🚀 Initialize Musadaq SaaS: Full Backend + AI + React Dashboard + Docker Setup

2026-04-16 23:26:32 +03:00
commit d66891ba0f
221 changed files with 13079 additions and 0 deletions
--- a/backend/src/modules/auth/auth.controller.ts
+++ b/backend/src/modules/auth/auth.controller.ts
@@ -0,0 +1,74 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — Authentication Controller
+ * ════════════════════════════════════════════════════════════
+ */
+
+import {
+  Controller,
+  Post,
+  Body,
+  UseGuards,
+  Req,
+  HttpCode,
+  HttpStatus,
+} from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { RegisterDto } from './dto/register.dto';
+import { LoginDto } from './dto/login.dto';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthGuard } from '@nestjs/passport';
+import { CurrentUser } from '../../common/decorators/current-user.decorator';
+
+@Controller('auth')
+export class AuthController {
+  constructor(private authService: AuthService) {}
+
+  /**
+   * تسجيل مكتب جديد + مدير مسؤول
+   */
+  @Post('register')
+  @HttpCode(HttpStatus.CREATED)
+  async register(@Body() dto: RegisterDto) {
+    return this.authService.register(dto);
+  }
+
+  /**
+   * تسجيل الدخول
+   */
+  @Post('login')
+  @HttpCode(HttpStatus.OK)
+  async login(@Body() dto: LoginDto) {
+    return this.authService.login(dto);
+  }
+
+  /**
+   * تجديد التوكن
+   */
+  @UseGuards(AuthGuard('jwt-refresh'))
+  @Post('refresh')
+  @HttpCode(HttpStatus.OK)
+  async refresh(@CurrentUser() user: any) {
+    return this.authService.refresh(user.id, user.refreshToken);
+  }
+
+  /**
+   * تسجيل الخروج
+   */
+  @UseGuards(JwtAuthGuard)
+  @Post('logout')
+  @HttpCode(HttpStatus.OK)
+  async logout(@CurrentUser() user: any) {
+    return this.authService.logout(user.id);
+  }
+
+  /**
+   * الملف الشخصي
+   */
+  @UseGuards(JwtAuthGuard)
+  @Post('profile')
+  @HttpCode(HttpStatus.OK)
+  async profile(@CurrentUser() user: any) {
+    return user;
+  }
+}
--- a/backend/src/modules/auth/auth.module.ts
+++ b/backend/src/modules/auth/auth.module.ts
@@ -0,0 +1,30 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — Auth Module
+ * ════════════════════════════════════════════════════════════
+ */
+
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import { ConfigModule } from '@nestjs/config';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { AuthService } from './auth.service';
+import { AuthController } from './auth.controller';
+import { JwtStrategy } from './strategies/jwt.strategy';
+import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
+import { jwtConfig } from '../../config/jwt.config';
+import { User } from '../users/entities/user.entity';
+
+@Module({
+  imports: [
+    PassportModule.register({ defaultStrategy: 'jwt' }),
+    JwtModule.registerAsync(jwtConfig),
+    TypeOrmModule.forFeature([User]),
+    ConfigModule,
+  ],
+  providers: [AuthService, JwtStrategy, JwtRefreshStrategy],
+  controllers: [AuthController],
+  exports: [AuthService, JwtStrategy, PassportModule],
+})
+export class AuthModule {}
--- a/backend/src/modules/auth/auth.service.ts
+++ b/backend/src/modules/auth/auth.service.ts
@@ -0,0 +1,204 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — Authentication Service
+ * ════════════════════════════════════════════════════════════
+ */
+
+import {
+  Injectable,
+  UnauthorizedException,
+  ConflictException,
+  InternalServerErrorException,
+} from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import { DataSource } from 'typeorm';
+import * as bcrypt from 'bcrypt';
+import { User } from '../../users/entities/user.entity';
+import { Tenant, TenantStatus } from '../../tenants/entities/tenant.entity';
+import { UserRole } from '../../users/enums/role.enum';
+import { RegisterDto } from './dto/register.dto';
+import { LoginDto } from './dto/login.dto';
+import { Subscription, SubscriptionPlan, SubscriptionStatus } from '../../subscriptions/entities/subscription.entity';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private jwtService: JwtService,
+    private configService: ConfigService,
+    private dataSource: DataSource,
+  ) {}
+
+  /**
+   * تسجيل مستخدم جديد (مدير مكتب)
+   */
+  async register(dto: RegisterDto) {
+    const queryRunner = this.dataSource.createQueryRunner();
+    await queryRunner.connect();
+    await queryRunner.startTransaction();
+
+    try {
+      // 1. Check if user exists
+      const existingUser = await queryRunner.manager.findOne(User, {
+        where: { email: dto.email },
+      });
+      if (existingUser) {
+        throw new ConflictException('Email already registered');
+      }
+
+      // 2. Create Tenant (Accounting Office)
+      const tenant = queryRunner.manager.create(Tenant, {
+        name: dto.tenantName,
+        email: dto.email, // Use same email for office contact initially
+        phone: dto.phone,
+        status: TenantStatus.TRIAL,
+        trial_ends_at: new Date(Date.now() + 14 * 24 * 60 * 60 * 1000), // 14 days trial
+      });
+      const savedTenant = await queryRunner.manager.save(tenant);
+
+      // 3. Create Default Subscription (Trial)
+      const subscription = queryRunner.manager.create(Subscription, {
+        tenant_id: savedTenant.id,
+        plan: SubscriptionPlan.BASIC,
+        max_companies: 1,
+        max_invoices_per_month: 200,
+        price_jod: 15, // Basic price
+        status: SubscriptionStatus.ACTIVE,
+        current_period_start: new Date(),
+        current_period_end: new Date(Date.now() + 14 * 24 * 60 * 60 * 1000),
+      });
+      await queryRunner.manager.save(subscription);
+
+      // 4. Create Admin User
+      const passwordHash = await this.hashPassword(dto.password);
+      const user = queryRunner.manager.create(User, {
+        tenant_id: savedTenant.id,
+        name: dto.name,
+        email: dto.email,
+        password_hash: passwordHash,
+        role: UserRole.ADMIN,
+      });
+      const savedUser = await queryRunner.manager.save(user);
+
+      await queryRunner.commitTransaction();
+
+      return {
+        userId: savedUser.id,
+        tenantId: savedTenant.id,
+        message: 'Registration successful',
+      };
+    } catch (error) {
+      await queryRunner.rollbackTransaction();
+      if (error instanceof ConflictException) throw error;
+      throw new InternalServerErrorException('Registration failed');
+    } finally {
+      await queryRunner.release();
+    }
+  }
+
+  /**
+   * تسجيل دخول
+   */
+  async login(dto: LoginDto) {
+    const user = await this.dataSource.getRepository(User).findOne({
+      where: { email: dto.email, is_active: true },
+    });
+
+    if (!user || !(await this.comparePassword(dto.password, user.password_hash))) {
+      throw new UnauthorizedException('Invalid credentials');
+    }
+
+    const payload = { 
+      sub: user.id, 
+      tenantId: user.tenant_id, 
+      role: user.role 
+    };
+
+    const accessToken = await this.jwtService.signAsync(payload);
+    const refreshToken = await this.generateRefreshToken(payload);
+
+    // Save refresh token hash
+    await this.updateRefreshToken(user.id, refreshToken);
+
+    return {
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        role: user.role,
+        tenantId: user.tenant_id,
+      },
+      accessToken,
+      refreshToken,
+    };
+  }
+
+  /**
+   * تجديد التوكن
+   */
+  async refresh(userId: string, refreshToken: string) {
+    const user = await this.dataSource.getRepository(User).findOne({
+      where: { id: userId, is_active: true },
+      select: ['id', 'tenant_id', 'role', 'refresh_token_hash'],
+    });
+
+    if (!user || !user.refresh_token_hash) {
+      throw new UnauthorizedException('Access Denied');
+    }
+
+    const isMatch = await bcrypt.compare(refreshToken, user.refresh_token_hash);
+    if (!isMatch) {
+      throw new UnauthorizedException('Access Denied');
+    }
+
+    const payload = { 
+      sub: user.id, 
+      tenantId: user.tenant_id, 
+      role: user.role 
+    };
+
+    const accessToken = await this.jwtService.signAsync(payload);
+    const newRefreshToken = await this.generateRefreshToken(payload);
+
+    await this.updateRefreshToken(user.id, newRefreshToken);
+
+    return {
+      accessToken,
+      refreshToken: newRefreshToken,
+    };
+  }
+
+  /**
+   * تسجيل خروج
+   */
+  async logout(userId: string) {
+    await this.dataSource.getRepository(User).update(userId, {
+      refresh_token_hash: undefined,
+    });
+    return { message: 'Logged out' };
+  }
+
+  // ── Helpers ─────────────────────────────────────────────
+
+  private async hashPassword(password: string): Promise<string> {
+    return bcrypt.hash(password, 12);
+  }
+
+  private async comparePassword(password: string, hash: string): Promise<boolean> {
+    return bcrypt.compare(password, hash);
+  }
+
+  private async generateRefreshToken(payload: any): Promise<string> {
+    return this.jwtService.signAsync(payload, {
+      secret: this.configService.getOrThrow<string>('JWT_REFRESH_SECRET'),
+      expiresIn: this.configService.get<string>('JWT_REFRESH_EXPIRY', '7d'),
+    });
+  }
+
+  private async updateRefreshToken(userId: string, refreshToken: string) {
+    const hash = await bcrypt.hash(refreshToken, 10);
+    await this.dataSource.getRepository(User).update(userId, {
+      refresh_token_hash: hash,
+    });
+  }
+}
--- a/backend/src/modules/auth/dto/login.dto.ts
+++ b/backend/src/modules/auth/dto/login.dto.ts
@@ -0,0 +1,16 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — Login DTO
+ * ════════════════════════════════════════════════════════════
+ */
+
+import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
+
+export class LoginDto {
+  @IsEmail()
+  email!: string;
+
+  @IsString()
+  @IsNotEmpty()
+  password!: string;
+}
--- a/backend/src/modules/auth/dto/register.dto.ts
+++ b/backend/src/modules/auth/dto/register.dto.ts
@@ -0,0 +1,31 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — Register DTO
+ * ════════════════════════════════════════════════════════════
+ */
+
+import { IsEmail, IsNotEmpty, IsString, MinLength, IsOptional, Matches } from 'class-validator';
+
+export class RegisterDto {
+  @IsString()
+  @IsNotEmpty()
+  tenantName!: string;
+
+  @IsString()
+  @IsNotEmpty()
+  name!: string;
+
+  @IsEmail()
+  email!: string;
+
+  @IsString()
+  @MinLength(8)
+  @Matches(/((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$/, {
+    message: 'Password is too weak (Must have uppercase, lowercase, and number/special char)',
+  })
+  password!: string;
+
+  @IsString()
+  @IsOptional()
+  phone?: string;
+}
--- a/backend/src/modules/auth/strategies/jwt-refresh.strategy.ts
+++ b/backend/src/modules/auth/strategies/jwt-refresh.strategy.ts
@@ -0,0 +1,43 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — JWT Refresh Strategy
+ * ════════════════════════════════════════════════════════════
+ */
+
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ConfigService } from '@nestjs/config';
+import { Request } from 'express';
+
+@Injectable()
+export class JwtRefreshStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
+  constructor(private configService: ConfigService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        (request: Request) => {
+          // Extract from HttpOnly Cookie (prod) or Header (dev)
+          return request?.cookies?.refreshToken || request?.headers?.['x-refresh-token'];
+        },
+      ]),
+      ignoreExpiration: false,
+      passReqToCallback: true,
+      secretOrKey: configService.getOrThrow<string>('JWT_REFRESH_SECRET'),
+    });
+  }
+
+  async validate(req: Request, payload: any) {
+    const refreshToken = req?.cookies?.refreshToken || req?.headers?.['x-refresh-token'];
+    
+    if (!refreshToken) {
+      throw new UnauthorizedException('Refresh token missing');
+    }
+
+    return {
+      id: payload.sub,
+      tenantId: payload.tenantId,
+      role: payload.role,
+      refreshToken,
+    };
+  }
+}
--- a/backend/src/modules/auth/strategies/jwt.strategy.ts
+++ b/backend/src/modules/auth/strategies/jwt.strategy.ts
@@ -0,0 +1,43 @@
+/**
+ * ════════════════════════════════════════════════════════════
+ * مُصادَق (Musadaq) — JWT Strategy
+ * ════════════════════════════════════════════════════════════
+ */
+
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ConfigService } from '@nestjs/config';
+import { DataSource } from 'typeorm';
+import { User } from '../../users/entities/user.entity';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(
+    private configService: ConfigService,
+    private dataSource: DataSource,
+  ) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: configService.getOrThrow<string>('JWT_SECRET'),
+    });
+  }
+
+  async validate(payload: any) {
+    const user = await this.dataSource.getRepository(User).findOne({
+      where: { id: payload.sub, is_active: true },
+      select: ['id', 'tenant_id', 'role'], // Add only necessary fields to context
+    });
+
+    if (!user) {
+      throw new UnauthorizedException('User not found or inactive');
+    }
+
+    return {
+      id: user.id,
+      tenantId: user.tenant_id,
+      role: user.role,
+    };
+  }
+}