create-velox-app 0.6.31 → 0.6.51

package/src/templates/source/rsc-auth/src/api/procedures/auth.ts

@@ -0,0 +1,262 @@
+/**
+ * Auth Procedures
+ *
+ * Authentication procedures for user registration, login, and token management.
+ *
+ * REST Endpoints:
+ * - POST /auth/register - Create new account
+ * - POST /auth/login    - Authenticate and get tokens
+ * - POST /auth/refresh  - Refresh access token
+ * - POST /auth/logout   - Revoke current token
+ * - GET  /auth/me       - Get current user (protected)
+ */
+
+import {
+  AuthError,
+  authenticated,
+  createAuthRateLimiter,
+  hashPassword,
+  jwtManager,
+  verifyPassword,
+} from '@veloxts/auth';
+import { procedure, procedures } from '@veloxts/router';
+
+import {
+  LoginInput,
+  LogoutResponse,
+  RefreshInput,
+  RegisterInput,
+  TokenResponse,
+  UserResponse,
+} from '../schemas/auth.js';
+import { getJwtSecrets, parseUserRoles, tokenStore } from '../utils/auth.js';
+
+// ============================================================================
+// Rate Limiter
+// ============================================================================
+
+const rateLimiter = createAuthRateLimiter({
+  login: {
+    maxAttempts: 5,
+    windowMs: 15 * 60 * 1000,
+    lockoutDurationMs: 15 * 60 * 1000,
+    progressiveBackoff: true,
+  },
+  register: {
+    maxAttempts: 3,
+    windowMs: 60 * 60 * 1000,
+    lockoutDurationMs: 60 * 60 * 1000,
+  },
+  refresh: {
+    maxAttempts: 10,
+    windowMs: 60 * 1000,
+    lockoutDurationMs: 60 * 1000,
+  },
+});
+
+// ============================================================================
+// Password Blacklist (runtime-only, not in type chain)
+// ============================================================================
+
+const COMMON_PASSWORDS = new Set([
+  'password',
+  'password123',
+  '12345678',
+  '123456789',
+  'qwerty123',
+  'letmein',
+  'welcome',
+  'admin123',
+]);
+
+// Enhanced password validation with common password check
+const EnhancedRegisterInput = RegisterInput.extend({
+  password: RegisterInput.shape.password
+    .refine((pwd) => /[a-z]/.test(pwd), 'Password must contain at least one lowercase letter')
+    .refine((pwd) => /[A-Z]/.test(pwd), 'Password must contain at least one uppercase letter')
+    .refine((pwd) => /[0-9]/.test(pwd), 'Password must contain at least one number')
+    .refine(
+      (pwd) => !COMMON_PASSWORDS.has(pwd.toLowerCase()),
+      'Password is too common. Please choose a stronger password.'
+    ),
+});
+
+// ============================================================================
+// JWT Manager
+// ============================================================================
+
+const { jwtSecret, refreshSecret } = getJwtSecrets();
+
+const jwt = jwtManager({
+  secret: jwtSecret,
+  refreshSecret: refreshSecret,
+  accessTokenExpiry: '15m',
+  refreshTokenExpiry: '7d',
+  issuer: 'velox-app',
+  audience: 'velox-app-client',
+});
+
+// Dummy hash for timing attack prevention
+const DUMMY_HASH = '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/X4.uy7dPSSXB5G6Uy';
+
+// ============================================================================
+// Auth Procedures
+// ============================================================================
+
+export const authProcedures = procedures('auth', {
+  createAccount: procedure()
+    .rest({ method: 'POST', path: '/auth/register' })
+    .use(rateLimiter.register())
+    .input(EnhancedRegisterInput)
+    .output(TokenResponse)
+    .mutation(async ({ input, ctx }) => {
+      const normalizedEmail = input.email.toLowerCase().trim();
+
+      const existing = await ctx.db.user.findUnique({
+        where: { email: normalizedEmail },
+      });
+
+      if (existing) {
+        throw new AuthError(
+          'Registration failed. If this email is not already registered, please try again.',
+          400,
+          'REGISTRATION_FAILED'
+        );
+      }
+
+      const hashedPassword = await hashPassword(input.password);
+
+      const user = await ctx.db.user.create({
+        data: {
+          name: input.name.trim(),
+          email: normalizedEmail,
+          password: hashedPassword,
+          roles: JSON.stringify(['user']),
+        },
+      });
+
+      return jwt.createTokenPair({
+        id: user.id,
+        email: user.email,
+        roles: ['user'],
+      });
+    }),
+
+  createSession: procedure()
+    .rest({ method: 'POST', path: '/auth/login' })
+    .use(
+      rateLimiter.login((ctx) => {
+        const input = ctx.input as { email?: string } | undefined;
+        return input?.email?.toLowerCase() ?? '';
+      })
+    )
+    .input(LoginInput)
+    .output(TokenResponse)
+    .mutation(async ({ input, ctx }) => {
+      const normalizedEmail = input.email.toLowerCase().trim();
+
+      const user = await ctx.db.user.findUnique({
+        where: { email: normalizedEmail },
+      });
+
+      const hashToVerify = user?.password || DUMMY_HASH;
+      const isValid = await verifyPassword(input.password, hashToVerify);
+
+      if (!user || !user.password || !isValid) {
+        throw new AuthError('Invalid email or password', 401, 'INVALID_CREDENTIALS');
+      }
+
+      const roles = parseUserRoles(user.roles);
+
+      return jwt.createTokenPair({
+        id: user.id,
+        email: user.email,
+        roles,
+      });
+    }),
+
+  createRefresh: procedure()
+    .rest({ method: 'POST', path: '/auth/refresh' })
+    .use(rateLimiter.refresh())
+    .input(RefreshInput)
+    .output(TokenResponse)
+    .mutation(async ({ input, ctx }) => {
+      try {
+        const payload = jwt.verifyToken(input.refreshToken);
+
+        if (payload.type !== 'refresh') {
+          throw new AuthError('Invalid token type', 401, 'INVALID_TOKEN_TYPE');
+        }
+
+        if (payload.jti && tokenStore.isRevoked(payload.jti)) {
+          throw new AuthError('Token has been revoked', 401, 'TOKEN_REVOKED');
+        }
+
+        if (payload.jti) {
+          const previousUserId = tokenStore.isRefreshTokenUsed(payload.jti);
+          if (previousUserId) {
+            tokenStore.revokeAllUserTokens(previousUserId);
+            throw new AuthError(
+              'Security alert: Refresh token reuse detected.',
+              401,
+              'TOKEN_REUSE_DETECTED'
+            );
+          }
+          tokenStore.markRefreshTokenUsed(payload.jti, payload.sub);
+        }
+
+        const user = await ctx.db.user.findUnique({
+          where: { id: payload.sub },
+        });
+
+        if (!user) {
+          throw new AuthError('User not found', 401, 'USER_NOT_FOUND');
+        }
+
+        return jwt.createTokenPair({
+          id: user.id,
+          email: user.email,
+          roles: parseUserRoles(user.roles),
+        });
+      } catch (error) {
+        if (error instanceof AuthError) throw error;
+        throw new AuthError('Invalid refresh token', 401, 'INVALID_REFRESH_TOKEN');
+      }
+    }),
+
+  deleteSession: procedure()
+    .rest({ method: 'POST', path: '/auth/logout' })
+    .guard(authenticated)
+    .output(LogoutResponse)
+    .mutation(async ({ ctx }) => {
+      const tokenId = ctx.auth?.token?.jti;
+
+      if (tokenId) {
+        tokenStore.revoke(tokenId, 15 * 60 * 1000);
+      }
+
+      return {
+        success: true,
+        message: 'Successfully logged out',
+      };
+    }),
+
+  getMe: procedure()
+    .rest({ method: 'GET', path: '/auth/me' })
+    .guard(authenticated)
+    .output(UserResponse)
+    .query(async ({ ctx }) => {
+      const user = ctx.user;
+
+      if (!user) {
+        throw new AuthError('Not authenticated', 401, 'NOT_AUTHENTICATED');
+      }
+
+      return {
+        id: user.id,
+        name: (user.name as string) || '',
+        email: user.email,
+        roles: Array.isArray(user.roles) ? user.roles : ['user'],
+      };
+    }),
+});

package/src/templates/source/rsc-auth/src/api/procedures/health.ts

@@ -0,0 +1,48 @@
+/**
+ * Health Check Procedures
+ *
+ * API endpoints for application health monitoring.
+ */
+
+import { procedure, procedures } from '@veloxts/router';
+
+import { db } from '../database.js';
+
+export const healthProcedures = procedures('health', {
+  /**
+   * Basic health check
+   * GET /api/health
+   */
+  getHealth: procedure()
+    .rest({ method: 'GET', path: '/health' })
+    .query(() => ({
+      status: 'healthy',
+      timestamp: new Date().toISOString(),
+      uptime: process.uptime(),
+    })),
+
+  /**
+   * Readiness check (includes database)
+   * GET /api/health/ready
+   */
+  getReady: procedure()
+    .rest({ method: 'GET', path: '/health/ready' })
+    .query(async () => {
+      try {
+        // Test database connection
+        await db.$queryRaw`SELECT 1`;
+
+        return {
+          status: 'ready',
+          database: 'connected',
+          timestamp: new Date().toISOString(),
+        };
+      } catch {
+        return {
+          status: 'not_ready',
+          database: 'disconnected',
+          timestamp: new Date().toISOString(),
+        };
+      }
+    }),
+});

package/src/templates/source/rsc-auth/src/api/procedures/users.ts

@@ -0,0 +1,87 @@
+/**
+ * User Procedures
+ *
+ * CRUD operations for user management.
+ * Uses direct db import for proper PrismaClient typing.
+ */
+
+import { procedure, procedures } from '@veloxts/router';
+import { z } from 'zod';
+
+import { db } from '../database.js';
+import { CreateUserSchema, UpdateUserSchema, UserSchema } from '../schemas/user.js';
+
+export const userProcedures = procedures('users', {
+  /**
+   * List all users
+   * GET /api/users
+   */
+  listUsers: procedure()
+    .output(z.array(UserSchema))
+    .query(async () => {
+      return db.user.findMany({
+        orderBy: { createdAt: 'desc' },
+      });
+    }),
+
+  /**
+   * Get a single user by ID
+   * GET /api/users/:id
+   */
+  getUser: procedure()
+    .input(z.object({ id: z.string().uuid() }))
+    .output(UserSchema)
+    .query(async ({ input }) => {
+      const user = await db.user.findUnique({
+        where: { id: input.id },
+      });
+
+      if (!user) {
+        throw Object.assign(new Error('User not found'), { statusCode: 404 });
+      }
+
+      return user;
+    }),
+
+  /**
+   * Create a new user
+   * POST /api/users
+   */
+  createUser: procedure()
+    .input(CreateUserSchema)
+    .output(UserSchema)
+    .mutation(async ({ input }) => {
+      return db.user.create({
+        data: input,
+      });
+    }),
+
+  /**
+   * Update an existing user
+   * PUT /api/users/:id
+   */
+  updateUser: procedure()
+    .input(UpdateUserSchema.extend({ id: z.string().uuid() }))
+    .output(UserSchema)
+    .mutation(async ({ input }) => {
+      const { id, ...data } = input;
+      return db.user.update({
+        where: { id },
+        data,
+      });
+    }),
+
+  /**
+   * Delete a user
+   * DELETE /api/users/:id
+   */
+  deleteUser: procedure()
+    .input(z.object({ id: z.string().uuid() }))
+    .output(z.object({ success: z.boolean() }))
+    .mutation(async ({ input }) => {
+      await db.user.delete({
+        where: { id: input.id },
+      });
+      return { success: true };
+    }),
+});

package/src/templates/source/rsc-auth/src/api/schemas/auth.ts

@@ -0,0 +1,79 @@
+/**
+ * Auth Schemas
+ *
+ * BROWSER-SAFE: This file imports ONLY from 'zod'.
+ * Never import from @veloxts/* packages here.
+ */
+
+import { z } from 'zod';
+
+// ============================================================================
+// Password Schema (for validation display)
+// ============================================================================
+
+export const PasswordSchema = z
+  .string()
+  .min(12, 'Password must be at least 12 characters')
+  .max(128, 'Password must not exceed 128 characters');
+
+// ============================================================================
+// Email Schema
+// ============================================================================
+
+export const EmailSchema = z
+  .string()
+  .email('Invalid email address')
+  .transform((email) => email.toLowerCase().trim());
+
+// ============================================================================
+// Input Schemas
+// ============================================================================
+
+export const RegisterInput = z.object({
+  name: z.string().min(2).max(100).trim(),
+  email: EmailSchema,
+  password: PasswordSchema,
+});
+
+export const LoginInput = z.object({
+  email: EmailSchema,
+  password: z.string().min(1),
+});
+
+export const RefreshInput = z.object({
+  refreshToken: z.string(),
+});
+
+// ============================================================================
+// Response Schemas
+// ============================================================================
+
+export const TokenResponse = z.object({
+  accessToken: z.string(),
+  refreshToken: z.string(),
+  expiresIn: z.number(),
+  tokenType: z.literal('Bearer'),
+});
+
+export const UserResponse = z.object({
+  id: z.string(),
+  name: z.string(),
+  email: z.string(),
+  roles: z.array(z.string()),
+});
+
+export const LogoutResponse = z.object({
+  success: z.boolean(),
+  message: z.string(),
+});
+
+// ============================================================================
+// Type Exports
+// ============================================================================
+
+export type RegisterData = z.infer<typeof RegisterInput>;
+export type LoginData = z.infer<typeof LoginInput>;
+export type RefreshData = z.infer<typeof RefreshInput>;
+export type TokenResponseData = z.infer<typeof TokenResponse>;
+export type UserResponseData = z.infer<typeof UserResponse>;
+export type LogoutResponseData = z.infer<typeof LogoutResponse>;

package/src/templates/source/rsc-auth/src/api/schemas/user.ts

@@ -0,0 +1,38 @@
+/**
+ * User Schemas
+ *
+ * Zod schemas for user validation.
+ */
+
+import { z } from 'zod';
+
+/**
+ * User entity schema
+ */
+export const UserSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  email: z.string().email(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+});
+
+/**
+ * Create user input schema
+ */
+export const CreateUserSchema = z.object({
+  name: z.string().min(1, 'Name is required'),
+  email: z.string().email('Invalid email address'),
+});
+
+/**
+ * Update user input schema (all fields optional)
+ */
+export const UpdateUserSchema = z.object({
+  name: z.string().min(1).optional(),
+  email: z.string().email().optional(),
+});
+
+export type User = z.infer<typeof UserSchema>;
+export type CreateUser = z.infer<typeof CreateUserSchema>;
+export type UpdateUser = z.infer<typeof UpdateUserSchema>;

package/src/templates/source/rsc-auth/src/api/utils/auth.ts

@@ -0,0 +1,157 @@
+/**
+ * Auth Utilities
+ *
+ * Shared utilities for authentication that don't require database access.
+ * These are safe to import from procedures without pulling in server-only code.
+ */
+
+// ============================================================================
+// Role Parsing
+// ============================================================================
+
+const ALLOWED_ROLES = ['user', 'admin', 'moderator', 'editor'] as const;
+
+export function parseUserRoles(rolesJson: string | null): string[] {
+  if (!rolesJson) return ['user'];
+
+  try {
+    const parsed: unknown = JSON.parse(rolesJson);
+
+    if (!Array.isArray(parsed)) {
+      return ['user'];
+    }
+
+    const validRoles = parsed
+      .filter((role): role is string => typeof role === 'string')
+      .filter((role) => ALLOWED_ROLES.includes(role as (typeof ALLOWED_ROLES)[number]));
+
+    return validRoles.length > 0 ? validRoles : ['user'];
+  } catch {
+    return ['user'];
+  }
+}
+
+// ============================================================================
+// Token Revocation Store
+// ============================================================================
+
+/**
+ * In-memory token revocation store.
+ *
+ * PRODUCTION NOTE: Replace with Redis or database-backed store for:
+ * - Persistence across server restarts
+ * - Horizontal scaling (multiple server instances)
+ */
+class InMemoryTokenStore {
+  private revokedTokens: Map<string, number> = new Map();
+  private usedRefreshTokens: Map<string, string> = new Map();
+  private cleanupInterval: NodeJS.Timeout | null = null;
+
+  constructor() {
+    this.cleanupInterval = setInterval(() => this.cleanup(), 5 * 60 * 1000);
+  }
+
+  revoke(jti: string, expiresInMs: number = 7 * 24 * 60 * 60 * 1000): void {
+    this.revokedTokens.set(jti, Date.now() + expiresInMs);
+  }
+
+  isRevoked(jti: string): boolean {
+    const expiry = this.revokedTokens.get(jti);
+    if (!expiry) return false;
+    if (Date.now() > expiry) {
+      this.revokedTokens.delete(jti);
+      return false;
+    }
+    return true;
+  }
+
+  markRefreshTokenUsed(jti: string, userId: string): void {
+    this.usedRefreshTokens.set(jti, userId);
+    setTimeout(() => this.usedRefreshTokens.delete(jti), 7 * 24 * 60 * 60 * 1000);
+  }
+
+  isRefreshTokenUsed(jti: string): string | undefined {
+    return this.usedRefreshTokens.get(jti);
+  }
+
+  revokeAllUserTokens(userId: string): void {
+    console.warn(
+      `[Security] Token reuse detected for user ${userId}. ` +
+        'All tokens should be revoked. Implement proper user->token mapping for production.'
+    );
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [jti, expiry] of this.revokedTokens.entries()) {
+      if (now > expiry) {
+        this.revokedTokens.delete(jti);
+      }
+    }
+  }
+
+  destroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+}
+
+export const tokenStore = new InMemoryTokenStore();
+
+// ============================================================================
+// JWT Configuration Helper
+// ============================================================================
+
+/**
+ * Gets required JWT secrets from environment variables.
+ * Throws a clear error in production if secrets are not configured.
+ */
+export function getJwtSecrets(): { jwtSecret: string; refreshSecret: string } {
+  const jwtSecret = process.env.JWT_SECRET;
+  const refreshSecret = process.env.JWT_REFRESH_SECRET;
+
+  const isDevelopment = process.env.NODE_ENV !== 'production';
+
+  if (!jwtSecret || !refreshSecret) {
+    if (isDevelopment) {
+      console.warn(
+        '\n' +
+          '='.repeat(70) +
+          '\n' +
+          '  WARNING: JWT secrets not configured!\n' +
+          '  Using temporary development secrets. DO NOT USE IN PRODUCTION!\n' +
+          '\n' +
+          '  To configure secrets, add to .env:\n' +
+          '    JWT_SECRET=<generate with: openssl rand -base64 64>\n' +
+          '    JWT_REFRESH_SECRET=<generate with: openssl rand -base64 64>\n' +
+          '='.repeat(70) +
+          '\n'
+      );
+      return {
+        jwtSecret:
+          jwtSecret || `dev-only-jwt-secret-${Math.random().toString(36).substring(2).repeat(4)}`,
+        refreshSecret:
+          refreshSecret ||
+          `dev-only-refresh-secret-${Math.random().toString(36).substring(2).repeat(4)}`,
+      };
+    }
+
+    throw new Error(
+      '\n' +
+        'CRITICAL: JWT secrets are required but not configured.\n' +
+        '\n' +
+        'Required environment variables:\n' +
+        '  - JWT_SECRET: Secret for signing access tokens (64+ characters)\n' +
+        '  - JWT_REFRESH_SECRET: Secret for signing refresh tokens (64+ characters)\n' +
+        '\n' +
+        'Generate secure secrets with:\n' +
+        '  openssl rand -base64 64\n' +
+        '\n' +
+        'Add them to your environment or .env file before starting the server.\n'
+    );
+  }
+
+  return { jwtSecret, refreshSecret };
+}