nodejs-quickstart-structure 2.0.1 → 2.1.0

package/templates/common/.cursorrules.ejs

@@ -58,3 +58,12 @@ When indexing or searching the workspace, ignore the following paths to prevent
   - `controllers`: Request handlers and business logic.
   - `routes`: Define endpoints routing to controllers.
 <% } -%>
+
+### 5. Security & Authentication
+<% if (auth.includes('JWT')) { -%>
+- **Protected Routes**: When adding new routes, consider if they need `authMiddleware`.
+- **User Identity**: Extract user info from `req.user` (populated by middleware).
+- **Sensitive Data**: Never return passwords in API responses (ensure `.toJSON()` or DTOs handle this).
+<% } -%>
+- **Input Validation**: Always validate user input using schemas or controller-level checks.
+- **Sanitization**: Ensure inputs are sanitized before being used in DB queries (though our ORMs like Sequelize/Mongoose handle much of this).

package/templates/common/.env.example.ejs

@@ -1,8 +1,8 @@
 # Application
 PORT=3000
 NODE_ENV=development
-
 <%_ if (database !== 'None') { -%>
+
 # Database
 <%_ if (database === 'MySQL') { -%>
 DB_HOST=localhost
@@ -10,32 +10,39 @@ DB_PORT=3306
 DB_USER=root
 DB_PASSWORD=root
 DB_NAME=<%= dbName %>
-<%_ } -%>
+<% } -%>
 <%_ if (database === 'PostgreSQL') { -%>
 DB_HOST=localhost
 DB_PORT=5432
 DB_USER=postgres
 DB_PASSWORD=root
 DB_NAME=<%= dbName %>
-<%_ } -%>
+<% } -%>
 <%_ if (database === 'MongoDB') { -%>
 DB_HOST=localhost
 DB_PORT=27017
 DB_NAME=<%= dbName %>
-<%_ } -%>
-<%_ } -%>
-
-
+<% } -%>
+<% } -%>
 <%_ if (communication === 'Kafka') { -%>
+
 # Communication
 KAFKA_BROKER=localhost:9093
 KAFKA_CLIENT_ID=<%= projectName %>
 KAFKA_GROUP_ID=<%= projectName %>-group
-<%_ } -%>
-
+<% } -%>
 <%_ if (caching === 'Redis') { -%>
+
 # Caching
 REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_PASSWORD=
-<%_ } -%>
+<% } -%>
+<%_ if (auth.includes('JWT')) { -%>
+
+# Authentication
+JWT_SECRET=your_jwt_secret_key_here_change_it
+JWT_REFRESH_SECRET=your_jwt_refresh_secret_key_here_change_it
+JWT_EXPIRES_IN=15m
+JWT_REFRESH_EXPIRES_IN=7d
+<% } -%>

package/templates/common/README.md.ejs

@@ -29,6 +29,7 @@ This project follows a strict **7-Step Production-Ready Process** to ensure qual
 
 -   **Architecture**: <%= architecture %> (<% if (architecture === 'Clean Architecture') { %>Domain, UseCases, Infrastructure<% } else { %>MVC Pattern<% } %>).
 -   **Database**: <%= database %> <% if (database !== 'None') { %>(via <%= database === 'MongoDB' ? 'Mongoose' : 'Sequelize' %>)<% } %>.
+<% if (auth.includes('JWT')) { %>-   **Authentication**: JWT-based Auth (Sign Up, Login, Protected Routes).<% } %>
 -   **Security**: Helmet, CORS, Rate Limiting, HPP, Snyk SCA.
 -   **Quality**: 80%+ Test Coverage, Eslint, Prettier, Husky.
 -   **DevOps**: Multi-stage Docker, CI/CD ready (GitHub/GitLab/Jenkins/Bitbucket/CircleCI).
@@ -95,6 +96,21 @@ Microservices communication handled via **Kafka**.
 API is exposed via **GraphQL**.
 The Apollo Sandbox UI for API exploration and documentation is available natively, fully embedded for offline development:
 - **URL**: `http://localhost:3000/graphql` (Dynamic based on PORT)
+
+<%_ if (auth.includes('JWT')) { _%>
+### 🔐 Authorization
+To access protected resolvers (Query: `getAllUsers`, Mutations: `updateUser`, `deleteUser`), you must provide a valid JWT token in the headers.
+
+**How to authenticate:**
+1. Use the REST login endpoint: `POST /api/auth/login` (with your email and password).
+2. Copy the `accessToken` from the response.
+3. In the Apollo Sandbox "HTTP Headers" tab (bottom section), add:
+```json
+{
+  "Authorization": "Bearer YOUR_ACCESS_TOKEN_HERE"
+}
+```<%_ } _%>
+
 If you are opening `http://localhost:3000/graphql` in your browser, you can directly run the following in the Apollo Sandbox UI:
 
 **Query to get all users:**
@@ -111,7 +127,7 @@ query GetAllUsers {
 **Mutation to create a user:**
 ```graphql
 mutation CreateUser {
-  createUser(name: "John Doe", email: "john@example.com") {
+  createUser(name: "John Doe", email: "john@example.com"<%_ if (auth.includes('JWT')) { _%>, password: "yourpassword123"<%_ } _%>) {
     id
     name
     email
@@ -119,7 +135,7 @@ mutation CreateUser {
 }
 ```
 
-**Mutation to update a user:**
+**Mutation to update a user (Protected):**
 ```graphql
 mutation UpdateUser {
   updateUser(id: "1", name: "John Updated") {
@@ -130,7 +146,7 @@ mutation UpdateUser {
 }
 ```
 
-**Mutation to delete a user:**
+**Mutation to delete a user (Protected):**
 ```graphql
 mutation DeleteUser {
   deleteUser(id: "1")
@@ -143,32 +159,61 @@ A Swagger UI for API documentation is available at:
 
 ### 🛣️ User Endpoints:
 - `GET /api/users`: List all users.
+- `GET /api/users/:id`: Get a user by ID.
 - `POST /api/users`: Create a new user.
 - `PATCH /api/users/:id`: Partially update a user.
 - `DELETE /api/users/:id`: Delete a user (Soft Delete).
-<%_ } -%>
-
+<%_ if (auth.includes('JWT')) { %>
+### 🔐 Auth Endpoints:
+- `POST /api/auth/login`: Exchange credentials for a short-lived `accessToken` and a long-lived `refreshToken`.
+- `POST /api/auth/refresh`: Submit a `refreshToken` to receive a new pair of tokens. (Includes theft-detection logic).
+- `POST /api/auth/logout`: Revoke (blacklist) the active `accessToken` and delete the `refreshToken`.
+- `POST /api/users`: Acts as Sign Up when password is provided.
+  *Note: To access protected user endpoints (GET/PATCH/DELETE), include `Authorization: Bearer <your_accessToken>` in the headers.*
+<% } -%>
+<% } -%>
 <% if (communication === 'Kafka') { -%>
 ## 📡 Testing Kafka Asynchronous Flow
 This project demonstrates a production-ready Kafka flow:
-1. **Producer**: When a user is created via the API, a `USER_CREATED` event is sent to `user-topic`.
-2. **Consumer**: `WelcomeEmailConsumer` listens to `user-topic` and simulates sending an email.
+1. **Producer**: When a user is created, updated, or deleted via the API, a corresponding event (`USER_CREATED`, `USER_UPDATED`, `USER_DELETED`) is sent to `user-topic`.
+2. **Consumer**: `WelcomeEmailConsumer` listens to `user-topic` and simulates processing (e.g., sending an email on creation).
 
 ### How to verify:
 1. Ensure infrastructure is running: `docker-compose up -d<% if (database !== 'None') { %> db<% } %><% if (caching === 'Redis') { %> redis<% } %><% if (communication === 'Kafka') { %> kafka<% } %>`
 2. Start the app: `npm run dev`
-3. Trigger an event by creating a user (via Postman or curl):
-   ```bash
-   curl -X POST http://localhost:3000/api/users \
-     -H "Content-Type: application/json" \
-     -d '{"name": "Kafka Tester", "email": "kafka@example.com"}'
-   ```
+3. Trigger internal events:
+ 
+**Create User (Sign Up - Public):**
+```bash
+curl -X POST http://localhost:3000/api/users \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Kafka Tester", "email": "kafka@example.com"<%_ if (auth.includes('JWT')) { _%>, "password": "password123"<%_ } _%>}'
+```
+
+<%_ if (auth.includes('JWT')) { _%>
+**Update User (Protected - Requires Auth):**
+1. Login to get token: `POST /api/auth/login`
+2. Update user with token:
+```bash
+curl -X PATCH http://localhost:3000/api/users/1 \
+  -H "Authorization: Bearer <YOUR_TOKEN>" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Updated Name"}'
+```
+<%_ } else { _%>
+**Update User:**
+```bash
+curl -X PATCH http://localhost:3000/api/users/1 \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Updated Name"}'
+```
+<%_ } _%>
 4. Observe the logs:
-   ```text
-   [Kafka] Producer: Sent USER_CREATED event for 'kafka@example.com'
-   [Kafka] Consumer: Received USER_CREATED. 
-   [Kafka] Consumer: 📧 Sending welcome email to 'kafka@example.com'... Done!
-   ```
+```text
+[Kafka] Producer: Sent USER_CREATED event for 'kafka@example.com'
+[Kafka] Consumer: Received USER_CREATED. 
+[Kafka] Consumer: 📧 Sending welcome email to 'kafka@example.com'... Done!
+```
 
 ### 🛠️ Kafka Troubleshooting
 If the connection or events are failing:

package/templates/common/auth/js/controllers/authController.js.ejs

@@ -0,0 +1,168 @@
+const bcrypt = require('bcryptjs');
+<% if (architecture === 'MVC') { -%>
+const User = require('../models/User');
+const JwtService = require('../services/jwtService');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../config/redisClient<% } else { %>../config/memoryCache<% } %>');
+<% } -%>
+const logger = require('../utils/logger');
+<% } else { -%>
+const User = require('../../../infrastructure/database/models/User');
+const JwtService = require('../../../infrastructure/auth/jwtService');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../../../infrastructure/caching/redisClient<% } else { %>../../../infrastructure/caching/memoryCache<% } %>');
+<% } -%>
+const logger = require('../../../infrastructure/log/logger');
+<% } -%>
+const HTTP_STATUS = require('<% if (architecture === "MVC") { %>../utils/httpCodes<% } else { %>../../../utils/httpCodes<% } %>');
+
+class AuthController {
+  constructor() {
+    this.login = this.login.bind(this);
+    this.refresh = this.refresh.bind(this);
+    this.logout = this.logout.bind(this);
+  }
+
+  async login(req, res, next) {
+    try {
+      const { email, password } = req.body;
+      <% if (database === 'MongoDB' || database === 'None') { %>
+      const user = await User.findOne({ email });
+      <% } else { %>
+      const user = await User.findOne({ where: { email } });
+      <% } %>
+      if (!user) {
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid credentials' });
+      }
+
+      const isPasswordValid = await bcrypt.compare(password, user.password);
+      if (!isPasswordValid) {
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid credentials' });
+      }
+
+      const userId = String(user.id || user._id);
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: user.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
+
+      <% if (caching !== 'None') { %>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <% } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <% } %>
+
+      res.json({ token: accessToken, accessToken, refreshToken });
+    } catch (error) {
+      logger.error('Login error:', error);
+      next(error);
+    }
+  }
+
+  async refresh(req, res, next) {
+    try {
+      const { refreshToken } = req.body;
+      if (!refreshToken) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Refresh token is required' });
+      }
+
+      const decoded = JwtService.verifyRefreshToken(refreshToken);
+      if (!decoded || !decoded.id || !decoded.jti) {
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid refresh token' });
+      }
+
+      const userId = String(decoded.id);
+      const incomingJti = decoded.jti;
+
+      <% if (caching !== 'None') { %>
+      const cacheKey = `refresh_tokens:${userId}`;
+      let activeTokens = await cacheService.get(cacheKey) || [];
+      
+      if (!activeTokens.includes(incomingJti)) {
+        logger.warn(`Token theft detected for user ${userId}. Revoking all sessions.`);
+        await cacheService.del(cacheKey);
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid session' });
+      }
+
+      activeTokens = activeTokens.filter(t => t !== incomingJti);
+      const newRefreshToken = JwtService.generateRefreshToken({ id: userId, email: decoded.email });
+      const newRefreshJti = JwtService.decodeToken(newRefreshToken)?.jti;
+      const newAccessToken = JwtService.generateToken({ id: userId, email: decoded.email, sid: newRefreshJti });
+      
+      activeTokens.push(newRefreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <% } else { -%>
+      let activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      
+      if (!activeTokens.includes(incomingJti)) {
+        logger.warn(`Token theft detected for user ${userId}. Revoking all sessions.`);
+        JwtService.activeRefreshTokens.delete(userId);
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid session' });
+      }
+
+      activeTokens = activeTokens.filter(t => t !== incomingJti);
+      const newRefreshToken = JwtService.generateRefreshToken({ id: userId, email: decoded.email });
+      const newRefreshJti = JwtService.decodeToken(newRefreshToken)?.jti;
+      const newAccessToken = JwtService.generateToken({ id: userId, email: decoded.email, sid: newRefreshJti });
+      
+      activeTokens.push(newRefreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <% } %>
+      res.json({ accessToken: newAccessToken, refreshToken: newRefreshToken });
+    } catch (error) {
+      logger.error('Refresh token error:', error);
+      next(error);
+    }
+  }
+
+  async logout(req, res, next) {
+    try {
+      const authHeader = req.headers.authorization;
+      if (!authHeader) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'No token provided' });
+      }
+
+      const accessTokenStr = authHeader.split(' ')[1];
+      const decodedAccess = JwtService.decodeToken(accessTokenStr);
+      
+      if (decodedAccess && decodedAccess.jti && decodedAccess.exp) {
+        const remainingTime = Math.max(0, decodedAccess.exp - Math.floor(Date.now() / 1000));
+        <%_ if (caching !== 'None') { -%>
+        if (remainingTime > 0) {
+            await cacheService.set(`blacklist:${decodedAccess.jti}`, true, remainingTime);
+        }<%_ } else { -%>
+        if (remainingTime > 0) {
+            JwtService.blacklistedTokens.set(decodedAccess.jti, Date.now() + remainingTime * 1000);
+        }<%_ } -%>
+      }
+
+      const { refreshToken } = req.body;
+      if (refreshToken) {
+        const decodedRefresh = JwtService.decodeToken(refreshToken);
+        if (decodedRefresh && decodedRefresh.id && decodedRefresh.jti) {
+           const userId = String(decodedRefresh.id);
+           <%_ if (caching !== 'None') { -%>
+           const cacheKey = `refresh_tokens:${userId}`;
+           let activeTokens = await cacheService.get(cacheKey) || [];
+           activeTokens = activeTokens.filter(t => t !== decodedRefresh.jti);
+           await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+           <%_ } else { -%>
+           let activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+           activeTokens = activeTokens.filter(t => t !== decodedRefresh.jti);
+           JwtService.activeRefreshTokens.set(userId, activeTokens);<% } %>
+        }
+      }
+
+      res.json({ message: 'Logged out successfully' });
+    } catch (error) {
+      logger.error('Logout error:', error);
+      next(error);
+    }
+  }
+}
+
+module.exports = AuthController;

package/templates/common/auth/js/controllers/authController.spec.js.ejs

@@ -0,0 +1,148 @@
+<%_ if (architecture === 'Clean Architecture') { _%>
+const AuthController = require('@/interfaces/controllers/auth/authController');
+const JwtService = require('@/infrastructure/auth/jwtService');
+<%_ } else { _%>
+const AuthController = require('@/controllers/authController');
+const JwtService = require('@/services/jwtService');
+<%_ } _%>
+const HTTP_STATUS = require('@/utils/httpCodes');
+const bcrypt = require('bcryptjs');
+
+jest.mock('bcryptjs');
+<%_ if (architecture === 'Clean Architecture') { _%>
+jest.mock('@/infrastructure/auth/jwtService');
+jest.mock('@/infrastructure/database/models/User', () => ({
+    findOne: jest.fn()
+}));
+const User = require('@/infrastructure/database/models/User');
+<%_ } else { _%>
+jest.mock('@/services/jwtService');
+jest.mock('@/models/User', () => ({
+    findOne: jest.fn()
+}));
+const User = require('@/models/User');
+<%_ } _%>
+<%_ if (caching !== 'None') { _%>
+<%_ const cachePath = (architecture === "MVC") ? (caching === "Redis" ? "@/config/redisClient" : "@/config/memoryCache") : (caching === "Redis" ? "@/infrastructure/caching/redisClient" : "@/infrastructure/caching/memoryCache"); _%>
+jest.mock('<%= cachePath %>', () => ({
+    get: jest.fn(),
+    set: jest.fn(),
+    del: jest.fn()
+}), { virtual: true });
+const cacheService = require('<%= cachePath %>');
+<%_ } _%>
+
+describe('AuthController', () => {
+    let controller;
+    let mockReq;
+    let mockRes;
+    let next;
+
+    beforeEach(() => {
+        controller = new AuthController();
+        mockReq = {
+            body: {},
+            headers: {}
+        };
+        mockRes = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn()
+        };
+        next = jest.fn();
+        jest.clearAllMocks();
+    });
+
+    describe('login', () => {
+        it('should return tokens on success', async () => {
+            const user = { id: 1, email: 'test@test.com', password: 'hashedpassword' };
+            mockReq.body = { email: 'test@test.com', password: 'password123' };
+            User.findOne.mockResolvedValue(user);
+            bcrypt.compare.mockResolvedValue(true);
+            JwtService.generateToken.mockReturnValue('mock-access-token');
+            JwtService.generateRefreshToken.mockReturnValue('mock-refresh-token');
+            JwtService.decodeToken.mockReturnValue({ jti: 'test-jti' });
+
+            // Mock cacheService
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue([]);
+            cacheService.set.mockResolvedValue();<% } %>
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'test-jti' }));
+            expect(mockRes.json).toHaveBeenCalledWith({ token: 'mock-access-token', accessToken: 'mock-access-token', refreshToken: 'mock-refresh-token' });
+        });
+
+        it('should return 401 on invalid email', async () => {
+            mockReq.body = { email: 'wrong@test.com', password: 'password123' };
+            User.findOne.mockResolvedValue(null);
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+
+        it('should return 401 on invalid password', async () => {
+            const user = { id: 1, email: 'test@test.com', password: 'hashedpassword' };
+            mockReq.body = { email: 'test@test.com', password: 'wrongpassword' };
+            User.findOne.mockResolvedValue(user);
+            bcrypt.compare.mockResolvedValue(false);
+
+            await controller.login(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+    });
+
+    describe('refresh', () => {
+        it('should return new tokens for a valid refresh token', async () => {
+            mockReq.body = { refreshToken: 'valid-refresh' };
+            const decoded = { id: '1', email: 'test@test.com', jti: 'old-jti' };
+            JwtService.verifyRefreshToken.mockReturnValue(decoded);
+            JwtService.generateToken.mockReturnValue('new-access');
+            JwtService.generateRefreshToken.mockReturnValue('new-refresh');
+            JwtService.decodeToken.mockReturnValue({ jti: 'new-jti' });
+
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue(['old-jti']);
+            cacheService.set.mockResolvedValue();
+            <% } else { %>
+            JwtService.activeRefreshTokens.set('1', ['old-jti']);<% } %>
+
+            await controller.refresh(mockReq, mockRes, next);
+
+            expect(JwtService.generateToken).toHaveBeenCalledWith(expect.objectContaining({ sid: 'new-jti' }));
+            expect(mockRes.json).toHaveBeenCalledWith({ accessToken: 'new-access', refreshToken: 'new-refresh' });
+        });
+
+        it('should detect theft and revoke if jti is not active', async () => {
+            mockReq.body = { refreshToken: 'stolen-refresh' };
+            const decoded = { id: '1', email: 'test@test.com', jti: 'stolen-jti' };
+            JwtService.verifyRefreshToken.mockReturnValue(decoded);
+
+            <% if (caching !== 'None') { %>
+            cacheService.get.mockResolvedValue(['different-jti']);
+            <% } else { %>
+            JwtService.activeRefreshTokens.set('1', ['different-jti']);<% } %>
+
+            await controller.refresh(mockReq, mockRes, next);
+
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.UNAUTHORIZED);
+        });
+    });
+
+    describe('logout', () => {
+        it('should blacklist access jti and remove refresh jti', async () => {
+            mockReq.headers.authorization = 'Bearer access-token';
+            mockReq.body = { refreshToken: 'refresh-token' };
+            
+            JwtService.decodeToken
+                .mockReturnValueOnce({ jti: 'access-jti', exp: Math.floor(Date.now() / 1000) + 3600 })
+                .mockReturnValueOnce({ id: '1', jti: 'refresh-jti' });
+
+            await controller.logout(mockReq, mockRes, next);
+
+            expect(mockRes.json).toHaveBeenCalledWith({ message: 'Logged out successfully' });
+        });
+    });
+});

package/templates/common/auth/js/middleware/authMiddleware.js.ejs

@@ -0,0 +1,58 @@
+<% if (architecture === 'MVC') { -%>
+const JwtService = require('../services/jwtService');
+const HTTP_STATUS = require('../utils/httpCodes');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../config/redisClient<% } else { %>../config/memoryCache<% } %>');
+<% } -%>
+<% } else { -%>
+const JwtService = require('../../../infrastructure/auth/jwtService');
+const HTTP_STATUS = require('../../../utils/httpCodes');
+<% if (caching !== 'None') { -%>
+const cacheService = require('<% if (caching === "Redis") { %>../../../infrastructure/caching/redisClient<% } else { %>../../../infrastructure/caching/memoryCache<% } %>');
+<% } -%>
+<% } -%>
+
+const authMiddleware = async (req, res, next) => {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'No token provided' });
+  }
+
+  const token = authHeader.split(' ')[1];
+  const decoded = JwtService.verifyToken(token);
+
+  if (!decoded) {
+    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Invalid or expired token' });
+  }
+
+  if (decoded.jti) {
+    <%_ if (caching !== 'None') { -%>
+    const isBlacklisted = await cacheService.get(`blacklist:${decoded.jti}`);
+    if (isBlacklisted) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
+    }<%_ } else { -%>
+    const expiryDate = JwtService.blacklistedTokens.get(decoded.jti);
+    if (expiryDate && Date.now() < expiryDate) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
+    }<% } %>
+  }
+
+  if (decoded.sid) {
+    <%_ if (caching !== 'None') { %>
+    const cacheKey = `refresh_tokens:${decoded.id}`;
+    const activeTokens = await cacheService.get(cacheKey) || [];
+    if (!activeTokens.includes(decoded.sid)) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
+    }<%_ } else { -%>
+    const activeTokens = JwtService.activeRefreshTokens.get(String(decoded.id)) || [];
+    if (!activeTokens.includes(decoded.sid)) {
+      return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
+    }<%_ } -%>
+  }
+
+  req.user = decoded;
+  next();
+};
+
+module.exports = authMiddleware;