feat: implement core features including auth, courses, ai-quizzes, and admin dashboard

- Auth: implemented JWT strategies, guards, and login/register flows
- Courses: added course management, lesson viewer, and instructor tools
- Quizzes: integrated AI quiz generation and interactive quiz player
- Admin: developed dashboard for user management and course moderation
- UI: updated components with Tailwind CSS v4 and React 19 standards
- E2E: added comprehensive tests for critical user flows
- Infrastructure: configured CI/CD workflows and monorepo settings

Author: PhuocHoan

.github/actions/setup-node-pnpm/action.yml

@@ -14,7 +14,7 @@ inputs:
   pnpm-version:
     description: pnpm version
     required: false
-    default: '10.24.0'
+    default: '10.26.0'
   working-directory:
     description: Working directory for the project
     required: true

.github/workflows/security.yml

@@ -90,7 +90,7 @@ jobs:
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
         with:
-          version: 10.24.0
+          version: 10.26.0
 
       - name: Audit ${{ matrix.project }}
         working-directory: ${{ matrix.project }}

.gitignore

@@ -17,6 +17,7 @@ node_modules
 coverage
 test-results/
 playwright-report/
+.jest-localstorage
 
 # Turbo
 .turbo

apps/api/package.json

@@ -13,15 +13,15 @@
     "start:prod": "node dist/main",
     "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
     "typecheck": "tsc -p tsconfig.json --noEmit",
-    "test": "jest",
+    "test": "NODE_OPTIONS='--localstorage-file=.jest-localstorage' jest",
     "test:watch": "jest --watch",
     "test:cov": "jest --coverage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
     "test:e2e": "jest --config ./test/jest-e2e.json",
     "seed:admin": "ts-node -r tsconfig-paths/register src/scripts/create-admin.ts"
   },
   "dependencies": {
-    "@google/genai": "^1.31.0",
+    "@google/genai": "^1.34.0",
     "@nestjs/common": "^11.1.9",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.1.9",
@@ -48,27 +48,27 @@
   "devDependencies": {
     "@eslint/compat": "^2.0.0",
     "@eslint/eslintrc": "^3.3.3",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.39.2",
     "@nestjs/cli": "^11.0.14",
     "@nestjs/schematics": "^11.0.9",
     "@nestjs/testing": "^11.1.9",
     "@swc-node/register": "^1.11.1",
     "@swc/cli": "^0.7.9",
-    "@swc/core": "^1.15.3",
+    "@swc/core": "^1.15.6",
     "@types/bcrypt": "^6.0.0",
     "@types/cookie-parser": "^1.4.10",
     "@types/express": "^5.0.6",
     "@types/express-serve-static-core": "^5.1.0",
     "@types/jest": "^30.0.0",
     "@types/ms": "^2.1.0",
     "@types/multer": "^2.0.0",
-    "@types/node": "^24.10.1",
+    "@types/node": "^25.0.3",
     "@types/nodemailer": "^7.0.4",
     "@types/passport-github2": "^1.2.9",
     "@types/passport-google-oauth20": "^2.0.17",
     "@types/passport-jwt": "^4.0.1",
     "@types/supertest": "^6.0.3",
-    "eslint": "^9.39.1",
+    "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
     "eslint-import-resolver-typescript": "^4.4.4",
     "eslint-plugin-import-x": "^4.16.1",
@@ -84,7 +84,7 @@
     "tsconfig-paths": "^4.2.0",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.48.1"
+    "typescript-eslint": "^8.50.0"
   },
   "jest": {
     "moduleFileExtensions": [

apps/api/src/auth/auth.controller.ts

@@ -11,6 +11,7 @@ import {
   Query,
   Patch,
   Delete,
+  UnauthorizedException,
 } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 
@@ -124,20 +125,33 @@ export class AuthController {
     @Req() req: Request,
     @Res() res: Response,
   ): Promise<void> {
-    const profile = req.user as unknown as OAuthProfile;
-    const result = await this.authService.validateOAuthLogin(
-      AuthProvider.GOOGLE,
-      profile,
-    );
     const frontendUrl = this.configService.get<string>('FRONTEND_URL');
 
-    // Set HTTP-only cookie - in monorepo deployment, this cookie works directly
-    // since frontend and API are on the same domain
-    res.cookie('access_token', result.access_token, COOKIE_OPTIONS);
-
-    // Redirect to frontend callback page
-    // Token in URL is kept for backward compatibility and as fallback
-    res.redirect(`${frontendUrl}/auth/callback?token=${result.access_token}`);
+    try {
+      const profile = req.user as unknown as OAuthProfile;
+      const result = await this.authService.validateOAuthLogin(
+        AuthProvider.GOOGLE,
+        profile,
+      );
+
+      // Set HTTP-only cookie - in monorepo deployment, this cookie works directly
+      // since frontend and API are on the same domain
+      res.cookie('access_token', result.access_token, COOKIE_OPTIONS);
+
+      // Redirect to frontend callback page
+      // Token in URL is kept for backward compatibility and as fallback
+      res.redirect(`${frontendUrl}/auth/callback?token=${result.access_token}`);
+    } catch (error) {
+      if (
+        error instanceof UnauthorizedException &&
+        error.message.includes('blocked')
+      ) {
+        res.redirect(`${frontendUrl}/blocked`);
+      } else {
+        // Redirect to login with generic error for other issues
+        res.redirect(`${frontendUrl}/login?error=oauth_failed`);
+      }
+    }
   }
 
   @Get('github')
@@ -152,24 +166,42 @@ export class AuthController {
     @Req() req: Request,
     @Res() res: Response,
   ): Promise<void> {
-    const result = await this.authService.validateOAuthLogin(
-      AuthProvider.GITHUB,
-      req.user as unknown as OAuthProfile,
-    );
     const frontendUrl = this.configService.get<string>('FRONTEND_URL');
 
-    // Set HTTP-only cookie - in monorepo deployment, this cookie works directly
-    res.cookie('access_token', result.access_token, COOKIE_OPTIONS);
-
-    // Redirect to frontend callback page
-    res.redirect(`${frontendUrl}/auth/callback?token=${result.access_token}`);
+    try {
+      const result = await this.authService.validateOAuthLogin(
+        AuthProvider.GITHUB,
+        req.user as unknown as OAuthProfile,
+      );
+
+      // Set HTTP-only cookie - in monorepo deployment, this cookie works directly
+      res.cookie('access_token', result.access_token, COOKIE_OPTIONS);
+
+      // Redirect to frontend callback page
+      res.redirect(`${frontendUrl}/auth/callback?token=${result.access_token}`);
+    } catch (error) {
+      if (
+        error instanceof UnauthorizedException &&
+        error.message.includes('blocked')
+      ) {
+        res.redirect(`${frontendUrl}/blocked`);
+      } else {
+        // Redirect to login with generic error for other issues
+        res.redirect(`${frontendUrl}/login?error=oauth_failed`);
+      }
+    }
   }
 
   @Get('me')
   @UseGuards(JwtAuthGuard)
   async getProfile(@CurrentUser() user: User): Promise<User> {
     // Fetch fresh user data from database to get updated role
     const freshUser = await this.authService.getUserById(user.id);
+
+    if (!freshUser.isActive) {
+      throw new UnauthorizedException('Your account has been blocked.');
+    }
+
     return freshUser;
   }
 
@@ -309,12 +341,15 @@ export class AuthController {
       user.id,
       UserRole.INSTRUCTOR,
     );
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const { password, activationToken, passwordResetToken, ...safeUser } =
-      updatedUser;
+    const {
+      password: _p,
+      activationToken: _at,
+      passwordResetToken: _prt,
+      ...safeUser
+    } = updatedUser;
     return {
       message: 'Successfully promoted to Instructor. Please return to the app.',
-      user: safeUser,
+      user: safeUser as SafeUser,
     };
   }
 }

apps/api/src/auth/auth.service.ts

@@ -86,6 +86,13 @@ export class AuthService {
       );
     }
 
+    // Check if account is active (not blocked)
+    if (!user.isActive) {
+      throw new UnauthorizedException(
+        'Your account has been blocked. Please contact support.',
+      );
+    }
+
     const payload = { email: user.email, sub: user.id, role: user.role };
     return {
       access_token: this.jwtService.sign(payload),
@@ -255,6 +262,12 @@ export class AuthService {
     // TypeScript narrows user to non-null after the else block above
     const validUser = user;
 
+    if (!validUser.isActive) {
+      throw new UnauthorizedException(
+        'Your account has been blocked. Please contact support.',
+      );
+    }
+
     const payload = {
       email: validUser.email,
       sub: validUser.id,

apps/api/src/auth/guards/optional-jwt-auth.guard.ts

@@ -3,13 +3,14 @@ import { AuthGuard } from '@nestjs/passport';
 
 @Injectable()
 export class OptionalJwtAuthGuard extends AuthGuard('jwt') {
-  // eslint-disable-next-line @typescript-eslint/explicit-function-return-type, @typescript-eslint/no-explicit-any
-  handleRequest(err: any, user: any) {
+  override handleRequest<TUser = unknown>(
+    err: unknown,
+    user: TUser,
+  ): TUser | null {
     // If error or no user, return null instead of throwing
     if (err || !user) {
       return null;
     }
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
     return user;
   }
 }

apps/api/src/auth/strategies/jwt.strategy.ts

@@ -1,10 +1,13 @@
-import { Injectable, Logger } from '@nestjs/common';
+import { Injectable, Logger, UnauthorizedException } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { PassportStrategy } from '@nestjs/passport';
 
 import { Request } from 'express';
 import { Strategy } from 'passport-jwt';
 
+import { User } from '../../users/entities/user.entity';
+import { UsersService } from '../../users/users.service';
+
 interface JwtPayload {
   sub: string;
   email: string;
@@ -18,14 +21,12 @@ const cookieExtractor = (req: Request): string | null => {
   // First try to get token from HTTP-only cookie
   const cookies = req.cookies as Record<string, string> | undefined;
   if (cookies?.access_token) {
-    logger.debug('Token found in cookie');
     return cookies.access_token;
   }
 
   // Fallback to Authorization header (for API clients, testing, etc.)
   const authHeader = req.headers.authorization;
   if (authHeader?.startsWith('Bearer ')) {
-    logger.debug('Token found in Authorization header');
     return authHeader.substring(7);
   }
 
@@ -41,16 +42,28 @@ const cookieExtractor = (req: Request): string | null => {
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
-  constructor(configService: ConfigService) {
+  constructor(
+    configService: ConfigService,
+    private readonly usersService: UsersService,
+  ) {
     super({
       jwtFromRequest: cookieExtractor,
       ignoreExpiration: false,
       secretOrKey: configService.get<string>('JWT_SECRET') ?? 'supersecretkey',
     });
   }
 
-  validate(payload: JwtPayload): { id: string; email: string; role: string } {
-    // Return 'id' instead of 'userId' to match User entity property
-    return { id: payload.sub, email: payload.email, role: payload.role };
+  async validate(payload: JwtPayload): Promise<User> {
+    const user = await this.usersService.findOne(payload.sub);
+
+    if (!user) {
+      throw new UnauthorizedException('User no longer exists');
+    }
+
+    if (!user.isActive) {
+      throw new UnauthorizedException('User is inactive');
+    }
+
+    return user;
   }
 }