nodejs-quickstart-structure 2.2.0 → 2.3.0

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.0] - 2026-05-21
+
+### Added
+- **Terraform Infrastructure Integration (IaC)**: Integrated modular, production-ready AWS Terraform templates with Multi-AZ VPC network isolation, WAF, ALB, RDS, and ElastiCache.
+- **Expanded Validation Matrix**: Scaled the mathematical validation matrix to **23,760+ unique project scenarios** (representing a 3x expansion), ensuring 100% template rendering accuracy across all permutations including the new Infrastructure options.
+
+## [2.2.1] - 2026-05-12
+
+### Added
+- **Secure OAuth CSRF Protection**: Implemented robust state-validation using cryptographically secure random tokens and `HttpOnly` cookies to mitigate CSRF attacks in social authentication flows.
+- **Improved CLI Robustness**: Enhanced argument parsing to support comma-separated strings for variadic flags like `--social-auth` and `--auth`.
+
+### Fixed
+- **Architectural Parity & Type Safety**: Standardized `HTTP_STATUS.FORBIDDEN` across all templates and resolved TypeScript type inference issues (`never` type) in generated Clean Architecture controllers.
+
 ## [2.2.0] - 2026-05-05
 
 ### Added

package/README.md

@@ -17,7 +17,7 @@ A powerful ecosystem to scaffold production-ready Node.js microservices with bui
 - [What's New](#whats-new-in-v21-the-authentication-release)
 - [Key Features](#key-features)
 - [Professional Standards](#professional-standards)
-- [7,920+ Project Combinations](#7920-project-combinations)
+- [23,760+ Project Combinations](#23760-project-combinations)
 - [Configuration Options](#configuration-options)
 - [Generated Project Structure](#generated-project-structure)
 - [Documentation](#documentation)
@@ -27,8 +27,8 @@ A powerful ecosystem to scaffold production-ready Node.js microservices with bui
  
 | **Path A: Next-Gen Web UI** (Recommended) | **Path B: Interactive CLI** |
 | :--- | :--- |
-| <a href="https://paudang.github.io/nodejs-quickstart-structure/#configurator"><img src="docs/public/v2-preview.png" width="100%" alt="UI Preview"></a> | <img src="docs/demo.gif" width="100%" alt="CLI Demo"> |
-| [Try Visual Configurator →](https://paudang.github.io/nodejs-quickstart-structure/#configurator) | [See CLI Commands ↓](#path-b-interactive-cli) |
+| <a href="https://nodejs-quickstart-generator.netlify.app/#configurator"><img src="docs/public/v2-preview.png" width="100%" alt="UI Preview"></a> | <img src="docs/demo.gif" width="100%" alt="CLI Demo"> |
+| [Try Visual Configurator →](https://nodejs-quickstart-generator.netlify.app/#configurator) | [See CLI Commands ↓](#path-b-interactive-cli) |
 | **Visual Preview**: Real-time folder simulation. | **Fast & Direct**: Quickly scaffold in terminal. |
 | **Zero-Prompt**: Paste a tailored command. | **AI-Ready**: Generates `.cursorrules`. |
 
@@ -50,12 +50,12 @@ nodejs-quickstart init
 
 ---
 
-## What's New in v2.2 (The Social Auth Release)
+## What's New in v2.3 (The Infrastructure & Terraform Release)
  
- The v2.2.0 release brings enterprise-grade identity management to your microservices:
+ The v2.3.0 release brings professional-grade Infrastructure as Code (IaC) to your generated projects:
  
-- **OAuth2 Social Login**: Seamlessly integrate **Google** and **GitHub** authentication with automatic user provisioning and JWT session linking.
-- **Massive Matrix Expansion**: Now supporting **7,920+ unique project scenarios**, mathematically validated for template consistency.
+- **Terraform Infrastructure Integration (IaC)**: Support for modular, production-ready AWS Terraform scaffolding with Multi-AZ VPC network isolation, WAF, application load balancers, database layers, and ElastiCache.
+- **Massive Matrix Expansion**: Now supporting **23,760+ unique project scenarios**, mathematically validated for template consistency.
 
 ---
 
@@ -85,14 +85,14 @@ We don't just generate boilerplate; we generate **production-ready** foundations
 
 ---
 
-## 7,920+ Project Combinations
+## 23,760+ Project Combinations
 
 The CLI supports a massive number of configurations to fit your exact needs:
 
-- **720 Core Combinations**:
-  - **MVC Architecture**: 540 variants (Languages × View Engines × Databases × Communication Patterns × Caching × Auth)
-  - **Clean Architecture**: 180 variants (Languages × Databases × Communication Patterns × Caching × Auth)
-- **7,920+ Total Scenarios**:
+- **2,160 Core Combinations**:
+  - **MVC Architecture**: 1,620 variants (Languages × View Engines × Databases × Communication Patterns × Caching × Auth × Infrastructure)
+  - **Clean Architecture**: 540 variants (Languages × Databases × Communication Patterns × Caching × Auth × Infrastructure)
+- **23,760+ Total Scenarios**:
   - Every combination can be generated across 5 CI/CD providers.
   - Optional **Enterprise-Grade Security Hardening** doubles the scenarios.
   - Every single scenario is verified to be compatible with our **80% Coverage Threshold** policy.
@@ -112,6 +112,7 @@ The CLI will guide you through:
 8. **Auth**: `None` | `JWT` | `OAuth2 (Google/GitHub) + JWT`
 9. **CI/CD**: `GitHub Actions` | `Jenkins` | `GitLab CI` | `CircleCI` | `Bitbucket Pipelines`
 10. **Security**: (Optional) Snyk & SonarCloud Hardening
+11. **Infrastructure**: (Optional IaC) `None` | `Standard` (Single EC2) | `Production` (WAF + ALB + Multi-AZ VPC)
 
 ---
 
@@ -139,7 +140,7 @@ Depending on your choices, the structure adapts. Here is a **TypeScript + Clean
 
 ## Documentation
 
-For full guides, architecture deep-dives, and feature references, visit our **[Official Documentation Site](https://paudang.github.io/nodejs-quickstart-structure/guide/getting-started.html)**.
+For full guides, architecture deep-dives, and feature references, visit our **[Official Documentation Site](https://nodejs-quickstart-generator.netlify.app/guide/getting-started.html)**.
 
 ---
 

package/bin/index.js

@@ -15,7 +15,7 @@ const program = new Command();
 
 program
     .name('nodejs-quickstart')
-    .description('🚀 CLI to scaffold production-ready Node.js microservices.\n\nGenerates projects with:\n- MVC or Clean Architecture\n- REST, GraphQL or Kafka\n- MySQL, PostgreSQL, or MongoDB\n- Auth (None, JWT)\n- Docker, Flyway & Mongoose support')
+    .description('🚀 CLI to scaffold production-ready Node.js microservices.\n\nGenerates projects with:\n- MVC or Clean Architecture\n- REST, GraphQL or Kafka\n- MySQL, PostgreSQL, or MongoDB\n- Auth (None, JWT)\n- Terraform (Standard, Production)\n- Docker, Flyway & Mongoose support')
     .version(pkg.version, '-v, --version', 'Output the current version')
     .addHelpText('after', `\n${chalk.yellow('Example:')}\n  $ nodejs-quickstart init   ${chalk.gray('# Start the interactive setup')}\n`);
 
@@ -35,6 +35,7 @@ program
     .option('--caching <type>', 'Caching Layer (None/Redis/Memory Cache)')
     .option('--auth <modes...>', 'Authentication Modes (None, JWT)')
     .option('--social-auth <providers...>', 'Social Authentication Providers (None, Google, GitHub)')
+    .option('--terraform <tier>', 'Infrastructure Tier (None, Standard, Production)')
     .option('--advanced-options', 'Enable Advanced Options')
     .option('--no-advanced-options', 'Disable Advanced Options')
     .action(async (options) => {

package/lib/generator.js

@@ -1,11 +1,12 @@
 import path from 'path';
 import { fileURLToPath } from 'url';
-import { setupProjectDirectory, copyBaseStructure, copyCommonFiles } from './modules/project-setup.js';
+import { setupProjectDirectory, copyBaseStructure, copyCommonFiles, cleanGeneratedFiles } from './modules/project-setup.js';
 import { renderPackageJson, renderDockerCompose, renderReadme, renderDockerfile, renderProfessionalConfig, setupCiCd, renderTestSample, renderEnvExample, renderPm2Config, renderAiNativeFiles } from './modules/config-files.js';
 import { renderIndexFile, renderEnvConfig, renderErrorMiddleware, renderDynamicComponents, renderSwaggerConfig, setupViews as setupSrcViews, processAllTests } from './modules/app-setup.js';
 import { setupDatabase } from './modules/database-setup.js';
 import { setupKafka, setupViews } from './modules/kafka-setup.js';
 import { setupCaching } from './modules/caching-setup.js';
+import { setupTerraform } from './modules/terraform-setup.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -23,6 +24,7 @@ export const generateProject = async (config) => {
         database: 'None',
         includeSecurity: false,
         auth: ['None'],
+        terraform: 'None',
         ...config
     };
 
@@ -99,6 +101,12 @@ export const generateProject = async (config) => {
     // 16. PM2 Configuration
     await renderPm2Config(templatesDir, targetDir, config);
 
+    // 16a. Terraform Setup
+    await setupTerraform(templatesDir, targetDir, config);
+
+    // 16b. Auto-format generated files (clean trailing whitespaces, collapse EJS conditional blank lines)
+    await cleanGeneratedFiles(targetDir);
+
     // 17. Process All Tests
     await processAllTests(targetDir, config);
 
@@ -122,6 +130,7 @@ export const generateProject = async (config) => {
       ✅  Security: Helmet, CORS, Rate-Limiting added${config.includeSecurity ? '\n      ✅  Enterprise Security: Snyk (SCA) & SonarCloud (SAST) integration' : ''}
       ✅  Testing: Jest setup for Unit/Integration tests
       ✅  Docker: Production-ready multi-stage build
+      ${config.terraform && config.terraform !== 'None' ? `✅  Infrastructure (IaC): Terraform (${config.terraform}) ready` : ''}
       ${config.ciProvider !== 'None' ? `✅  CI/CD: ${config.ciProvider} Workflow ready` : '❌  CI/CD: Skipped (User preferred)'}
 
       ----------------------------------------------------

package/lib/modules/project-setup.js

@@ -31,3 +31,44 @@ export const copyCommonFiles = async (templatesDir, targetDir, language) => {
         await fs.copy(path.join(templatesDir, 'common', 'tsconfig.eslint.json'), path.join(targetDir, 'tsconfig.eslint.json'));
     }
 };
+
+export const cleanGeneratedFiles = async (dir) => {
+    const items = await fs.readdir(dir);
+    for (const item of items) {
+        const fullPath = path.join(dir, item);
+        const stat = await fs.stat(fullPath);
+        if (stat.isDirectory()) {
+            if (item !== 'node_modules' && item !== '.git') {
+                await cleanGeneratedFiles(fullPath);
+            }
+        } else {
+            const ext = path.extname(item);
+            if (['.ts', '.js', '.json', '.yml', '.yaml', '.md', '.env', '.example', '.cursorrules'].includes(ext) || item === 'Dockerfile' || item === 'Jenkinsfile') {
+                let content = await fs.readFile(fullPath, 'utf-8');
+                const original = content;
+                
+                content = content.replace(/\r\n/g, '\n');
+                
+                // 1. Remove trailing spaces on lines
+                content = content.replace(/[ \t]+$/gm, '');
+                
+                // 2. Collapse 3+ consecutive newlines to maximum 2 newlines (double spacing)
+                content = content.replace(/\n{3,}/g, '\n\n');
+                
+                // 3. Remove blank lines immediately before closing braces/brackets, preserving indentation
+                content = content.replace(/\n\s*\n(\s*)([\}|\]])/g, '\n$1$2');
+                
+                // 4. Remove blank lines immediately after opening braces/brackets, preserving indentation
+                content = content.replace(/({\s*)\n\s*\n(\s*)/g, '$1\n$2');
+                content = content.replace(/(\[\s*)\n\s*\n(\s*)/g, '$1\n$2');
+                
+                // 5. Ensure exactly one trailing newline at the end of the file
+                content = content.trim() + '\n';
+                
+                if (content !== original) {
+                    await fs.writeFile(fullPath, content, 'utf-8');
+                }
+            }
+        }
+    }
+};

package/lib/modules/terraform-setup.js

@@ -0,0 +1,131 @@
+import path from 'path';
+import fs from 'fs-extra';
+import chalk from 'chalk';
+
+export const setupTerraform = async (templatesDir, targetDir, config) => {
+    const { terraform, projectName } = config;
+
+    if (!terraform || terraform === 'None') {
+        return;
+    }
+
+    const terraformSourceDir = path.join(templatesDir, 'common/terraform');
+    const terraformTargetDir = path.join(targetDir, 'terraform');
+
+    try {
+        // Ensure the source directory exists
+        if (!(await fs.pathExists(terraformSourceDir))) {
+            console.warn(chalk.yellow(`\n  Terraform templates not found at ${terraformSourceDir}. Skipping...`));
+            return;
+        }
+
+        // Create target directory
+        await fs.ensureDir(terraformTargetDir);
+
+        // Copy everything first
+        await fs.copy(terraformSourceDir, terraformTargetDir);
+
+        // --- Customization ---
+
+        // 1. Customize variables.tf
+        const variablesPath = path.join(terraformTargetDir, 'variables.tf');
+        if (await fs.pathExists(variablesPath)) {
+            let content = await fs.readFile(variablesPath, 'utf8');
+            content = content.replace(/default\s*=\s*"nodejs-quickstart"/, `default = "${projectName}"`);
+            
+            // Map database engine
+            if (config.database === 'PostgreSQL') {
+                content = content.replace(/variable "db_engine" {[\s\S]*?default\s*=\s*"mysql"/, 'variable "db_engine" {\n  description = "Database engine (mysql or postgres)"\n  default     = "postgres"');
+            } else if (config.database === 'MySQL') {
+                content = content.replace(/default\s*=\s*"myappdb"/, `default = "${config.dbName || 'demo'}"`);
+            }
+
+            // Set is_production flag
+            if (terraform === 'Production') {
+                content = content.replace(/variable "is_production" \{[\s\S]*?default\s*=\s*false/, 'variable "is_production" {\n  description = "Enable production-grade features (Multi-AZ, WAF, Scaling)"\n  type        = bool\n  default     = true');
+            }
+            
+            await fs.writeFile(variablesPath, content);
+        }
+
+        // 2. Handle Database "None" case
+        if (config.database === 'None') {
+            // REMOVE database module call from main.tf
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // Remove the database module block entirely (from comment to closing brace)
+                content = content.replace(/# --- Data Layer \(RDS Isolated\) ---[\s\S]*?module "database" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(mainTfPath, content);
+            }
+
+            // REMOVE database outputs from outputs.tf
+            const outputsTfPath = path.join(terraformTargetDir, 'outputs.tf');
+            if (await fs.pathExists(outputsTfPath)) {
+                let content = await fs.readFile(outputsTfPath, 'utf8');
+                // Remove individual database outputs
+                content = content.replace(/output "database_[\s\S]*?\}\n/g, '');
+                await fs.writeFile(outputsTfPath, content);
+            }
+
+            // DELETE the database module folder
+            const dbModuleDir = path.join(terraformTargetDir, 'modules/database');
+            if (await fs.pathExists(dbModuleDir)) {
+                await fs.remove(dbModuleDir);
+            }
+        }
+
+        // 3. Handle Caching case (Delete if NOT Redis)
+        if (config.caching !== 'Redis') {
+            // REMOVE cache module call from main.tf
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // Remove the cache module block entirely
+                content = content.replace(/# --- Cache Layer \(Redis ElastiCache\) ---[\s\S]*?module "cache" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(mainTfPath, content);
+            }
+
+            // REMOVE redis output from outputs.tf
+            const outputsTfPath = path.join(terraformTargetDir, 'outputs.tf');
+            if (await fs.pathExists(outputsTfPath)) {
+                let content = await fs.readFile(outputsTfPath, 'utf8');
+                content = content.replace(/output "redis_endpoint" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(outputsTfPath, content);
+            }
+
+            // DELETE the cache module folder
+            const cacheModuleDir = path.join(terraformTargetDir, 'modules/cache');
+            if (await fs.pathExists(cacheModuleDir)) {
+                await fs.remove(cacheModuleDir);
+            }
+        }
+        // If caching IS Redis, it's already uncommented in the template, so no action needed here.
+
+        // 4. Customize Compute module based on language
+        const computeMainPath = path.join(terraformTargetDir, 'modules/compute/main.tf');
+        if (await fs.pathExists(computeMainPath)) {
+            let content = await fs.readFile(computeMainPath, 'utf8');
+            const startHint = config.language === 'TypeScript' 
+                ? 'npm run build && node dist/index.js' 
+                : 'node src/index.js';
+            
+            content = content.replace(/# docker run -d -p 3000:3000 my-node-app:latest/, 
+                `# For ${config.language}: ${startHint}\n              # docker run -d -p 3000:3000 my-node-app:latest`);
+            await fs.writeFile(computeMainPath, content);
+        }
+
+        // 5. Handle "Standard" tier (Optional: disable WAF for cost)
+        if (terraform === 'Standard') {
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // In Standard tier, we might want to tell the security module to skip WAF
+                // For now, we'll keep it simple, but we could add a variable 'enable_waf'
+            }
+        }
+
+    } catch (error) {
+        console.error(chalk.red(`\n Error setting up Terraform: ${error.message}`));
+    }
+};

package/lib/prompts.js

@@ -89,7 +89,7 @@ export const getProjectDetails = async (options = {}) => {
         {
             type: 'select',
             name: 'advancedOptions',
-            message: 'Enable Advanced Options (Authentication, etc.)?',
+            message: 'Enable Advanced Options (Authentication, Terraform, etc.)?',
             choices: ['No', 'Yes'],
             default: 'No',
             when: options.advancedOptions === undefined
@@ -104,6 +104,21 @@ export const getProjectDetails = async (options = {}) => {
                 const advanced = options.advancedOptions !== undefined ? options.advancedOptions : answers.advancedOptions;
                 return (advanced === 'Yes' || advanced === true) && !options.auth;
             }
+        },
+        {
+            type: 'select',
+            name: 'terraform',
+            message: 'Select Infrastructure (IaC - Terraform):',
+            choices: [
+                { name: 'None (No infrastructure files)', value: 'None' },
+                { name: 'Standard (Single EC2 - Cost Efficient)', value: 'Standard' },
+                { name: 'Production (WAF + ALB + Private Subnets - High Availability)', value: 'Production' }
+            ],
+            default: 'None',
+            when: (answers) => {
+                const advanced = options.advancedOptions !== undefined ? options.advancedOptions : answers.advancedOptions;
+                return (advanced === 'Yes' || advanced === true) && !options.terraform;
+            }
         }
     ];
 
@@ -139,7 +154,9 @@ export const getProjectDetails = async (options = {}) => {
 
     // Normalize auth to array if it's a string from the options
     if (typeof result.auth === 'string') {
-        result.auth = [result.auth];
+        result.auth = result.auth.split(',').map(s => s.trim());
+    } else if (Array.isArray(result.auth)) {
+        result.auth = result.auth.flatMap(s => s.split(',').map(ss => ss.trim()));
     }
 
     // Map friendly CLI strings to actual values
@@ -162,7 +179,9 @@ export const getProjectDetails = async (options = {}) => {
 
     // Normalize socialAuth to array from options
     if (typeof result.socialAuth === 'string') {
-        result.socialAuth = [result.socialAuth];
+        result.socialAuth = result.socialAuth.split(',').map(s => s.trim());
+    } else if (Array.isArray(result.socialAuth)) {
+        result.socialAuth = result.socialAuth.flatMap(s => s.split(',').map(ss => ss.trim()));
     }
 
     // Default socialAuth if not provided

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodejs-quickstart-structure",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "type": "module",
   "description": "The ultimate nodejs quickstart structure CLI to scaffold Node.js microservices with MVC or Clean Architecture",
   "main": "bin/index.js",

package/templates/clean-architecture/js/src/infrastructure/webserver/server.js.ejs

@@ -1,5 +1,6 @@
 const express = require('express');
 const cors = require('cors');
+const cookieParser = require('cookie-parser');
 const logger = require('../log/logger');
 const morgan = require('morgan');
 const { errorMiddleware } = require('./middleware/errorMiddleware');
@@ -30,6 +31,7 @@ const startServer = async () => {
     const app = express();
 
     app.use(cors());
+    app.use(cookieParser());
     app.use(express.json());
     app.use(morgan('combined', { stream: { write: message => logger.info(message.trim()) } }));
     <%_ if (communication === 'REST APIs' || communication === 'Kafka') { -%>

package/templates/clean-architecture/js/src/usecases/CreateUser.js.ejs

@@ -13,12 +13,15 @@ class CreateUser {
     }
 
     async execute(name, email, password) {
+<%_ if (auth.includes('JWT')) { -%>
         let finalPassword = password;
-        <%_ if (auth.includes('JWT')) { -%>
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
-        }<%_ } -%>
+        }
         const user = new User(null, name, email, finalPassword);
+<%_ } else { -%>
+        const user = new User(null, name, email, password);
+<%_ } -%>
         const savedUser = await this.userRepository.save(user);
         <%_ if (caching !== 'None') { -%>
         try {

package/templates/clean-architecture/ts/src/index.ts.ejs

@@ -4,6 +4,7 @@ import cors from 'cors';
 import helmet from 'helmet';
 import hpp from 'hpp';
 import rateLimit from 'express-rate-limit';
+import cookieParser from 'cookie-parser';
 import logger from '@/infrastructure/log/logger';
 import morgan from 'morgan';
 import { errorMiddleware } from '@/utils/errorMiddleware';
@@ -50,6 +51,7 @@ app.use(cors({ origin: '*', methods: ['GET', 'POST', 'PUT', 'DELETE'] }));
 const limiter = rateLimit({ windowMs: 10 * 60 * 1000, max: 100 });
 app.use(limiter);
 
+app.use(cookieParser());
 app.use(express.json());
 app.use(morgan('combined', { stream: { write: (message) => logger.info(message.trim()) } }));
 

package/templates/clean-architecture/ts/src/usecases/createUser.ts.ejs

@@ -14,13 +14,15 @@ export default class CreateUser {
     constructor(private userRepository: UserRepository) {}
 
     async execute(name: string, email: string, password?: string) {
-        let finalPassword = password;
 <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-<% } -%>
         const user = new User(null, name, email, finalPassword);
+<% } else { -%>
+        const user = new User(null, name, email, password);
+<% } -%>
         const savedUser = await this.userRepository.save(user);
 <% if (caching !== 'None') { -%>
         try {

package/templates/clean-architecture/ts/src/utils/httpCodes.ts

@@ -3,6 +3,7 @@ export const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 } as const;

package/templates/common/auth/js/controllers/authController.js.ejs

@@ -1,4 +1,5 @@
 const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
 <%_ if (architecture === 'MVC') { _%>
 const User = require('../models/User');
 const JwtService = require('../services/jwtService');
@@ -40,6 +41,16 @@ class AuthController {
     this.githubCallback = this.githubCallback.bind(this);
 <% } -%>
 <% } -%>
+    this.setOAuthStateCookie = this.setOAuthStateCookie.bind(this);
+  }
+
+  setOAuthStateCookie(res, state) {
+    res.cookie('oauth_state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 10 * 60 * 1000
+    });
   }
 
   async login(req, res, next) {
@@ -296,7 +307,7 @@ class AuthController {
       <%_ } _%>
 
       res.json({ token: accessToken, accessToken, refreshToken });
-      <%_ } _%>
+      <% } %>
     } catch (error) {
       logger.error('Social exchange error:', error);
       next(error);
@@ -307,6 +318,9 @@ class AuthController {
 <% if (socialAuth.includes('Google')) { -%>
   async googleLogin(req, res) {
     const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
       client_id: process.env.GOOGLE_CLIENT_ID,
@@ -317,15 +331,22 @@ class AuthController {
         'https://www.googleapis.com/auth/userinfo.profile',
         'https://www.googleapis.com/auth/userinfo.email',
       ].join(' '),
-      state: 'google'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
   }
 
-  async googleCallback(req, res, next) {
+  async googleCallback(req, res, _next) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
       const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
 
       <%_ if (architecture === 'Clean Architecture') { _%>
@@ -344,7 +365,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
@@ -382,12 +403,12 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.redirect('/');
-      <%_ } _%>
+      <% } %>
     } catch (error) {
       logger.error('Google callback error:', error);
       res.redirect('/login?error=social_auth_failed');
@@ -398,19 +419,28 @@ class AuthController {
 <% if (socialAuth.includes('GitHub')) { -%>
   async githubLogin(req, res) {
     const rootUrl = 'https://github.com/login/oauth/authorize';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       client_id: process.env.GITHUB_CLIENT_ID,
       redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
       scope: 'user:email',
-      state: 'github'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
   }
 
-  async githubCallback(req, res, next) {
+  async githubCallback(req, res, _next) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
 
       <%_ if (architecture === 'Clean Architecture') { _%>
       const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());
@@ -428,7 +458,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
@@ -466,7 +496,7 @@ class AuthController {
       const activeTokens = JwtService.activeRefreshTokens.get(userId) || [];
       activeTokens.push(refreshJti);
       JwtService.activeRefreshTokens.set(userId, activeTokens);
-      <%_ } _%>
+      <% } %>
 
       res.cookie('accessToken', accessToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });
       res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });