create-tigra 1.1.0 → 2.0.1

package/template/server/src/modules/auth/auth.repo.ts

@@ -1,218 +1,120 @@
-/**
- * Authentication Repository
- * 
- * Database operations for authentication module.
- * Handles all Prisma queries related to users and sessions.
- * 
- * @see /mnt/project/02-general-rules.md
- */
-
-import { prisma } from '../../libs/db.js';
-import type { User as PrismaUser, Session as PrismaSession } from '@prisma/client';
-import type { User } from './auth.types.js';
-
-/**
- * User with password (internal use only)
- */
-type UserWithPassword = PrismaUser;
-
-/**
- * Session with user relation
- */
-type SessionWithUser = PrismaSession & {
-    user: PrismaUser;
-};
-
-/**
- * Create a new user
- * 
- * @param data - User creation data
- * @returns User object WITHOUT password field
- */
-export async function createUser(data: {
-    email: string;
-    password: string;
-    name: string;
-}): Promise<User> {
-    const user = await prisma.user.create({
-        data: {
-            email: data.email,
-            password: data.password,
-            name: data.name,
-            role: 'USER',
-            emailVerified: false,
-        },
-        select: {
-            id: true,
-            email: true,
-            name: true,
-            role: true,
-            emailVerified: true,
-            createdAt: true,
-            updatedAt: true,
-        },
-    });
-
-    return user;
-}
-
-/**
- * Find user by email (without password)
- * 
- * @param email - User email
- * @returns User object WITHOUT password field, or null if not found
- */
-export async function findUserByEmail(email: string): Promise<User | null> {
-    const user = await prisma.user.findUnique({
-        where: { email },
-        select: {
-            id: true,
-            email: true,
-            name: true,
-            role: true,
-            emailVerified: true,
-            createdAt: true,
-            updatedAt: true,
-        },
-    });
-
-    return user;
-}
-
-/**
- * Find user by email WITH password
- * 
- * Used for login verification only.
- * NEVER return this to the client.
- * 
- * @param email - User email
- * @returns User object WITH password field, or null if not found
- */
-export async function findUserByEmailWithPassword(
-    email: string
-): Promise<UserWithPassword | null> {
-    const user = await prisma.user.findUnique({
-        where: { email },
-    });
-
-    return user;
-}
-
-/**
- * Find user by ID (without password)
- * 
- * @param id - User ID
- * @returns User object WITHOUT password field, or null if not found
- */
-export async function findUserById(id: string): Promise<User | null> {
-    const user = await prisma.user.findUnique({
-        where: { id },
-        select: {
-            id: true,
-            email: true,
-            name: true,
-            role: true,
-            emailVerified: true,
-            createdAt: true,
-            updatedAt: true,
-        },
-    });
-
-    return user;
-}
-
-/**
- * Create a new session
- * 
- * @param data - Session creation data
- * @returns Created session
- */
-export async function createSession(data: {
-    userId: string;
-    refreshToken: string;
-    expiresAt: Date;
-}): Promise<PrismaSession> {
-    const session = await prisma.session.create({
-        data: {
-            userId: data.userId,
-            refreshToken: data.refreshToken,
-            expiresAt: data.expiresAt,
-        },
-    });
-
-    return session;
-}
-
-/**
- * Find session by refresh token
- * 
- * @param refreshToken - Refresh token
- * @returns Session with user relation, or null if not found
- */
-export async function findSessionByToken(
-    refreshToken: string
-): Promise<SessionWithUser | null> {
-    const session = await prisma.session.findFirst({
-        where: { refreshToken },
-        include: {
-            user: true,
-        },
-    });
-
-    return session;
-}
-
-/**
- * Update session with new refresh token
- * 
- * @param oldToken - Current refresh token
- * @param newToken - New refresh token
- * @param expiresAt - New expiration date
- * @returns Updated session
- */
-export async function updateSession(
-    oldToken: string,
-    newToken: string,
-    expiresAt: Date
-): Promise<PrismaSession> {
-    // Since refreshToken is no longer unique at DB level, we use updateMany
-    // In practice, it should only update one record
-    await prisma.session.updateMany({
-        where: { refreshToken: oldToken },
-        data: {
-            refreshToken: newToken,
-            expiresAt,
-        },
-    });
-
-    // Return the updated session (requires a fetch since updateMany returns a count)
-    const session = await prisma.session.findFirstOrThrow({
-        where: { refreshToken: newToken },
-    });
-
-    return session;
-}
-
-/**
- * Delete session by refresh token
- * 
- * @param refreshToken - Refresh token
- */
-export async function deleteSession(refreshToken: string): Promise<void> {
-    await prisma.session.deleteMany({
-        where: { refreshToken },
-    });
-}
-
-/**
- * Delete all sessions for a user
- * 
- * Used for logout from all devices.
- * 
- * @param userId - User ID
- */
-export async function deleteAllUserSessions(userId: string): Promise<void> {
-    await prisma.session.deleteMany({
-        where: { userId },
-    });
-}
+import { prisma } from '@libs/prisma.js';
+
+export async function findUserByEmail(email: string) {
+  return prisma.user.findUnique({
+    where: { email, deletedAt: null },
+  });
+}
+
+export async function findUserById(id: string) {
+  return prisma.user.findUnique({
+    where: { id, deletedAt: null },
+  });
+}
+
+export async function createUser(data: {
+  email: string;
+  password: string;
+  firstName: string;
+  lastName: string;
+}) {
+  return prisma.user.create({
+    data,
+  });
+}
+
+export async function createRefreshToken(data: {
+  token: string;
+  userId: string;
+  expiresAt: Date;
+}) {
+  return prisma.refreshToken.create({
+    data,
+  });
+}
+
+export async function findRefreshToken(token: string) {
+  return prisma.refreshToken.findUnique({
+    where: { token },
+  });
+}
+
+export async function deleteRefreshToken(token: string): Promise<void> {
+  try {
+    await prisma.refreshToken.delete({
+      where: { token },
+    });
+  } catch (error) {
+    // P2025: Record not found — token was already deleted (e.g. concurrent request)
+    if (
+      error instanceof Error &&
+      'code' in error &&
+      (error as { code: string }).code === 'P2025'
+    ) {
+      return;
+    }
+    throw error;
+  }
+}
+
+export async function rotateRefreshToken(
+  oldToken: string,
+  newData: { token: string; userId: string; expiresAt: Date },
+): Promise<boolean> {
+  try {
+    await prisma.$transaction([
+      prisma.refreshToken.delete({ where: { token: oldToken } }),
+      prisma.refreshToken.create({ data: newData }),
+    ]);
+    return true;
+  } catch (error) {
+    // P2025: Old token not found — already consumed by a concurrent request
+    if (
+      error instanceof Error &&
+      'code' in error &&
+      (error as { code: string }).code === 'P2025'
+    ) {
+      return false;
+    }
+    throw error;
+  }
+}
+
+export async function deleteRefreshTokensByUserId(userId: string) {
+  return prisma.refreshToken.deleteMany({
+    where: { userId },
+  });
+}
+
+export async function incrementFailedAttempts(userId: string): Promise<void> {
+  await prisma.user.update({
+    where: { id: userId },
+    data: {
+      failedLoginAttempts: { increment: 1 },
+    },
+  });
+}
+
+export async function setAccountLock(userId: string, lockedUntil: Date): Promise<void> {
+  await prisma.user.update({
+    where: { id: userId },
+    data: { lockedUntil },
+  });
+}
+
+export async function resetFailedAttempts(userId: string): Promise<void> {
+  await prisma.user.update({
+    where: { id: userId },
+    data: {
+      failedLoginAttempts: 0,
+      lockedUntil: null,
+    },
+  });
+}
+
+export async function updateUserPassword(userId: string, hashedPassword: string): Promise<void> {
+  await prisma.user.update({
+    where: { id: userId },
+    data: { password: hashedPassword },
+  });
+}

package/template/server/src/modules/auth/auth.routes.ts

@@ -1,83 +1,96 @@
-/**
- * Authentication Routes
- *
- * Fastify route definitions for authentication endpoints.
- * Includes rate limiting for security.
- *
- * @see /mnt/project/11-rate-limiting-v2.md
- */
-
-import type { FastifyInstance } from 'fastify';
-import * as authController from './auth.controller.js';
-
-/**
- * Register authentication routes
- * 
- * @param fastify - Fastify instance
- */
-export async function authRoutes(fastify: FastifyInstance): Promise<void> {
-    /**
-     * POST /auth/register
-     *
-     * Register a new user account
-     */
-    fastify.post('/register', {
-        config: {
-            rateLimit: {
-                max: 3,
-                timeWindow: '1 hour',
-            },
-        },
-        handler: authController.register,
-    });
-
-    /**
-     * POST /auth/login
-     *
-     * Login with email and password
-     */
-    fastify.post('/login', {
-        config: {
-            rateLimit: {
-                max: 5,
-                timeWindow: '15 minutes',
-            },
-        },
-        handler: authController.login,
-    });
-
-    /**
-     * POST /auth/refresh
-     *
-     * Refresh access token using refresh token
-     */
-    fastify.post('/refresh', {
-        config: {
-            rateLimit: {
-                max: 10,
-                timeWindow: '15 minutes',
-            },
-        },
-        handler: authController.refreshTokens,
-    });
-
-    /**
-     * POST /auth/logout
-     *
-     * Logout user by invalidating refresh token
-     */
-    fastify.post('/logout', {
-        handler: authController.logout,
-    });
-
-    /**
-     * GET /auth/me
-     *
-     * Get current authenticated user information
-     * Requires authentication
-     */
-    fastify.get('/me', {
-        preHandler: [fastify.authenticate],
-        handler: authController.getMe,
-    });
-}
+import type { FastifyInstance } from 'fastify';
+import { authenticate } from '@libs/auth.js';
+import * as authController from './auth.controller.js';
+import {
+  registerSchema,
+  loginSchema,
+} from './auth.schemas.js';
+
+export async function authRoutes(fastify: FastifyInstance): Promise<void> {
+  // Register - Strict rate limiting to prevent abuse (5 requests per hour per IP)
+  fastify.post('/auth/register', {
+    schema: {
+      body: registerSchema,
+    },
+    config: {
+      rateLimit: {
+        max: 5,
+        timeWindow: '1 hour',
+      },
+    },
+    handler: authController.register,
+  });
+
+  // Login - Strict rate limiting to prevent brute force (10 requests per 15 minutes per IP)
+  fastify.post('/auth/login', {
+    schema: {
+      body: loginSchema,
+    },
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '15 minutes',
+      },
+    },
+    handler: authController.login,
+  });
+
+  // Logout - reads refresh token from cookie, no body schema needed
+  fastify.post('/auth/logout', {
+    config: {
+      rateLimit: {
+        max: 50,
+        timeWindow: '15 minutes',
+      },
+    },
+    handler: authController.logout,
+  });
+
+  // Refresh token - reads refresh token from cookie, no body schema needed
+  fastify.post('/auth/refresh', {
+    config: {
+      rateLimit: {
+        max: 20,
+        timeWindow: '15 minutes',
+      },
+    },
+    handler: authController.refresh,
+  });
+
+  // Get current user
+  fastify.get('/auth/me', {
+    preValidation: [authenticate],
+    config: {
+      rateLimit: {
+        max: 60,
+        timeWindow: '1 minute',
+      },
+    },
+    handler: authController.me,
+  });
+
+  // Get user sessions
+  fastify.get('/auth/sessions', {
+    preValidation: [authenticate],
+    config: {
+      rateLimit: {
+        max: 30,
+        timeWindow: '1 minute',
+      },
+    },
+    handler: authController.getSessions,
+  });
+
+  // Logout from all sessions
+  fastify.post('/auth/logout-all', {
+    preValidation: [authenticate],
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '15 minutes',
+      },
+    },
+    handler: authController.logoutAllSessions,
+  });
+
+}