create-lyrajs 1.0.15 → 1.0.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-lyrajs",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "description": "CLI tool to create new LyraJS projects",
   "keywords": [
     "create",

package/template/package.json

@@ -7,7 +7,7 @@
     "maestro": "maestro"
   },
   "dependencies": {
-    "@lyra-js/core": "^1.0.13",
+    "@lyra-js/core": "^1.0.15",
     "bcrypt": "^6.0.0",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
@@ -15,6 +15,7 @@
     "express": "^5.1.0",
     "express-rate-limit": "^8.2.1",
     "jsonwebtoken": "^9.0.2",
+    "md5": "^2.3.0",
     "mysql2": "^3.14.1",
     "nodemailer": "^7.0.7",
     "reflect-metadata": "^0.2.2",
@@ -24,7 +25,6 @@
     "@types/bcrypt": "^5.0.2",
     "@types/cookie-parser": "^1.4.8",
     "@types/cors": "^2.8.18",
-    "@types/dotenv": "^8.2.3",
     "@types/express": "^5.0.1",
     "@types/jsonwebtoken": "^9.0.9",
     "@types/node": "^22.15.17",

package/template/src/controller/AuthController.ts

@@ -1,9 +1,10 @@
+import { AccessControl, ProtectedRouteType, SecurityConfig } from "@lyra-js/core"
+import { AuthenticatedRequest, UnauthorizedException, Validator } from "@lyra-js/core"
 import bcrypt from "bcrypt"
 import { NextFunction, Request, Response } from "express"
 import jwt from "jsonwebtoken"
+import md5 from "md5"
 
-import { SecurityConfig } from "@lyra-js/core"
-import { AuthenticatedRequest, UnauthorizedException, Validator } from "@lyra-js/core"
 import { User } from "@entity/User"
 import { userRepository } from "@repository/UserRepository"
 
@@ -44,7 +45,7 @@ export class AuthController {
       user.lastname = lastname
       user.email = email
       user.password = hashedPassword
-      user.role = 'ROLE_USER'
+      user.role = "ROLE_USER"
 
       await userRepository.save(user)
 
@@ -77,11 +78,13 @@ export class AuthController {
         expiresIn: securityConfig.jwt.token_expiration
       })
 
-      user.refresh_token = jwt.sign({ id: user.id }, securityConfig.jwt.secret_key_refresh as string, {
+      const refreshToken = jwt.sign({ id: user.id }, securityConfig.jwt.secret_key_refresh as string, {
         algorithm: securityConfig.jwt.algorithm as string,
         expiresIn: securityConfig.jwt.refresh_token_expiration
       })
 
+      user.refresh_token = md5(refreshToken)
+
       await userRepository.save(user)
 
       res.cookie("Token", token, {
@@ -92,9 +95,18 @@ export class AuthController {
         partitioned: false
       })
 
+      res.cookie("RefreshToken", refreshToken, {
+        sameSite: "Lax",
+        httpOnly: true,
+        secure: process.env.ENV === "production",
+        maxAge: 1000 * 60 * 60 * 24,
+        partitioned: false
+      })
+
       delete user.password
+      delete user.refresh_token
 
-      res.status(200).json({ message: "User authenticated in successfully", user, token })
+      res.status(200).json({ message: "User authenticated in successfully", user, token, refreshToken })
     } catch (error) {
       next(error)
     }
@@ -119,6 +131,72 @@ export class AuthController {
 
   static signOut = async (_req: Request, res: Response) => {
     res.clearCookie("Token")
+    res.clearCookie("RefreshToken")
     res.status(200).json({ message: "Unauthenticated successfully" })
   }
+
+  static updateProfile = async (req: AuthenticatedRequest<Request>, res: Response, next: NextFunction) => {
+    try {
+      const { data }: { data: User } = req.body
+      const user = req.user as User
+      if (!user) throw new UnauthorizedException()
+      if (data?.id && data.id !== user.id) throw new UnauthorizedException()
+      if (data.role) delete data.role
+      if (data.created_at) delete data.created_at
+      if (data.refresh_token) delete data.refresh_token
+      data.updated_at = new Date()
+      if (user && data.password) data.password = await bcrypt.hash(data.password, 10)
+      if (user) await userRepository.save(data)
+      res.status(200).json({ message: "Users updated successfully" })
+    } catch (error) {
+      next(error)
+    }
+  }
+
+  static refreshToken = async (req: Request, res: Response, next: NextFunction) => {
+    try {
+      const securityConfig = new SecurityConfig().getConfig()
+      const refreshToken = req.cookies.RefreshToken
+      const decoded = await AccessControl.decodeToken(refreshToken)
+
+      if (!decoded || !decoded.id) throw new UnauthorizedException("Invalid refresh token")
+
+      const user = await userRepository.find(decoded.id)
+
+      if (!user || md5(refreshToken) !== user.refresh_token) throw new UnauthorizedException("Invalid refresh token")
+
+      AccessControl.checkRefreshTokenValid(refreshToken)
+
+      const newToken = await AccessControl.getNewToken(user)
+
+      await userRepository.save({ ...user })
+
+      res.cookie("Token", newToken, {
+        sameSite: "lax",
+        httpOnly: true,
+        secure: process.env.ENV === "production",
+        maxAge: securityConfig.jwt.token_expiration
+      })
+
+      delete user.password
+      delete user.refresh_token
+
+      res.status(200).json({ message: "User authenticated in successfully", user, refreshToken })
+    } catch (_refreshError) {
+      return res.redirect(securityConfig.auth_routes.sign_out)
+    }
+  }
+
+  static removeUser = async (req: AuthenticatedRequest<Request>, res: Response, next: NextFunction) => {
+    const user = req.user
+
+    if (!user) throw new UnauthorizedException()
+
+    await userRepository.delete(user.id)
+
+    res.clearCookie("Token")
+    res.clearCookie("RefreshToken")
+
+    res.status(200).json({ message: "User deleted successfully" })
+  }
 }

package/template/src/controller/UserController.ts

@@ -2,11 +2,12 @@ import { NextFunction, Request, Response } from "express"
 import { Validator, ValidationException } from "@lyra-js/core"
 import { User } from "@entity/User"
 import { userRepository } from "@repository/UserRepository"
+import bcrypt from "bcrypt";
 
 export class UserController {
   static list = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
     try {
-      const users = await userRepository.findAll().map( (user: User) => {
+      const users = (await userRepository.findAll()).map( (user: User) => {
           delete user.password
           return user
       } )
@@ -55,7 +56,25 @@ export class UserController {
         new ValidationException("Password is to weak. I must be 10 characters long, including at least 1 lowercase, 1 uppercase, 1 number and 1 special character.")
       }
 
-      data.role = "ROLE_USER";
+      const isEmailUsed = await userRepository.findOneBy({ data.email })
+
+      if (isEmailUsed) {
+        throw new Error("Email already in use")
+      }
+
+      if (!Validator.isPasswordValid(data.password)) {
+        throw new Error("Invalid password")
+      }
+
+      const user = new User()
+      const hashedPassword = await bcrypt.hash(data.password, 10)
+
+      user.username = data.username
+      user.firstname = data.firstname
+      user.lastname = data.lastname
+      user.email = data.email
+      user.password = hashedPassword
+      user.role = 'ROLE_USER'
 
       await userRepository.save(data)
       res.status(201).json({ message: "User created successfully" })
@@ -69,6 +88,8 @@ export class UserController {
       const { data }: {data: User} = req.body
       const user = await userRepository.find(data.id)
       if (!user) res.status(404).json({ message: "User not found" })
+      if (user && data.password) data.password = await bcrypt.hash(data.password, 10);
+      user.updated_at = new Date()
       if (user) await userRepository.save(data)
       res.status(200).json({ message: "Users updated successfully" })
     } catch (error) {

package/template/src/router/routes/authRoutes.ts

@@ -8,3 +8,6 @@ authRoutes.post("/sign-up", AuthController.signUp)
 authRoutes.post("/sign-in", rateLimiter, AuthController.signIn)
 authRoutes.get("/user", AuthController.getAuthenticatedUser)
 authRoutes.get("/sign-out", AuthController.signOut)
+authRoutes.get("/refresh-token", AuthController.refreshToken)
+authRoutes.post("/update-account", AuthController.updateProfile)
+authRoutes.delete("/delete-account", AuthController.removeUser)

package/template/src/router/routes/userRoutes.ts

@@ -1,10 +1,11 @@
 import { UserController } from "@controller/UserController"
 import { Router } from "express"
+import { isAdmin } from "@lyrajs/core"
 
 export const userRoutes = Router()
 
-userRoutes.get("/all", UserController.list)
-userRoutes.get("/:id", UserController.read)
-userRoutes.put("/", UserController.create)
-userRoutes.patch("/:id", UserController.update)
-userRoutes.delete("/:id", UserController.delete)
+userRoutes.get("/all", isAdmin, UserController.list)
+userRoutes.get("/:id", isAdmin, UserController.read)
+userRoutes.post("/", isAdmin, UserController.create)
+userRoutes.patch("/:id", isAdmin, UserController.update)
+userRoutes.delete("/:id", isAdmin, UserController.delete)

package/template/src/server.ts

@@ -15,14 +15,13 @@ const securityConfig = new SecurityConfig().getConfig()
 const port = process.env.PORT
 const app = express()
 
-app.set("trust proxy", true)
+app.set("trust proxy", false)
 app.use(cookieParser())
 app.use(express.json({ limit: securityConfig.limits.request_max_size || "10mb" }))
 app.use(express.urlencoded({ limit: securityConfig.limits.request_max_size || "10mb", extended: true }))
 app.use(
   cors({
     origin: `${process.env.CLIENT_APP_URL}`,
-    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"],
     credentials: true
   })
 )