stackkit 0.2.7 → 0.2.9

package/modules/auth/better-auth/files/express/utils/token.ts

@@ -0,0 +1,66 @@
+import { Response } from "express";
+import { JwtPayload, SignOptions } from "jsonwebtoken";
+import { envVars } from "../../config/env";
+import { cookieUtils } from "./cookie";
+import { jwtUtils } from "./jwt";
+
+//Creating access token
+const getAccessToken = (payload: JwtPayload) => {
+    const accessToken = jwtUtils.createToken(
+        payload,
+        envVars.ACCESS_TOKEN_SECRET,
+        { expiresIn: envVars.ACCESS_TOKEN_EXPIRES_IN } as SignOptions
+    );
+
+    return accessToken;
+}
+
+const getRefreshToken = (payload: JwtPayload) => {
+    const refreshToken = jwtUtils.createToken(
+        payload,
+        envVars.REFRESH_TOKEN_SECRET,
+        { expiresIn: envVars.REFRESH_TOKEN_EXPIRES_IN } as SignOptions
+    );
+    return refreshToken;
+}
+
+const setAccessTokenCookie = (res: Response, token: string) => {
+    cookieUtils.setCookie(res, 'accessToken', token, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "none",
+        path: '/',
+        //1 day
+        maxAge: 60 * 60 * 24 * 1000,
+    });
+}
+
+const setRefreshTokenCookie = (res: Response, token: string) => {
+    cookieUtils.setCookie(res, 'refreshToken', token, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "none",
+        path: '/',
+        //7d
+        maxAge: 60 * 60 * 24 * 1000 * 7,
+    });
+}
+
+const setBetterAuthSessionCookie = (res: Response, token: string) => {
+    cookieUtils.setCookie(res, "better-auth.session_token", token, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "none",
+        path: '/',
+        //1 day
+        maxAge: 60 * 60 * 24 * 1000,
+    });
+}
+
+export const tokenUtils = {
+    getAccessToken,
+    getRefreshToken,
+    setAccessTokenCookie,
+    setRefreshTokenCookie,
+    setBetterAuthSessionCookie,
+}

package/modules/auth/better-auth/files/nextjs/api/auth/[...all]/route.ts

@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth";
+import { auth } from "@/server/auth/auth";
 import { toNextJsHandler } from "better-auth/next-js";
 
 export const { GET, POST } = toNextJsHandler(auth);

package/modules/auth/better-auth/files/nextjs/lib/auth/auth-guards.ts

@@ -1,6 +1,6 @@
-import { auth } from "@/lib/auth";
 import { headers } from "next/headers";
 import { redirect } from "next/navigation";
+import { auth } from "./auth";
 
 export async function getSession() {
   const session = await auth.api.getSession({
@@ -10,6 +10,16 @@ export async function getSession() {
   return session;
 }
 
+export async function requireSuperAdmin() {
+  const session = await getSession();
+
+  if (!session || session.user.role !== "SUPER_ADMIN") {
+    redirect("/login");
+  }
+
+  return session.user;
+}
+
 export async function requireAdmin() {
   const session = await getSession();
 

package/modules/auth/better-auth/files/nextjs/templates/email-otp.tsx

@@ -0,0 +1,74 @@
+interface OtpTemplateProps {
+  name?: string | null;
+  otp: string;
+}
+
+const escapeHtml = (value: string) =>
+  value
+    .replaceAll("&", "&")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+
+const renderOtpTemplate = ({ name, otp }: OtpTemplateProps) => {
+  const safeName = name ? escapeHtml(name) : null;
+  const safeOtp = escapeHtml(otp);
+
+  return `<html>
+      <body
+        style="margin:0;padding:24px;background-color:#f8fafc;font-family:Arial,sans-serif;color:#0f172a;"
+      >
+        <table
+          role="presentation"
+          width="100%"
+          cellpadding="0"
+          cellspacing="0"
+          style="max-width:560px;margin:0 auto;background:#ffffff;"
+        >
+          <tbody>
+            <tr>
+              <td style="padding:28px 24px;">
+                <h2 style="margin:0 0 12px;font-size:22px;">Verification Code</h2>
+                <p style="margin:0 0 16px;font-size:15px;line-height:1.6;">
+                  ${safeName ? `Hi ${safeName},` : "Hi,"}
+                </p>
+                <p style="margin:0 0 16px;font-size:15px;line-height:1.6;">
+                  Use the OTP below to continue. This code will expire in 2 minutes.
+                </p>
+                <div
+                  style="display:inline-block;padding:12px 18px;border:1px solid #e2e8f0;border-radius:8px;letter-spacing:6px;font-size:22px;font-weight:700;background-color:#f1f5f9;"
+                >
+                  ${safeOtp}
+                </div>
+                <p style="margin:20px 0 0;font-size:13px;color:#475569;">
+                  If you did not request this code, you can safely ignore this email.
+                </p>
+              </td>
+            </tr>
+          </tbody>
+        </table>
+      </body>
+    </html>`;
+};
+
+export const renderEmailTemplate = (
+  templateName: string,
+  templateData: Record<string, unknown>,
+) => {
+  switch (templateName) {
+    case "otp": {
+      const name =
+        typeof templateData.name === "string" ? templateData.name : null;
+      const otp = typeof templateData.otp === "string" ? templateData.otp : "";
+
+      if (!otp) {
+        throw new Error("OTP value is required for otp template");
+      }
+
+      return `<!DOCTYPE html>${renderOtpTemplate({ name, otp })}`;
+    }
+    default:
+      throw new Error(`Unknown email template: ${templateName}`);
+  }
+};

package/modules/auth/better-auth/files/shared/config/env.ts

@@ -0,0 +1,113 @@
+{{#if framework == "express" }}
+import dotenv from "dotenv";
+import status from "http-status";
+import path from "path";
+import { AppError } from "../shared/errors/app-error";
+
+dotenv.config({ path: path.join(process.cwd(), ".env") });
+{{/if}}
+
+interface EnvConfig {
+  APP_URL?: string;
+  FRONTEND_URL?: string;
+  BETTER_AUTH_URL: string;
+  BETTER_AUTH_SECRET: string;
+  GOOGLE_CLIENT_ID?: string;
+  GOOGLE_CLIENT_SECRET?: string;
+  GOOGLE_CALLBACK_URL: string;
+  EMAIL_SENDER: {
+    SMTP_USER: string;
+    SMTP_PASS: string;
+    SMTP_HOST: string;
+    SMTP_PORT: string;
+    SMTP_FROM: string;
+  };
+  {{#if framework == "express" }}
+  NODE_ENV: string;
+  PORT: string;
+  BETTER_AUTH_SESSION_TOKEN_EXPIRES_IN: string;
+  BETTER_AUTH_SESSION_TOKEN_UPDATE_AGE: string;
+  ACCESS_TOKEN_SECRET: string;
+  ACCESS_TOKEN_EXPIRES_IN: string;
+  REFRESH_TOKEN_SECRET: string;
+  REFRESH_TOKEN_EXPIRES_IN: string;
+  SUPER_ADMIN_EMAIL: string;
+  SUPER_ADMIN_PASSWORD: string;
+  {{/if}}
+}
+
+const loadEnvVars = (): EnvConfig => {
+  const requiredEnvVars = [
+    "FRONTEND_URL",
+    "BETTER_AUTH_URL",
+    "BETTER_AUTH_SECRET",
+    "GOOGLE_CLIENT_ID",
+    "GOOGLE_CLIENT_SECRET",
+    "GOOGLE_CALLBACK_URL",
+    "EMAIL_SENDER_SMTP_USER",
+    "EMAIL_SENDER_SMTP_PASS",
+    "EMAIL_SENDER_SMTP_HOST",
+    "EMAIL_SENDER_SMTP_PORT",
+    "EMAIL_SENDER_SMTP_FROM",
+    {{#if framework == "express" }}
+    "NODE_ENV",
+    "PORT",
+    "BETTER_AUTH_SESSION_TOKEN_EXPIRES_IN",
+    "BETTER_AUTH_SESSION_TOKEN_UPDATE_AGE",
+    "ACCESS_TOKEN_SECRET",
+    "ACCESS_TOKEN_EXPIRES_IN",
+    "REFRESH_TOKEN_SECRET",
+    "REFRESH_TOKEN_EXPIRES_IN",
+    "SUPER_ADMIN_EMAIL",
+    "SUPER_ADMIN_PASSWORD",
+    {{/if}}
+  ];
+
+  requiredEnvVars.forEach((varName) => {
+    if (!process.env[varName]) {
+      {{#if framework == "express" }}
+      throw new AppError(
+        status.INTERNAL_SERVER_ERROR,
+        `Environment variable ${varName} is required but not set in .env file.`,
+      );
+      {{else}}
+      throw new Error(
+        `Environment variable ${varName} is required but not defined.`,
+      );
+      {{/if}}
+    }
+  });
+
+  return {
+    APP_URL: process.env.APP_URL as string,
+    FRONTEND_URL: process.env.FRONTEND_URL as string,
+    BETTER_AUTH_URL: process.env.BETTER_AUTH_URL as string,
+    BETTER_AUTH_SECRET: process.env.BETTER_AUTH_SECRET as string,
+    GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
+    GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET,
+    GOOGLE_CALLBACK_URL: process.env.GOOGLE_CALLBACK_URL as string,
+    EMAIL_SENDER: {
+      SMTP_USER: process.env.EMAIL_SENDER_SMTP_USER as string,
+      SMTP_PASS: process.env.EMAIL_SENDER_SMTP_PASS as string,
+      SMTP_HOST: process.env.EMAIL_SENDER_SMTP_HOST as string,
+      SMTP_PORT: process.env.EMAIL_SENDER_SMTP_PORT as string,
+      SMTP_FROM: process.env.EMAIL_SENDER_SMTP_FROM as string,
+    },
+    {{#if framework == "express" }}
+    NODE_ENV: process.env.NODE_ENV as string,
+    PORT: process.env.PORT as string,
+        BETTER_AUTH_SESSION_TOKEN_EXPIRES_IN: process.env
+      .BETTER_AUTH_SESSION_TOKEN_EXPIRES_IN as string,
+    BETTER_AUTH_SESSION_TOKEN_UPDATE_AGE: process.env
+      .BETTER_AUTH_SESSION_TOKEN_UPDATE_AGE as string,
+    ACCESS_TOKEN_SECRET: process.env.ACCESS_TOKEN_SECRET as string,
+    ACCESS_TOKEN_EXPIRES_IN: process.env.ACCESS_TOKEN_EXPIRES_IN as string,
+    REFRESH_TOKEN_SECRET: process.env.REFRESH_TOKEN_SECRET as string,
+    REFRESH_TOKEN_EXPIRES_IN: process.env.REFRESH_TOKEN_EXPIRES_IN as string,
+    SUPER_ADMIN_EMAIL: process.env.SUPER_ADMIN_EMAIL as string,
+    SUPER_ADMIN_PASSWORD: process.env.SUPER_ADMIN_PASSWORD as string,
+    {{/if}}
+  };
+};
+
+export const envVars = loadEnvVars();

package/modules/auth/better-auth/files/shared/lib/auth-client.ts

@@ -1,7 +1,7 @@
 import { createAuthClient } from "better-auth/react";
 
 export const authClient = createAuthClient({
-  baseURL: process.env.BETTER_AUTH_URL || "http://localhost:4000",
+  baseURL: process.env.BETTER_AUTH_URL || "http://localhost:5000",
 });
 
 export const { signIn, signUp, signOut, useSession } = authClient;

package/modules/auth/better-auth/files/shared/lib/auth.ts

@@ -1,46 +1,42 @@
+import { Role, UserStatus } from "@prisma/client";
 import { betterAuth } from "better-auth";
+import { bearer, emailOTP } from "better-auth/plugins";
 {{#if combo == "prisma:express"}}
-import { sendEmail } from "../../shared/email/email-service";
-import {
-  getPasswordResetEmailTemplate,
-  getVerificationEmailTemplate,
-} from "../../shared/email/email-templates";
-import { prisma } from "../../database/prisma";
+import { envVars } from "../config/env";
+import { sendEmail } from "../shared/utils/email";
+import { prisma } from "../database/prisma";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 {{/if}}
 
 {{#if combo == "prisma:nextjs"}}
-import { getPasswordResetEmailTemplate, getVerificationEmailTemplate } from "../service/email/email-templates";
 import { sendEmail } from "../service/email/email-service";
 import { prisma } from "../database/prisma";
+import { envVars } from "@/lib/env";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 {{/if}}
 
 {{#if combo == "mongoose:express"}}
+import { envVars } from "../config/env";
 import { sendEmail } from "../../shared/email/email-service";
-import {
-  getPasswordResetEmailTemplate,
-  getVerificationEmailTemplate,
-} from "../../shared/email/email-templates";
 import { mongoose } from "../../database/mongoose";
 import { mongodbAdapter } from "better-auth/adapters/mongodb";
 {{/if}}
 
 {{#if combo == "mongoose:nextjs"}}
-import { getPasswordResetEmailTemplate, getVerificationEmailTemplate } from "../service/email/email-templates";
 import { sendEmail } from "../service/email/email-service";
 import { mongoose } from "../database/mongoose";
+import { envVars } from "@/lib/env";
 import { mongodbAdapter } from "better-auth/adapters/mongodb";
 {{/if}}
 
-export async function initAuth() {
 {{#if database == "mongoose"}}
+export async function initAuth() {
 const mongooseInstance = await mongoose();
 const client = mongooseInstance.connection.getClient();
 const db = client.db();
 {{/if}}
 
-return betterAuth({
+{{#if database == "mongoose"}}return{{else}}export const auth = {{/if}} betterAuth({
 {{#if database == "prisma"}}
   database: prismaAdapter(prisma, {
     provider: "{{prismaProvider}}",
@@ -49,76 +45,169 @@ return betterAuth({
 {{#if database == "mongoose"}}
   database: mongodbAdapter(db, { client }),
 {{/if}}
-  baseURL: process.env.BETTER_AUTH_URL,
-  secret: process.env.BETTER_AUTH_SECRET,
-  trustedOrigins: [process.env.APP_URL!],
-  user: {
-    additionalFields: {
-      role: {
-        type: "string",
-        defaultValue: "USER",
-        required: true,
-      },
-    },
-  },
+  baseURL: envVars.BETTER_AUTH_URL,
+  secret: envVars.BETTER_AUTH_SECRET,
+  trustedOrigins: [
+    envVars.FRONTEND_URL || envVars.BETTER_AUTH_URL || "http://localhost:3000",
+  ],
   emailAndPassword: {
     enabled: true,
     requireEmailVerification: true,
-    sendResetPassword: async ({ user, url }) => {
-    const { html, text } = getPasswordResetEmailTemplate(user, url);
-      await sendEmail({
-        to: user.email,
-        subject: "Reset Your Password",
-        text,
-        html,
-      });
-    },
   },
   socialProviders: {
     google: {
-      accessType: "offline", 
+      clientId: envVars.GOOGLE_CLIENT_ID as string,
+      clientSecret: envVars.GOOGLE_CLIENT_SECRET as string,
+      accessType: "offline",
       prompt: "select_account consent",
-      clientId: process.env.GOOGLE_CLIENT_ID as string,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
+      mapProfileToUser: () => {
+        return {
+          role: Role.USER,
+          status: UserStatus.ACTIVE,
+          needPasswordChange: false,
+          emailVerified: true,
+          isDeleted: false,
+          deletedAt: null,
+        };
+      },
     },
   },
   emailVerification: {
-    sendVerificationEmail: async ({ user, url }) => {
-      const { html, text } = getVerificationEmailTemplate(user, url);
-      await sendEmail({
-        to: user.email,
-        subject: "Verify Your Email Address",
-        text,
-        html,
-      });
-    },
+    sendOnSignUp: true,
     sendOnSignIn: true,
+    autoSignInAfterVerification: true,
   },
-  rateLimit: {
-    window: 10,
-    max: 100,
-  },
-  account: {
-    accountLinking: {
-      enabled: true,
-      trustedProviders: ["google"],
+  user: {
+    additionalFields: {
+      role: {
+        type: "string",
+        required: true,
+        defaultValue: Role.USER,
+      },
+      status: {
+        type: "string",
+        required: true,
+        defaultValue: UserStatus.ACTIVE,
+      },
+      needPasswordChange: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+      },
+      isDeleted: {
+        type: "boolean",
+        required: true,
+        defaultValue: false,
+      },
+      deletedAt: {
+        type: "date",
+        required: false,
+        defaultValue: null,
+      },
     },
   },
+  plugins: [
+    bearer(),
+    emailOTP({
+      overrideDefaultEmailVerification: true,
+      async sendVerificationOTP({ email, otp, type }) {
+        if (type === "email-verification") {
+          const user = await prisma.user.findUnique({
+            where: {
+              email,
+            },
+          });
+
+          if (!user) {
+            console.error(
+              `User with email ${email} not found. Cannot send verification OTP.`,
+            );
+            return;
+          }
+
+          if (user && user.role === Role.SUPER_ADMIN) {
+            console.log(
+              `User with email ${email} is a super admin. Skipping sending verification OTP.`,
+            );
+            return;
+          }
+
+          if (user && !user.emailVerified) {
+            sendEmail({
+              to: email,
+              subject: "Verify your email",
+              templateName: "otp",
+              templateData: {
+                name: user.name,
+                otp,
+              },
+            });
+          }
+        } else if (type === "forget-password") {
+          const user = await prisma.user.findUnique({
+            where: {
+              email,
+            },
+          });
+
+          if (user) {
+            sendEmail({
+              to: email,
+              subject: "Password Reset OTP",
+              templateName: "otp",
+              templateData: {
+                name: user.name,
+                otp,
+              },
+            });
+          }
+        }
+      },
+      expiresIn: 2 * 60, // 2 minutes in seconds
+      otpLength: 6,
+    }),
+  ],
   session: {
+    expiresIn: 60 * 60 * 60 * 24, // 1 day in seconds
+    updateAge: 60 * 60 * 60 * 24, // 1 day in seconds
     cookieCache: {
       enabled: true,
-      maxAge: 60 * 60 * 24 * 7,
+      maxAge: 60 * 60 * 60 * 24, // 1 day in seconds
+    },
+  },
+  redirectURLs: {
+    signIn: `${envVars.BETTER_AUTH_URL}/api/v1/auth/google/success`,
+  },
+  advanced: {
+    // disableCSRFCheck: true,
+    useSecureCookies: false,
+    cookies: {
+      state: {
+        attributes: {
+          sameSite: "none",
+          secure: true,
+          httpOnly: true,
+          path: "/",
+        },
+      },
+      sessionToken: {
+        attributes: {
+          sameSite: "none",
+          secure: true,
+          httpOnly: true,
+          path: "/",
+        },
+      },
     },
-    expiresIn: 60 * 60 * 24 * 7,
-    updateAge: 60 * 60 * 24,
-    cookieName: "better-auth.session_token",
-  }
+  },
  })
+{{#if database == "mongoose"}}
 };
 
-export let auth: any = undefined;
+export let auth: ReturnType<typeof betterAuth> | undefined = undefined;
 
 export async function setupAuth() {
   auth = await initAuth();
   return auth;
-}
+}
+{{/if}}

package/modules/auth/better-auth/files/shared/prisma/schema.prisma

@@ -4,16 +4,20 @@
 {{#var defaultId = @default(cuid())}}
 {{/if}}
 model User {
-    id            String    @id {{defaultId}}
-    name          String
-    email         String
-    emailVerified Boolean   @default(false)
-    image         String?
-    createdAt     DateTime  @default(now())
-    updatedAt     DateTime  @updatedAt
-    sessions      Session[]
-    accounts      Account[]
-    role          Role    @default(USER)
+    id                 String     @id {{defaultId}}
+    name               String
+    email              String
+    emailVerified      Boolean    @default(false)
+    role               Role       @default(USER)
+    status             UserStatus @default(ACTIVE)
+    needPasswordChange Boolean    @default(false)
+    isDeleted          Boolean    @default(false)
+    deletedAt          DateTime?
+    image              String?
+    createdAt          DateTime   @default(now())
+    updatedAt          DateTime   @updatedAt
+    sessions           Session[]
+    accounts           Account[]
 
     @@unique([email])
     @@map("user")
@@ -67,6 +71,13 @@ model Verification {
 }
 
 enum Role {
-    USER
+    SUPER_ADMIN
     ADMIN
+    USER
+}
+
+enum UserStatus {
+    ACTIVE
+    BLOCKED
+    DELETED
 }

package/modules/auth/better-auth/files/shared/utils/email.ts

@@ -0,0 +1,71 @@
+import nodemailer from "nodemailer";
+{{#if framework == "express"}}
+import ejs from "ejs";
+import status from "http-status";
+import path from "path";
+import { envVars } from "../../config/env";
+import { AppError } from "../errors/app-error";
+{{/if}}
+{{#if framework == "nextjs"}}
+import nodemailer from "nodemailer";
+import { renderEmailTemplate } from "../email/otp-template";
+import { envVars } from "../env";
+{{/if}}
+
+const transporter = nodemailer.createTransport({
+  host: envVars.EMAIL_SENDER.SMTP_HOST,
+  secure: true,
+  auth: {
+    user: envVars.EMAIL_SENDER.SMTP_USER,
+    pass: envVars.EMAIL_SENDER.SMTP_PASS,
+  },
+  port: Number(envVars.EMAIL_SENDER.SMTP_PORT),
+});
+
+interface SendEmailOptions {
+  to: string;
+  subject: string;
+  templateName: string;
+  templateData: Record<string, string | number | boolean | object>;
+  attachments?: {
+    filename: string;
+    content: Buffer | string;
+    contentType: string;
+  }[];
+}
+
+export const sendEmail = async ({
+  subject,
+  templateData,
+  templateName,
+  to,
+  attachments,
+}: SendEmailOptions) => {
+  try {
+    {{#if framework == "express"}}
+        const templatePath = path.resolve(
+      process.cwd(),
+      `src/templates/${templateName}.ejs`,
+    );
+
+    const html = await ejs.renderFile(templatePath, templateData);
+    {{/if}}
+    {{#if framework == "nextjs"}}
+    const html = renderEmailTemplate(templateName, templateData);
+    {{/if}}
+
+    await transporter.sendMail({
+      from: envVars.EMAIL_SENDER.SMTP_FROM,
+      to: to,
+      subject: subject,
+      html: html,
+      attachments: attachments?.map((attachment) => ({
+        filename: attachment.filename,
+        content: attachment.content,
+        contentType: attachment.contentType,
+      })),
+    });
+  } catch {
+    throw new AppError(status.INTERNAL_SERVER_ERROR, "Failed to send email");
+  }
+};