chore: newsletter e2e implementation

backend/package.json

@@ -44,6 +44,7 @@
     "@nestjs/swagger": "^7.4.2",
     "@nestjs/throttler": "^6.4.0",
     "@nestjs/typeorm": "^11.0.0",
+    "@sendgrid/mail": "^8.1.6",
     "@types/cookie-parser": "^1.4.9",
     "@types/handlebars": "^4.0.40",
     "@types/json2csv": "^5.0.7",

backend/src/app.module.ts

@@ -6,10 +6,11 @@ import { TypeOrmModule } from '@nestjs/typeorm';
 import { AuthModule } from './auth/auth.module';
 import { UsersModule } from './users/users.module';
 import { APP_GUARD } from '@nestjs/core';
-import { JwtAuthGuard } from './auth/guards/jwt.guard';
+import { JwtAuthGuard } from './auth/guard/jwt.auth.guard';
 import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
 import { BullModule } from '@nestjs/bull';
 import { ScheduleModule } from '@nestjs/schedule';
+import { NewsletterModule } from './newsletter/newsletter.module';
 
 @Module({
   imports: [
@@ -33,6 +34,7 @@ import { ScheduleModule } from '@nestjs/schedule';
         ttl: 60000, // 1 minute
         limit: 100, // 100 requests per minute
       },
+      { name: 'newsletter', ttl: 60_000, limit: 10 },
     ]),
     BullModule.forRootAsync({
       imports: [ConfigModule],
@@ -72,6 +74,7 @@ import { ScheduleModule } from '@nestjs/schedule';
     }),
     AuthModule,
     UsersModule,
+    NewsletterModule,
   ],
   controllers: [AppController],
   providers: [

backend/src/auth/auth.module.ts

@@ -10,10 +10,14 @@ import { RolesGuard } from './guard/roles.guard';
 import { PassportModule } from '@nestjs/passport';
 import { JwtStrategy } from './strategy/jwt.strategy';
 import { EmailService } from './helper/email-sender';
+import { HashingProvider } from './providers/hashing.provider';
+import { GenerateTokensProvider } from './providers/generateTokens.provider';
+import { RefreshTokenRepositoryOperations } from './providers/refreshToken.repository';
+import { RefreshToken } from './entities/refreshToken.entity';
 
 @Module({
   imports: [
-    TypeOrmModule.forFeature([User]),
+    TypeOrmModule.forFeature([User, RefreshToken]),
     JwtModule.register({}),
     PassportModule,
   ],
@@ -25,7 +29,15 @@ import { EmailService } from './helper/email-sender';
     JwtStrategy,
     RolesGuard,
     EmailService,
+    HashingProvider,
+    GenerateTokensProvider,
+    RefreshTokenRepositoryOperations,
+  ],
+  exports: [
+    AuthService,
+    HashingProvider,
+    GenerateTokensProvider,
+    RefreshTokenRepositoryOperations,
   ],
-  exports: [AuthService, RolesGuard],
 })
 export class AuthModule {}

backend/src/auth/decorators/getCurrentUser.decorator.ts

@@ -0,0 +1,18 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+
+type AnyRequest = { user?: unknown };
+
+export const GetCurrentUser = createParamDecorator(
+  (_data: unknown, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest<AnyRequest>();
+    return request.user;
+  },
+);
+
+export const GetCurrentUserId = createParamDecorator(
+  (_data: unknown, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest<AnyRequest>();
+    const user = request.user as { id?: string } | undefined;
+    return user?.id;
+  },
+);

backend/src/auth/decorators/public.decorator.ts

@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const PUBLIC = 'public';
+export const Public = () => SetMetadata(PUBLIC, true);

backend/src/auth/entities/refreshToken.entity.ts

@@ -0,0 +1,39 @@
+import {
+  Column,
+  CreateDateColumn,
+  Entity,
+  Index,
+  ManyToOne,
+  PrimaryGeneratedColumn,
+  UpdateDateColumn,
+} from 'typeorm';
+import { User } from '../../users/entities/user.entity';
+
+@Entity('refresh_tokens')
+@Index(['token'], { unique: true })
+@Index(['userId'])
+export class RefreshToken {
+  @PrimaryGeneratedColumn('uuid')
+  id: string;
+
+  @Column('uuid')
+  userId: string;
+
+  @ManyToOne(() => User, (user) => user.refreshTokens, { onDelete: 'CASCADE' })
+  user: User;
+
+  @Column({ type: 'text' })
+  token: string;
+
+  @Column({ type: 'timestamptz', nullable: true })
+  expiresAt?: Date;
+
+  @Column({ type: 'boolean', default: false })
+  revoked: boolean;
+
+  @CreateDateColumn()
+  createdAt: Date;
+
+  @UpdateDateColumn()
+  updatedAt: Date;
+}

backend/src/auth/guard/jwt.auth.guard.ts

@@ -1,4 +1,24 @@
-import { Injectable } from '@nestjs/common';
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
+import { PUBLIC } from '../decorators/public.decorator';
+
 @Injectable()
-export class JwtAuthGuard extends AuthGuard('jwt') {}
+export class JwtAuthGuard extends AuthGuard('jwt') {
+  constructor(private reflector: Reflector) {
+    super();
+  }
+
+  canActivate(context: ExecutionContext) {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(PUBLIC, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (isPublic) {
+      return true;
+    }
+
+    return super.canActivate(context);
+  }
+}

backend/src/auth/interface/authResponse.interface.ts

@@ -0,0 +1,6 @@
+import { User } from '../../users/entities/user.entity';
+
+export interface AuthResponse {
+  user: User;
+  accessToken: string;
+}

backend/src/auth/providers/generateTokens.provider.ts

@@ -0,0 +1,33 @@
+import { Injectable } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { User } from '../../users/entities/user.entity';
+
+@Injectable()
+export class GenerateTokensProvider {
+  constructor(private readonly jwtService: JwtService) {}
+
+  async generateAccessToken(user: User): Promise<string> {
+    return this.jwtService.signAsync(
+      { sub: user.id, role: user.role, email: user.email },
+      { expiresIn: process.env.JWT_ACCESS_EXPIRATION ?? '15m' },
+    );
+  }
+
+  async generateRefreshToken(user: User): Promise<string> {
+    return this.jwtService.signAsync(
+      { sub: user.id },
+      { expiresIn: process.env.JWT_REFRESH_EXPIRATION ?? '7d' },
+    );
+  }
+
+  async generateBothTokens(
+    user: User,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const [accessToken, refreshToken] = await Promise.all([
+      this.generateAccessToken(user),
+      this.generateRefreshToken(user),
+    ]);
+
+    return { accessToken, refreshToken };
+  }
+}

backend/src/auth/providers/hashing.provider.ts

@@ -0,0 +1,14 @@
+import { Injectable } from '@nestjs/common';
+import * as bcrypt from 'bcrypt';
+
+@Injectable()
+export class HashingProvider {
+  async hash(plain: string): Promise<string> {
+    const saltRounds = 10;
+    return bcrypt.hash(plain, saltRounds);
+  }
+
+  async compare(plain: string, hashed: string): Promise<boolean> {
+    return bcrypt.compare(plain, hashed);
+  }
+}

backend/src/auth/providers/refreshToken.repository.ts

@@ -0,0 +1,54 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { RefreshToken } from '../entities/refreshToken.entity';
+import { User } from '../../users/entities/user.entity';
+
+@Injectable()
+export class RefreshTokenRepositoryOperations {
+  constructor(
+    @InjectRepository(RefreshToken)
+    private readonly repo: Repository<RefreshToken>,
+  ) {}
+
+  async saveRefreshToken(user: User, token: string): Promise<RefreshToken> {
+    const expiresAt = this.computeExpiryFromEnv();
+
+    const rt = this.repo.create({
+      userId: user.id,
+      token,
+      expiresAt,
+      revoked: false,
+    });
+
+    return this.repo.save(rt);
+  }
+
+  async revokeToken(token: string): Promise<void> {
+    await this.repo.update({ token }, { revoked: true });
+  }
+
+  async findValidToken(token: string): Promise<RefreshToken | null> {
+    const rt = await this.repo.findOne({ where: { token } });
+    if (!rt) return null;
+    if (rt.revoked) return null;
+    if (rt.expiresAt && rt.expiresAt < new Date()) return null;
+    return rt;
+  }
+
+  private computeExpiryFromEnv(): Date | undefined {
+    // supports ms number or '7d' etc? We'll keep ms for now.
+    const raw = process.env.JWT_REFRESH_EXPIRATION;
+    if (!raw) return undefined;
+
+    const ms = Number(raw);
+    if (Number.isFinite(ms) && ms > 0) {
+      return new Date(Date.now() + ms);
+    }
+    return undefined;
+  }
+
+  async revokeAllRefreshTokens(userId: string): Promise<void> {
+    await this.repo.update({ userId }, { revoked: true });
+  }
+}

backend/src/common/middlewares/httpLogger.middleware.ts

@@ -0,0 +1,24 @@
+import { Request, Response, NextFunction } from 'express';
+import { Injectable, NestMiddleware, Logger } from '@nestjs/common';
+
+@Injectable()
+export class HttpLogger implements NestMiddleware {
+  use(request: Request, response: Response, next: NextFunction): void {
+    const startAt = process.hrtime();
+    const { ip, method, originalUrl } = request;
+    const userAgent = request.get('user-agent') || '';
+
+    response.on('finish', () => {
+      const logger = new Logger('HttpLogger');
+      const { statusCode } = response;
+      const contentLength = response.get('content-length');
+      const diff = process.hrtime(startAt);
+      const responseTime = diff[0] * 1e3 + diff[1] * 1e-6;
+      logger.log(
+        `${method} ${originalUrl} ${statusCode} ${responseTime}ms ${contentLength} - ${userAgent} ${ip}`,
+      );
+    });
+
+    next();
+  }
+}

backend/src/common/transformers/sanitize-string.transformer.ts

@@ -0,0 +1,33 @@
+import { Transform } from 'class-transformer';
+
+/**
+ * Sanitizes string inputs by:
+ * - Trimming whitespace
+ * - Removing control characters
+ * - Removing obvious script injection vectors
+ *
+ * Runs during transformation phase (before validation).
+ */
+export function SanitizeString() {
+  return Transform(({ value }) => {
+    if (typeof value !== 'string') {
+      return value;
+    }
+
+    let sanitized = value;
+
+    // Trim leading/trailing whitespace
+    sanitized = sanitized.trim();
+
+    // Remove ASCII control characters (0–31 and 127)
+    sanitized = sanitized.replace(/[\u0000-\u001F\u007F]/g, '');
+
+    // Remove obvious script tags (case-insensitive)
+    sanitized = sanitized.replace(/<\s*\/?\s*script[^>]*>/gi, '');
+
+    // Collapse multiple spaces into one
+    sanitized = sanitized.replace(/\s{2,}/g, ' ');
+
+    return sanitized;
+  });
+}