feat: add JWT authentication with register, login, refresh, and me endpoints

Adds bcrypt password hashing, JWT access/refresh token generation, requireAuth middleware, and /api/auth routes (POST /register, POST /login, POST /refresh, GET /me).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/server/src/routes/auth.ts

@@ -0,0 +1,103 @@
+import { Router, type Router as RouterType } from 'express';
+import { z } from 'zod';
+import { prisma } from '@agent-fox/shared';
+import { hashPassword, verifyPassword } from '../lib/password.js';
+import { generateTokenPair, verifyRefreshToken } from '../lib/jwt.js';
+import { requireAuth } from '../middleware/auth.js';
+
+const router: RouterType = Router();
+
+const registerSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1).max(100),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string(),
+});
+
+router.post('/register', async (req, res) => {
+  const parsed = registerSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: parsed.error.issues[0].message } });
+    return;
+  }
+
+  const { email, password, name } = parsed.data;
+
+  const existing = await prisma.user.findUnique({ where: { email } });
+  if (existing) {
+    res.status(409).json({ success: false, error: { code: 'CONFLICT', message: 'Email already registered' } });
+    return;
+  }
+
+  const passwordHash = await hashPassword(password);
+  const user = await prisma.user.create({
+    data: { email, passwordHash, name },
+  });
+
+  const tokens = generateTokenPair({ userId: user.id, email: user.email });
+  res.status(201).json({ success: true, data: { user: { id: user.id, email: user.email, name: user.name }, ...tokens } });
+});
+
+router.post('/login', async (req, res) => {
+  const parsed = loginSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: parsed.error.issues[0].message } });
+    return;
+  }
+
+  const { email, password } = parsed.data;
+  const user = await prisma.user.findUnique({ where: { email } });
+
+  if (!user || !user.passwordHash) {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid credentials' } });
+    return;
+  }
+
+  const valid = await verifyPassword(password, user.passwordHash);
+  if (!valid) {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid credentials' } });
+    return;
+  }
+
+  const tokens = generateTokenPair({ userId: user.id, email: user.email });
+  res.json({ success: true, data: { user: { id: user.id, email: user.email, name: user.name }, ...tokens } });
+});
+
+router.post('/refresh', async (req, res) => {
+  const { refreshToken } = req.body;
+  if (!refreshToken) {
+    res.status(400).json({ success: false, error: { code: 'VALIDATION', message: 'Refresh token required' } });
+    return;
+  }
+
+  try {
+    const payload = verifyRefreshToken(refreshToken);
+    const user = await prisma.user.findUnique({ where: { id: payload.userId } });
+    if (!user) {
+      res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'User not found' } });
+      return;
+    }
+    const tokens = generateTokenPair({ userId: user.id, email: user.email });
+    res.json({ success: true, data: tokens });
+  } catch {
+    res.status(401).json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Invalid refresh token' } });
+  }
+});
+
+router.get('/me', requireAuth, async (req, res) => {
+  const user = await prisma.user.findUnique({
+    where: { id: req.user!.userId },
+    select: { id: true, email: true, name: true, avatarUrl: true },
+  });
+  if (!user) {
+    res.status(404).json({ success: false, error: { code: 'NOT_FOUND', message: 'User not found' } });
+    return;
+  }
+  res.json({ success: true, data: user });
+});
+
+export default router;