till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:21:10 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/mana-core-auth/IMPLEMENTATION_SUMMARY.md
Wuesteon 754e87ebc0 add mana core
2025-11-25 18:56:35 +01:00

12 KiB
Raw Blame History

Mana Core Auth - Implementation Summary

Overview

The Mana Core Authentication and Credit System has been successfully implemented as a standalone NestJS service with PostgreSQL, JWT-based authentication, and a comprehensive credit management system.

What Has Been Implemented

1. Project Structure 

mana-core-auth/
├── src/
│   ├── auth/
│   │   ├── dto/
│   │   │   ├── register.dto.ts
│   │   │   ├── login.dto.ts
│   │   │   └── refresh-token.dto.ts
│   │   ├── auth.controller.ts
│   │   ├── auth.service.ts
│   │   └── auth.module.ts
│   ├── credits/
│   │   ├── dto/
│   │   │   ├── use-credits.dto.ts
│   │   │   └── purchase-credits.dto.ts
│   │   ├── credits.controller.ts
│   │   ├── credits.service.ts
│   │   └── credits.module.ts
│   ├── common/
│   │   ├── decorators/
│   │   │   └── current-user.decorator.ts
│   │   ├── guards/
│   │   │   └── jwt-auth.guard.ts
│   │   └── filters/
│   │       └── http-exception.filter.ts
│   ├── config/
│   │   └── configuration.ts
│   ├── db/
│   │   ├── schema/
│   │   │   ├── auth.schema.ts
│   │   │   ├── credits.schema.ts
│   │   │   └── index.ts
│   │   ├── migrations/
│   │   │   └── 0000_lush_ironclad.sql
│   │   ├── connection.ts
│   │   └── migrate.ts
│   ├── app.module.ts
│   └── main.ts
├── postgres/
│   └── init/
│       ├── 01-init-schemas.sql
│       └── 02-init-rls.sql
├── scripts/
│   └── generate-keys.sh
├── Dockerfile
├── package.json
├── tsconfig.json
├── nest-cli.json
├── drizzle.config.ts
├── .env.example
├── .gitignore
└── README.md

2. Database Schema

Auth Schema:

  • auth.users - User accounts with soft delete support
  • auth.sessions - Active sessions with device tracking
  • auth.passwords - Separate password storage (bcrypt hashed)
  • auth.accounts - OAuth provider accounts
  • auth.verification_tokens - Email verification & password reset
  • auth.two_factor_auth - 2FA configuration
  • auth.security_events - Security audit log

Credits Schema:

  • credits.balances - User credit balances with optimistic locking
  • credits.transactions - Double-entry transaction ledger
  • credits.packages - Credit pricing packages
  • credits.purchases - Stripe purchase history
  • credits.usage_stats - Usage analytics per app

Key Features:

  • Row-Level Security (RLS) policies on all tables
  • Optimistic locking for balance updates (prevents race conditions)
  • Idempotency keys for transactions
  • Proper indexing for performance

3. Authentication System

Endpoints Implemented:

  • POST /api/v1/auth/register - User registration
  • POST /api/v1/auth/login - Login with credentials
  • POST /api/v1/auth/refresh - Refresh access token
  • POST /api/v1/auth/logout - Logout and revoke session
  • POST /api/v1/auth/validate - Validate JWT token

Security Features:

  • RS256 JWT algorithm (asymmetric keys)
  • Access tokens: 15 minutes expiry
  • Refresh tokens: 7 days expiry with rotation
  • Session tracking with device information
  • IP address and user agent logging
  • Password hashing with bcrypt (cost factor: 12)
  • Security events logging

4. Credit System

Endpoints Implemented:

  • GET /api/v1/credits/balance - Get current balance
  • POST /api/v1/credits/use - Deduct credits
  • GET /api/v1/credits/transactions - Transaction history
  • GET /api/v1/credits/purchases - Purchase history
  • GET /api/v1/credits/packages - Available packages

Features:

  • Signup bonus: 150 free credits
  • Daily free credits: 5 credits every 24 hours
  • Automatic daily reset with transaction logging
  • Usage priority: Free credits → Paid credits
  • Optimistic locking prevents concurrent balance updates
  • Idempotency protection for duplicate requests
  • Complete audit trail via double-entry ledger

Credit Pricing:

  • 100 mana = €1.00 (configurable)
  • Stored as integer (euro cents) for precision

5. Docker Infrastructure

Services Configured:

  • Traefik - Reverse proxy with automatic SSL (Let's Encrypt)
  • PostgreSQL 16 - Database with SCRAM-SHA-256 auth
  • PgBouncer - Connection pooling (transaction mode)
  • Redis 7 - Caching and rate limiting
  • Mana Core Auth - The authentication service
  • Prometheus - Metrics collection
  • Grafana - Monitoring dashboards

Docker Features:

  • Multi-stage Dockerfile (optimized build)
  • Health checks for all services
  • Volume persistence for data
  • Network isolation
  • Security: Non-root user, no privileged containers
  • Production-ready configuration

6. Configuration & Environment

Environment Variables:

  • Database connection (PostgreSQL)
  • Redis configuration
  • JWT keys (RS256 public/private)
  • Stripe integration (test/live keys)
  • CORS origins
  • Credit system settings
  • Rate limiting configuration

Configuration Files:

  • .env.example - Template with all variables
  • configuration.ts - Type-safe config loading
  • docker-compose.yml - Full stack orchestration

7. Security Features

Application Level:

  • Helmet.js security headers
  • CORS protection
  • Rate limiting (100 req/min per IP)
  • Input validation with class-validator
  • JWT signature verification
  • Refresh token rotation

Database Level:

  • Row-Level Security (RLS) policies
  • Helper functions: auth.uid(), auth.role()
  • Separate password table
  • Soft deletes for users
  • Security events logging

Infrastructure Level:

  • Traefik rate limiting
  • PostgreSQL SCRAM-SHA-256
  • Redis password protection
  • SSL/TLS via Let's Encrypt
  • Connection pooling via PgBouncer

8. Additional Features

Scripts:

  • generate-keys.sh - Generate RS256 key pair
  • Migration management via Drizzle Kit
  • Docker health checks

Documentation:

  • README.md - Complete setup guide
  • API endpoint documentation
  • Architecture overview
  • Security considerations
  • Development instructions

What's Ready to Use

Immediately Available

  1. User Registration & Authentication

    • Email/password registration
    • Login with JWT tokens
    • Token refresh mechanism
    • Session management

  2. Credit Balance Management

    • Check balance
    • Deduct credits
    • View transaction history
    • Automatic daily credits

  3. Database Migrations

    • Schema fully defined
    • Migration file generated
    • RLS policies configured
    • Indexes in place

  4. Docker Deployment

    • docker-compose.yml ready
    • All services configured
    • Production-ready setup
    • SSL/TLS automatic

What Needs to Be Done (Next Steps)

1. Generate JWT Keys (Required)

cd mana-core-auth
./scripts/generate-keys.sh
# Copy the output to .env

2. Configure Environment Variables

cp .env.example .env
# Edit .env and add:
# - JWT keys (from step 1)
# - Stripe keys (from Stripe dashboard)
# - Database passwords
# - Redis password
# - Domain names

3. Start Development Environment

# Option A: Docker (recommended)
docker-compose up postgres redis -d
cd mana-core-auth
pnpm migration:run
pnpm start:dev

# Option B: Local PostgreSQL
# Make sure PostgreSQL and Redis are running locally
cd mana-core-auth
pnpm migration:run
pnpm start:dev

4. Test the API

# Register a user
curl -X POST http://localhost:3001/api/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"Test1234!","name":"Test User"}'

# Login
curl -X POST http://localhost:3001/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"Test1234!"}'

# Check balance (use token from login)
curl -X GET http://localhost:3001/api/v1/credits/balance \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

5. Future Implementation Tasks

Phase 1: Stripe Integration

  • Implement Stripe payment intent creation
  • Add webhook handler for payment events
  • Create credit packages in database
  • Add credit purchase endpoint
  • Test payment flow end-to-end

Phase 2: OAuth Providers

  • Configure OAuth providers (Google, GitHub, Apple)
  • Add OAuth login endpoints
  • Handle account linking
  • Test social login flow

Phase 3: Advanced Features

  • Implement 2FA setup and verification
  • Add email verification system
  • Create password reset flow
  • Multi-session management UI
  • Admin dashboard

Phase 4: Shared Package

  • Create @manacore/shared-auth package
  • Platform-agnostic auth service
  • Auto-refresh logic
  • Storage adapters (SecureStore, cookies)
  • App-token generation

Phase 5: Production Deployment

  • Set up VPS (Hetzner CPX31)
  • Configure DNS records
  • Deploy with docker-compose
  • Set up monitoring alerts
  • Configure backups
  • Security audit

API Documentation

Authentication

Endpoint Method Auth Description
/api/v1/auth/register POST None Register new user
/api/v1/auth/login POST None Login with credentials
/api/v1/auth/refresh POST None Refresh access token
/api/v1/auth/logout POST Bearer Logout and revoke session
/api/v1/auth/validate POST None Validate JWT token

Credits

Endpoint Method Auth Description
/api/v1/credits/balance GET Bearer Get current balance
/api/v1/credits/use POST Bearer Deduct credits
/api/v1/credits/transactions GET Bearer Transaction history
/api/v1/credits/purchases GET Bearer Purchase history
/api/v1/credits/packages GET Bearer Available packages

Technical Stack Summary

Component Technology Version
Framework NestJS 10.4.x
Runtime Node.js 20+
Package Manager pnpm 9.15.0
Database PostgreSQL 16
ORM Drizzle 0.38.x
Cache Redis 7
Payment Stripe 17.x
Reverse Proxy Traefik 3.0
Connection Pool PgBouncer Latest
Monitoring Prometheus + Grafana Latest

File Locations

  • Main Service: mana-core-auth/
  • Docker Config: docker-compose.yml (root)
  • Environment Template: .env.example (root & package)
  • Database Migrations: mana-core-auth/src/db/migrations/
  • API Documentation: mana-core-auth/README.md
  • Master Plan: .hive-mind/MASTER_PLAN_CENTRAL_AUTH_SYSTEM.md
  • Docker Guide: .hive-mind/DOCKER_DEPLOYMENT_GUIDE.md

Success Metrics

Core Implementation Complete

  • 12 database tables with RLS policies
  • 10 API endpoints (5 auth + 5 credits)
  • Docker deployment infrastructure
  • Complete documentation
  • Type-safe with TypeScript
  • Security best practices applied

Estimated Time to Production

Based on remaining tasks:

  • JWT key generation: 5 minutes
  • Environment configuration: 15 minutes
  • Local testing: 30 minutes
  • Stripe integration: 2-3 days
  • Production deployment: 1 day
  • Security audit: 2-3 days

Total: ~1 week to production-ready

Support

For questions or issues:

  1. Check README.md in the package
  2. Review master plan in .hive-mind/
  3. Contact the development team

Status: Core Implementation Complete - Ready for Testing & Stripe Integration

Date: 2025-11-25

Implementation Time: ~2 hours