till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-19 19:01:25 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
managarten/services/mana-core-auth/IMPLEMENTATION_SUMMARY.md
Wuesteon d36b321d9d style: auto-format codebase with Prettier 
Applied formatting to 1487+ files using pnpm format:write
  - TypeScript/JavaScript files
  - Svelte components
  - Astro pages
  - JSON configs
  - Markdown docs

  13 files still need manual review (Astro JSX comments)
2025-11-27 18:33:16 +01:00

430 lines
12 KiB
Markdown
Raw Blame History

# Mana Core Auth - Implementation Summary
## Overview
The Mana Core Authentication and Credit System has been successfully implemented as a standalone NestJS service with PostgreSQL, JWT-based authentication, and a comprehensive credit management system.
## What Has Been Implemented
### 1. Project Structure ✅
```
mana-core-auth/
├── src/
│ ├── auth/
│ │ ├── dto/
│ │ │ ├── register.dto.ts
│ │ │ ├── login.dto.ts
│ │ │ └── refresh-token.dto.ts
│ │ ├── auth.controller.ts
│ │ ├── auth.service.ts
│ │ └── auth.module.ts
│ ├── credits/
│ │ ├── dto/
│ │ │ ├── use-credits.dto.ts
│ │ │ └── purchase-credits.dto.ts
│ │ ├── credits.controller.ts
│ │ ├── credits.service.ts
│ │ └── credits.module.ts
│ ├── common/
│ │ ├── decorators/
│ │ │ └── current-user.decorator.ts
│ │ ├── guards/
│ │ │ └── jwt-auth.guard.ts
│ │ └── filters/
│ │ └── http-exception.filter.ts
│ ├── config/
│ │ └── configuration.ts
│ ├── db/
│ │ ├── schema/
│ │ │ ├── auth.schema.ts
│ │ │ ├── credits.schema.ts
│ │ │ └── index.ts
│ │ ├── migrations/
│ │ │ └── 0000_lush_ironclad.sql
│ │ ├── connection.ts
│ │ └── migrate.ts
│ ├── app.module.ts
│ └── main.ts
├── postgres/
│ └── init/
│ ├── 01-init-schemas.sql
│ └── 02-init-rls.sql
├── scripts/
│ └── generate-keys.sh
├── Dockerfile
├── package.json
├── tsconfig.json
├── nest-cli.json
├── drizzle.config.ts
├── .env.example
├── .gitignore
└── README.md
```
### 2. Database Schema ✅
**Auth Schema:**
- `auth.users` - User accounts with soft delete support
- `auth.sessions` - Active sessions with device tracking
- `auth.passwords` - Separate password storage (bcrypt hashed)
- `auth.accounts` - OAuth provider accounts
- `auth.verification_tokens` - Email verification & password reset
- `auth.two_factor_auth` - 2FA configuration
- `auth.security_events` - Security audit log
**Credits Schema:**
- `credits.balances` - User credit balances with optimistic locking
- `credits.transactions` - Double-entry transaction ledger
- `credits.packages` - Credit pricing packages
- `credits.purchases` - Stripe purchase history
- `credits.usage_stats` - Usage analytics per app
**Key Features:**
- Row-Level Security (RLS) policies on all tables
- Optimistic locking for balance updates (prevents race conditions)
- Idempotency keys for transactions
- Proper indexing for performance
### 3. Authentication System ✅
**Endpoints Implemented:**
- `POST /api/v1/auth/register` - User registration
- `POST /api/v1/auth/login` - Login with credentials
- `POST /api/v1/auth/refresh` - Refresh access token
- `POST /api/v1/auth/logout` - Logout and revoke session
- `POST /api/v1/auth/validate` - Validate JWT token
**Security Features:**
- RS256 JWT algorithm (asymmetric keys)
- Access tokens: 15 minutes expiry
- Refresh tokens: 7 days expiry with rotation
- Session tracking with device information
- IP address and user agent logging
- Password hashing with bcrypt (cost factor: 12)
- Security events logging
### 4. Credit System ✅
**Endpoints Implemented:**
- `GET /api/v1/credits/balance` - Get current balance
- `POST /api/v1/credits/use` - Deduct credits
- `GET /api/v1/credits/transactions` - Transaction history
- `GET /api/v1/credits/purchases` - Purchase history
- `GET /api/v1/credits/packages` - Available packages
**Features:**
- Signup bonus: 150 free credits
- Daily free credits: 5 credits every 24 hours
- Automatic daily reset with transaction logging
- Usage priority: Free credits → Paid credits
- Optimistic locking prevents concurrent balance updates
- Idempotency protection for duplicate requests
- Complete audit trail via double-entry ledger
**Credit Pricing:**
- 100 mana = €1.00 (configurable)
- Stored as integer (euro cents) for precision
### 5. Docker Infrastructure ✅
**Services Configured:**
- **Traefik** - Reverse proxy with automatic SSL (Let's Encrypt)
- **PostgreSQL 16** - Database with SCRAM-SHA-256 auth
- **PgBouncer** - Connection pooling (transaction mode)
- **Redis 7** - Caching and rate limiting
- **Mana Core Auth** - The authentication service
- **Prometheus** - Metrics collection
- **Grafana** - Monitoring dashboards
**Docker Features:**
- Multi-stage Dockerfile (optimized build)
- Health checks for all services
- Volume persistence for data
- Network isolation
- Security: Non-root user, no privileged containers
- Production-ready configuration
### 6. Configuration & Environment ✅
**Environment Variables:**
- Database connection (PostgreSQL)
- Redis configuration
- JWT keys (RS256 public/private)
- Stripe integration (test/live keys)
- CORS origins
- Credit system settings
- Rate limiting configuration
**Configuration Files:**
- `.env.example` - Template with all variables
- `configuration.ts` - Type-safe config loading
- `docker-compose.yml` - Full stack orchestration
### 7. Security Features ✅
**Application Level:**
- Helmet.js security headers
- CORS protection
- Rate limiting (100 req/min per IP)
- Input validation with class-validator
- JWT signature verification
- Refresh token rotation
**Database Level:**
- Row-Level Security (RLS) policies
- Helper functions: `auth.uid()`, `auth.role()`
- Separate password table
- Soft deletes for users
- Security events logging
**Infrastructure Level:**
- Traefik rate limiting
- PostgreSQL SCRAM-SHA-256
- Redis password protection
- SSL/TLS via Let's Encrypt
- Connection pooling via PgBouncer
### 8. Additional Features ✅
**Scripts:**
- `generate-keys.sh` - Generate RS256 key pair
- Migration management via Drizzle Kit
- Docker health checks
**Documentation:**
- README.md - Complete setup guide
- API endpoint documentation
- Architecture overview
- Security considerations
- Development instructions
## What's Ready to Use
### Immediately Available
1. **User Registration & Authentication**
- Email/password registration
- Login with JWT tokens
- Token refresh mechanism
- Session management
2. **Credit Balance Management**
- Check balance
- Deduct credits
- View transaction history
- Automatic daily credits
3. **Database Migrations**
- Schema fully defined
- Migration file generated
- RLS policies configured
- Indexes in place
4. **Docker Deployment**
- docker-compose.yml ready
- All services configured
- Production-ready setup
- SSL/TLS automatic
## What Needs to Be Done (Next Steps)
### 1. Generate JWT Keys (Required)
```bash
cd mana-core-auth
./scripts/generate-keys.sh
# Copy the output to .env
```
### 2. Configure Environment Variables
```bash
cp .env.example .env
# Edit .env and add:
# - JWT keys (from step 1)
# - Stripe keys (from Stripe dashboard)
# - Database passwords
# - Redis password
# - Domain names
```
### 3. Start Development Environment
```bash
# Option A: Docker (recommended)
docker-compose up postgres redis -d
cd mana-core-auth
pnpm migration:run
pnpm start:dev
# Option B: Local PostgreSQL
# Make sure PostgreSQL and Redis are running locally
cd mana-core-auth
pnpm migration:run
pnpm start:dev
```
### 4. Test the API
```bash
# Register a user
curl -X POST http://localhost:3001/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"Test1234!","name":"Test User"}'
# Login
curl -X POST http://localhost:3001/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"Test1234!"}'
# Check balance (use token from login)
curl -X GET http://localhost:3001/api/v1/credits/balance \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```
### 5. Future Implementation Tasks
**Phase 1: Stripe Integration**
- [ ] Implement Stripe payment intent creation
- [ ] Add webhook handler for payment events
- [ ] Create credit packages in database
- [ ] Add credit purchase endpoint
- [ ] Test payment flow end-to-end
**Phase 2: OAuth Providers**
- [ ] Configure OAuth providers (Google, GitHub, Apple)
- [ ] Add OAuth login endpoints
- [ ] Handle account linking
- [ ] Test social login flow
**Phase 3: Advanced Features**
- [ ] Implement 2FA setup and verification
- [ ] Add email verification system
- [ ] Create password reset flow
- [ ] Multi-session management UI
- [ ] Admin dashboard
**Phase 4: Shared Package**
- [ ] Create `@manacore/shared-auth` package
- [ ] Platform-agnostic auth service
- [ ] Auto-refresh logic
- [ ] Storage adapters (SecureStore, cookies)
- [ ] App-token generation
**Phase 5: Production Deployment**
- [ ] Set up VPS (Hetzner CPX31)
- [ ] Configure DNS records
- [ ] Deploy with docker-compose
- [ ] Set up monitoring alerts
- [ ] Configure backups
- [ ] Security audit
## API Documentation
### Authentication
| Endpoint | Method | Auth | Description |
| ----------------------- | ------ | ------ | ------------------------- |
| `/api/v1/auth/register` | POST | None | Register new user |
| `/api/v1/auth/login` | POST | None | Login with credentials |
| `/api/v1/auth/refresh` | POST | None | Refresh access token |
| `/api/v1/auth/logout` | POST | Bearer | Logout and revoke session |
| `/api/v1/auth/validate` | POST | None | Validate JWT token |
### Credits
| Endpoint | Method | Auth | Description |
| ------------------------------ | ------ | ------ | ------------------- |
| `/api/v1/credits/balance` | GET | Bearer | Get current balance |
| `/api/v1/credits/use` | POST | Bearer | Deduct credits |
| `/api/v1/credits/transactions` | GET | Bearer | Transaction history |
| `/api/v1/credits/purchases` | GET | Bearer | Purchase history |
| `/api/v1/credits/packages` | GET | Bearer | Available packages |
## Technical Stack Summary
| Component | Technology | Version |
| --------------- | -------------------- | ------- |
| Framework | NestJS | 10.4.x |
| Runtime | Node.js | 20+ |
| Package Manager | pnpm | 9.15.0 |
| Database | PostgreSQL | 16 |
| ORM | Drizzle | 0.38.x |
| Cache | Redis | 7 |
| Payment | Stripe | 17.x |
| Reverse Proxy | Traefik | 3.0 |
| Connection Pool | PgBouncer | Latest |
| Monitoring | Prometheus + Grafana | Latest |
## File Locations
- **Main Service:** `mana-core-auth/`
- **Docker Config:** `docker-compose.yml` (root)
- **Environment Template:** `.env.example` (root & package)
- **Database Migrations:** `mana-core-auth/src/db/migrations/`
- **API Documentation:** `mana-core-auth/README.md`
- **Master Plan:** `.hive-mind/MASTER_PLAN_CENTRAL_AUTH_SYSTEM.md`
- **Docker Guide:** `.hive-mind/DOCKER_DEPLOYMENT_GUIDE.md`
## Success Metrics
**Core Implementation Complete**
- 12 database tables with RLS policies
- 10 API endpoints (5 auth + 5 credits)
- Docker deployment infrastructure
- Complete documentation
- Type-safe with TypeScript
- Security best practices applied
## Estimated Time to Production
Based on remaining tasks:
- JWT key generation: 5 minutes
- Environment configuration: 15 minutes
- Local testing: 30 minutes
- Stripe integration: 2-3 days
- Production deployment: 1 day
- Security audit: 2-3 days
**Total: ~1 week to production-ready**
## Support
For questions or issues:
1. Check README.md in the package
2. Review master plan in .hive-mind/
3. Contact the development team
---
**Status:** ✅ Core Implementation Complete - Ready for Testing & Stripe Integration
**Date:** 2025-11-25
**Implementation Time:** ~2 hours
Reference in a new issue View git blame Copy permalink