsRoutes;

package/template/apps/api/src/routes/password.ts

@@ -0,0 +1,46 @@
+import { ValidationError } from '@repo/packages-utils/errors';
+import type { FastifyPluginAsync } from 'fastify';
+import { z } from 'zod';
+
+import { requireAuth } from '@/hooks/auth';
+
+const ChangePasswordSchema = z.object({
+  currentPassword: z.string().min(8, 'Password must be at least 8 characters'),
+  newPassword: z.string().min(8, 'Password must be at least 8 characters'),
+});
+
+const passwordRoutes: FastifyPluginAsync = async (app) => {
+  app.post<{
+    Body: z.infer<typeof ChangePasswordSchema>;
+  }>(
+    '/password/change',
+    {
+      preHandler: requireAuth,
+      schema: {
+        body: ChangePasswordSchema,
+      },
+    },
+    async (request) => {
+      const { currentPassword, newPassword } = request.body;
+
+      if (currentPassword === newPassword) {
+        throw new ValidationError(
+          'New password must be different from current password'
+        );
+      }
+
+      await app.passwordService.changePassword(
+        request.user!.id,
+        currentPassword,
+        newPassword
+      );
+
+      return {
+        message:
+          'Password changed successfully. All other sessions have been revoked.',
+      };
+    }
+  );
+};
+
+export default passwordRoutes;

package/template/apps/api/src/routes/sessions.ts

@@ -0,0 +1,53 @@
+import type { FastifyPluginAsync } from 'fastify';
+
+import { requireAuth } from '@/hooks/auth';
+
+const sessionsRoutes: FastifyPluginAsync = async (app) => {
+  app.get(
+    '/sessions',
+    {
+      preHandler: requireAuth,
+    },
+    async (request) => {
+      const sessions = await app.sessionsService.getUserSessions(
+        request.user!.id
+      );
+      return { data: sessions };
+    }
+  );
+
+  app.delete<{
+    Params: { sessionId: string };
+  }>(
+    '/sessions/:sessionId',
+    {
+      preHandler: requireAuth,
+    },
+    async (request) => {
+      await app.sessionsService.revokeSession(
+        request.user!.id,
+        request.params.sessionId
+      );
+
+      return { message: 'Session revoked successfully' };
+    }
+  );
+
+  app.delete(
+    '/sessions',
+    {
+      preHandler: requireAuth,
+    },
+    async (request) => {
+      const currentSessionId = request.user?.session?.id;
+      await app.sessionsService.revokeAllSessions(
+        request.user!.id,
+        currentSessionId
+      );
+
+      return { message: 'All other sessions revoked successfully' };
+    }
+  );
+};
+
+export default sessionsRoutes;

package/template/apps/api/src/routes/stats.ts

@@ -0,0 +1,38 @@
+import type { FastifyPluginAsync } from 'fastify';
+import type { ZodTypeProvider } from 'fastify-type-provider-zod';
+
+import { requireAuth, requireRole } from '@/hooks/auth';
+
+const statsRoutes: FastifyPluginAsync = async (app) => {
+  const server = app.withTypeProvider<ZodTypeProvider>();
+
+  server.get(
+    '/admin/stats',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        description: 'Get comprehensive system statistics (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async () => {
+      return app.statsService.getSystemStats();
+    }
+  );
+
+  server.get(
+    '/admin/stats/health',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        description: 'Get system health check with DB latency (Admin only)',
+        tags: ['Admin'],
+      },
+    },
+    async () => {
+      return app.statsService.getHealthCheck();
+    }
+  );
+};
+
+export default statsRoutes;

package/template/apps/api/src/routes/uploads-serve.ts

@@ -0,0 +1,27 @@
+import path from 'node:path';
+
+import fastifyStatic from '@fastify/static';
+import type { FastifyPluginAsync } from 'fastify';
+
+const uploadsServeRoutes: FastifyPluginAsync = async (app) => {
+  const storageType = app.fileStorageService.getStorageType();
+
+  // Only serve local files if using local storage
+  if (storageType === 'local') {
+    const uploadsDir = path.join(process.cwd(), 'public', 'uploads');
+
+    await app.register(fastifyStatic, {
+      root: uploadsDir,
+      prefix: '/uploads/files/',
+      decorateReply: false,
+    });
+
+    app.log.info('[+] Local file serving configured at /uploads/files/');
+  } else {
+    app.log.info(
+      `[+] Using ${storageType} storage - local file serving disabled`
+    );
+  }
+};
+
+export default uploadsServeRoutes;

package/template/apps/api/src/routes/uploads.ts

@@ -0,0 +1,154 @@
+import type { MultipartFile } from '@fastify/multipart';
+import {
+  DeleteUploadParamsSchema,
+  GetUploadsQuerySchema,
+  UploadResponseSchema,
+  UploadStatsSchema,
+} from '@repo/packages-types/upload';
+import {
+  UnauthorizedError,
+  ValidationError,
+} from '@repo/packages-utils/errors';
+import type { FastifyPluginAsync } from 'fastify';
+import type { ZodTypeProvider } from 'fastify-type-provider-zod';
+import { z } from 'zod';
+
+import { RATE_LIMIT_CONFIG } from '@/config/rate-limit.js';
+import { requireAuth } from '@/hooks/auth';
+
+const uploadsRoutes: FastifyPluginAsync = async (app) => {
+  const server = app.withTypeProvider<ZodTypeProvider>();
+
+  // POST /api/uploads - Upload a file
+  server.post(
+    '/uploads',
+    {
+      onRequest: requireAuth,
+      config: {
+        rateLimit: {
+          max: RATE_LIMIT_CONFIG.routes.uploads.max,
+          timeWindow: RATE_LIMIT_CONFIG.routes.uploads.timeWindow,
+        },
+      },
+      schema: {
+        description: 'Upload a file',
+        tags: ['Uploads'],
+        response: {
+          201: UploadResponseSchema,
+        },
+      },
+    },
+    async (request, reply) => {
+      const userId = request.user?.id;
+
+      if (!userId) {
+        throw new UnauthorizedError();
+      }
+
+      const data = await request.file();
+
+      if (!data) {
+        throw new ValidationError('No file provided');
+      }
+
+      const file = data as MultipartFile;
+
+      const upload = await app.uploadsService.uploadFile(file, userId);
+
+      return reply.status(201).send(upload);
+    }
+  );
+
+  // GET /api/uploads - Get user's uploads
+  server.get(
+    '/uploads',
+    {
+      onRequest: requireAuth,
+      schema: {
+        querystring: GetUploadsQuerySchema,
+        description: 'Get paginated list of user uploads',
+        tags: ['Uploads'],
+        response: {
+          200: z.array(
+            UploadResponseSchema.omit({ user: true }).extend({
+              userId: z.string(),
+            })
+          ),
+        },
+      },
+    },
+    async (request) => {
+      const userId = request.user?.id;
+
+      if (!userId) {
+        throw new UnauthorizedError();
+      }
+
+      const { limit, offset } = request.query;
+
+      const uploads = await app.uploadsService.getUserUploads(userId, {
+        limit,
+        offset,
+      });
+
+      return uploads;
+    }
+  );
+
+  // GET /api/uploads/stats - Get upload statistics
+  server.get(
+    '/uploads/stats',
+    {
+      onRequest: requireAuth,
+      schema: {
+        description: 'Get upload statistics for current user',
+        tags: ['Uploads'],
+        response: {
+          200: UploadStatsSchema,
+        },
+      },
+    },
+    async (request) => {
+      const userId = request.user?.id;
+
+      if (!userId) {
+        throw new UnauthorizedError();
+      }
+
+      const stats = await app.uploadsService.getUploadStats(userId);
+
+      return stats;
+    }
+  );
+
+  // DELETE /api/uploads/:id - Delete an upload
+  server.delete(
+    '/uploads/:id',
+    {
+      onRequest: requireAuth,
+      schema: {
+        params: DeleteUploadParamsSchema,
+        description: 'Delete an upload',
+        tags: ['Uploads'],
+        response: {
+          204: z.void(),
+        },
+      },
+    },
+    async (request, reply) => {
+      const userId = request.user?.id;
+
+      if (!userId) {
+        throw new UnauthorizedError();
+      }
+
+      const { id } = request.params;
+
+      await app.uploadsService.deleteUpload(id, userId);
+
+      return reply.status(204).send();
+    }
+  );
+};
+
+export default uploadsRoutes;

package/template/apps/api/src/routes/users.ts

@@ -0,0 +1,114 @@
+import { QueryUsersSchema } from '@repo/packages-types/pagination';
+import {
+  CreateUserSchema,
+  GetUserByIdSchema,
+  UpdateUserSchema,
+} from '@repo/packages-types/user';
+import type { FastifyPluginAsync } from 'fastify';
+import type { ZodTypeProvider } from 'fastify-type-provider-zod';
+
+import { requireAuth, requireRole } from '@/hooks/auth';
+
+const usersRoutes: FastifyPluginAsync = async (app) => {
+  const server = app.withTypeProvider<ZodTypeProvider>();
+
+  // GET /users - Get paginated users with filtering and sorting (Admin only)
+  server.get(
+    '/users',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        querystring: QueryUsersSchema,
+        description:
+          'Get paginated users with filtering and sorting (Admin only)',
+        tags: ['Users'],
+      },
+    },
+    async (request) => {
+      return app.usersService.getUsers(request.query);
+    }
+  );
+
+  // GET /users/:id - Get user by ID (Admin only)
+  server.get(
+    '/users/:id',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        params: GetUserByIdSchema,
+        description: 'Get user by ID (Admin only)',
+        tags: ['Users'],
+      },
+    },
+    async (request) => {
+      const user = await app.usersService.getUserById(request.params.id);
+      return { data: user };
+    }
+  );
+
+  // POST /users - Create a new user (Admin only)
+  server.post(
+    '/users',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        body: CreateUserSchema,
+        description: 'Create a new user (Admin only)',
+        tags: ['Users'],
+      },
+    },
+    async (request, reply) => {
+      const user = await app.usersService.createUser(request.body);
+
+      return reply.status(201).send({ data: user });
+    }
+  );
+
+  // PATCH /users/:id - Update user by ID (Admin only)
+  server.patch(
+    '/users/:id',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        params: GetUserByIdSchema,
+        body: UpdateUserSchema,
+        description: 'Update user by ID (Admin only)',
+        tags: ['Users'],
+      },
+    },
+    async (request) => {
+      const user = await app.usersService.updateUser(
+        request.user!.id,
+        request.user!.role as 'user' | 'admin' | 'super_admin',
+        request.params.id,
+        request.body
+      );
+
+      return { data: user };
+    }
+  );
+
+  // DELETE /users/:id - Delete user by ID (Admin only)
+  server.delete(
+    '/users/:id',
+    {
+      preHandler: [requireAuth, requireRole(['admin', 'super_admin'])],
+      schema: {
+        params: GetUserByIdSchema,
+        description: 'Delete user by ID (Admin only)',
+        tags: ['Users'],
+      },
+    },
+    async (request) => {
+      await app.usersService.deleteUser(
+        request.user!.id,
+        request.user!.role as 'user' | 'admin' | 'super_admin',
+        request.params.id
+      );
+
+      return { message: 'User deleted successfully' };
+    }
+  );
+};
+
+export default usersRoutes;

package/template/apps/api/src/routes/verification.ts

@@ -0,0 +1,90 @@
+import type { FastifyPluginAsync } from 'fastify';
+import type { ZodTypeProvider } from 'fastify-type-provider-zod';
+import { z } from 'zod';
+
+import { requireAuth } from '@/hooks/auth';
+
+const ResendVerificationSchema = z.object({
+  email: z.string().email().optional(),
+});
+
+const verificationRoutes: FastifyPluginAsync = async (app) => {
+  const server = app.withTypeProvider<ZodTypeProvider>();
+
+  // POST /verification/resend - Resend verification email
+  server.post(
+    '/verification/resend',
+    {
+      preHandler: [requireAuth],
+      schema: {
+        body: ResendVerificationSchema,
+        description:
+          'Resend verification email to authenticated user or specified email',
+        tags: ['Verification'],
+      },
+    },
+    async (request, reply) => {
+      const currentUser = request.user;
+      if (!currentUser) {
+        return reply.status(401).send({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+      }
+
+      const targetEmail = request.body.email || currentUser.email;
+
+      if (request.body.email && request.body.email !== currentUser.email) {
+        return reply.status(403).send({
+          error: 'Forbidden',
+          message: 'You can only resend verification for your own email',
+        });
+      }
+
+      const user = await app.prisma.user.findUnique({
+        where: { email: targetEmail },
+      });
+
+      if (!user) {
+        return reply.status(404).send({
+          error: 'Not Found',
+          message: 'User not found',
+        });
+      }
+
+      if (user.emailVerified) {
+        return reply.status(400).send({
+          error: 'Bad Request',
+          message: 'Email is already verified',
+        });
+      }
+
+      try {
+        await app.auth.api.sendVerificationEmail({
+          body: {
+            email: user.email,
+            callbackURL: app.env.FRONTEND_URL,
+          },
+        });
+
+        return { message: 'Verification email sent successfully' };
+      } catch (error) {
+        request.log.error(
+          {
+            err: error instanceof Error ? error : new Error(String(error)),
+            email: user.email,
+          },
+          'Failed to send verification email via Better Auth'
+        );
+
+        return reply.status(500).send({
+          error: 'Email Send Failed',
+          message:
+            'Failed to send verification email. Please try again later or contact support.',
+        });
+      }
+    }
+  );
+};
+
+export default verificationRoutes;