insforge 0.3.3 → 1.3.0

package/auth/src/lib/utils.ts

@@ -0,0 +1,11 @@
+import { type ClassValue, clsx } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}
+
+export const getBackendUrl = () => {
+  const isHttp = window.location.protocol === 'http:';
+  return isHttp ? 'http://localhost:7130' : window.location.origin;
+};

package/auth/src/main.tsx

@@ -0,0 +1,22 @@
+import { StrictMode } from 'react';
+import { createRoot } from 'react-dom/client';
+import { BrowserRouter } from 'react-router-dom';
+import { InsforgeProvider } from '@insforge/react';
+import './index.css';
+import App from './App';
+import { getBackendUrl } from './lib/utils';
+
+const backendUrl = getBackendUrl();
+
+const rootElement = document.getElementById('root');
+if (rootElement) {
+  createRoot(rootElement).render(
+    <StrictMode>
+      <BrowserRouter>
+        <InsforgeProvider baseUrl={backendUrl}>
+          <App />
+        </InsforgeProvider>
+      </BrowserRouter>
+    </StrictMode>
+  );
+}

package/auth/src/pages/ForgotPasswordPage.tsx

@@ -0,0 +1,11 @@
+import { ForgotPassword } from '@insforge/react';
+
+export function ForgotPasswordPage() {
+  return (
+    <ForgotPassword
+      onError={(error) => {
+        console.error('Failed to send reset code:', error);
+      }}
+    />
+  );
+}

package/auth/src/pages/ResetPasswordPage.tsx

@@ -0,0 +1,11 @@
+import { ResetPassword } from '@insforge/react';
+
+export function ResetPasswordPage() {
+  return (
+    <ResetPassword
+      onError={(error) => {
+        console.error('Failed to reset password:', error);
+      }}
+    />
+  );
+}

package/auth/src/pages/SignInPage.tsx

@@ -0,0 +1,60 @@
+import { useCallback, useEffect } from 'react';
+import { useSearchParams } from 'react-router-dom';
+import { SignIn } from '@insforge/react';
+import broadcastService, { BroadcastEventType, BroadcastEvent } from '../lib/broadcastService';
+import { ErrorCard } from '../components/ErrorCard';
+
+export function SignInPage() {
+  const [searchParams] = useSearchParams();
+  const redirectUrl = searchParams.get('redirect');
+
+  // Listen for email verification success from other tabs
+  useEffect(() => {
+    if (!redirectUrl) {
+      return;
+    }
+
+    const unsubscribeVerified = broadcastService.subscribe(
+      BroadcastEventType.EMAIL_VERIFIED_SUCCESS,
+      (event: BroadcastEvent) => {
+        const { accessToken, user, csrfToken } = event.data || {};
+        if (accessToken && user) {
+          // Email verified in another tab, redirect with token
+          try {
+            const finalUrl = new URL(redirectUrl, window.location.origin);
+            const params = new URLSearchParams();
+            params.set('access_token', accessToken);
+            params.set('user_id', user.id);
+            params.set('email', user.email);
+            params.set('name', user.name);
+            if (csrfToken) {
+              params.set('csrf_token', csrfToken);
+            }
+            finalUrl.search = params.toString();
+            window.location.href = finalUrl.toString();
+          } catch {
+            console.error('Failed to redirect to final URL');
+          }
+        }
+      }
+    );
+
+    return () => {
+      unsubscribeVerified();
+    };
+  }, [redirectUrl]);
+
+  const handleError = useCallback((error: Error) => {
+    console.error('Sign in failed:', error);
+  }, []);
+
+  if (!redirectUrl) {
+    return (
+      <ErrorCard title="Missing Redirect URL">
+        <p>No redirect URL provided. Please check the URL and try again.</p>
+      </ErrorCard>
+    );
+  }
+
+  return <SignIn onError={handleError} />;
+}

package/auth/src/pages/SignUpPage.tsx

@@ -0,0 +1,60 @@
+import { useCallback, useEffect } from 'react';
+import { useSearchParams } from 'react-router-dom';
+import { SignUp } from '@insforge/react';
+import broadcastService, { BroadcastEventType, BroadcastEvent } from '../lib/broadcastService';
+import { ErrorCard } from '../components/ErrorCard';
+
+export function SignUpPage() {
+  const [searchParams] = useSearchParams();
+  const redirectUrl = searchParams.get('redirect');
+
+  // Listen for email verification success from other tabs
+  useEffect(() => {
+    if (!redirectUrl) {
+      return;
+    }
+
+    const unsubscribeVerified = broadcastService.subscribe(
+      BroadcastEventType.EMAIL_VERIFIED_SUCCESS,
+      (event: BroadcastEvent) => {
+        const { accessToken, user, csrfToken } = event.data || {};
+        if (accessToken && user) {
+          // Email verified in another tab, redirect with token
+          try {
+            const finalUrl = new URL(redirectUrl, window.location.origin);
+            const params = new URLSearchParams();
+            params.set('access_token', accessToken);
+            params.set('user_id', user.id);
+            params.set('email', user.email);
+            params.set('name', user.name);
+            if (csrfToken) {
+              params.set('csrf_token', csrfToken);
+            }
+            finalUrl.search = params.toString();
+            window.location.href = finalUrl.toString();
+          } catch {
+            console.error('Failed to redirect to final URL');
+          }
+        }
+      }
+    );
+
+    return () => {
+      unsubscribeVerified();
+    };
+  }, [redirectUrl]);
+
+  const handleError = useCallback((error: Error) => {
+    console.error('Sign up failed:', error);
+  }, []);
+
+  if (!redirectUrl) {
+    return (
+      <ErrorCard title="Missing Redirect URL">
+        <p>No redirect URL provided. Please check the URL and try again.</p>
+      </ErrorCard>
+    );
+  }
+
+  return <SignUp onError={handleError} />;
+}

package/auth/src/pages/VerifyEmailPage.tsx

@@ -0,0 +1,20 @@
+import { useSearchParams } from 'react-router-dom';
+import { VerifyEmail } from '@insforge/react';
+import broadcastService, { BroadcastEventType } from '../lib/broadcastService';
+
+export function VerifyEmailPage() {
+  const [searchParams] = useSearchParams();
+  const token = searchParams.get('token');
+
+  return (
+    <VerifyEmail
+      token={token || ''}
+      onSuccess={(data) => {
+        broadcastService.broadcast(BroadcastEventType.EMAIL_VERIFIED_SUCCESS, data);
+      }}
+      onError={(error) => {
+        console.error('Email verification failed:', error);
+      }}
+    />
+  );
+}

package/auth/src/vite-env.d.ts

@@ -0,0 +1,10 @@
+/// <reference types="vite/client" />
+/// <reference types="vite-plugin-svgr/client" />
+
+interface ImportMetaEnv {
+  readonly VITE_API_BASE_URL?: string;
+}
+
+interface ImportMeta {
+  readonly env: ImportMetaEnv;
+}

package/auth/tsconfig.json

@@ -0,0 +1,32 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "useDefineForClassFields": true,
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "noEmit": true,
+    "jsx": "react-jsx",
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+
+    /* Path mapping */
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["src"],
+  "references": [{ "path": "./tsconfig.node.json" }]
+}
+

package/auth/tsconfig.node.json

@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "composite": true,
+    "skipLibCheck": true,
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "allowSyntheticDefaultImports": true
+  },
+  "include": ["vite.config.ts"]
+}
+

package/auth/vite.config.ts

@@ -0,0 +1,25 @@
+import { defineConfig } from 'vite';
+import react from '@vitejs/plugin-react';
+import tailwindcss from '@tailwindcss/vite';
+import path from 'path';
+
+export default defineConfig({
+  base: '/auth/',
+  plugins: [react(), tailwindcss()],
+  resolve: {
+    alias: {
+      '@': path.resolve(__dirname, './src'),
+    },
+  },
+  server: {
+    port: 7132,
+    host: true,
+    strictPort: false,
+    watch: {
+      usePolling: true,
+    },
+  },
+  build: {
+    outDir: '../dist/auth',
+  },
+});

package/backend/package.json

@@ -1,75 +1,78 @@
-{
-  "name": "insforge-backend",
-  "version": "1.0.0",
-  "author": "Insforge",
-  "description": "Open source backend-as-a-service with PostgreSQL and MCP integration",
-  "type": "module",
-  "main": "../dist/server.js",
-  "scripts": {
-    "start": "node ../dist/server.js",
-    "dev": "tsx watch src/server.ts",
-    "build": "tsup",
-    "clean": "rimraf dist",
-    "prebuild": "npm run clean",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "test:ui": "vitest --ui",
-    "test:e2e": "./tests/run-all-tests.sh",
-    "migrate:up": "node-pg-migrate up --migrations-table _migrations",
-    "migrate:down": "node-pg-migrate down --migrations-table _migrations",
-    "migrate:create": "node-pg-migrate create --migrations-table _migrations",
-    "migrate:redo": "node-pg-migrate redo --migrations-table _migrations",
-    "migrate:up:local": "dotenv -e ../.env -- node-pg-migrate up --migrations-table _migrations",
-    "migrate:down:local": "dotenv -e ../.env -- node-pg-migrate down --migrations-table _migrations"
-  },
-  "keywords": [
-    "backend-as-a-service",
-    "postgresql",
-    "jwt"
-  ],
-  "dependencies": {
-    "@asteasolutions/zod-to-openapi": "^7.3.4",
-    "@aws-sdk/client-cloudwatch-logs": "^3.713.0",
-    "@aws-sdk/client-s3": "^3.713.0",
-    "@aws-sdk/s3-presigned-post": "^3.879.0",
-    "@aws-sdk/s3-request-presigner": "^3.879.0",
-    "@databases/split-sql-query": "^1.0.4",
-    "@databases/sql": "^3.3.0",
-    "@types/multer": "^1.4.13",
-    "@types/node-pg-migrate": "^2.3.1",
-    "@types/pg": "^8.15.4",
-    "@types/socket.io": "^3.0.2",
-    "axios": "^1.11.0",
-    "bcryptjs": "^3.0.2",
-    "cors": "^2.8.5",
-    "csv-parse": "^6.1.0",
-    "dotenv": "^16.4.5",
-    "express": "^4.19.2",
-    "express-rate-limit": "^7.1.5",
-    "google-auth-library": "^10.1.0",
-    "jose": "^6.0.12",
-    "jsonwebtoken": "^9.0.2",
-    "multer": "^2.0.2",
-    "node-fetch": "^3.3.2",
-    "node-pg-migrate": "^8.0.3",
-    "openai": "^5.19.1",
-    "pg": "^8.16.3",
-    "pg-format": "^1.0.4",
-    "socket.io": "^4.8.1",
-    "winston": "^3.17.0",
-    "zod": "^3.23.8"
-  },
-  "devDependencies": {
-    "@types/cors": "^2.8.17",
-    "@types/express": "^4.17.21",
-    "@types/jsonwebtoken": "^9.0.9",
-    "@types/node": "^20.11.24",
-    "@types/pg-format": "^1.0.5",
-    "dotenv-cli": "^10.0.0",
-    "tsup": "^8.5.0",
-    "tsx": "^4.7.1",
-    "typescript": "^5.3.3",
-    "vitest": "^3.2.4"
-  }
-}
+{
+  "name": "insforge-backend",
+  "version": "1.0.0",
+  "author": "Insforge",
+  "description": "Open source backend-as-a-service with PostgreSQL and MCP integration",
+  "type": "module",
+  "main": "../dist/server.js",
+  "scripts": {
+    "start": "node ../dist/server.js",
+    "dev": "tsx watch src/server.ts",
+    "build": "tsup",
+    "clean": "rimraf dist",
+    "prebuild": "npm run clean",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "test:ui": "vitest --ui",
+    "test:e2e": "./tests/run-all-tests.sh",
+    "migrate:up": "node-pg-migrate up --migrations-dir src/infra/database/migrations --migrations-table _migrations",
+    "migrate:down": "node-pg-migrate down --migrations-dir src/infra/database/migrations --migrations-table _migrations",
+    "migrate:create": "node-pg-migrate create --migrations-dir src/infra/database/migrations --migrations-table _migrations",
+    "migrate:redo": "node-pg-migrate redo --migrations-dir src/infra/database/migrations --migrations-table _migrations",
+    "migrate:up:local": "dotenv -e ../.env -- node-pg-migrate up --migrations-dir src/infra/database/migrations --migrations-table _migrations",
+    "migrate:down:local": "dotenv -e ../.env -- node-pg-migrate down --migrations-dir src/infra/database/migrations --migrations-table _migrations"
+  },
+  "keywords": [
+    "backend-as-a-service",
+    "postgresql",
+    "jwt"
+  ],
+  "dependencies": {
+    "@asteasolutions/zod-to-openapi": "^7.3.4",
+    "@aws-sdk/client-cloudwatch-logs": "^3.713.0",
+    "@aws-sdk/client-s3": "^3.713.0",
+    "@aws-sdk/cloudfront-signer": "^3.901.0",
+    "@aws-sdk/s3-presigned-post": "^3.879.0",
+    "@aws-sdk/s3-request-presigner": "^3.879.0",
+    "@databases/split-sql-query": "^1.0.4",
+    "@databases/sql": "^3.3.0",
+    "@types/multer": "^1.4.13",
+    "@types/pg": "^8.15.4",
+    "axios": "^1.11.0",
+    "bcryptjs": "^3.0.2",
+    "cookie-parser": "^1.4.7",
+    "cors": "^2.8.5",
+    "csv-parse": "^6.1.0",
+    "dotenv": "^16.4.5",
+    "express": "^4.19.2",
+    "express-rate-limit": "^7.1.5",
+    "google-auth-library": "^10.1.0",
+    "jose": "^6.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "libpg-query": "^17.6.0",
+    "multer": "^2.0.2",
+    "node-fetch": "^3.3.2",
+    "node-pg-migrate": "^8.0.3",
+    "openai": "^5.19.1",
+    "pg": "^8.16.3",
+    "pg-format": "^1.0.4",
+    "socket.io": "^4.8.1",
+    "winston": "^3.17.0",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/cookie-parser": "^1.4.8",
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
+    "@types/jsonwebtoken": "^9.0.9",
+    "@types/node": "^20.11.24",
+    "@types/pg-format": "^1.0.5",
+    "dotenv-cli": "^10.0.0",
+    "tsup": "^8.5.0",
+    "tsx": "^4.7.1",
+    "typescript": "^5.3.3",
+    "vite-tsconfig-paths": "^5.1.4",
+    "vitest": "^3.2.4"
+  }
+}

package/backend/src/api/{middleware → middlewares}/auth.ts

@@ -1,9 +1,8 @@
 import { Request, Response, NextFunction } from 'express';
-import { AuthService } from '@/core/auth/auth.js';
+import { TokenManager } from '@/infra/security/token.manager.js';
 import { AppError } from './error.js';
 import { ERROR_CODES, NEXT_ACTION } from '@/types/error-constants.js';
-import { verifyCloudToken } from '@/utils/cloud-token.js';
-import { SecretsService } from '@/core/secrets/secrets.js';
+import { SecretService } from '@/services/secrets/secret.service.js';
 
 export interface AuthRequest extends Request {
   user?: {
@@ -16,8 +15,8 @@ export interface AuthRequest extends Request {
   projectId?: string;
 }
 
-const authService = AuthService.getInstance();
-const secretService = new SecretsService();
+const tokenManager = TokenManager.getInstance();
+const secretService = SecretService.getInstance();
 
 // Helper function to extract Bearer token
 function extractBearerToken(authHeader: string | undefined): string | null {
@@ -86,7 +85,7 @@ export async function verifyAdmin(req: AuthRequest, res: Response, next: NextFun
     }
 
     // For admin, we use JWT tokens
-    const payload = authService.verifyToken(token);
+    const payload = tokenManager.verifyToken(token);
 
     if (payload.role !== 'project_admin') {
       throw new AppError(
@@ -167,7 +166,7 @@ export function verifyToken(req: AuthRequest, _res: Response, next: NextFunction
     }
 
     // Verify JWT token
-    const payload = authService.verifyToken(token);
+    const payload = tokenManager.verifyToken(token);
 
     // Validate token has a role
     if (!payload.role) {
@@ -215,8 +214,8 @@ export async function verifyCloudBackend(req: AuthRequest, _res: Response, next:
       );
     }
 
-    // Use helper function to verify cloud token
-    const { projectId } = await verifyCloudToken(token);
+    // Use TokenManager to verify cloud token
+    const { projectId } = await tokenManager.verifyCloudToken(token);
 
     // Set project_id on request for use in route handlers
     req.projectId = projectId;

package/backend/src/api/middlewares/rate-limiters.ts

@@ -0,0 +1,127 @@
+import rateLimit from 'express-rate-limit';
+import { Request, Response, NextFunction } from 'express';
+import { AppError } from './error.js';
+import { ERROR_CODES } from '@/types/error-constants.js';
+
+/**
+ * Store for tracking per-email cooldowns
+ * Maps email -> last request timestamp
+ */
+const emailCooldowns = new Map<string, number>();
+
+/**
+ * Cleanup old cooldown entries every 5 minutes
+ */
+setInterval(
+  () => {
+    const now = Date.now();
+    const fiveMinutes = 5 * 60 * 1000;
+
+    for (const [email, timestamp] of emailCooldowns.entries()) {
+      if (now - timestamp > fiveMinutes) {
+        emailCooldowns.delete(email);
+      }
+    }
+  },
+  5 * 60 * 1000
+);
+
+/**
+ * Per-IP rate limiter for email otp requests
+ * Prevents brute-force attacks, resource exhaustion, and enumeration from single IP
+ *
+ * Limits: 5 requests per 15 minutes per IP
+ * Counts ALL requests (both successful and failed) to prevent abuse
+ */
+export const sendEmailOTPRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // Limit each IP to 5 requests per windowMs
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  handler: (_req: Request, _res: Response, next: NextFunction) => {
+    next(
+      new AppError(
+        'Too many send email verification requests from this IP. Please try again in 15 minutes.',
+        429,
+        ERROR_CODES.TOO_MANY_REQUESTS
+      )
+    );
+  },
+  // Count all requests (both successes and failures) to prevent resource exhaustion and enumeration
+  skipSuccessfulRequests: false,
+  skipFailedRequests: false,
+});
+
+/**
+ * Per-IP rate limiter for email OTP verification attempts
+ * Prevents brute-force code guessing
+ *
+ * Limits: 10 attempts per 15 minutes per IP
+ */
+export const verifyOTPRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10, // Limit each IP to 10 verification attempts per windowMs
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (_req: Request, _res: Response, next: NextFunction) => {
+    next(
+      new AppError(
+        'Too many verification attempts from this IP. Please try again in 15 minutes.',
+        429,
+        ERROR_CODES.TOO_MANY_REQUESTS
+      )
+    );
+  },
+  skipSuccessfulRequests: true, // Don't count successful verifications
+  skipFailedRequests: false, // Count failed attempts to prevent brute force
+});
+
+/**
+ * Per-email cooldown middleware
+ * Prevents enumeration attacks by enforcing minimum time between requests for same email
+ *
+ * Cooldown: 60 seconds between requests for same email
+ */
+export const perEmailCooldown = (cooldownMs: number = 60000) => {
+  return (req: Request, _res: Response, next: NextFunction) => {
+    const email = req.body?.email?.toLowerCase();
+
+    if (!email) {
+      // If no email in body, let it pass (will be caught by validation)
+      return next();
+    }
+
+    const now = Date.now();
+    const lastRequest = emailCooldowns.get(email);
+
+    if (lastRequest && now - lastRequest < cooldownMs) {
+      const remainingMs = cooldownMs - (now - lastRequest);
+      const remainingSec = Math.ceil(remainingMs / 1000);
+
+      throw new AppError(
+        `Please wait ${remainingSec} seconds before requesting another code for this email`,
+        429,
+        ERROR_CODES.TOO_MANY_REQUESTS
+      );
+    }
+
+    // Update last request time
+    emailCooldowns.set(email, now);
+    next();
+  };
+};
+
+/**
+ * Combined rate limiter for sending email otp requests
+ * Applies both per-IP and per-email limits
+ */
+export const sendEmailOTPLimiter = [
+  sendEmailOTPRateLimiter,
+  perEmailCooldown(60000), // 60 second cooldown per email
+];
+
+/**
+ * Rate limiter for OTP verification attempts (email OTP verification)
+ * Only per-IP limit, no per-email limit (to allow legitimate retries)
+ */
+export const verifyOTPLimiter = [verifyOTPRateLimiter];