servcraft 0.1.0

package/src/modules/audit/audit.service.ts

@@ -0,0 +1,192 @@
+import { randomUUID } from 'crypto';
+import { logger } from '../../core/logger.js';
+import type { AuditLogEntry, AuditLogQuery } from './types.js';
+import type { PaginatedResult } from '../../types/index.js';
+import { createPaginatedResult } from '../../utils/pagination.js';
+
+// In-memory storage (will be replaced by Prisma in production)
+const auditLogs: Map<string, AuditLogEntry & { id: string; createdAt: Date }> = new Map();
+
+export class AuditService {
+  async log(entry: AuditLogEntry): Promise<void> {
+    const id = randomUUID();
+    const auditEntry = {
+      ...entry,
+      id,
+      createdAt: new Date(),
+    };
+
+    auditLogs.set(id, auditEntry);
+
+    // Also log to structured logger
+    logger.info(
+      {
+        audit: true,
+        userId: entry.userId,
+        action: entry.action,
+        resource: entry.resource,
+        resourceId: entry.resourceId,
+        ipAddress: entry.ipAddress,
+      },
+      `Audit: ${entry.action} on ${entry.resource}`
+    );
+  }
+
+  async query(
+    params: AuditLogQuery
+  ): Promise<PaginatedResult<AuditLogEntry & { id: string; createdAt: Date }>> {
+    const { page = 1, limit = 20 } = params;
+    let logs = Array.from(auditLogs.values());
+
+    // Apply filters
+    if (params.userId) {
+      logs = logs.filter((log) => log.userId === params.userId);
+    }
+    if (params.action) {
+      logs = logs.filter((log) => log.action === params.action);
+    }
+    if (params.resource) {
+      logs = logs.filter((log) => log.resource === params.resource);
+    }
+    if (params.resourceId) {
+      logs = logs.filter((log) => log.resourceId === params.resourceId);
+    }
+    if (params.startDate) {
+      logs = logs.filter((log) => log.createdAt >= params.startDate!);
+    }
+    if (params.endDate) {
+      logs = logs.filter((log) => log.createdAt <= params.endDate!);
+    }
+
+    // Sort by date descending
+    logs.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime());
+
+    const total = logs.length;
+    const skip = (page - 1) * limit;
+    const data = logs.slice(skip, skip + limit);
+
+    return createPaginatedResult(data, total, { page, limit });
+  }
+
+  async findByUser(userId: string, limit = 50): Promise<(AuditLogEntry & { id: string; createdAt: Date })[]> {
+    const result = await this.query({ userId, limit });
+    return result.data;
+  }
+
+  async findByResource(
+    resource: string,
+    resourceId: string,
+    limit = 50
+  ): Promise<(AuditLogEntry & { id: string; createdAt: Date })[]> {
+    const result = await this.query({ resource, resourceId, limit });
+    return result.data;
+  }
+
+  // Shortcut methods for common audit events
+  async logCreate(
+    resource: string,
+    resourceId: string,
+    userId?: string,
+    newValue?: Record<string, unknown>,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'create',
+      resource,
+      resourceId,
+      userId,
+      newValue,
+      ...meta,
+    });
+  }
+
+  async logUpdate(
+    resource: string,
+    resourceId: string,
+    userId?: string,
+    oldValue?: Record<string, unknown>,
+    newValue?: Record<string, unknown>,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'update',
+      resource,
+      resourceId,
+      userId,
+      oldValue,
+      newValue,
+      ...meta,
+    });
+  }
+
+  async logDelete(
+    resource: string,
+    resourceId: string,
+    userId?: string,
+    oldValue?: Record<string, unknown>,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'delete',
+      resource,
+      resourceId,
+      userId,
+      oldValue,
+      ...meta,
+    });
+  }
+
+  async logLogin(
+    userId: string,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'login',
+      resource: 'auth',
+      userId,
+      ...meta,
+    });
+  }
+
+  async logLogout(
+    userId: string,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'logout',
+      resource: 'auth',
+      userId,
+      ...meta,
+    });
+  }
+
+  async logPasswordChange(
+    userId: string,
+    meta?: { ipAddress?: string; userAgent?: string }
+  ): Promise<void> {
+    await this.log({
+      action: 'password_change',
+      resource: 'auth',
+      userId,
+      ...meta,
+    });
+  }
+
+  // Clear all logs (for testing)
+  async clear(): Promise<void> {
+    auditLogs.clear();
+  }
+}
+
+let auditService: AuditService | null = null;
+
+export function getAuditService(): AuditService {
+  if (!auditService) {
+    auditService = new AuditService();
+  }
+  return auditService;
+}
+
+export function createAuditService(): AuditService {
+  return new AuditService();
+}

package/src/modules/audit/index.ts

@@ -0,0 +1,2 @@
+export { AuditService, getAuditService, createAuditService } from './audit.service.js';
+export type { AuditLogEntry, AuditLogQuery, AuditAction } from './types.js';

package/src/modules/audit/types.ts

@@ -0,0 +1,37 @@
+export type AuditAction =
+  | 'create'
+  | 'read'
+  | 'update'
+  | 'delete'
+  | 'login'
+  | 'logout'
+  | 'register'
+  | 'password_change'
+  | 'password_reset'
+  | 'email_verify'
+  | 'role_change'
+  | 'status_change'
+  | 'settings_change';
+
+export interface AuditLogEntry {
+  userId?: string;
+  action: AuditAction | string;
+  resource: string;
+  resourceId?: string;
+  oldValue?: Record<string, unknown>;
+  newValue?: Record<string, unknown>;
+  ipAddress?: string;
+  userAgent?: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface AuditLogQuery {
+  userId?: string;
+  action?: string;
+  resource?: string;
+  resourceId?: string;
+  startDate?: Date;
+  endDate?: Date;
+  page?: number;
+  limit?: number;
+}

package/src/modules/auth/auth.controller.ts

@@ -0,0 +1,182 @@
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import type { AuthService } from './auth.service.js';
+import type { UserService } from '../user/user.service.js';
+import {
+  loginSchema,
+  registerSchema,
+  refreshTokenSchema,
+  changePasswordSchema,
+} from './schemas.js';
+import { success, created } from '../../utils/response.js';
+import { BadRequestError, UnauthorizedError } from '../../utils/errors.js';
+import { validateBody } from '../validation/validator.js';
+import type { AuthenticatedRequest } from './types.js';
+
+export class AuthController {
+  constructor(
+    private authService: AuthService,
+    private userService: UserService
+  ) {}
+
+  async register(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const data = validateBody(registerSchema, request.body);
+
+    // Check if user already exists
+    const existingUser = await this.userService.findByEmail(data.email);
+    if (existingUser) {
+      throw new BadRequestError('Email already registered');
+    }
+
+    // Hash password and create user
+    const hashedPassword = await this.authService.hashPassword(data.password);
+    const user = await this.userService.create({
+      email: data.email,
+      password: hashedPassword,
+      name: data.name,
+    });
+
+    // Generate tokens
+    const tokens = this.authService.generateTokenPair({
+      id: user.id,
+      email: user.email,
+      role: user.role,
+    });
+
+    created(reply, {
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        role: user.role,
+      },
+      ...tokens,
+    });
+  }
+
+  async login(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const data = validateBody(loginSchema, request.body);
+
+    // Find user
+    const user = await this.userService.findByEmail(data.email);
+    if (!user) {
+      throw new UnauthorizedError('Invalid credentials');
+    }
+
+    // Check if user is active
+    if (user.status !== 'active') {
+      throw new UnauthorizedError('Account is not active');
+    }
+
+    // Verify password
+    const isValidPassword = await this.authService.verifyPassword(data.password, user.password);
+    if (!isValidPassword) {
+      throw new UnauthorizedError('Invalid credentials');
+    }
+
+    // Update last login
+    await this.userService.updateLastLogin(user.id);
+
+    // Generate tokens
+    const tokens = this.authService.generateTokenPair({
+      id: user.id,
+      email: user.email,
+      role: user.role,
+    });
+
+    success(reply, {
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name,
+        role: user.role,
+      },
+      ...tokens,
+    });
+  }
+
+  async refresh(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const data = validateBody(refreshTokenSchema, request.body);
+
+    // Verify refresh token
+    const payload = await this.authService.verifyRefreshToken(data.refreshToken);
+
+    // Get fresh user data
+    const user = await this.userService.findById(payload.sub);
+    if (!user || user.status !== 'active') {
+      throw new UnauthorizedError('User not found or inactive');
+    }
+
+    // Blacklist old refresh token (token rotation)
+    this.authService.blacklistToken(data.refreshToken);
+
+    // Generate new tokens
+    const tokens = this.authService.generateTokenPair({
+      id: user.id,
+      email: user.email,
+      role: user.role,
+    });
+
+    success(reply, tokens);
+  }
+
+  async logout(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const authHeader = request.headers.authorization;
+    if (authHeader?.startsWith('Bearer ')) {
+      const token = authHeader.substring(7);
+      this.authService.blacklistToken(token);
+    }
+
+    success(reply, { message: 'Logged out successfully' });
+  }
+
+  async me(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const authRequest = request as AuthenticatedRequest;
+    const user = await this.userService.findById(authRequest.user.id);
+
+    if (!user) {
+      throw new UnauthorizedError('User not found');
+    }
+
+    success(reply, {
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      role: user.role,
+      status: user.status,
+      createdAt: user.createdAt,
+    });
+  }
+
+  async changePassword(request: FastifyRequest, reply: FastifyReply): Promise<void> {
+    const authRequest = request as AuthenticatedRequest;
+    const data = validateBody(changePasswordSchema, request.body);
+
+    // Get current user
+    const user = await this.userService.findById(authRequest.user.id);
+    if (!user) {
+      throw new UnauthorizedError('User not found');
+    }
+
+    // Verify current password
+    const isValidPassword = await this.authService.verifyPassword(
+      data.currentPassword,
+      user.password
+    );
+    if (!isValidPassword) {
+      throw new BadRequestError('Current password is incorrect');
+    }
+
+    // Hash and update password
+    const hashedPassword = await this.authService.hashPassword(data.newPassword);
+    await this.userService.updatePassword(user.id, hashedPassword);
+
+    success(reply, { message: 'Password changed successfully' });
+  }
+}
+
+export function createAuthController(
+  authService: AuthService,
+  userService: UserService
+): AuthController {
+  return new AuthController(authService, userService);
+}

package/src/modules/auth/auth.middleware.ts

@@ -0,0 +1,87 @@
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import { UnauthorizedError, ForbiddenError } from '../../utils/errors.js';
+import type { AuthService } from './auth.service.js';
+import type { AuthUser } from './types.js';
+
+export function createAuthMiddleware(authService: AuthService) {
+  return async function authenticate(
+    request: FastifyRequest,
+    reply: FastifyReply
+  ): Promise<void> {
+    const authHeader = request.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      throw new UnauthorizedError('Missing or invalid authorization header');
+    }
+
+    const token = authHeader.substring(7);
+    const payload = await authService.verifyAccessToken(token);
+
+    request.user = {
+      id: payload.sub,
+      email: payload.email,
+      role: payload.role,
+    };
+  };
+}
+
+export function createRoleMiddleware(allowedRoles: string[]) {
+  return async function authorize(
+    request: FastifyRequest,
+    _reply: FastifyReply
+  ): Promise<void> {
+    const user = request.user as AuthUser | undefined;
+
+    if (!user) {
+      throw new UnauthorizedError('Authentication required');
+    }
+
+    if (!allowedRoles.includes(user.role)) {
+      throw new ForbiddenError('Insufficient permissions');
+    }
+  };
+}
+
+export function createPermissionMiddleware(requiredPermissions: string[]) {
+  return async function checkPermissions(
+    request: FastifyRequest,
+    _reply: FastifyReply
+  ): Promise<void> {
+    const user = request.user as AuthUser | undefined;
+
+    if (!user) {
+      throw new UnauthorizedError('Authentication required');
+    }
+
+    // This would check against a permissions system
+    // For now, we'll implement a basic role-based check
+    // In a full implementation, you'd query the user's permissions from the database
+  };
+}
+
+// Optional authentication - doesn't throw if no token
+export function createOptionalAuthMiddleware(authService: AuthService) {
+  return async function optionalAuthenticate(
+    request: FastifyRequest,
+    _reply: FastifyReply
+  ): Promise<void> {
+    const authHeader = request.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return;
+    }
+
+    try {
+      const token = authHeader.substring(7);
+      const payload = await authService.verifyAccessToken(token);
+
+      request.user = {
+        id: payload.sub,
+        email: payload.email,
+        role: payload.role,
+      };
+    } catch {
+      // Silently ignore auth errors for optional auth
+    }
+  };
+}

package/src/modules/auth/auth.routes.ts

@@ -0,0 +1,123 @@
+import type { FastifyInstance } from 'fastify';
+import type { AuthController } from './auth.controller.js';
+import type { AuthService } from './auth.service.js';
+import { createAuthMiddleware } from './auth.middleware.js';
+import { commonResponses } from '../swagger/index.js';
+
+const credentialsBody = {
+  type: 'object',
+  required: ['email', 'password'],
+  properties: {
+    email: { type: 'string', format: 'email' },
+    password: { type: 'string', minLength: 8 },
+  },
+};
+
+const changePasswordBody = {
+  type: 'object',
+  required: ['currentPassword', 'newPassword'],
+  properties: {
+    currentPassword: { type: 'string', minLength: 8 },
+    newPassword: { type: 'string', minLength: 8 },
+  },
+};
+
+export function registerAuthRoutes(
+  app: FastifyInstance,
+  controller: AuthController,
+  authService: AuthService
+): void {
+  const authenticate = createAuthMiddleware(authService);
+
+  // Public routes
+  app.post('/auth/register', {
+    schema: {
+      tags: ['Auth'],
+      summary: 'Register a new user',
+      body: credentialsBody,
+      response: {
+        201: commonResponses.success,
+        400: commonResponses.error,
+        409: commonResponses.error,
+      },
+    },
+    handler: controller.register.bind(controller),
+  });
+
+  app.post('/auth/login', {
+    schema: {
+      tags: ['Auth'],
+      summary: 'Login and obtain tokens',
+      body: credentialsBody,
+      response: {
+        200: commonResponses.success,
+        400: commonResponses.error,
+        401: commonResponses.unauthorized,
+      },
+    },
+    handler: controller.login.bind(controller),
+  });
+
+  app.post('/auth/refresh', {
+    schema: {
+      tags: ['Auth'],
+      summary: 'Refresh access token',
+      body: {
+        type: 'object',
+        required: ['refreshToken'],
+        properties: {
+          refreshToken: { type: 'string' },
+        },
+      },
+      response: {
+        200: commonResponses.success,
+        401: commonResponses.unauthorized,
+      },
+    },
+    handler: controller.refresh.bind(controller),
+  });
+
+  // Protected routes
+  app.post('/auth/logout', {
+    preHandler: [authenticate],
+    schema: {
+      tags: ['Auth'],
+      summary: 'Logout current user',
+      security: [{ bearerAuth: [] }],
+      response: {
+        200: commonResponses.success,
+        401: commonResponses.unauthorized,
+      },
+    },
+    handler: controller.logout.bind(controller),
+  });
+  app.get('/auth/me', {
+    preHandler: [authenticate],
+    schema: {
+      tags: ['Auth'],
+      summary: 'Get current user profile',
+      security: [{ bearerAuth: [] }],
+      response: {
+        200: commonResponses.success,
+        401: commonResponses.unauthorized,
+      },
+    },
+    handler: controller.me.bind(controller),
+  });
+
+  app.post('/auth/change-password', {
+    preHandler: [authenticate],
+    schema: {
+      tags: ['Auth'],
+      summary: 'Change current user password',
+      security: [{ bearerAuth: [] }],
+      body: changePasswordBody,
+      response: {
+        200: commonResponses.success,
+        400: commonResponses.error,
+        401: commonResponses.unauthorized,
+      },
+    },
+    handler: controller.changePassword.bind(controller),
+  });
+}