Implement AuthModule with:
- POST /auth/register — email + password, returns access + refresh tokens
- POST /auth/login — local strategy via passport-local
- POST /auth/refresh — verify refresh token from httpOnly cookie, issue new pair
- POST /auth/logout — delete refresh token from DB
- GET /auth/me — returns the current user profile
- JwtStrategy for @UseGuards(JwtAuthGuard) on protected routes
- Passwords hashed with bcryptjs (12 rounds)
- Refresh tokens stored in refresh_tokens table with expiry

Acceptance criteria:
- Access token expires in 15m, refresh token in 7d
- Replay attack: using a consumed refresh token returns 401
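Worked example of the refresh-token rotation and replay check behind the acceptance criteria (added here; not part of the ticket or of any project code). It assumes an in-memory Map standing in for the refresh_tokens table, a placeholder string standing in for the signed JWT, and the 15m/7d lifetimes from the spec. It goes one step beyond the stated criterion: a detected reuse also revokes the user's remaining refresh tokens, since reuse means a second party holds a copy of the token.

```typescript
import { randomBytes, createHash } from "node:crypto";

export interface TokenPair { accessToken: string; refreshToken: string }
interface RefreshRow { userId: string; expiresAt: number; consumed: boolean }
export type RefreshResult =
  | { status: 200; tokens: TokenPair }
  | { status: 401; reason: string };

export const ACCESS_TTL_MS = 15 * 60 * 1000;            // 15m per the acceptance criteria
export const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;  // 7d per the acceptance criteria

// Constructed in-memory stand-in for the refresh_tokens table, keyed by token hash.
const refreshTokens = new Map<string, RefreshRow>();

// Store only a SHA-256 of the token: a leaked table must not yield usable refresh tokens.
function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

// Mint a new access/refresh pair for userId and record the refresh token with its expiry.
export function issuePair(userId: string, now = Date.now()): TokenPair {
  const refreshToken = randomBytes(32).toString("hex");
  refreshTokens.set(hashToken(refreshToken), { userId, expiresAt: now + REFRESH_TTL_MS, consumed: false });
  // The real module would sign a JWT here; this placeholder only carries the 15m expiry.
  return { accessToken: `access:${userId}:${now + ACCESS_TTL_MS}`, refreshToken };
}

// POST /auth/refresh: consume the presented refresh token and issue a new pair.
export function rotate(refreshToken: string, now = Date.now()): RefreshResult {
  const key = hashToken(refreshToken);
  const row = refreshTokens.get(key);
  if (!row) return { status: 401, reason: "unknown refresh token" };
  if (row.consumed) {
    // Replay: this token was already exchanged, so a second party may hold a copy.
    // Revoke every refresh token of the user so the compromised session cannot continue.
    refreshTokens.forEach((r, k) => { if (r.userId === row.userId) refreshTokens.delete(k); });
    return { status: 401, reason: "refresh token reuse detected" };
  }
  if (row.expiresAt <= now) {
    refreshTokens.delete(key);
    return { status: 401, reason: "refresh token expired" };
  }
  row.consumed = true; // mark rather than delete, so a later reuse is recognised as replay
  return { status: 200, tokens: issuePair(row.userId, now) };
}

// POST /auth/logout: delete the refresh token row; returns false if it was not present.
export function logout(refreshToken: string): boolean {
  return refreshTokens.delete(hashToken(refreshToken));
}
```

In the real module the same consumed/expired checks run against the refresh_tokens table, and the cookie holding the refresh token is set httpOnly so the access token alone is all that script on the page can reach.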