millas 0.2.11 → 0.2.12-beta-1

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "millas",
-  "version": "0.2.11",
+  "version": "0.2.12-beta-1",
   "description": "A modern batteries-included backend framework for Node.js — built on Express, inspired by Laravel, Django, and FastAPI",
   "main": "src/index.js",
   "exports": {
     ".": "./src/index.js",
-    "./src": "./src/index.js",
-    "./src/*": "./src/*.js",
-    "./bin/*": "./bin/*.js"
+    "./core/*": "./src/core/*.js",
+    "./facades/*": "./src/facades/*.js"
   },
   "bin": {
     "millas": "./bin/millas.js"
@@ -39,6 +38,7 @@
   "dependencies": {
     "bcryptjs": "3.0.2",
     "chalk": "4.1.2",
+    "chokidar": "^3.6.0",
     "commander": "^11.0.0",
     "fs-extra": "^11.0.0",
     "inquirer": "8.2.6",
@@ -46,7 +46,8 @@
     "knex": "^3.1.0",
     "nodemailer": "^6.9.0",
     "nunjucks": "^3.2.4",
-    "ora": "5.4.1"
+    "ora": "5.4.1",
+    "sqlite3": "^5.1.7"
   },
   "peerDependencies": {
     "express": "^4.18.0"

package/src/auth/Auth.js

@@ -230,13 +230,18 @@ class Auth {
   }
 
   _buildTokenPayload(user) {
-    return {
-      id:    user.id,
-      sub:   user.id,
-      email: user.email,
-      role:  user.role || null,
-      iat:   Math.floor(Date.now() / 1000),
-    };
+    // If the model defines tokenPayload(), use it — allows custom JWT claims.
+    // Otherwise fall back to the standard shape.
+    const base = typeof user.tokenPayload === 'function'
+      ? user.tokenPayload()
+      : {
+          id:    user.id,
+          sub:   user.id,
+          email: user.email,
+          role:  user.role || null,
+        };
+
+    return { ...base, iat: Math.floor(Date.now() / 1000) };
   }
 
   _requireUserModel() {
@@ -251,4 +256,4 @@ class Auth {
 
 // Singleton facade
 module.exports = new Auth();
-module.exports.Auth = Auth;
+module.exports.Auth = Auth;

package/src/auth/AuthController.js

@@ -2,62 +2,42 @@
 
 const Controller = require('../controller/Controller');
 const Auth       = require('./Auth');
+const { string, email } = require('../validation/Validator');
 
 /**
  * AuthController
  *
- * Drop-in authentication controller.
- * Register its routes in routes/api.js:
- *
- *   const AuthController = require('millas/src/auth/AuthController');
- *
- *   Route.post('/auth/register', AuthController, 'register');
- *   Route.post('/auth/login',    AuthController, 'login');
- *   Route.post('/auth/logout',   AuthController, 'logout');
- *   Route.get('/auth/me',        AuthController, 'me');
- *   Route.post('/auth/refresh',  AuthController, 'refresh');
- *   Route.post('/auth/forgot-password',  AuthController, 'forgotPassword');
- *   Route.post('/auth/reset-password',   AuthController, 'resetPassword');
- *
- * Or use the convenience helper:
- *   Route.auth()  — registers all routes above under /auth
+ * Drop-in authentication controller using the new ctx signature.
+ * All methods receive RequestContext and return MillasResponse.
  */
 class AuthController extends Controller {
 
-  /**
-   * POST /auth/register
-   * Body: { name, email, password, password_confirmation? }
-   */
-  async register(req, res) {
-    const data = await this.validate(req, {
-      name:     'required|string|min:2|max:100',
-      email:    'required|email',
-      password: 'required|string|min:8',
+  async register({ body }) {
+    const data = await body.validate({
+      name:     string().required().min(2).max(100),
+      email:    email().required(),
+      password: string().required().min(8),
     });
 
     const user  = await Auth.register(data);
     const token = Auth.issueToken(user);
 
-    return this.created(res, {
+    return this.created({
       message: 'Registration successful',
       user:    this._safeUser(user),
       token,
     });
   }
 
-  /**
-   * POST /auth/login
-   * Body: { email, password }
-   */
-  async login(req, res) {
-    const { email, password } = await this.validate(req, {
-      email:    'required|email',
-      password: 'required|string',
+  async login({ body }) {
+    const { email: emailVal, password } = await body.validate({
+      email:    email().required(),
+      password: string().required(),
     });
 
-    const { user, token, refreshToken } = await Auth.login(email, password);
+    const { user, token, refreshToken } = await Auth.login(emailVal, password);
 
-    return this.ok(res, {
+    return this.ok({
       message: 'Login successful',
       user:    this._safeUser(user),
       token,
@@ -65,124 +45,55 @@ class AuthController extends Controller {
     });
   }
 
-  /**
-   * POST /auth/logout
-   * Header: Authorization: Bearer <token>
-   *
-   * JWT is stateless — logout just instructs the client to discard the token.
-   * Phase 11 (cache) will add token blocklisting.
-   */
-  async logout(req, res) {
-    return this.ok(res, { message: 'Logged out successfully' });
+  async logout() {
+    return this.ok({ message: 'Logged out successfully' });
   }
 
-  /**
-   * GET /auth/me
-   * Header: Authorization: Bearer <token>
-   */
-  async me(req, res) {
-    try {
-      const user = await Auth.userOrFail(req);
-      return this.ok(res, { user: this._safeUser(user) });
-    } catch (err) {
-      if (err.status === 401) return this.unauthorized(res, err.message);
-      return this.unauthorized(res, 'Unauthenticated');
+  async me({ user }) {
+    if (!user) {
+      const HttpError = require('../errors/HttpError');
+      throw new HttpError(401, 'Unauthenticated');
     }
+    return this.ok({ user: this._safeUser(user) });
   }
 
-  /**
-   * POST /auth/refresh
-   * Body: { refresh_token }
-   */
-  async refresh(req, res) {
-    const { refresh_token } = await this.validate(req, {
-      refresh_token: 'required|string',
+  async refresh({ body }) {
+    const { refresh_token } = await body.validate({
+      refresh_token: string().required(),
     });
 
-    // Verify the refresh token
-    let payload;
-    try {
-      payload = Auth.verify(refresh_token);
-    } catch {
-      return this.unauthorized(res, 'Invalid or expired refresh token');
-    }
-
-    const user = await Auth.user({ headers: { authorization: `Bearer ${refresh_token}` } });
-    if (!user) return this.unauthorized(res, 'User not found');
-
-    const newToken        = Auth.issueToken(user);
-    const newRefreshToken = Auth.issueToken(user, { expiresIn: '30d' });
-
-    return this.ok(res, {
-      token:         newToken,
-      refresh_token: newRefreshToken,
-    });
+    const tokens = await Auth.refresh(refresh_token);
+    return this.ok(tokens);
   }
 
-  /**
-   * POST /auth/forgot-password
-   * Body: { email }
-   */
-  async forgotPassword(req, res) {
-    const { email } = await this.validate(req, {
-      email: 'required|email',
+  async forgotPassword({ body }) {
+    const { email: emailVal } = await body.validate({
+      email: email().required(),
     });
 
-    // Always return 200 to prevent email enumeration
-    try {
-      const user = await Auth.user({ headers: {} });
-      if (user) {
-        const resetToken = Auth.generateResetToken(user);
-        // Phase 8: Mail.send({ to: email, template: 'password-reset', data: { resetToken } })
-        // For now, return token in dev mode only
-        if (process.env.APP_ENV !== 'production') {
-          return this.ok(res, {
-            message:     'Reset link sent (dev mode — token exposed)',
-            reset_token: resetToken,
-          });
-        }
-      }
-    } catch { /* silent */ }
-
-    return this.ok(res, {
-      message: 'If that email exists, a reset link has been sent.',
-    });
+    await Auth.sendPasswordResetEmail(emailVal);
+    return this.ok({ message: 'Password reset email sent' });
   }
 
-  /**
-   * POST /auth/reset-password
-   * Body: { token, password }
-   */
-  async resetPassword(req, res) {
-    const { token, password } = await this.validate(req, {
-      token:    'required|string',
-      password: 'required|string|min:8',
-    });
-
-    const payload = Auth.verifyResetToken(token);
-    const user    = await Auth.user({
-      headers: { authorization: `Bearer ${token}` },
+  async resetPassword({ body }) {
+    const { token, password } = await body.validate({
+      token:    string().required(),
+      password: string().required().min(8).confirmed(),
     });
 
-    if (!user || user.email !== payload.email) {
-      return this.badRequest(res, 'Invalid reset token');
-    }
-
-    const hashed = await Auth.hashPassword(password);
-    await user.update({ password: hashed });
-
-    return this.ok(res, { message: 'Password reset successfully' });
+    await Auth.resetPassword(token, password);
+    return this.ok({ message: 'Password reset successfully' });
   }
 
-  // ─── Internal ─────────────────────────────────────────────────────────────
-
   _safeUser(user) {
     if (!user) return null;
-    const obj = user.toJSON ? user.toJSON() : { ...user };
-    delete obj.password;
-    delete obj.remember_token;
-    return obj;
+    // Use the model's toSafeObject() if defined (AuthUser and subclasses provide this)
+    if (typeof user.toSafeObject === 'function') return user.toSafeObject();
+    const data = user.toJSON ? user.toJSON() : { ...user };
+    delete data.password;
+    delete data.remember_token;
+    return data;
   }
 }
 
-module.exports = AuthController;
+module.exports = AuthController;

package/src/auth/AuthMiddleware.js

@@ -8,25 +8,15 @@ const Auth       = require('./Auth');
  * AuthMiddleware
  *
  * Guards routes from unauthenticated access using JWT.
- *
  * Reads the Bearer token from the Authorization header,
- * verifies it, loads the user from the database,
- * and attaches them to req.user.
- *
- * Throws 401 if:
- *   - No Authorization header
- *   - Token is malformed / expired
- *   - User no longer exists in DB
+ * verifies it, loads the user, and attaches them to req.user.
  *
- * Register in bootstrap/app.js:
- *   app.middleware('auth', AuthMiddleware)
- *
- * Apply to routes:
- *   Route.prefix('/api').middleware(['auth']).group(() => { ... })
+ * Uses the Millas middleware signature: handle(req, next)
+ * No Express res — returns a MillasResponse or calls next().
  */
 class AuthMiddleware extends Middleware {
-  async handle(req, res, next) {
-    const header = req.headers['authorization'];
+  async handle({ headers, req }, next) {
+    const header = headers.authorization || headers.Authorization;
 
     if (!header) {
       throw new HttpError(401, 'Authorization header missing');
@@ -41,26 +31,25 @@ class AuthMiddleware extends Middleware {
       throw new HttpError(401, 'Token is empty');
     }
 
-    // Verify token — throws 401 if expired or invalid
     const payload = Auth.verify(token);
 
-    // Load user from DB
     let user;
     try {
-      user = await Auth.user(req);
+      user = await Auth.user(req.raw);
     } catch {
       throw new HttpError(401, 'Authentication service not configured');
     }
+
     if (!user) {
       throw new HttpError(401, 'User not found or has been deleted');
     }
 
-    // Attach to request
-    req.user     = user;
-    req.token    = token;
-    req.tokenPayload = payload;
+    // Attach to the underlying request so downstream handlers see req.user
+    req.raw.user         = user;
+    req.raw.token        = token;
+    req.raw.tokenPayload = payload;
 
-    next();
+    return next();
   }
 }
 

package/src/auth/AuthUser.js

@@ -0,0 +1,98 @@
+'use strict';
+
+const Model  = require('../orm/model/Model');
+const fields = require('../orm/fields/index').fields;
+
+/**
+ * AuthUser
+ *
+ * Base model for authentication. Ships with Millas.
+ * Covers the exact contract that Auth, AuthMiddleware, and AuthController expect:
+ *   - email       (unique, required for login)
+ *   - password    (hashed by Auth.register / Auth.hashPassword)
+ *   - role        (read by RoleMiddleware)
+ *
+ * ── Extending ────────────────────────────────────────────────────────────────
+ *
+ * Extend this instead of writing a User model from scratch.
+ * Add your own fields on top — all Auth behaviour is inherited.
+ *
+ *   class User extends AuthUser {
+ *     static table = 'users';
+ *     static fields = {
+ *       ...AuthUser.fields,
+ *       phone:      fields.string({ nullable: true }),
+ *       avatar_url: fields.string({ nullable: true }),
+ *       bio:        fields.text({ nullable: true }),
+ *     };
+ *   }
+ *
+ * ── Customising the token payload ─────────────────────────────────────────
+ *
+ * Override tokenPayload() to add custom claims to the JWT:
+ *
+ *   class User extends AuthUser {
+ *     tokenPayload() {
+ *       return {
+ *         ...super.tokenPayload(),
+ *         plan:  this.plan,
+ *         orgId: this.org_id,
+ *       };
+ *     }
+ *   }
+ *
+ * ── Customising register / login hooks ────────────────────────────────────
+ *
+ * Override static hooks to run logic around auth operations:
+ *
+ *   class User extends AuthUser {
+ *     static async afterCreate(instance) {
+ *       await emit('user.registered', { user: instance });
+ *     }
+ *   }
+ */
+class AuthUser extends Model {
+  static table = 'users';
+
+  static fields = {
+    id:         fields.id(),
+    name:       fields.string({ max: 100 }),
+    email:      fields.string({ unique: true }),
+    password:   fields.string(),
+    role:       fields.enum(['admin', 'user'], { default: 'user' }),
+    created_at: fields.timestamp(),
+    updated_at: fields.timestamp(),
+  };
+
+  // ── Auth contract helpers ──────────────────────────────────────────────────
+
+  /**
+   * The fields to include in the JWT payload.
+   * Override to add custom claims.
+   *
+   * @returns {object}
+   */
+  tokenPayload() {
+    return {
+      id:    this.id,
+      sub:   this.id,
+      email: this.email,
+      role:  this.role || null,
+    };
+  }
+
+  /**
+   * Safe representation — strips sensitive fields.
+   * Used by AuthController._safeUser().
+   *
+   * @returns {object}
+   */
+  toSafeObject() {
+    const data = { ...this };
+    delete data.password;
+    delete data.remember_token;
+    return data;
+  }
+}
+
+module.exports = AuthUser;

package/src/auth/RoleMiddleware.js

@@ -6,38 +6,28 @@ const HttpError  = require('../errors/HttpError');
 /**
  * RoleMiddleware
  *
- * Restricts route access to users with specific roles.
- * Must be used AFTER AuthMiddleware (requires req.user).
- *
- * Usage:
- *   middlewareRegistry.register('admin', new RoleMiddleware(['admin']));
- *   middlewareRegistry.register('staff', new RoleMiddleware(['admin', 'staff']));
- *
- *   Route.prefix('/admin').middleware(['auth', 'admin']).group(() => { ... });
+ * Restricts access to users with specific roles.
+ * Must run after AuthMiddleware (requires ctx.user).
  */
 class RoleMiddleware extends Middleware {
-  /**
-   * @param {string[]} roles — list of allowed role values
-   */
   constructor(roles = []) {
     super();
     this.roles = Array.isArray(roles) ? roles : [roles];
   }
 
-  async handle(req, res, next) {
-    if (!req.user) {
-      throw new HttpError(401, 'Unauthenticated — run AuthMiddleware before RoleMiddleware');
+  async handle({ user }, next) {
+    if (!user) {
+      throw new HttpError(401, 'Unauthenticated — AuthMiddleware must run first');
     }
 
-    const userRole = req.user.role || null;
-
+    const userRole = user.role || null;
     if (!userRole || !this.roles.includes(userRole)) {
       throw new HttpError(403,
         `Access denied. Required role: ${this.roles.join(' or ')}`
       );
     }
 
-    next();
+    return next();
   }
 }
 

package/src/cli.js

@@ -7,7 +7,7 @@ const program = new Command();
 program
   .name('millas')
   .description(chalk.cyan('⚡ Millas — A modern batteries-included Node.js framework'))
-  .version('0.1.0');
+  .version('0.2.12-beta-1');
 
 // Load all command modules
 require('./commands/new')(program);