feat: add JWT authentication with register, login, refresh, and me endpoints

Adds bcrypt password hashing, JWT access/refresh token generation, requireAuth middleware, and /api/auth routes (POST /register, POST /login, POST /refresh, GET /me). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 11:42:11 +08:00
parent 2a15cbaead
commit 2ed957762c
9 changed files with 353 additions and 4 deletions
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -10,13 +10,17 @@
  },
  "dependencies": {
    "@agent-fox/shared": "workspace:*",
-    "express": "^5.0.0",
+    "bcrypt": "^6.0.0",
    "cors": "^2.8.5",
+    "express": "^5.0.0",
+    "jsonwebtoken": "^9.0.3",
    "zod": "^3.24.0"
  },
  "devDependencies": {
-    "@types/express": "^5.0.0",
+    "@types/bcrypt": "^6.0.0",
    "@types/cors": "^2.8.17",
+    "@types/express": "^5.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
    "tsx": "^4.19.0",
    "typescript": "^5.7.0"
  }
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -1,5 +1,6 @@
 import express from 'express';
 import cors from 'cors';
+import authRouter from './routes/auth.js';

 const app = express();
 app.use(cors());
@@ -9,6 +10,8 @@ app.get('/api/health', (_req, res) => {
  res.json({ success: true, data: { status: 'ok' } });
 });

+app.use('/api/auth', authRouter);
+
 const port = process.env.SERVER_PORT || 3000;
 app.listen(port, () => {
  console.log(`Server running on port ${port}`);
--- a/packages/server/src/lib/jwt.ts
+++ b/packages/server/src/lib/jwt.ts
@@ -0,0 +1,34 @@
+import jwt from 'jsonwebtoken';
+
+const ACCESS_SECRET = process.env.JWT_SECRET || 'dev-secret';
+const REFRESH_SECRET = process.env.JWT_REFRESH_SECRET || 'dev-refresh-secret';
+const ACCESS_EXPIRY = '15m';
+const REFRESH_EXPIRY = '7d';
+
+export type TokenPayload = {
+  userId: string;
+  email: string;
+};
+
+export function generateAccessToken(payload: TokenPayload): string {
+  return jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_EXPIRY });
+}
+
+export function generateRefreshToken(payload: TokenPayload): string {
+  return jwt.sign(payload, REFRESH_SECRET, { expiresIn: REFRESH_EXPIRY });
+}
+
+export function verifyAccessToken(token: string): TokenPayload {
+  return jwt.verify(token, ACCESS_SECRET) as TokenPayload;
+}
+
+export function verifyRefreshToken(token: string): TokenPayload {
+  return jwt.verify(token, REFRESH_SECRET) as TokenPayload;
+}
+
+export function generateTokenPair(payload: TokenPayload) {
+  return {
+    accessToken: generateAccessToken(payload),
+    refreshToken: generateRefreshToken(payload),
+  };
+}
--- a/packages/server/src/lib/password.ts
+++ b/packages/server/src/lib/password.ts
@@ -0,0 +1,11 @@
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12;
+
+export async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+export async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
--- a/packages/server/src/middleware/auth.ts
+++ b/packages/server/src/middleware/auth.ts
@@ -0,0 +1,26 @@
+import type { Request, Response, NextFunction } from 'express';
+import { verifyAccessToken, type TokenPayload } from '../lib/jwt.js';
+
+declare global {
+  namespace Express {
+    interface Request {
+      user?: TokenPayload;
+    }
+  }
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  if (!header?.startsWith('Bearer ')) {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Missing or invalid token' } });
+    return;
+  }
+
+  try {
+    const token = header.slice(7);
+    req.user = verifyAccessToken(token);
+    next();
+  } catch {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid or expired token' } });
+  }
+}
--- a/packages/server/src/routes/auth.ts
+++ b/packages/server/src/routes/auth.ts
@@ -0,0 +1,103 @@
+import { Router, type Router as RouterType } from 'express';
+import { z } from 'zod';
+import { prisma } from '@agent-fox/shared';
+import { hashPassword, verifyPassword } from '../lib/password.js';
+import { generateTokenPair, verifyRefreshToken } from '../lib/jwt.js';
+import { requireAuth } from '../middleware/auth.js';
+
+const router: RouterType = Router();
+
+const registerSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1).max(100),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string(),
+});
+
+router.post('/register', async (req, res) => {
+  const parsed = registerSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: parsed.error.issues[0].message } });
+    return;
+  }
+
+  const { email, password, name } = parsed.data;
+
+  const existing = await prisma.user.findUnique({ where: { email } });
+  if (existing) {
+    res.status(409).json({ success: false, error: { code: 'CONFLICT', message: 'Email already registered' } });
+    return;
+  }
+
+  const passwordHash = await hashPassword(password);
+  const user = await prisma.user.create({
+    data: { email, passwordHash, name },
+  });
+
+  const tokens = generateTokenPair({ userId: user.id, email: user.email });
+  res.status(201).json({ success: true, data: { user: { id: user.id, email: user.email, name: user.name }, ...tokens } });
+});
+
+router.post('/login', async (req, res) => {
+  const parsed = loginSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: parsed.error.issues[0].message } });
+    return;
+  }
+
+  const { email, password } = parsed.data;
+  const user = await prisma.user.findUnique({ where: { email } });
+
+  if (!user || !user.passwordHash) {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid credentials' } });
+    return;
+  }
+
+  const valid = await verifyPassword(password, user.passwordHash);
+  if (!valid) {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid credentials' } });
+    return;
+  }
+
+  const tokens = generateTokenPair({ userId: user.id, email: user.email });
+  res.json({ success: true, data: { user: { id: user.id, email: user.email, name: user.name }, ...tokens } });
+});
+
+router.post('/refresh', async (req, res) => {
+  const { refreshToken } = req.body;
+  if (!refreshToken) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: 'Refresh token required' } });
+    return;
+  }
+
+  try {
+    const payload = verifyRefreshToken(refreshToken);
+    const user = await prisma.user.findUnique({ where: { id: payload.userId } });
+    if (!user) {
+      res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'User not found' } });
+      return;
+    }
+    const tokens = generateTokenPair({ userId: user.id, email: user.email });
+    res.json({ success: true, data: tokens });
+  } catch {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid refresh token' } });
+  }
+});
+
+router.get('/me', requireAuth, async (req, res) => {
+  const user = await prisma.user.findUnique({
+    where: { id: req.user!.userId },
+    select: { id: true, email: true, name: true, avatarUrl: true },
+  });
+  if (!user) {
+    res.status(404).json({ success: false, error: { code: 'NOT_FOUND', message: 'User not found' } });
+    return;
+  }
+  res.json({ success: true, data: user });
+});
+
+export default router;