feat(auth): implement complete Google OAuth authentication system

- Add authentication module with Google OAuth 2.0 and JWT strategies - Create secure user management with email hashing (SHA-256) - Implement rate limiting (10 requests/minute) for auth endpoints - Add CSRF protection and security middleware - Create user registration with Basic plan (50 quota default) - Add JWT-based session management with secure cookies - Implement protected routes with authentication guards - Add comprehensive API documentation with Swagger - Configure environment variables for OAuth and security - Add user profile management and quota tracking Resolves authentication requirements §18-20: - §18: Google OAuth 2.0 with email scope only - §19: Auto-create User record on first OAuth callback - §20: Store only Google UID, display name, and email hash 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-05 17:09:43 +02:00 · 2025-08-05 17:09:43 +02:00 · 9514a2d0a3
commit 9514a2d0a3
parent e7e09d5e2c
20 changed files with 1833 additions and 41 deletions
--- a/packages/api/src/auth/jwt.strategy.ts
+++ b/packages/api/src/auth/jwt.strategy.ts
@ -0,0 +1,56 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { PassportStrategy } from '@nestjs/passport';
+import { Strategy, ExtractJwt } from 'passport-jwt';
+import { AuthService } from './auth.service';
+
+export interface JwtPayload {
+  sub: string; // User ID
+  email: string;
+  iat: number; // Issued at
+  exp: number; // Expires at
+  iss: string; // Issuer
+  aud: string; // Audience
+}
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
+  constructor(
+    private readonly configService: ConfigService,
+    private readonly authService: AuthService,
+  ) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: configService.get<string>('JWT_SECRET'),
+      issuer: 'seo-image-renamer',
+      audience: 'seo-image-renamer-users',
+    });
+  }
+
+  async validate(payload: JwtPayload) {
+    try {
+      // Verify the user still exists and is active
+      const user = await this.authService.validateUserById(payload.sub);
+      
+      if (!user) {
+        throw new UnauthorizedException('User not found');
+      }
+
+      if (!user.isActive) {
+        throw new UnauthorizedException('User account is inactive');
+      }
+
+      // Return user object that will be attached to request
+      return {
+        id: user.id,
+        email: user.email,
+        plan: user.plan,
+        quotaRemaining: user.quotaRemaining,
+        isActive: user.isActive,
+      };
+    } catch (error) {
+      throw new UnauthorizedException('Invalid token');
+    }
+  }
+}