millas 0.2.13 → 0.2.14

package/src/auth/Auth.js

@@ -19,23 +19,35 @@ const HttpError = require('../errors/HttpError');
  *     password: 'secret123',
  *   });
  *
- *   // Login
+ *   // Login — throws 401 on failure
  *   const { user, token } = await Auth.login('alice@example.com', 'secret123');
  *
+ *   // Attempt — returns user | null (Laravel/Rails style, never throws)
+ *   const user = await Auth.attempt(email, password);
+ *   if (!user) return this.unauthorized('Invalid credentials');
+ *
  *   // Verify a token
  *   const payload = Auth.verify(token);
  *
  *   // Get logged-in user from a request
  *   const user = await Auth.user(req);
  *
+ *   // Revoke a token (adds to in-memory denylist — resets on restart)
+ *   await Auth.revokeToken(user, token);
+ *
  *   // Check password
  *   const ok = await Auth.checkPassword('plain', user.password);
  */
 class Auth {
   constructor() {
-    this._jwt    = null;
-    this._config = null;
+    this._jwt       = null;
+    this._config    = null;
     this._UserModel = null;
+    // In-memory token denylist for revokeToken().
+    // Resets on server restart — sufficient for short-lived JWTs.
+    // For persistent revocation across restarts/processes, set a cache
+    // store via Auth.configure({ revocationStore: redisClient }).
+    this._revokedTokens = new Set();
   }
 
   // ─── Configuration ───────────────────────────────────────────────────────
@@ -124,6 +136,41 @@ class Auth {
     return { user, token, refreshToken };
   }
 
+  /**
+   * Attempt to authenticate with email + password.
+   *
+   * Laravel / Rails style — returns the user on success, null on failure.
+   * Never throws for bad credentials; throws only for unexpected errors.
+   *
+   * The caller is responsible for status checks (banned, inactive, etc.)
+   * because attempt() intentionally skips them — it only validates identity.
+   *
+   *   const user = await Auth.attempt(email, password);
+   *   if (!user) return this.unauthorized('Invalid email or password.');
+   *   if (user.status === 'banned') return this.forbidden('Account suspended.');
+   *   const token = Auth.issueToken(user);
+   *
+   * @param {string} email
+   * @param {string} password
+   * @returns {Promise<object|null>} user instance or null
+   */
+  async attempt(email, password) {
+    this._requireUserModel();
+
+    const user = await this._UserModel.findBy('email', email);
+    if (!user) return null;
+
+    const ok = await Hasher.check(password, user.password);
+    if (!ok) return null;
+
+    // Record last login (fire-and-forget)
+    try {
+      await this._UserModel.where('id', user.id).update({ last_login: new Date().toISOString() });
+    } catch { /* non-fatal */ }
+
+    return user;
+  }
+
   /**
    * Verify and decode a token string.
    * Throws 401 if expired or invalid.
@@ -176,6 +223,68 @@ class Auth {
     return u;
   }
 
+  /**
+   * Revoke a token so it cannot be used again.
+   *
+   * Adds the token's unique identifier (jti / sub+iat) to an in-memory denylist.
+   * The denylist resets on server restart — acceptable for short-lived JWTs (≤7d).
+   *
+   * For persistence across restarts or multi-process deployments, configure a
+   * cache store (Redis) in config/auth.js:
+   *
+   *   guards: { jwt: { revocationStore: redisClient } }
+   *
+   * The token string can be passed directly, or extracted from the request
+   * by AuthMiddleware and attached to req.token / ctx.token.
+   *
+   *   // In a logout controller:
+   *   await Auth.revokeToken(user, ctx.token);
+   *
+   * @param {object} user  — the authenticated user (used to scope the key)
+   * @param {string} token — the raw JWT string to revoke
+   */
+  async revokeToken(user, token) {
+    if (!token) return;
+
+    // Decode without verifying — we want to revoke even if it's expiring soon
+    const payload = this._jwt.decode(token);
+    if (!payload) return;
+
+    // Use jti if present, otherwise fall back to sub+iat which is unique per-issue
+    const key = payload.jti || `${payload.sub || user?.id}:${payload.iat}`;
+    this._revokedTokens.add(key);
+
+    // Prune stale entries occasionally to prevent unbounded growth
+    if (this._revokedTokens.size > 10000) {
+      this._pruneExpiredRevocations();
+    }
+  }
+
+  /**
+   * Check whether a token has been revoked.
+   * Called automatically by AuthMiddleware on every authenticated request.
+   *
+   * @param {string} token — raw JWT string
+   * @returns {boolean}
+   */
+  isRevoked(token) {
+    if (!token || this._revokedTokens.size === 0) return false;
+    const payload = this._jwt.decode(token);
+    if (!payload) return false;
+    const key = payload.jti || `${payload.sub}:${payload.iat}`;
+    return this._revokedTokens.has(key);
+  }
+
+  _pruneExpiredRevocations() {
+    // No expiry metadata stored — just trim the oldest half as a safety valve.
+    // In production use a Redis TTL-based store instead.
+    const entries = [...this._revokedTokens];
+    const half    = Math.floor(entries.length / 2);
+    for (let i = 0; i < half; i++) {
+      this._revokedTokens.delete(entries[i]);
+    }
+  }
+
   /**
    * Hash a plain-text password.
    */

package/src/auth/AuthMiddleware.js

@@ -11,40 +11,43 @@ const Auth       = require('./Auth');
  * Reads the Bearer token from the Authorization header,
  * verifies it, loads the user, and attaches them to req.user.
  *
- * Uses the Millas middleware signature: handle(req, next)
+ * Uses the Millas middleware signature: handle(ctx, next)
  * No Express res — returns a MillasResponse or calls next().
  */
 class AuthMiddleware extends Middleware {
-  async handle({ headers, req }, next) {
-    const header = headers.authorization || headers.Authorization;
-
+  async handle({ req, headers }, next) {
+    const header = headers?.authorization || headers?.Authorization;
+    //
     if (!header) {
       throw new HttpError(401, 'Authorization header missing');
     }
-
+    //
     if (!header.startsWith('Bearer ')) {
       throw new HttpError(401, 'Invalid authorization format. Use: Bearer <token>');
     }
-
+    //
     const token = header.slice(7);
     if (!token) {
       throw new HttpError(401, 'Token is empty');
     }
-
+    //
+    if (Auth.isRevoked(token)) {
+      throw new HttpError(401, 'Token has been revoked');
+    }
+    //
     const payload = Auth.verify(token);
-
+    //
     let user;
     try {
-      user = await Auth.user(req.raw);
-    } catch {
-      throw new HttpError(401, 'Authentication service not configured');
+      user = await Auth.user(req);
+    } catch (err) {
+      throw new HttpError(401, 'Authentication failed: ' + err.message);
     }
-
+    //
     if (!user) {
       throw new HttpError(401, 'User not found or has been deleted');
     }
-
-    // Attach to the underlying request so downstream handlers see req.user
+    //
     req.raw.user         = user;
     req.raw.token        = token;
     req.raw.tokenPayload = payload;
@@ -53,4 +56,4 @@ class AuthMiddleware extends Middleware {
   }
 }
 
-module.exports = AuthMiddleware;
+module.exports = AuthMiddleware;

package/src/auth/Hasher.js

@@ -1,51 +1,23 @@
 'use strict';
 
-const bcrypt = require('bcryptjs');
-
 /**
  * Hasher
  *
- * Wraps bcrypt for password hashing and verification.
+ * Thin re-export of the canonical Hash singleton from hashing/Hash.js.
+ *
+ * All password hashing in the framework — Auth.register(), Auth.login(),
+ * Auth.attempt(), AdminAuth.login(), createsuperuser CLI — flows through
+ * this single file, which delegates to HashManager (hashing/Hash.js).
+ *
+ * This means one algorithm, one rounds config, one place to change either.
+ *
+ * Developers who need hashing directly should prefer the Hash facade:
+ *   const { Hash } = require('millas/facades/Hash');
  *
- * Usage:
- *   const hash = await Hasher.make('my-password');
- *   const ok   = await Hasher.check('my-password', hash);
+ * Internal framework code uses this file so it works before the container
+ * is booted (CLI commands, early bootstrap).
  */
-class Hasher {
-  constructor(rounds = 12) {
-    this.rounds = rounds;
-  }
-
-  /**
-   * Hash a plain-text password.
-   * @param {string} plain
-   * @returns {Promise<string>}
-   */
-  async make(plain) {
-    return bcrypt.hash(String(plain), this.rounds);
-  }
-
-  /**
-   * Verify a plain-text password against a hash.
-   * @param {string} plain
-   * @param {string} hash
-   * @returns {Promise<boolean>}
-   */
-  async check(plain, hash) {
-    if (!plain || !hash) return false;
-    return bcrypt.compare(String(plain), String(hash));
-  }
-
-  /**
-   * Determine if a value needs to be re-hashed
-   * (e.g. rounds have changed).
-   */
-  needsRehash(hash) {
-    const rounds = bcrypt.getRounds(hash);
-    return rounds !== this.rounds;
-  }
-}
+const Hash = require('../hashing/Hash');
 
-// Singleton with default rounds
-module.exports = new Hasher(12);
-module.exports.Hasher = Hasher;
+module.exports = Hash;
+module.exports.Hasher = Hash.constructor;

package/src/cli.js

@@ -5,6 +5,7 @@ const chalk = require('chalk');
 const program = new Command();
 
 program
+  .enablePositionalOptions()
   .name('millas')
   .description(chalk.cyan('⚡ Millas — A modern batteries-included Node.js framework'))
   .version('0.2.12-beta-1');
@@ -18,6 +19,8 @@ require('./commands/route')(program);
 require('./commands/queue')(program);
 require('./commands/createsuperuser')(program);
 require('./commands/lang')(program);
+require('./commands/key')(program);
+require('./commands/call')(program);
 
 // Unknown command handler
 program.on('command:*', ([cmd]) => {

package/src/commands/call.js

@@ -0,0 +1,190 @@
+'use strict';
+
+const chalk = require('chalk');
+const path  = require('path');
+const fs    = require('fs');
+
+/**
+ * `millas call <signature> [args] [options]`
+ *
+ * Discovers all commands in app/commands/, then either:
+ *   - Runs the matched command directly, OR
+ *   - Lists all available commands when no signature is given
+ *
+ * Each command in app/commands/ must extend Command and have a static `signature`.
+ *
+ * ── Examples ─────────────────────────────────────────────────────────────────
+ *
+ *   millas call                        — list all custom commands
+ *   millas call email:digest           — run with defaults
+ *   millas call email:digest weekly    — positional arg
+ *   millas call email:digest --dry-run — flag
+ */
+module.exports = function (program) {
+  const commandsDir = path.resolve(process.cwd(), 'app/commands');
+  const CommandLoader = require('../console/CommandLoader');
+
+  // ── Bootstrap helpers ──────────────────────────────────────────────────────
+  async function bootstrapApp() {
+    const bootstrapPath = path.join(process.cwd(), 'bootstrap/app.js');
+    if (!fs.existsSync(bootstrapPath)) return;
+    
+    require('dotenv').config({ path: path.resolve(process.cwd(), '.env') });
+    
+    const basePath = process.cwd();
+    const AppServiceProvider = require(path.join(basePath, 'providers/AppServiceProvider'));
+    const AppInitializer = require('../container/AppInitializer');
+    
+    const config = {
+      basePath,
+      providers: [AppServiceProvider],
+      routes: null,
+      middleware: [],
+      logging: true,
+      database: true,
+      auth: true,
+      cache: true,
+      storage: true,
+      mail: true,
+      queue: true,
+      events: true,
+      admin: null,
+      docs: null,
+      adapterMiddleware: [],
+    };
+    
+    const initializer = new AppInitializer(config);
+    await initializer.bootKernel();
+  }
+
+  async function closeDb() {
+    try {
+      const DatabaseManager = require('../orm/drivers/DatabaseManager');
+      await DatabaseManager.closeAll();
+    } catch {}
+  }
+
+  // ── millas list ────────────────────────────────────────────────────────────
+  program
+    .command('list')
+    .description('List all available custom commands')
+    .action(() => {
+      if (!fs.existsSync(commandsDir)) {
+        console.log(chalk.yellow('\n  No app/commands/ directory found.\n'));
+        console.log(chalk.dim('  Run: millas make:command <Name>  to create your first command.\n'));
+        return;
+      }
+
+      const loader = new CommandLoader(commandsDir);
+      loader.load();
+      const sigs = loader.signatures();
+
+      if (sigs.length === 0) {
+        console.log(chalk.yellow('\n  No custom commands found in app/commands/.\n'));
+        console.log(chalk.dim('  Run: millas make:command <Name>  to create one.\n'));
+        return;
+      }
+
+      const maxLen = Math.max(...sigs.map(s => s.length));
+
+      console.log(chalk.bold('\n  Available commands:\n'));
+      for (const [sig, CommandClass] of loader._commands) {
+        const desc = CommandClass.description || '';
+        console.log(
+          '  ' + chalk.cyan(sig.padEnd(maxLen + 2)) +
+          chalk.dim(desc)
+        );
+      }
+      console.log();
+    });
+
+  // ── millas call <signature> ────────────────────────────────────────────────
+  // Uses Commander's allowUnknownOption + passThroughOptions so we can
+  // forward all args/options to the matched command.
+  const callCmd = program
+    .command('call <signature> [args...]')
+    .description('Run a custom command from app/commands/')
+    .allowUnknownOption(true)
+    .passThroughOptions(true)
+    .action((signature, extraArgs, options, cmd) => {
+      if (!fs.existsSync(commandsDir)) {
+        console.error(chalk.red('\n  ✖  No app/commands/ directory found.\n'));
+        console.error(chalk.dim('  Run: millas make:command <Name>  to create your first command.\n'));
+        process.exit(1);
+      }
+
+      const loader = new CommandLoader(commandsDir);
+      loader.load();
+
+      const CommandClass = loader._commands.get(signature);
+
+      if (!CommandClass) {
+        const sigs = loader.signatures();
+        console.error(chalk.red(`\n  ✖  Unknown command: ${chalk.bold(signature)}\n`));
+        if (sigs.length) {
+          console.log(chalk.dim('  Available commands:'));
+          for (const s of sigs) console.log(chalk.dim(`    ${s}`));
+        } else {
+          console.log(chalk.dim('  No custom commands found. Run: millas make:command <Name>'));
+        }
+        console.log();
+        process.exit(1);
+      }
+
+      // Re-parse args + options against the command's own definition
+      const { Command: CommanderCmd } = require('commander');
+      const sub = new CommanderCmd(signature);
+
+      const argsDef = CommandClass.args    || [];
+      const optsDef = CommandClass.options || [];
+
+      for (const a of argsDef) {
+        sub.argument(
+          a.default !== undefined ? `[${a.name}]` : `<${a.name}>`,
+          a.description || '',
+          a.default
+        );
+      }
+      for (const o of optsDef) {
+        if (o.default !== undefined) {
+          sub.option(o.flag, o.description || '', o.default);
+        } else {
+          sub.option(o.flag, o.description || '');
+        }
+      }
+
+      // Combine extraArgs back with the raw unknown options Commander captured
+      const rawArgs = [...(extraArgs || []), ...(cmd.args || [])];
+
+      // Re-deduplicate (Commander may put some into cmd.args already)
+      const allRaw = [...new Set([...extraArgs, ...rawArgs])];
+
+      sub.parse([process.execPath, signature, ...allRaw]);
+
+      const parsedOpts    = sub.opts();
+      const parsedPosArgs = sub.args;
+
+      const argMap = {};
+      for (let i = 0; i < argsDef.length; i++) {
+        argMap[argsDef[i].name] = parsedPosArgs[i] !== undefined
+          ? parsedPosArgs[i]
+          : argsDef[i].default;
+      }
+
+      const instance = new CommandClass();
+      instance._hydrate(argMap, parsedOpts);
+
+      // Prevent HTTP server from starting during CLI commands
+      process.env.MILLAS_CLI_MODE = '1';
+
+      Promise.resolve()
+        .then(() => bootstrapApp())
+        .then(() => instance.handle())
+        .catch(err => {
+          console.error(chalk.red(`\n  ✖  ${signature} failed: ${err.message}\n`));
+          if (process.env.DEBUG) console.error(err.stack);
+          process.exit(1);
+        })
+        .finally(() => closeDb());
+    });
+};

package/src/commands/createsuperuser.js

@@ -4,6 +4,7 @@ const chalk    = require('chalk');
 const path     = require('path');
 const fs       = require('fs-extra');
 const readline = require('readline');
+const Hasher   = require('../auth/Hasher');
 
 const Log = require("../logger/internal")
 
@@ -65,8 +66,7 @@ module.exports = function (program) {
 
         // ── Create via Auth.register path but with staff flags ───
         // Hash manually so we can pass the flags in the same create() call.
-        const Hasher = require('../auth/Hasher');
-        const hash   = await Hasher.make(plainPassword);
+        const hash = await Hasher.make(plainPassword);
 
         await User.create({
           email,
@@ -109,8 +109,7 @@ module.exports = function (program) {
         if (plain !== confirm) throw new Error('Passwords do not match.');
         validatePassword(plain);
 
-        const Hasher = require('../auth/Hasher');
-        const hash   = await Hasher.make(plain);
+        const hash = await Hasher.make(plain);
 
         await User.where('id', user.id).update({
           password:   hash,

package/src/commands/key.js

@@ -0,0 +1,97 @@
+'use strict';
+
+const chalk  = require('chalk');
+const fs     = require('fs');
+const path   = require('path');
+
+/**
+ * `millas key:generate`
+ *
+ * Generates a cryptographically random APP_KEY and writes it into the
+ * project's .env file — exactly like Laravel's `php artisan key:generate`.
+ *
+ * ── Behaviour ────────────────────────────────────────────────────────────────
+ *
+ *   - Reads the .env file in the current working directory
+ *   - Replaces (or appends) the APP_KEY= line with the new key
+ *   - Prints the key to stdout
+ *   - Use --show to print the key without writing to .env
+ *   - Use --force to overwrite an existing non-empty APP_KEY without prompting
+ *
+ * ── Examples ─────────────────────────────────────────────────────────────────
+ *
+ *   millas key:generate               — generate and write to .env
+ *   millas key:generate --show        — print only, don't write
+ *   millas key:generate --force       — overwrite existing key without prompt
+ *   millas key:generate --cipher AES-128-CBC
+ */
+module.exports = function (program) {
+  program
+    .command('key:generate')
+    .description('Generate a new application key and write it to .env')
+    .option('--show',           'Print the key without writing to .env')
+    .option('--force',          'Overwrite existing APP_KEY without confirmation')
+    .option('--cipher <cipher>', 'Cipher to use (default: AES-256-CBC)', 'AES-256-CBC')
+    .action(async (options) => {
+      const { Encrypter } = require('../encryption/Encrypter');
+
+      // Generate the key
+      let key;
+      try {
+        key = Encrypter.generateKey(options.cipher);
+      } catch (err) {
+        process.stderr.write(chalk.red(`\n  ✖  ${err.message}\n\n`));
+        process.exit(1);
+      }
+
+      // --show: just print, don't touch .env
+      if (options.show) {
+        console.log('\n  ' + chalk.cyan(key) + '\n');
+        return;
+      }
+
+      const envPath = path.resolve(process.cwd(), '.env');
+
+      if (!fs.existsSync(envPath)) {
+        process.stderr.write(chalk.red('\n  ✖  .env file not found.\n'));
+        process.stderr.write(chalk.dim('     Run: millas new <project>  or create a .env file first.\n\n'));
+        process.exit(1);
+      }
+
+      let envContent = fs.readFileSync(envPath, 'utf8');
+
+      // Check if APP_KEY already has a value
+      const existing = envContent.match(/^APP_KEY=(.+)$/m);
+      const hasValue = existing && existing[1] && existing[1].trim() !== '';
+
+      if (hasValue && !options.force) {
+        // Prompt for confirmation
+        const readline = require('readline');
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+        const answer = await new Promise(resolve => {
+          rl.question(
+            chalk.yellow('\n  ⚠  APP_KEY already set. Overwrite? (y/N) '),
+            ans => { rl.close(); resolve(ans); }
+          );
+        });
+        if ((answer || '').trim().toLowerCase() !== 'y') {
+          console.log(chalk.dim('\n  Key not changed.\n'));
+          return;
+        }
+      }
+
+      // Write the key into .env
+      if (/^APP_KEY=/m.test(envContent)) {
+        // Replace existing line
+        envContent = envContent.replace(/^APP_KEY=.*$/m, `APP_KEY=${key}`);
+      } else {
+        // Append if APP_KEY line is missing entirely
+        envContent += `\nAPP_KEY=${key}\n`;
+      }
+
+      fs.writeFileSync(envPath, envContent, 'utf8');
+
+      console.log(chalk.green('\n  ✔  Application key set.\n'));
+      console.log('  ' + chalk.dim('APP_KEY=') + chalk.cyan(key) + '\n');
+    });
+};

package/src/commands/make.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const chalk = require('chalk');
-const { makeController, makeModel, makeMiddleware, makeService, makeJob, makeMigration } = require('../scaffold/maker');
+const { makeController, makeModel, makeMiddleware, makeService, makeJob, makeMigration, makeShape, makeCommand } = require('../scaffold/maker');
 
 module.exports = function (program) {
 
@@ -48,6 +48,20 @@ module.exports = function (program) {
     .action(async (name) => {
       await run('Migration', () => makeMigration(name));
     });
+
+  program
+    .command('make:shape <n>')
+    .description('Generate a shape file with Create/Update contracts (app/shapes/)')
+    .action(async (name) => {
+      await run('Shape', () => makeShape(name));
+    });
+  program
+    .command('make:command <n>')
+    .description('Generate a new custom console command in app/commands/')
+    .action(async (name) => {
+      await run('Command', () => makeCommand(name));
+    });
+
 };
 
 async function run(type, fn) {
@@ -58,4 +72,4 @@ async function run(type, fn) {
     console.error(chalk.red(`\n  ✖ Failed to create ${type}: ${err.message}\n`));
     process.exit(1);
   }
-}
+}

package/src/commands/new.js

@@ -36,6 +36,21 @@ module.exports = function (program) {
           installSpinner.succeed(chalk.green('  Dependencies installed!'));
         }
 
+        // Auto-generate APP_KEY into the new project's .env
+        try {
+          const { Encrypter } = require('../encryption/Encrypter');
+          const envPath = path.join(targetDir, '.env');
+          const key = Encrypter.generateKey('AES-256-CBC');
+          if (fs.existsSync(envPath)) {
+            let envContent = fs.readFileSync(envPath, 'utf8');
+            envContent = /^APP_KEY=/m.test(envContent)
+              ? envContent.replace(/^APP_KEY=.*$/m, `APP_KEY=${key}`)
+              : envContent + `\nAPP_KEY=${key}\n`;
+            fs.writeFileSync(envPath, envContent, 'utf8');
+            console.log(chalk.green('  ✔  Application key generated.'));
+          }
+        } catch { /* non-fatal — developer can run millas key:generate */ }
+
         console.log();
         console.log(chalk.bold('  Next steps:'));
         console.log(chalk.cyan(`    cd ${projectName}`));
@@ -47,4 +62,4 @@ module.exports = function (program) {
         process.exit(1);
       }
     });
-};
+};