create-fluxstack 1.12.1 → 1.13.0

package/app/server/live/LiveProtectedChat.ts

@@ -0,0 +1,150 @@
+// 🔒 LiveProtectedChat - Exemplo de Live Component com autenticação
+//
+// Demonstra como usar o sistema de auth em Live Components:
+// - static auth: define que o componente requer autenticação
+// - static actionAuth: define permissões por action
+// - this.$auth: acessa o contexto de auth dentro do componente
+//
+// Client usage:
+//   import type { LiveProtectedChat as _Client } from '@client/src/live/ProtectedChat'
+
+import { LiveComponent } from '@core/types/types'
+import type { LiveComponentAuth, LiveActionAuthMap } from '@core/server/live/auth/types'
+
+interface ChatMessage {
+  id: number
+  userId: string
+  text: string
+  timestamp: number
+  isAdmin: boolean
+}
+
+interface ProtectedChatState {
+  messages: ChatMessage[]
+  userCount: number
+  currentUser: string | null
+  isAdmin: boolean
+}
+
+export class LiveProtectedChat extends LiveComponent<ProtectedChatState> {
+  static componentName = 'LiveProtectedChat'
+
+  static defaultState: ProtectedChatState = {
+    messages: [],
+    userCount: 0,
+    currentUser: null,
+    isAdmin: false,
+  }
+
+  // 🔒 Auth: componente requer autenticação
+  static auth: LiveComponentAuth = {
+    required: true,
+  }
+
+  // 🔒 Auth por action: deleteMessage requer permissão 'chat.admin'
+  static actionAuth: LiveActionAuthMap = {
+    deleteMessage: { permissions: ['chat.admin'] },
+    clearMessages: { roles: ['admin'] },
+  }
+
+  protected roomType = 'protected-chat'
+
+  constructor(
+    initialState: Partial<ProtectedChatState>,
+    ws: any,
+    options?: { room?: string; userId?: string }
+  ) {
+    super(initialState, ws, options)
+
+    // Escutar mensagens de outros usuários na sala
+    this.onRoomEvent<ChatMessage>('NEW_MESSAGE', (msg) => {
+      const messages = [...this.state.messages, msg].slice(-50)
+      this.setState({ messages })
+    })
+
+    this.onRoomEvent<{ count: number }>('USER_COUNT', (data) => {
+      this.setState({ userCount: data.count })
+    })
+  }
+
+  /**
+   * Entra na sala e configura info do usuário autenticado
+   */
+  async join(payload: { room: string }) {
+    this.$room(payload.room).join()
+
+    // 🔒 Usar $auth para identificar o usuário
+    const userId = this.$auth.user?.id || this.userId || 'anonymous'
+    const isAdmin = this.$auth.hasRole('admin')
+
+    this.setState({
+      currentUser: userId,
+      isAdmin,
+    })
+
+    return { success: true, userId, isAdmin }
+  }
+
+  /**
+   * Envia mensagem - qualquer usuário autenticado pode enviar
+   */
+  async sendMessage(payload: { text: string }) {
+    if (!payload.text?.trim()) {
+      throw new Error('Message cannot be empty')
+    }
+
+    const message: ChatMessage = {
+      id: Date.now(),
+      userId: this.$auth.user?.id || this.userId || 'unknown',
+      text: payload.text.trim(),
+      timestamp: Date.now(),
+      isAdmin: this.$auth.hasRole('admin'),
+    }
+
+    // Atualiza estado local + notifica outros na sala
+    this.emitRoomEventWithState(
+      'NEW_MESSAGE',
+      message,
+      { messages: [...this.state.messages, message].slice(-50) }
+    )
+
+    return { success: true, messageId: message.id }
+  }
+
+  /**
+   * Deleta uma mensagem - requer permissão 'chat.admin'
+   * (protegido via static actionAuth)
+   */
+  async deleteMessage(payload: { messageId: number }) {
+    const messages = this.state.messages.filter(m => m.id !== payload.messageId)
+    this.setState({ messages })
+
+    // Notificar outros na sala
+    this.emitRoomEvent('MESSAGE_DELETED', { messageId: payload.messageId })
+
+    return { success: true }
+  }
+
+  /**
+   * Limpa todas as mensagens - requer role 'admin'
+   * (protegido via static actionAuth)
+   */
+  async clearMessages() {
+    this.setState({ messages: [] })
+    this.emitRoomEvent('MESSAGES_CLEARED', {})
+    return { success: true }
+  }
+
+  /**
+   * Retorna info do usuário autenticado (sem restrição extra)
+   */
+  async getAuthInfo() {
+    return {
+      authenticated: this.$auth.authenticated,
+      userId: this.$auth.user?.id,
+      roles: this.$auth.user?.roles,
+      permissions: this.$auth.user?.permissions,
+      isAdmin: this.$auth.hasRole('admin'),
+    }
+  }
+}

package/app/server/routes/auth.routes.ts

@@ -0,0 +1,278 @@
+/**
+ * FluxStack Auth Routes
+ *
+ * Endpoints de autenticação:
+ * - POST /api/auth/register — Registrar novo usuário
+ * - POST /api/auth/login    — Login (email + password)
+ * - POST /api/auth/logout   — Logout (destroi sessão)
+ * - GET  /api/auth/me       — Retorna usuário autenticado
+ */
+
+import { Elysia, t } from 'elysia'
+import {
+  getAuthManager,
+  getRateLimiter,
+  auth,
+  guest,
+  buildRequestContext,
+} from '@server/auth'
+import { authConfig } from '@config/system/auth.config'
+
+// ===== Schemas TypeBox (para validação + Swagger) =====
+
+const RegisterBodySchema = t.Object({
+  name: t.String({ minLength: 1, description: 'User name' }),
+  email: t.String({ format: 'email', description: 'User email' }),
+  password: t.String({ minLength: 6, description: 'User password (min 6 chars)' }),
+})
+
+const LoginBodySchema = t.Object({
+  email: t.String({ format: 'email', description: 'User email' }),
+  password: t.String({ minLength: 1, description: 'User password' }),
+})
+
+const AuthUserResponseSchema = t.Object({
+  success: t.Literal(true),
+  user: t.Object({
+    id: t.Union([t.String(), t.Number()]),
+    name: t.Optional(t.String()),
+    email: t.Optional(t.String()),
+    createdAt: t.Optional(t.String()),
+  }),
+})
+
+const AuthErrorResponseSchema = t.Object({
+  success: t.Literal(false),
+  error: t.String(),
+  message: t.Optional(t.String()),
+})
+
+const LoginResponseSchema = t.Object({
+  success: t.Literal(true),
+  user: t.Object({
+    id: t.Union([t.String(), t.Number()]),
+    name: t.Optional(t.String()),
+    email: t.Optional(t.String()),
+    createdAt: t.Optional(t.String()),
+  }),
+  token: t.Optional(t.String({ description: 'Bearer token (only for token guard)' })),
+})
+
+// ===== Routes =====
+
+export const authRoutes = new Elysia({
+  prefix: '/auth',
+  tags: ['Auth'],
+})
+
+  // ───── Register ─────
+  .post('/register', async (ctx) => {
+    const { body, set } = ctx
+
+    try {
+      const authManager = getAuthManager()
+      const guard = authManager.freshGuard(undefined, buildRequestContext(ctx))
+
+      // Resolver provider para criar user
+      const config = authManager.getConfig()
+      const providerName = config.guards[config.defaults.guard]?.provider ?? config.defaults.provider
+
+      // Acessar provider via guard.attempt com credenciais
+      // Alternativa: criar user via provider e depois login
+      const guardInstance = authManager.guard()
+
+      // Criar user diretamente via provider registrado
+      // O provider é acessível via attempt/validate, mas para register
+      // precisamos acessar createUser.
+      // Solução: usar o InMemoryProvider diretamente ou o guard.
+      // Por segurança, vamos usar attempt após criar o user.
+
+      // Buscar provider do auth manager config
+      const providers = (authManager as any).providerInstances as Map<string, any>
+      const provider = providers.get(providerName)
+
+      if (!provider) {
+        set.status = 500
+        return { success: false as const, error: 'ServerError', message: 'Auth provider not available' }
+      }
+
+      // Verificar se email já existe
+      const existing = await provider.retrieveByCredentials({ email: body.email })
+      if (existing) {
+        set.status = 422
+        return { success: false as const, error: 'ValidationError', message: 'Email already in use' }
+      }
+
+      // Criar usuário
+      const user = await provider.createUser({
+        name: body.name,
+        email: body.email,
+        password: body.password,
+      })
+
+      // Auto-login após registro
+      await guard.login(user)
+
+      set.status = 201
+      return {
+        success: true as const,
+        user: user.toJSON() as any,
+      }
+    } catch (error: any) {
+      set.status = 422
+      return {
+        success: false as const,
+        error: 'RegistrationFailed',
+        message: error.message ?? 'Failed to register user',
+      }
+    }
+  }, {
+    body: RegisterBodySchema,
+    response: {
+      201: AuthUserResponseSchema,
+      422: AuthErrorResponseSchema,
+      500: AuthErrorResponseSchema,
+    },
+    detail: {
+      summary: 'Register',
+      description: 'Create a new user account and auto-login',
+    },
+  })
+
+  // ───── Login ─────
+  .post('/login', async (ctx) => {
+    const { body, set } = ctx
+
+    const rateLimiter = getRateLimiter()
+    const requestContext = buildRequestContext(ctx)
+    const throttleKey = `${body.email}|${requestContext.ip}`
+
+    // Rate limiting
+    const maxAttempts = authConfig.rateLimit.maxAttempts ?? 5
+    const decaySeconds = authConfig.rateLimit.decaySeconds ?? 60
+
+    if (await rateLimiter.tooManyAttempts(throttleKey, maxAttempts)) {
+      const retryAfter = await rateLimiter.availableIn(throttleKey)
+      set.status = 429
+      set.headers['Retry-After'] = String(retryAfter)
+      return {
+        success: false as const,
+        error: 'TooManyAttempts',
+        message: `Too many login attempts. Try again in ${retryAfter} seconds.`,
+      }
+    }
+
+    try {
+      const authManager = getAuthManager()
+      const guard = authManager.freshGuard(undefined, requestContext)
+
+      // Tentar autenticar
+      const user = await guard.attempt({
+        email: body.email,
+        password: body.password,
+      })
+
+      if (!user) {
+        // Registrar tentativa falha
+        await rateLimiter.hit(throttleKey, decaySeconds)
+        set.status = 401
+        return {
+          success: false as const,
+          error: 'InvalidCredentials',
+          message: 'Invalid email or password.',
+        }
+      }
+
+      // Sucesso: limpar rate limit
+      await rateLimiter.clear(throttleKey)
+
+      // Montar response
+      const response: any = {
+        success: true as const,
+        user: user.toJSON(),
+      }
+
+      // Se for token guard, incluir token na response
+      if ('getLastGeneratedToken' in guard) {
+        const token = (guard as any).getLastGeneratedToken()
+        if (token) {
+          response.token = token
+        }
+      }
+
+      return response
+    } catch (error: any) {
+      set.status = 500
+      return {
+        success: false as const,
+        error: 'LoginFailed',
+        message: error.message ?? 'An unexpected error occurred.',
+      }
+    }
+  }, {
+    body: LoginBodySchema,
+    response: {
+      200: LoginResponseSchema,
+      401: AuthErrorResponseSchema,
+      429: AuthErrorResponseSchema,
+      500: AuthErrorResponseSchema,
+    },
+    detail: {
+      summary: 'Login',
+      description: 'Authenticate with email and password. Returns user data and session cookie (or token).',
+    },
+  })
+
+  // ───── Logout ─────
+  .use(auth())
+  .post('/logout', async (ctx) => {
+    const { auth: guard } = ctx as any
+
+    try {
+      if (guard) {
+        await guard.logout()
+      }
+
+      return {
+        success: true as const,
+        message: 'Logged out successfully.',
+      }
+    } catch (error: any) {
+      (ctx as any).set.status = 500
+      return {
+        success: false as const,
+        error: 'LogoutFailed',
+        message: error.message ?? 'Failed to logout.',
+      }
+    }
+  }, {
+    response: {
+      200: t.Object({
+        success: t.Literal(true),
+        message: t.String(),
+      }),
+      500: AuthErrorResponseSchema,
+    },
+    detail: {
+      summary: 'Logout',
+      description: 'Destroy the current session and clear the cookie.',
+    },
+  })
+
+  // ───── Me (current user) ─────
+  .get('/me', async (ctx) => {
+    const { user } = ctx as any
+
+    return {
+      success: true as const,
+      user: user.toJSON(),
+    }
+  }, {
+    response: {
+      200: AuthUserResponseSchema,
+    },
+    detail: {
+      summary: 'Current User',
+      description: 'Returns the currently authenticated user.',
+    },
+  })

package/app/server/routes/index.ts

@@ -1,6 +1,7 @@
 import { Elysia, t } from "elysia"
 import { usersRoutes } from "./users.routes"
 import { roomRoutes } from "./room.routes"
+import { authRoutes } from "./auth.routes"
 
 export const apiRoutes = new Elysia({ prefix: "/api" })
   .get("/", () => ({ message: "🔥 Hot Reload funcionando! FluxStack API v1.4.0 ⚡" }), {
@@ -34,5 +35,6 @@ export const apiRoutes = new Elysia({ prefix: "/api" })
     }
   })
   // Register routes
+  .use(authRoutes)
   .use(usersRoutes)
   .use(roomRoutes)

package/config/index.ts

@@ -40,6 +40,8 @@ export { appRuntimeConfig } from './system/runtime.config'
 export { systemConfig, systemRuntimeInfo } from './system/system.config'
 export { databaseConfig } from './system/database.config'
 export { servicesConfig } from './system/services.config'
+export { authConfig } from './system/auth.config'
+export { sessionConfig } from './system/session.config'
 
 // Main FluxStack config (composed)
 export { fluxStackConfig, config as fluxConfig, type FluxStackConfig } from './fluxstack.config'
@@ -80,6 +82,8 @@ export type { SystemConfig, SystemRuntimeInfo } from './system/system.config'
 export type { AppRuntimeConfig } from './system/runtime.config'
 export type { DatabaseConfig } from './system/database.config'
 export type { ServicesConfig } from './system/services.config'
+export type { AuthConfig } from './system/auth.config'
+export type { SessionConfig } from './system/session.config'
 
 // Plugin types
 export type { CryptoAuthConfig } from '../plugins/crypto-auth/config'
@@ -99,6 +103,8 @@ import { appRuntimeConfig } from './system/runtime.config'
 import { systemConfig, systemRuntimeInfo } from './system/system.config'
 import { databaseConfig } from './system/database.config'
 import { servicesConfig } from './system/services.config'
+import { authConfig } from './system/auth.config'
+import { sessionConfig } from './system/session.config'
 import { cryptoAuthConfig } from '../plugins/crypto-auth/config'
 
 /**
@@ -122,6 +128,8 @@ export const config = {
   systemRuntime: systemRuntimeInfo,
   database: databaseConfig,
   services: servicesConfig,
+  auth: authConfig,
+  session: sessionConfig,
 
   // Plugin configs
   cryptoAuth: cryptoAuthConfig

package/config/system/auth.config.ts

@@ -0,0 +1,49 @@
+/**
+ * Auth Configuration
+ *
+ * Configuração do sistema de autenticação.
+ * Inspirado no config/auth.php do Laravel.
+ *
+ * Guards: COMO autenticar (session, token, jwt...)
+ * Providers: ONDE buscar usuários (memory, database...)
+ */
+
+import { defineConfig, defineNestedConfig, config } from '@core/utils/config-schema'
+
+// ===== Defaults =====
+
+const defaultsSchema = {
+  guard: config.enum('AUTH_DEFAULT_GUARD', ['session', 'token'] as const, 'session'),
+  provider: config.enum('AUTH_DEFAULT_PROVIDER', ['memory', 'database'] as const, 'memory'),
+} as const
+
+// ===== Password Hashing =====
+
+const passwordsSchema = {
+  hashAlgorithm: config.enum('AUTH_HASH_ALGORITHM', ['bcrypt', 'argon2id'] as const, 'bcrypt'),
+  bcryptRounds: config.number('AUTH_BCRYPT_ROUNDS', 10),
+} as const
+
+// ===== Rate Limiting =====
+
+const rateLimitSchema = {
+  maxAttempts: config.number('AUTH_RATE_LIMIT_MAX_ATTEMPTS', 5),
+  decaySeconds: config.number('AUTH_RATE_LIMIT_DECAY_SECONDS', 60),
+} as const
+
+// ===== Token Guard =====
+
+const tokenSchema = {
+  ttl: config.number('AUTH_TOKEN_TTL', 86400),
+} as const
+
+export const authConfig = defineNestedConfig({
+  defaults: defaultsSchema,
+  passwords: passwordsSchema,
+  rateLimit: rateLimitSchema,
+  token: tokenSchema,
+})
+
+export type AuthConfig = typeof authConfig
+
+export default authConfig

package/config/system/session.config.ts

@@ -0,0 +1,33 @@
+/**
+ * Session Configuration
+ *
+ * Configuração do sistema de sessões.
+ * Inspirado no config/session.php do Laravel.
+ */
+
+import { defineConfig, config } from '@core/utils/config-schema'
+
+const sessionConfigSchema = {
+  /** Driver de sessão (memory = processo, extensível para redis, database) */
+  driver: config.enum('SESSION_DRIVER', ['memory'] as const, 'memory'),
+  /** Tempo de vida da sessão em segundos (default: 7200 = 2 horas) */
+  lifetime: config.number('SESSION_LIFETIME', 7200),
+  /** Nome do cookie de sessão */
+  cookieName: config.string('SESSION_COOKIE', 'fluxstack_session'),
+  /** Cookie httpOnly (default: true) */
+  httpOnly: config.boolean('SESSION_HTTP_ONLY', true),
+  /** Cookie secure - true em produção (default: false) */
+  secure: config.boolean('SESSION_SECURE', false),
+  /** Cookie sameSite */
+  sameSite: config.enum('SESSION_SAME_SITE', ['strict', 'lax', 'none'] as const, 'lax'),
+  /** Cookie path */
+  path: config.string('SESSION_PATH', '/'),
+  /** Cookie domain (vazio = current domain) */
+  domain: config.string('SESSION_DOMAIN', ''),
+} as const
+
+export const sessionConfig = defineConfig(sessionConfigSchema)
+
+export type SessionConfig = typeof sessionConfig
+
+export default sessionConfig