create-tigra 2.8.0 → 3.0.2

package/template/server/src/modules/auth/auth.controller.ts

@@ -1,127 +1,128 @@
-import type { FastifyRequest, FastifyReply } from 'fastify';
-import { successResponse } from '@shared/responses/successResponse.js';
-import { UnauthorizedError, ForbiddenError } from '@shared/errors/errors.js';
-import { setAuthCookies, clearAuthCookies } from '@libs/cookies.js';
-import type {
-  RegisterInput,
-  LoginInput,
-  ForgotPasswordInput,
-  ResetPasswordInput,
-} from './auth.schemas.js';
-import * as authService from './auth.service.js';
-
-export async function register(
-  request: FastifyRequest<{ Body: RegisterInput }>,
-  reply: FastifyReply,
-): Promise<void> {
-  const deviceInfo = request.headers['user-agent'];
-  const ipAddress = request.ip;
-
-  const result = await authService.register(request.body, deviceInfo, ipAddress);
-
-  if (result.requiresVerification) {
-    reply.status(201).send(
-      successResponse('Registration successful. Please verify your account to continue.', { user: result.user }),
-    );
-    return;
-  }
-
-  setAuthCookies(reply, result.accessToken!, result.refreshToken!);
-  reply.status(201).send(successResponse('User registered successfully', { user: result.user }));
-}
-
-export async function login(
-  request: FastifyRequest<{ Body: LoginInput }>,
-  reply: FastifyReply,
-): Promise<void> {
-  const deviceInfo = request.headers['user-agent'];
-  const ipAddress = request.ip;
-
-  const result = await authService.login(request.body, deviceInfo, ipAddress);
-
-  setAuthCookies(reply, result.accessToken, result.refreshToken);
-  reply.send(successResponse('Logged in successfully', { user: result.user }));
-}
-
-export async function refresh(
-  request: FastifyRequest,
-  reply: FastifyReply,
-): Promise<void> {
-  const refreshToken = request.cookies.refresh_token;
-  if (!refreshToken) {
-    clearAuthCookies(reply);
-    throw new UnauthorizedError('Refresh token not provided', 'MISSING_REFRESH_TOKEN');
-  }
-
-  try {
-    const tokens = await authService.refresh(refreshToken);
-    setAuthCookies(reply, tokens.accessToken, tokens.refreshToken);
-    reply.send(successResponse('Token refreshed successfully', null));
-  } catch (error) {
-    // Session is definitively dead (refresh token revoked, user gone, inactive).
-    // Clear all auth cookies so the browser stops replaying them — otherwise the
-    // client keeps retrying refresh and middleware keeps redirecting, producing
-    // an infinite loop that trips the rate limiter.
-    if (error instanceof UnauthorizedError || error instanceof ForbiddenError) {
-      clearAuthCookies(reply);
-    }
-    throw error;
-  }
-}
-
-export async function logout(
-  request: FastifyRequest,
-  reply: FastifyReply,
-): Promise<void> {
-  const refreshToken = request.cookies.refresh_token;
-  if (refreshToken) {
-    await authService.logout(refreshToken);
-  }
-
-  clearAuthCookies(reply);
-  reply.send(successResponse('Logged out successfully', null));
-}
-
-export async function me(
-  request: FastifyRequest,
-  reply: FastifyReply,
-): Promise<void> {
-  const user = await authService.getCurrentUser(request.user.userId);
-  reply.send(successResponse('Current user retrieved', user));
-}
-
-export async function getSessions(
-  request: FastifyRequest,
-  reply: FastifyReply,
-): Promise<void> {
-  const sessions = await authService.getUserSessions(request.user.userId);
-  reply.send(successResponse('User sessions retrieved', sessions));
-}
-
-export async function logoutAllSessions(
-  request: FastifyRequest,
-  reply: FastifyReply,
-): Promise<void> {
-  const count = await authService.logoutAllSessions(request.user.userId);
-  clearAuthCookies(reply);
-  reply.send(
-    successResponse(`Successfully logged out from ${count} session(s)`, { count }),
-  );
-}
-
-export async function forgotPassword(
-  request: FastifyRequest<{ Body: ForgotPasswordInput }>,
-  reply: FastifyReply,
-): Promise<void> {
-  await authService.forgotPassword(request.body.email);
-  // Always return success to prevent email enumeration
-  reply.send(successResponse('If an account exists with that email, a reset link has been sent', null));
-}
-
-export async function resetPassword(
-  request: FastifyRequest<{ Body: ResetPasswordInput }>,
-  reply: FastifyReply,
-): Promise<void> {
-  await authService.resetPassword(request.body.token, request.body.newPassword);
-  reply.send(successResponse('Password reset successfully', null));
-}
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import { successResponse } from '@shared/responses/successResponse.js';
+import { UnauthorizedError, ForbiddenError } from '@shared/errors/errors.js';
+import { setAuthCookies, clearAuthCookies } from '@libs/cookies.js';
+import { getClientIp } from '@libs/client-ip.js';
+import type {
+  RegisterInput,
+  LoginInput,
+  ForgotPasswordInput,
+  ResetPasswordInput,
+} from './auth.schemas.js';
+import * as authService from './auth.service.js';
+
+export async function register(
+  request: FastifyRequest<{ Body: RegisterInput }>,
+  reply: FastifyReply,
+): Promise<void> {
+  const deviceInfo = request.headers['user-agent'];
+  const ipAddress = getClientIp(request);
+
+  const result = await authService.register(request.body, deviceInfo, ipAddress);
+
+  if (result.requiresVerification) {
+    reply.status(201).send(
+      successResponse('Registration successful. Please verify your account to continue.', { user: result.user }),
+    );
+    return;
+  }
+
+  setAuthCookies(reply, result.accessToken!, result.refreshToken!);
+  reply.status(201).send(successResponse('User registered successfully', { user: result.user }));
+}
+
+export async function login(
+  request: FastifyRequest<{ Body: LoginInput }>,
+  reply: FastifyReply,
+): Promise<void> {
+  const deviceInfo = request.headers['user-agent'];
+  const ipAddress = getClientIp(request);
+
+  const result = await authService.login(request.body, deviceInfo, ipAddress);
+
+  setAuthCookies(reply, result.accessToken, result.refreshToken);
+  reply.send(successResponse('Logged in successfully', { user: result.user }));
+}
+
+export async function refresh(
+  request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const refreshToken = request.cookies.refresh_token;
+  if (!refreshToken) {
+    clearAuthCookies(reply);
+    throw new UnauthorizedError('Refresh token not provided', 'MISSING_REFRESH_TOKEN');
+  }
+
+  try {
+    const tokens = await authService.refresh(refreshToken);
+    setAuthCookies(reply, tokens.accessToken, tokens.refreshToken);
+    reply.send(successResponse('Token refreshed successfully', null));
+  } catch (error) {
+    // Session is definitively dead (refresh token revoked, user gone, inactive).
+    // Clear all auth cookies so the browser stops replaying them — otherwise the
+    // client keeps retrying refresh and middleware keeps redirecting, producing
+    // an infinite loop that trips the rate limiter.
+    if (error instanceof UnauthorizedError || error instanceof ForbiddenError) {
+      clearAuthCookies(reply);
+    }
+    throw error;
+  }
+}
+
+export async function logout(
+  request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const refreshToken = request.cookies.refresh_token;
+  if (refreshToken) {
+    await authService.logout(refreshToken);
+  }
+
+  clearAuthCookies(reply);
+  reply.send(successResponse('Logged out successfully', null));
+}
+
+export async function me(
+  request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const user = await authService.getCurrentUser(request.user.userId);
+  reply.send(successResponse('Current user retrieved', user));
+}
+
+export async function getSessions(
+  request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const sessions = await authService.getUserSessions(request.user.userId);
+  reply.send(successResponse('User sessions retrieved', sessions));
+}
+
+export async function logoutAllSessions(
+  request: FastifyRequest,
+  reply: FastifyReply,
+): Promise<void> {
+  const count = await authService.logoutAllSessions(request.user.userId);
+  clearAuthCookies(reply);
+  reply.send(
+    successResponse(`Successfully logged out from ${count} session(s)`, { count }),
+  );
+}
+
+export async function forgotPassword(
+  request: FastifyRequest<{ Body: ForgotPasswordInput }>,
+  reply: FastifyReply,
+): Promise<void> {
+  await authService.forgotPassword(request.body.email);
+  // Always return success to prevent email enumeration
+  reply.send(successResponse('If an account exists with that email, a reset link has been sent', null));
+}
+
+export async function resetPassword(
+  request: FastifyRequest<{ Body: ResetPasswordInput }>,
+  reply: FastifyReply,
+): Promise<void> {
+  await authService.resetPassword(request.body.token, request.body.newPassword);
+  reply.send(successResponse('Password reset successfully', null));
+}

package/template/server/src/modules/auth/auth.repo.ts

@@ -93,6 +93,7 @@ export async function deleteRefreshTokensByUserId(userId: string): Promise<void>
   });
 }
 
+/** @deprecated Lockout moved to Redis email+IP keys in auth.service.ts; kept for back-compat, slated for removal. */
 export async function incrementFailedAttempts(userId: string): Promise<void> {
   await prisma.user.update({
     where: { id: userId },
@@ -102,6 +103,7 @@ export async function incrementFailedAttempts(userId: string): Promise<void> {
   });
 }
 
+/** @deprecated Lockout moved to Redis email+IP keys in auth.service.ts; kept for back-compat, slated for removal. */
 export async function setAccountLock(userId: string, lockedUntil: Date): Promise<void> {
   await prisma.user.update({
     where: { id: userId },

package/template/server/src/modules/auth/auth.service.ts

@@ -21,6 +21,18 @@ const PASSWORD_RESET_TTL = 3600; // 1 hour in seconds
 const PASSWORD_RESET_PREFIX = 'pw-reset:';
 const PASSWORD_RESET_USER_PREFIX = 'pw-reset-user:';
 
+// --- Account lockout (scoped to email + IP) ---
+// Failed-login attempts are tracked in Redis keyed by the (email, IP) PAIR.
+// Keying by email alone let anyone lock a victim out remotely by spamming bad
+// passwords at the victim's email (lockout DoS). Scoped to email+IP, an
+// attacker only ever locks out their own address; distributed attempts are
+// still throttled by the per-IP rate limit on the login route.
+// Redis failures fail OPEN (no lockout) — consistent with ip-block.ts:
+// availability over lockout, and rate limiting still applies.
+const LOGIN_FAIL_PREFIX = 'login-fail:';
+const LOGIN_LOCK_PREFIX = 'login-lock:';
+const LOGIN_FAIL_WINDOW_SECONDS = 60 * 60; // failed attempts expire after 1 hour
+
 // Account lockout configuration
 const LOCKOUT_THRESHOLDS = [
   { attempts: 5, durationMs: 15 * 60 * 1000 },   // 5 failures → 15 min
@@ -37,6 +49,55 @@ function getLockoutDuration(failedAttempts: number): number | null {
   return null;
 }
 
+function lockoutKey(prefix: string, email: string, ipAddress?: string): string {
+  return `${prefix}${email.toLowerCase()}:${ipAddress ?? 'unknown'}`;
+}
+
+async function isLoginLocked(email: string, ipAddress?: string): Promise<boolean> {
+  try {
+    const locked = await getRedis().exists(lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress));
+    return locked === 1;
+  } catch {
+    return false; // fail open — Redis down must not block all logins
+  }
+}
+
+async function recordFailedLogin(email: string, ipAddress?: string): Promise<void> {
+  try {
+    const redis = getRedis();
+    const failKey = lockoutKey(LOGIN_FAIL_PREFIX, email, ipAddress);
+
+    const attempts = await redis.incr(failKey);
+    if (attempts === 1) {
+      await redis.expire(failKey, LOGIN_FAIL_WINDOW_SECONDS);
+    }
+
+    const lockDurationMs = getLockoutDuration(attempts);
+    if (lockDurationMs) {
+      await redis.set(
+        lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress),
+        '1',
+        'EX',
+        Math.ceil(lockDurationMs / 1000),
+      );
+    }
+  } catch {
+    // Non-critical: don't break the login error path if tracking fails
+    logger.warn('[AUTH] Failed to record failed login attempt');
+  }
+}
+
+async function clearFailedLogins(email: string, ipAddress?: string): Promise<void> {
+  try {
+    await getRedis().del(
+      lockoutKey(LOGIN_FAIL_PREFIX, email, ipAddress),
+      lockoutKey(LOGIN_LOCK_PREFIX, email, ipAddress),
+    );
+  } catch {
+    // Non-critical: keys expire on their own
+  }
+}
+
 interface SanitizedUser {
   id: string;
   email: string;
@@ -167,12 +228,23 @@ export async function login(
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
+    // Same email+IP lockout as the normal path — the restore flow must not be
+    // a brute-force side door around the lockout.
+    if (await isLoginLocked(input.email, ipAddress)) {
+      throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+    }
+
     // Verify password before restoring — don't restore on wrong password
     const validPassword = await verifyPassword(input.password, deletedUser.password);
     if (!validPassword) {
+      await recordFailedLogin(input.email, ipAddress);
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
+    // Successful restore-login — clear the email+IP failure counter, same as
+    // the normal path.
+    await clearFailedLogins(input.email, ipAddress);
+
     // Restore account: clears deletedAt, sets isActive = true, resets lockout
     await authRepo.restoreUser(deletedUser.id);
     user = { ...deletedUser, deletedAt: null, isActive: true, failedLoginAttempts: 0, lockedUntil: null };
@@ -184,7 +256,14 @@ export async function login(
       throw new ForbiddenError('Account is not activated. Please verify your account.', 'ACCOUNT_NOT_ACTIVE');
     }
 
-    // Check account lockout
+    // Check account lockout — scoped to this email+IP pair (Redis), so an
+    // attacker spamming bad passwords only locks out their OWN address and
+    // cannot remotely lock the real user out (lockout DoS).
+    if (await isLoginLocked(input.email, ipAddress)) {
+      throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
+    }
+
+    // DB-level lock (legacy data or manual admin lock) is still honored.
     if (user.lockedUntil && user.lockedUntil > new Date()) {
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
@@ -192,20 +271,13 @@ export async function login(
     const valid = await verifyPassword(input.password, user.password);
 
     if (!valid) {
-      // Increment failed attempts
-      const newAttempts = user.failedLoginAttempts + 1;
-      await authRepo.incrementFailedAttempts(user.id);
-
-      // Check if we need to lock the account
-      const lockDuration = getLockoutDuration(newAttempts);
-      if (lockDuration) {
-        await authRepo.setAccountLock(user.id, new Date(Date.now() + lockDuration));
-      }
-
+      await recordFailedLogin(input.email, ipAddress);
       throw new UnauthorizedError('Invalid email or password', 'INVALID_CREDENTIALS');
     }
 
-    // Successful login — reset failed attempts
+    // Successful login — clear the email+IP failure counter and any stale
+    // DB-level lockout state from before lockout moved to Redis.
+    await clearFailedLogins(input.email, ipAddress);
     if (user.failedLoginAttempts > 0 || user.lockedUntil) {
       await authRepo.resetFailedAttempts(user.id);
     }
@@ -274,6 +346,25 @@ export async function refresh(refreshToken: string): Promise<{ accessToken: stri
   });
 
   if (!rotated) {
+    // REUSE DETECTED: the token existed when we looked it up but was consumed
+    // by a concurrent request before we could rotate it — two parties presented
+    // the same single-use token. We cannot tell which one is the attacker, and
+    // whichever redeemed it first already holds a freshly rotated valid token.
+    // Revoke the entire token family: every refresh token and session for this
+    // user. Both legit client and attacker must re-authenticate.
+    //
+    // NOTE: this covers the *detectable* reuse path. Refresh tokens are opaque
+    // random UUIDs (no JWT claims), so a token that is not found in the DB at
+    // all (deleted in an earlier rotation) cannot be attributed to a user, and
+    // the initial not-found lookup above can only reject it. Full replay
+    // attribution would require tombstoning consumed tokens (e.g. a revokedAt
+    // column) instead of deleting them — a schema change out of scope here.
+    logger.warn(
+      { userId: user.id },
+      '[AUTH] Refresh token reuse detected — revoking all sessions and refresh tokens for user',
+    );
+    await authRepo.deleteRefreshTokensByUserId(user.id);
+    await sessionRepository.deleteAllUserSessions(user.id);
     throw new UnauthorizedError('Refresh token already used', 'INVALID_REFRESH_TOKEN');
   }
 

package/template/server/src/test/setup.ts

@@ -1,6 +1,10 @@
 import { vi } from 'vitest';
 
-// Mock environment variables for testing
+// Mock environment variables for testing.
+// This setup file runs BEFORE any test file is imported (vitest setupFiles),
+// so these must form a COMPLETE valid env: src/config/env.ts validates on
+// import and calls process.exit(1) on failure, killing the whole suite before
+// a single test runs.
 process.env.NODE_ENV = 'test';
 process.env.DATABASE_URL = 'mysql://test:test@localhost:3306/test_db';
 process.env.REDIS_URL = 'redis://localhost:6379';
@@ -9,6 +13,9 @@ process.env.JWT_ACCESS_EXPIRY = '15m';
 process.env.JWT_REFRESH_EXPIRY = '7d';
 process.env.PORT = '3000';
 process.env.HOST = '0.0.0.0';
+// REQUIRE_USER_VERIFICATION defaults to 'true', and env.ts exits when it is
+// enabled without RESEND_API_KEY. Tests don't send email — disable it.
+process.env.REQUIRE_USER_VERIFICATION = 'false';
 
 // Test user data
 export const testUsers = {
@@ -59,15 +66,28 @@ export const testUsers = {
   },
 };
 
-// Test refresh token data
+// Test refresh token data — fields must match the Prisma RefreshToken model
+// exactly (id, token, userId, sessionId, expiresAt, createdAt)
 export const testRefreshToken = {
   id: 'test-token-id-1',
   token: 'test-refresh-token-uuid',
   userId: testUsers.validUser.id,
+  sessionId: null,
   expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days from now
   createdAt: new Date(),
 };
 
+// Test session data — fields must match the Prisma Session model exactly
+export const testSession = {
+  id: 'test-session-id-1',
+  userId: testUsers.validUser.id,
+  deviceInfo: null,
+  ipAddress: null,
+  lastActiveAt: new Date('2024-01-01T00:00:00Z'),
+  expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+  createdAt: new Date('2024-01-01T00:00:00Z'),
+};
+
 // Reset all mocks before each test
 export const resetMocks = (): void => {
   vi.clearAllMocks();

package/template/server/vitest.config.ts

@@ -1,43 +1,43 @@
-import { defineConfig } from 'vitest/config';
-import { resolve } from 'path';
-
-export default defineConfig({
-  test: {
-    globals: true,
-    environment: 'node',
-    coverage: {
-      provider: 'v8',
-      reporter: ['text', 'json', 'html', 'lcov'],
-      exclude: [
-        'node_modules/**',
-        'dist/**',
-        '**/*.config.ts',
-        '**/*.config.js',
-        '**/test/**',
-        '**/__tests__/**',
-        'prisma/**',
-        'scripts/**',
-      ],
-      thresholds: {
-        lines: 80,
-        functions: 80,
-        branches: 80,
-        statements: 80,
-      },
-    },
-    setupFiles: ['./src/test/setup.ts'],
-    include: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],
-    exclude: ['node_modules', 'dist'],
-    testTimeout: 10000,
-    hookTimeout: 10000,
-  },
-  resolve: {
-    alias: {
-      '@': resolve(__dirname, './src'),
-      '@modules': resolve(__dirname, './src/modules'),
-      '@libs': resolve(__dirname, './src/libs'),
-      '@config': resolve(__dirname, './src/config'),
-      '@shared': resolve(__dirname, './src/shared'),
-    },
-  },
-});
+import { defineConfig } from 'vitest/config';
+import { resolve } from 'path';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html', 'lcov'],
+      exclude: [
+        'node_modules/**',
+        'dist/**',
+        '**/*.config.ts',
+        '**/*.config.js',
+        '**/test/**',
+        '**/__tests__/**',
+        'prisma/**',
+        'scripts/**',
+      ],
+      thresholds: {
+        lines: 80,
+        functions: 80,
+        branches: 80,
+        statements: 80,
+      },
+    },
+    setupFiles: ['./src/test/setup.ts'],
+    include: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],
+    exclude: ['node_modules', 'dist'],
+    testTimeout: 10000,
+    hookTimeout: 10000,
+  },
+  resolve: {
+    alias: {
+      '@': resolve(__dirname, './src'),
+      '@modules': resolve(__dirname, './src/modules'),
+      '@libs': resolve(__dirname, './src/libs'),
+      '@config': resolve(__dirname, './src/config'),
+      '@shared': resolve(__dirname, './src/shared'),
+    },
+  },
+});