Merge pull request #102 from bandanadivya/feature/jwt-auth

Add JWT auth: login, refresh, logout, protected endpoints

Author: ritik4ever

backend/.env.example

@@ -185,6 +185,11 @@ MAX_SNAPSHOTS_PER_PORTFOLIO=1000
 # SECURITY CONFIGURATION
 # ============================================
 
+# JWT Authentication (required for token-based auth)
+JWT_SECRET=your-secret-key-min-32-chars-change-in-production
+JWT_ACCESS_EXPIRY_SEC=900
+JWT_REFRESH_EXPIRY_SEC=604800
+
 # API rate limiting
 API_RATE_LIMIT_WINDOW=900000
 API_RATE_LIMIT_MAX_REQUESTS=100

backend/package-lock.json

@@ -1,51 +0,0 @@
-{
-  "name": "stellar-portfolio-backend",
-  "version": "0.1.0",
-  "type": "module",
-  "scripts": {
-    "dev": "tsx watch src/index.ts",
-    "build": "tsc && node -e \"const fs=require('fs'); const p='dist/openapi'; fs.mkdirSync(p,{recursive:true}); fs.copyFileSync('src/openapi/openapi.json', p+'/openapi.json');\"",
-    "start": "node dist/index.js",
-    "db:migrate": "tsx src/db/migrate.ts",
-    "db:migrate:dry-run": "tsx src/db/migrate.ts -- --dry-run",
-    "db:migrate:rollback": "tsx src/db/migrate.ts -- --rollback",
-    "db:migrate:status": "tsx src/db/migrate.ts -- --status",
-    "db:setup": "tsx src/db/migrate.ts",
-    "db:seed:e2e": "tsx src/db/seed.e2e.ts",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "openapi:export": "tsx scripts/export-openapi.ts"
-  },
-  "dependencies": {
-    "@stellar/stellar-sdk": "^12.0.1",
-    "better-sqlite3": "^12.6.2",
-    "bullmq": "^5.69.3",
-    "cors": "^2.8.5",
-    "dotenv": "^16.3.1",
-    "express": "^4.18.2",
-    "express-rate-limit": "^7.4.1",
-    "ioredis": "^5.9.3",
-    "node-cron": "^3.0.3",
-    "nodemailer": "^8.0.1",
-    "pg": "^8.11.3",
-    "pino": "^9.6.0",
-    "swagger-ui-express": "^5.0.1",
-    "ws": "^8.14.2",
-    "zod": "^4.3.6"
-  },
-  "devDependencies": {
-    "@types/better-sqlite3": "^7.6.13",
-    "@types/cors": "^2.8.19",
-    "@types/express": "^4.17.23",
-    "@types/node": "^20.19.13",
-    "@types/node-cron": "^3.0.11",
-    "@types/nodemailer": "^7.0.10",
-    "@types/pg": "^8.10.9",
-    "@types/supertest": "^2.0.12",
-    "@types/ws": "^8.18.1",
-    "supertest": "^6.3.3",
-    "tsx": "^4.1.4",
-    "typescript": "^5.2.2",
-    "vitest": "^4.0.18"
-  }
-}

backend/package.json

@@ -0,0 +1,86 @@
+import { Router, Request, Response } from 'express'
+import {
+    getAuthConfig,
+    issueTokens,
+    refreshTokens,
+    logout
+} from '../services/authService.js'
+import { requireJwt } from '../middleware/requireJwt.js'
+import { ok, fail } from '../utils/apiResponse.js'
+import { getErrorMessage } from '../utils/helpers.js'
+
+const router = Router()
+
+router.post('/login', async (req: Request, res: Response) => {
+    try {
+        const config = getAuthConfig()
+        if (!config.enabled) {
+            return fail(res, 503, 'SERVICE_UNAVAILABLE', 'JWT auth not configured (set JWT_SECRET)')
+        }
+        const address = req.body?.address
+        if (!address || typeof address !== 'string' || !address.trim()) {
+            return fail(res, 400, 'VALIDATION_ERROR', 'address is required')
+        }
+        const trimmed = address.trim()
+        const tokens = await issueTokens(trimmed)
+        return ok(res, {
+            accessToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            expiresIn: tokens.expiresIn,
+            refreshExpiresIn: tokens.refreshExpiresIn
+        })
+    } catch (error) {
+        return fail(res, 500, 'INTERNAL_ERROR', getErrorMessage(error))
+    }
+})
+
+router.post('/refresh', async (req: Request, res: Response) => {
+    try {
+        const config = getAuthConfig()
+        if (!config.enabled) {
+            return fail(res, 503, 'SERVICE_UNAVAILABLE', 'JWT auth not configured')
+        }
+        const refreshToken = req.body?.refreshToken
+        if (!refreshToken || typeof refreshToken !== 'string') {
+            return fail(res, 400, 'VALIDATION_ERROR', 'refreshToken is required')
+        }
+        const tokens = await refreshTokens(refreshToken)
+        if (!tokens) {
+            return fail(res, 401, 'UNAUTHORIZED', 'Invalid or expired refresh token')
+        }
+        return ok(res, {
+            accessToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            expiresIn: tokens.expiresIn,
+            refreshExpiresIn: tokens.refreshExpiresIn
+        })
+    } catch (error) {
+        return fail(res, 500, 'INTERNAL_ERROR', getErrorMessage(error))
+    }
+})
+
+router.post('/logout', requireJwt, async (req: Request, res: Response) => {
+    try {
+        const refreshToken = req.body?.refreshToken
+        const address = req.user?.address
+        await logout(refreshToken, address)
+        return ok(res, { message: 'Logged out' })
+    } catch (error) {
+        return fail(res, 500, 'INTERNAL_ERROR', getErrorMessage(error))
+    }
+})
+
+router.post('/logout-all', async (req: Request, res: Response) => {
+    try {
+        const address = req.body?.address
+        if (!address || typeof address !== 'string') {
+            return fail(res, 400, 'VALIDATION_ERROR', 'address is required')
+        }
+        await logout(undefined, address.trim())
+        return ok(res, { message: 'Logged out' })
+    } catch (error) {
+        return fail(res, 500, 'INTERNAL_ERROR', getErrorMessage(error))
+    }
+})
+
+export const authRouter = router