nest-authme 1.0.0

package/dist/generator/templates/jwt/jwt.strategy.ts.hbs

@@ -0,0 +1,61 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ConfigService } from '@nestjs/config';
+{{#if (eq orm "typeorm")}}
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { User } from '../../users/entities/user.entity';
+{{else}}
+import { UsersService } from '../../users/users.service';
+{{/if}}
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(
+{{#if (eq orm "typeorm")}}
+    @InjectRepository(User)
+    private usersRepository: Repository<User>,
+{{else}}
+    private usersService: UsersService,
+{{/if}}
+    private configService: ConfigService,
+  ) {
+    const secret = configService.get<string>('JWT_SECRET');
+
+    if (!secret) {
+      throw new Error(
+        'JWT_SECRET is not defined. Please add JWT_SECRET to your .env file.'
+      );
+    }
+
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: secret,
+    });
+  }
+
+  async validate(payload: any) {
+{{#if (eq orm "typeorm")}}
+    const user = await this.usersRepository.findOne({
+      where: { id: payload.sub },
+    });
+{{else}}
+    const user = await this.usersService.findById(payload.sub);
+{{/if}}
+
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    // Return user object (will be attached to request.user)
+    return {
+      id: user.id,
+      email: user.email,
+{{#if rbac.enabled}}
+      roles: user.roles,
+{{/if}}
+    };
+  }
+}

package/dist/generator/templates/jwt/local-auth.guard.ts.hbs

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class LocalAuthGuard extends AuthGuard('local') {}

package/dist/generator/templates/jwt/local.strategy.ts.hbs

@@ -0,0 +1,22 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { Strategy } from 'passport-local';
+import { AuthService } from '../auth.service';
+
+@Injectable()
+export class LocalStrategy extends PassportStrategy(Strategy) {
+  constructor(private authService: AuthService) {
+    super({
+      usernameField: 'email',
+      passwordField: 'password',
+    });
+  }
+
+  async validate(email: string, password: string): Promise<any> {
+    const user = await this.authService.validateUser(email, password);
+    if (!user) {
+      throw new UnauthorizedException('Invalid credentials');
+    }
+    return user;
+  }
+}

package/dist/generator/templates/prisma/prisma.module.ts.hbs

@@ -0,0 +1,9 @@
+import { Global, Module } from '@nestjs/common';
+import { PrismaService } from './prisma.service';
+
+@Global()
+@Module({
+  providers: [PrismaService],
+  exports: [PrismaService],
+})
+export class PrismaModule {}

package/dist/generator/templates/prisma/prisma.service.ts.hbs

@@ -0,0 +1,9 @@
+import { Injectable, OnModuleInit } from '@nestjs/common';
+import { PrismaClient } from '@prisma/client';
+
+@Injectable()
+export class PrismaService extends PrismaClient implements OnModuleInit {
+  async onModuleInit() {
+    await this.$connect();
+  }
+}

package/dist/generator/templates/prisma/schema.prisma.additions.hbs

@@ -0,0 +1,40 @@
+// ============================================================
+// Add these models to your prisma/schema.prisma file
+// Then run: npx prisma migrate dev --name add-auth-models
+// ============================================================
+
+model User {
+  id        String   @id @default(uuid())
+  email     String   @unique
+{{#if features.useUsername}}
+  username  String   @unique
+{{/if}}
+  password  String
+{{#if rbac.enabled}}
+  roles     String[] @default(["User"])
+{{/if}}
+{{#if features.emailVerification}}
+  isEmailVerified        Boolean  @default(false)
+  emailVerificationToken String?
+{{/if}}
+{{#if features.resetPassword}}
+  passwordResetToken     String?
+  passwordResetExpires   DateTime?
+{{/if}}
+{{#if features.refreshTokens}}
+  refreshTokens RefreshToken[]
+{{/if}}
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+}
+{{#if features.refreshTokens}}
+
+model RefreshToken {
+  id        String   @id @default(uuid())
+  token     String   @unique
+  userId    String
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  expiresAt DateTime
+  createdAt DateTime @default(now())
+}
+{{/if}}

package/dist/generator/templates/rbac/role.enum.ts.hbs

@@ -0,0 +1,5 @@
+export enum Role {
+{{#each rbac.roles}}
+  {{uppercase this}} = '{{this}}',
+{{/each}}
+}

package/dist/generator/templates/rbac/roles.guard.ts.hbs

@@ -0,0 +1,22 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ROLES_KEY } from '../decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<string[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!requiredRoles) {
+      return true;
+    }
+
+    const { user } = context.switchToHttp().getRequest();
+    return requiredRoles.some((role) => user.roles?.includes(role));
+  }
+}

package/dist/generator/templates/shared/README.auth.md.hbs

@@ -0,0 +1,306 @@
+# Authentication Module
+
+Generated by **nest-authme** on {{timestamp}}
+
+## Overview
+
+This authentication module provides:
+- ✅ JWT-based authentication
+{{#if rbac.enabled}}
+- ✅ Role-Based Access Control (RBAC)
+{{/if}}
+{{#if features.refreshTokens}}
+- ✅ Refresh token rotation
+{{/if}}
+- ✅ Password hashing with bcrypt
+- ✅ Request validation with class-validator
+{{#if (eq orm "typeorm")}}
+- ✅ TypeORM integration
+{{/if}}
+
+## Endpoints
+
+### Public Endpoints (No authentication required)
+
+#### POST /auth/register
+Register a new user.
+
+**Request body:**
+```json
+{
+  "email": "user@example.com",
+  "password": "your-password"
+}
+```
+
+**Response:**
+```json
+{
+  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
+{{#if features.refreshTokens}}
+  "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
+{{/if}}
+  "user": {
+    "id": "uuid",
+    "email": "user@example.com"{{#if rbac.enabled}},
+    "roles": ["User"]{{/if}}
+  }
+}
+```
+
+#### POST /auth/login
+Login with existing credentials.
+
+**Request body:**
+```json
+{
+  "email": "user@example.com",
+  "password": "your-password"
+}
+```
+
+**Response:** Same as register
+
+{{#if features.refreshTokens}}
+#### POST /auth/refresh
+Refresh access token using refresh token.
+
+**Request body:**
+```json
+{
+  "refreshToken": "eyJhbGciOiJIUzI1NiIs..."
+}
+```
+
+**Response:**
+```json
+{
+  "accessToken": "eyJhbGciOiJIUzI1NiIs..."
+}
+```
+{{/if}}
+
+### Protected Endpoints (Authentication required)
+
+#### GET /users/profile
+Get current user profile.
+
+**Headers:**
+```
+Authorization: Bearer <accessToken>
+```
+
+**Response:**
+```json
+{
+  "id": "uuid",
+  "email": "user@example.com"{{#if rbac.enabled}},
+  "roles": ["User"]{{/if}}
+}
+```
+
+{{#if rbac.enabled}}
+#### GET /users (Admin only)
+Get all users.
+
+**Headers:**
+```
+Authorization: Bearer <accessToken>
+```
+
+**Response:**
+```json
+[
+  {
+    "id": "uuid",
+    "email": "user@example.com",
+    "roles": ["User"],
+    "createdAt": "2026-01-01T00:00:00.000Z"
+  }
+]
+```
+{{/if}}
+
+## Setup
+
+### Enable Global JWT Guard (Recommended)
+
+To automatically protect all routes by default, add the JWT guard globally in your `main.ts`.
+
+**📄 See `main.ts.example` in your project root for a complete setup example.**
+
+Quick setup - add these lines to your `main.ts`:
+
+```typescript
+import { Reflector } from '@nestjs/core';
+import { JwtAuthGuard } from './auth/guards/jwt-auth.guard';
+
+// In bootstrap() function:
+const reflector = app.get(Reflector);
+app.useGlobalGuards(new JwtAuthGuard(reflector));
+```
+
+This makes all routes protected by default. Use `@Public()` to make specific routes public.
+
+**Alternative:** Manually add `@UseGuards(JwtAuthGuard)` to each protected controller/route.
+
+## Usage
+
+### Protect Routes
+
+By default (with global guard), all routes require authentication. Use the `@Public()` decorator to make routes public:
+
+```typescript
+import { Public } from './auth/decorators/public.decorator';
+
+@Public()
+@Get('public')
+getPublicData() {
+  return 'This endpoint is public';
+}
+```
+
+### Get Current User
+
+Use the `@CurrentUser()` decorator to access the authenticated user:
+
+```typescript
+import { CurrentUser } from './auth/decorators/current-user.decorator';
+
+@Get('me')
+getMe(@CurrentUser() user: any) {
+  return user;
+}
+```
+
+{{#if rbac.enabled}}
+### Role-Based Access Control
+
+Use the `@Roles()` decorator to restrict access by role:
+
+```typescript
+import { Roles } from './auth/decorators/roles.decorator';
+import { RolesGuard } from './auth/guards/roles.guard';
+
+@UseGuards(JwtAuthGuard, RolesGuard)
+@Roles('Admin')
+@Get('admin-only')
+adminOnlyRoute() {
+  return 'Only admins can see this';
+}
+```
+
+Available roles: {{#each rbac.roles}}{{this}}{{#unless @last}}, {{/unless}}{{/each}}
+{{/if}}
+
+## Environment Variables
+
+Copy `.env.example` to `.env` and update the values:
+
+```bash
+cp .env.example .env
+```
+
+Required variables:
+- `JWT_SECRET` - Secret key for JWT signing (auto-generated, but you can change it)
+- `JWT_EXPIRES_IN` - Access token expiration (e.g., "1h", "15m")
+{{#if features.refreshTokens}}
+- `JWT_REFRESH_EXPIRES_IN` - Refresh token expiration (e.g., "7d")
+{{/if}}
+{{#if (eq orm "typeorm")}}
+- `DATABASE_*` - Database connection details
+{{/if}}
+
+{{#if (eq orm "typeorm")}}
+## Database Setup
+
+### Create Migration
+
+Generate a migration for the auth tables:
+
+```bash
+npm run migration:generate -- src/migrations/CreateAuthTables
+```
+
+### Run Migration
+
+Apply the migration:
+
+```bash
+npm run migration:run
+```
+
+### Revert Migration
+
+Rollback the migration:
+
+```bash
+npm run migration:revert
+```
+{{/if}}
+
+## Security Best Practices
+
+1. **Never commit .env file** - It contains sensitive secrets
+2. **Use strong JWT secrets** - At least 32 characters, random
+3. **HTTPS in production** - Always use HTTPS to protect tokens
+4. **Short token expiration** - Keep access tokens short-lived
+{{#if features.refreshTokens}}
+5. **Rotate refresh tokens** - Refresh tokens are automatically rotated
+{{/if}}
+6. **Rate limiting** - Add rate limiting to auth endpoints
+7. **Password requirements** - Enforce strong password policies
+
+## Testing
+
+### Register a User
+
+```bash
+curl -X POST http://localhost:3000/auth/register \
+  -H "Content-Type: application/json" \
+  -d '{"email":"test@example.com","password":"Password123!"}'
+```
+
+### Login
+
+```bash
+curl -X POST http://localhost:3000/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email":"test@example.com","password":"Password123!"}'
+```
+
+### Access Protected Route
+
+```bash
+curl http://localhost:3000/users/profile \
+  -H "Authorization: Bearer <your-access-token>"
+```
+
+## Troubleshooting
+
+### "JWT secret not found"
+Make sure `.env` file exists and contains `JWT_SECRET`.
+
+### "Database connection failed"
+Check your database is running and credentials in `.env` are correct.
+
+### "Invalid credentials"
+Ensure email and password are correct. Passwords are case-sensitive.
+
+{{#if (eq orm "typeorm")}}
+### "Entity not found"
+Run migrations: `npm run migration:run`
+{{/if}}
+
+## Documentation
+
+- [NestJS Authentication](https://docs.nestjs.com/security/authentication)
+- [Passport.js](http://www.passportjs.org/)
+- [JWT](https://jwt.io/)
+{{#if (eq orm "typeorm")}}
+- [TypeORM](https://typeorm.io/)
+{{/if}}
+
+---
+
+Generated with ❤️ by [nest-authme](https://www.npmjs.com/package/nest-authme)

package/dist/generator/templates/shared/env.hbs

@@ -0,0 +1,36 @@
+# JWT Configuration
+JWT_SECRET={{jwt.secret}}
+JWT_EXPIRES_IN={{jwt.accessExpiration}}
+{{#if features.refreshTokens}}
+JWT_REFRESH_EXPIRES_IN={{jwt.refreshExpiration}}
+{{/if}}
+
+# Bcrypt
+BCRYPT_ROUNDS=10
+
+# Database Configuration
+{{#if (eq orm "prisma")}}
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/{{projectName}}?schema=public
+{{else}}
+{{#if (eq database "postgres")}}
+DATABASE_HOST=localhost
+DATABASE_PORT=5432
+DATABASE_USER=postgres
+DATABASE_PASSWORD=postgres
+DATABASE_NAME={{projectName}}
+{{/if}}
+{{#if (eq database "mysql")}}
+DATABASE_HOST=localhost
+DATABASE_PORT=3306
+DATABASE_USER=root
+DATABASE_PASSWORD=root
+DATABASE_NAME={{projectName}}
+{{/if}}
+{{#if (eq database "mongodb")}}
+MONGODB_URI=mongodb://localhost:27017/{{projectName}}
+{{/if}}
+{{/if}}
+
+# Application
+NODE_ENV=development
+PORT=3000

package/dist/generator/templates/shared/env.template.hbs

@@ -0,0 +1,36 @@
+# JWT Configuration
+JWT_SECRET=CHANGE_ME_GENERATE_WITH_openssl_rand_base64_32
+JWT_EXPIRES_IN={{jwt.accessExpiration}}
+{{#if features.refreshTokens}}
+JWT_REFRESH_EXPIRES_IN={{jwt.refreshExpiration}}
+{{/if}}
+
+# Bcrypt
+BCRYPT_ROUNDS=10
+
+# Database Configuration
+{{#if (eq orm "prisma")}}
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/{{projectName}}?schema=public
+{{else}}
+{{#if (eq database "postgres")}}
+DATABASE_HOST=localhost
+DATABASE_PORT=5432
+DATABASE_USER=postgres
+DATABASE_PASSWORD=postgres
+DATABASE_NAME={{projectName}}
+{{/if}}
+{{#if (eq database "mysql")}}
+DATABASE_HOST=localhost
+DATABASE_PORT=3306
+DATABASE_USER=root
+DATABASE_PASSWORD=root
+DATABASE_NAME={{projectName}}
+{{/if}}
+{{#if (eq database "mongodb")}}
+MONGODB_URI=mongodb://localhost:27017/{{projectName}}
+{{/if}}
+{{/if}}
+
+# Application
+NODE_ENV=development
+PORT=3000

package/dist/generator/templates/shared/main.ts.snippet.hbs

@@ -0,0 +1,49 @@
+// Add this to your main.ts for global JWT authentication
+// Location: src/main.ts
+
+import { NestFactory, Reflector } from '@nestjs/core';
+import { AppModule } from './app.module';
+import { JwtAuthGuard } from './auth/guards/jwt-auth.guard';
+import { ValidationPipe } from '@nestjs/common';
+{{#if features.swagger}}
+import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
+{{/if}}
+
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule);
+
+  // Enable global validation pipe
+  app.useGlobalPipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  );
+
+  // Enable global JWT guard (all routes protected by default)
+  const reflector = app.get(Reflector);
+  app.useGlobalGuards(new JwtAuthGuard(reflector));
+
+{{#if features.swagger}}
+  // Swagger API documentation
+  const swaggerConfig = new DocumentBuilder()
+    .setTitle('API Documentation')
+    .setDescription('JWT Authentication API')
+    .setVersion('1.0')
+    .addBearerAuth()
+    .build();
+  const document = SwaggerModule.createDocument(app, swaggerConfig);
+  SwaggerModule.setup('api', app, document);
+
+{{/if}}
+  // Enable CORS if needed
+  app.enableCors();
+
+  await app.listen(3000);
+  console.log('🚀 Application is running on: http://localhost:3000');
+{{#if features.swagger}}
+  console.log('📚 Swagger docs: http://localhost:3000/api');
+{{/if}}
+}
+bootstrap();