i18n-dashboard 0.11.0 → 0.12.1

package/README.md

@@ -70,6 +70,7 @@
 - **GitHub Actions CI** — E2E tests run automatically on every push to `develop` and `main`; Cypress screenshots uploaded as artifacts on failure
 - **Vitest unit test suite** — 344 unit tests covering all composables, services, and server utilities; runs in under 2 minutes with zero infrastructure required
 - **Dual CI pipelines** — unit tests (`unit.yml`) and E2E tests (`e2e.yml`) run in parallel on every push; any regression blocks the pipeline
+- **`src/` layout** — all source files live under `src/` (components, composables, pages, server, services, etc.) for a clean project root
 ---
 
 ## Requirements

package/nuxt.config.ts

@@ -3,6 +3,9 @@ export default defineNuxtConfig({
   compatibilityDate: '2025-01-01',
   devtools: { enabled: false },
 
+  srcDir: 'src',
+  serverDir: 'src/server',
+
   modules: ['@nuxt/ui'],
 
   css: ['~/assets/css/main.css'],
@@ -51,7 +54,7 @@ export default defineNuxtConfig({
     serverAssets: [
       {
         baseName: 'locales',
-        dir: './assets/locales',
+        dir: './src/assets/locales',
       },
     ],
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "i18n-dashboard",
-  "version": "0.11.0",
+  "version": "0.12.1",
   "description": "A web dashboard to manage vue-i18n translation keys with database persistence",
   "type": "module",
   "bin": {
@@ -50,22 +50,8 @@
     "node": ">=18.0.0"
   },
   "files": [
-    "assets/",
+    "src/",
     "bin/",
-    "components/",
-    "composables/",
-    "consts/",
-    "enums/",
-    "interfaces/",
-    "layouts/",
-    "middleware/",
-    "pages/",
-    "plugins/",
-    "server/",
-    "services/",
-    "types/",
-    "utils/",
-    "app.vue",
     "nuxt.config.ts",
     "tsconfig.json",
     "i18n-dashboard.config.example.js"

package/{server → src/server}/api/auth/login.post.ts

@@ -1,6 +1,6 @@
 import bcrypt from 'bcryptjs'
 import { getDb } from '../../db/index'
-import { getSession } from '../../utils/auth.util'
+import { getSession, createRefreshToken } from '../../utils/auth.util'
 
 export default defineEventHandler(async (event) => {
   const { email, password } = await readBody(event)
@@ -19,9 +19,10 @@ export default defineEventHandler(async (event) => {
   // Update last login
   await db('users').where({ id: user.id }).update({ last_login_at: db.fn.now() })
 
-  // Set session
+  // Issue session (15 min) + refresh token (7 days, HttpOnly cookie)
   const session = await getSession(event)
   await session.update({ userId: user.id })
+  await createRefreshToken(event, user.id)
 
   const { password_hash, ...safeUser } = user
   return safeUser

package/src/server/api/auth/logout.post.ts

@@ -0,0 +1,11 @@
+import { getSession, clearRefreshToken } from '../../utils/auth.util'
+
+export default defineEventHandler(async (event) => {
+  const session = await getSession(event)
+  const userId = (session.data as any).userId as number | undefined
+
+  await clearRefreshToken(event, userId)
+  await session.clear()
+
+  return { success: true }
+})

package/src/server/api/auth/refresh.post.ts

@@ -0,0 +1,12 @@
+import { verifyAndRotateRefreshToken, getUserProfile } from '../../utils/auth.util'
+
+export default defineEventHandler(async (event) => {
+  const userId = await verifyAndRotateRefreshToken(event)
+
+  const user = await getUserProfile(userId)
+  if (!user || !user.is_active) {
+    throw createError({ statusCode: 401, message: 'Compte désactivé' })
+  }
+
+  return user
+})

package/{server → src/server}/api/setup.post.ts

@@ -1,6 +1,6 @@
 import bcrypt from 'bcryptjs'
 import { getDb } from '../db/index'
-import { getSession } from '../utils/auth.util'
+import { getSession, createRefreshToken } from '../utils/auth.util'
 
 export default defineEventHandler(async (event) => {
   const db = getDb()
@@ -29,9 +29,10 @@ export default defineEventHandler(async (event) => {
     is_active: true,
   })
 
-  // Auto-login
+  // Auto-login: session (15 min) + refresh token (7 days)
   const session = await getSession(event)
   await session.update({ userId: id })
+  await createRefreshToken(event, id)
 
   console.log(`[i18n-dashboard] Super admin créé : ${email}`)
 

package/{server → src/server}/consts/commons.const.ts

@@ -2,6 +2,7 @@ export const PUBLIC_ROUTES = [
 	'/api/auth/login',
 	'/api/auth/logout',
 	'/api/auth/me',
+	'/api/auth/refresh',
 	'/api/auth/status',
 	'/api/setup',
 	'/api/ui-locale',

package/{server → src/server}/db/index.ts

@@ -1017,4 +1017,18 @@ export async function initDb(): Promise<void> {
   await addColumnIfMissing(db, 'projects', 'git_repos', (t) =>
     t.text('git_repos').nullable(),
   )
+
+  // ── refresh_tokens ────────────────────────────────────────────────────────
+  const hasRefreshTokens = await db.schema.hasTable('refresh_tokens')
+  if (!hasRefreshTokens) {
+    await db.schema.createTable('refresh_tokens', (table) => {
+      table.increments('id').primary()
+      table.integer('user_id').notNullable().references('id').inTable('users').onDelete('CASCADE')
+      table.string('token_hash', 64).notNullable() // SHA-256 hex of the raw token
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('created_at').defaultTo(db.fn.now())
+      table.index(['user_id'])
+      table.index(['token_hash'])
+    })
+  }
 }

package/src/server/utils/auth.util.ts

@@ -0,0 +1,185 @@
+import { randomBytes, createHash } from 'node:crypto'
+import type { H3Event } from 'h3'
+import { useSession, getCookie, setCookie, deleteCookie } from 'h3'
+import { useRuntimeConfig } from '#imports'
+
+import { getDb } from '../db/index'
+import { ROLES } from '../enums/auth.enum'
+import type { Role } from '../types/auth.type'
+
+// ── Constants ─────────────────────────────────────────────────────────────────
+
+const REFRESH_COOKIE = 'i18n-refresh-token'
+const REFRESH_TTL_SECONDS = 60 * 60 * 24 * 7 // 7 days
+
+// ── Session (access token) ─────────────────────────────────────────────────────
+
+export function sessionConfig() {
+  const config = useRuntimeConfig()
+  return {
+    password: config.sessionSecret as string,
+    name: 'i18n-dashboard-session',
+    maxAge: 60 * 15, // 15 minutes
+  }
+}
+
+/** Get the current session data */
+export async function getSession(event: H3Event) {
+  return useSession(event, sessionConfig())
+}
+
+/** Require a logged-in user. Returns user row or throws 401. */
+export async function requireAuth(event: H3Event) {
+  const session = await getSession(event)
+  const userId = (session.data as any).userId
+  if (!userId) throw createError({ statusCode: 401, message: 'Non authentifié' })
+
+  const db = getDb()
+  const user = await db('users').where({ id: userId, is_active: true }).first()
+  if (!user) throw createError({ statusCode: 401, message: 'Session invalide' })
+
+  return user
+}
+
+// ── Refresh token helpers ──────────────────────────────────────────────────────
+
+function hashToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex')
+}
+
+/**
+ * Issue a new refresh token for a user.
+ * Stores the SHA-256 hash in DB and sets an HttpOnly cookie.
+ * Also removes expired tokens for that user (housekeeping).
+ */
+export async function createRefreshToken(event: H3Event, userId: number): Promise<void> {
+  const db = getDb()
+  const token = randomBytes(32).toString('hex')
+  const hash = hashToken(token)
+  const expiresAt = new Date(Date.now() + REFRESH_TTL_SECONDS * 1000)
+
+  // Housekeeping: remove expired tokens for this user
+  await db('refresh_tokens')
+    .where({ user_id: userId })
+    .where('expires_at', '<', new Date())
+    .delete()
+
+  await db('refresh_tokens').insert({
+    user_id: userId,
+    token_hash: hash,
+    expires_at: expiresAt,
+  })
+
+  setCookie(event, REFRESH_COOKIE, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: REFRESH_TTL_SECONDS,
+    path: '/',
+  })
+}
+
+/**
+ * Verify the refresh token cookie, rotate it (delete old, issue new),
+ * and return the associated userId.
+ * Throws 401 if invalid or expired.
+ */
+export async function verifyAndRotateRefreshToken(event: H3Event): Promise<number> {
+  const token = getCookie(event, REFRESH_COOKIE)
+  if (!token) throw createError({ statusCode: 401, message: 'Refresh token manquant' })
+
+  const hash = hashToken(token)
+  const db = getDb()
+  const row = await db('refresh_tokens')
+    .where({ token_hash: hash })
+    .where('expires_at', '>', new Date())
+    .first()
+
+  if (!row) throw createError({ statusCode: 401, message: 'Refresh token invalide ou expiré' })
+
+  // Rotation: delete consumed token immediately
+  await db('refresh_tokens').where({ id: row.id }).delete()
+
+  const userId = row.user_id
+
+  // Issue new session + new refresh token
+  const session = await getSession(event)
+  await session.update({ userId })
+  await createRefreshToken(event, userId)
+
+  return userId
+}
+
+/**
+ * Delete all refresh tokens for a user and clear the cookie.
+ */
+export async function clearRefreshToken(event: H3Event, userId?: number): Promise<void> {
+  const db = getDb()
+  if (userId) {
+    await db('refresh_tokens').where({ user_id: userId }).delete()
+  } else {
+    // Best-effort: delete by hash from cookie
+    const token = getCookie(event, REFRESH_COOKIE)
+    if (token) {
+      await db('refresh_tokens').where({ token_hash: hashToken(token) }).delete()
+    }
+  }
+  deleteCookie(event, REFRESH_COOKIE, { path: '/' })
+}
+
+// ── Role helpers ───────────────────────────────────────────────────────────────
+
+/** Get effective role for a user on a specific project. Returns null if no access. */
+export async function getUserRole(userId: number, projectId: number): Promise<Role | null> {
+  const db = getDb()
+
+  // Specific project role takes priority
+  const specific = await db('user_project_roles')
+    .where({ user_id: userId, project_id: projectId })
+    .first()
+  if (specific) return specific.role as Role
+
+  // Global role (project_id IS NULL) — access to all projects
+  const global_ = await db('user_project_roles')
+    .where({ user_id: userId })
+    .whereNull('project_id')
+    .first()
+  if (global_) return global_.role as Role
+
+  return null
+}
+
+/** Check if user can edit translations (translator+) */
+export function canEdit(role: Role | null, isSuperAdmin: boolean) {
+  return isSuperAdmin || role !== null
+}
+
+/** Check if user can approve translations (moderator+) */
+export function canApprove(role: Role | null, isSuperAdmin: boolean) {
+  return isSuperAdmin || role === ROLES.MODERATOR || role === ROLES.ADMIN
+}
+
+/** Check if user can manage project settings, scan, sync (admin+) */
+export function canManageProject(role: Role | null, isSuperAdmin: boolean) {
+  return isSuperAdmin || role === ROLES.ADMIN
+}
+
+/** Check if user can manage users (admin+ of that project, or super_admin) */
+export function canManageUsers(role: Role | null, isSuperAdmin: boolean) {
+  return isSuperAdmin || role === ROLES.ADMIN
+}
+
+/** Full user profile with roles */
+export async function getUserProfile(userId: number) {
+  const db = getDb()
+  const user = await db('users').where({ id: userId }).first()
+  if (!user) return null
+
+  const roles = await db('user_project_roles as r')
+    .leftJoin('projects as p', 'r.project_id', 'p.id')
+    .where('r.user_id', userId)
+    .select('r.role', 'r.project_id', 'p.name as project_name')
+
+  const { password_hash, ...safeUser } = user
+  return { ...safeUser, roles }
+}

package/{services → src/services}/base.service.ts

@@ -39,7 +39,7 @@ export abstract class BaseService {
 
   private async _tryRefresh(): Promise<boolean> {
     if (_refreshing) return _refreshing
-    _refreshing = $fetch('/api/auth/me')
+    _refreshing = $fetch('/api/auth/refresh', { method: 'POST' })
       .then(() => true)
       .catch(() => false)
       .finally(() => { _refreshing = null })

package/server/api/auth/logout.post.ts

@@ -1,7 +0,0 @@
-import { getSession } from '../../utils/auth.util'
-
-export default defineEventHandler(async (event) => {
-  const session = await getSession(event)
-  await session.clear()
-  return { success: true }
-})

package/server/utils/auth.util.ts

@@ -1,89 +0,0 @@
-import type { H3Event } from 'h3'
-import { useSession } from 'h3'
-import { useRuntimeConfig } from '#imports'
-
-import { getDb } from '../db/index'
-import { ROLES } from '../enums/auth.enum'
-import type { Role } from '../types/auth.type'
-
-export function sessionConfig() {
-  const config = useRuntimeConfig()
-  return {
-    password: config.sessionSecret as string,
-    name: 'i18n-dashboard-session',
-    maxAge: 60 * 60 * 24 * 7, // 7 days
-  }
-}
-
-/** Get the current session data */
-export async function getSession(event: H3Event) {
-  return useSession(event, sessionConfig())
-}
-
-/** Require a logged-in user. Returns user row or throws 401. */
-export async function requireAuth(event: H3Event) {
-  const session = await getSession(event)
-  const userId = (session.data as any).userId
-  if (!userId) throw createError({ statusCode: 401, message: 'Non authentifié' })
-
-  const db = getDb()
-  const user = await db('users').where({ id: userId, is_active: true }).first()
-  if (!user) throw createError({ statusCode: 401, message: 'Session invalide' })
-
-  return user
-}
-
-/** Get effective role for a user on a specific project. Returns null if no access. */
-export async function getUserRole(userId: number, projectId: number): Promise<Role | null> {
-  const db = getDb()
-
-  // Specific project role takes priority
-  const specific = await db('user_project_roles')
-    .where({ user_id: userId, project_id: projectId })
-    .first()
-  if (specific) return specific.role as Role
-
-  // Global role (project_id IS NULL) — access to all projects
-  const global_ = await db('user_project_roles')
-    .where({ user_id: userId })
-    .whereNull('project_id')
-    .first()
-  if (global_) return global_.role as Role
-
-  return null
-}
-
-/** Check if user can edit translations (translator+) */
-export function canEdit(role: Role | null, isSuperAdmin: boolean) {
-  return isSuperAdmin || role !== null
-}
-
-/** Check if user can approve translations (moderator+) */
-export function canApprove(role: Role | null, isSuperAdmin: boolean) {
-  return isSuperAdmin || role === ROLES.MODERATOR || role === ROLES.ADMIN
-}
-
-/** Check if user can manage project settings, scan, sync (admin+) */
-export function canManageProject(role: Role | null, isSuperAdmin: boolean) {
-  return isSuperAdmin || role === ROLES.ADMIN
-}
-
-/** Check if user can manage users (admin+ of that project, or super_admin) */
-export function canManageUsers(role: Role | null, isSuperAdmin: boolean) {
-  return isSuperAdmin || role === ROLES.ADMIN
-}
-
-/** Full user profile with roles */
-export async function getUserProfile(userId: number) {
-  const db = getDb()
-  const user = await db('users').where({ id: userId }).first()
-  if (!user) return null
-
-  const roles = await db('user_project_roles as r')
-    .leftJoin('projects as p', 'r.project_id', 'p.id')
-    .where('r.user_id', userId)
-    .select('r.role', 'r.project_id', 'p.name as project_name')
-
-  const { password_hash, ...safeUser } = user
-  return { ...safeUser, roles }
-}