kybernus 3.1.0 → 3.2.0

package/templates/ecommerce/apps/api/src/infrastructure/services/token/token.service.ts

@@ -0,0 +1,136 @@
+import jwt from 'jsonwebtoken';
+import { randomUUID } from 'crypto';
+import { AppError } from '../../../domain/shared/AppError';
+import { InMemoryTokenBlacklist } from './token.blacklist';
+import type { ITokenBlacklist } from '../../../application/ports/token-blacklist.port';
+import type { ITokenService, TokenPayload } from '../../../application/ports/token.port';
+import type { PrismaClient } from '@prisma/client';
+
+export class TokenService implements ITokenService {
+  // in-memory fallback used in tests (no DB)
+  private readonly resetTokensFallback = new Map<string, string>();
+
+  constructor(
+    private readonly blacklist: ITokenBlacklist = new InMemoryTokenBlacklist(),
+    private readonly prismaClient?: PrismaClient,
+  ) {}
+
+  private get jwtSecret(): string {
+    const s = process.env['JWT_SECRET'];
+    if (!s) throw new Error('JWT_SECRET is not set');
+    return s;
+  }
+
+  private get jwtRefreshSecret(): string {
+    const s = process.env['JWT_REFRESH_SECRET'];
+    if (!s) throw new Error('JWT_REFRESH_SECRET is not set');
+    return s;
+  }
+
+  private get jwtResetSecret(): string {
+    const s = process.env['JWT_RESET_SECRET'] ?? process.env['JWT_SECRET'];
+    if (!s) throw new Error('JWT_RESET_SECRET is not set');
+    return s;
+  }
+
+  generateAccessToken(payload: TokenPayload): string {
+    return jwt.sign(payload, this.jwtSecret, {
+      expiresIn: (process.env['JWT_EXPIRES_IN'] as jwt.SignOptions['expiresIn']) ?? '15m',
+    });
+  }
+
+  generateRefreshToken(payload: TokenPayload): string {
+    return jwt.sign(
+      { ...payload, jti: randomUUID() },
+      this.jwtRefreshSecret,
+      {
+        expiresIn:
+          (process.env['JWT_REFRESH_EXPIRES_IN'] as jwt.SignOptions['expiresIn']) ?? '7d',
+      },
+    );
+  }
+
+  verifyAccessToken(token: string): TokenPayload {
+    try {
+      return jwt.verify(token, this.jwtSecret) as TokenPayload;
+    } catch {
+      throw new AppError('Token inválido ou expirado', 401);
+    }
+  }
+
+  verifyRefreshToken(token: string): TokenPayload {
+    return jwt.verify(token, this.jwtRefreshSecret) as TokenPayload;
+  }
+
+  async invalidateRefreshToken(token: string): Promise<undefined> {
+    const decoded = jwt.decode(token) as (TokenPayload & { exp?: number }) | null;
+    const jti = decoded?.jti;
+    if (!jti) return undefined;
+    const exp = decoded?.exp ?? 0;
+    const ttlSeconds = Math.max(0, exp - Math.floor(Date.now() / 1000));
+    await this.blacklist.add(jti, ttlSeconds);
+    return undefined;
+  }
+
+  async isRefreshTokenBlacklisted(token: string): Promise<boolean> {
+    const decoded = jwt.decode(token) as (TokenPayload & { exp?: number }) | null;
+    const jti = decoded?.jti;
+    if (!jti) return false;
+    return this.blacklist.has(jti);
+  }
+
+  async generatePasswordResetToken(userId: string): Promise<string> {
+    const token = jwt.sign({ sub: userId }, this.jwtResetSecret, { expiresIn: '1h' });
+    if (this.prismaClient) {
+      // Invalidate any existing tokens for this user, then create a new one
+      await this.prismaClient.passwordResetToken.deleteMany({ where: { userId } });
+      await this.prismaClient.passwordResetToken.create({
+        data: {
+          token,
+          userId,
+          expiresAt: new Date(Date.now() + 60 * 60 * 1000), // 1 hour
+        },
+      });
+    } else {
+      this.resetTokensFallback.set(token, userId);
+    }
+    return token;
+  }
+
+  async verifyPasswordResetToken(token: string): Promise<string> {
+    try {
+      const payload = jwt.verify(token, this.jwtResetSecret) as { sub: string };
+      if (this.prismaClient) {
+        const record = await this.prismaClient.passwordResetToken.findUnique({
+          where: { token },
+        });
+        if (!record || record.usedAt !== null) {
+          throw new AppError('Token de recuperação inválido ou já utilizado', 400);
+        }
+        if (record.expiresAt < new Date()) {
+          throw new AppError('Token de recuperação expirado', 400);
+        }
+        return record.userId;
+      } else {
+        const storedUserId = this.resetTokensFallback.get(token);
+        if (!storedUserId) throw new Error('Token not found');
+        return payload.sub;
+      }
+    } catch (err) {
+      if (err instanceof AppError) throw err;
+      throw new AppError('Token de recuperação inválido ou expirado', 400);
+    }
+  }
+
+  async invalidatePasswordResetToken(token: string): Promise<undefined> {
+    if (this.prismaClient) {
+      await this.prismaClient.passwordResetToken.updateMany({
+        where: { token },
+        data: { usedAt: new Date() },
+      });
+    } else {
+      this.resetTokensFallback.delete(token);
+    }
+    return undefined;
+  }
+}

package/templates/ecommerce/apps/api/src/modules/admin/__tests__/admin.routes.integration.test.ts

@@ -0,0 +1,250 @@
+import request from 'supertest';
+import bcrypt from 'bcryptjs';
+import app from '../../../app';
+import { userRepository } from '../../auth/auth.registry';
+import { orderRepository } from '../../checkout/checkout.registry';
+import { UserEntity } from '../../auth/user.entity';
+import { OrderEntity } from '../../checkout/order.entity';
+
+describe('Admin Routes — Integration', () => {
+  let adminToken: string;
+  let adminId: string;
+  let customerToken: string;
+  let customer1Id: string;
+  let customer2Id: string;
+
+  beforeAll(async () => {
+    // ── Users ──────────────────────────────────────────────────────────────
+    const adminHash = await bcrypt.hash('admin123', 1);
+    const admin = UserEntity.create({
+      name: 'Admin',
+      email: 'admin6@test.com',
+      passwordHash: adminHash,
+      role: 'ADMIN',
+    });
+    await userRepository.create(admin);
+    adminId = admin.id;
+
+    const adminRes = await request(app)
+      .post('/api/auth/login')
+      .send({ email: 'admin6@test.com', password: 'admin123' });
+    adminToken = adminRes.body.accessToken as string;
+
+    const c1Hash = await bcrypt.hash('pass123', 1);
+    const customer1 = UserEntity.create({
+      name: 'Alice',
+      email: 'alice6@test.com',
+      passwordHash: c1Hash,
+    });
+    await userRepository.create(customer1);
+    customer1Id = customer1.id;
+
+    const c1Res = await request(app)
+      .post('/api/auth/login')
+      .send({ email: 'alice6@test.com', password: 'pass123' });
+    customerToken = c1Res.body.accessToken as string;
+
+    const c2Hash = await bcrypt.hash('pass456', 1);
+    const customer2 = UserEntity.create({
+      name: 'Bob',
+      email: 'bob6@test.com',
+      passwordHash: c2Hash,
+    });
+    await userRepository.create(customer2);
+    customer2Id = customer2.id;
+
+    // ── Seed orders ────────────────────────────────────────────────────────
+    // Order 1: PAID, customer1, total=100, prod-1 qty=3
+    const order1 = OrderEntity.create({
+      userId: customer1Id,
+      items: [
+        {
+          id: 'i1',
+          productId: 'prod-1',
+          variantId: 'v1',
+          name: 'Camiseta',
+          sku: 'CAM-1',
+          price: 33.33,
+          qty: 3,
+          image: null,
+        },
+      ],
+      subtotal: 100,
+      discount: 0,
+      shippingCost: 0,
+      tax: 0,
+      total: 100,
+      couponCode: null,
+      paymentIntentId: 'pi_adm1',
+      shippingAddress: null,
+    }).pay();
+    await orderRepository.create(order1);
+
+    // Order 2: SHIPPED, customer2, total=200, prod-2 qty=1
+    const order2 = OrderEntity.create({
+      userId: customer2Id,
+      items: [
+        {
+          id: 'i2',
+          productId: 'prod-2',
+          variantId: 'v2',
+          name: 'Calça',
+          sku: 'CAL-1',
+          price: 200,
+          qty: 1,
+          image: null,
+        },
+      ],
+      subtotal: 200,
+      discount: 0,
+      shippingCost: 0,
+      tax: 0,
+      total: 200,
+      couponCode: null,
+      paymentIntentId: 'pi_adm2',
+      shippingAddress: null,
+    })
+      .pay()
+      .ship();
+    await orderRepository.create(order2);
+
+    // Order 3: PENDING (should NOT count for revenue)
+    const order3 = OrderEntity.create({
+      userId: customer1Id,
+      items: [
+        {
+          id: 'i3',
+          productId: 'prod-1',
+          variantId: 'v1',
+          name: 'Camiseta',
+          sku: 'CAM-1',
+          price: 50,
+          qty: 1,
+          image: null,
+        },
+      ],
+      subtotal: 50,
+      discount: 0,
+      shippingCost: 0,
+      tax: 0,
+      total: 50,
+      couponCode: null,
+      paymentIntentId: null,
+      shippingAddress: null,
+    });
+    await orderRepository.create(order3);
+  });
+
+  // ── GET /api/admin/dashboard/stats ────────────────────────────────────────
+  describe('GET /api/admin/dashboard/stats', () => {
+    it('403: deve bloquear não-admins', async () => {
+      const res = await request(app)
+        .get('/api/admin/dashboard/stats')
+        .set('Authorization', `Bearer ${customerToken}`);
+      expect(res.status).toBe(403);
+    });
+
+    it('deve retornar totalRevenue, totalOrders, totalCustomers, avgOrderValue', async () => {
+      const res = await request(app)
+        .get('/api/admin/dashboard/stats')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      expect(res.body).toMatchObject({
+        totalRevenue: 300,    // PAID(100) + SHIPPED(200)
+        totalOrders: 3,       // all 3 orders
+        totalCustomers: 2,    // customer1 + customer2 have revenue orders
+        avgOrderValue: 150,   // 300 / 2 revenue orders
+      });
+    });
+
+    it('deve aceitar filtro period=today', async () => {
+      const res = await request(app)
+        .get('/api/admin/dashboard/stats?period=today')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      // All orders were created during this test run (today)
+      expect(res.body.totalOrders).toBe(3);
+    });
+
+    it('deve aceitar filtro period=month', async () => {
+      const res = await request(app)
+        .get('/api/admin/dashboard/stats?period=month')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      expect(res.body.totalRevenue).toBe(300);
+    });
+  });
+
+  // ── GET /api/admin/dashboard/top-products ─────────────────────────────────
+  describe('GET /api/admin/dashboard/top-products', () => {
+    it('deve retornar produtos mais vendidos ordenados por qty desc', async () => {
+      const res = await request(app)
+        .get('/api/admin/dashboard/top-products')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body.items)).toBe(true);
+      // prod-1: qty=3 (order1 PAID); prod-2: qty=1 (order2 SHIPPED)
+      // order3 is PENDING — must NOT be counted
+      expect(res.body.items[0]).toMatchObject({ productId: 'prod-1', totalQty: 3 });
+      expect(res.body.items[1]).toMatchObject({ productId: 'prod-2', totalQty: 1 });
+    });
+  });
+
+  // ── GET /api/admin/users ──────────────────────────────────────────────────
+  describe('GET /api/admin/users', () => {
+    it('403: deve bloquear não-admins', async () => {
+      const res = await request(app)
+        .get('/api/admin/users')
+        .set('Authorization', `Bearer ${customerToken}`);
+      expect(res.status).toBe(403);
+    });
+
+    it('200: deve listar usuários com paginação', async () => {
+      const res = await request(app)
+        .get('/api/admin/users')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body.items)).toBe(true);
+      expect(res.body.items.length).toBeGreaterThanOrEqual(3); // admin + 2 customers
+      expect(res.body).toHaveProperty('nextCursor');
+    });
+
+    it('deve filtrar por role=CUSTOMER', async () => {
+      const res = await request(app)
+        .get('/api/admin/users?role=CUSTOMER')
+        .set('Authorization', `Bearer ${adminToken}`);
+      expect(res.status).toBe(200);
+      expect(
+        res.body.items.every((u: { role: string }) => u.role === 'CUSTOMER'),
+      ).toBe(true);
+      expect(res.body.items.length).toBeGreaterThanOrEqual(2);
+    });
+  });
+
+  // ── PATCH /api/admin/users/:id ────────────────────────────────────────────
+  describe('PATCH /api/admin/users/:id', () => {
+    it('200: deve atualizar role de CUSTOMER para ADMIN', async () => {
+      const res = await request(app)
+        .patch(`/api/admin/users/${customer1Id}`)
+        .set('Authorization', `Bearer ${adminToken}`)
+        .send({ role: 'ADMIN' });
+      expect(res.status).toBe(200);
+      expect(res.body).toMatchObject({ message: expect.any(String) });
+
+      // Verify the change persisted
+      const listRes = await request(app)
+        .get('/api/admin/users?role=ADMIN')
+        .set('Authorization', `Bearer ${adminToken}`);
+      const ids = listRes.body.items.map((u: { id: string }) => u.id);
+      expect(ids).toContain(customer1Id);
+    });
+
+    it('403: deve bloquear admin de alterar o próprio role', async () => {
+      const res = await request(app)
+        .patch(`/api/admin/users/${adminId}`)
+        .set('Authorization', `Bearer ${adminToken}`)
+        .send({ role: 'CUSTOMER' });
+      expect(res.status).toBe(403);
+    });
+  });
+});

package/templates/ecommerce/apps/api/src/modules/admin/admin.controller.ts

@@ -0,0 +1,116 @@
+import { Request, Response, NextFunction } from 'express';
+import { z } from 'zod';
+import type { DashboardService } from './admin.service';
+import type { AdminUserService } from './admin.user.service';
+import { createCouponSchema, CouponAdminService } from '../cart/coupon.service';
+
+// ── Zod schemas ───────────────────────────────────────────────────────────────
+const periodSchema = z.object({
+  period: z.enum(['today', 'week', 'month', 'custom']).optional(),
+  from: z.string().optional(),
+  to: z.string().optional(),
+  limit: z.coerce.number().int().min(1).max(100).optional(),
+});
+
+const userListSchema = z.object({
+  role: z.enum(['ADMIN', 'CUSTOMER']).optional(),
+  cursor: z.string().optional(),
+  limit: z.coerce.number().int().min(1).max(100).optional(),
+});
+
+const updateRoleSchema = z.object({
+  role: z.enum(['ADMIN', 'CUSTOMER']),
+});
+
+// ── AdminController ───────────────────────────────────────────────────────────
+export class AdminController {
+  constructor(
+    private readonly dashboardService: DashboardService,
+    private readonly adminUserService: AdminUserService,
+    private readonly couponAdminService: CouponAdminService,
+  ) {}
+
+  getStats = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const query = periodSchema.parse(req.query);
+      const stats = await this.dashboardService.getStats(query);
+      res.json(stats);
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  getTopProducts = async (
+    req: Request,
+    res: Response,
+    next: NextFunction,
+  ): Promise<void> => {
+    try {
+      const query = periodSchema.parse(req.query);
+      const products = await this.dashboardService.getTopProducts(query);
+      res.json({ items: products });
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  listUsers = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const query = userListSchema.parse(req.query);
+      const result = await this.adminUserService.listUsers(query);
+      res.json({
+        items: result.items.map((u) => u.toPublic()),
+        nextCursor: result.nextCursor,
+      });
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  updateUserRole = async (
+    req: Request,
+    res: Response,
+    next: NextFunction,
+  ): Promise<void> => {
+    try {
+      const { id } = req.params;
+      const { role } = updateRoleSchema.parse(req.body);
+      const requesterId = (req.user as { id: string }).id;
+      await this.adminUserService.updateUserRole(id, role, requesterId);
+      res.json({ message: 'Role atualizado com sucesso' });
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  // ── Coupon handlers ───────────────────────────────────────────────────────
+
+  createCoupon = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const dto = createCouponSchema.parse(req.body);
+      const coupon = await this.couponAdminService.create(dto);
+      res.status(201).json(coupon.toRecord());
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  listCoupons = async (_req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const coupons = await this.couponAdminService.list();
+      res.json({ items: coupons.map((c) => c.toRecord()) });
+    } catch (err) {
+      next(err);
+    }
+  };
+
+  deleteCoupon = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    try {
+      const { id } = req.params;
+      await this.couponAdminService.delete(id);
+      res.status(204).send();
+    } catch (err) {
+      next(err);
+    }
+  };
+}

package/templates/ecommerce/apps/api/src/modules/admin/admin.registry.ts

@@ -0,0 +1 @@
+export * from '../../infrastructure/config/registry/admin.registry';

package/templates/ecommerce/apps/api/src/modules/admin/admin.routes.ts

@@ -0,0 +1,21 @@
+import { Router } from 'express';
+import { authenticate } from '../../shared/middlewares/authenticate';
+import { authorize } from '../../shared/middlewares/authorize';
+import { validateUuidParam } from '../../shared/validators/uuidParam';
+import { adminController } from './admin.registry';
+
+const adminRoutes = Router();
+
+adminRoutes.use(authenticate, authorize('ADMIN'));
+
+adminRoutes.get('/dashboard/stats', adminController.getStats);
+adminRoutes.get('/dashboard/top-products', adminController.getTopProducts);
+adminRoutes.get('/users', adminController.listUsers);
+adminRoutes.patch('/users/:id', validateUuidParam(), adminController.updateUserRole);
+
+// Coupon management (Phase 13)
+adminRoutes.post('/coupons', adminController.createCoupon);
+adminRoutes.get('/coupons', adminController.listCoupons);
+adminRoutes.delete('/coupons/:id', validateUuidParam(), adminController.deleteCoupon);
+
+export { adminRoutes };

package/templates/ecommerce/apps/api/src/modules/admin/admin.service.ts

@@ -0,0 +1 @@
+export * from '../../application/admin/dashboard.service';

package/templates/ecommerce/apps/api/src/modules/admin/admin.user.service.ts

@@ -0,0 +1 @@
+export * from '../../application/admin/admin-user.service';

package/templates/ecommerce/apps/api/src/modules/auth/__tests__/auth.logout.redis.test.ts

@@ -0,0 +1,104 @@
+/**
+ * Redis-backed logout integration tests.
+ * Verifies that JTIs are stored in Redis upon logout and that blacklisted
+ * tokens are rejected by the /api/auth/refresh endpoint.
+ *
+ * Requires PostgreSQL + Redis running (docker-compose up).
+ * Run with: npm run test:db
+ */
+import request from 'supertest';
+import Redis from 'ioredis';
+import app from '../../../app';
+
+const REDIS_URL = process.env['REDIS_URL'] ?? 'redis://localhost:6379';
+
+const USER = {
+  name: 'Redis Logout User',
+  email: 'redis.logout@email.com',
+  password: 'senha1234',
+};
+
+describe('Auth Logout — Redis Integration', () => {
+  let redis: Redis;
+
+  beforeAll(async () => {
+    redis = new Redis(REDIS_URL, { lazyConnect: true, maxRetriesPerRequest: 3 });
+    await redis.connect();
+    // Register user once for all tests
+    await request(app).post('/api/auth/register').send(USER);
+  });
+
+  afterAll(async () => {
+    // Clean up blacklist keys created during tests
+    const keys = await redis.keys('blacklist:*');
+    if (keys.length > 0) await redis.del(...keys);
+    // Close the local client AND the shared registry Redis singleton
+    const { redis: sharedRedis } = await import('../../../shared/infra/redis');
+    await Promise.allSettled([redis.quit(), sharedRedis.quit()]);
+  });
+
+  it('deve adicionar jti do refreshToken ao Redis após logout', async () => {
+    const loginRes = await request(app)
+      .post('/api/auth/login')
+      .send({ email: USER.email, password: USER.password });
+
+    const cookies: string[] = loginRes.headers['set-cookie'] as unknown as string[];
+    const cookieHeader = cookies.find((c) => c.startsWith('refreshToken=')) ?? '';
+    const cookieValue = cookieHeader.split(';')[0] ?? '';
+
+    const logoutRes = await request(app)
+      .post('/api/auth/logout')
+      .set('Cookie', cookieValue);
+
+    expect(logoutRes.status).toBe(204);
+
+    // At least one blacklist:* key should now exist in Redis
+    const keys = await redis.keys('blacklist:*');
+    expect(keys.length).toBeGreaterThan(0);
+  });
+
+  it('deve rejeitar refreshToken com jti na blacklist com 401', async () => {
+    const loginRes = await request(app)
+      .post('/api/auth/login')
+      .send({ email: USER.email, password: USER.password });
+
+    const cookies: string[] = loginRes.headers['set-cookie'] as unknown as string[];
+    const cookieHeader = cookies.find((c) => c.startsWith('refreshToken=')) ?? '';
+    const cookieValue = cookieHeader.split(';')[0] ?? '';
+
+    // Logout — JTI enters Redis blacklist
+    await request(app).post('/api/auth/logout').set('Cookie', cookieValue);
+
+    // Re-use the same cookie → should be rejected
+    const refreshRes = await request(app)
+      .post('/api/auth/refresh')
+      .set('Cookie', cookieValue);
+
+    expect(refreshRes.status).toBe(401);
+  });
+
+  it('token de novo login deve ser aceito mesmo após logout do anterior', async () => {
+    // First login + logout
+    const firstLogin = await request(app)
+      .post('/api/auth/login')
+      .send({ email: USER.email, password: USER.password });
+    const firstCookies: string[] = firstLogin.headers['set-cookie'] as unknown as string[];
+    const firstCookieHeader = firstCookies.find((c) => c.startsWith('refreshToken=')) ?? '';
+    const firstCookieValue = firstCookieHeader.split(';')[0] ?? '';
+    await request(app).post('/api/auth/logout').set('Cookie', firstCookieValue);
+
+    // Second login — new JTI, should be accepted
+    const secondLogin = await request(app)
+      .post('/api/auth/login')
+      .send({ email: USER.email, password: USER.password });
+    const secondCookies: string[] = secondLogin.headers['set-cookie'] as unknown as string[];
+    const secondCookieHeader = secondCookies.find((c) => c.startsWith('refreshToken=')) ?? '';
+    const secondCookieValue = secondCookieHeader.split(';')[0] ?? '';
+
+    const refreshRes = await request(app)
+      .post('/api/auth/refresh')
+      .set('Cookie', secondCookieValue);
+
+    expect(refreshRes.status).toBe(200);
+  });
+});