create-tigra 2.6.8 → 2.7.1

package/modules/email-verification/server/verification.service.ts

@@ -0,0 +1,190 @@
+import crypto from 'node:crypto';
+import { signAccessToken, generateRefreshToken, getRefreshTokenExpiresAt } from '@libs/auth.js';
+import { getRedis } from '@libs/redis.js';
+import { sendEmail } from '@libs/email.js';
+import { logger } from '@libs/logger.js';
+import { env } from '@config/env.js';
+import {
+  BadRequestError,
+  NotFoundError,
+} from '@shared/errors/errors.js';
+import * as authRepo from './auth.repo.js';
+import { sessionRepository } from './session.repo.js';
+import { sanitizeUser } from './auth.service.js';
+
+import type { AuthResult } from './auth.service.js';
+
+const VERIFICATION_TTL = 3600; // 1 hour in seconds
+const VERIFICATION_PREFIX = 'verify:';
+const VERIFICATION_USER_PREFIX = 'verify-user:';
+
+/**
+ * Send a verification email to a user.
+ * Public endpoint — accepts email, silent return if user not found (prevents enumeration).
+ * Also called internally by the register flow for auto-sending.
+ */
+export async function sendVerification(email: string): Promise<void> {
+  const user = await authRepo.findUserByEmail(email);
+
+  // Silent return if user not found — prevents email enumeration (same pattern as forgotPassword)
+  if (!user) return;
+
+  // Silent return if already verified — no need to reveal account status
+  if (user.isActive) return;
+
+  const redis = getRedis();
+
+  // Invalidate any existing verification token for this user
+  const existingToken = await redis.get(`${VERIFICATION_USER_PREFIX}${user.id}`);
+  if (existingToken) {
+    await redis.del(`${VERIFICATION_PREFIX}${existingToken}`);
+    await redis.del(`${VERIFICATION_USER_PREFIX}${user.id}`);
+  }
+
+  // Generate secure token and store in Redis with 1 hour TTL
+  const token = crypto.randomBytes(32).toString('hex');
+
+  await redis.set(`${VERIFICATION_PREFIX}${token}`, user.id, 'EX', VERIFICATION_TTL);
+  await redis.set(`${VERIFICATION_USER_PREFIX}${user.id}`, token, 'EX', VERIFICATION_TTL);
+
+  // Build verification URL and send email
+  const verifyUrl = `${env.CLIENT_URL}/verify-account?token=${token}`;
+  const safeName = user.firstName.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+
+  try {
+    await sendEmail({
+      to: user.email,
+      subject: 'Verify your account',
+      html: `
+        <table width="100%" cellpadding="0" cellspacing="0" style="background-color: #f4f3ee; padding: 40px 20px; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;">
+          <tr>
+            <td align="center">
+              <table width="100%" cellpadding="0" cellspacing="0" style="max-width: 480px; background-color: #ffffff; border-radius: 16px; overflow: hidden; box-shadow: 0 1px 3px rgba(0,0,0,0.06); border-left: 4px solid #c15f3c;">
+                <tr>
+                  <td style="padding: 40px;">
+                    <p style="margin: 0 0 20px; font-size: 12px; font-weight: 600; color: #c15f3c; text-transform: uppercase; letter-spacing: 1.5px;">Account Verification</p>
+                    <h1 style="margin: 0 0 8px; font-size: 22px; font-weight: 600; color: #1a170f;">Verify your account</h1>
+                    <p style="margin: 0 0 28px; font-size: 15px; color: #6b6560; line-height: 1.6;">
+                      Hi ${safeName}, please verify your email address to activate your account and get started.
+                    </p>
+                    <a href="${verifyUrl}" style="display: inline-block; background-color: #1a170f; color: #ffffff; padding: 14px 32px; border-radius: 10px; text-decoration: none; font-size: 15px; font-weight: 600;">
+                      Verify account &rarr;
+                    </a>
+                    <p style="margin: 28px 0 0; font-size: 13px; color: #9b958e; line-height: 1.6;">
+                      This link expires in 1 hour. If you didn't create an account, you can safely ignore this email.
+                    </p>
+                  </td>
+                </tr>
+                <tr>
+                  <td style="padding: 0 40px 32px;">
+                    <div style="border-top: 1px solid #e8e6e1; padding-top: 20px;">
+                      <p style="margin: 0; font-size: 12px; color: #b5b0a8; line-height: 1.5;">
+                        If the button doesn't work, copy this link:<br/>
+                        <a href="${verifyUrl}" style="color: #c15f3c; text-decoration: underline; word-break: break-all;">${verifyUrl}</a>
+                      </p>
+                    </div>
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+        </table>
+      `,
+    });
+
+    logger.info({ userId: user.id }, '[AUTH] Verification email sent');
+  } catch (error) {
+    // Log but don't throw — prevents leaking email existence via 500 vs 200
+    logger.error({ userId: user.id, err: error }, '[AUTH] Failed to send verification email');
+  }
+}
+
+export async function verifyAccount(
+  token: string,
+  deviceInfo?: string,
+  ipAddress?: string,
+): Promise<AuthResult> {
+  const redis = getRedis();
+
+  // Atomic get-and-delete to prevent token reuse via concurrent requests
+  const userId = await redis.getDel(`${VERIFICATION_PREFIX}${token}`);
+  if (!userId) {
+    throw new BadRequestError('Invalid or expired verification token', 'INVALID_VERIFICATION_TOKEN');
+  }
+
+  const user = await authRepo.findUserById(userId);
+  if (!user) {
+    throw new NotFoundError('User not found', 'USER_NOT_FOUND');
+  }
+
+  // Activate the user account
+  await authRepo.activateUser(userId);
+
+  // Clean up the reverse-lookup key
+  await redis.del(`${VERIFICATION_USER_PREFIX}${userId}`);
+
+  // Generate tokens and create session (same pattern as login)
+  const accessToken = signAccessToken({
+    userId: user.id,
+    role: user.role,
+  });
+  const refreshToken = generateRefreshToken();
+  const refreshTokenExpiresAt = getRefreshTokenExpiresAt();
+
+  const session = await sessionRepository.createSession({
+    userId: user.id,
+    deviceInfo,
+    ipAddress,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  await authRepo.createRefreshToken({
+    token: refreshToken,
+    userId: user.id,
+    sessionId: session.id,
+    expiresAt: refreshTokenExpiresAt,
+  });
+
+  logger.info({ userId }, '[AUTH] Account verified');
+
+  // Send welcome email (best-effort — don't fail verification if email fails)
+  const safeName = user.firstName.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  const dashboardUrl = `${env.CLIENT_URL}/dashboard`;
+
+  try {
+    await sendEmail({
+      to: user.email,
+      subject: 'Welcome — your account is verified!',
+      html: `
+        <table width="100%" cellpadding="0" cellspacing="0" style="background-color: #f4f3ee; padding: 40px 20px; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;">
+          <tr>
+            <td align="center">
+              <table width="100%" cellpadding="0" cellspacing="0" style="max-width: 480px; background-color: #ffffff; border-radius: 16px; overflow: hidden; box-shadow: 0 1px 3px rgba(0,0,0,0.06); border-left: 4px solid #c15f3c;">
+                <tr>
+                  <td style="padding: 40px;">
+                    <p style="margin: 0 0 20px; font-size: 12px; font-weight: 600; color: #c15f3c; text-transform: uppercase; letter-spacing: 1.5px;">Welcome</p>
+                    <h1 style="margin: 0 0 8px; font-size: 22px; font-weight: 600; color: #1a170f;">You're all set!</h1>
+                    <p style="margin: 0 0 28px; font-size: 15px; color: #6b6560; line-height: 1.6;">
+                      Hi ${safeName}, your account has been verified. You can now access all features of the app.
+                    </p>
+                    <a href="${dashboardUrl}" style="display: inline-block; background-color: #1a170f; color: #ffffff; padding: 14px 32px; border-radius: 10px; text-decoration: none; font-size: 15px; font-weight: 600;">
+                      Go to dashboard &rarr;
+                    </a>
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+        </table>
+      `,
+    });
+  } catch (error) {
+    logger.error({ userId, err: error }, '[AUTH] Failed to send welcome email');
+  }
+
+  return {
+    user: sanitizeUser({ ...user, isActive: true }),
+    accessToken,
+    refreshToken,
+  };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-tigra",
-  "version": "2.6.8",
+    "version": "2.7.1",
   "type": "module",
   "description": "Create a production-ready full-stack app with Next.js 16 + Fastify 5 + Prisma + Redis",
   "bin": {
@@ -8,6 +8,8 @@
   },
   "files": [
     "bin",
+    "lib",
+    "modules",
     "template"
   ],
   "engines": {
@@ -47,6 +49,7 @@
     "commander": "^13.1.0",
     "fs-extra": "^11.3.0",
     "ora": "^8.2.0",
-    "prompts": "^2.4.2"
+    "prompts": "^2.4.2",
+    "ts-morph": "^27.0.2"
   }
 }

package/template/client/src/features/auth/components/AuthInitializer.tsx

@@ -5,8 +5,11 @@ import { useEffect } from 'react';
 
 import { usePathname, useRouter } from 'next/navigation';
 
+import { toast } from 'sonner';
+
 import { useAppDispatch, useAppSelector } from '@/store/hooks';
 import { ROUTES } from '@/lib/constants/routes';
+import { isErrorCode, ERROR_CODES } from '@/lib/utils/error';
 import { authService } from '../services/auth.service';
 import { setUser, setInitialized } from '../store/authSlice';
 
@@ -15,7 +18,7 @@ const PROTECTED_PATHS: string[] = [ROUTES.DASHBOARD, ROUTES.PROFILE, '/admin'];
 // Auth pages where getMe() should never fire — there is no session to hydrate
 // on login/register/reset-password, and calling getMe() here would trigger the
 // 401 → refresh → fail → redirect chain for no reason.
-const AUTH_PATHS: string[] = [ROUTES.LOGIN, ROUTES.REGISTER, ROUTES.RESET_PASSWORD, ROUTES.VERIFY_EMAIL];
+const AUTH_PATHS: string[] = [ROUTES.LOGIN, ROUTES.REGISTER, ROUTES.RESET_PASSWORD, ROUTES.VERIFY_ACCOUNT];
 
 interface AuthInitializerProps {
   children: React.ReactNode;
@@ -65,6 +68,9 @@ export const AuthInitializer = ({ children }: AuthInitializerProps): React.React
         // Only redirect on auth errors (401/403), not network failures
         const status = error?.response?.status;
         if (status === 401 || status === 403) {
+          if (isErrorCode(error, ERROR_CODES.ACCOUNT_NOT_ACTIVE)) {
+            toast.error('Your account is not yet activated. Please verify your account.');
+          }
           router.push(ROUTES.LOGIN);
         }
       });

package/template/client/src/features/auth/hooks/useAuth.ts

@@ -7,7 +7,7 @@ import { useRouter, useSearchParams } from 'next/navigation';
 import { toast } from 'sonner';
 
 import { useAppDispatch, useAppSelector } from '@/store/hooks';
-import { getErrorMessage } from '@/lib/utils/error';
+import { getErrorMessage, isErrorCode, ERROR_CODES } from '@/lib/utils/error';
 import { ROUTES } from '@/lib/constants/routes';
 import { authService } from '../services/auth.service';
 import { setUser, setLoggingOut, logout as logoutAction } from '../store/authSlice';
@@ -42,6 +42,10 @@ export const useAuth = (): UseAuthReturn => {
       router.push(redirectTo);
     },
     onError: (error) => {
+      if (isErrorCode(error, ERROR_CODES.ACCOUNT_NOT_ACTIVE)) {
+        toast.error('Your account is not yet activated. Please verify your account to continue.');
+        return;
+      }
       toast.error(getErrorMessage(error));
     },
   });
@@ -49,6 +53,11 @@ export const useAuth = (): UseAuthReturn => {
   const registerMutation = useMutation({
     mutationFn: (data: IRegisterRequest) => authService.register(data),
     onSuccess: (data) => {
+      if (!data.user.isActive) {
+        toast.success('Account created! Please verify your account to continue.');
+        router.push(ROUTES.VERIFY_ACCOUNT);
+        return;
+      }
       dispatch(setUser(data.user));
       toast.success('Account created successfully');
       router.push(ROUTES.DASHBOARD);

package/template/client/src/features/auth/hooks/usePasswordReset.ts

@@ -0,0 +1,57 @@
+'use client';
+
+import { useMutation } from '@tanstack/react-query';
+import { useRouter } from 'next/navigation';
+import { toast } from 'sonner';
+
+import { ROUTES } from '@/lib/constants/routes';
+import { getErrorMessage } from '@/lib/utils/error';
+import { authService } from '../services/auth.service';
+
+interface UseForgotPasswordReturn {
+  forgotPassword: (email: string) => void;
+  isPending: boolean;
+}
+
+export const useForgotPassword = (): UseForgotPasswordReturn => {
+  const mutation = useMutation({
+    mutationFn: (email: string) => authService.forgotPassword(email),
+    onSuccess: () => {
+      toast.success('Check your email for reset instructions');
+    },
+    onError: (error: unknown) => {
+      toast.error(getErrorMessage(error));
+    },
+  });
+
+  return {
+    forgotPassword: mutation.mutate,
+    isPending: mutation.isPending,
+  };
+};
+
+interface UseResetPasswordReturn {
+  resetPassword: (data: { token: string; newPassword: string }) => void;
+  isPending: boolean;
+}
+
+export const useResetPassword = (): UseResetPasswordReturn => {
+  const router = useRouter();
+
+  const mutation = useMutation({
+    mutationFn: (data: { token: string; newPassword: string }) =>
+      authService.resetPassword(data.token, data.newPassword),
+    onSuccess: () => {
+      toast.success('Password reset successfully. Please sign in.');
+      router.push(ROUTES.LOGIN);
+    },
+    onError: (error: unknown) => {
+      toast.error(getErrorMessage(error));
+    },
+  });
+
+  return {
+    resetPassword: mutation.mutate,
+    isPending: mutation.isPending,
+  };
+};

package/template/client/src/features/auth/services/auth.service.ts

@@ -36,8 +36,8 @@ class AuthService {
     return response.data.data;
   }
 
-  async requestPasswordReset(email: string): Promise<void> {
-    await apiClient.post(API_ENDPOINTS.AUTH.REQUEST_PASSWORD_RESET, { email });
+  async forgotPassword(email: string): Promise<void> {
+    await apiClient.post(API_ENDPOINTS.AUTH.FORGOT_PASSWORD, { email });
   }
 
   async resetPassword(token: string, newPassword: string): Promise<void> {

package/template/client/src/lib/constants/api-endpoints.ts

@@ -5,7 +5,7 @@ export const API_ENDPOINTS = {
     LOGOUT: '/auth/logout',
     REFRESH: '/auth/refresh',
     ME: '/auth/me',
-    REQUEST_PASSWORD_RESET: '/auth/request-password-reset',
+    FORGOT_PASSWORD: '/auth/forgot-password',
     RESET_PASSWORD: '/auth/reset-password',
   },
   USERS: {

package/template/client/src/lib/constants/routes.ts

@@ -2,7 +2,7 @@ export const ROUTES = {
   HOME: '/',
   LOGIN: '/login',
   REGISTER: '/register',
-  VERIFY_EMAIL: '/verify-email',
+  VERIFY_ACCOUNT: '/verify-account',
   RESET_PASSWORD: '/reset-password',
   DASHBOARD: '/dashboard',
   PROFILE: '/profile',

package/template/client/src/lib/utils/error.ts

@@ -30,3 +30,7 @@ export const getErrorCode = (error: unknown): string | undefined => {
 export const isErrorCode = (error: unknown, code: string): boolean => {
   return getErrorCode(error) === code;
 };
+
+export const ERROR_CODES = {
+  ACCOUNT_NOT_ACTIVE: 'ACCOUNT_NOT_ACTIVE',
+} as const;

package/template/server/.env.example

@@ -67,6 +67,17 @@ RATE_LIMIT_MULTIPLIER=1
 # RATE_LIMIT_AUTH_LOGIN_MAX=10
 # RATE_LIMIT_AUTH_REGISTER_MAX=5
 
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# When true (default), new users are created as inactive and must
+# verify their account before they can log in.
+# When false, users are active immediately after registration.
+# NOTE: When this variable is not provided, users are NOT activated
+# by default — you must explicitly set it to false to skip verification.
+REQUIRE_USER_VERIFICATION=true
+
 # ===================================================================
 # FILE UPLOAD
 # ===================================================================
@@ -138,6 +149,24 @@ JWT_REFRESH_EXPIRY="7d"
 #   Local dev: CORS_ORIGIN="http://localhost:3001"
 # CORS_ORIGIN="http://localhost:3001"
 
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails (password reset, verification, etc.)
+# Get your API key from: https://resend.com/api-keys
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email address
+# Development: Use Resend's test address (onboarding@resend.dev) — delivers to your Resend dashboard
+# Production: Use a verified domain email (e.g., noreply@yourdomain.com)
+RESEND_FROM_EMAIL="onboarding@resend.dev"
+
+# Frontend URL used to build links in emails (e.g., password reset links)
+# Must match the URL where your Next.js client is running
+CLIENT_URL="http://localhost:3000"
+
 # ===================================================================
 # LOGGING
 # ===================================================================

package/template/server/.env.example.production

@@ -65,6 +65,14 @@ RATE_LIMIT_MULTIPLIER=1
 RATE_LIMIT_AUTH_LOGIN_MAX=10
 RATE_LIMIT_AUTH_REGISTER_MAX=5
 
+# ===================================================================
+# ACCOUNT ACTIVATION
+# ===================================================================
+
+# Require account verification before users can log in
+# Set to true in production for security
+REQUIRE_USER_VERIFICATION=true
+
 # ===================================================================
 # FILE UPLOAD
 # ===================================================================
@@ -112,6 +120,20 @@ CORS_ORIGIN="https://yourdomain.com,https://app.yourdomain.com"
 # Without it, login will silently fail (server returns 200 but browser drops cookies).
 COOKIE_DOMAIN=".yourdomain.com"
 
+# ===================================================================
+# EMAIL (Resend)
+# ===================================================================
+
+# Resend API key for transactional emails
+# COOLIFY: Runtime only. Do NOT check "Available at Buildtime" — this is a secret!
+RESEND_API_KEY="re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# Sender email — must be from a verified domain in Resend
+RESEND_FROM_EMAIL="noreply@yourdomain.com"
+
+# Frontend URL for email links (password reset, verification, etc.)
+CLIENT_URL="https://yourdomain.com"
+
 # ===================================================================
 # LOGGING
 # ===================================================================