create-forgeon 0.1.34 → 0.1.36

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth.service.ts

@@ -0,0 +1,155 @@
+import {
+  AUTH_ERROR_CODES,
+  AuthUser,
+  LoginResponse,
+  RefreshResponse,
+  TokenPair,
+} from '@forgeon/auth-contracts';
+import { Inject, Injectable, UnauthorizedException } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { compare, hash } from 'bcryptjs';
+import {
+  AUTH_REFRESH_TOKEN_STORE,
+  AuthRefreshTokenStore,
+} from './auth-refresh-token.store';
+import { AuthConfigService } from './auth-config.service';
+import { LoginDto, RefreshDto } from './dto';
+import { AuthJwtPayload } from './auth.types';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private readonly jwtService: JwtService,
+    private readonly configService: AuthConfigService,
+    @Inject(AUTH_REFRESH_TOKEN_STORE)
+    private readonly refreshTokenStore: AuthRefreshTokenStore,
+  ) {}
+
+  getTokenStoreKind(): string {
+    return this.refreshTokenStore.kind;
+  }
+
+  async login(input: LoginDto): Promise<LoginResponse> {
+    const email = input.email.trim().toLowerCase();
+    if (email !== this.configService.demoEmail || input.password !== this.configService.demoPassword) {
+      throw new UnauthorizedException({
+        message: 'Invalid credentials',
+        details: { code: AUTH_ERROR_CODES.invalidCredentials },
+      });
+    }
+
+    const user: AuthUser = {
+      sub: email,
+      email,
+      roles: ['user'],
+    };
+
+    const tokens = await this.issueTokens(user);
+    return {
+      ...tokens,
+      user,
+      tokenStore: this.refreshTokenStore.kind,
+    };
+  }
+
+  async refresh(input: RefreshDto): Promise<RefreshResponse> {
+    let payload: AuthJwtPayload;
+    try {
+      payload = await this.jwtService.verifyAsync<AuthJwtPayload>(input.refreshToken, {
+        secret: this.configService.refreshSecret,
+      });
+    } catch (error) {
+      const code =
+        error instanceof Error && error.name === 'TokenExpiredError'
+          ? AUTH_ERROR_CODES.tokenExpired
+          : AUTH_ERROR_CODES.refreshInvalid;
+
+      throw new UnauthorizedException({
+        message: 'Refresh token is invalid or expired',
+        details: { code },
+      });
+    }
+
+    if (this.refreshTokenStore.kind !== 'none') {
+      const storedHash = await this.refreshTokenStore.getRefreshTokenHash(payload.sub);
+      if (!storedHash) {
+        throw new UnauthorizedException({
+          message: 'Refresh token is invalid or expired',
+          details: { code: AUTH_ERROR_CODES.refreshInvalid },
+        });
+      }
+
+      const matched = await compare(input.refreshToken, storedHash);
+      if (!matched) {
+        throw new UnauthorizedException({
+          message: 'Refresh token is invalid or expired',
+          details: { code: AUTH_ERROR_CODES.refreshInvalid },
+        });
+      }
+    }
+
+    const user = this.toAuthUser(payload);
+    const tokens = await this.issueTokens(user);
+    return {
+      ...tokens,
+      user,
+      tokenStore: this.refreshTokenStore.kind,
+    };
+  }
+
+  async logout(user: AuthJwtPayload): Promise<void> {
+    if (this.refreshTokenStore.kind === 'none') {
+      return;
+    }
+    await this.refreshTokenStore.removeRefreshTokenHash(user.sub);
+  }
+
+  getProbeStatus() {
+    return {
+      status: 'ok',
+      feature: 'jwt-auth',
+      tokenStore: this.refreshTokenStore.kind,
+      demoEmail: this.configService.demoEmail,
+    };
+  }
+
+  private async issueTokens(user: AuthUser): Promise<TokenPair> {
+    const payload: AuthJwtPayload = {
+      sub: user.sub,
+      email: user.email,
+      roles: user.roles,
+    };
+
+    const [accessToken, refreshToken] = await Promise.all([
+      this.jwtService.signAsync(payload, {
+        secret: this.configService.accessSecret,
+        expiresIn: this.configService.accessExpiresIn,
+      }),
+      this.jwtService.signAsync(payload, {
+        secret: this.configService.refreshSecret,
+        expiresIn: this.configService.refreshExpiresIn,
+      }),
+    ]);
+
+    if (this.refreshTokenStore.kind !== 'none') {
+      const tokenHash = await hash(refreshToken, this.configService.bcryptRounds);
+      await this.refreshTokenStore.saveRefreshTokenHash(user.sub, tokenHash);
+    }
+
+    return {
+      accessToken,
+      refreshToken,
+      tokenType: 'Bearer',
+      accessTtl: this.configService.accessExpiresIn,
+      refreshTtl: this.configService.refreshExpiresIn,
+    };
+  }
+
+  private toAuthUser(payload: AuthJwtPayload): AuthUser {
+    return {
+      sub: payload.sub,
+      email: payload.email,
+      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
+    };
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/auth.types.ts

@@ -0,0 +1,6 @@
+import type { AuthUser } from '@forgeon/auth-contracts';
+
+export interface AuthJwtPayload extends AuthUser {
+  iat?: number;
+  exp?: number;
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/dto/index.ts

@@ -0,0 +1,2 @@
+export * from './login.dto';
+export * from './refresh.dto';

package/templates/module-presets/jwt-auth/packages/auth-api/src/dto/login.dto.ts

@@ -0,0 +1,11 @@
+import { LoginRequest } from '@forgeon/auth-contracts';
+import { IsEmail, IsString, MinLength } from 'class-validator';
+
+export class LoginDto implements LoginRequest {
+  @IsEmail()
+  email!: string;
+
+  @IsString()
+  @MinLength(8)
+  password!: string;
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/dto/refresh.dto.ts

@@ -0,0 +1,8 @@
+import { RefreshRequest } from '@forgeon/auth-contracts';
+import { IsString, MinLength } from 'class-validator';
+
+export class RefreshDto implements RefreshRequest {
+  @IsString()
+  @MinLength(16)
+  refreshToken!: string;
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/forgeon-auth.module.ts

@@ -0,0 +1,47 @@
+import {
+  DynamicModule,
+  Module,
+  ModuleMetadata,
+  Provider,
+} from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import {
+  AUTH_REFRESH_TOKEN_STORE,
+  NoopAuthRefreshTokenStore,
+} from './auth-refresh-token.store';
+import { AuthConfigModule } from './auth-config.module';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { JwtAuthGuard } from './jwt-auth.guard';
+import { JwtStrategy } from './jwt.strategy';
+
+export interface ForgeonAuthModuleOptions {
+  imports?: ModuleMetadata['imports'];
+  refreshTokenStoreProvider?: Provider;
+}
+
+@Module({})
+export class ForgeonAuthModule {
+  static register(options: ForgeonAuthModuleOptions = {}): DynamicModule {
+    const refreshTokenStoreProvider =
+      options.refreshTokenStoreProvider ??
+      ({
+        provide: AUTH_REFRESH_TOKEN_STORE,
+        useClass: NoopAuthRefreshTokenStore,
+      } satisfies Provider);
+
+    return {
+      module: ForgeonAuthModule,
+      imports: [
+        AuthConfigModule,
+        PassportModule.register({ defaultStrategy: 'jwt' }),
+        JwtModule.register({}),
+        ...(options.imports ?? []),
+      ],
+      controllers: [AuthController],
+      providers: [AuthService, JwtStrategy, JwtAuthGuard, refreshTokenStoreProvider],
+      exports: [AuthConfigModule, AuthService, JwtAuthGuard, AUTH_REFRESH_TOKEN_STORE],
+    };
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/src/index.ts

@@ -0,0 +1,12 @@
+export * from './auth-env.schema';
+export * from './auth-config.loader';
+export * from './auth-config.module';
+export * from './auth-config.service';
+export * from './auth-refresh-token.store';
+export * from './auth.controller';
+export * from './auth.service';
+export * from './auth.types';
+export * from './dto';
+export * from './forgeon-auth.module';
+export * from './jwt-auth.guard';
+export * from './jwt.strategy';

package/templates/module-presets/jwt-auth/packages/auth-api/src/jwt-auth.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {}

package/templates/module-presets/jwt-auth/packages/auth-api/src/jwt.strategy.ts

@@ -0,0 +1,20 @@
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { AuthConfigService } from './auth-config.service';
+import { AuthJwtPayload } from './auth.types';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(configService: AuthConfigService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: configService.accessSecret,
+    });
+  }
+
+  validate(payload: AuthJwtPayload): AuthJwtPayload {
+    return payload;
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-api/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.node.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"]
+}

package/templates/module-presets/jwt-auth/packages/auth-contracts/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "@forgeon/auth-contracts",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.7",
+    "typescript": "^5.7.3"
+  }
+}

package/templates/module-presets/jwt-auth/packages/auth-contracts/src/index.ts

@@ -0,0 +1,47 @@
+export const AUTH_API_ROUTES = {
+  login: '/api/auth/login',
+  refresh: '/api/auth/refresh',
+  logout: '/api/auth/logout',
+  me: '/api/auth/me',
+} as const;
+
+export const AUTH_ERROR_CODES = {
+  invalidCredentials: 'AUTH_INVALID_CREDENTIALS',
+  tokenExpired: 'AUTH_TOKEN_EXPIRED',
+  refreshInvalid: 'AUTH_REFRESH_INVALID',
+} as const;
+
+export type AuthErrorCode = (typeof AUTH_ERROR_CODES)[keyof typeof AUTH_ERROR_CODES];
+
+export interface AuthUser {
+  sub: string;
+  email: string;
+  roles: string[];
+}
+
+export interface LoginRequest {
+  email: string;
+  password: string;
+}
+
+export interface RefreshRequest {
+  refreshToken: string;
+}
+
+export interface TokenPair {
+  accessToken: string;
+  refreshToken: string;
+  tokenType: 'Bearer';
+  accessTtl: string;
+  refreshTtl: string;
+}
+
+export interface LoginResponse extends TokenPair {
+  user: AuthUser;
+  tokenStore: string;
+}
+
+export interface RefreshResponse extends TokenPair {
+  user: AuthUser;
+  tokenStore: string;
+}

package/templates/module-presets/jwt-auth/packages/auth-contracts/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.esm.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"]
+}