Add role system to auth + remember me functionality

Author: CarboxyDev

apps/backend/package.json

@@ -32,6 +32,7 @@
     "@repo/shared-config": "workspace:*",
     "@repo/shared-types": "workspace:*",
     "@scalar/nestjs-api-reference": "^1.0.4",
+    "bcryptjs": "^3.0.2",
     "better-auth": "^1.3.27",
     "dotenv-flow": "^4.1.0",
     "helmet": "^8.1.0",
@@ -48,6 +49,7 @@
     "@nestjs/schematics": "^11.0.7",
     "@nestjs/testing": "^11.1.6",
     "@repo/shared-utils": "workspace:*",
+    "@types/bcryptjs": "^3.0.0",
     "@types/express": "^5.0.0",
     "@types/node": "^24.7.1",
     "@typescript-eslint/eslint-plugin": "^8.20.0",

apps/backend/prisma/migrations/20251019142208_add_user_role_enum/migration.sql

@@ -0,0 +1,5 @@
+-- CreateEnum
+CREATE TYPE "Role" AS ENUM ('user', 'admin', 'super_admin');
+
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "role" "Role" NOT NULL DEFAULT 'user';

apps/backend/prisma/schema.prisma

@@ -10,13 +10,24 @@ datasource db {
   url      = env("DATABASE_URL")
 }
 
+// Role enum for user permissions
+enum Role {
+  user
+  admin
+  super_admin
+}
+
 // User model with better-auth support
 model User {
   id            String    @id @default(cuid())
   email         String    @unique
   emailVerified Boolean   @default(false)
   name          String?
   image         String?
+  role          Role      @default(user)
+  banned        Boolean   @default(false)
+  banReason     String?
+  banExpires    DateTime?
   createdAt     DateTime  @default(now())
   updatedAt     DateTime  @updatedAt
 
@@ -28,14 +39,15 @@ model User {
 
 // Session model for better-auth
 model Session {
-  id        String   @id @default(cuid())
-  userId    String
-  expiresAt DateTime
-  token     String   @unique
-  ipAddress String?
-  userAgent String?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
+  id             String   @id @default(cuid())
+  userId         String
+  expiresAt      DateTime
+  token          String   @unique
+  ipAddress      String?
+  userAgent      String?
+  impersonatedBy String?
+  createdAt      DateTime @default(now())
+  updatedAt      DateTime @updatedAt
 
   user User @relation(fields: [userId], references: [id], onDelete: Cascade)
 

apps/backend/prisma/seed.ts

@@ -1,14 +1,60 @@
-import { PrismaClient } from '@prisma/client';
+import { PrismaClient, Role } from '@prisma/client';
+import * as bcrypt from 'bcryptjs';
 
 const prisma = new PrismaClient();
 
 async function main() {
   console.log('🌱 Seeding database...');
 
+  const superAdminEmail = 'admin@example.com';
+  const superAdminPassword = 'Admin@123456';
+
+  const hashedPassword = await bcrypt.hash(superAdminPassword, 10);
+
+  const superAdmin = await prisma.user.upsert({
+    where: { email: superAdminEmail },
+    update: {
+      role: Role.super_admin,
+    },
+    create: {
+      email: superAdminEmail,
+      name: 'Super Admin',
+      role: Role.super_admin,
+      emailVerified: true,
+    },
+  });
+
+  await prisma.account.upsert({
+    where: {
+      providerId_accountId: {
+        providerId: 'credential',
+        accountId: superAdmin.id,
+      },
+    },
+    update: {
+      password: hashedPassword,
+    },
+    create: {
+      userId: superAdmin.id,
+      accountId: superAdmin.id,
+      providerId: 'credential',
+      password: hashedPassword,
+    },
+  });
+
+  console.log('✅ Super admin user created:');
+  console.log(`   Email: ${superAdminEmail}`);
+  console.log(`   Password: ${superAdminPassword}`);
+  console.log(`   Role: ${superAdmin.role}`);
+  console.log('');
+  console.log(
+    '⚠️  IMPORTANT: Change the super_admin password after first login!'
+  );
+
   const usersData = [
-    { email: 'alice@example.com', name: 'Alice Johnson' },
-    { email: 'bob@example.com', name: 'Bob Smith' },
-    { email: 'charlie@example.com', name: 'Charlie Davis' },
+    { email: 'alice@example.com', name: 'Alice Johnson', role: Role.user },
+    { email: 'bob@example.com', name: 'Bob Smith', role: Role.admin },
+    { email: 'charlie@example.com', name: 'Charlie Davis', role: Role.user },
   ];
 
   for (const user of usersData) {
@@ -19,7 +65,7 @@ async function main() {
     });
   }
 
-  console.log(`✅ Seeded ${usersData.length} users`);
+  console.log(`✅ Seeded ${usersData.length} additional users`);
 }
 
 main()

apps/backend/src/auth/auth.config.ts

@@ -1,6 +1,7 @@
 import { PrismaClient } from '@prisma/client';
 import { betterAuth } from 'better-auth';
 import { prismaAdapter } from 'better-auth/adapters/prisma';
+import { admin } from 'better-auth/plugins';
 
 import { PrismaService } from '@/database/prisma/prisma.service';
 
@@ -17,8 +18,12 @@ export function createAuthInstance(prisma: PrismaService) {
       requireEmailVerification: false, // IMPORTANT: Set to true in production with email service
     },
     session: {
-      expiresIn: 60 * 60 * 24 * 7, // 7 days
+      expiresIn: 60 * 60 * 24 * 7, // 7 days (default session)
       updateAge: 60 * 60 * 24, // Update session every 24 hours
+      cookieCache: {
+        enabled: true,
+        maxAge: 60 * 60 * 24 * 30, // 30 days when remember me is enabled
+      },
     },
     trustedOrigins: [process.env.FRONTEND_URL || 'http://localhost:3000'],
     socialProviders: {
@@ -32,6 +37,12 @@ export function createAuthInstance(prisma: PrismaService) {
       //   clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
       // },
     },
+    plugins: [
+      admin({
+        defaultRole: 'user',
+        adminRoles: ['admin', 'super_admin'],
+      }),
+    ],
   });
 }
 

apps/backend/src/auth/auth.module.ts

@@ -1,13 +1,26 @@
 import { Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
 
 import { AuthController } from '@/auth/auth.controller';
 import { AuthService } from '@/auth/auth.service';
+import { AuthGuard } from '@/auth/guards/auth.guard';
+import { RolesGuard } from '@/auth/guards/roles.guard';
 import { PrismaModule } from '@/database/prisma/prisma.module';
 
 @Module({
   imports: [PrismaModule],
   controllers: [AuthController],
-  providers: [AuthService],
+  providers: [
+    AuthService,
+    {
+      provide: APP_GUARD,
+      useClass: AuthGuard,
+    },
+    {
+      provide: APP_GUARD,
+      useClass: RolesGuard,
+    },
+  ],
   exports: [AuthService],
 })
 export class AuthModule {}

apps/backend/src/auth/decorators/roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import type { Role } from '@repo/shared-types';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);

apps/backend/src/auth/guards/roles.guard.ts

@@ -0,0 +1,44 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import type { Role } from '@repo/shared-types';
+import type { Request } from 'express';
+
+import { ROLES_KEY } from '@/auth/decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!requiredRoles || requiredRoles.length === 0) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest<Request>();
+    const user = (request as any).user;
+
+    if (!user) {
+      throw new ForbiddenException('User not authenticated');
+    }
+
+    const hasRole = requiredRoles.includes(user.role);
+
+    if (!hasRole) {
+      throw new ForbiddenException(
+        `Insufficient permissions. Required roles: ${requiredRoles.join(', ')}`
+      );
+    }
+
+    return true;
+  }
+}

apps/backend/src/modules/users/users.controller.spec.ts

@@ -31,7 +31,11 @@ describe('UsersController', () => {
     });
 
     it('should return paginated users from service', () => {
-      service.createUser({ email: 'test@example.com', name: 'Test User' });
+      service.createUser({
+        email: 'test@example.com',
+        name: 'Test User',
+        role: 'user',
+      });
 
       const result = controller.getUsers(defaultQuery);
 
@@ -55,6 +59,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
 
       const result = controller.getUserById({ id: created.id });
@@ -68,6 +73,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
       const spy = vi.spyOn(service, 'getUserById');
 
@@ -83,6 +89,7 @@ describe('UsersController', () => {
       const createUserDto = {
         email: 'newuser@example.com',
         name: 'New User',
+        role: 'user' as const,
       };
 
       const result = controller.createUser(createUserDto);
@@ -99,6 +106,7 @@ describe('UsersController', () => {
       const createUserDto = {
         email: 'valid@example.com',
         name: 'Valid User',
+        role: 'user' as const,
       };
 
       expect(() => controller.createUser(createUserDto)).not.toThrow();
@@ -109,6 +117,7 @@ describe('UsersController', () => {
       const createUserDto = {
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user' as const,
       };
 
       controller.createUser(createUserDto);
@@ -123,6 +132,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
 
       const updateUserDto = {
@@ -141,6 +151,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
       const spy = vi.spyOn(service, 'updateUser');
       const updateUserDto = { name: 'Updated Name' };
@@ -157,6 +168,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
 
       const result = controller.deleteUser({ id: created.id });
@@ -169,6 +181,7 @@ describe('UsersController', () => {
       const created = service.createUser({
         email: 'test@example.com',
         name: 'Test User',
+        role: 'user',
       });
       const spy = vi.spyOn(service, 'deleteUser');
 

apps/backend/src/modules/users/users.controller.ts

@@ -26,6 +26,7 @@ import { User } from '@repo/shared-types';
 import { ApiResponse } from '@repo/shared-types';
 import { createZodDto } from 'nestjs-zod';
 
+import { Roles } from '@/auth/decorators/roles.decorator';
 import { UsersService } from '@/modules/users/users.service';
 
 class CreateUserDto extends createZodDto(CreateUserSchema) {}
@@ -86,8 +87,10 @@ export class UsersController {
   }
 
   @Delete(':id')
-  @ApiOperation({ summary: 'Delete user by ID' })
+  @Roles('admin', 'super_admin')
+  @ApiOperation({ summary: 'Delete user by ID (Admin only)' })
   @SwaggerResponse({ status: 200, description: 'User deleted successfully' })
+  @SwaggerResponse({ status: 403, description: 'Insufficient permissions' })
   @SwaggerResponse({ status: 404, description: 'User not found' })
   deleteUser(@Param() params: GetUserByIdDto): ApiResponse<void> {
     this.usersService.deleteUser(params.id);