create-theta-code 1.0.1

package/templates/mongo-js/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "my-awesome-app",
+  "version": "1.0.0",
+  "description": "Production-grade Node.js API built with create-theta-code",
+  "type": "module",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js",
+    "dev": "nodemon server.js",
+    "test": "vitest",
+    "test:coverage": "vitest --coverage",
+    "lint": "eslint src/",
+    "lint:fix": "eslint src/ --fix",
+    "format": "prettier --write \"src/**/*.js\"",
+    "migrate": "echo 'Run migrations here'"
+  },
+  "keywords": [
+    "nodejs",
+    "express",
+    "mongodb",
+    "api"
+  ],
+  "author": "Arpit Shukla <arpit@techvault.in>",
+  "license": "MIT",
+  "dependencies": {
+    "bcryptjs": "^2.4.3",
+    "cookie-parser": "^1.4.7",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "express-rate-limit": "^7.1.5",
+    "helmet": "^7.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "mongoose": "^8.0.0",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "eslint": "^8.54.0",
+    "morgan": "^1.10.0",
+    "nodemon": "^3.0.1",
+    "prettier": "^3.1.0",
+    "supertest": "^6.3.3",
+    "vitest": "^0.34.6"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/templates/mongo-js/server.js

@@ -0,0 +1,67 @@
+// server.js — HTTP server startup and graceful shutdown. Zero other logic.
+
+import { createApp } from './src/config/app.config.js';
+import { connectDB, disconnectDB } from './src/config/db.config.js';
+import envConfig from './src/config/env.config.js';
+
+let server;
+
+async function startServer() {
+  try {
+    // Connect to database
+    await connectDB();
+
+    // Create Express app
+    const app = createApp();
+
+    // Start HTTP server
+    server = app.listen(envConfig.PORT, () => {
+      console.log(`✅ Server running on port ${envConfig.PORT}`);
+    });
+  } catch (err) {
+    console.error('❌ Failed to start server:', err.message);
+    process.exit(1);
+  }
+}
+
+const shutdown = async (signal) => {
+  console.log(`\n${signal} received. Shutting down gracefully...`);
+
+  // Force exit if graceful shutdown takes too long
+  const forceExit = setTimeout(() => {
+    console.error('Forced shutdown: graceful shutdown timed out after 10s');
+    process.exit(1);
+  }, 10000);
+  forceExit.unref(); // Don't keep process alive just for this timer
+
+  if (server) {
+    server.close(async () => {
+      console.log('HTTP server closed.');
+      await disconnectDB();
+      clearTimeout(forceExit);
+      process.exit(0);
+    });
+  } else {
+    await disconnectDB();
+    clearTimeout(forceExit);
+    process.exit(0);
+  }
+};
+
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT', () => shutdown('SIGINT'));
+
+// Unhandled promise rejections
+process.on('unhandledRejection', (reason, promise) => {
+  console.error('❌ Unhandled Rejection at:', promise, 'reason:', reason);
+  process.exit(1);
+});
+
+// Uncaught exceptions
+process.on('uncaughtException', (err) => {
+  console.error('❌ Uncaught Exception:', err);
+  process.exit(1);
+});
+
+// Start server
+startServer();

package/templates/mongo-js/src/config/app.config.js

@@ -0,0 +1,72 @@
+// src/config/app.config.js — Express app factory. Middleware registration. Middleware order sacred.
+
+import express from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
+import morgan from 'morgan';
+import cookieParser from 'cookie-parser';
+import envConfig from './env.config.js';
+import { globalRateLimiter } from './rateLimiter.config.js';
+import { notFoundMiddleware } from '../middlewares/notFound.middleware.js';
+import { errorMiddleware } from '../middlewares/error.middleware.js';
+import { requestIdMiddleware } from '../middlewares/requestId.middleware.js';
+import { REQUEST_BODY_LIMIT } from '../utils/constants.js';
+import userRoutes from '../modules/user/user.routes.js';
+
+function createApp() {
+  const app = express();
+
+  // Request correlation ID middleware must be first for tracing
+  app.use(requestIdMiddleware);
+
+  // Security middleware
+  app.use(helmet());
+  app.use(cookieParser());
+  app.use(cors({
+    origin: (origin, callback) => {
+      if (!origin) return callback(null, true); // allow server-to-server
+      const allowed = envConfig.CORS_ORIGIN.split(',').map(o => o.trim());
+      if (allowed.includes('*') || allowed.includes(origin)) {
+        return callback(null, true);
+      }
+      return callback(new Error(`CORS: origin ${origin} not allowed`));
+    },
+    credentials: true,
+  }));
+
+  // Body parser with 10kb limit
+  app.use(express.json({ limit: REQUEST_BODY_LIMIT }));
+  app.use(express.urlencoded({ limit: REQUEST_BODY_LIMIT }));
+
+  // Logging in development only
+  if (envConfig.NODE_ENV === 'development') {
+    app.use(morgan('dev'));
+  }
+
+  // Health check (before rate limiter)
+  app.get('/health', (_req, res) => {
+    res.status(200).json({
+      status: 'UP',
+      environment: envConfig.NODE_ENV,
+      uptime: process.uptime(),
+      timestamp: new Date().toISOString(),
+      memory: process.memoryUsage(),
+    });
+  });
+
+  // Rate limiter on all /api routes
+  app.use('/api/', globalRateLimiter);
+
+  // API routes
+  app.use('/api/v1/users', userRoutes);
+
+  // 404 handler
+  app.use(notFoundMiddleware);
+
+  // Global error handler (must be last)
+  app.use(errorMiddleware);
+
+  return app;
+}
+
+export { createApp };

package/templates/mongo-js/src/config/db.config.js

@@ -0,0 +1,32 @@
+// src/config/db.config.js — MongoDB connection. Mongoose initialization and connection pooling.
+
+import mongoose from 'mongoose';
+import envConfig from './env.config.js';
+
+async function connectDB() {
+  try {
+    const mongooseInstance = await mongoose.connect(envConfig.MONGODB_URI, {
+      maxPoolSize: 10,
+      minPoolSize: 5,
+      serverSelectionTimeoutMS: 5000,
+      socketTimeoutMS: 45000,
+    });
+
+    console.log('✅ MongoDB connected successfully');
+    return mongooseInstance;
+  } catch (err) {
+    console.error('❌ MongoDB connection failed:', err.message);
+    process.exit(1);
+  }
+}
+
+async function disconnectDB() {
+  try {
+    await mongoose.disconnect();
+    console.log('✅ MongoDB disconnected');
+  } catch (err) {
+    console.error('❌ MongoDB disconnection failed:', err.message);
+  }
+}
+
+export { connectDB, disconnectDB };

package/templates/mongo-js/src/config/env.config.js

@@ -0,0 +1,49 @@
+// src/config/env.config.js — Validates ALL required env vars at startup. App refuses to boot if missing.
+
+import 'dotenv/config';
+import { z } from 'zod';
+
+const envSchema = z.object({
+  NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
+  PORT: z.string().transform(Number).default('3000'),
+  MONGODB_URI: z.string().url('Invalid MongoDB URI'),
+  JWT_SECRET: z.string().min(32, 'JWT_SECRET must be at least 32 characters'),
+  JWT_REFRESH_SECRET: z.string().min(32, 'JWT_REFRESH_SECRET must be at least 32 characters'),
+  JWT_EXPIRES_IN: z.string().default('7d'),
+  JWT_REFRESH_EXPIRES_IN: z.string().default('30d'),
+  BCRYPT_SALT_ROUNDS: z.string().transform(Number).default('12'),
+  RATE_LIMIT_WINDOW_MS: z.string().transform(Number).default('900000'),
+  RATE_LIMIT_MAX: z.string().transform(Number).default('100'),
+  AUTH_RATE_LIMIT_MAX: z.string().transform(Number).default('10'),
+  CORS_ORIGIN: z.string().default('http://localhost:3000'),
+  LOG_LEVEL: z.enum(['error', 'warn', 'info', 'debug']).default('info'),
+});
+
+let envConfig;
+
+try {
+  const rawEnv = {
+    NODE_ENV: process.env.NODE_ENV,
+    PORT: process.env.PORT,
+    MONGODB_URI: process.env.MONGODB_URI,
+    JWT_SECRET: process.env.JWT_SECRET,
+    JWT_REFRESH_SECRET: process.env.JWT_REFRESH_SECRET,
+    JWT_EXPIRES_IN: process.env.JWT_EXPIRES_IN,
+    JWT_REFRESH_EXPIRES_IN: process.env.JWT_REFRESH_EXPIRES_IN,
+    BCRYPT_SALT_ROUNDS: process.env.BCRYPT_SALT_ROUNDS,
+    RATE_LIMIT_WINDOW_MS: process.env.RATE_LIMIT_WINDOW_MS,
+    RATE_LIMIT_MAX: process.env.RATE_LIMIT_MAX,
+    AUTH_RATE_LIMIT_MAX: process.env.AUTH_RATE_LIMIT_MAX,
+    CORS_ORIGIN: process.env.CORS_ORIGIN,
+    LOG_LEVEL: process.env.LOG_LEVEL,
+  };
+
+  envConfig = envSchema.parse(rawEnv);
+  Object.freeze(envConfig);
+} catch (err) {
+  console.error('❌ Environment validation failed:');
+  console.error(err.errors || err.message);
+  process.exit(1);
+}
+
+export default envConfig;

package/templates/mongo-js/src/config/rateLimiter.config.js

@@ -0,0 +1,32 @@
+// src/config/rateLimiter.config.js — Global and auth-specific rate limiters. Non-negotiable.
+
+import rateLimit from 'express-rate-limit';
+import envConfig from './env.config.js';
+
+const globalRateLimiter = rateLimit({
+  windowMs: envConfig.RATE_LIMIT_WINDOW_MS,
+  max: envConfig.RATE_LIMIT_MAX,
+  message: {
+    success: false,
+    message: 'Too many requests, please try again later.',
+    data: null,
+    timestamp: new Date().toISOString(),
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const authRateLimiter = rateLimit({
+  windowMs: envConfig.RATE_LIMIT_WINDOW_MS,
+  max: envConfig.AUTH_RATE_LIMIT_MAX,
+  message: {
+    success: false,
+    message: 'Too many login attempts, please try again later.',
+    data: null,
+    timestamp: new Date().toISOString(),
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+export { globalRateLimiter, authRateLimiter };

package/templates/mongo-js/src/middlewares/auth.middleware.js

@@ -0,0 +1,20 @@
+// src/middlewares/auth.middleware.js — Verifies JWT from Authorization header. Attaches req.user.
+
+import { HTTP_STATUS } from '../utils/constants.js';
+import { AppError } from '../utils/AppError.js';
+import { verifyToken } from '../utils/jwt.utils.js';
+import { asyncHandler } from '../utils/asyncHandler.js';
+
+const authMiddleware = asyncHandler((req, res, next) => {
+  const token = req.cookies?.accessToken || req.headers.authorization?.replace('Bearer ', '');
+
+  if (!token) {
+    throw new AppError('Authentication required', HTTP_STATUS.UNAUTHORIZED);
+  }
+
+  const decoded = verifyToken(token);
+  req.user = decoded;
+  next();
+});
+
+export { authMiddleware };

package/templates/mongo-js/src/middlewares/error.middleware.js

@@ -0,0 +1,61 @@
+// src/middlewares/error.middleware.js — Global error handler. Operational vs programmer errors. No stack in prod.
+
+import { HTTP_STATUS } from '../utils/constants.js';
+import { sendError } from '../utils/apiResponse.js';
+
+const errorMiddleware = (err, req, res, next) => {
+  const isDevelopment = process.env.NODE_ENV === 'development';
+
+  if (req?.requestId) {
+    res.setHeader('X-Request-Id', req.requestId);
+  }
+
+  // Mongoose CastError
+  if (err.name === 'CastError') {
+    return sendError(
+      res,
+      HTTP_STATUS.BAD_REQUEST,
+      `Invalid ${err.path}: ${err.value}`,
+      isDevelopment ? err : null
+    );
+  }
+
+  // Mongoose ValidationError
+  if (err.name === 'ValidationError') {
+    const messages = Object.values(err.errors).map((e) => e.message);
+    return sendError(res, HTTP_STATUS.BAD_REQUEST, messages.join(', '), isDevelopment ? err : null);
+  }
+
+  // Mongoose duplicate key (11000)
+  if (err.code === 11000) {
+    const field = Object.keys(err.keyValue)[0];
+    const message = `${field} already in use`;
+    return sendError(res, HTTP_STATUS.CONFLICT, message, isDevelopment ? err : null);
+  }
+
+  // JWT TokenExpiredError
+  if (err.name === 'TokenExpiredError') {
+    return sendError(res, HTTP_STATUS.UNAUTHORIZED, 'Token expired', isDevelopment ? err : null);
+  }
+
+  // JWT JsonWebTokenError
+  if (err.name === 'JsonWebTokenError') {
+    return sendError(res, HTTP_STATUS.UNAUTHORIZED, 'Invalid token', isDevelopment ? err : null);
+  }
+
+  // AppError (operational)
+  if (err.isOperational) {
+    return sendError(res, err.statusCode, err.message, isDevelopment ? { stack: err.stack } : null);
+  }
+
+  // Programmer error (unhandled)
+  console.error('UNHANDLED ERROR:', err);
+  return sendError(
+    res,
+    HTTP_STATUS.INTERNAL_SERVER_ERROR,
+    'Internal server error',
+    isDevelopment ? { error: err.message, stack: err.stack } : null
+  );
+};
+
+export { errorMiddleware };

package/templates/mongo-js/src/middlewares/notFound.middleware.js

@@ -0,0 +1,11 @@
+// src/middlewares/notFound.middleware.js — Catches 404s. Creates AppError, passes to error handler.
+
+import { HTTP_STATUS } from '../utils/constants.js';
+import { AppError } from '../utils/AppError.js';
+
+const notFoundMiddleware = (req, res, next) => {
+  const error = new AppError(`Route ${req.originalUrl} not found`, HTTP_STATUS.NOT_FOUND);
+  next(error);
+};
+
+export { notFoundMiddleware };

package/templates/mongo-js/src/middlewares/requestId.middleware.js

@@ -0,0 +1,10 @@
+// src/middlewares/requestId.middleware.js — Adds request correlation ID for tracing.
+
+import crypto from 'node:crypto';
+
+export const requestIdMiddleware = (req, res, next) => {
+  const requestId = crypto.randomUUID();
+  req.requestId = requestId;
+  res.setHeader('X-Request-Id', requestId);
+  next();
+};

package/templates/mongo-js/src/middlewares/requireRole.middleware.js

@@ -0,0 +1,13 @@
+// src/middlewares/requireRole.middleware.js — Role-based access control guard.
+// Responsibility: Verify req.user.role matches allowed roles.
+// Must be used AFTER authMiddleware — never standalone.
+
+import { AppError } from '../utils/AppError.js';
+import { HTTP_STATUS } from '../utils/constants.js';
+
+export const requireRole = (...roles) => (req, res, next) => {
+  if (!req.user || !roles.includes(req.user.role)) {
+    return next(new AppError('Access denied. Insufficient permissions.', HTTP_STATUS.FORBIDDEN));
+  }
+  next();
+};

package/templates/mongo-js/src/middlewares/validate.middleware.js

@@ -0,0 +1,21 @@
+// src/middlewares/validate.middleware.js — Validates req.body with Zod schema. 400 on fail.
+
+import { HTTP_STATUS } from '../utils/constants.js';
+import { sendError } from '../utils/apiResponse.js';
+
+const validate = (schema) => (req, res, next) => {
+  const result = schema.safeParse(req.body);
+
+  if (!result.success) {
+    const errors = result.error.errors.map((err) => ({
+      field: err.path.join('.'),
+      message: err.message,
+    }));
+    return sendError(res, HTTP_STATUS.BAD_REQUEST, 'Validation failed', errors);
+  }
+
+  req.body = result.data;
+  next();
+};
+
+export { validate };

package/templates/mongo-js/src/modules/user/user.controller.js

@@ -0,0 +1,88 @@
+// src/modules/user/user.controller.js — HTTP only. Read req, call service, send res. No business logic.
+
+import { HTTP_STATUS } from '../../utils/constants.js';
+import { sendSuccess, sendError } from '../../utils/apiResponse.js';
+import { asyncHandler } from '../../utils/asyncHandler.js';
+import envConfig from '../../config/env.config.js';
+import * as userService from './user.service.js';
+
+const register = asyncHandler(async (req, res) => {
+  const { email, firstName, lastName, password } = req.body;
+
+  const user = await userService.register(email, firstName, lastName, password);
+
+  return sendSuccess(res, HTTP_STATUS.CREATED, 'User registered successfully', {
+    user,
+  });
+});
+
+const login = asyncHandler(async (req, res) => {
+  const { email, password } = req.body;
+
+  const result = await userService.login(email, password);
+
+  res.cookie('accessToken', result.token, {
+    httpOnly: true,
+    secure: envConfig.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: 7 * 24 * 60 * 60 * 1000,
+  });
+
+  res.cookie('refreshToken', result.refreshToken, {
+    httpOnly: true,
+    secure: envConfig.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: 30 * 24 * 60 * 60 * 1000,
+  });
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'Login successful', {
+    user: result.user,
+  });
+});
+
+const getAllUsers = asyncHandler(async (req, res) => {
+  const rawLimit = Number(req.query.limit);
+  const rawSkip = Number(req.query.skip);
+  const limit = Math.min(isNaN(rawLimit) || rawLimit < 1 ? 10 : rawLimit, 100);
+  const skip = isNaN(rawSkip) || rawSkip < 0 ? 0 : rawSkip;
+
+  const users = await userService.getAllUsers(limit, skip);
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'Users retrieved', { users });
+});
+
+const logout = asyncHandler(async (req, res) => {
+  res.clearCookie('accessToken');
+  res.clearCookie('refreshToken');
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'Logged out successfully', null);
+});
+
+const getProfile = asyncHandler(async (req, res) => {
+  const user = await userService.getUserById(req.user.id);
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'User profile retrieved', {
+    user,
+  });
+});
+
+const updateProfile = asyncHandler(async (req, res) => {
+  const { firstName, lastName } = req.body;
+
+  const user = await userService.updateUser(req.user.id, {
+    firstName,
+    lastName,
+  });
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'User profile updated', {
+    user,
+  });
+});
+
+const deleteAccount = asyncHandler(async (req, res) => {
+  await userService.deleteUser(req.user.id);
+
+  return sendSuccess(res, HTTP_STATUS.OK, 'Account deleted successfully', null);
+});
+
+export { register, login, logout, getAllUsers, getProfile, updateProfile, deleteAccount };

package/templates/mongo-js/src/modules/user/user.model.js

@@ -0,0 +1,45 @@
+// src/modules/user/user.model.js — Mongoose schema. DB layer only. No business logic.
+
+import mongoose from 'mongoose';
+
+const userSchema = new mongoose.Schema(
+  {
+    email: {
+      type: String,
+      required: [true, 'Email is required'],
+      unique: true,
+      lowercase: true,
+      trim: true,
+      match: [/^\w+([.-]?\w+)*@\w+([.-]?\w+)*(\.\w{2,3})+$/, 'Invalid email format'],
+    },
+    firstName: {
+      type: String,
+      required: [true, 'First name is required'],
+      trim: true,
+    },
+    lastName: {
+      type: String,
+      required: [true, 'Last name is required'],
+      trim: true,
+    },
+    password: {
+      type: String,
+      required: [true, 'Password is required'],
+      select: false,
+    },
+    role: {
+      type: String,
+      enum: ['user', 'admin'],
+      default: 'user',
+    },
+    isActive: {
+      type: Boolean,
+      default: true,
+    },
+  },
+  { timestamps: true, versionKey: false, collection: 'users' }
+);
+
+const User = mongoose.model('User', userSchema);
+
+export { User };

package/templates/mongo-js/src/modules/user/user.repository.js

@@ -0,0 +1,47 @@
+// src/modules/user/user.repository.js — DB queries only. Never business logic, never HTTP.
+
+import { User } from './user.model.js';
+
+async function findById(id) {
+  return User.findById(id).select('-password');
+}
+
+async function findByEmail(email) {
+  return User.findOne({ email }).select('+password');
+}
+
+async function findByEmailPublic(email) {
+  return User.findOne({ email }).select('-password');
+}
+
+async function create(userData) {
+  const user = new User(userData);
+  await user.save();
+  return user.toObject({ transform: (doc, ret) => { delete ret.password; return ret; } });
+}
+
+async function updateById(id, updateData) {
+  return User.findByIdAndUpdate(id, updateData, { new: true, runValidators: true }).select('-password');
+}
+
+async function deleteById(id) {
+  return User.findByIdAndDelete(id);
+}
+
+async function findAll(limit = 10, skip = 0) {
+  return User.find()
+    .select('-password')
+    .limit(limit)
+    .skip(skip)
+    .sort({ createdAt: -1 });
+}
+
+export {
+  findById,
+  findByEmail,
+  findByEmailPublic,
+  create,
+  updateById,
+  deleteById,
+  findAll,
+};

package/templates/mongo-js/src/modules/user/user.routes.js

@@ -0,0 +1,32 @@
+// src/modules/user/user.routes.js — Route definitions. Middleware chain per route. Validation before controller.
+
+import { Router } from 'express';
+import { validate } from '../../middlewares/validate.middleware.js';
+import { authMiddleware } from '../../middlewares/auth.middleware.js';
+import { requireRole } from '../../middlewares/requireRole.middleware.js';
+import { authRateLimiter } from '../../config/rateLimiter.config.js';
+import { registerSchema, loginSchema, updateUserSchema } from './user.validator.js';
+import {
+  register,
+  login,
+  logout,
+  getAllUsers,
+  getProfile,
+  updateProfile,
+  deleteAccount,
+} from './user.controller.js';
+
+const router = Router();
+
+// Public routes
+router.post('/register', authRateLimiter, validate(registerSchema), register);
+router.post('/login', authRateLimiter, validate(loginSchema), login);
+
+// Protected routes
+router.get('/users', authMiddleware, requireRole('admin'), getAllUsers);
+router.post('/logout', authMiddleware, logout);
+router.get('/profile', authMiddleware, getProfile);
+router.put('/profile', authMiddleware, validate(updateUserSchema), updateProfile);
+router.delete('/account', authMiddleware, deleteAccount);
+
+export default router;