Merge pull request #18 from asepindrak/dev

Dev

Author: asepindrak

backend/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "commitflow-api",
-  "version": "1.1.6",
+  "version": "1.1.7",
   "description": "Backend CommitFlow",
   "author": "asepindrak",
   "private": false,
@@ -35,6 +35,7 @@
     "@nestjs/websockets": "^11.1.6",
     "@prisma/client": "^6.18.0",
     "axios": "^1.12.2",
+    "bcrypt": "^6.0.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.2",
     "dayjs": "^1.11.19",
@@ -62,6 +63,7 @@
     "@nestjs/cli": "^11.0.0",
     "@nestjs/schematics": "^11.0.0",
     "@nestjs/testing": "^11.0.1",
+    "@types/bcrypt": "^6.0.0",
     "@types/express": "^5.0.5",
     "@types/jest": "^30.0.0",
     "@types/multer": "^2.0.0",

backend/package.json

@@ -48,17 +48,19 @@ model chatMessage {
 }
 
 model User {
-  id            String        @id @default(cuid())
-  email         String?       @unique
-  phone         String?
-  name          String?
-  photo         String?
-  role          Role?         @default(USER)
-  password      String?       // kalau pake password
-  session_token String?       @unique
-  createdAt     DateTime      @default(now())
-  updatedAt     DateTime      @updatedAt
-  members       TeamMember[]  @relation("UserMembers")
+  id                    String        @id @default(cuid())
+  email                 String?       @unique
+  phone                 String?
+  name                  String?
+  photo                 String?
+  role                  Role?         @default(USER)
+  password              String?       // kalau pake password
+  session_token         String?       @unique
+  refreshTokenHash      String?  // simpan hash dari refresh token
+  refreshTokenExpiresAt DateTime? 
+  createdAt             DateTime      @default(now())
+  updatedAt             DateTime      @updatedAt
+  members               TeamMember[]  @relation("UserMembers")
 
 }
 

backend/prisma/schema.prisma

@@ -3,6 +3,6 @@ import { Injectable } from "@nestjs/common";
 @Injectable()
 export class AppService {
   getHello(): string {
-    return `CommitFlow API (1.1.6) is running!`;
+    return `CommitFlow API (1.1.7) is running!`;
   }
 }

backend/src/app.service.ts

@@ -1,25 +1,77 @@
-// src/auth/auth.controller.ts
-import { Body, Controller, Post, UnauthorizedException } from "@nestjs/common";
+/* eslint-disable @typescript-eslint/no-unused-vars */
+import {
+  Body,
+  Controller,
+  Post,
+  UnauthorizedException,
+  Req,
+  Res,
+  HttpCode,
+} from "@nestjs/common";
 import { AuthService } from "./auth.service";
 import { RegisterDto } from "./dto/register.dto";
 import { LoginDto } from "./dto/login.dto";
+import type { Request, Response } from "express";
+
+const REFRESH_COOKIE_NAME = "refresh_token";
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60 * 1000; // 7 days in ms
+
+// Environment-aware cookie options
+const isProd = process.env.NODE_ENV === "production";
+const FE_URL =
+  process.env.FE_URL || process.env.FRONTEND_ORIGIN || "http://localhost:3000";
+const BACKEND_ORIGIN =
+  process.env.BACKEND_ORIGIN || `http://localhost:${process.env.PORT || 8000}`;
+const isCrossOrigin = FE_URL !== BACKEND_ORIGIN;
+
+// For cross-origin cookies in production you MUST use sameSite: 'none' AND secure: true.
+// For local dev over HTTP, browsers disallow SameSite=None without Secure, so we fall back to 'lax'.
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: isProd, // true in production (HTTPS)
+  sameSite: isProd && isCrossOrigin ? ("none" as const) : ("lax" as const),
+  path: "/",
+};
 
 @Controller("auth")
 export class AuthController {
   constructor(private authService: AuthService) {}
 
   @Post("anon")
-  async anonLogin(@Body("userId") userId?: string) {
-    const { token, user } = await this.authService.createOrGetAnonymousUser(
-      userId
-    );
-    return { token, userId: user.id }; // kirim userId juga
+  async anonLogin(
+    @Body("userId") userId?: string,
+    @Res({ passthrough: true }) res?: Response
+  ) {
+    const result = await this.authService.createOrGetAnonymousUser(userId);
+
+    // if service returned a refreshToken, set it as httpOnly cookie
+    if (result?.refreshToken && res) {
+      res.cookie(REFRESH_COOKIE_NAME, result.refreshToken, {
+        ...COOKIE_OPTIONS,
+        maxAge: COOKIE_MAX_AGE,
+      });
+    }
+
+    // keep the same response shape you had before
+    return { token: result.token, userId: result.user.id };
   }
 
   @Post("register")
-  async register(@Body() dto: RegisterDto) {
+  async register(
+    @Body() dto: RegisterDto,
+    @Res({ passthrough: true }) res?: Response
+  ) {
     const result = await this.authService.register(dto);
-    // return mapping so FE bisa replace optimistic client id with real teamMember.id
+
+    // if service returned a refreshToken, set cookie
+    if (result?.refreshToken && res) {
+      res.cookie(REFRESH_COOKIE_NAME, result.refreshToken, {
+        ...COOKIE_OPTIONS,
+        maxAge: COOKIE_MAX_AGE,
+      });
+    }
+
+    // keep your existing response mapping
     return {
       token: result.token,
       userId: result.user.id,
@@ -31,15 +83,78 @@ export class AuthController {
   }
 
   @Post("login")
-  async login(@Body() dto: LoginDto) {
+  async login(
+    @Body() dto: LoginDto,
+    @Res({ passthrough: true }) res?: Response
+  ) {
     const result = await this.authService.login(dto);
     if (!result) throw new UnauthorizedException("Invalid credentials");
-    // return similar shape as register (token + user + optional member)
+
+    // set refresh cookie if present (service should ideally return refreshToken)
+    if (result.refreshToken && res) {
+      res.cookie(REFRESH_COOKIE_NAME, result.refreshToken, {
+        ...COOKIE_OPTIONS,
+        maxAge: COOKIE_MAX_AGE,
+        // set domain if backend is serving under a hostname different than localhost (optional)
+      });
+    }
+
+    // return similar shape as before (token + user + optional member)
     return {
       token: result.token,
       userId: result?.user?.id ?? "",
       user: result.user,
       teamMemberId: result?.teamMemberId,
     };
   }
+
+  // refresh endpoint: reads refresh_token cookie, verifies, rotates
+  @HttpCode(200)
+  @Post("refresh")
+  async refresh(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response
+  ) {
+    const token = req.cookies?.[REFRESH_COOKIE_NAME];
+    if (!token) throw new UnauthorizedException("No refresh token");
+
+    // attempt to verify and refresh via AuthService
+    let payload: any;
+    try {
+      payload = (this.authService as any).jwtService.verify(token);
+    } catch (e: any) {
+      throw new UnauthorizedException("Invalid refresh token");
+    }
+
+    const userId = payload.sub;
+    const newTokens = await this.authService.refreshTokens(userId, token);
+    if (!newTokens) throw new UnauthorizedException("Refresh failed");
+
+    // rotate cookie
+    res.cookie(REFRESH_COOKIE_NAME, newTokens.refreshToken, {
+      ...COOKIE_OPTIONS,
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // return access token
+    return { token: newTokens.accessToken };
+  }
+
+  @Post("logout")
+  async logout(@Req() req: Request, @Res({ passthrough: true }) res: Response) {
+    const token = req.cookies?.[REFRESH_COOKIE_NAME];
+    if (token) {
+      try {
+        const payload: any = (this.authService as any).jwtService.verify(token);
+        await this.authService.revokeRefreshToken(payload.sub);
+      } catch (e: any) {
+        // ignore verification errors during logout
+        console.log(e);
+      }
+    }
+
+    // clear cookie with same attributes so browser accepts deletion
+    res.clearCookie(REFRESH_COOKIE_NAME, { ...COOKIE_OPTIONS, path: "/" });
+    return { ok: true };
+  }
 }