servcraft 0.1.0

package/src/modules/auth/auth.service.ts

@@ -0,0 +1,142 @@
+import type { FastifyInstance } from 'fastify';
+import bcrypt from 'bcryptjs';
+import { config } from '../../config/index.js';
+import { logger } from '../../core/logger.js';
+import {
+  UnauthorizedError,
+  BadRequestError,
+  ConflictError,
+  NotFoundError,
+} from '../../utils/errors.js';
+import type { TokenPair, JwtPayload, AuthUser } from './types.js';
+import type { LoginInput, RegisterInput, ChangePasswordInput } from './schemas.js';
+
+// Token blacklist (in production, use Redis)
+const tokenBlacklist = new Set<string>();
+
+export class AuthService {
+  private app: FastifyInstance;
+  private readonly SALT_ROUNDS = 12;
+
+  constructor(app: FastifyInstance) {
+    this.app = app;
+  }
+
+  async hashPassword(password: string): Promise<string> {
+    return bcrypt.hash(password, this.SALT_ROUNDS);
+  }
+
+  async verifyPassword(password: string, hash: string): Promise<boolean> {
+    return bcrypt.compare(password, hash);
+  }
+
+  generateTokenPair(user: AuthUser): TokenPair {
+    const accessPayload: Omit<JwtPayload, 'iat' | 'exp'> = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      type: 'access',
+    };
+
+    const refreshPayload: Omit<JwtPayload, 'iat' | 'exp'> = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      type: 'refresh',
+    };
+
+    const accessToken = this.app.jwt.sign(accessPayload, {
+      expiresIn: config.jwt.accessExpiresIn,
+    });
+
+    const refreshToken = this.app.jwt.sign(refreshPayload, {
+      expiresIn: config.jwt.refreshExpiresIn,
+    });
+
+    // Parse expiration time to seconds
+    const expiresIn = this.parseExpiration(config.jwt.accessExpiresIn);
+
+    return { accessToken, refreshToken, expiresIn };
+  }
+
+  private parseExpiration(expiration: string): number {
+    const match = expiration.match(/^(\d+)([smhd])$/);
+    if (!match) return 900; // default 15 minutes
+
+    const value = parseInt(match[1] || '0', 10);
+    const unit = match[2];
+
+    switch (unit) {
+      case 's':
+        return value;
+      case 'm':
+        return value * 60;
+      case 'h':
+        return value * 3600;
+      case 'd':
+        return value * 86400;
+      default:
+        return 900;
+    }
+  }
+
+  async verifyAccessToken(token: string): Promise<JwtPayload> {
+    try {
+      if (this.isTokenBlacklisted(token)) {
+        throw new UnauthorizedError('Token has been revoked');
+      }
+
+      const payload = this.app.jwt.verify<JwtPayload>(token);
+
+      if (payload.type !== 'access') {
+        throw new UnauthorizedError('Invalid token type');
+      }
+
+      return payload;
+    } catch (error) {
+      if (error instanceof UnauthorizedError) throw error;
+      logger.debug({ err: error }, 'Token verification failed');
+      throw new UnauthorizedError('Invalid or expired token');
+    }
+  }
+
+  async verifyRefreshToken(token: string): Promise<JwtPayload> {
+    try {
+      if (this.isTokenBlacklisted(token)) {
+        throw new UnauthorizedError('Token has been revoked');
+      }
+
+      const payload = this.app.jwt.verify<JwtPayload>(token);
+
+      if (payload.type !== 'refresh') {
+        throw new UnauthorizedError('Invalid token type');
+      }
+
+      return payload;
+    } catch (error) {
+      if (error instanceof UnauthorizedError) throw error;
+      logger.debug({ err: error }, 'Refresh token verification failed');
+      throw new UnauthorizedError('Invalid or expired refresh token');
+    }
+  }
+
+  blacklistToken(token: string): void {
+    tokenBlacklist.add(token);
+    logger.debug('Token blacklisted');
+  }
+
+  isTokenBlacklisted(token: string): boolean {
+    return tokenBlacklist.has(token);
+  }
+
+  // Clear expired tokens from blacklist periodically
+  cleanupBlacklist(): void {
+    // In production, this should be handled by Redis TTL
+    tokenBlacklist.clear();
+    logger.debug('Token blacklist cleared');
+  }
+}
+
+export function createAuthService(app: FastifyInstance): AuthService {
+  return new AuthService(app);
+}

package/src/modules/auth/index.ts

@@ -0,0 +1,49 @@
+import type { FastifyInstance } from 'fastify';
+import jwt from '@fastify/jwt';
+import cookie from '@fastify/cookie';
+import { config } from '../../config/index.js';
+import { logger } from '../../core/logger.js';
+import { AuthService, createAuthService } from './auth.service.js';
+import { AuthController, createAuthController } from './auth.controller.js';
+import { registerAuthRoutes } from './auth.routes.js';
+import { createUserService } from '../user/user.service.js';
+
+export async function registerAuthModule(app: FastifyInstance): Promise<AuthService> {
+  // Register JWT plugin
+  await app.register(jwt, {
+    secret: config.jwt.secret,
+    sign: {
+      algorithm: 'HS256',
+    },
+  });
+
+  // Register cookie plugin for refresh tokens
+  await app.register(cookie, {
+    secret: config.jwt.secret,
+    hook: 'onRequest',
+  });
+
+  // Create services
+  const authService = createAuthService(app);
+  const userService = createUserService();
+
+  // Create controller
+  const authController = createAuthController(authService, userService);
+
+  // Register routes
+  registerAuthRoutes(app, authController, authService);
+
+  logger.info('Auth module registered');
+  return authService;
+}
+
+export { AuthService, createAuthService } from './auth.service.js';
+export { AuthController, createAuthController } from './auth.controller.js';
+export {
+  createAuthMiddleware,
+  createRoleMiddleware,
+  createPermissionMiddleware,
+  createOptionalAuthMiddleware,
+} from './auth.middleware.js';
+export * from './types.js';
+export * from './schemas.js';

package/src/modules/auth/schemas.ts

@@ -0,0 +1,52 @@
+import { z } from 'zod';
+
+export const loginSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  password: z.string().min(1, 'Password is required'),
+});
+
+export const registerSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  password: z
+    .string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+    .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
+    .regex(/[0-9]/, 'Password must contain at least one number'),
+  name: z.string().min(2, 'Name must be at least 2 characters').optional(),
+});
+
+export const refreshTokenSchema = z.object({
+  refreshToken: z.string().min(1, 'Refresh token is required'),
+});
+
+export const passwordResetRequestSchema = z.object({
+  email: z.string().email('Invalid email address'),
+});
+
+export const passwordResetConfirmSchema = z.object({
+  token: z.string().min(1, 'Token is required'),
+  password: z
+    .string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+    .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
+    .regex(/[0-9]/, 'Password must contain at least one number'),
+});
+
+export const changePasswordSchema = z.object({
+  currentPassword: z.string().min(1, 'Current password is required'),
+  newPassword: z
+    .string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+    .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
+    .regex(/[0-9]/, 'Password must contain at least one number'),
+});
+
+export type LoginInput = z.infer<typeof loginSchema>;
+export type RegisterInput = z.infer<typeof registerSchema>;
+export type RefreshTokenInput = z.infer<typeof refreshTokenSchema>;
+export type PasswordResetRequestInput = z.infer<typeof passwordResetRequestSchema>;
+export type PasswordResetConfirmInput = z.infer<typeof passwordResetConfirmSchema>;
+export type ChangePasswordInput = z.infer<typeof changePasswordSchema>;

package/src/modules/auth/types.ts

@@ -0,0 +1,69 @@
+import type { FastifyRequest } from 'fastify';
+
+export interface JwtPayload {
+  sub: string; // user id
+  email: string;
+  role: string;
+  type: 'access' | 'refresh';
+  iat?: number;
+  exp?: number;
+}
+
+export interface TokenPair {
+  accessToken: string;
+  refreshToken: string;
+  expiresIn: number;
+}
+
+export interface AuthUser {
+  id: string;
+  email: string;
+  role: string;
+}
+
+export interface AuthenticatedRequest extends FastifyRequest {
+  user: AuthUser;
+}
+
+export interface LoginCredentials {
+  email: string;
+  password: string;
+}
+
+export interface RegisterData {
+  email: string;
+  password: string;
+  name?: string;
+}
+
+export interface RefreshTokenData {
+  refreshToken: string;
+}
+
+export interface PasswordResetRequest {
+  email: string;
+}
+
+export interface PasswordResetConfirm {
+  token: string;
+  password: string;
+}
+
+export interface ChangePasswordData {
+  currentPassword: string;
+  newPassword: string;
+}
+
+// Extend Fastify types
+declare module 'fastify' {
+  interface FastifyRequest {
+    user: AuthUser;
+  }
+}
+
+declare module '@fastify/jwt' {
+  interface FastifyJWT {
+    payload: JwtPayload;
+    user: AuthUser;
+  }
+}

package/src/modules/email/email.service.ts

@@ -0,0 +1,212 @@
+import nodemailer from 'nodemailer';
+import type { Transporter } from 'nodemailer';
+import { config } from '../../config/index.js';
+import { logger } from '../../core/logger.js';
+import { renderTemplate, renderCustomTemplate } from './templates.js';
+import type { EmailOptions, EmailResult, EmailConfig, TemplateData } from './types.js';
+
+export class EmailService {
+  private transporter: Transporter | null = null;
+  private config: EmailConfig | null = null;
+
+  constructor(emailConfig?: Partial<EmailConfig>) {
+    if (emailConfig?.host || config.email.host) {
+      this.config = {
+        host: emailConfig?.host || config.email.host || '',
+        port: emailConfig?.port || config.email.port || 587,
+        secure: (emailConfig?.port || config.email.port || 587) === 465,
+        auth: {
+          user: emailConfig?.auth?.user || config.email.user || '',
+          pass: emailConfig?.auth?.pass || config.email.pass || '',
+        },
+        from: emailConfig?.from || config.email.from || 'noreply@localhost',
+      };
+
+      this.transporter = nodemailer.createTransport({
+        host: this.config.host,
+        port: this.config.port,
+        secure: this.config.secure,
+        auth: {
+          user: this.config.auth.user,
+          pass: this.config.auth.pass,
+        },
+      });
+
+      logger.info('Email service initialized');
+    } else {
+      logger.warn('Email service not configured - emails will be logged only');
+    }
+  }
+
+  async send(options: EmailOptions): Promise<EmailResult> {
+    try {
+      let html = options.html;
+      let text = options.text;
+
+      // Render template if provided
+      if (options.template && options.data) {
+        html = renderTemplate(options.template, options.data);
+      }
+
+      // Generate plain text from HTML if not provided
+      if (html && !text) {
+        text = this.htmlToText(html);
+      }
+
+      const mailOptions = {
+        from: this.config?.from || 'noreply@localhost',
+        to: Array.isArray(options.to) ? options.to.join(', ') : options.to,
+        subject: options.subject,
+        html,
+        text,
+        replyTo: options.replyTo,
+        cc: options.cc,
+        bcc: options.bcc,
+        attachments: options.attachments,
+      };
+
+      // If no transporter, just log the email
+      if (!this.transporter) {
+        logger.info({ email: mailOptions }, 'Email would be sent (no transporter configured)');
+        return { success: true, messageId: 'dev-mode' };
+      }
+
+      const result = await this.transporter.sendMail(mailOptions);
+
+      logger.info(
+        { messageId: result.messageId, to: options.to },
+        'Email sent successfully'
+      );
+
+      return {
+        success: true,
+        messageId: result.messageId,
+      };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+      logger.error({ err: error, to: options.to }, 'Failed to send email');
+
+      return {
+        success: false,
+        error: errorMessage,
+      };
+    }
+  }
+
+  async sendTemplate(
+    to: string,
+    template: string,
+    data: TemplateData
+  ): Promise<EmailResult> {
+    const subjects: Record<string, string> = {
+      welcome: `Welcome to ${data.appName || 'Servcraft'}!`,
+      'verify-email': 'Verify Your Email',
+      'password-reset': 'Reset Your Password',
+      'password-changed': 'Password Changed Successfully',
+      'login-alert': 'New Login Detected',
+      'account-suspended': 'Account Suspended',
+    };
+
+    return this.send({
+      to,
+      subject: subjects[template] || 'Notification',
+      template,
+      data,
+    });
+  }
+
+  async sendWelcome(email: string, name: string, verifyUrl?: string): Promise<EmailResult> {
+    return this.sendTemplate(email, 'welcome', {
+      userName: name,
+      userEmail: email,
+      actionUrl: verifyUrl,
+    });
+  }
+
+  async sendVerifyEmail(email: string, name: string, verifyUrl: string): Promise<EmailResult> {
+    return this.sendTemplate(email, 'verify-email', {
+      userName: name,
+      userEmail: email,
+      actionUrl: verifyUrl,
+      expiresIn: '24 hours',
+    });
+  }
+
+  async sendPasswordReset(email: string, name: string, resetUrl: string): Promise<EmailResult> {
+    return this.sendTemplate(email, 'password-reset', {
+      userName: name,
+      userEmail: email,
+      actionUrl: resetUrl,
+      expiresIn: '1 hour',
+    });
+  }
+
+  async sendPasswordChanged(
+    email: string,
+    name: string,
+    ipAddress?: string,
+    userAgent?: string
+  ): Promise<EmailResult> {
+    return this.sendTemplate(email, 'password-changed', {
+      userName: name,
+      userEmail: email,
+      ipAddress: ipAddress || 'Unknown',
+      userAgent: userAgent || 'Unknown',
+      timestamp: new Date().toISOString(),
+    });
+  }
+
+  async sendLoginAlert(
+    email: string,
+    name: string,
+    ipAddress: string,
+    userAgent: string,
+    location?: string
+  ): Promise<EmailResult> {
+    return this.sendTemplate(email, 'login-alert', {
+      userName: name,
+      userEmail: email,
+      ipAddress,
+      userAgent,
+      location: location || 'Unknown',
+      timestamp: new Date().toISOString(),
+    });
+  }
+
+  async verify(): Promise<boolean> {
+    if (!this.transporter) {
+      return false;
+    }
+
+    try {
+      await this.transporter.verify();
+      logger.info('Email service connection verified');
+      return true;
+    } catch (error) {
+      logger.error({ err: error }, 'Email service connection failed');
+      return false;
+    }
+  }
+
+  private htmlToText(html: string): string {
+    return html
+      .replace(/<style[^>]*>[\s\S]*?<\/style>/gi, '')
+      .replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
+      .replace(/<[^>]+>/g, ' ')
+      .replace(/\s+/g, ' ')
+      .trim();
+  }
+}
+
+let emailService: EmailService | null = null;
+
+export function getEmailService(): EmailService {
+  if (!emailService) {
+    emailService = new EmailService();
+  }
+  return emailService;
+}
+
+export function createEmailService(config?: Partial<EmailConfig>): EmailService {
+  return new EmailService(config);
+}

package/src/modules/email/index.ts

@@ -0,0 +1,10 @@
+export { EmailService, getEmailService, createEmailService } from './email.service.js';
+export { renderTemplate, renderCustomTemplate } from './templates.js';
+export type {
+  EmailConfig,
+  EmailOptions,
+  EmailResult,
+  EmailAttachment,
+  EmailTemplate,
+  TemplateData,
+} from './types.js';