create-stackr 0.2.0

package/templates/base/backend/domain/user/repository.prisma.ts

@@ -0,0 +1,115 @@
+import { db } from "../../utils/db";
+import { ErrorFactory } from "../../utils/errors";
+
+/**
+ * User Repository
+ *
+ * Note: User creation and authentication is handled by BetterAuth.
+ * This repository provides helper functions for user lookups and profile updates.
+ */
+
+export const getUser = async (id: string) => {
+  try {
+    const user = await db.user.findUnique({
+      where: { id },
+      select: {
+        id: true,
+        email: true,
+        emailVerified: true,
+        name: true,
+        image: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+    return user;
+  } catch (error) {
+    throw ErrorFactory.databaseError({
+      operation: 'getUser',
+      userId: id,
+      originalError: error instanceof Error ? error.message : String(error)
+    });
+  }
+};
+
+export const getUserByEmail = async (email: string) => {
+  try {
+    const user = await db.user.findUnique({
+      where: { email },
+      select: {
+        id: true,
+        email: true,
+        emailVerified: true,
+        name: true,
+        image: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+    return user;
+  } catch (error) {
+    throw ErrorFactory.databaseError({
+      operation: 'getUserByEmail',
+      email,
+      originalError: error instanceof Error ? error.message : String(error)
+    });
+  }
+};
+
+export const isUserExistByEmail = async (email: string): Promise<boolean> => {
+  try {
+    const userCount = await db.user.count({
+      where: { email },
+    });
+    return userCount > 0;
+  } catch (error) {
+    throw ErrorFactory.databaseError({
+      operation: 'isUserExistByEmail',
+      email,
+      originalError: error instanceof Error ? error.message : String(error)
+    });
+  }
+};
+
+export const updateUserProfile = async (
+  userId: string,
+  data: { name?: string }
+) => {
+  try {
+    const user = await db.user.update({
+      where: { id: userId },
+      data,
+      select: {
+        id: true,
+        email: true,
+        emailVerified: true,
+        name: true,
+        image: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+    return user;
+  } catch (error) {
+    throw ErrorFactory.databaseError({
+      operation: 'updateUserProfile',
+      userId,
+      updateData: data,
+      originalError: error instanceof Error ? error.message : String(error)
+    });
+  }
+};
+
+export const deleteUser = async (userId: string): Promise<void> => {
+  try {
+    await db.user.delete({
+      where: { id: userId },
+    });
+  } catch (error) {
+    throw ErrorFactory.databaseError({
+      operation: 'deleteUser',
+      userId,
+      originalError: error instanceof Error ? error.message : String(error)
+    });
+  }
+};

package/templates/base/backend/domain/user/schema.ts

@@ -0,0 +1,14 @@
+import { Static, Type } from "@sinclair/typebox";
+
+// User schema matching BetterAuth's user model
+export const UserSchema = Type.Object({
+  id: Type.String(),
+  email: Type.String(),
+  emailVerified: Type.Boolean(),
+  name: Type.Union([Type.String(), Type.Null()]),
+  image: Type.Union([Type.String(), Type.Null()]),
+  createdAt: Type.String({ format: 'date-time' }),
+  updatedAt: Type.String({ format: 'date-time' }),
+});
+
+export type User = Static<typeof UserSchema>;

package/templates/base/backend/drizzle/schema.drizzle.ts

@@ -0,0 +1,111 @@
+/**
+ * Drizzle ORM Schema for BetterAuth + Application
+ *
+ * IMPORTANT: The user, session, account, and verification tables MUST match
+ * BetterAuth's expected schema structure. Do not modify column names or types
+ * in these tables without verifying compatibility with BetterAuth.
+ *
+ * @see https://www.better-auth.com/docs/adapters/drizzle
+ * @see https://www.better-auth.com/docs/concepts/database
+ */
+
+import { pgTable, text, boolean, timestamp, varchar, uniqueIndex } from 'drizzle-orm/pg-core';
+import { relations } from 'drizzle-orm';
+
+// ==================== BetterAuth Tables ====================
+// WARNING: These tables are managed by BetterAuth. Modify with caution.
+
+// BetterAuth User model
+export const user = pgTable('user', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  email: varchar('email', { length: 255 }).notNull().unique(),
+  emailVerified: boolean('email_verified').default(false).notNull(),
+  name: text('name'),
+  image: text('image'),
+  createdAt: timestamp('created_at', { mode: 'date' }).defaultNow().notNull(),
+  updatedAt: timestamp('updated_at', { mode: 'date' }).defaultNow().notNull().$onUpdate(() => new Date()),
+});
+
+// BetterAuth Session model
+export const session = pgTable('session', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  userId: text('user_id').notNull().references(() => user.id, { onDelete: 'cascade' }),
+  token: text('token').notNull().unique(),
+  expiresAt: timestamp('expires_at', { mode: 'date' }).notNull(),
+  ipAddress: text('ip_address'),
+  userAgent: text('user_agent'),
+  createdAt: timestamp('created_at', { mode: 'date' }).defaultNow().notNull(),
+  updatedAt: timestamp('updated_at', { mode: 'date' }).defaultNow().notNull().$onUpdate(() => new Date()),
+});
+
+// BetterAuth Account model (OAuth connections)
+export const account = pgTable('account', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  userId: text('user_id').notNull().references(() => user.id, { onDelete: 'cascade' }),
+  accountId: text('account_id').notNull(),
+  providerId: text('provider_id').notNull(),
+  accessToken: text('access_token'),
+  refreshToken: text('refresh_token'),
+  accessTokenExpiresAt: timestamp('access_token_expires_at', { mode: 'date' }),
+  refreshTokenExpiresAt: timestamp('refresh_token_expires_at', { mode: 'date' }),
+  scope: text('scope'),
+  idToken: text('id_token'),
+  password: text('password'),
+  createdAt: timestamp('created_at', { mode: 'date' }).defaultNow().notNull(),
+  updatedAt: timestamp('updated_at', { mode: 'date' }).defaultNow().notNull().$onUpdate(() => new Date()),
+}, (table) => ({
+  providerAccountIdx: uniqueIndex('provider_account_idx').on(table.providerId, table.accountId),
+}));
+
+// BetterAuth Verification model
+export const verification = pgTable('verification', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  identifier: text('identifier').notNull(),
+  value: text('value').notNull(),
+  expiresAt: timestamp('expires_at', { mode: 'date' }).notNull(),
+  createdAt: timestamp('created_at', { mode: 'date' }).defaultNow().notNull(),
+  updatedAt: timestamp('updated_at', { mode: 'date' }).defaultNow().notNull().$onUpdate(() => new Date()),
+});
+
+// ==================== App-Specific Tables ====================
+
+// Device Session model (anonymous sessions before authentication)
+export const deviceSession = pgTable('device_session', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  deviceId: text('device_id').notNull(),
+  sessionToken: text('session_token').notNull().unique().$defaultFn(() => crypto.randomUUID()),
+  createdAt: timestamp('created_at', { mode: 'date' }).defaultNow().notNull(),
+  lastActiveAt: timestamp('last_active_at', { mode: 'date' }).defaultNow().notNull(),
+  migrated: boolean('migrated').default(false).notNull(),
+  migratedToUserId: text('migrated_to_user_id').references(() => user.id, { onDelete: 'set null' }),
+  preferredCurrency: varchar('preferred_currency', { length: 3 }).default('USD').notNull(),
+});
+
+// ==================== Relations ====================
+
+export const userRelations = relations(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+  deviceSessions: many(deviceSession),
+}));
+
+export const sessionRelations = relations(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
+}));
+
+export const accountRelations = relations(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
+}));
+
+export const deviceSessionRelations = relations(deviceSession, ({ one }) => ({
+  migratedToUser: one(user, {
+    fields: [deviceSession.migratedToUserId],
+    references: [user.id],
+  }),
+}));

package/templates/base/backend/drizzle.config.drizzle.ts

@@ -0,0 +1,13 @@
+import 'dotenv/config';
+import { defineConfig } from 'drizzle-kit';
+
+export default defineConfig({
+  out: './drizzle/migrations',
+  schema: './drizzle/schema.ts',
+  dialect: 'postgresql',
+  dbCredentials: {
+    url: process.env.DATABASE_URL!,
+  },
+  verbose: true,
+  strict: true,
+});

package/templates/base/backend/lib/auth.drizzle.ts.ejs

@@ -0,0 +1,104 @@
+import { betterAuth } from "better-auth";
+import { drizzleAdapter } from "better-auth/adapters/drizzle";
+import { expo } from "@better-auth/expo";
+<% if (features.authentication.twoFactor) { %>
+import { twoFactor } from "better-auth/plugins";
+<% } %>
+import { db } from "../utils/db";
+import * as schema from "../drizzle/schema";
+<% if (features.authentication.emailVerification || features.authentication.passwordReset) { %>
+import { sendEmail } from "../utils/email";
+<% } %>
+
+export const auth = betterAuth({
+  database: drizzleAdapter(db, {
+    provider: "pg",
+    schema: {
+      user: schema.user,
+      session: schema.session,
+      account: schema.account,
+      verification: schema.verification,
+    },
+  }),
+  basePath: "/api/auth", // BetterAuth endpoints will be at /api/auth/*
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: <%= features.authentication.emailVerification %>,
+<% if (features.authentication.passwordReset) { %>
+    sendResetPassword: async ({ user, url }) => {
+      await sendEmail({
+        to: user.email,
+        subject: "Reset your password",
+        html: `
+          <h1>Reset your password</h1>
+          <p>Click the link below to reset your password:</p>
+          <a href="${url}">Reset Password</a>
+          <p>If you didn't request this, you can safely ignore this email.</p>
+        `,
+      });
+    },
+<% } %>
+  },
+<% if (features.authentication.emailVerification) { %>
+  emailVerification: {
+    sendVerificationEmail: async ({ user, url }) => {
+      await sendEmail({
+        to: user.email,
+        subject: "Verify your email address",
+        html: `
+          <h1>Verify your email</h1>
+          <p>Click the link below to verify your email address:</p>
+          <a href="${url}">Verify Email</a>
+        `,
+      });
+    },
+  },
+<% } %>
+<% if (features.authentication.providers.google || features.authentication.providers.apple || features.authentication.providers.github) { %>
+  socialProviders: {
+<% if (features.authentication.providers.google) { %>
+    google: {
+      clientId: process.env.GOOGLE_WEB_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    },
+<% } %>
+<% if (features.authentication.providers.apple) { %>
+    apple: {
+      clientId: process.env.APPLE_SERVICE_ID!,
+      clientSecret: process.env.APPLE_CLIENT_SECRET!,
+      appBundleIdentifier: process.env.APPLE_BUNDLE_ID!,
+    },
+<% } %>
+<% if (features.authentication.providers.github) { %>
+    github: {
+      clientId: process.env.GITHUB_CLIENT_ID!,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+    },
+<% } %>
+  },
+<% } %>
+  plugins: [
+    expo(), // Required for React Native/Expo OAuth deep link handling
+<% if (features.authentication.twoFactor) { %>
+    twoFactor(),
+<% } %>
+  ],
+  session: {
+    expiresIn: 60 * 60 * 24 * 7, // 7 days
+    updateAge: 60 * 60 * 24, // 1 day
+  },
+  trustedOrigins: [
+    // Web origins (includes development and production URLs)
+    ...(process.env.TRUSTED_ORIGINS?.split(",").map(o => o.trim()) || ["http://localhost:3000"]),
+    // Mobile deep link scheme (required for OAuth callbacks)
+    "<%= appScheme %>://",
+    // Expo development URLs (development only)
+    ...(process.env.NODE_ENV === "development" ? ["exp://*/*", "exp://192.168.*.*:*/*"] : []),
+<% if (features.authentication.providers.apple) { %>
+    // Apple Sign In origin (required for native iOS sign-in)
+    "https://appleid.apple.com",
+<% } %>
+  ],
+});
+
+export type Session = typeof auth.$Infer.Session;

package/templates/base/backend/lib/auth.prisma.ts.ejs

@@ -0,0 +1,97 @@
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import { expo } from "@better-auth/expo";
+<% if (features.authentication.twoFactor) { %>
+import { twoFactor } from "better-auth/plugins";
+<% } %>
+import { db } from "../utils/db";
+<% if (features.authentication.emailVerification || features.authentication.passwordReset) { %>
+import { sendEmail } from "../utils/email";
+<% } %>
+
+export const auth = betterAuth({
+  database: prismaAdapter(db, {
+    provider: "postgresql",
+  }),
+  basePath: "/api/auth", // BetterAuth endpoints will be at /api/auth/*
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: <%= features.authentication.emailVerification %>,
+<% if (features.authentication.passwordReset) { %>
+    sendResetPassword: async ({ user, url }) => {
+      await sendEmail({
+        to: user.email,
+        subject: "Reset your password",
+        html: `
+          <h1>Reset your password</h1>
+          <p>Click the link below to reset your password:</p>
+          <a href="${url}">Reset Password</a>
+          <p>If you didn't request this, you can safely ignore this email.</p>
+        `,
+      });
+    },
+<% } %>
+  },
+<% if (features.authentication.emailVerification) { %>
+  emailVerification: {
+    sendVerificationEmail: async ({ user, url }) => {
+      await sendEmail({
+        to: user.email,
+        subject: "Verify your email address",
+        html: `
+          <h1>Verify your email</h1>
+          <p>Click the link below to verify your email address:</p>
+          <a href="${url}">Verify Email</a>
+        `,
+      });
+    },
+  },
+<% } %>
+<% if (features.authentication.providers.google || features.authentication.providers.apple || features.authentication.providers.github) { %>
+  socialProviders: {
+<% if (features.authentication.providers.google) { %>
+    google: {
+      clientId: process.env.GOOGLE_WEB_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    },
+<% } %>
+<% if (features.authentication.providers.apple) { %>
+    apple: {
+      clientId: process.env.APPLE_SERVICE_ID!,
+      clientSecret: process.env.APPLE_CLIENT_SECRET!,
+      appBundleIdentifier: process.env.APPLE_BUNDLE_ID!,
+    },
+<% } %>
+<% if (features.authentication.providers.github) { %>
+    github: {
+      clientId: process.env.GITHUB_CLIENT_ID!,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+    },
+<% } %>
+  },
+<% } %>
+  plugins: [
+    expo(), // Required for React Native/Expo OAuth deep link handling
+<% if (features.authentication.twoFactor) { %>
+    twoFactor(),
+<% } %>
+  ],
+  session: {
+    expiresIn: 60 * 60 * 24 * 7, // 7 days
+    updateAge: 60 * 60 * 24, // 1 day
+  },
+  trustedOrigins: [
+    // Web origins (includes development and production URLs)
+    ...(process.env.TRUSTED_ORIGINS?.split(",").map(o => o.trim()) || ["http://localhost:3000"]),
+    // Mobile deep link scheme (required for OAuth callbacks)
+    "<%= appScheme %>://",
+    // Expo development URLs (development only)
+    ...(process.env.NODE_ENV === "development" ? ["exp://*/*", "exp://192.168.*.*:*/*"] : []),
+<% if (features.authentication.providers.apple) { %>
+    // Apple Sign In origin (required for native iOS sign-in)
+    "https://appleid.apple.com",
+<% } %>
+  ],
+});
+
+export type Session = typeof auth.$Infer.Session;

package/templates/base/backend/lib/constants.ts.ejs

@@ -0,0 +1,29 @@
+/**
+ * Shared constants for authentication
+ * Centralized to avoid magic strings scattered across the codebase
+ */
+
+// Better Auth cookie name pattern
+export const BETTER_AUTH_COOKIE_NAME = 'better-auth.session_token';
+
+// Web-specific cookie names
+export const SESSION_COOKIE_NAME = 'session_token';
+export const DEVICE_SESSION_COOKIE_NAME = 'device_session_token';
+
+// OAuth-related cookie names (used in PKCE flow)
+export const OAUTH_PKCE_VERIFIER_COOKIE = 'oauth_pkce_verifier';
+export const OAUTH_STATE_COOKIE = 'oauth_state';
+
+// Redis key prefixes
+export const REDIS_KEYS = {
+  OAUTH_WEB_STATE: 'oauth:web:', // oauth:web:{state}
+  OAUTH_EXCHANGE: 'oauth:exchange:', // oauth:exchange:{token}
+} as const;
+
+// TTLs in seconds
+export const TTL = {
+  OAUTH_STATE: 600, // 10 minutes
+  EXCHANGE_TOKEN: 60, // 1 minute (very short!)
+  SESSION: 60 * 60 * 24 * 7, // 7 days
+  DEVICE_SESSION: 60 * 60 * 24 * 30, // 30 days
+} as const;

package/templates/base/backend/package.json.ejs

@@ -0,0 +1,50 @@
+{
+  "name": "<%= projectName %>-backend",
+  "version": "1.0.0",
+  "description": "Backend API for <%= projectName %>",
+  "type": "module",
+  "main": "controllers/rest-api/index.ts",
+  "scripts": {
+    "dev:rest-api": "bun --watch ./controllers/rest-api/index.ts | pino-pretty --colorize",<% if (backend.eventQueue) { %>
+    "dev:event-queue": "bun --watch ./controllers/event-queue/index.ts | pino-pretty --colorize",<% } %>
+    "build": "bun run tsc",
+    "start:rest-api": "bun run dist/controllers/rest-api/index.js",<% if (backend.eventQueue) { %>
+    "start:event-queue": "bun run dist/controllers/event-queue/index.js",<% } %><% if (backend.orm === 'prisma') { %>
+    "db:generate": "prisma generate",
+    "db:push": "prisma db push",
+    "db:migrate": "prisma migrate dev",
+    "db:studio": "prisma studio",
+    "postinstall": "prisma generate"<% } %><% if (backend.orm === 'drizzle') { %>
+    "db:generate": "drizzle-kit generate",
+    "db:push": "drizzle-kit push",
+    "db:migrate": "drizzle-kit migrate",
+    "db:studio": "drizzle-kit studio"<% } %>
+  },
+  "dependencies": {
+    "@fastify/cors": "^11.0.1",<% if (backend.orm === 'prisma') { %>
+    "@prisma/adapter-pg": "^7.0.0",
+    "@prisma/client": "^7.0.0",<% } %><% if (backend.orm === 'drizzle') { %>
+    "drizzle-orm": "^0.44.0",
+    "pg": "^8.13.0",<% } %>
+    "@sinclair/typebox": "^0.34.33",
+    "ajv": "^8.17.1",
+    "better-auth": "^1.4.5",
+    "@better-auth/expo": "^1.4.5",
+    "dotenv": "^16.5.0",
+    "fastify": "^5.3.3",
+    "fastify-plugin": "^5.0.1",
+    "ioredis": "^5.4.1",
+    "pino-pretty": "^13.0.0"<% if (backend.eventQueue) { %>,
+    "bullmq": "^5.40.3"<% } %><% if (features.authentication.emailVerification || features.authentication.passwordReset) { %>,
+    "nodemailer": "^6.9.0"<% } %>
+  },
+  "devDependencies": {
+    "@types/node": "^24.0.0",<% if (backend.orm === 'prisma') { %>
+    "prisma": "^7.0.0",<% } %><% if (backend.orm === 'drizzle') { %>
+    "drizzle-kit": "^0.30.0",
+    "@types/pg": "^8.11.0",<% } %>
+    "tsx": "^4.20.1",
+    "typescript": "^5.8.3"<% if (features.authentication.emailVerification || features.authentication.passwordReset) { %>,
+    "@types/nodemailer": "^6.4.0"<% } %>
+  }
+}

package/templates/base/backend/prisma/schema.prisma.ejs

@@ -0,0 +1,102 @@
+// This is your Prisma schema file,
+// learn more about it in the docs: https://pris.ly/d/prisma-schema
+
+generator client {
+  provider = "prisma-client"
+  output   = "./generated/prisma"
+}
+
+datasource db {
+  provider = "postgresql"
+}
+
+// BetterAuth User model
+// Uses BetterAuth default table name: "user"
+model User {
+  id            String    @id @default(cuid())
+  email         String    @unique
+  emailVerified Boolean   @default(false)
+  name          String?
+  image         String?
+  createdAt     DateTime  @default(now())
+  updatedAt     DateTime  @updatedAt
+
+  // BetterAuth relations
+  sessions      Session[]
+  accounts      Account[]
+
+  // Device session migration relation
+  deviceSessions DeviceSession[]
+
+  @@map("user")
+}
+
+// BetterAuth Session model (authenticated sessions)
+// Uses BetterAuth default table name: "session"
+model Session {
+  id        String   @id @default(cuid())
+  userId    String
+  token     String   @unique
+  expiresAt DateTime
+  ipAddress String?
+  userAgent String?
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@map("session")
+}
+
+// BetterAuth Account model (OAuth connections)
+// Uses BetterAuth default table name: "account"
+model Account {
+  id                    String    @id @default(cuid())
+  userId                String
+  accountId             String
+  providerId            String
+  accessToken           String?
+  refreshToken          String?
+  accessTokenExpiresAt  DateTime?
+  refreshTokenExpiresAt DateTime?
+  scope                 String?
+  idToken               String?
+  password              String?   // For email/password auth
+  createdAt             DateTime  @default(now())
+  updatedAt             DateTime  @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([providerId, accountId])
+  @@map("account")
+}
+
+// BetterAuth Verification model (email verification, password reset)
+// Uses BetterAuth default table name: "verification"
+model Verification {
+  id         String   @id @default(cuid())
+  identifier String
+  value      String
+  expiresAt  DateTime
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
+
+  @@map("verification")
+}
+
+// Device Session model (anonymous device sessions before authentication)
+// Renamed from Session to avoid conflict with BetterAuth's Session model
+model DeviceSession {
+  id                String    @id @default(cuid())
+  deviceId          String
+  sessionToken      String    @unique @default(uuid())
+  createdAt         DateTime  @default(now())
+  lastActiveAt      DateTime  @default(now())
+  migrated          Boolean   @default(false)
+  migratedToUserId  String?
+  preferredCurrency String    @default("USD")
+
+  migratedToUser User? @relation(fields: [migratedToUserId], references: [id], onDelete: SetNull)
+
+  @@map("device_session")
+}

package/templates/base/backend/prisma.config.prisma.ts

@@ -0,0 +1,12 @@
+import "dotenv/config";
+import { defineConfig, env } from "prisma/config";
+
+export default defineConfig({
+  schema: "prisma/schema.prisma",
+  migrations: {
+    path: "prisma/migrations",
+  },
+  datasource: {
+    url: env("DATABASE_URL"),
+  },
+});