nodejs-quickstart-structure 2.2.0 → 2.2.1

package/CHANGELOG.md

@@ -1,4 +1,13 @@
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+ 
+## [2.2.1] - 2026-05-12
+
+### Added
+- **Secure OAuth CSRF Protection**: Implemented robust state-validation using cryptographically secure random tokens and `HttpOnly` cookies to mitigate CSRF attacks in social authentication flows.
+- **Improved CLI Robustness**: Enhanced argument parsing to support comma-separated strings for variadic flags like `--social-auth` and `--auth`.
+
+### Fixed
+- **Architectural Parity & Type Safety**: Standardized `HTTP_STATUS.FORBIDDEN` across all templates and resolved TypeScript type inference issues (`never` type) in generated Clean Architecture controllers.
 
 ## [2.2.0] - 2026-05-05
 

package/lib/prompts.js

@@ -139,7 +139,9 @@ export const getProjectDetails = async (options = {}) => {
 
     // Normalize auth to array if it's a string from the options
     if (typeof result.auth === 'string') {
-        result.auth = [result.auth];
+        result.auth = result.auth.split(',').map(s => s.trim());
+    } else if (Array.isArray(result.auth)) {
+        result.auth = result.auth.flatMap(s => s.split(',').map(ss => ss.trim()));
     }
 
     // Map friendly CLI strings to actual values
@@ -162,7 +164,9 @@ export const getProjectDetails = async (options = {}) => {
 
     // Normalize socialAuth to array from options
     if (typeof result.socialAuth === 'string') {
-        result.socialAuth = [result.socialAuth];
+        result.socialAuth = result.socialAuth.split(',').map(s => s.trim());
+    } else if (Array.isArray(result.socialAuth)) {
+        result.socialAuth = result.socialAuth.flatMap(s => s.split(',').map(ss => ss.trim()));
     }
 
     // Default socialAuth if not provided

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodejs-quickstart-structure",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "type": "module",
   "description": "The ultimate nodejs quickstart structure CLI to scaffold Node.js microservices with MVC or Clean Architecture",
   "main": "bin/index.js",

package/templates/clean-architecture/js/src/infrastructure/webserver/server.js.ejs

@@ -1,5 +1,6 @@
 const express = require('express');
 const cors = require('cors');
+const cookieParser = require('cookie-parser');
 const logger = require('../log/logger');
 const morgan = require('morgan');
 const { errorMiddleware } = require('./middleware/errorMiddleware');
@@ -30,6 +31,7 @@ const startServer = async () => {
     const app = express();
 
     app.use(cors());
+    app.use(cookieParser());
     app.use(express.json());
     app.use(morgan('combined', { stream: { write: message => logger.info(message.trim()) } }));
     <%_ if (communication === 'REST APIs' || communication === 'Kafka') { -%>

package/templates/clean-architecture/ts/src/index.ts.ejs

@@ -4,6 +4,7 @@ import cors from 'cors';
 import helmet from 'helmet';
 import hpp from 'hpp';
 import rateLimit from 'express-rate-limit';
+import cookieParser from 'cookie-parser';
 import logger from '@/infrastructure/log/logger';
 import morgan from 'morgan';
 import { errorMiddleware } from '@/utils/errorMiddleware';
@@ -50,6 +51,7 @@ app.use(cors({ origin: '*', methods: ['GET', 'POST', 'PUT', 'DELETE'] }));
 const limiter = rateLimit({ windowMs: 10 * 60 * 1000, max: 100 });
 app.use(limiter);
 
+app.use(cookieParser());
 app.use(express.json());
 app.use(morgan('combined', { stream: { write: (message) => logger.info(message.trim()) } }));
 

package/templates/clean-architecture/ts/src/utils/httpCodes.ts

@@ -3,6 +3,7 @@ export const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 } as const;

package/templates/common/auth/js/controllers/authController.js.ejs

@@ -1,4 +1,5 @@
 const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
 <%_ if (architecture === 'MVC') { _%>
 const User = require('../models/User');
 const JwtService = require('../services/jwtService');
@@ -40,6 +41,16 @@ class AuthController {
     this.githubCallback = this.githubCallback.bind(this);
 <% } -%>
 <% } -%>
+    this.setOAuthStateCookie = this.setOAuthStateCookie.bind(this);
+  }
+
+  setOAuthStateCookie(res, state) {
+    res.cookie('oauth_state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 10 * 60 * 1000
+    });
   }
 
   async login(req, res, next) {
@@ -296,7 +307,7 @@ class AuthController {
       <%_ } _%>
 
       res.json({ token: accessToken, accessToken, refreshToken });
-      <%_ } _%>
+      <% } %>
     } catch (error) {
       logger.error('Social exchange error:', error);
       next(error);
@@ -307,6 +318,9 @@ class AuthController {
 <% if (socialAuth.includes('Google')) { -%>
   async googleLogin(req, res) {
     const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
       client_id: process.env.GOOGLE_CLIENT_ID,
@@ -317,15 +331,22 @@ class AuthController {
         'https://www.googleapis.com/auth/userinfo.profile',
         'https://www.googleapis.com/auth/userinfo.email',
       ].join(' '),
-      state: 'google'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
   }
 
-  async googleCallback(req, res, next) {
+  async googleCallback(req, res, _next) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
       const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
 
       <%_ if (architecture === 'Clean Architecture') { _%>
@@ -344,7 +365,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
@@ -382,12 +403,12 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.redirect('/');
-      <%_ } _%>
+      <% } %>
     } catch (error) {
       logger.error('Google callback error:', error);
       res.redirect('/login?error=social_auth_failed');
@@ -398,19 +419,28 @@ class AuthController {
 <% if (socialAuth.includes('GitHub')) { -%>
   async githubLogin(req, res) {
     const rootUrl = 'https://github.com/login/oauth/authorize';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       client_id: process.env.GITHUB_CLIENT_ID,
       redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
       scope: 'user:email',
-      state: 'github'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
   }
 
-  async githubCallback(req, res, next) {
+  async githubCallback(req, res, _next) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
 
       <%_ if (architecture === 'Clean Architecture') { _%>
       const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());
@@ -428,7 +458,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
@@ -466,7 +496,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });

package/templates/common/auth/js/controllers/authController.spec.js.ejs

@@ -6,7 +6,8 @@ jest.mock('@/usecases/auth/socialLoginUseCase');
 jest.mock('@/infrastructure/repositories/UserRepository');
 <%_ } _%>
 jest.mock('@/infrastructure/database/models/User', () => ({
-    findOne: jest.fn()
+    findOne: jest.fn(),
+    create: jest.fn()
 }));
 <%_ } else { _%>
 jest.mock('@/services/jwtService');
@@ -14,7 +15,8 @@ jest.mock('@/services/jwtService');
 jest.mock('@/services/socialAuthService');
 <%_ } _%>
 jest.mock('@/models/User', () => ({
-    findOne: jest.fn()
+    findOne: jest.fn(),
+    create: jest.fn()
 }));
 <%_ } _%>
 jest.mock('bcryptjs');
@@ -58,12 +60,14 @@ describe('AuthController', () => {
         mockReq = {
             body: {},
             headers: {},
-            query: {}
+            query: {},
+            cookies: {}
         };
         mockRes = {
             status: jest.fn().mockReturnThis(),
             json: jest.fn(),
             cookie: jest.fn(),
+            clearCookie: jest.fn(),
             redirect: jest.fn()
         };
         next = jest.fn();
@@ -269,7 +273,8 @@ describe('AuthController', () => {
         });
 
         it('googleCallback should handle Google callback', async () => {
-            mockReq.query = { code: 'test-code' };
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
             const user = { id: 1, email: 'google@test.com' };
             
             <% if (architecture === 'Clean Architecture') { %>
@@ -294,6 +299,48 @@ describe('AuthController', () => {
             expect(mockRes.cookie).toHaveBeenCalledWith('accessToken', 'mock-token', expect.any(Object));
             expect(mockRes.redirect).toHaveBeenCalledWith('/');
         });
+
+        it('googleCallback should return 403 if state is invalid', async () => {
+            mockReq.query = { code: 'test-code', state: 'invalid-state' };
+            mockReq.cookies = { oauth_state: 'valid-state' };
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+        });
+
+        it('googleCallback should create user if not exists (MVC)', async () => {
+            <% if (architecture === 'MVC') { %>
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            SocialAuthService.getGoogleProfile.mockResolvedValue({ email: 'new@google.com', id: 'google-id' });
+            User.findOne.mockResolvedValue(null);
+            User.create.mockResolvedValue({ id: '2', email: 'new@google.com' });
+            JwtService.generateToken.mockReturnValue('at');
+            JwtService.generateRefreshToken.mockReturnValue('rt');
+            JwtService.decodeToken.mockReturnValue({ jti: 'jti' });
+
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(User.create).toHaveBeenCalled();
+            <% } else { %>
+            expect(true).toBe(true);
+            <% } %>
+        });
+
+        it('googleCallback should redirect to login on error', async () => {
+            const error = new Error('Callback failed');
+            mockReq.query = { code: 'code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            <% if (architecture === 'Clean Architecture') { %>
+            const mockUseCase = {
+                execute: jest.fn().mockRejectedValue(error)
+            };
+            SocialLoginUseCase.mockImplementation(() => mockUseCase);
+            <% } else { %>
+            SocialAuthService.getGoogleProfile.mockRejectedValue(error);
+            <% } %>
+
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(mockRes.redirect).toHaveBeenCalledWith('/login?error=social_auth_failed');
+        });
         <% } %>
 
         <% if (socialAuth.includes('GitHub')) { %>
@@ -303,7 +350,8 @@ describe('AuthController', () => {
         });
 
         it('githubCallback should handle GitHub callback', async () => {
-            mockReq.query = { code: 'test-code' };
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
             const user = { id: 1, email: 'github@test.com' };
             
             <% if (architecture === 'Clean Architecture') { %>
@@ -328,6 +376,48 @@ describe('AuthController', () => {
             expect(mockRes.cookie).toHaveBeenCalledWith('accessToken', 'mock-token', expect.any(Object));
             expect(mockRes.redirect).toHaveBeenCalledWith('/');
         });
+
+        it('githubCallback should return 403 if state is invalid', async () => {
+            mockReq.query = { code: 'test-code', state: 'invalid-state' };
+            mockReq.cookies = { oauth_state: 'valid-state' };
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+        });
+
+        it('githubCallback should create user if not exists (MVC)', async () => {
+            <% if (architecture === 'MVC') { %>
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            SocialAuthService.getGithubProfile.mockResolvedValue({ email: 'new@github.com', id: 'github-id' });
+            User.findOne.mockResolvedValue(null);
+            User.create.mockResolvedValue({ id: '2', email: 'new@github.com' });
+            JwtService.generateToken.mockReturnValue('at');
+            JwtService.generateRefreshToken.mockReturnValue('rt');
+            JwtService.decodeToken.mockReturnValue({ jti: 'jti' });
+
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(User.create).toHaveBeenCalled();
+            <% } else { %>
+            expect(true).toBe(true);
+            <% } %>
+        });
+
+        it('githubCallback should redirect to login on error', async () => {
+            const error = new Error('Callback failed');
+            mockReq.query = { code: 'code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            <% if (architecture === 'Clean Architecture') { %>
+            const mockUseCase = {
+                execute: jest.fn().mockRejectedValue(error)
+            };
+            SocialLoginUseCase.mockImplementation(() => mockUseCase);
+            <% } else { %>
+            SocialAuthService.getGithubProfile.mockRejectedValue(error);
+            <% } %>
+
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(mockRes.redirect).toHaveBeenCalledWith('/login?error=social_auth_failed');
+        });
         <% } %>
     });
 <% } -%>

package/templates/common/auth/js/services/jwtService.js.ejs

@@ -25,7 +25,7 @@ class JwtService {
   static verifyToken(token) {
     try {
       return jwt.verify(token, this.SECRET);
-    } catch (error) {
+    } catch {
       return null;
     }
   }
@@ -33,7 +33,7 @@ class JwtService {
   static verifyRefreshToken(token) {
     try {
       return jwt.verify(token, this.REFRESH_SECRET);
-    } catch (error) {
+    } catch {
       return null;
     }
   }
@@ -41,7 +41,7 @@ class JwtService {
   static decodeToken(token) {
     try {
       return jwt.decode(token);
-    } catch (error) {
+    } catch {
       return null;
     }
   }

package/templates/common/auth/js/services/socialAuthService.spec.js.ejs

@@ -2,8 +2,6 @@ const axios = require('axios');
 <% if (architecture === 'MVC') { -%>
 const { SocialAuthService } = require('@/services/socialAuthService');
 const logger = require('@/utils/logger');
-<% } else { -%>
-const logger = require('@/infrastructure/log/logger');
 <% } -%>
 
 jest.mock('axios');

package/templates/common/auth/ts/controllers/authController.spec.ts.ejs

@@ -56,12 +56,14 @@ describe('AuthController', () => {
     mockRequest = {
       body: {},
       headers: {},
-      query: {}
+      query: {},
+      cookies: {}
     };
     mockResponse = {
       status: jest.fn().mockReturnThis(),
       json: jest.fn(),
       cookie: jest.fn(),
+      clearCookie: jest.fn(),
       redirect: jest.fn()
     };
     jest.clearAllMocks();
@@ -335,7 +337,8 @@ describe('AuthController', () => {
 
     <% if (socialAuth.includes('Google')) { %>
     it('googleCallback should handle Google callback', async () => {
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const user = { id: 1, email: 'google@test.com' };
       <%_ if (architecture === 'Clean Architecture') { _%>
       const mockUseCaseInstance = { execute: jest.fn().mockResolvedValue({ user, accessToken: 'at', refreshToken: 'rt' }) };
@@ -354,9 +357,17 @@ describe('AuthController', () => {
       expect(mockResponse.redirect).toHaveBeenCalledWith('/');
     });
 
+    it('googleCallback should return 403 if state is invalid', async () => {
+      mockRequest.query = { code: 'test-code', state: 'invalid-state' };
+      mockRequest.cookies = { oauth_state: 'valid-state' };
+      await authController.googleCallback(mockRequest as Request, mockResponse as Response, nextFunction);
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+    });
+
     it('googleCallback should create user if not exists (MVC)', async () => {
       <% if (architecture === 'MVC') { %>
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGoogleProfile as jest.Mock).mockResolvedValue({ email: 'new@google.com', id: 'google-id' });
       (User.findOne as jest.Mock).mockResolvedValue(null);
@@ -372,7 +383,8 @@ describe('AuthController', () => {
 
     it('googleCallback should redirect to login on error', async () => {
       const error = new Error('Callback failed');
-      mockRequest.query = { code: 'code' };
+      mockRequest.query = { code: 'code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       <% if (architecture === 'MVC') { %>
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGoogleProfile as jest.Mock).mockRejectedValue(error);
@@ -387,7 +399,8 @@ describe('AuthController', () => {
 
     <% if (socialAuth.includes('GitHub')) { %>
     it('githubCallback should handle GitHub callback', async () => {
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const user = { id: 1, email: 'github@test.com' };
       <%_ if (architecture === 'Clean Architecture') { _%>
       const mockUseCaseInstance = { execute: jest.fn().mockResolvedValue({ user, accessToken: 'at', refreshToken: 'rt' }) };
@@ -406,9 +419,17 @@ describe('AuthController', () => {
       expect(mockResponse.redirect).toHaveBeenCalledWith('/');
     });
 
+    it('githubCallback should return 403 if state is invalid', async () => {
+      mockRequest.query = { code: 'test-code', state: 'invalid-state' };
+      mockRequest.cookies = { oauth_state: 'valid-state' };
+      await authController.githubCallback(mockRequest as Request, mockResponse as Response, nextFunction);
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+    });
+
     it('githubCallback should create user if not exists (MVC)', async () => {
       <% if (architecture === 'MVC') { %>
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGithubProfile as jest.Mock).mockResolvedValue({ email: 'new@github.com', id: 'github-id' });
       (User.findOne as jest.Mock).mockResolvedValue(null);
@@ -424,7 +445,8 @@ describe('AuthController', () => {
 
     it('githubCallback should redirect to login on error', async () => {
       const error = new Error('Callback failed');
-      mockRequest.query = { code: 'code' };
+      mockRequest.query = { code: 'code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       <% if (architecture === 'MVC') { %>
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGithubProfile as jest.Mock).mockRejectedValue(error);

package/templates/common/auth/ts/controllers/authController.ts.ejs

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import bcrypt from 'bcryptjs';
+import crypto from 'crypto';
 <% if (architecture === 'MVC') { -%>
 import User from '@/models/User';
 import { JwtService } from '@/services/jwtService';
@@ -26,6 +27,15 @@ import { UserRepository } from '@/infrastructure/repositories/UserRepository';
 import { HTTP_STATUS } from '@/utils/httpCodes';
 
 export class AuthController {
+  private setOAuthStateCookie(res: Response, state: string) {
+    res.cookie('oauth_state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 10 * 60 * 1000
+    });
+  }
+
   async login(req: Request, res: Response, next: NextFunction) {
     try {
       const { email, password } = req.body;
@@ -188,7 +198,7 @@ export class AuthController {
       }
 
       <% if (architecture === 'Clean Architecture') { -%>
-      let useCase;
+      let useCase: SocialLoginUseCase | undefined;
       const userRepository = new UserRepository();
       <%_ if (socialAuth.includes('Google')) { _%>
       if (provider === 'Google') useCase = new SocialLoginUseCase(new GoogleProvider(), userRepository);
@@ -304,6 +314,9 @@ export class AuthController {
 <% if (socialAuth.includes('Google')) { -%>
   async googleLogin(req: Request, res: Response) {
     const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
       client_id: process.env.GOOGLE_CLIENT_ID!,
@@ -314,7 +327,7 @@ export class AuthController {
         'https://www.googleapis.com/auth/userinfo.profile',
         'https://www.googleapis.com/auth/userinfo.email',
       ].join(' '),
-      state: 'google'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
@@ -322,7 +335,14 @@ export class AuthController {
 
   async googleCallback(req: Request, res: Response, next: NextFunction) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
       const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
 
       <%_ if (architecture === 'Clean Architecture') { _%>
@@ -405,11 +425,14 @@ export class AuthController {
 <% if (socialAuth.includes('GitHub')) { -%>
   async githubLogin(req: Request, res: Response) {
     const rootUrl = 'https://github.com/login/oauth/authorize';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       client_id: process.env.GITHUB_CLIENT_ID!,
       redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
       scope: 'user:email',
-      state: 'github'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
@@ -417,7 +440,13 @@ export class AuthController {
 
   async githubCallback(req: Request, res: Response, next: NextFunction) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
 
       <%_ if (architecture === 'Clean Architecture') { _%>
       const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());

package/templates/common/eslint.config.mjs.ejs

@@ -73,7 +73,10 @@ export default [
     },
     rules: {
       "no-console": "warn",
-      "no-unused-vars": "warn",
+      "no-unused-vars": ["warn", { 
+        "argsIgnorePattern": "^_",
+        "varsIgnorePattern": "^_"
+      }],
       "import/no-unresolved": [2, { "caseSensitive": false }]
     }
   }

package/templates/common/kafka/js/services/kafkaService.js.ejs

@@ -34,7 +34,7 @@ const connectKafka = async (retries = 10) => {
                     await consumer.run({
                         eachMessage: async (payload) => welcomeConsumer.onMessage(payload),
                     });
-                } catch (error) {
+                } catch {
                     // Fallback or no consumers found
                     await consumer.subscribe({ topic: 'user-topic', fromBeginning: true });
                     await consumer.run({

package/templates/common/package.json.ejs

@@ -62,6 +62,7 @@
 <% } -%>
     "cors": "^2.8.5",
     "helmet": "^7.1.0",
+    "cookie-parser": "^1.4.6",
     "hpp": "^0.2.3",
     "express-rate-limit": "^7.1.5",
     "winston": "^3.11.0",
@@ -80,6 +81,7 @@
     "ts-node": "^10.9.2",
     "@types/node": "^20.10.5",
     "@types/express": "^4.17.21",
+    "@types/cookie-parser": "^1.4.6",
     "@types/cors": "^2.8.17",
     "@types/hpp": "^0.2.3",
 <% if (caching === 'Memory Cache') { %>    "@types/node-cache": "^4.2.5",

package/templates/mvc/js/src/index.js.ejs

@@ -1,6 +1,7 @@
 const { env } = require('./config/env');
 const express = require('express');
 const cors = require('cors');
+const cookieParser = require('cookie-parser');
 <%_ if (communication === 'REST APIs' || communication === 'Kafka') { -%>const apiRoutes = require('./routes/api');<%_ } %>
 const healthRoutes = require('./routes/healthRoute');
 <%_ if (communication === 'Kafka') { -%>const { connectKafka, sendMessage } = require('./services/kafkaService');<%_ } -%>
@@ -28,6 +29,7 @@ const morgan = require('morgan');
 const { errorMiddleware } = require('./utils/errorMiddleware');
 
 app.use(cors());
+app.use(cookieParser());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(morgan('combined', { stream: { write: message => logger.info(message.trim()) } }));

package/templates/mvc/js/src/utils/httpCodes.js

@@ -3,6 +3,7 @@ const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 };

package/templates/mvc/ts/src/index.ts.ejs

@@ -7,6 +7,7 @@ import cors from 'cors';
 import helmet from 'helmet';
 import hpp from 'hpp';
 import rateLimit from 'express-rate-limit';
+import cookieParser from 'cookie-parser';
 import logger from '@/utils/logger';
 import morgan from 'morgan';
 import { errorMiddleware } from '@/utils/errorMiddleware';
@@ -52,6 +53,7 @@ app.use(cors({ origin: '*', methods: ['GET', 'POST', 'PUT', 'DELETE'] }));
 const limiter = rateLimit({ windowMs: 10 * 60 * 1000, max: 100 });
 app.use(limiter);
 
+app.use(cookieParser());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(morgan('combined', { stream: { write: (message) => logger.info(message.trim()) } }));

package/templates/mvc/ts/src/utils/httpCodes.ts

@@ -3,6 +3,7 @@ export const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 } as const;