create-tigra 1.0.0

package/template/server/src/modules/auth/auth.repo.ts

@@ -0,0 +1,218 @@
+/**
+ * Authentication Repository
+ * 
+ * Database operations for authentication module.
+ * Handles all Prisma queries related to users and sessions.
+ * 
+ * @see /mnt/project/02-general-rules.md
+ */
+
+import { prisma } from '@/libs/db';
+import type { User as PrismaUser, Session as PrismaSession } from '@prisma/client';
+import type { User } from './auth.types';
+
+/**
+ * User with password (internal use only)
+ */
+type UserWithPassword = PrismaUser;
+
+/**
+ * Session with user relation
+ */
+type SessionWithUser = PrismaSession & {
+    user: PrismaUser;
+};
+
+/**
+ * Create a new user
+ * 
+ * @param data - User creation data
+ * @returns User object WITHOUT password field
+ */
+export async function createUser(data: {
+    email: string;
+    password: string;
+    name: string;
+}): Promise<User> {
+    const user = await prisma.user.create({
+        data: {
+            email: data.email,
+            password: data.password,
+            name: data.name,
+            role: 'USER',
+            emailVerified: false,
+        },
+        select: {
+            id: true,
+            email: true,
+            name: true,
+            role: true,
+            emailVerified: true,
+            createdAt: true,
+            updatedAt: true,
+        },
+    });
+
+    return user;
+}
+
+/**
+ * Find user by email (without password)
+ * 
+ * @param email - User email
+ * @returns User object WITHOUT password field, or null if not found
+ */
+export async function findUserByEmail(email: string): Promise<User | null> {
+    const user = await prisma.user.findUnique({
+        where: { email },
+        select: {
+            id: true,
+            email: true,
+            name: true,
+            role: true,
+            emailVerified: true,
+            createdAt: true,
+            updatedAt: true,
+        },
+    });
+
+    return user;
+}
+
+/**
+ * Find user by email WITH password
+ * 
+ * Used for login verification only.
+ * NEVER return this to the client.
+ * 
+ * @param email - User email
+ * @returns User object WITH password field, or null if not found
+ */
+export async function findUserByEmailWithPassword(
+    email: string
+): Promise<UserWithPassword | null> {
+    const user = await prisma.user.findUnique({
+        where: { email },
+    });
+
+    return user;
+}
+
+/**
+ * Find user by ID (without password)
+ * 
+ * @param id - User ID
+ * @returns User object WITHOUT password field, or null if not found
+ */
+export async function findUserById(id: string): Promise<User | null> {
+    const user = await prisma.user.findUnique({
+        where: { id },
+        select: {
+            id: true,
+            email: true,
+            name: true,
+            role: true,
+            emailVerified: true,
+            createdAt: true,
+            updatedAt: true,
+        },
+    });
+
+    return user;
+}
+
+/**
+ * Create a new session
+ * 
+ * @param data - Session creation data
+ * @returns Created session
+ */
+export async function createSession(data: {
+    userId: string;
+    refreshToken: string;
+    expiresAt: Date;
+}): Promise<PrismaSession> {
+    const session = await prisma.session.create({
+        data: {
+            userId: data.userId,
+            refreshToken: data.refreshToken,
+            expiresAt: data.expiresAt,
+        },
+    });
+
+    return session;
+}
+
+/**
+ * Find session by refresh token
+ * 
+ * @param refreshToken - Refresh token
+ * @returns Session with user relation, or null if not found
+ */
+export async function findSessionByToken(
+    refreshToken: string
+): Promise<SessionWithUser | null> {
+    const session = await prisma.session.findFirst({
+        where: { refreshToken },
+        include: {
+            user: true,
+        },
+    });
+
+    return session;
+}
+
+/**
+ * Update session with new refresh token
+ * 
+ * @param oldToken - Current refresh token
+ * @param newToken - New refresh token
+ * @param expiresAt - New expiration date
+ * @returns Updated session
+ */
+export async function updateSession(
+    oldToken: string,
+    newToken: string,
+    expiresAt: Date
+): Promise<PrismaSession> {
+    // Since refreshToken is no longer unique at DB level, we use updateMany
+    // In practice, it should only update one record
+    await prisma.session.updateMany({
+        where: { refreshToken: oldToken },
+        data: {
+            refreshToken: newToken,
+            expiresAt,
+        },
+    });
+
+    // Return the updated session (requires a fetch since updateMany returns a count)
+    const session = await prisma.session.findFirstOrThrow({
+        where: { refreshToken: newToken },
+    });
+
+    return session;
+}
+
+/**
+ * Delete session by refresh token
+ * 
+ * @param refreshToken - Refresh token
+ */
+export async function deleteSession(refreshToken: string): Promise<void> {
+    await prisma.session.deleteMany({
+        where: { refreshToken },
+    });
+}
+
+/**
+ * Delete all sessions for a user
+ * 
+ * Used for logout from all devices.
+ * 
+ * @param userId - User ID
+ */
+export async function deleteAllUserSessions(userId: string): Promise<void> {
+    await prisma.session.deleteMany({
+        where: { userId },
+    });
+}

package/template/server/src/modules/auth/auth.routes.ts

@@ -0,0 +1,204 @@
+/**
+ * Authentication Routes
+ * 
+ * Fastify route definitions for authentication endpoints.
+ * Includes Swagger documentation and rate limiting.
+ * 
+ * @see /mnt/project/09-api-documentation-v2.md
+ * @see /mnt/project/11-rate-limiting-v2.md
+ */
+
+import type { FastifyInstance } from 'fastify';
+import { toJsonSchema, getDefinition } from '@/libs/swagger-schemas';
+import * as authController from './auth.controller';
+import {
+    RegisterSchema,
+    LoginSchema,
+    RefreshTokenSchema,
+    AuthResponseSchema,
+    UserResponseSchema,
+    TokenResponseSchema,
+    ErrorResponseSchema,
+} from './auth.schemas';
+
+/**
+ * Register authentication routes
+ * 
+ * @param fastify - Fastify instance
+ */
+export async function authRoutes(fastify: FastifyInstance): Promise<void> {
+    /**
+     * POST /auth/register
+     * 
+     * Register a new user account
+     */
+    fastify.post('/register', {
+        schema: {
+            description: 'Register a new user account',
+            tags: ['auth'],
+            summary: 'Register user',
+            body: toJsonSchema(RegisterSchema, 'RegisterRequest'),
+            response: {
+                201: getDefinition(AuthResponseSchema, 'AuthResponse'),
+                400: {
+                    description: 'Validation error',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+                409: {
+                    description: 'Email already registered',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+            },
+        },
+        config: {
+            rateLimit: {
+                max: 3,
+                timeWindow: '1 hour',
+            },
+        },
+        handler: authController.register,
+    });
+
+    /**
+     * POST /auth/login
+     * 
+     * Login with email and password
+     */
+    fastify.post('/login', {
+        schema: {
+            description: 'Login with email and password',
+            tags: ['auth'],
+            summary: 'Login user',
+            body: toJsonSchema(LoginSchema, 'LoginRequest'),
+            response: {
+                200: getDefinition(AuthResponseSchema, 'AuthResponse'),
+                401: {
+                    description: 'Invalid credentials',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+            },
+        },
+        config: {
+            rateLimit: {
+                max: 5,
+                timeWindow: '15 minutes',
+            },
+        },
+        handler: authController.login,
+    });
+
+    /**
+     * POST /auth/refresh
+     * 
+     * Refresh access token using refresh token
+     */
+    fastify.post('/refresh', {
+        schema: {
+            description: 'Refresh access token using refresh token',
+            tags: ['auth'],
+            summary: 'Refresh tokens',
+            body: toJsonSchema(RefreshTokenSchema, 'RefreshTokenRequest'),
+            response: {
+                200: {
+                    description: 'Tokens refreshed successfully',
+                    type: 'object',
+                    properties: {
+                        success: { type: 'boolean', enum: [true] },
+                        message: { type: 'string' },
+                        data: {
+                            type: 'object',
+                            properties: {
+                                accessToken: { type: 'string' },
+                                refreshToken: { type: 'string' },
+                            },
+                        },
+                    },
+                },
+                401: {
+                    description: 'Invalid or expired refresh token',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+            },
+        },
+        config: {
+            rateLimit: {
+                max: 10,
+                timeWindow: '15 minutes',
+            },
+        },
+        handler: authController.refreshTokens,
+    });
+
+    /**
+     * POST /auth/logout
+     * 
+     * Logout user by invalidating refresh token
+     */
+    fastify.post('/logout', {
+        schema: {
+            description: 'Logout user by invalidating refresh token',
+            tags: ['auth'],
+            summary: 'Logout user',
+            body: toJsonSchema(RefreshTokenSchema, 'RefreshTokenRequest'),
+            response: {
+                200: {
+                    description: 'Logout successful',
+                    type: 'object',
+                    properties: {
+                        success: { type: 'boolean', enum: [true] },
+                        message: { type: 'string' },
+                        data: { type: 'null' },
+                    },
+                },
+            },
+        },
+        handler: authController.logout,
+    });
+
+    /**
+     * GET /auth/me
+     * 
+     * Get current authenticated user information
+     * Requires authentication
+     */
+    fastify.get('/me', {
+        schema: {
+            description: 'Get current authenticated user information',
+            tags: ['auth'],
+            summary: 'Get current user',
+            security: [{ bearerAuth: [] }],
+            response: {
+                200: {
+                    description: 'User retrieved successfully',
+                    type: 'object',
+                    properties: {
+                        success: { type: 'boolean', enum: [true] },
+                        message: { type: 'string' },
+                        data: {
+                            type: 'object',
+                            properties: {
+                                id: { type: 'string', format: 'uuid' },
+                                email: { type: 'string', format: 'email' },
+                                name: { type: 'string', nullable: true },
+                                role: { type: 'string' },
+                                emailVerified: { type: 'boolean' },
+                                createdAt: { type: 'string', format: 'date-time' },
+                                updatedAt: { type: 'string', format: 'date-time' },
+                            },
+                        },
+                    },
+                },
+                401: {
+                    description: 'Unauthorized - Invalid or missing token',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+                404: {
+                    description: 'User not found',
+                    ...getDefinition(ErrorResponseSchema, 'ErrorResponse'),
+                },
+            },
+        },
+        preHandler: [fastify.authenticate],
+        handler: authController.getMe,
+    });
+}

package/template/server/src/modules/auth/auth.schemas.ts

@@ -0,0 +1,137 @@
+/**
+ * Authentication Schemas
+ * 
+ * Zod schemas for request validation and Swagger documentation.
+ * These schemas ensure type safety and API documentation consistency.
+ */
+
+import { z } from 'zod';
+
+/**
+ * Password Validation Regex
+ * 
+ * Requirements:
+ * - At least 1 uppercase letter
+ * - At least 1 lowercase letter
+ * - At least 1 number
+ * - Minimum 8 characters
+ */
+const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+$/;
+
+/**
+ * Register Schema
+ * 
+ * Validates user registration requests.
+ */
+export const RegisterSchema = z.object({
+    email: z
+        .string()
+        .email('Invalid email format')
+        .toLowerCase()
+        .trim(),
+    password: z
+        .string()
+        .min(8, 'Password must be at least 8 characters')
+        .regex(
+            passwordRegex,
+            'Password must contain at least 1 uppercase letter, 1 lowercase letter, and 1 number'
+        ),
+    name: z
+        .string()
+        .min(2, 'Name must be at least 2 characters')
+        .max(100, 'Name must not exceed 100 characters')
+        .trim(),
+});
+
+/**
+ * Login Schema
+ * 
+ * Validates user login requests.
+ */
+export const LoginSchema = z.object({
+    email: z
+        .string()
+        .email('Invalid email format')
+        .toLowerCase()
+        .trim(),
+    password: z
+        .string()
+        .min(8, 'Password must be at least 8 characters'),
+});
+
+/**
+ * Refresh Token Schema
+ * 
+ * Validates refresh token requests.
+ */
+export const RefreshTokenSchema = z.object({
+    refreshToken: z
+        .string()
+        .min(1, 'Refresh token is required'),
+});
+
+/**
+ * User Response Schema (for Swagger documentation)
+ * 
+ * Defines the structure of user objects in API responses.
+ */
+export const UserResponseSchema = z.object({
+    id: z.string().uuid(),
+    email: z.string().email(),
+    name: z.string().nullable(),
+    role: z.enum(['USER', 'ADMIN']),
+    emailVerified: z.boolean(),
+    createdAt: z.string().datetime(),
+    updatedAt: z.string().datetime(),
+});
+
+/**
+ * Token Response Schema (for Swagger documentation)
+ * 
+ * Defines the structure of token objects in API responses.
+ */
+export const TokenResponseSchema = z.object({
+    accessToken: z.string(),
+    refreshToken: z.string(),
+    expiresIn: z.number().int().positive(),
+});
+
+/**
+ * Auth Response Schema (for Swagger documentation)
+ * 
+ * Complete authentication response structure.
+ * Used for login and register endpoints.
+ */
+export const AuthResponseSchema = z.object({
+    success: z.literal(true),
+    message: z.string(),
+    data: z.object({
+        user: UserResponseSchema,
+        tokens: TokenResponseSchema,
+    }),
+});
+
+/**
+ * Error Response Schema (for Swagger documentation)
+ * 
+ * Standard error response structure.
+ */
+export const ErrorResponseSchema = z.object({
+    success: z.literal(false),
+    error: z.object({
+        code: z.string(),
+        message: z.string(),
+    }),
+});
+
+/**
+ * Type inference from schemas
+ * 
+ * These types can be used in controllers and services.
+ */
+export type RegisterInput = z.infer<typeof RegisterSchema>;
+export type LoginInput = z.infer<typeof LoginSchema>;
+export type RefreshTokenInput = z.infer<typeof RefreshTokenSchema>;
+export type UserResponse = z.infer<typeof UserResponseSchema>;
+export type TokenResponse = z.infer<typeof TokenResponseSchema>;
+export type AuthResponse = z.infer<typeof AuthResponseSchema>;

package/template/server/src/modules/auth/auth.service.test.ts

@@ -0,0 +1,119 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import * as authService from './auth.service';
+import * as authRepo from './auth.repo';
+import bcrypt from 'bcryptjs';
+import jwt from 'jsonwebtoken';
+import { env } from '@/config/env';
+import { ConflictError, UnauthorizedError } from '@/utils/errors';
+
+// Mock dependencies
+vi.mock('./auth.repo');
+vi.mock('bcryptjs');
+vi.mock('jsonwebtoken');
+vi.mock('@/libs/logger', () => ({
+    default: {
+        info: vi.fn(),
+        error: vi.fn(),
+        warn: vi.fn(),
+    },
+}));
+
+describe('Auth Service', () => {
+    beforeEach(() => {
+        vi.resetAllMocks();
+        // Setup default env mocks if needed
+        env.JWT_SECRET = 'test-secret';
+        env.JWT_ACCESS_EXPIRATION = '15m';
+        env.JWT_REFRESH_EXPIRATION = '7d';
+        env.JWT_ISSUER = 'test-issuer';
+    });
+
+    describe('register', () => {
+        const registerData = {
+            email: 'test@example.com',
+            password: 'Password123!',
+            name: 'Test User',
+        };
+
+        it('should successfully register a new user', async () => {
+            // Mocks
+            vi.mocked(authRepo.findUserByEmail).mockResolvedValue(null);
+            vi.mocked(bcrypt.hash).mockResolvedValue('hashed_password' as any);
+            vi.mocked(authRepo.createUser).mockResolvedValue({
+                id: 'user-123',
+                email: registerData.email,
+                name: registerData.name,
+                role: 'USER',
+                emailVerified: false,
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            });
+            vi.mocked(jwt.sign).mockReturnValue('mock_token' as any);
+            vi.mocked(authRepo.createSession).mockResolvedValue({} as any);
+
+            // Execute
+            const result = await authService.register(registerData);
+
+            // Assert
+            expect(result).toBeDefined();
+            expect(result.user.email).toBe(registerData.email);
+            expect(result.tokens.accessToken).toBe('mock_token');
+            expect(authRepo.createUser).toHaveBeenCalled();
+            expect(authRepo.createSession).toHaveBeenCalled();
+        });
+
+        it('should throw ConflictError if email already exists', async () => {
+            // Mocks
+            vi.mocked(authRepo.findUserByEmail).mockResolvedValue({ id: 'existing' } as any);
+
+            // Execute & Assert
+            await expect(authService.register(registerData))
+                .rejects
+                .toThrow(ConflictError);
+        });
+    });
+
+    describe('login', () => {
+        const loginData = {
+            email: 'test@example.com',
+            password: 'Password123!',
+        };
+
+        it('should successfully login user', async () => {
+            // Mocks
+            vi.mocked(authRepo.findUserByEmailWithPassword).mockResolvedValue({
+                id: 'user-123',
+                email: loginData.email,
+                password: 'hashed_password', // Match what bcrypt.compare expects
+                role: 'USER',
+            } as any);
+            vi.mocked(bcrypt.compare).mockResolvedValue(true as any);
+            vi.mocked(authRepo.findUserById).mockResolvedValue({
+                id: 'user-123',
+                email: loginData.email,
+                role: 'USER',
+            } as any);
+            vi.mocked(jwt.sign).mockReturnValue('mock_token' as any);
+            vi.mocked(authRepo.createSession).mockResolvedValue({} as any);
+
+            const result = await authService.login(loginData);
+
+            expect(result).toBeDefined();
+            expect(result.user.id).toBe('user-123');
+            expect(result.tokens.accessToken).toBeDefined();
+        });
+
+        it('should throw UnauthorizedError on invalid password', async () => {
+            // Mocks
+            vi.mocked(authRepo.findUserByEmailWithPassword).mockResolvedValue({
+                id: 'user-123',
+                password: 'hashed_password',
+            } as any);
+            vi.mocked(bcrypt.compare).mockResolvedValue(false as any);
+
+            await expect(authService.login(loginData))
+                .rejects
+                .toThrow(UnauthorizedError);
+        });
+    });
+});