nest-authme 1.0.0

package/dist/generator/templates/jwt/auth.controller.ts.hbs

@@ -0,0 +1,177 @@
+import { Controller, Post, Body, HttpCode, HttpStatus{{#if features.refreshTokens}}, Req{{/if}}{{#if features.emailVerification}}, Get, Query{{/if}} } from '@nestjs/common';
+{{#if features.rateLimiting}}
+import { Throttle, SkipThrottle } from '@nestjs/throttler';
+{{/if}}
+{{#if features.swagger}}
+import { ApiTags, ApiOperation, ApiResponse, ApiBearerAuth } from '@nestjs/swagger';
+{{/if}}
+import { AuthService } from './auth.service';
+import { LoginDto } from './dto/login.dto';
+import { RegisterDto } from './dto/register.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
+{{#if features.resetPassword}}
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+{{/if}}
+import { AuthResponseDto } from './dto/auth-response.dto';
+import { Public } from './decorators/public.decorator';
+import { CurrentUser } from './decorators/current-user.decorator';
+
+@Controller('auth')
+{{#if features.swagger}}
+@ApiTags('Authentication')
+{{/if}}
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Public()
+  @Post('login')
+  @HttpCode(HttpStatus.OK)
+{{#if features.rateLimiting}}
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
+{{/if}}
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'User login' })
+  @ApiResponse({ status: 200, description: 'Login successful', type: AuthResponseDto })
+  @ApiResponse({ status: 401, description: 'Invalid credentials' })
+{{/if}}
+  async login(@Body() loginDto: LoginDto): Promise<AuthResponseDto> {
+    return this.authService.login(loginDto);
+  }
+
+  @Public()
+  @Post('register')
+{{#if features.rateLimiting}}
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+{{/if}}
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Register new user' })
+  @ApiResponse({ status: 201, description: 'User registered successfully', type: AuthResponseDto })
+  @ApiResponse({ status: 409, description: 'User already exists' })
+{{/if}}
+  async register(@Body() registerDto: RegisterDto): Promise<AuthResponseDto> {
+    return this.authService.register(registerDto);
+  }
+
+  @Post('change-password')
+  @HttpCode(HttpStatus.OK)
+{{#if features.swagger}}
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Change password' })
+  @ApiResponse({ status: 200, description: 'Password changed successfully' })
+  @ApiResponse({ status: 401, description: 'Invalid current password' })
+{{/if}}
+  async changePassword(
+    @CurrentUser() user: any,
+    @Body() changePasswordDto: ChangePasswordDto,
+  ): Promise<{ message: string }> {
+    await this.authService.changePassword(user.id, changePasswordDto);
+    return { message: 'Password changed successfully' };
+  }
+
+{{#if features.emailVerification}}
+  @Public()
+  @Get('verify-email')
+  @HttpCode(HttpStatus.OK)
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Verify email address' })
+  @ApiResponse({ status: 200, description: 'Email verified successfully' })
+  @ApiResponse({ status: 404, description: 'Invalid verification token' })
+{{/if}}
+  async verifyEmail(@Query('token') token: string): Promise<{ message: string }> {
+    return this.authService.verifyEmail(token);
+  }
+
+  @Public()
+  @Post('resend-verification')
+  @HttpCode(HttpStatus.OK)
+{{#if features.rateLimiting}}
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+{{/if}}
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Resend verification email' })
+  @ApiResponse({ status: 200, description: 'Verification token generated' })
+  @ApiResponse({ status: 404, description: 'User not found' })
+{{/if}}
+  async resendVerification(@Body('email') email: string): Promise<{ verificationToken: string; message: string }> {
+    return this.authService.resendVerification(email);
+  }
+{{/if}}
+
+{{#if features.resetPassword}}
+  @Public()
+  @Post('forgot-password')
+  @HttpCode(HttpStatus.OK)
+{{#if features.rateLimiting}}
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+{{/if}}
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Request password reset' })
+  @ApiResponse({ status: 200, description: 'Reset token generated if email exists' })
+{{/if}}
+  async forgotPassword(@Body() forgotPasswordDto: ForgotPasswordDto): Promise<{ resetToken: string; message: string }> {
+    return this.authService.forgotPassword(forgotPasswordDto);
+  }
+
+  @Public()
+  @Post('reset-password')
+  @HttpCode(HttpStatus.OK)
+{{#if features.rateLimiting}}
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+{{/if}}
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Reset password with token' })
+  @ApiResponse({ status: 200, description: 'Password reset successfully' })
+  @ApiResponse({ status: 400, description: 'Invalid or expired reset token' })
+{{/if}}
+  async resetPassword(@Body() resetPasswordDto: ResetPasswordDto): Promise<{ message: string }> {
+    return this.authService.resetPassword(resetPasswordDto);
+  }
+{{/if}}
+
+{{#if features.refreshTokens}}
+  @Public()
+  @Post('refresh')
+  @HttpCode(HttpStatus.OK)
+{{#if features.swagger}}
+  @ApiOperation({ summary: 'Refresh access token' })
+  @ApiResponse({ status: 200, description: 'Token refreshed successfully', type: AuthResponseDto })
+  @ApiResponse({ status: 401, description: 'Invalid refresh token' })
+{{/if}}
+  async refresh(@Body('refreshToken') refreshToken: string): Promise<AuthResponseDto> {
+    return this.authService.refreshAccessToken(refreshToken);
+  }
+
+{{#if features.rateLimiting}}
+  @SkipThrottle()
+{{/if}}
+  @Post('logout')
+  @HttpCode(HttpStatus.OK)
+{{#if features.swagger}}
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Logout (invalidate refresh token)' })
+  @ApiResponse({ status: 200, description: 'Logged out successfully' })
+  @ApiResponse({ status: 401, description: 'Unauthorized' })
+{{/if}}
+  async logout(@Body('refreshToken') refreshToken: string): Promise<{ message: string }> {
+    await this.authService.logout(refreshToken);
+    return { message: 'Logged out successfully' };
+  }
+
+{{#if features.rateLimiting}}
+  @SkipThrottle()
+{{/if}}
+  @Post('logout-all')
+  @HttpCode(HttpStatus.OK)
+{{#if features.swagger}}
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Logout from all devices' })
+  @ApiResponse({ status: 200, description: 'Logged out from all devices' })
+  @ApiResponse({ status: 401, description: 'Unauthorized' })
+{{/if}}
+  async logoutAll(@Req() req: any): Promise<{ message: string }> {
+    await this.authService.logoutAll(req.user.id);
+    return { message: 'Logged out from all devices' };
+  }
+{{/if}}
+}

package/dist/generator/templates/jwt/auth.module.ts.hbs

@@ -0,0 +1,81 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+{{#if features.rateLimiting}}
+import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
+import { APP_GUARD } from '@nestjs/core';
+{{/if}}
+{{#if (eq orm "typeorm")}}
+import { TypeOrmModule } from '@nestjs/typeorm';
+{{/if}}
+{{#if (eq orm "prisma")}}
+import { PrismaService } from '../prisma/prisma.service';
+{{/if}}
+import { AuthService } from './auth.service';
+import { AuthController } from './auth.controller';
+import { JwtStrategy } from './strategies/jwt.strategy';
+import { LocalStrategy } from './strategies/local.strategy';
+import { UsersModule } from '../users/users.module';
+{{#if (eq orm "typeorm")}}
+import { User } from '../users/entities/user.entity';
+{{#if features.refreshTokens}}
+import { RefreshToken } from '../users/entities/refresh-token.entity';
+{{/if}}
+{{/if}}
+
+@Module({
+  imports: [
+    UsersModule,
+    PassportModule,
+    ConfigModule,
+{{#if features.rateLimiting}}
+    ThrottlerModule.forRoot([{
+      ttl: 60000,
+      limit: 10,
+    }]),
+{{/if}}
+    JwtModule.registerAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: async (configService: ConfigService) => {
+        const secret = configService.get<string>('JWT_SECRET');
+        const expiresIn = configService.get<string>('JWT_EXPIRES_IN', '{{jwt.accessExpiration}}');
+
+        return {
+          secret,
+          signOptions: {
+            expiresIn: expiresIn as any, // NestJS accepts string or number
+          },
+        };
+      },
+    }),
+{{#if (eq orm "typeorm")}}
+    TypeOrmModule.forFeature([
+      User,
+{{#if features.refreshTokens}}
+      RefreshToken,
+{{/if}}
+    ]),
+{{/if}}
+  ],
+  controllers: [AuthController],
+  providers: [
+    AuthService,
+    JwtStrategy,
+    LocalStrategy,
+{{#if (eq orm "prisma")}}
+{{#if features.refreshTokens}}
+    PrismaService,
+{{/if}}
+{{/if}}
+{{#if features.rateLimiting}}
+    {
+      provide: APP_GUARD,
+      useClass: ThrottlerGuard,
+    },
+{{/if}}
+  ],
+  exports: [AuthService],
+})
+export class AuthModule {}

package/dist/generator/templates/jwt/auth.service.ts.hbs

@@ -0,0 +1,416 @@
+import { Injectable, UnauthorizedException{{#if features.resetPassword}}, BadRequestException{{/if}}{{#if features.emailVerification}}, NotFoundException{{/if}} } from '@nestjs/common';
+{{#if (or features.emailVerification features.resetPassword)}}
+import * as crypto from 'crypto';
+{{/if}}
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+{{#if (eq orm "typeorm")}}
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+{{/if}}
+{{#if (eq orm "prisma")}}
+import { PrismaService } from '../prisma/prisma.service';
+{{/if}}
+import * as bcrypt from 'bcrypt';
+import { UsersService } from '../users/users.service';
+{{#if (eq orm "typeorm")}}
+import { User } from '../users/entities/user.entity';
+{{#if features.refreshTokens}}
+import { RefreshToken } from '../users/entities/refresh-token.entity';
+{{/if}}
+{{/if}}
+import { LoginDto } from './dto/login.dto';
+import { RegisterDto } from './dto/register.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
+{{#if features.resetPassword}}
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+{{/if}}
+import { AuthResponseDto } from './dto/auth-response.dto';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private usersService: UsersService,
+    private jwtService: JwtService,
+    private configService: ConfigService,
+{{#if (eq orm "typeorm")}}
+{{#if features.refreshTokens}}
+    @InjectRepository(RefreshToken)
+    private refreshTokenRepository: Repository<RefreshToken>,
+{{/if}}
+{{/if}}
+{{#if (eq orm "prisma")}}
+{{#if features.refreshTokens}}
+    private prisma: PrismaService,
+{{/if}}
+{{/if}}
+  ) {}
+
+  /**
+   * Validate user credentials
+   */
+  async validateUser(email: string, password: string): Promise<any> {
+    const user = await this.usersService.findByEmail(email);
+    if (!user) {
+      return null;
+    }
+
+    const isPasswordValid = await bcrypt.compare(password, user.password);
+    if (!isPasswordValid) {
+      return null;
+    }
+
+    const { password: _, ...result } = user;
+    return result;
+  }
+
+  /**
+   * User login
+   */
+  async login(loginDto: LoginDto): Promise<AuthResponseDto> {
+    const user = await this.validateUser(loginDto.email, loginDto.password);
+    if (!user) {
+      throw new UnauthorizedException('Invalid credentials');
+    }
+
+    const payload = { email: user.email, sub: user.id{{#if rbac.enabled}}, roles: user.roles{{/if}} };
+    const accessToken = this.jwtService.sign(payload);
+
+{{#if features.refreshTokens}}
+    const refreshToken = await this.createRefreshToken(user.id);
+
+    return {
+      accessToken,
+      refreshToken: refreshToken.token,
+      user: {
+        id: user.id,
+        email: user.email,
+{{#if features.useUsername}}
+        username: user.username,
+{{/if}}
+{{#if rbac.enabled}}
+        roles: user.roles,
+{{/if}}
+      },
+    };
+{{else}}
+    return {
+      accessToken,
+      user: {
+        id: user.id,
+        email: user.email,
+{{#if features.useUsername}}
+        username: user.username,
+{{/if}}
+{{#if rbac.enabled}}
+        roles: user.roles,
+{{/if}}
+      },
+    };
+{{/if}}
+  }
+
+  /**
+   * User registration
+   */
+  async register(registerDto: RegisterDto): Promise<AuthResponseDto> {
+    const bcryptRounds = parseInt(this.configService.get('BCRYPT_ROUNDS', '10'), 10);
+    const hashedPassword = await bcrypt.hash(registerDto.password, bcryptRounds);
+
+    const user = await this.usersService.create({
+      email: registerDto.email,
+{{#if features.useUsername}}
+      username: registerDto.username,
+{{/if}}
+      password: hashedPassword,
+{{#if rbac.enabled}}
+      roles: ['User'], // Default role for new users. Admin roles should be assigned by admins only.
+{{/if}}
+    });
+
+{{#if features.emailVerification}}
+    // Generate email verification token
+    const verificationToken = crypto.randomBytes(32).toString('hex');
+    await this.usersService.setVerificationToken(user.id, verificationToken);
+    // TODO: Send verification email with token to user.email
+{{/if}}
+
+    const payload = { email: user.email, sub: user.id{{#if rbac.enabled}}, roles: user.roles{{/if}} };
+    const accessToken = this.jwtService.sign(payload);
+
+{{#if features.refreshTokens}}
+    const refreshToken = await this.createRefreshToken(user.id);
+
+    return {
+      accessToken,
+      refreshToken: refreshToken.token,
+{{#if features.emailVerification}}
+      verificationToken,
+{{/if}}
+      user: {
+        id: user.id,
+        email: user.email,
+{{#if features.useUsername}}
+        username: user.username,
+{{/if}}
+{{#if rbac.enabled}}
+        roles: user.roles,
+{{/if}}
+      },
+    };
+{{else}}
+    return {
+      accessToken,
+{{#if features.emailVerification}}
+      verificationToken,
+{{/if}}
+      user: {
+        id: user.id,
+        email: user.email,
+{{#if features.useUsername}}
+        username: user.username,
+{{/if}}
+{{#if rbac.enabled}}
+        roles: user.roles,
+{{/if}}
+      },
+    };
+{{/if}}
+  }
+
+  /**
+   * Change password
+   */
+  async changePassword(userId: string, changePasswordDto: ChangePasswordDto): Promise<void> {
+    const user = await this.usersService.findById(userId);
+    if (!user) {
+      throw new UnauthorizedException('User not found');
+    }
+
+    const isCurrentValid = await bcrypt.compare(changePasswordDto.currentPassword, user.password);
+    if (!isCurrentValid) {
+      throw new UnauthorizedException('Current password is incorrect');
+    }
+
+    const bcryptRounds = parseInt(this.configService.get('BCRYPT_ROUNDS', '10'), 10);
+    const hashedPassword = await bcrypt.hash(changePasswordDto.newPassword, bcryptRounds);
+    await this.usersService.updatePassword(userId, hashedPassword);
+  }
+
+{{#if features.emailVerification}}
+  /**
+   * Verify email with token
+   */
+  async verifyEmail(token: string): Promise<{ message: string }> {
+    const user = await this.usersService.findByVerificationToken(token);
+    if (!user) {
+      throw new NotFoundException('Invalid verification token');
+    }
+
+    await this.usersService.markEmailVerified(user.id);
+    return { message: 'Email verified successfully' };
+  }
+
+  /**
+   * Resend verification email
+   */
+  async resendVerification(email: string): Promise<{ verificationToken: string; message: string }> {
+    const user = await this.usersService.findByEmail(email);
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+
+    if (user.isEmailVerified) {
+      return { verificationToken: '', message: 'Email is already verified' };
+    }
+
+    const verificationToken = crypto.randomBytes(32).toString('hex');
+    await this.usersService.setVerificationToken(user.id, verificationToken);
+    // TODO: Send verification email with token to user.email
+
+    return { verificationToken, message: 'Verification token generated' };
+  }
+{{/if}}
+
+{{#if features.resetPassword}}
+  /**
+   * Forgot password - generate reset token
+   */
+  async forgotPassword(forgotPasswordDto: ForgotPasswordDto): Promise<{ resetToken: string; message: string }> {
+    const user = await this.usersService.findByEmail(forgotPasswordDto.email);
+    if (!user) {
+      // Return success even if user not found to prevent email enumeration
+      return { resetToken: '', message: 'If the email exists, a reset token has been generated' };
+    }
+
+    const resetToken = crypto.randomBytes(32).toString('hex');
+    const expires = new Date();
+    expires.setHours(expires.getHours() + 1); // Token expires in 1 hour
+
+    await this.usersService.setResetToken(user.id, resetToken, expires);
+    // TODO: Send password reset email with token to user.email
+
+    return { resetToken, message: 'Password reset token generated' };
+  }
+
+  /**
+   * Reset password with token
+   */
+  async resetPassword(resetPasswordDto: ResetPasswordDto): Promise<{ message: string }> {
+    const user = await this.usersService.findByResetToken(resetPasswordDto.token);
+    if (!user) {
+      throw new BadRequestException('Invalid or expired reset token');
+    }
+
+    if (user.passwordResetExpires && user.passwordResetExpires < new Date()) {
+      throw new BadRequestException('Reset token has expired');
+    }
+
+    const bcryptRounds = parseInt(this.configService.get('BCRYPT_ROUNDS', '10'), 10);
+    const hashedPassword = await bcrypt.hash(resetPasswordDto.newPassword, bcryptRounds);
+    await this.usersService.updatePassword(user.id, hashedPassword);
+    await this.usersService.clearResetToken(user.id);
+
+    return { message: 'Password reset successfully' };
+  }
+{{/if}}
+
+{{#if features.refreshTokens}}
+  /**
+   * Create a refresh token
+   */
+  private async createRefreshToken(userId: string): Promise<any> {
+    const token = this.jwtService.sign(
+      { sub: userId },
+      { expiresIn: '{{jwt.refreshExpiration}}' }
+    );
+
+    const expiresAt = new Date();
+    expiresAt.setDate(expiresAt.getDate() + 7); // 7 days
+
+{{#if (eq orm "typeorm")}}
+    const refreshToken = this.refreshTokenRepository.create({
+      token,
+      userId,
+      expiresAt,
+    });
+
+    return await this.refreshTokenRepository.save(refreshToken);
+{{else if (eq orm "prisma")}}
+    return await this.prisma.refreshToken.create({
+      data: {
+        token,
+        userId,
+        expiresAt,
+      },
+    });
+{{else}}
+    // TODO: Implement refresh token storage for your ORM
+    return { token, userId, expiresAt } as any;
+{{/if}}
+  }
+
+  /**
+   * Refresh access token (with token rotation)
+   */
+  async refreshAccessToken(refreshToken: string): Promise<AuthResponseDto> {
+    try {
+      const payload = this.jwtService.verify(refreshToken);
+
+{{#if (eq orm "typeorm")}}
+      const storedToken = await this.refreshTokenRepository.findOne({
+        where: { token: refreshToken },
+      });
+
+      if (!storedToken || storedToken.expiresAt < new Date()) {
+        throw new UnauthorizedException('Invalid refresh token');
+      }
+
+      // Delete the old refresh token (one-time use)
+      await this.refreshTokenRepository.remove(storedToken);
+{{else if (eq orm "prisma")}}
+      const storedToken = await this.prisma.refreshToken.findUnique({
+        where: { token: refreshToken },
+      });
+
+      if (!storedToken || storedToken.expiresAt < new Date()) {
+        throw new UnauthorizedException('Invalid refresh token');
+      }
+
+      // Delete the old refresh token (one-time use)
+      await this.prisma.refreshToken.delete({
+        where: { id: storedToken.id },
+      });
+{{/if}}
+
+      const user = await this.usersService.findById(payload.sub);
+      if (!user) {
+        throw new UnauthorizedException('User not found');
+      }
+
+      const newPayload = { email: user.email, sub: user.id{{#if rbac.enabled}}, roles: user.roles{{/if}} };
+      const accessToken = this.jwtService.sign(newPayload);
+
+      // Issue a new refresh token (rotation)
+      const newRefreshToken = await this.createRefreshToken(user.id);
+
+      return {
+        accessToken,
+        refreshToken: newRefreshToken.token,
+        user: {
+          id: user.id,
+          email: user.email,
+{{#if features.useUsername}}
+          username: user.username,
+{{/if}}
+{{#if rbac.enabled}}
+          roles: user.roles,
+{{/if}}
+        },
+      };
+    } catch (error) {
+      if (error instanceof UnauthorizedException) {
+        throw error;
+      }
+      throw new UnauthorizedException('Invalid refresh token');
+    }
+  }
+
+  /**
+   * Logout - delete the specific refresh token
+   */
+  async logout(refreshToken: string): Promise<void> {
+{{#if (eq orm "typeorm")}}
+    const storedToken = await this.refreshTokenRepository.findOne({
+      where: { token: refreshToken },
+    });
+
+    if (storedToken) {
+      await this.refreshTokenRepository.remove(storedToken);
+    }
+{{else if (eq orm "prisma")}}
+    await this.prisma.refreshToken.deleteMany({
+      where: { token: refreshToken },
+    });
+{{else}}
+    // TODO: Implement refresh token deletion for your ORM
+{{/if}}
+  }
+
+  /**
+   * Logout from all devices - delete all refresh tokens for user
+   */
+  async logoutAll(userId: string): Promise<void> {
+{{#if (eq orm "typeorm")}}
+    await this.refreshTokenRepository.delete({ userId });
+{{else if (eq orm "prisma")}}
+    await this.prisma.refreshToken.deleteMany({
+      where: { userId },
+    });
+{{else}}
+    // TODO: Implement all refresh token deletion for your ORM
+{{/if}}
+  }
+{{/if}}
+}

package/dist/generator/templates/jwt/jwt-auth.guard.ts.hbs

@@ -0,0 +1,24 @@
+import { Injectable, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AuthGuard } from '@nestjs/passport';
+import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {
+  constructor(private reflector: Reflector) {
+    super();
+  }
+
+  canActivate(context: ExecutionContext) {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (isPublic) {
+      return true;
+    }
+
+    return super.canActivate(context);
+  }
+}