nodejs-quickstart-structure 2.1.2 → 2.2.1

package/templates/common/auth/ts/controllers/authController.ts.ejs

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import bcrypt from 'bcryptjs';
+import crypto from 'crypto';
 <% if (architecture === 'MVC') { -%>
 import User from '@/models/User';
 import { JwtService } from '@/services/jwtService';
@@ -7,6 +8,9 @@ import logger from '@/utils/logger';
 <% if (caching !== 'None') { -%>
 import cacheService from '<% if (caching === "Redis") { %>@/config/redisClient<% } else { %>@/config/memoryCache<% } %>';
 <% } -%>
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+import { SocialAuthService } from '@/services/socialAuthService';
+<% } -%>
 <% } else { -%>
 import User from '@/infrastructure/database/models/User';
 import { JwtService } from '@/infrastructure/auth/jwtService';
@@ -14,10 +18,24 @@ import logger from '@/infrastructure/log/logger';
 <% if (caching !== 'None') { -%>
 import cacheService from '<% if (caching === "Redis") { %>@/infrastructure/caching/redisClient<% } else { %>@/infrastructure/caching/memoryCache<% } %>';
 <% } -%>
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+import { SocialLoginUseCase } from '@/usecases/auth/socialLoginUseCase';
+import { GoogleProvider, GitHubProvider } from '@/infrastructure/auth/socialAuthService';
+import { UserRepository } from '@/infrastructure/repositories/UserRepository';
+<% } -%>
 <% } -%>
 import { HTTP_STATUS } from '@/utils/httpCodes';
 
 export class AuthController {
+  private setOAuthStateCookie(res: Response, state: string) {
+    res.cookie('oauth_state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 10 * 60 * 1000
+    });
+  }
+
   async login(req: Request, res: Response, next: NextFunction) {
     try {
       const { email, password } = req.body;
@@ -42,15 +60,16 @@ export class AuthController {
       const accessToken = JwtService.generateToken({ id: userId, email: user.email, sid: refreshJti });
       
       // Store refresh token
-      <%_ if (caching !== 'None') { -%>
+      <%_ if (caching !== 'None') { _%>
       const cacheKey = `refresh_tokens:${userId}`;
       const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
       activeTokens.push(refreshJti!);
       await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60); // 7 days
-      <%_ } else { -%>
+      <%_ } else { _%>
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti!);
-      JwtService.activeRefreshTokens.set(userId, activeTokens);<% } %>
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
 
       res.json({ token: accessToken, accessToken, refreshToken });
     } catch (error) {
@@ -74,7 +93,7 @@ export class AuthController {
       const userId = String(decoded.id);
       const incomingJti = decoded.jti;
 
-      <% if (caching !== 'None') { %>
+      <%_ if (caching !== 'None') { _%>
       const cacheKey = `refresh_tokens:${userId}`;
       let activeTokens = await cacheService.get<string[]>(cacheKey) || [];
       
@@ -93,7 +112,7 @@ export class AuthController {
       
       activeTokens.push(newRefreshJti!);
       await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
-      <% } else { %>
+      <%_ } else { _%>
       let activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       
       if (!activeTokens.includes(incomingJti)) {
@@ -110,7 +129,7 @@ export class AuthController {
       
       activeTokens.push(newRefreshJti!);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <% } %>
+      <%_ } _%>
       res.json({ accessToken: newAccessToken, refreshToken: newRefreshToken });
     } catch (error) {
       logger.error('Refresh token error:', error);
@@ -146,15 +165,16 @@ export class AuthController {
         const decodedRefresh = JwtService.decodeToken(refreshToken);
         if (decodedRefresh && decodedRefresh.id && decodedRefresh.jti) {
            const userId = String(decodedRefresh.id);
-           <%_ if (caching !== 'None') { -%>
+           <%_ if (caching !== 'None') { _%>
            const cacheKey = `refresh_tokens:${userId}`;
            let activeTokens = await cacheService.get<string[]>(cacheKey) || [];
            activeTokens = activeTokens.filter(t => t !== decodedRefresh.jti);
            await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
-           <% } else { %>
+           <%_ } else { _%>
            let activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
            activeTokens = activeTokens.filter(t => t !== decodedRefresh.jti);
-           JwtService.activeRefreshTokens.set(userId, activeTokens);<% } %>
+           JwtService.activeRefreshTokens.set(userId, activeTokens);
+           <%_ } _%>
         }
       }
 
@@ -164,4 +184,345 @@ export class AuthController {
       next(error);
     }
   }
+
+<% if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { -%>
+  async socialExchange(req: Request, res: Response, next: NextFunction) {
+    try {
+      const { code, provider, redirectUri } = req.body;
+      if (!code || !provider) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Code and provider are required' });
+      }
+
+      if (!['Google', 'GitHub'].includes(provider)) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Invalid social provider' });
+      }
+
+      <% if (architecture === 'Clean Architecture') { -%>
+      let useCase: SocialLoginUseCase | undefined;
+      const userRepository = new UserRepository();
+      <%_ if (socialAuth.includes('Google')) { _%>
+      if (provider === 'Google') useCase = new SocialLoginUseCase(new GoogleProvider(), userRepository);
+      <%_ } _%>
+      <%_ if (socialAuth.includes('GitHub')) { _%>
+      if (provider === 'GitHub') useCase = new SocialLoginUseCase(new GitHubProvider(), userRepository);
+      <%_ } _%>
+
+      if (!useCase) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Invalid social provider' });
+      }
+
+      const { user, accessToken, refreshToken } = await useCase.execute(code, redirectUri);
+      const userId = String(user.id || ((user as unknown) as { _id?: string | number })._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.json({ token: accessToken, accessToken, refreshToken });
+      <% } else { -%>
+      let profile;
+<%_ if (socialAuth.includes('Google')) { _%>
+      if (provider === 'Google') {
+        profile = await SocialAuthService.getGoogleProfile(code, redirectUri);
+      }
+<%_ } _%>
+<%_ if (socialAuth.includes('GitHub')) { _%>
+      if (provider === 'GitHub') {
+        profile = await SocialAuthService.getGithubProfile(code);
+      }
+<%_ } _%>
+
+      if (!profile) {
+        return res.status(HTTP_STATUS.BAD_REQUEST).json({ message: 'Invalid social provider' });
+      }
+
+      if (!profile || !profile.email) {
+        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Failed to retrieve profile from provider' });
+      }
+
+      <%_ if (database === 'MongoDB' || database === 'None') { -%>
+      let user = await User.findOne({ email: profile.email });
+      <%_ } else { -%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <%_ } -%>
+
+      if (!user) {
+        <%_ if (database === 'MongoDB' || database === 'None') { -%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          <%_ if (socialAuth.includes('Google')) { _%>
+          googleId: provider === 'Google' ? profile.id : null,
+          <%_ } _%>
+          <%_ if (socialAuth.includes('GitHub')) { _%>
+          githubId: provider === 'GitHub' ? profile.id : null,
+          <%_ } _%>
+        });
+        await (user as unknown as { save: () => Promise<void> }).save();
+        <%_ } else { _%>
+        user = await User.create({
+          email: profile.email,
+          name: profile.name,
+          password: null,
+          <%_ if (socialAuth.includes('Google')) { _%>
+          googleId: provider === 'Google' ? profile.id : null,
+          <%_ } _%>
+          <%_ if (socialAuth.includes('GitHub')) { _%>
+          githubId: provider === 'GitHub' ? profile.id : null,
+          <%_ } _%>
+        }) as unknown as User;
+        <%_ } _%>
+      }
+      
+      const activeUser = user!; 
+      const userId = String(activeUser.id || ((activeUser as unknown) as { _id?: string | number })._id);
+      
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: activeUser.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: activeUser.email, sid: refreshJti });
+      
+      // Store refresh token
+      <%_ if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.json({ token: accessToken, accessToken, refreshToken });
+      <%_ } _%>
+    } catch (error) {
+      logger.error('Social exchange error:', error);
+      next(error);
+    }
+  }
+
+<% if (socialAuth.includes('Google')) { -%>
+  async googleLogin(req: Request, res: Response) {
+    const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
+    const options = {
+      redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
+      client_id: process.env.GOOGLE_CLIENT_ID!,
+      access_type: 'offline',
+      response_type: 'code',
+      prompt: 'consent',
+      scope: [
+        'https://www.googleapis.com/auth/userinfo.profile',
+        'https://www.googleapis.com/auth/userinfo.email',
+      ].join(' '),
+      state: state
+    };
+    const qs = new URLSearchParams(options);
+    res.redirect(`${rootUrl}?${qs.toString()}`);
+  }
+
+  async googleCallback(req: Request, res: Response, next: NextFunction) {
+    try {
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
+      const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
+
+      <%_ if (architecture === 'Clean Architecture') { _%>
+      const useCase = new SocialLoginUseCase(new GoogleProvider(), new UserRepository());
+      const { user, accessToken, refreshToken } = await useCase.execute(code as string, redirectUri);
+      const userId = String(user.id || ((user as unknown) as { _id?: string | number })._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } else { _%>
+      const profile = await SocialAuthService.getGoogleProfile(code as string, redirectUri);
+      
+      <% if (database === 'MongoDB' || database === 'None') { -%>
+      let user = await User.findOne({ email: profile.email });
+      <% } else { -%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <% } -%>
+
+      if (!user) {
+        <%_ if (database === 'MongoDB' || database === 'None') { -%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          googleId: profile.id
+        });
+        <%_ } else { -%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          googleId: profile.id
+        }) as unknown as User;
+        <%_ } -%>
+      }
+
+      const activeUser = user!;
+      const userId = String(activeUser.id || ((activeUser as unknown) as { _id?: string | number })._id);
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: activeUser.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: activeUser.email, sid: refreshJti });
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } _%>
+    } catch (error) {
+      logger.error('Google callback error:', error);
+      res.redirect('/login?error=social_auth_failed');
+    }
+  }
+<% } -%>
+
+<% if (socialAuth.includes('GitHub')) { -%>
+  async githubLogin(req: Request, res: Response) {
+    const rootUrl = 'https://github.com/login/oauth/authorize';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
+    const options = {
+      client_id: process.env.GITHUB_CLIENT_ID!,
+      redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
+      scope: 'user:email',
+      state: state
+    };
+    const qs = new URLSearchParams(options);
+    res.redirect(`${rootUrl}?${qs.toString()}`);
+  }
+
+  async githubCallback(req: Request, res: Response, next: NextFunction) {
+    try {
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
+      <%_ if (architecture === 'Clean Architecture') { _%>
+      const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());
+      const { user, accessToken, refreshToken } = await useCase.execute(code as string);
+      const userId = String(user.id || ((user as unknown) as { _id?: string | number })._id);
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { _%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { _%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } else { _%>
+      const profile = await SocialAuthService.getGithubProfile(code as string);
+      
+      <% if (database === 'MongoDB' || database === 'None') { -%>
+      let user = await User.findOne({ email: profile.email });
+      <% } else { -%>
+      let user = await User.findOne({ where: { email: profile.email } });
+      <% } -%>
+
+      if (!user) {
+        <%_ if (database === 'MongoDB' || database === 'None') { -%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          githubId: profile.id
+        });
+        <%_ } else { -%>
+        user = await User.create({ 
+          email: profile.email, 
+          name: profile.name, 
+          password: null,
+          githubId: profile.id
+        }) as unknown as User;
+        <%_ } _%>
+      }
+
+      const activeUser = user!;
+      const userId = String(activeUser.id || ((activeUser as unknown) as { _id?: string | number })._id);
+      const refreshToken = JwtService.generateRefreshToken({ id: userId, email: activeUser.email });
+      const refreshJti = JwtService.decodeToken(refreshToken)?.jti;
+      const accessToken = JwtService.generateToken({ id: userId, email: activeUser.email, sid: refreshJti });
+
+      // Store refresh token
+      <%_ if (caching !== 'None') { -%>
+      const cacheKey = `refresh_tokens:${userId}`;
+      const activeTokens = await cacheService.get<string[]>(cacheKey) || [];
+      activeTokens.push(refreshJti!);
+      await cacheService.set(cacheKey, activeTokens, 7 * 24 * 60 * 60);
+      <%_ } else { -%>
+      const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
+      activeTokens.push(refreshJti!);
+      JwtService.activeRefreshTokens.set(userId, activeTokens);
+      <%_ } _%>
+
+      res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
+      res.redirect('/');
+      <%_ } _%>
+    } catch (error) {
+      logger.error('GitHub callback error:', error);
+      res.redirect('/login?error=social_auth_failed');
+    }
+  }
+<% } -%>
+<% } -%>
 }

package/templates/common/auth/ts/middleware/authMiddleware.ts.ejs

@@ -31,27 +31,31 @@ export const authMiddleware = async (req: CustomRequest, res: Response, next: Ne
   }
 
   if (decoded.jti) {
-    <%_ if (caching !== 'None') { -%>
+    <%_ if (caching !== 'None') { _%>
     const isBlacklisted = await cacheService.get(`blacklist:${decoded.jti}`);
     if (isBlacklisted) {
       return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
-    }<%_ } else { -%>
+    }
+    <%_ } else { _%>
     const expiryDate = JwtService.blacklistedTokens.get(decoded.jti);
     if (expiryDate && Date.now() < expiryDate) {
       return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Token revoked' });
-    }<% } %>
+    }
+    <%_ } _%>
   }
 
   if (decoded.sid) {
-    <%_ if (caching !== 'None') { -%>
+    <%_ if (caching !== 'None') { _%>
     const activeTokens = await cacheService.get<string[]>(`refresh_tokens:${decoded.id}`) || [];
     if (!activeTokens.includes(decoded.sid)) {
       return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
-    }<%_ } else { -%>
+    }
+    <%_ } else { _%>
     const activeTokens = JwtService.activeRefreshTokens.get(String(decoded.id)) || [];
     if (!activeTokens.includes(decoded.sid)) {
       return res.status(HTTP_STATUS.UNAUTHORIZED).json({ message: 'Session expired' });
-    }<% } %>
+    }
+    <%_ } _%>
   }
 
   req.user = decoded;

package/templates/common/auth/ts/routes/authRoutes.ts.ejs

@@ -16,5 +16,16 @@ const authController = new AuthController();
 router.post('/login', (req, res, next) => authController.login(req, res, next));
 router.post('/refresh', (req, res, next) => authController.refresh(req, res, next));
 router.post('/logout', authMiddleware, (req, res, next) => authController.logout(req, res, next));
+<%_ if (socialAuth && socialAuth.filter(a => a !== 'None').length > 0) { _%>
+router.post('/social/exchange', (req, res, next) => authController.socialExchange(req, res, next));
+<%_ if (socialAuth.includes('Google')) { _%>
+router.get('/google', (req, res) => authController.googleLogin(req, res));
+router.get('/google/callback', (req, res, next) => authController.googleCallback(req, res, next));
+<%_ } _%>
+<%_ if (socialAuth.includes('GitHub')) { _%>
+router.get('/github', (req, res) => authController.githubLogin(req, res));
+router.get('/github/callback', (req, res, next) => authController.githubCallback(req, res, next));
+<%_ } _%>
+<%_ } _%>
 
 export default router;

package/templates/common/auth/ts/services/jwtService.spec.ts.ejs

@@ -63,6 +63,12 @@ describe('JwtService', () => {
       expect(jwt.verify).toHaveBeenCalledWith(token, secret);
       expect(result).toEqual(payload);
     });
+
+    it('should return null for an invalid token', () => {
+      (jwt.verify as jest.Mock).mockImplementation(() => { throw new Error('Invalid token'); });
+      const result = JwtService.verifyToken(token);
+      expect(result).toBeNull();
+    });
   });
 
   describe('verifyRefreshToken', () => {
@@ -74,6 +80,12 @@ describe('JwtService', () => {
       expect(jwt.verify).toHaveBeenCalledWith(token, refreshSecret);
       expect(result).toEqual(payload);
     });
+
+    it('should return null for an invalid refresh token', () => {
+      (jwt.verify as jest.Mock).mockImplementation(() => { throw new Error('Invalid token'); });
+      const result = JwtService.verifyRefreshToken(token);
+      expect(result).toBeNull();
+    });
   });
 
   describe('decodeToken', () => {
@@ -85,5 +97,11 @@ describe('JwtService', () => {
       expect(jwt.decode).toHaveBeenCalledWith(token);
       expect(result).toEqual(payload);
     });
+
+    it('should return null if decode fails', () => {
+      (jwt.decode as jest.Mock).mockImplementation(() => { throw new Error('Decode failed'); });
+      const result = JwtService.decodeToken(token);
+      expect(result).toBeNull();
+    });
   });
 });

package/templates/common/auth/ts/services/jwtService.ts.ejs

@@ -33,7 +33,7 @@ export class JwtService {
   static verifyToken(token: string): JwtPayload | null {
     try {
       return jwt.verify(token, this.SECRET) as JwtPayload;
-    } catch {
+    } catch (error) {
       return null;
     }
   }
@@ -41,7 +41,7 @@ export class JwtService {
   static verifyRefreshToken(token: string): JwtPayload | null {
     try {
       return jwt.verify(token, this.REFRESH_SECRET) as JwtPayload;
-    } catch {
+    } catch (error) {
       return null;
     }
   }
@@ -49,7 +49,7 @@ export class JwtService {
   static decodeToken(token: string): JwtPayload | null {
     try {
       return jwt.decode(token) as JwtPayload;
-    } catch {
+    } catch (error) {
       return null;
     }
   }