create-tigra 2.1.4 → 2.2.0

package/template/server/src/libs/http.ts

@@ -0,0 +1,66 @@
+import axios, {
+  type AxiosInstance,
+  type InternalAxiosRequestConfig,
+  type AxiosResponse,
+  isAxiosError,
+} from 'axios';
+import { logger } from '@libs/logger.js';
+import { InternalError } from '@shared/errors/errors.js';
+
+const TIMEOUT_MS = 30_000;
+
+const httpClient: AxiosInstance = axios.create({
+  timeout: TIMEOUT_MS,
+  headers: {
+    'Content-Type': 'application/json',
+    Accept: 'application/json',
+  },
+});
+
+// Request interceptor — log every outbound call
+httpClient.interceptors.request.use(
+  (config: InternalAxiosRequestConfig): InternalAxiosRequestConfig => {
+    logger.debug(
+      { method: config.method?.toUpperCase(), url: config.url, baseURL: config.baseURL },
+      '[HTTP] Outbound request',
+    );
+    return config;
+  },
+  (error: unknown): never => {
+    logger.error({ err: error }, '[HTTP] Request setup failed');
+    throw new InternalError('Outbound HTTP request could not be constructed');
+  },
+);
+
+// Response interceptor — log responses and convert AxiosError → InternalError
+httpClient.interceptors.response.use(
+  (response: AxiosResponse): AxiosResponse => {
+    logger.debug(
+      {
+        method: response.config.method?.toUpperCase(),
+        url: response.config.url,
+        status: response.status,
+      },
+      '[HTTP] Outbound response',
+    );
+    return response;
+  },
+  (error: unknown): never => {
+    if (isAxiosError(error)) {
+      logger.error(
+        {
+          method: error.config?.method?.toUpperCase(),
+          url: error.config?.url,
+          status: error.response?.status,
+          message: error.message,
+        },
+        '[HTTP] Outbound request failed',
+      );
+    } else {
+      logger.error({ err: error }, '[HTTP] Unexpected outbound error');
+    }
+    throw new InternalError('Outbound HTTP request failed');
+  },
+);
+
+export { httpClient };

package/template/server/src/libs/ip-block.ts

@@ -0,0 +1,145 @@
+/**
+ * IP Blocking Service
+ *
+ * Redis-backed IP blocking with two tiers:
+ * - Permanent blocks: Redis SET (admin-managed via API)
+ * - Auto-blocks: Redis ZSET with expiry timestamps (triggered by excessive rate-limit violations)
+ *
+ * Design decisions:
+ * - Fails open: if Redis is down, requests are NOT blocked (availability > security for rate limiting)
+ * - O(1) lookups: both SISMEMBER and ZSCORE are constant-time operations
+ * - Lazy cleanup: expired auto-blocks are removed on check, no separate cleanup job needed
+ */
+
+import { getRedis } from '@libs/redis.js';
+import { logger } from '@libs/logger.js';
+
+// Redis keys
+const BLOCKED_IPS_KEY = 'blocked_ips';
+const AUTO_BLOCKED_KEY = 'auto_blocked_ips';
+const VIOLATION_PREFIX = 'rl_violations:';
+
+// Auto-block thresholds
+const AUTO_BLOCK_THRESHOLD = 10;         // violations before auto-block
+const AUTO_BLOCK_WINDOW_SECONDS = 300;   // 5-minute sliding window
+const AUTO_BLOCK_DURATION_SECONDS = 3600; // block for 1 hour
+
+/**
+ * Check if an IP is blocked (permanent or auto-blocked).
+ *
+ * @param ip - IP address to check
+ * @returns true if blocked, false otherwise (including Redis failures)
+ */
+export async function isIpBlocked(ip: string): Promise<boolean> {
+  try {
+    const redis = getRedis();
+
+    // Check permanent block list
+    const permanent = await redis.sismember(BLOCKED_IPS_KEY, ip);
+    if (permanent === 1) return true;
+
+    // Check auto-block list (score = expiry Unix timestamp)
+    const score = await redis.zscore(AUTO_BLOCKED_KEY, ip);
+    if (score) {
+      const expiresAt = Number(score);
+      if (expiresAt > Date.now() / 1000) return true;
+
+      // Expired — clean up lazily
+      await redis.zrem(AUTO_BLOCKED_KEY, ip);
+    }
+
+    return false;
+  } catch {
+    // Fail open: if Redis is down, don't block
+    logger.warn('[IP-BLOCK] Redis unavailable, skipping IP block check');
+    return false;
+  }
+}
+
+/**
+ * Add an IP to the permanent block list (admin-managed).
+ *
+ * @param ip - IP address to block
+ */
+export async function blockIp(ip: string): Promise<void> {
+  const redis = getRedis();
+  await redis.sadd(BLOCKED_IPS_KEY, ip);
+  logger.info({ ip }, '[IP-BLOCK] IP permanently blocked');
+}
+
+/**
+ * Remove an IP from the permanent block list.
+ *
+ * @param ip - IP address to unblock
+ */
+export async function unblockIp(ip: string): Promise<void> {
+  const redis = getRedis();
+  await redis.srem(BLOCKED_IPS_KEY, ip);
+  // Also remove from auto-block list if present
+  await redis.zrem(AUTO_BLOCKED_KEY, ip);
+  logger.info({ ip }, '[IP-BLOCK] IP unblocked');
+}
+
+/**
+ * List all currently blocked IPs (permanent + active auto-blocks).
+ *
+ * @returns Object with permanent and autoBlocked arrays
+ */
+export async function getBlockedIps(): Promise<{
+  permanent: string[];
+  autoBlocked: string[];
+}> {
+  const redis = getRedis();
+  const nowSeconds = Date.now() / 1000;
+
+  const permanent = await redis.smembers(BLOCKED_IPS_KEY);
+
+  // Get auto-blocked IPs that haven't expired yet
+  const autoBlockedWithScores = await redis.zrangebyscore(
+    AUTO_BLOCKED_KEY,
+    nowSeconds,
+    '+inf',
+  );
+
+  return { permanent, autoBlocked: autoBlockedWithScores };
+}
+
+/**
+ * Record a rate-limit violation for an IP.
+ *
+ * If the IP exceeds AUTO_BLOCK_THRESHOLD violations within
+ * AUTO_BLOCK_WINDOW_SECONDS, it gets auto-blocked for
+ * AUTO_BLOCK_DURATION_SECONDS.
+ *
+ * Called from the rate-limit `onExceeded` callback.
+ *
+ * @param ip - IP address that violated rate limit
+ */
+export async function recordRateLimitViolation(ip: string): Promise<void> {
+  try {
+    const redis = getRedis();
+    const key = `${VIOLATION_PREFIX}${ip}`;
+
+    const count = await redis.incr(key);
+
+    // Set TTL on first violation (sliding window)
+    if (count === 1) {
+      await redis.expire(key, AUTO_BLOCK_WINDOW_SECONDS);
+    }
+
+    if (count >= AUTO_BLOCK_THRESHOLD) {
+      // Auto-block: add to ZSET with expiry timestamp as score
+      const expiresAt = Math.floor(Date.now() / 1000) + AUTO_BLOCK_DURATION_SECONDS;
+      await redis.zadd(AUTO_BLOCKED_KEY, expiresAt, ip);
+      await redis.del(key); // Reset violation counter
+
+      logger.warn(
+        { ip, violations: count, blockedForSeconds: AUTO_BLOCK_DURATION_SECONDS },
+        '[IP-BLOCK] Auto-blocked IP due to excessive rate-limit violations',
+      );
+    }
+  } catch {
+    // Non-critical: don't break the request if violation tracking fails
+    logger.warn('[IP-BLOCK] Failed to record rate-limit violation');
+  }
+}

package/template/server/src/libs/storage/file-validator.ts

@@ -6,15 +6,16 @@
 
 import type { MultipartFile } from '@fastify/multipart';
 import { ValidationError } from '@shared/errors/errors.js';
+import { env } from '@config/env.js';
 import path from 'path';
 
 /**
  * File upload constants and constraints
  */
 export const FILE_UPLOAD_CONSTANTS = {
-  MAX_FILE_SIZE: 5 * 1024 * 1024, // 5MB in bytes
-  ALLOWED_MIME_TYPES: ['image/jpeg', 'image/png', 'image/webp'] as const,
-  ALLOWED_EXTENSIONS: ['.jpg', '.jpeg', '.png', '.webp'] as const,
+  MAX_FILE_SIZE: env.MAX_FILE_SIZE_MB * 1024 * 1024, // ENV-configurable (default 10MB)
+  ALLOWED_MIME_TYPES: ['image/jpeg', 'image/png', 'image/webp', 'image/heic', 'image/heif'] as const,
+  ALLOWED_EXTENSIONS: ['.jpg', '.jpeg', '.png', '.webp', '.heic', '.heif'] as const,
   AVATAR_MAX_DIMENSION: 512, // pixels
 } as const;
 

package/template/server/src/libs/storage/image-optimizer.service.ts

@@ -120,7 +120,7 @@ class ImageOptimizerService {
       }
 
       // Check if format is supported
-      const supportedFormats = ['jpeg', 'png', 'webp', 'gif'];
+      const supportedFormats = ['jpeg', 'png', 'webp', 'gif', 'heif'];
       if (!supportedFormats.includes(metadata.format)) {
         throw new ValidationError(
           `Image format '${metadata.format}' is not supported`,

package/template/server/src/modules/admin/admin.controller.ts

@@ -0,0 +1,41 @@
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import { z } from 'zod';
+import { successResponse } from '@shared/responses/successResponse.js';
+import { ValidationError } from '@shared/errors/errors.js';
+import { blockIp, unblockIp, getBlockedIps } from '@libs/ip-block.js';
+
+const blockIpSchema = z.object({
+  ip: z.string().ip({ message: 'Invalid IP address' }),
+});
+
+type BlockIpBody = z.infer<typeof blockIpSchema>;
+type UnblockIpParams = { ip: string };
+
+export async function listBlockedIps(
+  _request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const { permanent, autoBlocked } = await getBlockedIps();
+  reply.send(successResponse('Blocked IPs retrieved', { permanent, autoBlocked }));
+}
+
+export async function blockIpHandler(
+  request: FastifyRequest<{ Body: BlockIpBody }>,
+  reply: FastifyReply,
+): Promise<void> {
+  const parsed = blockIpSchema.safeParse(request.body);
+  if (!parsed.success) {
+    throw new ValidationError(parsed.error.issues[0]?.message ?? 'Invalid IP address', 'INVALID_IP');
+  }
+  await blockIp(parsed.data.ip);
+  reply.status(201).send(successResponse('IP blocked successfully', { ip: parsed.data.ip }));
+}
+
+export async function unblockIpHandler(
+  request: FastifyRequest<{ Params: UnblockIpParams }>,
+  reply: FastifyReply,
+): Promise<void> {
+  const { ip } = request.params;
+  await unblockIp(ip);
+  reply.send(successResponse('IP unblocked successfully', { ip }));
+}

package/template/server/src/modules/admin/admin.routes.ts

@@ -0,0 +1,45 @@
+import type { FastifyInstance } from 'fastify';
+import { authenticate, authorize } from '@libs/auth.js';
+import { RATE_LIMITS } from '@config/rate-limit.config.js';
+import * as adminController from './admin.controller.js';
+
+export async function adminRoutes(fastify: FastifyInstance): Promise<void> {
+  // All admin routes require authentication + ADMIN role
+  fastify.addHook('preValidation', authenticate);
+  fastify.addHook('preValidation', authorize('ADMIN'));
+
+  /**
+   * List blocked IPs
+   *
+   * GET /api/v1/admin/blocked-ips
+   * Auth: Required (ADMIN)
+   * Returns: { permanent: string[], autoBlocked: string[] }
+   */
+  fastify.get('/admin/blocked-ips', {
+    config: { rateLimit: RATE_LIMITS.ADMIN_DEFAULT },
+    handler: adminController.listBlockedIps,
+  });
+
+  /**
+   * Block an IP address (permanent)
+   *
+   * POST /api/v1/admin/blocked-ips
+   * Auth: Required (ADMIN)
+   * Body: { ip: string }
+   */
+  fastify.post('/admin/blocked-ips', {
+    config: { rateLimit: RATE_LIMITS.ADMIN_DEFAULT },
+    handler: adminController.blockIpHandler,
+  });
+
+  /**
+   * Unblock an IP address
+   *
+   * DELETE /api/v1/admin/blocked-ips/:ip
+   * Auth: Required (ADMIN)
+   */
+  fastify.delete('/admin/blocked-ips/:ip', {
+    config: { rateLimit: RATE_LIMITS.ADMIN_DEFAULT },
+    handler: adminController.unblockIpHandler,
+  });
+}

package/template/server/src/modules/auth/auth.routes.ts

@@ -1,5 +1,6 @@
 import type { FastifyInstance } from 'fastify';
 import { authenticate } from '@libs/auth.js';
+import { RATE_LIMITS } from '@config/rate-limit.config.js';
 import * as authController from './auth.controller.js';
 import {
   registerSchema,
@@ -7,30 +8,24 @@ import {
 } from './auth.schemas.js';
 
 export async function authRoutes(fastify: FastifyInstance): Promise<void> {
-  // Register - Strict rate limiting to prevent abuse (5 requests per hour per IP)
+  // Register - Strict rate limiting to prevent abuse
   fastify.post('/auth/register', {
     schema: {
       body: registerSchema,
     },
     config: {
-      rateLimit: {
-        max: 5,
-        timeWindow: '1 hour',
-      },
+      rateLimit: RATE_LIMITS.AUTH_REGISTER,
     },
     handler: authController.register,
   });
 
-  // Login - Strict rate limiting to prevent brute force (10 requests per 15 minutes per IP)
+  // Login - Strict rate limiting to prevent brute force
   fastify.post('/auth/login', {
     schema: {
       body: loginSchema,
     },
     config: {
-      rateLimit: {
-        max: 10,
-        timeWindow: '15 minutes',
-      },
+      rateLimit: RATE_LIMITS.AUTH_LOGIN,
     },
     handler: authController.login,
   });
@@ -38,10 +33,7 @@ export async function authRoutes(fastify: FastifyInstance): Promise<void> {
   // Logout - reads refresh token from cookie, no body schema needed
   fastify.post('/auth/logout', {
     config: {
-      rateLimit: {
-        max: 50,
-        timeWindow: '15 minutes',
-      },
+      rateLimit: RATE_LIMITS.AUTH_LOGOUT,
     },
     handler: authController.logout,
   });
@@ -49,10 +41,7 @@ export async function authRoutes(fastify: FastifyInstance): Promise<void> {
   // Refresh token - reads refresh token from cookie, no body schema needed
   fastify.post('/auth/refresh', {
     config: {
-      rateLimit: {
-        max: 20,
-        timeWindow: '15 minutes',
-      },
+      rateLimit: RATE_LIMITS.AUTH_REFRESH,
     },
     handler: authController.refresh,
   });
@@ -61,10 +50,7 @@ export async function authRoutes(fastify: FastifyInstance): Promise<void> {
   fastify.get('/auth/me', {
     preValidation: [authenticate],
     config: {
-      rateLimit: {
-        max: 60,
-        timeWindow: '1 minute',
-      },
+      rateLimit: RATE_LIMITS.AUTH_ME,
     },
     handler: authController.me,
   });
@@ -73,10 +59,7 @@ export async function authRoutes(fastify: FastifyInstance): Promise<void> {
   fastify.get('/auth/sessions', {
     preValidation: [authenticate],
     config: {
-      rateLimit: {
-        max: 30,
-        timeWindow: '1 minute',
-      },
+      rateLimit: RATE_LIMITS.AUTH_SESSIONS,
     },
     handler: authController.getSessions,
   });
@@ -85,10 +68,7 @@ export async function authRoutes(fastify: FastifyInstance): Promise<void> {
   fastify.post('/auth/logout-all', {
     preValidation: [authenticate],
     config: {
-      rateLimit: {
-        max: 10,
-        timeWindow: '15 minutes',
-      },
+      rateLimit: RATE_LIMITS.AUTH_LOGOUT_ALL,
     },
     handler: authController.logoutAllSessions,
   });

package/template/server/src/modules/users/users.controller.ts

@@ -9,7 +9,8 @@ import path from 'path';
 import { usersService } from './users.service.js';
 import { validateImageFile, validateFileSize } from '@libs/storage/file-validator.js';
 import { successResponse } from '@shared/responses/successResponse.js';
-import type { GetUserAvatarParams } from './users.schemas.js';
+import { clearAuthCookies } from '@libs/cookies.js';
+import type { GetUserAvatarParams, UpdateProfileInput, ChangePasswordInput, DeleteAccountInput } from './users.schemas.js';
 import type { AuthenticatedRequest } from '@shared/types/index.js';
 import { logger } from '@libs/logger.js';
 import { BadRequestError } from '@shared/errors/errors.js';
@@ -114,6 +115,74 @@ class UsersController {
     // Send file directly
     return reply.sendFile(path.basename(filePath), path.dirname(filePath));
   }
+
+  /**
+   * Update profile handler
+   *
+   * PATCH /api/v1/users/me
+   * Auth: Required (JWT)
+   *
+   * @param request - Fastify request (authenticated)
+   * @param reply - Fastify reply
+   */
+  async updateProfile(
+    request: FastifyRequest<{ Body: UpdateProfileInput }>,
+    reply: FastifyReply
+  ): Promise<void> {
+    const userId = request.user.userId;
+
+    logger.info({ msg: 'Update profile request', userId });
+
+    const updatedUser = await usersService.updateProfile(userId, request.body);
+
+    return reply.send(successResponse('Profile updated successfully', updatedUser));
+  }
+
+  /**
+   * Change password handler
+   *
+   * PATCH /api/v1/users/me/password
+   * Auth: Required (JWT)
+   *
+   * @param request - Fastify request (authenticated)
+   * @param reply - Fastify reply
+   */
+  async changePassword(
+    request: FastifyRequest<{ Body: ChangePasswordInput }>,
+    reply: FastifyReply
+  ): Promise<void> {
+    const userId = request.user.userId;
+
+    logger.info({ msg: 'Change password request', userId });
+
+    await usersService.changePassword(userId, request.body);
+
+    return reply.send(successResponse('Password changed successfully', null));
+  }
+
+  /**
+   * Delete account handler
+   *
+   * DELETE /api/v1/users/me
+   * Auth: Required (JWT)
+   *
+   * @param request - Fastify request (authenticated)
+   * @param reply - Fastify reply
+   */
+  async deleteAccount(
+    request: FastifyRequest<{ Body: DeleteAccountInput }>,
+    reply: FastifyReply
+  ): Promise<void> {
+    const userId = request.user.userId;
+
+    logger.info({ msg: 'Delete account request', userId });
+
+    await usersService.deleteAccount(userId, request.body.password);
+
+    clearAuthCookies(reply);
+
+    return reply.send(successResponse('Account deleted successfully', null));
+  }
 }
 
 // Export singleton instance

package/template/server/src/modules/users/users.repo.ts

@@ -71,6 +71,33 @@ class UsersRepository {
       select: userSelect,
     });
   }
+
+  /**
+   * Updates a user's profile fields
+   */
+  async updateUserProfile(
+    userId: string,
+    data: { firstName?: string; lastName?: string }
+  ): Promise<SafeUser> {
+    return prisma.user.update({
+      where: { id: userId },
+      data,
+      select: userSelect,
+    });
+  }
+
+  /**
+   * Soft deletes a user by setting deletedAt and isActive = false
+   */
+  async softDeleteUser(userId: string): Promise<void> {
+    await prisma.user.update({
+      where: { id: userId },
+      data: {
+        deletedAt: new Date(),
+        isActive: false,
+      },
+    });
+  }
 }
 
 // Export singleton instance

package/template/server/src/modules/users/users.routes.ts

@@ -6,20 +6,99 @@
 
 import type { FastifyInstance } from 'fastify';
 import { usersController } from './users.controller.js';
-import { GetUserAvatarSchema } from './users.schemas.js';
+import {
+  GetUserAvatarSchema,
+  UpdateProfileSchema,
+  ChangePasswordSchema,
+  DeleteAccountSchema,
+} from './users.schemas.js';
 import { authenticate } from '@libs/auth.js';
+import { RATE_LIMITS } from '@config/rate-limit.config.js';
 
 /**
  * Users routes plugin
  *
  * Endpoints:
- * - POST   /users/avatar       - Upload avatar (authenticated)
- * - DELETE /users/avatar       - Delete avatar (authenticated)
- * - GET    /users/:userId/avatar - Get avatar (public)
+ * - PATCH  /users/me              - Update profile (authenticated)
+ * - PATCH  /users/me/password     - Change password (authenticated)
+ * - DELETE /users/me              - Delete account (authenticated)
+ * - POST   /users/avatar          - Upload avatar (authenticated)
+ * - DELETE /users/avatar          - Delete avatar (authenticated)
+ * - GET    /users/:userId/avatar  - Get avatar (public)
  *
  * @param fastify - Fastify instance
  */
 export async function usersRoutes(fastify: FastifyInstance): Promise<void> {
+  // --- Profile Management ---
+
+  /**
+   * Update profile
+   *
+   * PATCH /api/v1/users/me
+   * Body: { firstName?, lastName? }
+   * Auth: Required
+   * Rate limit: 10 requests per minute
+   */
+  fastify.patch(
+    '/users/me',
+    {
+      preValidation: [authenticate],
+      schema: {
+        body: UpdateProfileSchema,
+      },
+      config: {
+        rateLimit: RATE_LIMITS.USERS_UPDATE_PROFILE,
+      },
+    },
+    usersController.updateProfile.bind(usersController)
+  );
+
+  /**
+   * Change password
+   *
+   * PATCH /api/v1/users/me/password
+   * Body: { currentPassword, newPassword }
+   * Auth: Required
+   * Rate limit: 5 requests per minute
+   */
+  fastify.patch(
+    '/users/me/password',
+    {
+      preValidation: [authenticate],
+      schema: {
+        body: ChangePasswordSchema,
+      },
+      config: {
+        rateLimit: RATE_LIMITS.USERS_CHANGE_PASSWORD,
+      },
+    },
+    usersController.changePassword.bind(usersController)
+  );
+
+  /**
+   * Delete account
+   *
+   * DELETE /api/v1/users/me
+   * Body: { password }
+   * Auth: Required
+   * Rate limit: 3 requests per minute
+   */
+  fastify.delete(
+    '/users/me',
+    {
+      preValidation: [authenticate],
+      schema: {
+        body: DeleteAccountSchema,
+      },
+      config: {
+        rateLimit: RATE_LIMITS.USERS_DELETE_ACCOUNT,
+      },
+    },
+    usersController.deleteAccount.bind(usersController)
+  );
+
+  // --- Avatar Management ---
+
   /**
    * Upload avatar
    *
@@ -34,10 +113,7 @@ export async function usersRoutes(fastify: FastifyInstance): Promise<void> {
     {
       preValidation: [authenticate],
       config: {
-        rateLimit: {
-          max: 5,
-          timeWindow: '1 minute',
-        },
+        rateLimit: RATE_LIMITS.USERS_UPLOAD_AVATAR,
       },
     },
     usersController.uploadAvatar.bind(usersController)
@@ -55,10 +131,7 @@ export async function usersRoutes(fastify: FastifyInstance): Promise<void> {
     {
       preValidation: [authenticate],
       config: {
-        rateLimit: {
-          max: 10,
-          timeWindow: '1 minute',
-        },
+        rateLimit: RATE_LIMITS.USERS_DELETE_AVATAR,
       },
     },
     usersController.deleteAvatar.bind(usersController)
@@ -78,10 +151,7 @@ export async function usersRoutes(fastify: FastifyInstance): Promise<void> {
         params: GetUserAvatarSchema,
       },
       config: {
-        rateLimit: {
-          max: 100,
-          timeWindow: '1 minute',
-        },
+        rateLimit: RATE_LIMITS.USERS_GET_AVATAR,
       },
     },
     usersController.getAvatar.bind(usersController)