nodejs-quickstart-structure 2.1.2 → 2.2.0

package/templates/common/.env.example.ejs

@@ -45,4 +45,14 @@ JWT_SECRET=your_jwt_secret_key_here_change_it
 JWT_REFRESH_SECRET=your_jwt_refresh_secret_key_here_change_it
 JWT_EXPIRES_IN=15m
 JWT_REFRESH_EXPIRES_IN=7d
+<%_ if (socialAuth && socialAuth.includes('Google')) { -%>
+GOOGLE_CLIENT_ID=your_google_client_id
+GOOGLE_CLIENT_SECRET=your_google_client_secret
+GOOGLE_CALLBACK_URL=http://localhost:3000/api/auth/google/callback
+<%_ } -%>
+<%_ if (socialAuth && socialAuth.includes('GitHub')) { -%>
+GITHUB_CLIENT_ID=your_github_client_id
+GITHUB_CLIENT_SECRET=your_github_client_secret
+GITHUB_CALLBACK_URL=http://localhost:3000/api/auth/github/callback
+<%_ } -%>
 <% } -%>

package/templates/common/README.md.ejs

@@ -13,7 +13,7 @@ This project follows a strict **7-Step Production-Ready Process** to ensure qual
 
 ---
 
-## 🚀 7-Step Production-Ready Process
+## 7-Step Production-Ready Process
 
 1.  **Initialize Git**: `git init` (Required for Husky hooks and security gates).
 2.  **Install Dependencies**: `npm install`.
@@ -25,7 +25,7 @@ This project follows a strict **7-Step Production-Ready Process** to ensure qual
 
 ---
 
-## 🚀 Key Features
+## Key Features
 
 -   **Architecture**: <%= architecture %> (<% if (architecture === 'Clean Architecture') { %>Domain, UseCases, Infrastructure<% } else { %>MVC Pattern<% } %>).
 -   **Database**: <%= database %> <% if (database !== 'None') { %>(via <%= database === 'MongoDB' ? 'Mongoose' : 'Sequelize' %>)<% } %>.
@@ -157,20 +157,71 @@ API is exposed via **REST**.
 A Swagger UI for API documentation is available at:
 - **URL**: `http://localhost:3000/api-docs` (Dynamic based on PORT)
 
-### 🛣️ User Endpoints:
+### User Endpoints:
 - `GET /api/users`: List all users.
 - `GET /api/users/:id`: Get a user by ID.
 - `POST /api/users`: Create a new user.
 - `PATCH /api/users/:id`: Partially update a user.
 - `DELETE /api/users/:id`: Delete a user (Soft Delete).
 <%_ if (auth.includes('JWT')) { %>
-### 🔐 Auth Endpoints:
+### Auth Endpoints:
 - `POST /api/auth/login`: Exchange credentials for a short-lived `accessToken` and a long-lived `refreshToken`.
 - `POST /api/auth/refresh`: Submit a `refreshToken` to receive a new pair of tokens. (Includes theft-detection logic).
 - `POST /api/auth/logout`: Revoke (blacklist) the active `accessToken` and delete the `refreshToken`.
 - `POST /api/users`: Acts as Sign Up when password is provided.
+<%_ if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { _%>
+### Social Authentication Flows
+
+This project supports two distinct social authentication flows:
+
+#### 1. The Redirection Flow (Best for MVC/Web)
+Standard OAuth2 flow using browser redirects.
+- **Start**: `GET /api/auth/google` (or `/github`)
+- **Callback**: Handled automatically by the backend via `/google/callback`.
+- **Result**: User is logged in and redirected to home; `accessToken` and `refreshToken` are securely saved as **HttpOnly cookies** in the browser.
+- **Callback URL**: `http://localhost:3000/api/auth/google/callback` (Standardized for both MVC and Clean Architecture).
+
+  > [!TIP]
+  > **Testing in Swagger**: The "Execute" button in Swagger UI will show a "Failed to fetch" error for this route because browsers block redirects to external domains (like Google) inside AJAX requests. To test this, simply open `http://localhost:3000/api/auth/google` directly in your browser tab.
+
+#### 2. The Exchange Flow (Best for SPAs/Mobile Apps)
+A headless flow where the client provides the OAuth code.
+- **API**: `POST /api/auth/social/exchange`
+- **Body**: `{ "code": "AUTH_CODE", "provider": "Google" }`
+- **Result**: Returns JWT tokens (`accessToken`, `refreshToken`) in the JSON response.
+
+---
+<%_ } _%>
   *Note: To access protected user endpoints (GET/PATCH/DELETE), include `Authorization: Bearer <your_accessToken>` in the headers.*
 <% } -%>
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+### Social Authentication Setup
+To use social login, you must configure the following in your `.env`:
+
+#### Callback URL Configuration
+For the best practice standardized API structure, you **must** configure the Redirect URIs in your developer portals (Google/GitHub) as follows:
+
+| Provider | Redirect URI (Callback URL) |
+| :--- | :--- |
+| **Google** | `http://localhost:3000/api/auth/google/callback` |
+| **GitHub** | `http://localhost:3000/api/auth/github/callback` |
+
+> [!IMPORTANT]
+> This standardized path works for both **MVC** and **Clean Architecture** templates.
+
+#### <% if (socialAuth.includes('Google')) { %>1. Google Integration<% } %>
+1. Go to [Google Cloud Console](https://console.cloud.google.com/).
+2. Create/Select a project and go to **APIs & Services > Credentials**.
+3. Create an **OAuth client ID** for a **Web application**.
+4. Add Redirect URI: `http://localhost:3000/api/auth/google/callback`.
+5. Set `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, and `GOOGLE_CALLBACK_URL` in `.env`.
+
+#### <% if (socialAuth.includes('GitHub')) { %>2. GitHub Integration<% } %>
+1. Go to [GitHub Developer Settings](https://github.com/settings/developers).
+2. Register a **New OAuth App**.
+3. Set Callback URL: `http://localhost:3000/api/auth/github/callback`.
+4. Set `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, and `GITHUB_CALLBACK_URL` in `.env`.
+<% } -%>
 <% } -%>
 <% if (communication === 'Kafka') { -%>
 ## 📡 Testing Kafka Asynchronous Flow
@@ -212,10 +263,10 @@ curl -X PATCH http://localhost:3000/api/users/1 \
 ```text
 [Kafka] Producer: Sent USER_CREATED event for 'kafka@example.com'
 [Kafka] Consumer: Received USER_CREATED. 
-[Kafka] Consumer: 📧 Sending welcome email to 'kafka@example.com'... Done!
+[Kafka] Consumer: Sending welcome email to 'kafka@example.com'... Done!
 ```
 
-### 🛠️ Kafka Troubleshooting
+### Kafka Troubleshooting
 If the connection or events are failing:
 1. **Check Docker**: Ensure Kafka container is running (`docker ps`).
 2. **Verify Broker**: `KAFKA_BROKER` in `.env` must match your host/port (standard: 9093).
@@ -224,24 +275,24 @@ If the connection or events are failing:
 <% } -%>
 
 <% if (caching === 'Redis') { -%>
-## ⚡ Caching
+## Caching
 This project uses **Redis** for caching.
 - **Client**: `ioredis`
 - **Connection**: Configured via `REDIS_HOST`, `REDIS_PORT`, `REDIS_PASSWORD` in `.env`.
 <% } else if (caching === 'Memory Cache') { -%>
-## ⚡ Caching
+## Caching
 This project uses **Memory Cache** for in-memory caching.
 - **Client**: `node-cache`
 <% } -%>
 
-## 📝 Logging
+## Logging
 This project uses **Winston** for structured logging.
 - **Development**: Logs are printed to the console.
 - **Production**: Logs are saved to files:
   - `error.log`: Only error level logs.
   - `combined.log`: All logs.
 
-## 🐳 Docker Deployment
+## Docker Deployment
 This project uses a **Multi-Stage Dockerfile** for optimized production images.
 
 <% if (database !== 'None' || caching === 'Redis' || communication === 'Kafka') { -%>
@@ -288,7 +339,7 @@ docker build -t <%= projectName %> .
 docker run -p 3000:3000 <%= projectName %>
 ```
 <% } -%>
-## 🚀 PM2 Deployment (VPS/EC2)
+## PM2 Deployment (VPS/EC2)
 This project is pre-configured for direct deployment to a VPS/EC2 instance using **PM2** (via `ecosystem.config.js`).
 1. Install dependencies
 ```bash
@@ -324,17 +375,17 @@ docker-compose down
 -   **Rate Limiting**: Protects against DDoS / Brute-force.
 -   **HPP**: Prevents HTTP Parameter Pollution attacks.
 <% if (includeSecurity) { %>
-### 🛡️ Enterprise Hardening (Big Tech Standard)
+### Enterprise Hardening (Big Tech Standard)
 -   **Snyk SCA**: Run `npm run snyk:test` for dependency scanning.
 -   **SonarCloud**: Automated SAST on every Push/PR.
 -   **Digital Guardians**: Recommended Gitleaks integration for secret protection.
 -   **Security Policy**: Standard `SECURITY.md` for vulnerability reporting.
 <% } %>
-## 🤖 AI-Native Development
+## AI-Native Development
 
 This project is "AI-Ready" out of the box. We have pre-configured industry-leading AI context files to bridge the gap between "Generated Code" and "AI-Assisted Development."
 
 - **Magic Defaults**: We've automatically tailored your AI context to focus on **<%= projectName %>** and its specific architectural stack (<%= architecture %>, <%= database %>, etc.).
 - **Use Cursor?** We've configured **`.cursorrules`** at the root. It enforces project standards (80% coverage, MVC/Clean) directly within the editor. 
-  - *Pro-tip*: You can customize the `Project Goal` placeholder in `.cursorrules` to help the AI understand your specific business logic!
+- *Pro-tip*: You can customize the `Project Goal` placeholder in `.cursorrules` to help the AI understand your specific business logic!
 - **Use ChatGPT/Gemini/Claude?** Check the **`prompts/`** directory. It contains highly-specialized Agent Skill templates. You can copy-paste these into any LLM to give it a "Senior Developer" understanding of your codebase immediately.

package/templates/common/auth/js/controllers/authController.js.ejs

@@ -1,19 +1,27 @@
 const bcrypt = require('bcryptjs');
-<% if (architecture === 'MVC') { -%>
+<%_ if (architecture === 'MVC') { _%>
 const User = require('../models/User');
 const JwtService = require('../services/jwtService');
-<% if (caching !== 'None') { -%>
+<%_ if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { _%>
+const { SocialAuthService } = require('../services/socialAuthService');
+<%_ } _%>
+<%_ if (caching !== 'None') { _%>
 const cacheService = require('<% if (caching === "Redis") { %>../config/redisClient<% } else { %>../config/memoryCache<% } %>');
-<% } -%>
+<%_ } _%>
 const logger = require('../utils/logger');
-<% } else { -%>
+<%_ } else { _%>
 const User = require('../../../infrastructure/database/models/User');
 const JwtService = require('../../../infrastructure/auth/jwtService');
-<% if (caching !== 'None') { -%>
+<%_ if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { _%>
+const { SocialLoginUseCase } = require('../../../usecases/auth/socialLoginUseCase');
+const { GoogleProvider, GitHubProvider } = require('../../../infrastructure/auth/socialAuthService');
+const UserRepository = require('../../../infrastructure/repositories/UserRepository');
+<%_ } _%>
+<%_ if (caching !== 'None') { _%>
 const cacheService = require('<% if (caching === "Redis") { %>../../../infrastructure/caching/redisClient<% } else { %>../../../infrastructure/caching/memoryCache<% } %>');
-<% } -%>
+<%_ } _%>
 const logger = require('../../../infrastructure/log/logger');
-<% } -%>
+<%_ } _%>
 const HTTP_STATUS = require('<% if (architecture === "MVC") { %>../utils/httpCodes<% } else { %>../../../utils/httpCodes<% } %>');
 
 class AuthController {
@@ -21,6 +29,17 @@ class AuthController {
     this.login = this.login.bind(this);
     this.refresh = this.refresh.bind(this);
     this.logout = this.logout.bind(this);
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+    this.socialExchange = this.socialExchange.bind(this);
+<% if (socialAuth.includes('Google')) { -%>
+    this.googleLogin = this.googleLogin.bind(this);
+    this.googleCallback = this.googleCallback.bind(this);
+<% } -%>
+<% if (socialAuth.includes('GitHub')) { -%>
+    this.githubLogin = this.githubLogin.bind(this);
+    this.githubCallback = this.githubCallback.bind(this);
+<% } -%>
+<% } -%>
   }
 
   async login(req, res, next) {
@@ -45,16 +64,16 @@ class AuthController {
       const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
       const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
 
-<%_ if (caching !== 'None') { -%>
+<%_ if (caching !== 'None') { _%>
       const cacheKey = `refresh_tokens:${userId}`;
       const activeTokens = await cacheService.get(cacheKey) || [];
       activeTokens.push(refreshJti);
       await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
-<% } else { %>
+<%_ } else { _%>
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-<%_ } -%>
+<%_ } _%>
 
       res.json({ token: accessToken, accessToken, refreshToken });
     } catch (error) {
@@ -78,7 +97,7 @@ class AuthController {
       const userId = String(decoded.id);
       const incomingJti = decoded.jti;
 
-<%_ if (caching !== 'None') { -%>
+<%_ if (caching !== 'None') { _%>
       const cacheKey = `refresh_tokens:${userId}`;
       let activeTokens = await cacheService.get(cacheKey) || [];
       
@@ -95,7 +114,7 @@ class AuthController {
       
       activeTokens.push(newRefreshJti);
       await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
-<% } else { %>
+<%_ } else { _%>
       let activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       
       if (!activeTokens.includes(incomingJti)) {
@@ -111,7 +130,7 @@ class AuthController {
       
       activeTokens.push(newRefreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-<%_ } -%>
+<%_ } _%>
       res.json({ accessToken: newAccessToken, refreshToken: newRefreshToken });
     } catch (error) {
       logger.error('Refresh token error:', error);
@@ -165,6 +184,300 @@ class AuthController {
       next(error);
     }
   }
+
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+  async socialExchange(req, res, next) {
+    try {
+      const { code, provider, redirectUri } = req.body;
+      if (!code || !provider) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Code and provider are required' });
+      }
+
+      <% if (architecture === 'Clean Architecture') { -%>
+      let useCase;
+      const userRepository = new UserRepository();
+      <% if (socialAuth.includes('Google')) { -%>
+      if (provider === 'Google') useCase = new SocialLoginUseCase(new GoogleProvider(), userRepository);
+      <% } -%>
+      <% if (socialAuth.includes('GitHub')) { -%>
+      if (provider === 'GitHub') useCase = new SocialLoginUseCase(new GitHubProvider(), userRepository);
+      <% } -%>
+
+      if (!useCase) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Invalid social provider' });
+      }
+
+      const { user, accessToken, refreshToken } = await useCase.execute(code, redirectUri);
+      const userId = String(user.id || user._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <% if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <% } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <% } -%>
+
+      res.json({ token: accessToken, accessToken, refreshToken });
+      <% } else { -%>
+      let profile;
+<% if (socialAuth.includes('Google')) { -%>
+      if (provider === 'Google') {
+        profile = await SocialAuthService.getGoogleProfile(code, redirectUri);
+      }
+<% } -%>
+<% if (socialAuth.includes('GitHub')) { -%>
+      if (provider === 'GitHub') {
+        profile = await SocialAuthService.getGithubProfile(code);
+      }
+<% } -%>
+
+      if (!profile) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Invalid social provider' });
+      }
+
+      if (!profile || !profile.email) {
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Failed to retrieve profile from provider' });
+      }
+
+      <%_ if (database === 'MongoDB' || database === 'None') { _%>
+      let user = await User.findOne({ email: profile.email });
+      <%_ } else { _%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <%_ } _%>
+
+      if (!user) {
+        // Create new user without password
+        <%_ if (database === 'MongoDB' || database === 'None') { _%>
+        user = await User.create({ email: profile.email, name: profile.name, password: null });
+        <%_ if (socialAuth.includes('Google')) { _%>
+        if (provider === 'Google') user.googleId = profile.id;
+        <%_ } _%>
+        <%_ if (socialAuth.includes('GitHub')) { _%>
+        if (provider === 'GitHub') user.githubId = profile.id;
+        <%_ } _%>
+        await user.save();
+        <%_ } else { _%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          <%_ if (socialAuth.includes('Google')) { _%>
+          googleId: provider === 'Google' ? profile.id : null,
+          <%_ } _%>
+          <%_ if (socialAuth.includes('GitHub')) { _%>
+          githubId: provider === 'GitHub' ? profile.id : null,
+          <%_ } _%>
+        });
+        <%_ } _%>
+      }
+
+      const userId = String(user.id || user._id);
+      
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: user.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
+      
+      // Store refresh token
+      <%_ if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.json({ token: accessToken, accessToken, refreshToken });
+      <%_ } _%>
+    } catch (error) {
+      logger.error('Social exchange error:', error);
+      next(error);
+    }
+  }
+<% } -%>
+
+<% if (socialAuth.includes('Google')) { -%>
+  async googleLogin(req, res) {
+    const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const options = {
+      redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
+      client_id: process.env.GOOGLE_CLIENT_ID,
+      access_type: 'offline',
+      response_type: 'code',
+      prompt: 'consent',
+      scope: [
+        'https://www.googleapis.com/auth/userinfo.profile',
+        'https://www.googleapis.com/auth/userinfo.email',
+      ].join(' '),
+      state: 'google'
+    };
+    const qs = new URLSearchParams(options);
+    res.redirect(`${rootUrl}?${qs.toString()}`);
+  }
+
+  async googleCallback(req, res, next) {
+    try {
+      const { code } = req.query;
+      const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
+
+      <%_ if (architecture === 'Clean Architecture') { _%>
+      const useCase = new SocialLoginUseCase(new GoogleProvider(), new UserRepository());
+      const { user, accessToken, refreshToken } = await useCase.execute(code, redirectUri);
+      const userId = String(user.id || user._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } else { _%>
+      const profile = await SocialAuthService.getGoogleProfile(code, redirectUri);
+      
+      <%_ if (database === 'MongoDB' || database === 'None') { -%>
+      let user = await User.findOne({ email: profile.email });
+      <%_ } else { -%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <%_ } -%>
+
+      if (!user) {
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          googleId: profile.id
+        });
+      }
+
+      const userId = String(user.id || user._id);
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: user.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } _%>
+    } catch (error) {
+      logger.error('Google callback error:', error);
+      res.redirect('/login?error=social_auth_failed');
+    }
+  }
+<% } -%>
+
+<% if (socialAuth.includes('GitHub')) { -%>
+  async githubLogin(req, res) {
+    const rootUrl = 'https://github.com/login/oauth/authorize';
+    const options = {
+      client_id: process.env.GITHUB_CLIENT_ID,
+      redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
+      scope: 'user:email',
+      state: 'github'
+    };
+    const qs = new URLSearchParams(options);
+    res.redirect(`${rootUrl}?${qs.toString()}`);
+  }
+
+  async githubCallback(req, res, next) {
+    try {
+      const { code } = req.query;
+
+      <%_ if (architecture === 'Clean Architecture') { _%>
+      const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());
+      const { user, accessToken, refreshToken } = await useCase.execute(code);
+      const userId = String(user.id || user._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } else { _%>
+      const profile = await SocialAuthService.getGithubProfile(code);
+      
+      <%_ if (database === 'MongoDB' || database === 'None') { -%>
+      let user = await User.findOne({ email: profile.email });
+      <%_ } else { -%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <%_ } -%>
+
+      if (!user) {
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          githubId: profile.id
+        });
+      }
+
+      const userId = String(user.id || user._id);
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: user.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get(cacheKey) || [];
+      activeTokens.push(refreshJti);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } _%>
+    } catch (error) {
+      logger.error('GitHub callback error:', error);
+      res.redirect('/login?error=social_auth_failed');
+    }
+  }
+<% } -%>
 }
 
 module.exports = AuthController;