create-nara 1.0.37 → 1.0.40

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-nara",
-  "version": "1.0.37",
+  "version": "1.0.40",
   "description": "CLI to scaffold NARA projects",
   "type": "module",
   "bin": {

package/templates/features/auth/app/controllers/AuthController.ts

@@ -1,11 +1,14 @@
 import { BaseController, jsonSuccess, jsonError } from '@nara-web/core';
 import type { NaraRequest, NaraResponse } from '@nara-web/core';
 import { UserModel } from '../models/User.js';
+import LoginThrottle from '../services/LoginThrottle.js';
+import Logger from '../services/Logger.js';
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
+import { AUTH, ERROR_MESSAGES } from '../config/index.js';
 
 const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
-const JWT_EXPIRES_SECONDS = 7 * 24 * 60 * 60; // 7 days in seconds
+const JWT_EXPIRES_SECONDS = AUTH.JWT_EXPIRY_SECONDS;
 
 // Cookie options for auth token
 const COOKIE_OPTIONS = {
@@ -18,25 +21,86 @@ const COOKIE_OPTIONS = {
 export class AuthController extends BaseController {
   async login(req: NaraRequest, res: NaraResponse) {
     const { email, password } = await req.json();
+    const ip = req.ip || 'unknown';
 
     if (!email || !password) {
-      // Set error cookie and redirect back (Inertia pattern)
-      res.cookie('error', 'Email and password are required', 5000);
+      res.cookie('error', 'Email and password are required', AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/login');
     }
 
+    // Check if locked out due to too many failed attempts
+    if (LoginThrottle.isLockedOut(email, ip)) {
+      const remainingMs = LoginThrottle.getRemainingLockoutTime(email, ip);
+      const remainingMinutes = Math.ceil(remainingMs / 60000);
+
+      Logger.logSecurity('Login blocked - account locked', {
+        email,
+        ip,
+        remainingMinutes,
+      });
+
+      res.cookie('error', `Terlalu banyak percobaan login. Coba lagi dalam ${remainingMinutes} menit.`, AUTH.ERROR_COOKIE_EXPIRY_MS);
+      return res.redirect('/login');
+    }
+
+    Logger.info('Login attempt', {
+      email,
+      ip,
+      userAgent: req.headers['user-agent'],
+    });
+
     // Find user by email
     const user = await UserModel.findByEmail(email);
-    if (!user || !await bcrypt.compare(password, user.password)) {
-      res.cookie('error', 'Invalid credentials', 5000);
+    if (!user) {
+      const throttleResult = LoginThrottle.recordFailedAttempt(email, ip);
+
+      Logger.logSecurity('Login failed - user not found', {
+        email,
+        ip,
+        remainingAttempts: throttleResult.remainingAttempts,
+      });
+
+      const errorMsg = throttleResult.isLocked
+        ? `Terlalu banyak percobaan login. Coba lagi dalam ${Math.ceil(throttleResult.lockoutMs / 60000)} menit.`
+        : ERROR_MESSAGES.INVALID_CREDENTIALS;
+
+      res.cookie('error', errorMsg, AUTH.ERROR_COOKIE_EXPIRY_MS);
+      return res.redirect('/login');
+    }
+
+    const passwordMatch = await bcrypt.compare(password, user.password);
+    if (!passwordMatch) {
+      const throttleResult = LoginThrottle.recordFailedAttempt(email, ip);
+
+      Logger.logSecurity('Login failed - invalid password', {
+        userId: user.id,
+        email: user.email,
+        ip,
+        remainingAttempts: throttleResult.remainingAttempts,
+      });
+
+      const errorMsg = throttleResult.isLocked
+        ? `Terlalu banyak percobaan login. Coba lagi dalam ${Math.ceil(throttleResult.lockoutMs / 60000)} menit.`
+        : ERROR_MESSAGES.INVALID_CREDENTIALS;
+
+      res.cookie('error', errorMsg, AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/login');
     }
 
+    // Successful login - clear attempts
+    LoginThrottle.clearAttempts(email, ip);
+
+    Logger.logAuth('login_success', {
+      userId: user.id,
+      email: user.email,
+      ip,
+    });
+
     // Generate JWT token with user info
     const token = jwt.sign(
       { userId: user.id, email: user.email, name: user.name },
       JWT_SECRET,
-      { expiresIn: JWT_EXPIRES_SECONDS }
+      { expiresIn: AUTH.JWT_EXPIRY_SECONDS }
     );
 
     // Set auth cookie for web routes (maxAge in ms)
@@ -50,42 +114,64 @@ export class AuthController extends BaseController {
     const { name, email, password } = await req.json();
 
     if (!name || !email || !password) {
-      res.cookie('error', 'Name, email and password are required', 5000);
+      res.cookie('error', 'Name, email and password are required', AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/register');
     }
 
+    Logger.info('Registration attempt', {
+      email,
+      name,
+      ip: req.ip,
+    });
+
     // Check if email already exists
     const existing = await UserModel.findByEmail(email);
     if (existing) {
-      res.cookie('error', 'Email already registered', 5000);
+      Logger.logSecurity('Registration failed - duplicate email', {
+        email,
+        ip: req.ip,
+      });
+      res.cookie('error', ERROR_MESSAGES.EMAIL_EXISTS, AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/register');
     }
 
     // Hash password
-    const hashedPassword = await bcrypt.hash(password, 10);
-
-    // Create user in database
-    const [userId] = await UserModel.create({ name, email, password: hashedPassword });
-
-    // Generate JWT token
-    const token = jwt.sign(
-      { userId, email, name },
-      JWT_SECRET,
-      { expiresIn: JWT_EXPIRES_SECONDS }
-    );
-
-    // Set auth cookie for web routes (maxAge in ms)
-    res.cookie('auth_token', token, JWT_EXPIRES_SECONDS * 1000, COOKIE_OPTIONS);
-
-    // Redirect to dashboard
-    return res.redirect('/dashboard');
+    const hashedPassword = await bcrypt.hash(password, AUTH.BCRYPT_SALT_ROUNDS);
+
+    try {
+      // Create user in database
+      const [userId] = await UserModel.create({ name, email, password: hashedPassword });
+
+      Logger.logAuth('registration_success', {
+        userId,
+        email,
+        ip: req.ip,
+      });
+
+      // Generate JWT token
+      const token = jwt.sign(
+        { userId, email, name },
+        JWT_SECRET,
+        { expiresIn: AUTH.JWT_EXPIRY_SECONDS }
+      );
+
+      // Set auth cookie for web routes (maxAge in ms)
+      res.cookie('auth_token', token, JWT_EXPIRES_SECONDS * 1000, COOKIE_OPTIONS);
+
+      // Redirect to dashboard
+      return res.redirect('/dashboard');
+    } catch (error: any) {
+      Logger.error('Registration failed', error);
+      res.cookie('error', ERROR_MESSAGES.INTERNAL_ERROR, AUTH.ERROR_COOKIE_EXPIRY_MS);
+      return res.redirect('/register');
+    }
   }
 
   async me(req: NaraRequest, res: NaraResponse) {
     const user = req.user;
 
     if (!user) {
-      return jsonError(res, 'Unauthorized', 401);
+      return jsonError(res, ERROR_MESSAGES.UNAUTHORIZED, 401);
     }
 
     return jsonSuccess(res, { user });
@@ -95,6 +181,11 @@ export class AuthController extends BaseController {
     // Clear auth cookie (set maxAge to 0)
     res.cookie('auth_token', '', 0, COOKIE_OPTIONS);
 
+    Logger.logAuth('logout', {
+      userId: req.user?.id,
+      ip: req.ip,
+    });
+
     // Redirect to login
     return res.redirect('/login');
   }
@@ -103,14 +194,14 @@ export class AuthController extends BaseController {
     const { email } = await req.json();
 
     if (!email) {
-      res.cookie('error', 'Email is required', 5000);
+      res.cookie('error', 'Email is required', AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/forgot-password');
     }
 
     // TODO: Implement actual password reset email sending
 
     // Set success message and redirect
-    res.cookie('success', 'If an account exists with this email, a reset link has been sent.', 5000);
+    res.cookie('success', 'If an account exists with this email, a reset link has been sent.', AUTH.ERROR_COOKIE_EXPIRY_MS);
     return res.redirect('/login');
   }
 
@@ -118,13 +209,15 @@ export class AuthController extends BaseController {
     const { token, password } = await req.json();
 
     if (!token || !password) {
-      res.cookie('error', 'Reset token and password are required', 5000);
+      res.cookie('error', 'Reset token and password are required', AUTH.ERROR_COOKIE_EXPIRY_MS);
       return res.redirect('/forgot-password');
     }
 
     // TODO: Implement actual password reset
 
-    res.cookie('success', 'Password has been reset successfully.', 5000);
+    res.cookie('success', 'Password has been reset successfully.', AUTH.ERROR_COOKIE_EXPIRY_MS);
     return res.redirect('/login');
   }
 }
+
+export default new AuthController();

package/templates/features/auth/app/controllers/OAuthController.ts

@@ -0,0 +1,148 @@
+/**
+ * OAuthController
+ *
+ * Handles OAuth authentication flows:
+ * - Google OAuth redirect
+ * - Google OAuth callback
+ */
+import { BaseController } from '@nara-web/core';
+import type { NaraRequest, NaraResponse } from '@nara-web/core';
+import { UserModel } from '../models/User.js';
+import { redirectParamsURL } from '../services/GoogleAuth.js';
+import bcrypt from 'bcrypt';
+import jwt from 'jsonwebtoken';
+import { randomUUID } from 'crypto';
+
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+const JWT_EXPIRES_SECONDS = 7 * 24 * 60 * 60; // 7 days in seconds
+
+// Cookie options for auth token
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === 'production',
+  sameSite: 'lax' as const,
+  path: '/',
+};
+
+interface GoogleTokenResponse {
+  access_token: string;
+  expires_in: number;
+  token_type: string;
+  scope: string;
+  refresh_token?: string;
+}
+
+interface GoogleUserInfo {
+  id: string;
+  email: string;
+  verified_email: boolean;
+  name: string;
+  given_name?: string;
+  family_name?: string;
+  picture?: string;
+}
+
+export class OAuthController extends BaseController {
+  /**
+   * Redirect to Google OAuth
+   */
+  async googleRedirect(req: NaraRequest, res: NaraResponse) {
+    const params = redirectParamsURL();
+    const googleLoginUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+    return res.redirect(googleLoginUrl);
+  }
+
+  /**
+   * Handle Google OAuth callback
+   */
+  async googleCallback(req: NaraRequest, res: NaraResponse) {
+    const { code } = req.query;
+
+    if (!code) {
+      res.cookie('error', 'Authorization code not provided', 5000);
+      return res.redirect('/login');
+    }
+
+    try {
+      // Exchange authorization code for access token
+      const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+          client_id: process.env.GOOGLE_CLIENT_ID || '',
+          client_secret: process.env.GOOGLE_CLIENT_SECRET || '',
+          redirect_uri: process.env.GOOGLE_REDIRECT_URI || '',
+          grant_type: 'authorization_code',
+          code: code as string,
+        }),
+      });
+
+      if (!tokenResponse.ok) {
+        res.cookie('error', 'Failed to exchange authorization code', 5000);
+        return res.redirect('/login');
+      }
+
+      const tokenData: GoogleTokenResponse = await tokenResponse.json();
+
+      // Get user info from Google
+      const userResponse = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+        headers: {
+          Authorization: `Bearer ${tokenData.access_token}`,
+        },
+      });
+
+      if (!userResponse.ok) {
+        res.cookie('error', 'Failed to get user info from Google', 5000);
+        return res.redirect('/login');
+      }
+
+      const userData: GoogleUserInfo = await userResponse.json();
+      const email = userData.email.toLowerCase();
+      const name = userData.name;
+
+      // Check if user exists
+      let user = await UserModel.findByEmail(email);
+
+      if (!user) {
+        // Create new user
+        const userId = randomUUID();
+        const hashedPassword = await bcrypt.hash(email + Date.now(), 10);
+
+        await UserModel.create({
+          id: userId,
+          email,
+          password: hashedPassword,
+          name,
+          role: 'user',
+          email_verified_at: userData.verified_email ? new Date().toISOString() : null,
+        });
+
+        user = await UserModel.findById(userId);
+      }
+
+      if (!user) {
+        res.cookie('error', 'Failed to create or find user', 5000);
+        return res.redirect('/login');
+      }
+
+      // Generate JWT token
+      const token = jwt.sign(
+        { userId: user.id, email: user.email, name: user.name },
+        JWT_SECRET,
+        { expiresIn: JWT_EXPIRES_SECONDS }
+      );
+
+      // Set auth cookie
+      res.cookie('auth_token', token, JWT_EXPIRES_SECONDS * 1000, COOKIE_OPTIONS);
+
+      // Redirect to dashboard
+      return res.redirect('/dashboard');
+    } catch (error) {
+      console.error('Google OAuth error:', error);
+      res.cookie('error', 'Authentication failed', 5000);
+      return res.redirect('/login');
+    }
+  }
+}

package/templates/features/auth/app/middlewares/rateLimit.ts

@@ -3,8 +3,30 @@
  *
  * In-memory rate limiting middleware using sliding window algorithm.
  * Tracks requests per key (IP, user, or custom) and returns 429 when limit exceeded.
+ *
+ * Features:
+ * - Configurable max requests and window duration
+ * - Custom key generator (default: IP address)
+ * - Automatic cleanup of expired entries
+ * - Skip function for whitelisting certain requests
+ *
+ * @example
+ * // Basic usage (100 requests per 15 minutes per IP)
+ * Route.use(rateLimit());
+ *
+ * // Custom configuration
+ * Route.use(rateLimit({
+ *   maxRequests: 10,
+ *   windowMs: 60 * 1000, // 1 minute
+ *   keyGenerator: (req) => req.user?.id || req.ip,
+ * }));
+ *
+ * // Per-route rate limiting
+ * Route.post('/api/upload', rateLimit({ maxRequests: 5, windowMs: 60000 }), uploadHandler);
  */
 
+import { RATE_LIMIT } from "../config/index.js";
+import Logger from "../services/Logger.js";
 import type { NaraRequest, NaraResponse, NaraMiddleware } from '@nara-web/core';
 import { jsonError } from '@nara-web/core';
 
@@ -121,14 +143,17 @@ function getResetTime(key: string, windowMs: number): number {
 
 /**
  * Create rate limit middleware
+ *
+ * @param options - Rate limit configuration
+ * @returns Middleware function
  */
 export function rateLimit(options: RateLimitOptions = {}): NaraMiddleware {
   const {
-    maxRequests = 100,
-    windowMs = 15 * 60 * 1000, // 15 minutes
+    maxRequests = RATE_LIMIT.MAX_REQUESTS,
+    windowMs = RATE_LIMIT.WINDOW_MS,
     keyGenerator = (req: NaraRequest) => req.ip || 'unknown',
     skip,
-    message = 'Too many requests, please try again later',
+    message = 'Terlalu banyak permintaan, coba lagi nanti',
     headers = true,
     name = 'default',
   } = options;
@@ -156,13 +181,14 @@ export function rateLimit(options: RateLimitOptions = {}): NaraMiddleware {
 
     // Check if limit exceeded
     if (currentCount >= maxRequests) {
-      console.warn('[RateLimit] Exceeded', {
+      Logger.logSecurity('Rate limit exceeded', {
         key,
         name,
         currentCount,
         maxRequests,
         ip: req.ip,
         path: req.path,
+        method: req.method,
       });
 
       if (headers) {
@@ -181,11 +207,14 @@ export function rateLimit(options: RateLimitOptions = {}): NaraMiddleware {
 
 /**
  * Create a strict rate limiter for sensitive endpoints
+ *
+ * @example
+ * Route.post('/api/login', strictRateLimit(), AuthController.processLogin);
  */
 export function strictRateLimit(options: RateLimitOptions = {}): NaraMiddleware {
   return rateLimit({
-    maxRequests: 10,
-    windowMs: 60 * 1000, // 1 minute
+    maxRequests: RATE_LIMIT.STRICT_MAX_REQUESTS,
+    windowMs: RATE_LIMIT.STRICT_WINDOW_MS,
     name: 'strict',
     ...options,
   });
@@ -193,11 +222,14 @@ export function strictRateLimit(options: RateLimitOptions = {}): NaraMiddleware
 
 /**
  * Create an API rate limiter
+ *
+ * @example
+ * Route.use('/api', apiRateLimit());
  */
 export function apiRateLimit(options: RateLimitOptions = {}): NaraMiddleware {
   return rateLimit({
-    maxRequests: 60,
-    windowMs: 60 * 1000, // 60 requests per minute
+    maxRequests: RATE_LIMIT.API_MAX_REQUESTS,
+    windowMs: RATE_LIMIT.API_WINDOW_MS,
     name: 'api',
     ...options,
   });

package/templates/features/auth/app/services/GoogleAuth.ts

@@ -0,0 +1,33 @@
+/**
+ * Google OAuth Authentication Service
+ * Handles URL parameter generation for Google OAuth authentication flow.
+ */
+
+/**
+ * Generates the URL parameters required for initiating Google OAuth authentication.
+ *
+ * @returns A URL-encoded string containing all necessary OAuth parameters
+ *
+ * Parameters included:
+ * - client_id: Your application's Google Client ID
+ * - redirect_uri: The URL where Google will redirect after authentication
+ * - scope: The permissions requested from the user
+ *   - userinfo.email: Access to user's email
+ *   - userinfo.profile: Access to user's basic profile info
+ * - response_type: Set to 'code' for authorization code flow
+ * - access_type: Set to 'offline' to receive a refresh token
+ * - prompt: Set to 'consent' to always show the consent screen
+ */
+export function redirectParamsURL(): string {
+  return new URLSearchParams({
+    client_id: process.env.GOOGLE_CLIENT_ID || '',
+    redirect_uri: process.env.GOOGLE_REDIRECT_URI || '',
+    scope: [
+      'https://www.googleapis.com/auth/userinfo.email',
+      'https://www.googleapis.com/auth/userinfo.profile',
+    ].join(' '),
+    response_type: 'code',
+    access_type: 'offline',
+    prompt: 'consent',
+  }).toString();
+}