rex
/
aurganize-backend
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
17 Commits 1 Branch 0 Tags 212 KiB
Go 82.6%
Shell 7.9%
PLpgSQL 7.3%
Makefile 2.2%
Go to file
Rezon Philip 060cf8c78b feat(auth): Implement comprehensive JWT authentication system with token rotation 
This commit introduces a complete authentication system using JWT-based access and refresh
tokens, secure session management, and refresh token rotation to enhance overall security.

Core Authentication Features:
- Dual-token system: Short-lived access tokens (15 min) + long-lived refresh tokens (7 days)
- Hybrid security model: JWT signatures + SHA-256 hashed refresh tokens in database
- Session tracking: Device info, IP address, and user agent for security auditing
- Token rotation: Automatically rotates refresh tokens on each use to reduce theft exposure
- Multi-tenant support: TenantID embedded in access tokens for data isolation

Security Implementations:
- bcrypt password hashing for user credentials
- SHA-256 hashing for refresh token persistence and fast lookup
- HttpOnly + Secure + SameSite cookies for XSS/CSRF protection
- Token type validation to prevent misuse of refresh tokens as access tokens
- Robust input validation (email structure, password strength, uniqueness)
- Generic authentication errors to prevent email enumeration attacks

Authentication Middleware:
- Required authentication: Rejects unauthorized requests with 401
- Optional authentication: Allows public/private hybrid endpoints
- Dual token source support: Cookies (web) + Authorization header (mobile/API)
- Injects user claims into request context for downstream handlers

Rate Limiting:
- Sliding window algorithm to prevent brute force and DoS attacks
- Configurable per-IP limits with automatic counter cleanup
- Thread-safe design using mutex locks
- Returns 429 Too Many Requests on rate limit violations

Password & Email Validation:
- Password rules: Minimum length, mixed character types, no personal info
- Email validation: RFC-compliant parsing + normalization (lowercase/trim)
- Case-insensitive uniqueness checks during registration

Session Management:
- Database-backed sessions for immediate revocation and device tracking
- View active sessions per user (with metadata)
- Revoke single or all sessions
- Automatic cleanup of expired/revoked sessions

API Endpoints Added:
- POST /api/v1/auth/login   – Authenticate user and issue tokens
- POST /api/v1/auth/refresh – Rotate refresh token and issue new access token
- POST /api/v1/auth/logout  – Revoke session and clear cookies
- GET  /api/v1/health       – Protected health check route

Service Layer Enhancements:
- AuthService: Token generation/validation, session lifecycle management
- UserService: Registration, authentication, and password updates

CORS Configuration:
- Localhost origins for development (5173, 3000)
- Configurable allowed methods/headers/credentials
- 1-hour preflight caching
- Production-ready whitelist via environment config

Files Added:
- pkg/auth/claims.go
- internal/services/auth_service.go
- internal/services/user_service.go
- internal/repositories/session_repository.go
- internal/repositories/user_repository.go
- internal/handlers/auth_handler.go
- internal/middleware/auth_middleware.go
- internal/middleware/cors.go
- internal/middleware/rate_limiter.go
- internal/models/session.go
- internal/models/user.go
- internal/config/config.go
- internal/routes/routes.go

Technical Stack:
- Echo v4, golang-jwt/jwt v5, sqlx, bcrypt, PostgreSQL

Testing Considerations:
- Dependency injection for easy mocking
- Service-layer testing independent of HTTP stack
- Repository abstraction supporting mock DBs
- Time-based logic testable via injected clock

Future Enhancements:
- Redis-powered rate limiting for scaling
- Password history enforcement
- Have I Been Pwned integration
- Email verification workflow
- Two-factor authentication (2FA)
- OAuth/social login support
- Monitoring/metrics (Prometheus)
- Structured logging with request IDs

Story: E2-001-2 – JWT Authentication System Implementation
 		2025-12-08 02:10:21 +05:30
.github docs: add contribution guidelines and code owners 2025-11-28 15:58:35 +05:30
backend feat(auth): Implement comprehensive JWT authentication system with token rotation 2025-12-08 02:10:21 +05:30
database feat(auth): Implement comprehensive JWT authentication system with token rotation 2025-12-08 02:10:21 +05:30
infrastructure/docker feat(auth): Implement comprehensive JWT authentication system with token rotation 2025-12-08 02:10:21 +05:30
.gitignore init : initial repo setup[200~ 2025-11-27 00:56:57 +05:30
README.md Remove support information from README 2025-11-27 01:43:12 +05:30

README.md

Aurganize V6.2

Comprehensive Business Operating System for project-based work between vendors and consumers.

🎯 Project Overview

Aurganize V6.2 is a multi-tenant SaaS platform that enables seamless project management and collaboration between service vendors and their consumers. Built with modern technologies, it provides:

  • Dynamic Workflow Engine: AI-powered conversations for work item management
  • Milestone Logic System: Configurable conditions for milestone achievement
  • Payment Management: Structured proof workflow without payment processing
  • Real-time Collaboration: WebSocket-based live updates
  • Enterprise Security: Row-Level Security (RLS) for data isolation

🏗️ Architecture

----- TO DO ---------

📋 Prerequisites

Before you begin, ensure you have the following installed:

  • Go: 1.21 or higher (Download)
  • Node.js: 18 or higher (Download)
  • PostgreSQL: 14 or higher (Download)
  • Docker: Latest version (Download)
  • Docker Compose: Included with Docker Desktop
  • Git: Latest version (Download)

Verify installations:

go version        # Should show: go version go1.21.x
node --version    # Should show: v18.x.x or higher
npm --version     # Should show: 9.x.x or higher
docker --version  # Should show: Docker version 24.x.x
psql --version    # Should show: psql (PostgreSQL) 14.x
git --version     # Should show: git version 2.x.x

🚀 Quick Start

Option 1: Docker (Recommended)

Fastest way to get started - everything runs in containers:

# 1. Clone the repository
git clone https://github.com/yourorg/aurganize-v62.git
cd aurganize-v62

# 2. Start all services
docker-compose up -d

# 3. Run database migrations
docker-compose exec backend make migrate-up

# 4. Access the application
# Frontend: http://localhost:5173
# Backend:  http://localhost:8080
# API Docs: http://localhost:8080/api/v1/docs

To stop services:

docker-compose down

To see logs:

docker-compose logs -f backend    # Backend logs
docker-compose logs -f frontend   # Frontend logs

Option 2: Local Development

Run services natively (for development):

Step 1: Setup Backend

cd backend

# Copy environment template
cp .env.example .env

# Edit .env with your database credentials
# nano .env

# Install dependencies
go mod download

# Run database migrations
make migrate-up

# Start development server (with hot reload)
make dev

Backend should now be running at http://localhost:8080

Step 2: Setup Frontend

Open a new terminal:

cd frontend

# Install dependencies
npm install

# Start development server
npm run dev

Frontend should now be running at http://localhost:5173

Step 3: Verify Everything Works

# Test backend health check
curl http://localhost:8080/health

# Expected response:
# {
#   "status": "healthy",
#   "version": "6.2.0",
#   "timestamp": "2025-11-26T10:00:00Z"
# }

# Open frontend in browser
# Visit: http://localhost:5173

📁 Project Structure

----- TO DO ---------

🛠️ Development Workflow

Creating a New Feature

# 1. Ensure you're on develop branch
git checkout develop
git pull origin develop

# 2. Create feature branch
git checkout -b feature/your-feature-name

# 3. Make your changes
# ... code, code, code ...

# 4. Run tests
cd backend && make test
cd frontend && npm test

# 5. Commit with conventional commit message
git add .
git commit -m "feat: add user authentication system"

# 6. Push to remote
git push origin feature/your-feature-name

# 7. Create Pull Request on GitHub

Running Tests

Backend tests:

cd backend
make test                    # Run all tests
make test-coverage          # With coverage report
go test ./internal/services # Test specific package

Frontend tests:

cd frontend
npm test                    # Run all tests
npm run test:unit          # Unit tests only
npm run test:e2e           # E2E tests

Database Migrations

Create new migration:

cd backend
make migration-create NAME=add_users_table

# Creates:
# migrations/000002_add_users_table.up.sql
# migrations/000002_add_users_table.down.sql

Apply migrations:

make migrate-up             # Apply all pending migrations
make migrate-down           # Rollback last migration
make migrate-reset          # Rollback all, then apply all

🔧 Common Commands

Backend (Makefile commands)

make dev                    # Start development server
make build                  # Build production binary
make test                   # Run tests
make lint                   # Run linter
make fmt                    # Format code
make clean                  # Clean build artifacts
make migrate-up             # Run migrations
make migrate-down           # Rollback migrations

Frontend (npm scripts)

npm run dev                 # Start dev server
npm run build               # Build for production
npm run preview             # Preview production build
npm test                    # Run tests
npm run lint                # Run ESLint
npm run format              # Run Prettier

Docker Commands

docker-compose up           # Start all services
docker-compose up -d        # Start in background
docker-compose down         # Stop all services
docker-compose ps           # List running services
docker-compose logs -f      # View logs (follow)
docker-compose exec backend sh   # Shell into backend container

📚 Documentation

🛡️ Security

  • Data Isolation: PostgreSQL Row-Level Security (RLS)
  • Authentication: JWT-based with refresh tokens
  • Password Hashing: bcrypt with cost factor 12
  • HTTPS Only: TLS 1.3 in production
  • Rate Limiting: Per-IP and per-user limits
  • Input Validation: Server-side validation on all inputs
  • SQL Injection Protection: Parameterized queries only

🧪 Testing

Test Coverage Goals

  • Backend: > 80% code coverage
  • Frontend: > 70% code coverage
  • Critical paths: 100% coverage

Test Types

  1. Unit Tests: Test individual functions
  2. Integration Tests: Test component interactions
  3. E2E Tests: Test complete user flows
  4. Performance Tests: Load testing with k6

🚢 Deployment

Development

# Local development with hot reload
make dev (backend)
npm run dev (frontend)

Staging

# Deploy to staging environment
./scripts/deploy-staging.sh

Production

# Deploy to production (requires approvals)
./scripts/deploy-production.sh

🐛 Troubleshooting

Backend won't start

Error: "database connection failed"

# Check PostgreSQL is running
docker ps | grep postgres

# Check connection string in .env
cat backend/.env | grep DB_

# Test connection manually
psql -h localhost -U aurganize -d aurganize_v62

Frontend build fails

Error: "node_modules not found"

# Delete and reinstall dependencies
rm -rf frontend/node_modules
cd frontend && npm install

Port already in use

Error: "address already in use"

# Find process using port 8080
lsof -i :8080

# Kill the process
kill -9 <PID>

👥 Team

  • Developer 1: Backend (Go/PostgreSQL/API)
  • Developer 2: Frontend (Svelte/TypeScript/UI)

📝 License

Proprietary - All Rights Reserved

🤝 Contributing

  1. Fork the repository
  2. Create feature branch (feature/amazing-feature)
  3. Commit changes (feat: add amazing feature)
  4. Push to branch
  5. Create Pull Request

See CONTRIBUTING.md for detailed guidelines.

Made with ❤️ by the Aurganize Team EOF