Summary
AuthModule exists with partial AuthService but there are no registration or login endpoints. JwtAuthGuard is fully implemented but has nothing to authenticate.
Why This Matters
No user can authenticate without login and registration. Every other feature in the platform depends on auth. This is the most foundational missing feature in the application.
What Needs to Be Done
- Build POST /auth/register: validate DTO, hash password with bcrypt, create user, issue JWT + refresh token
- Build POST /auth/login: validate credentials, issue tokens
- Build POST /auth/logout: blacklist refresh token
- Build POST /auth/refresh: rotate refresh token, issue new JWT
- Implement refresh token family tracking to detect reuse attacks
- Write unit and integration tests covering all flows
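The refresh, logout and family-tracking steps above fit together as one state machine. The following is an added example, not code from this repository: an in-memory refresh-token store (assumption; the real service would persist these rows via the user entity and migration listed below) that stores only a SHA-256 digest of each token (assumption; bcrypt would also satisfy the "stored hashed" constraint), rotates tokens on refresh, and revokes the entire family when an already-rotated token is presented again, which is the reuse signal the issue asks to detect.

```typescript
// Added example, not the project's code: refresh-token rotation with family
// tracking and reuse detection. The store is in memory (assumption); the real
// service would persist these rows in the database.
import { createHash, randomBytes } from 'crypto';

interface RefreshTokenRecord {
  familyId: string;   // every token descended from one login shares a family
  userId: string;
  expiresAt: number;  // epoch milliseconds
  rotated: boolean;   // set once this token has been exchanged for a successor
}

// Only a SHA-256 digest of the token is persisted; the token itself is 256
// random bits, so a leaked table cannot be turned back into usable tokens.
const hashToken = (token: string): string =>
  createHash('sha256').update(token).digest('hex');

export class RefreshTokenStore {
  private readonly records = new Map<string, RefreshTokenRecord>(); // key: token hash
  private readonly revokedFamilies = new Set<string>();
  private readonly ttlMs: number;
  private readonly now: () => number;

  constructor(ttlMs: number, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be tested deterministically
  }

  /** Login: mint the first token of a brand-new family. */
  issue(userId: string): string {
    return this.mint(userId, randomBytes(16).toString('hex'));
  }

  /** Refresh: exchange the presented token for a successor, or null to reject. */
  rotate(presented: string): string | null {
    const rec = this.records.get(hashToken(presented));
    if (!rec) return null;                                   // unknown token
    if (this.revokedFamilies.has(rec.familyId)) return null; // logged out or compromised
    if (rec.expiresAt <= this.now()) return null;            // expired
    if (rec.rotated) {
      // Reuse detected: this token was already exchanged, yet someone presents
      // it again. Either the legitimate client or an attacker holds a stale copy
      // and we cannot tell which, so the whole family dies and the user must
      // log in again.
      this.revokedFamilies.add(rec.familyId);
      return null;
    }
    rec.rotated = true;
    return this.mint(rec.userId, rec.familyId);
  }

  /** Logout: blacklist the presented token together with its whole family. */
  logout(presented: string): boolean {
    const rec = this.records.get(hashToken(presented));
    if (!rec) return false;
    this.revokedFamilies.add(rec.familyId);
    return true;
  }

  private mint(userId: string, familyId: string): string {
    const token = randomBytes(32).toString('hex');
    this.records.set(hashToken(token), {
      familyId, userId, expiresAt: this.now() + this.ttlMs, rotated: false,
    });
    return token;
  }
}

// Walk through the reuse scenario the issue describes and report each outcome.
export function demoReuseDetection(): { rotated: boolean; replayRejected: boolean; familyDead: boolean } {
  const store = new RefreshTokenStore(60_000);
  const t1 = store.issue('user-1');
  const t2 = store.rotate(t1);                       // legitimate rotation succeeds
  const replay = store.rotate(t1);                   // stale t1 replayed: reuse detected
  const t3 = t2 === null ? null : store.rotate(t2);  // even the fresh t2 is now dead
  return { rotated: t2 !== null, replayRejected: replay === null, familyDead: t3 === null };
}
```

The design choice worth noting is that reuse revokes the family rather than just the replayed token: if only the stale token were rejected, an attacker who had already rotated it would keep a valid successor. A revoked family shows up in logs as a refresh that fails on a previously rotated token, which is the event to alert on.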
Key Files
src/modules/auth/auth.service.ts — add register, login, logout, refreshTokens
src/modules/auth/auth.controller.ts — create with all endpoints
src/modules/auth/auth.module.ts — register all providers
src/modules/users/entities/user.entity.ts — ensure password, refreshToken, status fields exist
src/database/migrations/xxxx-auth-fields.ts — add missing auth columns
src/modules/auth/auth.service.spec.ts — unit tests
test/auth.e2e-spec.ts — integration tests
Acceptance Criteria
- POST /auth/register creates user, hashes password, returns JWT + refresh token
- POST /auth/login validates credentials and returns tokens
- POST /auth/logout blacklists the refresh token
- POST /auth/refresh rotates refresh token — old token rejected after rotation
- SecretsService.getValidSecrets() for signing
Constraints
- Refresh tokens must be stored hashed
- JWT payload must include sub, email, role, iat, exp
- Refresh token family tracking must detect reuse attacks
- Complexity: High — 200 points
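To make the JWT payload constraint and the "valid secrets for signing" criterion concrete, here is an added example, not the project's code and not the NestJS JwtModule API: an HS256 access token minted with exactly the required claims (sub, email, role, iat, exp) and verified against a list of currently valid secrets. The `secrets` array is an assumption standing in for whatever SecretsService.getValidSecrets() returns, so a token signed under a previous secret still verifies during rotation; the verifier pins the algorithm, compares signatures in constant time, and checks expiry before trusting the payload.

```typescript
// Added example, not the project's code: minting and verifying the HS256
// access token whose payload the issue requires (sub, email, role, iat, exp).
// The `secrets` array stands in for whatever SecretsService.getValidSecrets()
// returns (assumption), so tokens signed under a previous key still verify.
import { createHmac, timingSafeEqual } from 'crypto';

export interface AccessTokenClaims {
  sub: string;
  email: string;
  role: string;
  iat: number;  // issued at, seconds since epoch
  exp: number;  // expiry, seconds since epoch
}

// RFC 7515 base64url: standard base64 with the URL-safe alphabet and no padding.
const b64url = (buf: Buffer): string =>
  buf.toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

const hmac = (secret: string, signingInput: string): string =>
  b64url(createHmac('sha256', secret).update(signingInput).digest());

export function signAccessToken(
  user: { id: string; email: string; role: string },
  secret: string,
  ttlSeconds: number,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): string {
  const claims: AccessTokenClaims = {
    sub: user.id, email: user.email, role: user.role,
    iat: nowSeconds, exp: nowSeconds + ttlSeconds,
  };
  const header = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), 'utf8'));
  const payload = b64url(Buffer.from(JSON.stringify(claims), 'utf8'));
  return `${header}.${payload}.${hmac(secret, `${header}.${payload}`)}`;
}

// Returns the claims on success, null on any failure (never throws to the caller).
export function verifyAccessToken(
  token: string,
  secrets: string[],
  nowSeconds: number = Math.floor(Date.now() / 1000),
): AccessTokenClaims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  try {
    // Pin the algorithm: a header claiming "none" or RS256 is rejected outright.
    const hdr = JSON.parse(fromB64url(header).toString('utf8'));
    if (hdr.alg !== 'HS256') return null;

    // Accept a signature under any currently valid secret, compared in constant time.
    const signingInput = `${header}.${payload}`;
    const sigBuf = Buffer.from(signature, 'utf8');
    const signedByValidKey = secrets.some((secret) => {
      const expected = Buffer.from(hmac(secret, signingInput), 'utf8');
      return expected.length === sigBuf.length && timingSafeEqual(expected, sigBuf);
    });
    if (!signedByValidKey) return null;

    // Only now is the payload trusted enough to parse and check.
    const claims = JSON.parse(fromB64url(payload).toString('utf8'));
    const required: (keyof AccessTokenClaims)[] = ['sub', 'email', 'role', 'iat', 'exp'];
    if (required.some((k) => claims[k] === undefined)) return null;
    if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null;
    return claims as AccessTokenClaims;
  } catch {
    return null;  // malformed base64 or JSON
  }
}
```

The ordering inside verifyAccessToken is deliberate: the signature is checked before the payload is parsed, so an unsigned or forged body never reaches claim handling, and the role claim the guard relies on is only read from a token that one of the valid secrets actually signed.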