create-nara 1.0.46 → 1.0.47

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-nara",
-  "version": "1.0.46",
+  "version": "1.0.47",
   "description": "CLI to scaffold NARA projects",
   "type": "module",
   "bin": {

package/templates/features/auth/app/controllers/AuthController.ts

@@ -1,16 +1,18 @@
 import { BaseController, jsonSuccess, jsonError } from '@nara-web/core';
 import type { NaraRequest, NaraResponse } from '@nara-web/core';
 import { UserModel } from '../models/User.js';
+import { SessionModel } from '../models/Session.js';
+import Authenticate from '../services/Authenticate.js';
 import LoginThrottle from '../services/LoginThrottle.js';
 import Logger from '../services/Logger.js';
-import bcrypt from 'bcrypt';
-import jwt from 'jsonwebtoken';
+import { randomUUID } from 'crypto';
 import { AUTH, ERROR_MESSAGES } from '../config/index.js';
 
-const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
-const JWT_EXPIRES_SECONDS = AUTH.JWT_EXPIRY_SECONDS;
+// Session cookie configuration
+const SESSION_COOKIE_NAME = 'auth_id';
+const SESSION_EXPIRY_MS = 1000 * 60 * 60 * 24 * 60; // 60 days
 
-// Cookie options for auth token
+// Cookie options for auth session
 const COOKIE_OPTIONS = {
   httpOnly: true,
   secure: process.env.NODE_ENV === 'production',
@@ -68,7 +70,8 @@ export class AuthController extends BaseController {
       return res.redirect('/login');
     }
 
-    const passwordMatch = await bcrypt.compare(password, user.password);
+    // Verify password using PBKDF2
+    const passwordMatch = await Authenticate.compare(password, user.password);
     if (!passwordMatch) {
       const throttleResult = LoginThrottle.recordFailedAttempt(email, ip);
 
@@ -96,17 +99,18 @@ export class AuthController extends BaseController {
       ip,
     });
 
-    // Generate JWT token with user info
-    const token = jwt.sign(
-      { userId: user.id, email: user.email, name: user.name },
-      JWT_SECRET,
-      { expiresIn: AUTH.JWT_EXPIRY_SECONDS }
-    );
+    // Create session in database
+    const sessionId = randomUUID();
+    await SessionModel.create({
+      id: sessionId,
+      user_id: user.id,
+      user_agent: req.headers['user-agent'] || null,
+    });
 
-    // Set auth cookie for web routes (maxAge in ms)
-    res.cookie('auth_token', token, JWT_EXPIRES_SECONDS * 1000, COOKIE_OPTIONS);
+    // Set session cookie
+    res.cookie(SESSION_COOKIE_NAME, sessionId, SESSION_EXPIRY_MS, COOKIE_OPTIONS);
 
-    // Redirect to dashboard (Inertia will handle it)
+    // Redirect to dashboard
     return res.redirect('/dashboard');
   }
 
@@ -135,12 +139,13 @@ export class AuthController extends BaseController {
       return res.redirect('/register');
     }
 
-    // Hash password
-    const hashedPassword = await bcrypt.hash(password, AUTH.BCRYPT_SALT_ROUNDS);
+    // Hash password using PBKDF2
+    const hashedPassword = await Authenticate.hash(password);
 
     try {
-      // Create user in database
-      const [userId] = await UserModel.create({ name, email, password: hashedPassword });
+      // Create user in database with UUID
+      const userId = randomUUID();
+      await UserModel.create({ id: userId, name, email, password: hashedPassword });
 
       Logger.logAuth('registration_success', {
         userId,
@@ -148,15 +153,16 @@ export class AuthController extends BaseController {
         ip: req.ip,
       });
 
-      // Generate JWT token
-      const token = jwt.sign(
-        { userId, email, name },
-        JWT_SECRET,
-        { expiresIn: AUTH.JWT_EXPIRY_SECONDS }
-      );
+      // Create session
+      const sessionId = randomUUID();
+      await SessionModel.create({
+        id: sessionId,
+        user_id: userId,
+        user_agent: req.headers['user-agent'] || null,
+      });
 
-      // Set auth cookie for web routes (maxAge in ms)
-      res.cookie('auth_token', token, JWT_EXPIRES_SECONDS * 1000, COOKIE_OPTIONS);
+      // Set session cookie
+      res.cookie(SESSION_COOKIE_NAME, sessionId, SESSION_EXPIRY_MS, COOKIE_OPTIONS);
 
       // Redirect to dashboard
       return res.redirect('/dashboard');
@@ -178,8 +184,14 @@ export class AuthController extends BaseController {
   }
 
   async logout(req: NaraRequest, res: NaraResponse) {
-    // Clear auth cookie (set maxAge to 0)
-    res.cookie('auth_token', '', 0, COOKIE_OPTIONS);
+    // Delete session from database
+    const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
+    if (sessionId) {
+      await SessionModel.delete(sessionId);
+    }
+
+    // Clear session cookie
+    res.cookie(SESSION_COOKIE_NAME, '', 0, COOKIE_OPTIONS);
 
     Logger.logAuth('logout', {
       userId: req.user?.id,
@@ -198,9 +210,8 @@ export class AuthController extends BaseController {
       return res.redirect('/forgot-password');
     }
 
-    // TODO: Implement actual password reset email sending
+    // TODO: Implement password reset (requires email service)
 
-    // Set success message and redirect
     res.cookie('success', 'If an account exists with this email, a reset link has been sent.', AUTH.ERROR_COOKIE_EXPIRY_MS);
     return res.redirect('/login');
   }
@@ -213,7 +224,7 @@ export class AuthController extends BaseController {
       return res.redirect('/forgot-password');
     }
 
-    // TODO: Implement actual password reset
+    // TODO: Implement password reset (requires email service)
 
     res.cookie('success', 'Password has been reset successfully.', AUTH.ERROR_COOKIE_EXPIRY_MS);
     return res.redirect('/login');

package/templates/features/auth/app/middlewares/auth.ts

@@ -1,80 +1,64 @@
 import type { NaraRequest, NaraResponse } from '@nara-web/core';
-import { UserModel } from '../models/User.js';
-import jwt from 'jsonwebtoken';
+import { SessionModel } from '../models/Session.js';
 
-const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+const SESSION_COOKIE_NAME = 'auth_id';
 
 /**
- * Auth middleware for API routes (Bearer token)
+ * Auth middleware for API routes
+ * Returns 401 JSON if not authenticated
  */
 export function authMiddleware(req: NaraRequest, res: NaraResponse, next: () => void) {
-  const authHeader = req.headers.authorization;
-
-  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+  if (!req.user) {
     res.status(401).json({ success: false, message: 'Unauthorized' });
     return;
   }
-
-  const token = authHeader.substring(7);
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { userId: string; email: string };
-    req.user = { id: decoded.userId, email: decoded.email, name: '' };
-    next();
-  } catch (error) {
-    res.status(401).json({ success: false, message: 'Invalid token' });
-  }
+  next();
 }
 
 /**
- * Auth middleware for web/Inertia routes (cookie-based)
+ * Auth middleware for web/Inertia routes (session-based)
  * Redirects to login if not authenticated
  */
 export async function webAuthMiddleware(req: NaraRequest, res: NaraResponse, next: () => void) {
-  // Check for auth token in cookie
-  const token = req.cookies?.auth_token;
+  const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
   const isApiRoute = req.path.startsWith('/api/');
 
-  if (!token) {
+  if (!sessionId) {
     if (isApiRoute) {
-      // API routes return JSON
       res.status(401).json({ success: false, message: 'Unauthorized. Please log in.' });
     } else if (req.headers['x-inertia']) {
-      // Inertia requests get redirect header
       res.status(409).setHeader('X-Inertia-Location', '/login').send('');
     } else {
-      // Regular requests get redirected
       res.redirect('/login');
     }
     return;
   }
 
   try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { userId: string; email: string; name: string };
+    // Get user from session using optimized JOIN query
+    const user = await SessionModel.getUserBySessionId(sessionId);
 
-    // Fetch fresh user data from database to include avatar and other fields
-    const dbUser = await UserModel.findById(decoded.userId);
-    if (dbUser) {
-      (req as any).user = {
-        id: dbUser.id,
-        email: dbUser.email,
-        name: dbUser.name,
-        phone: dbUser.phone,
-        avatar: dbUser.avatar,
-        role: dbUser.role,
-        is_admin: dbUser.role === 'admin',
-        is_verified: !!dbUser.email_verified_at
-      };
-    } else {
-      req.user = { id: decoded.userId, email: decoded.email, name: decoded.name };
+    if (!user) {
+      // Session not found or invalid, clear cookie
+      res.cookie(SESSION_COOKIE_NAME, '', 0);
+      if (isApiRoute) {
+        res.status(401).json({ success: false, message: 'Session expired. Please log in again.' });
+      } else if (req.headers['x-inertia']) {
+        res.status(409).setHeader('X-Inertia-Location', '/login').send('');
+      } else {
+        res.redirect('/login');
+      }
+      return;
     }
 
+    // Attach user to request
+    (req as any).user = user;
     next();
   } catch (error) {
-    // Clear invalid token
-    res.cookie('auth_token', '', 0);
+    // Clear invalid session
+    res.cookie(SESSION_COOKIE_NAME, '', 0);
     if (isApiRoute) {
-      res.status(401).json({ success: false, message: 'Session expired. Please log in again.' });
+      res.status(401).json({ success: false, message: 'Session error. Please log in again.' });
     } else if (req.headers['x-inertia']) {
       res.status(409).setHeader('X-Inertia-Location', '/login').send('');
     } else {
@@ -87,22 +71,24 @@ export async function webAuthMiddleware(req: NaraRequest, res: NaraResponse, nex
  * Guest middleware - only allow unauthenticated users
  * Redirects to dashboard if already logged in
  */
-export function guestMiddleware(req: NaraRequest, res: NaraResponse, next: () => void) {
-  const token = req.cookies?.auth_token;
+export async function guestMiddleware(req: NaraRequest, res: NaraResponse, next: () => void) {
+  const sessionId = req.cookies?.[SESSION_COOKIE_NAME];
 
-  if (token) {
+  if (sessionId) {
     try {
-      jwt.verify(token, JWT_SECRET);
-      // User is authenticated, redirect to dashboard
-      if (req.headers['x-inertia']) {
-        res.status(409).setHeader('X-Inertia-Location', '/dashboard').send('');
-      } else {
-        res.redirect('/dashboard');
+      const user = await SessionModel.getUserBySessionId(sessionId);
+      if (user) {
+        // User is authenticated, redirect to dashboard
+        if (req.headers['x-inertia']) {
+          res.status(409).setHeader('X-Inertia-Location', '/dashboard').send('');
+        } else {
+          res.redirect('/dashboard');
+        }
+        return;
       }
-      return;
     } catch {
-      // Invalid token, clear it and continue
-      res.cookie('auth_token', '', 0);
+      // Invalid session, clear it and continue
+      res.cookie(SESSION_COOKIE_NAME, '', 0);
     }
   }
 

package/templates/features/auth/app/services/Authenticate.ts

@@ -0,0 +1,89 @@
+/**
+ * Authentication Service
+ * Handles user authentication operations including password hashing, verification,
+ * session management, and login/logout functionality.
+ */
+
+import { SessionModel } from '../models/Session.js';
+import type { NaraRequest, NaraResponse } from '@nara-web/core';
+import { randomUUID, pbkdf2Sync, randomBytes, timingSafeEqual } from 'crypto';
+
+// PBKDF2 configuration
+const ITERATIONS = 100000;
+const KEYLEN = 64;
+const DIGEST = 'sha512';
+const SALT_SIZE = 16;
+
+// Session cookie configuration
+const SESSION_COOKIE_NAME = 'auth_id';
+const SESSION_EXPIRY_MS = 1000 * 60 * 60 * 24 * 60; // 60 days
+
+/**
+ * Secure cookie options
+ */
+const getSecureCookieOptions = () => ({
+  httpOnly: true,
+  secure: process.env.NODE_ENV === 'production',
+  sameSite: 'lax' as const,
+  path: '/',
+});
+
+class Authenticate {
+  /**
+   * Hashes a plain text password using PBKDF2
+   */
+  async hash(password: string) {
+    const salt = randomBytes(SALT_SIZE).toString('hex');
+    const hash = pbkdf2Sync(password, salt, ITERATIONS, KEYLEN, DIGEST).toString('hex');
+    return `${salt}:${hash}`;
+  }
+
+  /**
+   * Compares a plain text password with a hashed password
+   * Uses timing-safe comparison to prevent timing attacks
+   */
+  async compare(password: string, storedHash: string) {
+    const [salt, hash] = storedHash.split(':');
+    if (!salt || !hash) return false;
+
+    const newHash = pbkdf2Sync(password, salt, ITERATIONS, KEYLEN, DIGEST).toString('hex');
+
+    // Use timing-safe comparison to prevent timing attacks
+    const hashBuffer = Buffer.from(hash, 'hex');
+    const newHashBuffer = Buffer.from(newHash, 'hex');
+
+    if (hashBuffer.length !== newHashBuffer.length) return false;
+
+    return timingSafeEqual(hashBuffer, newHashBuffer);
+  }
+
+  /**
+   * Processes user login by creating a new session
+   */
+  async process(user: any, request: NaraRequest, response: NaraResponse) {
+    const token = randomUUID();
+
+    await SessionModel.create({
+      id: token,
+      user_id: user.id,
+      user_agent: request.headers['user-agent'] || null,
+    });
+
+    response
+      .cookie(SESSION_COOKIE_NAME, token, SESSION_EXPIRY_MS, getSecureCookieOptions())
+      .redirect('/dashboard');
+  }
+
+  /**
+   * Handles user logout by removing the session
+   */
+  async logout(request: NaraRequest, response: NaraResponse) {
+    await SessionModel.delete(request.cookies[SESSION_COOKIE_NAME]);
+
+    response
+      .cookie(SESSION_COOKIE_NAME, '', 0, getSecureCookieOptions())
+      .redirect('/login');
+  }
+}
+
+export default new Authenticate();

package/templates/features/db/app/models/Session.ts

@@ -0,0 +1,61 @@
+/**
+ * Session Model
+ * 
+ * Handles session-related database operations.
+ */
+import { db } from '../config/database.js';
+
+export interface Session {
+  id: string;
+  user_id: string;
+  user_agent: string | null;
+}
+
+export class SessionModel {
+  static tableName = 'sessions';
+
+  static async findById(id: string): Promise<Session | undefined> {
+    return db(this.tableName).where({ id }).first();
+  }
+
+  static async findByUserId(userId: string): Promise<Session[]> {
+    return db(this.tableName).where({ user_id: userId });
+  }
+
+  static async create(data: Partial<Session>): Promise<number[]> {
+    return db(this.tableName).insert(data);
+  }
+
+  static async delete(id: string): Promise<number> {
+    return db(this.tableName).where({ id }).delete();
+  }
+
+  static async deleteByUserId(userId: string): Promise<number> {
+    return db(this.tableName).where({ user_id: userId }).delete();
+  }
+
+  /**
+   * Get user by session ID (optimized JOIN query)
+   */
+  static async getUserBySessionId(sessionId: string): Promise<{
+    id: string;
+    name: string | null;
+    email: string;
+    phone: string | null;
+    avatar: string | null;
+    is_admin: boolean;
+  } | undefined> {
+    return db('sessions')
+      .join('users', 'sessions.user_id', 'users.id')
+      .where('sessions.id', sessionId)
+      .select([
+        'users.id',
+        'users.name',
+        'users.email',
+        'users.phone',
+        'users.avatar',
+        db.raw("CASE WHEN users.role = 'admin' THEN 1 ELSE 0 END as is_admin")
+      ])
+      .first();
+  }
+}

package/templates/features/db/app/models/User.ts

@@ -8,7 +8,6 @@ export interface User {
   phone?: string;
   avatar?: string;
   role: string;
-  email_verified_at: string | null;
   created_at: string;
   updated_at: string;
 }

package/templates/features/db/migrations/20230514062913_sessions.ts

@@ -0,0 +1,13 @@
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable('sessions', (table) => {
+    table.string('id').primary();
+    table.string('user_id').index();
+    table.text('user_agent');
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists('sessions');
+}

package/templates/features/db/migrations/20240101000001_create_users.ts

@@ -9,7 +9,6 @@ export async function up(knex: Knex): Promise<void> {
     table.string('phone').nullable();
     table.string('avatar').nullable();
     table.string('role').defaultTo('user');
-    table.datetime('email_verified_at').nullable();
     table.datetime('created_at').defaultTo(knex.fn.now());
     table.datetime('updated_at').defaultTo(knex.fn.now());
   });

package/templates/features/db/app/models/EmailVerificationToken.ts

@@ -1,77 +0,0 @@
-/**
- * EmailVerificationToken Model
- *
- * Handles email verification token database operations.
- */
-import { db } from '../config/database.js';
-
-/**
- * EmailVerificationToken record interface
- */
-export interface EmailVerificationTokenRecord {
-  id: number;
-  user_id: string;
-  token: string;
-  created_at: number;
-  expires_at: number;
-}
-
-/**
- * Data for creating a new email verification token
- */
-export interface CreateEmailVerificationTokenData {
-  user_id: string;
-  token: string;
-  expires_at: number;
-}
-
-class EmailVerificationTokenModel {
-  private tableName = 'email_verification_tokens';
-
-  /**
-   * Find valid token for user (not expired)
-   */
-  async findValidToken(userId: string, token: string): Promise<EmailVerificationTokenRecord | undefined> {
-    return db(this.tableName)
-      .where('user_id', userId)
-      .where('token', token)
-      .where('expires_at', '>', Date.now())
-      .first();
-  }
-
-  /**
-   * Find by user ID
-   */
-  async findByUserId(userId: string): Promise<EmailVerificationTokenRecord | undefined> {
-    return db(this.tableName).where('user_id', userId).first();
-  }
-
-  /**
-   * Create a new email verification token
-   */
-  async createToken(data: CreateEmailVerificationTokenData): Promise<void> {
-    await db(this.tableName).insert({
-      user_id: data.user_id,
-      token: data.token,
-      expires_at: data.expires_at,
-      created_at: Date.now(),
-    });
-  }
-
-  /**
-   * Delete all tokens for a user
-   */
-  async deleteByUserId(userId: string): Promise<number> {
-    return db(this.tableName).where('user_id', userId).delete();
-  }
-
-  /**
-   * Delete expired tokens
-   */
-  async deleteExpired(): Promise<number> {
-    return db(this.tableName).where('expires_at', '<', Date.now()).delete();
-  }
-}
-
-export const EmailVerificationToken = new EmailVerificationTokenModel();
-export default EmailVerificationToken;

package/templates/features/db/migrations/20240101000003_create_email_verification_tokens.ts

@@ -1,18 +0,0 @@
-import type { Knex } from 'knex';
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.createTable('email_verification_tokens', (table) => {
-    table.increments('id').primary();
-    table.uuid('user_id').notNullable().index();
-    table.string('token').notNullable().unique();
-    table.bigInteger('created_at').notNullable();
-    table.bigInteger('expires_at').notNullable().index();
-
-    // Foreign key to users table
-    table.foreign('user_id').references('id').inTable('users').onDelete('CASCADE');
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists('email_verification_tokens');
-}