create-warlock 4.0.29 → 4.0.30

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "create-warlock",
-    "version": "4.0.29",
+    "version": "4.0.30",
     "main": "./esm/index.js",
     "license": "MIT",
     "type": "module",

package/templates/warlock/package.json

@@ -27,13 +27,13 @@
         "@mongez/reinforcements": "^2.3.12",
         "@mongez/localization": "^3.2.1",
         "@mongez/supportive-is": "^2.0.4",
-        "@warlock.js/auth": "4.0.29",
-        "@warlock.js/cache": "4.0.29",
-        "@warlock.js/cascade": "4.0.29",
-        "@warlock.js/scheduler": "4.0.29",
-        "@warlock.js/core": "4.0.29",
-        "@warlock.js/logger": "4.0.29",
-        "@warlock.js/seal": "4.0.29",
+        "@warlock.js/auth": "4.0.30",
+        "@warlock.js/cache": "4.0.30",
+        "@warlock.js/cascade": "4.0.30",
+        "@warlock.js/scheduler": "4.0.30",
+        "@warlock.js/core": "4.0.30",
+        "@warlock.js/logger": "4.0.30",
+        "@warlock.js/seal": "4.0.30",
         "dayjs": "^1.11.13"
     },
     "devDependencies": {

package/templates/warlock/src/app/auth/controllers/forgot-password.controller.ts

@@ -0,0 +1,46 @@
+import { t, v, type Request, type RequestHandler, type Response } from "@warlock.js/core";
+import { usersRepository } from "app/users/repositories/users.repository";
+import { createOtpService } from "../services/otp.service";
+
+/**
+ * Forgot password controller
+ * POST /auth/forgot-password
+ */
+export const forgotPassword: RequestHandler = async (request: Request, response: Response) => {
+  const { email } = request.validated();
+
+  // Find user by email (silent fail for security)
+  const user = await usersRepository.first({ email });
+
+  if (!user) {
+    return response.notFound({
+      error: t("auth.userNotFound"),
+    });
+  }
+
+  // Create OTP
+  const otp = await createOtpService({
+    target: email,
+    channel: "email",
+    type: "password-reset",
+    userId: user.id,
+    userType: user.userType,
+  });
+
+  // TODO: Send email with OTP code
+  // await sendPasswordResetEmail(user, otp.get("code"));
+  console.log(`[DEV] Password reset OTP for ${email}: ${otp.get("code")}`);
+
+  // Always return success for security (don't reveal if email exists)
+  return response.success({
+    message: t("auth.otpSent"),
+  });
+};
+
+forgotPassword.description = "Request password reset";
+
+forgotPassword.validation = {
+  schema: v.object({
+    email: v.string().email().required(),
+  }),
+};

package/templates/warlock/src/app/auth/controllers/login.controller.ts

@@ -0,0 +1,31 @@
+import { t, type RequestHandler, type Response } from "@warlock.js/core";
+import { loginSchema, type LoginRequest } from "../requests/login.request";
+import { loginService } from "../services/auth.service";
+
+/**
+ * Login controller
+ * POST /auth/login
+ */
+export const login: RequestHandler = async (request: LoginRequest, response: Response) => {
+  const result = await loginService(request.validated(), {
+    userAgent: request.userAgent,
+    ip: request.ip,
+  });
+
+  if (!result) {
+    return response.unauthorized({
+      error: t("auth.invalidCredentials"),
+    });
+  }
+
+  return response.success({
+    user: result.user,
+    ...result.tokens,
+  });
+};
+
+login.description = "User Login";
+
+login.validation = {
+  schema: loginSchema,
+};

package/templates/warlock/src/app/auth/controllers/logout-all.controller.ts

@@ -0,0 +1,16 @@
+import { t, type Request, type RequestHandler, type Response } from "@warlock.js/core";
+import { logoutAllService } from "../services/auth.service";
+
+/**
+ * Logout from all devices controller
+ * POST /auth/logout-all
+ */
+export const logoutAll: RequestHandler = async (request: Request, response: Response) => {
+  await logoutAllService(request.user);
+
+  return response.success({
+    message: t("auth.loggedOutAll"),
+  });
+};
+
+logoutAll.description = "Logout from all devices";

package/templates/warlock/src/app/auth/controllers/logout.controller.ts

@@ -0,0 +1,16 @@
+import { t, type Request, type RequestHandler, type Response } from "@warlock.js/core";
+import { logoutService } from "../services/auth.service";
+
+/**
+ * Logout controller
+ * POST /auth/logout
+ */
+export const logout: RequestHandler = async (request: Request, response: Response) => {
+  await logoutService(request.user);
+
+  return response.success({
+    message: t("auth.loggedOut"),
+  });
+};
+
+logout.description = "User Logout";

package/templates/warlock/src/app/auth/controllers/me.controller.ts

@@ -0,0 +1,13 @@
+import { type Request, type RequestHandler, type Response } from "@warlock.js/core";
+
+/**
+ * Get current user controller
+ * GET /auth/me
+ */
+export const me: RequestHandler = async (request: Request, response: Response) => {
+  return response.success({
+    user: request.user,
+  });
+};
+
+me.description = "Get Current User";

package/templates/warlock/src/app/auth/controllers/refresh-token.controller.ts

@@ -0,0 +1,31 @@
+import { t, v, type Request, type RequestHandler, type Response } from "@warlock.js/core";
+import { refreshTokensService } from "../services/auth.service";
+
+/**
+ * Refresh token controller
+ * POST /auth/refresh-token
+ */
+export const refreshToken: RequestHandler = async (request: Request, response: Response) => {
+  const token = request.input("refreshToken");
+
+  const result = await refreshTokensService(token, {
+    userAgent: request.userAgent,
+    ip: request.ip,
+  });
+
+  if (!result) {
+    return response.unauthorized({
+      error: t("auth.invalidRefreshToken"),
+    });
+  }
+
+  return response.success(result);
+};
+
+refreshToken.description = "Refresh Access Token";
+
+refreshToken.validation = {
+  schema: v.object({
+    refreshToken: v.string().required(),
+  }),
+};

package/templates/warlock/src/app/auth/controllers/reset-password.controller.ts

@@ -0,0 +1,25 @@
+import { t, type Response } from "@warlock.js/core";
+import { resetPasswordSchema, type ResetPasswordRequest } from "../requests/reset-password.request";
+import { resetPasswordService } from "../services/reset-password.service";
+
+/**
+ * Reset password controller
+ */
+export const resetPasswordController = async (
+  request: ResetPasswordRequest,
+  response: Response,
+) => {
+  const { email, code, newPassword } = request.validated();
+
+  await resetPasswordService(email, code, newPassword);
+
+  return response.success({
+    message: t("auth.passwordResetSuccess"),
+  });
+};
+
+resetPasswordController.description = "Reset password with OTP";
+
+resetPasswordController.validation = {
+  schema: resetPasswordSchema,
+};

package/templates/warlock/src/app/auth/main.ts

@@ -0,0 +1,9 @@
+import { onceConnected } from "@warlock.js/cascade";
+import { Job } from "@warlock.js/scheduler";
+import { scheduler } from "app/shared/services/scheduler.service";
+import { cleanupExpiredOtpsService } from "./services/otp.service";
+
+onceConnected(() => {
+  const cleanupJob = new Job("cleanup-expired-otps", cleanupExpiredOtpsService).everyHour();
+  scheduler.addJob(cleanupJob);
+});

package/templates/warlock/src/app/auth/models/otp/index.ts

@@ -0,0 +1 @@
+export * from "./otp.model";

package/templates/warlock/src/app/auth/models/otp/migrations/22-12-2025_10-30-20.otp-migration.ts

@@ -0,0 +1,22 @@
+import { migrationOffice } from "@warlock.js/cascade";
+import { OTP } from "../otp.model";
+
+const otpBlueprint = OTP.blueprint();
+
+export default migrationOffice.register({
+  name: "otp",
+  createdAt: "22-12-2025_10-30-20",
+  blueprint: otpBlueprint,
+  up: async () => {
+    await otpBlueprint.index("code");
+    await otpBlueprint.index(["target", "type"]);
+    await otpBlueprint.index("expiresAt");
+    await otpBlueprint.index("userId");
+  },
+  down: async () => {
+    await otpBlueprint.dropIndex("code");
+    await otpBlueprint.dropIndex("target", "type");
+    await otpBlueprint.dropIndex("expiresAt");
+    await otpBlueprint.dropIndex("userId");
+  },
+});

package/templates/warlock/src/app/auth/models/otp/otp.model.ts

@@ -0,0 +1,75 @@
+import { Model, type Casts, type Document } from "@warlock.js/cascade";
+
+export class OTP extends Model {
+  /**
+   * Collection name
+   */
+  public static collection = "otps";
+
+  /**
+   * Default value for model data
+   */
+  public defaultValue: Document = {
+    attempts: 0,
+    maxAttempts: 5,
+  };
+
+  /**
+   * Cast data types before saving
+   */
+  protected casts: Casts = {
+    code: "string",
+    type: "string",
+    target: "string",
+    channel: "string",
+    userId: "number",
+    userType: "string",
+    expiresAt: "date",
+    usedAt: "date",
+    attempts: "number",
+    maxAttempts: "number",
+    metadata: "object",
+  };
+
+  /**
+   * Check if OTP is valid (not expired, not used, not max attempts)
+   */
+  public get isValid(): boolean {
+    if (this.get("usedAt")) return false;
+    if (this.get("attempts") >= this.get("maxAttempts")) return false;
+    if (new Date() > new Date(this.get("expiresAt"))) return false;
+    return true;
+  }
+
+  /**
+   * Check if OTP is expired
+   */
+  public get isExpired(): boolean {
+    return new Date() > new Date(this.get("expiresAt"));
+  }
+
+  /**
+   * Check if max attempts exceeded
+   */
+  public get isMaxAttemptsExceeded(): boolean {
+    return this.get("attempts") >= this.get("maxAttempts");
+  }
+
+  /**
+   * Mark OTP as used
+   */
+  public async markAsUsed(): Promise<this> {
+    return this.save({
+      usedAt: new Date(),
+    });
+  }
+
+  /**
+   * Increment failed attempt
+   */
+  public async incrementAttempt(): Promise<this> {
+    return this.save({
+      attempts: this.get("attempts") + 1,
+    });
+  }
+}

package/templates/warlock/src/app/auth/requests/login.request.ts

@@ -0,0 +1,10 @@
+import { v, type Infer, type Request } from "@warlock.js/core";
+
+export const loginSchema = v.object({
+  email: v.string().email().required(),
+  password: v.string().required(),
+});
+
+export type LoginSchema = Infer<typeof loginSchema>;
+
+export type LoginRequest = Request<undefined, LoginSchema>;

package/templates/warlock/src/app/auth/requests/reset-password.request.ts

@@ -0,0 +1,11 @@
+import { v, type Infer, type Request } from "@warlock.js/core";
+
+export const resetPasswordSchema = v.object({
+  email: v.string().email().required(),
+  code: v.string().required(),
+  newPassword: v.string().min(8).required(),
+});
+
+export type ResetPasswordSchema = Infer<typeof resetPasswordSchema>;
+
+export type ResetPasswordRequest = Request<undefined, ResetPasswordSchema>;

package/templates/warlock/src/app/auth/routes.ts

@@ -0,0 +1,22 @@
+import { router } from "@warlock.js/core";
+import { guarded } from "app/utils/router";
+import { forgotPassword } from "./controllers/forgot-password.controller";
+import { login } from "./controllers/login.controller";
+import { logoutAll } from "./controllers/logout-all.controller";
+import { logout } from "./controllers/logout.controller";
+import { me } from "./controllers/me.controller";
+import { refreshToken } from "./controllers/refresh-token.controller";
+import { resetPasswordController } from "./controllers/reset-password.controller";
+
+// Auth routes
+router.prefix("/auth", () => {
+  router.post("/login", login);
+  router.post("/refresh-token", refreshToken);
+  router.post("/forgot-password", forgotPassword);
+  router.post("/reset-password", resetPasswordController);
+  guarded(() => {
+    router.post("/logout", logout);
+    router.post("/logout-all", logoutAll);
+    router.get("/me", me);
+  });
+});

package/templates/warlock/src/app/auth/services/auth.service.ts

@@ -0,0 +1,47 @@
+import type { Auth } from "@warlock.js/auth";
+import { authService, type DeviceInfo, type TokenPair } from "@warlock.js/auth";
+import { User } from "app/users/models/user";
+
+export type LoginCredentials = {
+  email: string;
+  password: string;
+};
+
+export type LoginResult = {
+  user: Auth;
+  tokens: TokenPair;
+};
+
+/**
+ * Login with email and password
+ */
+export async function loginService(
+  credentials: LoginCredentials,
+  deviceInfo?: DeviceInfo,
+): Promise<LoginResult | null> {
+  return authService.login(User, credentials, deviceInfo);
+}
+
+/**
+ * Logout user
+ */
+export async function logoutService(user: Auth): Promise<void> {
+  return authService.logout(user);
+}
+
+/**
+ * Logout from all devices
+ */
+export async function logoutAllService(user: Auth): Promise<void> {
+  return authService.revokeAllTokens(user);
+}
+
+/**
+ * Refresh tokens
+ */
+export async function refreshTokensService(
+  refreshToken: string,
+  deviceInfo?: DeviceInfo,
+): Promise<TokenPair | null> {
+  return authService.refreshTokens(refreshToken, deviceInfo);
+}

package/templates/warlock/src/app/auth/services/otp.service.ts

@@ -0,0 +1,174 @@
+import type { Duration } from "@warlock.js/auth";
+import { ForbiddenError, t } from "@warlock.js/core";
+import { OTP } from "../models/otp";
+import { AuthErrorCode } from "../utils/auth-error-code";
+import type { OTPChannel, OTPType } from "../utils/types";
+
+// Default OTP expiration
+const DEFAULT_OTP_EXPIRATION: Duration = { minutes: 15 };
+
+// Parse duration to milliseconds
+function parseDurationToMs(duration: Duration): number {
+  let ms = 0;
+  if (duration.milliseconds) ms += duration.milliseconds;
+  if (duration.seconds) ms += duration.seconds * 1000;
+  if (duration.minutes) ms += duration.minutes * 60 * 1000;
+  if (duration.hours) ms += duration.hours * 60 * 60 * 1000;
+  if (duration.days) ms += duration.days * 24 * 60 * 60 * 1000;
+  if (duration.weeks) ms += duration.weeks * 7 * 24 * 60 * 60 * 1000;
+  return ms;
+}
+
+export type CreateOTPOptions = {
+  target: string;
+  channel: OTPChannel;
+  type: OTPType;
+  userId?: number;
+  userType?: string;
+  expiresIn?: Duration;
+  length?: number;
+  alphanumeric?: boolean;
+  maxAttempts?: number;
+  metadata?: object;
+};
+
+/**
+ * Generate OTP code
+ */
+function generateCode(length: number = 6, alphanumeric: boolean = false): string {
+  if (alphanumeric) {
+    // Generate alphanumeric code
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    let code = "";
+    for (let i = 0; i < length; i++) {
+      code += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    return code;
+  }
+  // Generate numeric code
+  const min = Math.pow(10, length - 1);
+  const max = Math.pow(10, length) - 1;
+  return Math.floor(min + Math.random() * (max - min + 1)).toString();
+}
+
+/**
+ * Create a new OTP
+ */
+export async function createOtpService(options: CreateOTPOptions): Promise<OTP> {
+  const {
+    target,
+    channel,
+    type,
+    userId,
+    userType,
+    expiresIn = DEFAULT_OTP_EXPIRATION,
+    length = 6,
+    alphanumeric = false,
+    maxAttempts = 5,
+    metadata,
+  } = options;
+
+  // Invalidate any existing unused OTPs for this target+type
+  await cleanupOtpService(target, type);
+
+  const code = generateCode(length, alphanumeric);
+  const expiresAt = new Date(Date.now() + parseDurationToMs(expiresIn));
+
+  return OTP.create({
+    code,
+    type,
+    target,
+    channel,
+    userId,
+    userType,
+    expiresAt,
+    maxAttempts,
+    metadata,
+  });
+}
+
+/**
+ * Verify an OTP
+ */
+export async function verifyOtpService(
+  code: string,
+  target: string,
+  type: OTPType,
+): Promise<OTP | never> {
+  const otp = await OTP.first({
+    code,
+    target,
+    type,
+    usedAt: null,
+  });
+
+  if (!otp) {
+    throw new ForbiddenError(t("auth.missingOtp"), {
+      errorCode: AuthErrorCode.OTP_NOT_FOUND,
+    });
+  }
+
+  if (otp.isExpired) {
+    throw new ForbiddenError(t("auth.otpExpired"), {
+      errorCode: AuthErrorCode.OTP_EXPIRED,
+    });
+  }
+
+  if (otp.isMaxAttemptsExceeded) {
+    throw new ForbiddenError(t("auth.otpMaxAttempts"), {
+      errorCode: AuthErrorCode.OTP_MAX_ATTEMPTS,
+    });
+  }
+
+  // Verify code matches
+  if (otp.get("code") !== code) {
+    await otp.incrementAttempt();
+    throw new ForbiddenError(t("auth.otpInvalid"), {
+      errorCode: AuthErrorCode.OTP_INVALID,
+    });
+  }
+
+  // Mark as used
+  await otp.markAsUsed();
+
+  return otp;
+}
+
+export async function cleanupOtpService(target: string, type: OTPType): Promise<void> {
+  await OTP.delete({
+    target,
+    type,
+    usedAt: null,
+  });
+}
+
+/**
+ * Resend OTP (invalidate old and create new)
+ */
+export async function resendOtpService(
+  target: string,
+  type: OTPType,
+  channel: OTPChannel,
+  options?: Partial<CreateOTPOptions>,
+): Promise<OTP> {
+  await cleanupOtpService(target, type);
+  return createOtpService({
+    target,
+    type,
+    channel,
+    ...options,
+  });
+}
+
+/**
+ * Cleanup expired OTPs
+ */
+export async function cleanupExpiredOtpsService(): Promise<number> {
+  const expiredOtps = await OTP.aggregate().where("expiresAt", "<", new Date()).get();
+
+  for (const otp of expiredOtps) {
+    await otp.destroy();
+  }
+
+  return expiredOtps.length;
+}

package/templates/warlock/src/app/auth/services/reset-password.service.ts

@@ -0,0 +1,35 @@
+import { authService } from "@warlock.js/auth";
+import { BadRequestError, t } from "@warlock.js/core";
+import { User } from "app/users/models/user";
+import { AuthErrorCode } from "../utils/auth-error-code";
+import { verifyOtpService } from "./otp.service";
+
+/**
+ * Reset user password using OTP verification
+ */
+export async function resetPasswordService(
+  email: string,
+  code: string,
+  newPassword: string,
+): Promise<User> {
+  // Verify OTP
+  const otp = await verifyOtpService(code, email, "password-reset");
+
+  // Find user
+  const user = await User.find(otp.get("userId"));
+
+  if (!user) {
+    throw new BadRequestError(t("auth.otpInvalid"), {
+      errorCode: AuthErrorCode.OTP_INVALID,
+    });
+  }
+
+  // Update password
+  await user.save({ password: newPassword });
+
+  // Revoke all tokens (force re-login)
+  // Or make it an option through user decision.
+  await authService.revokeAllTokens(user);
+
+  return user;
+}

package/templates/warlock/src/app/auth/utils/auth-error-code.ts

@@ -0,0 +1,6 @@
+export enum AuthErrorCode {
+  OTP_NOT_FOUND = "OTX001", // OTP Not Found
+  OTP_EXPIRED = "OTX002", // OTP Expired
+  OTP_MAX_ATTEMPTS = "OTX003", // OTP Max Attempts
+  OTP_INVALID = "OTX004", // OTP Invalid
+}