create-blitzpack 0.1.0

package/template/apps/api/src/server.ts

@@ -0,0 +1,34 @@
+import closeWithGrace from 'close-with-grace';
+
+import { app } from '@/app';
+import { loadEnv } from '@/config/env';
+
+const env = loadEnv();
+
+const start = async () => {
+  try {
+    await app.listen({ port: env.PORT, host: '0.0.0.0' });
+    app.log.info(`API server ready at ${env.API_URL}`);
+    app.log.info(`Environment: ${env.NODE_ENV}`);
+    app.log.info(`CORS enabled for: ${env.FRONTEND_URL}`);
+  } catch (err) {
+    app.log.error(err);
+    process.exit(1);
+  }
+};
+
+const closeListeners = closeWithGrace(
+  { delay: Number(process.env.FASTIFY_CLOSE_GRACE_DELAY) || 500 },
+  async ({ err }) => {
+    if (err) {
+      app.log.error(err);
+    }
+    await app.close();
+  }
+);
+
+app.addHook('onClose', async () => {
+  closeListeners.uninstall();
+});
+
+start();

package/template/apps/api/src/services/accounts.service.ts

@@ -0,0 +1,125 @@
+import { NotFoundError, ValidationError } from '@repo/packages-utils/errors';
+
+import { type LoggerService } from '@/common/logger.service';
+import type { PrismaClient } from '@/generated/client/client.js';
+
+export interface ConnectedAccount {
+  providerId: string;
+  accountId: string;
+  connectedAt: Date;
+  scope?: string;
+}
+
+export interface UserAccounts {
+  userId: string;
+  hasPassword: boolean;
+  connectedAccounts: ConnectedAccount[];
+}
+
+export class AccountsService {
+  constructor(
+    private readonly prisma: PrismaClient,
+    private readonly logger: LoggerService
+  ) {
+    this.logger.setContext('AccountsService');
+  }
+
+  async getUserAccounts(userId: string): Promise<UserAccounts> {
+    this.logger.info('Fetching user accounts', { userId });
+
+    const accounts = await this.prisma.account.findMany({
+      where: { userId },
+      select: {
+        providerId: true,
+        accountId: true,
+        createdAt: true,
+        scope: true,
+        password: true,
+      },
+    });
+
+    if (accounts.length === 0) {
+      throw new NotFoundError('User has no connected accounts');
+    }
+
+    const credentialAccount = accounts.find(
+      (a) => a.providerId === 'credential'
+    );
+    const hasPassword = !!(credentialAccount && credentialAccount.password);
+
+    const connectedAccounts: ConnectedAccount[] = accounts
+      .filter((a) => a.providerId !== 'credential')
+      .map((a) => ({
+        providerId: a.providerId,
+        accountId: a.accountId,
+        connectedAt: a.createdAt,
+        scope: a.scope || undefined,
+      }));
+
+    if (hasPassword) {
+      connectedAccounts.unshift({
+        providerId: 'credential',
+        accountId: credentialAccount!.accountId,
+        connectedAt: credentialAccount!.createdAt,
+      });
+    }
+
+    return {
+      userId,
+      hasPassword,
+      connectedAccounts,
+    };
+  }
+
+  async unlinkAccount(
+    userId: string,
+    providerId: string
+  ): Promise<{ success: boolean }> {
+    this.logger.info('Unlinking account', { userId, providerId });
+
+    const accounts = await this.prisma.account.findMany({
+      where: { userId },
+    });
+
+    if (accounts.length <= 1) {
+      throw new ValidationError(
+        'Cannot unlink the only account. User must have at least one login method.'
+      );
+    }
+
+    if (providerId === 'credential') {
+      throw new ValidationError(
+        'Cannot unlink password login. Please change your password or contact support.'
+      );
+    }
+
+    const account = accounts.find((a) => a.providerId === providerId);
+    if (!account) {
+      throw new NotFoundError(
+        `Account with provider ${providerId} not found for this user`
+      );
+    }
+
+    await this.prisma.account.delete({
+      where: { id: account.id },
+    });
+
+    this.logger.info('Account unlinked successfully', { userId, providerId });
+
+    return { success: true };
+  }
+
+  async canChangePassword(userId: string): Promise<boolean> {
+    const credentialAccount = await this.prisma.account.findFirst({
+      where: {
+        userId,
+        providerId: 'credential',
+      },
+      select: {
+        password: true,
+      },
+    });
+
+    return !!(credentialAccount && credentialAccount.password);
+  }
+}

package/template/apps/api/src/services/authorization.service.ts

@@ -0,0 +1,162 @@
+import type { Role } from '@repo/packages-types/role';
+import { ForbiddenError } from '@repo/packages-utils/errors';
+
+import type { LoggerService } from '@/common/logger.service';
+
+export interface AuthorizationContext {
+  actorId: string;
+  actorRole: Role;
+  targetUserId?: string;
+  targetUserRole?: Role;
+}
+
+export class AuthorizationService {
+  private readonly roleHierarchy: Record<Role, number> = {
+    super_admin: 3,
+    admin: 2,
+    user: 1,
+  };
+
+  constructor(private readonly logger: LoggerService) {
+    this.logger.setContext('AuthorizationService');
+  }
+
+  private getRoleLevel(role: Role): number {
+    return this.roleHierarchy[role];
+  }
+
+  canModifyUser(actorRole: Role, targetRole: Role): boolean {
+    const actorLevel = this.getRoleLevel(actorRole);
+    const targetLevel = this.getRoleLevel(targetRole);
+
+    return actorLevel > targetLevel;
+  }
+
+  canDeleteUser(actorRole: Role, targetRole: Role): boolean {
+    return this.canModifyUser(actorRole, targetRole);
+  }
+
+  canChangeRole(
+    actorRole: Role,
+    targetCurrentRole: Role,
+    newRole: Role
+  ): boolean {
+    const actorLevel = this.getRoleLevel(actorRole);
+    const targetLevel = this.getRoleLevel(targetCurrentRole);
+    const newRoleLevel = this.getRoleLevel(newRole);
+
+    return actorLevel > targetLevel && actorLevel > newRoleLevel;
+  }
+
+  canChangeEmail(actorRole: Role): boolean {
+    return actorRole === 'super_admin';
+  }
+
+  assertCanModifyUser(
+    actorId: string,
+    actorRole: Role,
+    targetUserId: string,
+    targetRole: Role
+  ): void {
+    if (actorId === targetUserId) {
+      return;
+    }
+
+    if (!this.canModifyUser(actorRole, targetRole)) {
+      this.logger.warn('Authorization failed: Cannot modify user', {
+        actorId,
+        actorRole,
+        targetUserId,
+        targetRole,
+      });
+      throw new ForbiddenError(
+        `Insufficient permissions to modify user with role: ${targetRole}`,
+        {
+          requiredLevel: 'higher than target',
+          actorRole,
+          targetRole,
+        }
+      );
+    }
+  }
+
+  assertCanDeleteUser(
+    actorId: string,
+    actorRole: Role,
+    targetUserId: string,
+    targetRole: Role
+  ): void {
+    if (actorId === targetUserId) {
+      this.logger.warn('Authorization failed: Cannot delete own account', {
+        actorId,
+      });
+      throw new ForbiddenError('Cannot delete your own account');
+    }
+
+    if (!this.canDeleteUser(actorRole, targetRole)) {
+      this.logger.warn('Authorization failed: Cannot delete user', {
+        actorId,
+        actorRole,
+        targetUserId,
+        targetRole,
+      });
+      throw new ForbiddenError(
+        `Insufficient permissions to delete user with role: ${targetRole}`,
+        {
+          requiredLevel: 'higher than target',
+          actorRole,
+          targetRole,
+        }
+      );
+    }
+  }
+
+  assertCanChangeRole(
+    actorId: string,
+    actorRole: Role,
+    targetUserId: string,
+    targetCurrentRole: Role,
+    newRole: Role
+  ): void {
+    if (actorId === targetUserId) {
+      this.logger.warn('Authorization failed: Cannot modify own role', {
+        actorId,
+      });
+      throw new ForbiddenError('Cannot modify your own role');
+    }
+
+    if (!this.canChangeRole(actorRole, targetCurrentRole, newRole)) {
+      this.logger.warn('Authorization failed: Cannot change role', {
+        actorId,
+        actorRole,
+        targetUserId,
+        targetCurrentRole,
+        newRole,
+      });
+      throw new ForbiddenError(
+        `Insufficient permissions to change role from ${targetCurrentRole} to ${newRole}`,
+        {
+          requiredLevel: 'higher than both current and target roles',
+          actorRole,
+          targetCurrentRole,
+          newRole,
+        }
+      );
+    }
+  }
+
+  assertCanChangeEmail(actorRole: Role): void {
+    if (!this.canChangeEmail(actorRole)) {
+      this.logger.warn('Authorization failed: Cannot change email', {
+        actorRole,
+      });
+      throw new ForbiddenError(
+        'Only super admins can change user email addresses',
+        {
+          requiredRole: 'super_admin',
+          currentRole: actorRole,
+        }
+      );
+    }
+  }
+}

package/template/apps/api/src/services/email.service.ts

@@ -0,0 +1,170 @@
+import { render } from '@react-email/components';
+import PasswordResetEmail from 'emails/password-reset-email';
+import VerificationEmail from 'emails/verification-email';
+import { Resend } from 'resend';
+
+import type { LoggerService } from '@/common/logger.service';
+import type { Env } from '@/config/env';
+import type { PrismaClient } from '@/generated/client/client.js';
+
+export class EmailService {
+  private resend: Resend | null = null;
+  private isConfigured: boolean;
+  private emailFrom: string;
+
+  constructor(
+    private readonly env: Env,
+    private readonly logger: LoggerService,
+    private readonly prisma: PrismaClient
+  ) {
+    this.logger.setContext('EmailService');
+
+    this.isConfigured = !!(this.env.RESEND_API_KEY && this.env.EMAIL_FROM);
+    this.emailFrom = this.env.EMAIL_FROM || 'noreply@example.com';
+
+    if (this.isConfigured) {
+      this.resend = new Resend(this.env.RESEND_API_KEY!);
+      this.logger.info(
+        `[+] Email service initialized with Resend. Email: ${this.emailFrom}`
+      );
+    } else {
+      this.logger.warn(
+        'Email service not configured (missing RESEND_API_KEY or EMAIL_FROM) - emails will be logged to console'
+      );
+    }
+  }
+
+  async sendVerificationEmail(
+    email: string,
+    verificationUrl: string
+  ): Promise<{ success: boolean; error?: string }> {
+    const subject = 'Verify your email address';
+
+    try {
+      const html = await render(
+        VerificationEmail({
+          verificationUrl,
+          userEmail: email,
+        })
+      );
+
+      await this.sendEmail({
+        to: email,
+        subject,
+        html,
+      });
+
+      this.logger.info('Verification email sent', { to: email });
+      return { success: true };
+    } catch (error) {
+      this.logger.error(
+        'Failed to send verification email - user can resend later',
+        error instanceof Error ? error : new Error(String(error)),
+        { to: email }
+      );
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  }
+
+  async sendPasswordResetEmail(
+    email: string,
+    resetUrl: string
+  ): Promise<{ success: boolean; error?: string }> {
+    const subject = 'Reset your password';
+
+    try {
+      const html = await render(
+        PasswordResetEmail({
+          resetUrl,
+          userEmail: email,
+        })
+      );
+
+      await this.sendEmail({
+        to: email,
+        subject,
+        html,
+      });
+
+      this.logger.info('Password reset email sent', { to: email });
+      return { success: true };
+    } catch (error) {
+      this.logger.error(
+        'Failed to send password reset email',
+        error instanceof Error ? error : new Error(String(error)),
+        { to: email }
+      );
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  }
+
+  private async sendEmail({
+    to,
+    subject,
+    html,
+  }: {
+    to: string;
+    subject: string;
+    html: string;
+  }) {
+    if (!this.isConfigured) {
+      this.logger
+        .detailed()
+        .info('Email not sent (dev mode - no API key configured)', {
+          to,
+          subject,
+        });
+
+      console.log(
+        '\n┌─────────────────────────────────────────────────────────┐'
+      );
+      console.log(
+        '│                   📧 EMAIL PREVIEW                      │'
+      );
+      console.log(
+        '└─────────────────────────────────────────────────────────┘'
+      );
+      console.log(`To:      ${to}`);
+      console.log(`From:    ${this.emailFrom}`);
+      console.log(`Subject: ${subject}`);
+      console.log('─────────────────────────────────────────────────────────');
+      console.log(`Preview: ${html.slice(0, 300)}...`);
+      console.log(
+        '─────────────────────────────────────────────────────────\n'
+      );
+
+      return;
+    }
+
+    try {
+      const result = await this.resend!.emails.send({
+        from: this.emailFrom,
+        to,
+        subject,
+        html,
+      });
+
+      this.logger.detailed().debug('Email sent successfully', {
+        to,
+        subject,
+        emailId: result.data?.id,
+      });
+    } catch (error) {
+      this.logger.error(
+        'Failed to send email via Resend',
+        error instanceof Error ? error : new Error(String(error)),
+        {
+          to,
+          subject,
+        }
+      );
+      throw error;
+    }
+  }
+}