feat(api): authentication

AGENTS.md

@@ -27,6 +27,7 @@ Conventions
 - Prefer named exports in libraries. Avoid barrel files unless necessary.
 - Use `workspace:*` for internal dependencies; do not hardcode versions.
 - Keep changes minimal and localized; avoid cross-cutting refactors without discussion.
+- When using tRPC in React, always compose `useQuery`/`useMutation` from TanStack with `trpc.*.queryOptions`/`mutationOptions` instead of calling `trpc.*.useQuery`/`useMutation` helpers directly (they are deprecated).
 
 Tasks & Commands
 - Install: `bun install` (run at repo root only).
@@ -67,4 +68,3 @@ Gotchas
 Contact Points
 - Architecture overview: `docs/architecture.md`.
 - Forms handling patterns: `docs/forms-handling.md`.
-

apps/api/src/trpc/init.ts

@@ -1,11 +1,11 @@
 import { Database, db } from "@basango/db/client";
-import { initTRPC } from "@trpc/server";
+import { TRPCError, initTRPC } from "@trpc/server";
 import type { Context } from "hono";
 import superjson from "superjson";
 
 import { withAuthentication } from "#api/trpc/middlewares/auth";
 import { withDatabase } from "#api/trpc/middlewares/db";
-import { Session, verifyAccessToken } from "#api/utils/auth";
+import { Session, getSession } from "#api/utils/auth";
 import { getGeoContext } from "#api/utils/geo";
 
 type TRPCContext = {
@@ -16,7 +16,7 @@ type TRPCContext = {
 
 export const createTRPCContext = async (_: unknown, c: Context): Promise<TRPCContext> => {
   const accessToken = c.req.header("Authorization")?.split(" ")[1];
-  const session = await verifyAccessToken(accessToken);
+  const session = await getSession(db, accessToken);
   const geo = getGeoContext(c.req);
 
   return {
@@ -51,13 +51,13 @@ export const publicProcedure = t.procedure.use(withDatabaseMiddleware);
 
 export const protectedProcedure = t.procedure
   .use(withDatabaseMiddleware)
-  .use(withAutenticationMiddleware) // NOTE: This is needed to ensure that the teamId is set in the context
+  .use(withAutenticationMiddleware)
   .use(async (opts) => {
     const { session } = opts.ctx;
 
-    // if (!session) {
+    if (!session) {
-    //   throw new TRPCError({ code: "UNAUTHORIZED" });
+      throw new TRPCError({ code: "UNAUTHORIZED" });
-    // }
+    }
 
     return opts.next({
       ctx: {

apps/api/src/trpc/middlewares/auth.ts

@@ -1,6 +1,5 @@
 import type { Database } from "@basango/db/client";
-
+import { TRPCError } from "@trpc/server";
-// import { TRPCError } from "@trpc/server";
 
 import type { Session } from "#api/utils/auth";
 
@@ -18,14 +17,12 @@ export const withAuthentication = async <TReturn>(opts: {
 }) => {
   const { ctx, next } = opts;
 
-  //   const userId = ctx.session?.user?.id;
+  if (!ctx.session) {
-
+    throw new TRPCError({
-  //   if (!userId) {
+      code: "UNAUTHORIZED",
-  //     throw new TRPCError({
+      message: "Authentication is required to access this resource.",
-  //       code: "UNAUTHORIZED",
+    });
-  //       message: "No permission to access",
+  }
-  //     });
-  //   }
 
   return next({
     ctx: {

apps/api/src/trpc/routers/_app.ts

@@ -2,10 +2,12 @@ import type { inferRouterInputs, inferRouterOutputs } from "@trpc/server";
 
 import { createTRPCRouter } from "#api/trpc/init";
 import { articlesRouter } from "#api/trpc/routers/articles";
+import { authRouter } from "#api/trpc/routers/auth";
 import { sourcesRouter } from "#api/trpc/routers/sources";
 
 export const appRouter = createTRPCRouter({
   articles: articlesRouter,
+  auth: authRouter,
   sources: sourcesRouter,
 });
 

apps/api/src/trpc/routers/auth.ts

@@ -0,0 +1,86 @@
+import { getUserByEmail, getUserById } from "@basango/db/queries";
+import { loginSchema, refreshSessionSchema } from "@basango/domain/models";
+import { verifyPassword } from "@basango/encryption";
+import { TRPCError } from "@trpc/server";
+
+import { createTRPCRouter, protectedProcedure, publicProcedure } from "#api/trpc/init";
+import { createSessionTokens, verifyRefreshToken } from "#api/utils/auth";
+
+export const authRouter = createTRPCRouter({
+  login: publicProcedure.input(loginSchema).mutation(async ({ ctx, input }) => {
+    const user = await getUserByEmail(ctx.db, input.email);
+
+    if (!user || user.isLocked) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Invalid credentials.",
+      });
+    }
+
+    const isValidPassword = await verifyPassword(input.password, user.password);
+
+    if (!isValidPassword) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Invalid credentials.",
+      });
+    }
+
+    const session = {
+      user: {
+        email: user.email,
+        id: user.id,
+        name: user.name,
+      },
+    };
+
+    const tokens = await createSessionTokens(session);
+
+    return {
+      ...tokens,
+      user: session.user,
+    };
+  }),
+
+  refresh: publicProcedure.input(refreshSessionSchema).mutation(async ({ ctx, input }) => {
+    const session = await verifyRefreshToken(input.refreshToken);
+
+    if (!session) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Invalid refresh token.",
+      });
+    }
+
+    const user = await getUserById(ctx.db, {
+      email: session.user.email,
+      id: session.user.id,
+    });
+
+    if (!user || user.isLocked) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Invalid refresh token.",
+      });
+    }
+
+    const tokens = await createSessionTokens({
+      user: {
+        email: user.email,
+        id: user.id,
+        name: user.name,
+      },
+    });
+
+    return {
+      ...tokens,
+      user: {
+        email: user.email,
+        id: user.id,
+        name: user.name,
+      },
+    };
+  }),
+
+  session: protectedProcedure.query(({ ctx }) => ctx.session.user),
+});

apps/api/src/utils/auth.ts

@@ -1,4 +1,12 @@
-import { type JWTPayload, jwtVerify } from "jose";
+import { Database } from "@basango/db/client";
+import { getUserById } from "@basango/db/queries";
+import {
+  DEFAULT_ACCESS_TOKEN_TTL,
+  DEFAULT_REFRESH_TOKEN_TTL,
+  DEFAULT_TOKEN_AUDIENCE,
+  DEFAULT_TOKEN_ISSUER,
+} from "@basango/domain/constants";
+import { type JWTPayload, SignJWT, jwtVerify } from "jose";
 
 import { env } from "#api/config";
 
@@ -6,35 +14,144 @@ export type Session = {
   user: {
     id: string;
     email: string;
-    full_name?: string;
+    name?: string;
   };
 };
 
 export type VerifiedJWTPayload = JWTPayload & {
+  tokenType: TokenType;
   user: {
     id: string;
     email: string;
-    full_name?: string;
+    name?: string;
   };
 };
 
+type TokenType = "access" | "refresh";
+
+export type SessionTokens = {
+  accessToken: string;
+  refreshToken: string;
+  accessTokenExpiresAt: string;
+  refreshTokenExpiresAt: string;
+};
+
+const encoder = new TextEncoder();
+
+function getSecretKey() {
+  return encoder.encode(env("BASANGO_JWT_SECRET"));
+}
+
+export async function getSession(db: Database, accessToken?: string): Promise<Session | null> {
+  const session = await verifyAccessToken(accessToken);
+
+  if (!session) {
+    return null;
+  }
+
+  const user = await getUserById(db, {
+    email: session.user.email,
+    id: session.user.id,
+  });
+
+  if (!user || user.isLocked) {
+    return null;
+  }
+
+  return {
+    user: {
+      email: user.email,
+      id: user.id,
+      name: user.name,
+    },
+  };
+}
+
+async function createToken(session: Session, tokenType: TokenType, expiresIn: string) {
+  return new SignJWT({
+    tokenType,
+    user: session.user,
+  })
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt()
+    .setAudience(DEFAULT_TOKEN_AUDIENCE)
+    .setIssuer(DEFAULT_TOKEN_ISSUER)
+    .setExpirationTime(expiresIn)
+    .sign(getSecretKey());
+}
+
+export async function createSessionTokens(session: Session): Promise<SessionTokens> {
+  const [accessToken, refreshToken] = await Promise.all([
+    createToken(session, "access", DEFAULT_ACCESS_TOKEN_TTL),
+    createToken(session, "refresh", DEFAULT_REFRESH_TOKEN_TTL),
+  ]);
+
+  const issuedAt = Date.now();
+  const accessTokenExpiresAt = new Date(
+    issuedAt + formatTTL(DEFAULT_ACCESS_TOKEN_TTL),
+  ).toISOString();
+  const refreshTokenExpiresAt = new Date(
+    issuedAt + formatTTL(DEFAULT_REFRESH_TOKEN_TTL),
+  ).toISOString();
+
+  return {
+    accessToken,
+    accessTokenExpiresAt,
+    refreshToken,
+    refreshTokenExpiresAt,
+  };
+}
+
 export async function verifyAccessToken(accessToken?: string): Promise<Session | null> {
-  if (!accessToken) return null;
+  return verifyToken(accessToken, "access");
+}
+
+export async function verifyRefreshToken(refreshToken?: string): Promise<Session | null> {
+  return verifyToken(refreshToken, "refresh");
+}
+
+async function verifyToken(
+  token: string | undefined,
+  expectedType: TokenType,
+): Promise<Session | null> {
+  if (!token) return null;
 
   try {
-    const { payload } = await jwtVerify<VerifiedJWTPayload>(
+    const { payload } = await jwtVerify<VerifiedJWTPayload>(token, getSecretKey(), {
-      accessToken,
+      audience: DEFAULT_TOKEN_AUDIENCE,
-      new TextEncoder().encode(env("BASANGO_JWT_SECRET")),
+      issuer: DEFAULT_TOKEN_ISSUER,
-    );
+    });
+
+    if (payload.tokenType !== expectedType) {
+      return null;
+    }
 
     return {
       user: {
         email: payload.user.email,
-        full_name: payload.user.full_name,
         id: payload.user.id,
+        name: payload.user.name,
       },
     };
   } catch (_error: unknown) {
     return null;
   }
 }
+
+function formatTTL(ttl: string) {
+  const match = ttl.match(/^(\d+)([smhd])$/);
+  if (!match) return 0;
+  const [, rawValue, rawUnit] = match;
+  if (!rawValue || !rawUnit) {
+    return 0;
+  }
+  const value = Number.parseInt(rawValue, 10);
+  const multipliers = {
+    d: 86_400_000,
+    h: 3_600_000,
+    m: 60_000,
+    s: 1_000,
+  } as const;
+  const unit = rawUnit as keyof typeof multipliers;
+  return value * (multipliers[unit] ?? 1_000);
+}

apps/dashboard/package.json

@@ -12,7 +12,7 @@
     "@trpc/server": "^11.7.1",
     "@trpc/tanstack-react-query": "^11.7.1",
     "client-only": "^0.0.1",
-    "date-fns": "^4.1.0",
+    "date-fns": "catalog:",
     "lucide-react": "^0.553.0",
     "next": "catalog:",
     "next-international": "^1.3.1",
@@ -26,7 +26,7 @@
     "server-only": "^0.0.1",
     "sonner": "^2.0.7",
     "superjson": "^2.2.5",
-    "zod": "^4.1.12",
+    "zod": "catalog:",
     "zustand": "^5.0.8"
   },
   "devDependencies": {

apps/dashboard/src/app/[locale]/(public)/login/page.tsx

@@ -1,19 +1,9 @@
-import { GalleryVerticalEnd } from "lucide-react";
-
 import { LoginForm } from "#dashboard/components/forms/login-form";
 
-export default function LoginPage() {
+export default function Page() {
   return (
     <div className="grid min-h-svh lg:grid-cols-2">
       <div className="flex flex-col gap-4 p-6 md:p-10">
-        <div className="flex justify-center gap-2 md:justify-start">
-          <a className="flex items-center gap-2 font-medium" href="#">
-            <div className="bg-primary text-primary-foreground flex size-6 items-center justify-center rounded-md">
-              <GalleryVerticalEnd className="size-4" />
-            </div>
-            Acme Inc.
-          </a>
-        </div>
         <div className="flex flex-1 items-center justify-center">
           <div className="w-full max-w-xs">
             <LoginForm />
@@ -24,7 +14,7 @@ export default function LoginPage() {
         <img
           alt="verification placeholder"
           className="absolute inset-0 h-full w-full object-cover dark:brightness-[0.2] dark:grayscale"
-          src="/placeholder.svg"
+          src="https://images.pexels.com/photos/30690932/pexels-photo-30690932.jpeg"
         />
       </div>
     </div>

apps/dashboard/src/app/[locale]/page.tsx

@@ -0,0 +1,5 @@
+import { redirect } from "next/navigation";
+
+export default function Page() {
+  redirect("/dashboard");
+}

apps/dashboard/src/app/api/session/refresh/route.ts

@@ -0,0 +1,49 @@
+import type { AppRouter } from "@basango/api/trpc/routers/_app";
+import { DEFAULT_REFRESH_TOKEN_COOKIE } from "@basango/domain/constants";
+import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";
+import { cookies } from "next/headers";
+import { NextRequest, NextResponse } from "next/server";
+import superjson from "superjson";
+
+const client = createTRPCProxyClient<AppRouter>({
+  links: [
+    httpBatchLink({
+      transformer: superjson,
+      url: `${process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:3080"}/trpc`,
+    }),
+  ],
+});
+
+export async function POST(request: NextRequest) {
+  const cookieStore = await cookies();
+  const refreshToken =
+    cookieStore.get(DEFAULT_REFRESH_TOKEN_COOKIE)?.value ??
+    (await getRefreshTokenFromBody(request));
+
+  if (!refreshToken) {
+    return NextResponse.json({ error: "Missing refresh token" }, { status: 401 });
+  }
+
+  try {
+    const tokens = await client.auth.refresh.mutate({
+      refreshToken,
+    });
+
+    return NextResponse.json(tokens);
+  } catch {
+    return NextResponse.json({ error: "Invalid refresh token" }, { status: 401 });
+  }
+}
+
+async function getRefreshTokenFromBody(request: NextRequest) {
+  try {
+    const body = await request.json();
+    if (typeof body?.refreshToken === "string") {
+      return body.refreshToken;
+    }
+  } catch {
+    // Ignore malformed bodies
+  }
+
+  return undefined;
+}

apps/dashboard/src/components/forms/login-form.tsx

@@ -1,51 +1,136 @@
-import { Button } from "@basango/ui/components/button";
+"use client";
+
+import { loginSchema } from "@basango/domain/models";
 import {
   Field,
   FieldDescription,
+  FieldError,
   FieldGroup,
   FieldLabel,
-  FieldSeparator,
 } from "@basango/ui/components/field";
 import { Input } from "@basango/ui/components/input";
+import { SubmitButton } from "@basango/ui/components/submit-button";
 import { cn } from "@basango/ui/lib/utils";
+import { useMutation } from "@tanstack/react-query";
+import { useParams, useRouter, useSearchParams } from "next/navigation";
+import { useCallback } from "react";
+import { Controller } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+
+import { useZodForm } from "#dashboard/hooks/use-zod-form";
+import { useUserStore } from "#dashboard/stores/user-store";
+import { useTRPC } from "#dashboard/trpc/client";
+import { persistSessionTokens } from "#dashboard/utils/auth/client";
+
+type LoginValues = z.infer<typeof loginSchema>;
 
 export function LoginForm({ className, ...props }: React.ComponentProps<"form">) {
+  const router = useRouter();
+  const params = useParams<{ locale?: string }>();
+  const searchParams = useSearchParams();
+  const trpc = useTRPC();
+  const setUser = useUserStore((state) => state.setUser);
+  const locale = params?.locale ?? "en";
+
+  const form = useZodForm(loginSchema, {
+    defaultValues: {
+      email: "",
+      password: "",
+    },
+  });
+
+  const mutation = useMutation(
+    trpc.auth.login.mutationOptions({
+      onError(error) {
+        toast.error(error.message ?? "Unable to login. Try again.");
+      },
+      async onSuccess(data) {
+        persistSessionTokens({
+          accessToken: data.accessToken,
+          accessTokenExpiresAt: data.accessTokenExpiresAt,
+          refreshToken: data.refreshToken,
+          refreshTokenExpiresAt: data.refreshTokenExpiresAt,
+        });
+        setUser(data.user);
+
+        form.reset();
+        router.push(searchParams?.get("return_to") ?? `/${locale}/dashboard`);
+        router.refresh();
+      },
+    }),
+  );
+
+  const handleSubmit = useCallback(
+    (values: LoginValues) => {
+      mutation.mutate(values);
+    },
+    [mutation],
+  );
+
   return (
-    <form className={cn("flex flex-col gap-6", className)} {...props}>
+    <form
+      className={cn("flex flex-col gap-6", className)}
+      onSubmit={form.handleSubmit(handleSubmit)}
+      {...props}
+    >
       <FieldGroup>
         <div className="flex flex-col items-center gap-1 text-center">
-          <h1 className="text-2xl font-bold">Login to your account</h1>
+          <h1 className="text-2xl font-bold">Basango Dashboard</h1>
           <p className="text-muted-foreground text-sm text-balance">
             Enter your email below to login to your account
           </p>
         </div>
-        <Field>
+
-          <FieldLabel htmlFor="email">Email</FieldLabel>
+        <Controller
-          <Input id="email" placeholder="m@example.com" required type="email" />
+          control={form.control}
+          name="email"
+          render={({ field, fieldState }) => (
+            <Field data-invalid={fieldState.invalid}>
+              <FieldLabel htmlFor={field.name}>Email</FieldLabel>
+              <Input
+                {...field}
+                aria-invalid={fieldState.invalid}
+                autoComplete="email"
+                disabled={mutation.isPending}
+                id={field.name}
+                placeholder="m@example.com"
+                type="email"
+              />
+              {fieldState.invalid && <FieldError errors={[fieldState.error]} />}
             </Field>
-        <Field>
+          )}
+        />
+
+        <Controller
+          control={form.control}
+          name="password"
+          render={({ field, fieldState }) => (
+            <Field data-invalid={fieldState.invalid}>
               <div className="flex items-center">
-            <FieldLabel htmlFor="password">Password</FieldLabel>
+                <FieldLabel htmlFor={field.name}>Password</FieldLabel>
                 <a className="ml-auto text-sm underline-offset-4 hover:underline" href="#">
                   Forgot your password?
                 </a>
               </div>
-          <Input id="password" required type="password" />
+              <Input
-        </Field>
+                {...field}
-        <Field>
+                aria-invalid={fieldState.invalid}
-          <Button type="submit">Login</Button>
+                autoComplete="current-password"
-        </Field>
+                disabled={mutation.isPending}
-        <FieldSeparator>Or continue with</FieldSeparator>
+                id={field.name}
-        <Field>
+                type="password"
-          <Button type="button" variant="outline">
-            <svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
-              <path
-                d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"
-                fill="currentColor"
               />
-            </svg>
+              {fieldState.invalid && <FieldError errors={[fieldState.error]} />}
-            Login with GitHub
+            </Field>
-          </Button>
+          )}
+        />
+
+        <SubmitButton className="w-full" isSubmitting={mutation.isPending} type="submit">
+          Login
+        </SubmitButton>
+
+        <Field>
           <FieldDescription className="text-center">
             Don&apos;t have an account?{" "}
             <a className="underline underline-offset-4" href="#">

apps/dashboard/src/components/shell/page-header.tsx

@@ -1,54 +1,18 @@
-import {
-  Breadcrumb,
-  BreadcrumbItem,
-  BreadcrumbLink,
-  BreadcrumbList,
-  BreadcrumbPage,
-  BreadcrumbSeparator,
-} from "@basango/ui/components/breadcrumb";
 import { Separator } from "@basango/ui/components/separator";
-//import { LanguageSelector, ThemeSelector } from "@/components/ui/shared/settings";
 import { SidebarTrigger } from "@basango/ui/components/sidebar";
 
+import { ThemeToggle } from "#dashboard/components/theme-toggle";
+
 export function PageHeader() {
   return (
-    <header className="flex h-16 shrink-0 items-center gap-2 border-b transition-[width,height] ease-linear group-has-data-[collapsible=icon]/sidebar-wrapper:h-12">
+    <header className="border-b flex h-16 shrink-0 items-center justify-between gap-2 transition-[width,height] ease-linear group-has-data-[collapsible=icon]/sidebar-wrapper:h-12">
       <div className="flex items-center gap-2 px-4">
         <SidebarTrigger className="-ml-1" />
         <Separator className="mr-2 data-[orientation=vertical]:h-4" orientation="vertical" />
-        <Breadcrumb>
+      </div>
-          <BreadcrumbList>
+      <div className="flex items-center gap-2 px-4">
-            <BreadcrumbItem className="hidden md:block">
+        <ThemeToggle />
-              <BreadcrumbLink href="#">Building Your Application</BreadcrumbLink>
-            </BreadcrumbItem>
-            <BreadcrumbSeparator className="hidden md:block" />
-            <BreadcrumbItem>
-              <BreadcrumbPage>Data Fetching</BreadcrumbPage>
-            </BreadcrumbItem>
-          </BreadcrumbList>
-        </Breadcrumb>
       </div>
     </header>
   );
 }
-
-//  <header className="border-b flex h-16 shrink-0 items-center justify-between gap-2 transition-[width,height] ease-linear group-has-data-[collapsible=icon]/sidebar-wrapper:h-12">
-//       <div className="flex items-center gap-2 px-4">
-//         <SidebarTrigger className="-ml-1" />
-//         <Separator className="mr-2 data-[orientation=vertical]:h-4" orientation="vertical" />
-//         <Breadcrumb>
-//           <BreadcrumbList>
-//             <BreadcrumbItem className="hidden md:block">
-//               <Button className="cursor-pointer" onClick={() => navigate(-1)} variant="ghost">
-//                 <ArrowLeftIcon />
-//                 <span>{t("ui.shared.shell.page_header.go_back")}</span>
-//               </Button>
-//             </BreadcrumbItem>
-//           </BreadcrumbList>
-//         </Breadcrumb>
-//       </div>
-//       <div className="flex items-center gap-2 px-4">
-//         <LanguageSelector />
-//         <ThemeSelector />
-//       </div>
-//     </header>

apps/dashboard/src/components/sidebar/app-sidebar-info.tsx

@@ -12,11 +12,8 @@ export function AppSidebarInfo() {
           className="data-[state=open]:bg-sidebar-accent data-[state=open]:text-sidebar-accent-foreground"
           size="lg"
         >
-          <div className="bg-sidebar-primary text-sidebar-primary-foreground flex aspect-square size-8 items-center justify-center rounded-lg">
-            <img alt="Logo" className="size-8 rounded-lg object-cover" src="/logo.svg" />
-          </div>
           <div className="grid flex-1 text-left text-sm leading-tight">
-            <span className="truncate font-medium">Basango</span>
+            <span className="truncate font-medium">Basango Dashboard</span>
             <span className="truncate text-xs">v{version}</span>
           </div>
         </SidebarMenuButton>

apps/dashboard/src/components/sidebar/app-sidebar-user.tsx

@@ -4,7 +4,6 @@ import { Avatar, AvatarFallback } from "@basango/ui/components/avatar";
 import {
   DropdownMenu,
   DropdownMenuContent,
-  DropdownMenuGroup,
   DropdownMenuItem,
   DropdownMenuLabel,
   DropdownMenuSeparator,
@@ -16,10 +15,24 @@ import {
   SidebarMenuItem,
   useSidebar,
 } from "@basango/ui/components/sidebar";
-import { BadgeCheck, Bell, ChevronsUpDown, CreditCard, LogOut, Sparkles } from "lucide-react";
+import { ChevronsUpDown, LogOut } from "lucide-react";
+import { useRouter } from "next/navigation";
+
+import { useUser } from "#dashboard/hooks/use-user";
+import { clearSessionTokens } from "#dashboard/utils/auth/client";
+import { getInitials } from "#dashboard/utils/utils";
 
 export function AppSidebarUser() {
   const { isMobile } = useSidebar();
+  const router = useRouter();
+  const { user, setUser } = useUser();
+
+  const handleLogout = () => {
+    clearSessionTokens();
+    setUser(null);
+    router.push(`/login`);
+    router.refresh();
+  };
 
   return (
     <SidebarMenu>
@@ -31,11 +44,13 @@ export function AppSidebarUser() {
               size="lg"
             >
               <Avatar className="h-8 w-8 rounded-lg">
-                <AvatarFallback className="rounded-lg">BN</AvatarFallback>
+                <AvatarFallback className="rounded-lg">
+                  {getInitials(user?.name ?? user?.email ?? "")}
+                </AvatarFallback>
               </Avatar>
               <div className="grid flex-1 text-left text-sm leading-tight">
-                <span className="truncate font-medium">Bernard Ng</span>
+                <span className="truncate font-medium">{user?.name ?? user?.email ?? ""}</span>
-                <span className="truncate text-xs">bernard.ng@example.com</span>
+                <span className="truncate text-xs">{user?.email ?? ""}</span>
               </div>
               <ChevronsUpDown className="ml-auto size-4" />
             </SidebarMenuButton>
@@ -49,38 +64,18 @@ export function AppSidebarUser() {
             <DropdownMenuLabel className="p-0 font-normal">
               <div className="flex items-center gap-2 px-1 py-1.5 text-left text-sm">
                 <Avatar className="h-8 w-8 rounded-lg">
-                  <AvatarFallback className="rounded-lg">BN</AvatarFallback>
+                  <AvatarFallback className="rounded-lg">
+                    {getInitials(user?.name ?? user?.email ?? "")}
+                  </AvatarFallback>
                 </Avatar>
                 <div className="grid flex-1 text-left text-sm leading-tight">
-                  <span className="truncate font-medium">Bernard Ng</span>
+                  <span className="truncate font-medium">{user?.name ?? user?.email ?? ""}</span>
-                  <span className="truncate text-xs">bernard.ng@example.com</span>
+                  <span className="truncate text-xs">{user?.email ?? ""}</span>
                 </div>
               </div>
             </DropdownMenuLabel>
             <DropdownMenuSeparator />
-            <DropdownMenuGroup>
+            <DropdownMenuItem onClick={handleLogout}>
-              <DropdownMenuItem>
-                <Sparkles />
-                Upgrade to Pro
-              </DropdownMenuItem>
-            </DropdownMenuGroup>
-            <DropdownMenuSeparator />
-            <DropdownMenuGroup>
-              <DropdownMenuItem>
-                <BadgeCheck />
-                Account
-              </DropdownMenuItem>
-              <DropdownMenuItem>
-                <CreditCard />
-                Billing
-              </DropdownMenuItem>
-              <DropdownMenuItem>
-                <Bell />
-                Notifications
-              </DropdownMenuItem>
-            </DropdownMenuGroup>
-            <DropdownMenuSeparator />
-            <DropdownMenuItem>
               <LogOut />
               Log out
             </DropdownMenuItem>

apps/dashboard/src/components/theme-toggle.tsx

@@ -0,0 +1,58 @@
+"use client";
+
+import { Button } from "@basango/ui/components/button";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+} from "@basango/ui/components/dropdown-menu";
+import { Laptop, Moon, Sun } from "lucide-react";
+import { useTheme } from "next-themes";
+import * as React from "react";
+
+export function ThemeToggle() {
+  const { theme, setTheme } = useTheme();
+
+  // To avoid a hydration error caused by mismatched server/client rendering,
+  // we wait for the component to mount before using `theme` from `next-themes`,
+  // since it relies on localStorage and is not available during SSR.s
+  const [mounted, setMounted] = React.useState(false);
+
+  React.useEffect(() => {
+    setMounted(true);
+  }, []);
+
+  if (!mounted) return null;
+
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <Button className="h-8 w-8 shrink-0" size="icon" variant="ghost">
+          {theme === "light" ? (
+            <Sun className="h-4 w-4" />
+          ) : theme === "dark" ? (
+            <Moon className="h-4 w-4" />
+          ) : (
+            <Laptop className="h-4 w-4" />
+          )}
+          <span className="sr-only">Toggle theme</span>
+        </Button>
+      </DropdownMenuTrigger>
+      <DropdownMenuContent align="end">
+        <DropdownMenuItem onClick={() => setTheme("light")}>
+          <Sun className="mr-2 h-4 w-4" />
+          <span>Light</span>
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("dark")}>
+          <Moon className="mr-2 h-4 w-4" />
+          <span>Dark</span>
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("system")}>
+          <Laptop className="mr-2 h-4 w-4" />
+          <span>System</span>
+        </DropdownMenuItem>
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+}

apps/dashboard/src/hooks/use-user.ts

@@ -0,0 +1,33 @@
+"use client";
+
+import { useQuery } from "@tanstack/react-query";
+import { useEffect } from "react";
+
+import { useUserStore } from "#dashboard/stores/user-store";
+import { useTRPC } from "#dashboard/trpc/client";
+
+export function useUser() {
+  const trpc = useTRPC();
+  const { user, setUser } = useUserStore();
+
+  const queryOptions = trpc.auth.session.queryOptions();
+  const query = useQuery({
+    ...queryOptions,
+    enabled: queryOptions.enabled ?? !user,
+    staleTime: queryOptions.staleTime ?? 5 * 60 * 1000,
+  });
+
+  useEffect(() => {
+    if (query.data) {
+      setUser(query.data);
+    } else if (query.isError) {
+      setUser(null);
+    }
+  }, [query.data, query.isError, setUser]);
+
+  return {
+    ...query,
+    setUser,
+    user,
+  };
+}

apps/dashboard/src/proxy.ts

@@ -1,50 +1,127 @@
-import { type NextRequest } from "next/server";
+import {
+  DEFAULT_ACCESS_TOKEN_COOKIE,
+  DEFAULT_REFRESH_TOKEN_COOKIE,
+} from "@basango/domain/constants";
+import { type NextRequest, NextResponse } from "next/server";
 import { createI18nMiddleware } from "next-international/middleware";
 
+const SUPPORTED_LOCALES = ["en"] as const;
+const DEFAULT_LOCALE = SUPPORTED_LOCALES[0];
+
 const I18nMiddleware = createI18nMiddleware({
-  defaultLocale: "en",
+  defaultLocale: DEFAULT_LOCALE,
-  locales: ["en"],
+  locales: SUPPORTED_LOCALES as unknown as string[],
   urlMappingStrategy: "rewrite",
 });
 
+const PUBLIC_PATHS = new Set(["/login"]);
+
+type SessionTokens = {
+  accessToken: string;
+  refreshToken: string;
+  accessTokenExpiresAt: string;
+  refreshTokenExpiresAt: string;
+};
+
 export default async function proxy(request: NextRequest) {
-  const response = await I18nMiddleware(request);
+  const { locale, pathname } = extractLocaleAndPath(request);
+  let accessToken = request.cookies.get(DEFAULT_ACCESS_TOKEN_COOKIE)?.value;
+  const refreshToken = request.cookies.get(DEFAULT_REFRESH_TOKEN_COOKIE)?.value;
+  const isPublicRoute = PUBLIC_PATHS.has(pathname);
+  let refreshedTokens: SessionTokens | null = null;
 
-  // const nextUrl = request.nextUrl;
+  if (!accessToken && refreshToken) {
+    refreshedTokens = await refreshSession(request);
+    accessToken = refreshedTokens?.accessToken;
+  }
 
-  // const pathnameLocale = nextUrl.pathname.split("/", 2)?.[1];
+  if (!isPublicRoute && !accessToken) {
+    return redirectToLogin(request, locale);
+  }
 
-  // // Remove the locale from the pathname
+  if (accessToken && pathname === "/login") {
-  // const pathnameWithoutLocale = pathnameLocale
+    const redirectUrl = new URL(`/${locale}/dashboard`, request.url);
-  //   ? nextUrl.pathname.slice(pathnameLocale.length + 1)
+    return NextResponse.redirect(redirectUrl);
-  //   : nextUrl.pathname;
+  }
 
-  // // Create a new URL without the locale in the pathname
+  const i18nResponse = await I18nMiddleware(request);
-  // const newUrl = new URL(pathnameWithoutLocale || "/", request.url);
-  // const encodedSearchParams = `${newUrl?.pathname?.substring(1)}${newUrl.search}`;
-  // const session = request.cookies.get("token")?.value;
 
-  // // 1. Not authenticated
+  if (refreshedTokens) {
-  // if (
+    setSessionCookies(i18nResponse, refreshedTokens, request);
-  //   !session &&
+  }
-  //   newUrl.pathname !== "/login" &&
-  //   !newUrl.pathname.includes("/i/") &&
-  //   !newUrl.pathname.includes("/s/") &&
-  //   !newUrl.pathname.includes("/verify")
-  // ) {
-  //   const url = new URL("/login", request.url);
 
-  //   if (encodedSearchParams) {
+  return i18nResponse;
-  //     url.searchParams.append("return_to", encodedSearchParams);
-  //   }
-
-  //   return NextResponse.redirect(url);
-  // }
-
-  // If all checks pass, return the original or updated response
-  return response;
 }
 
 export const config = {
   matcher: ["/((?!_next/static|_next/image|favicon.ico|api).*)"],
 };
+
+function extractLocaleAndPath(request: NextRequest) {
+  const segments = request.nextUrl.pathname.split("/").filter(Boolean);
+  const maybeLocale = segments[0];
+  const localeFromPath =
+    maybeLocale && SUPPORTED_LOCALES.find((supportedLocale) => supportedLocale === maybeLocale);
+  const locale = localeFromPath ?? DEFAULT_LOCALE;
+  const pathSegments = localeFromPath ? segments.slice(1) : segments;
+  const pathname = `/${pathSegments.join("/")}`.replace(/\/+/g, "/") || "/";
+
+  return { locale, pathname };
+}
+
+function redirectToLogin(request: NextRequest, locale: string) {
+  const target = new URL(`/${locale}/login`, request.url);
+  const returnTo = buildReturnToParam(request);
+
+  if (returnTo) {
+    target.searchParams.set("return_to", returnTo);
+  }
+
+  return NextResponse.redirect(target);
+}
+
+function buildReturnToParam(request: NextRequest) {
+  const path = `${request.nextUrl.pathname}${request.nextUrl.search}`;
+  return path !== "/" ? path : null;
+}
+
+async function refreshSession(request: NextRequest): Promise<SessionTokens | null> {
+  try {
+    const response = await fetch(new URL("/api/session/refresh", request.url), {
+      headers: {
+        cookie: request.headers.get("cookie") ?? "",
+      },
+      method: "POST",
+    });
+
+    if (!response.ok) {
+      return null;
+    }
+
+    return (await response.json()) as SessionTokens;
+  } catch {
+    return null;
+  }
+}
+
+function setSessionCookies(response: NextResponse, tokens: SessionTokens, request: NextRequest) {
+  const secure = request.nextUrl.protocol === "https:";
+
+  response.cookies.set({
+    expires: new Date(tokens.accessTokenExpiresAt),
+    name: DEFAULT_ACCESS_TOKEN_COOKIE,
+    path: "/",
+    sameSite: "lax",
+    secure,
+    value: tokens.accessToken,
+  });
+
+  response.cookies.set({
+    expires: new Date(tokens.refreshTokenExpiresAt),
+    name: DEFAULT_REFRESH_TOKEN_COOKIE,
+    path: "/",
+    sameSite: "lax",
+    secure,
+    value: tokens.refreshToken,
+  });
+}

apps/dashboard/src/stores/user-store.ts

@@ -0,0 +1,26 @@
+"use client";
+
+import type { RouterOutputs } from "@basango/api/trpc/routers/_app";
+import { create } from "zustand";
+import { createJSONStorage, persist } from "zustand/middleware";
+
+type SessionUser = RouterOutputs["auth"]["session"];
+
+type UserState = {
+  user: SessionUser | null;
+  setUser: (user: SessionUser | null) => void;
+};
+
+export const useUserStore = create<UserState>()(
+  persist(
+    (set) => ({
+      setUser: (user) => set({ user }),
+      user: null,
+    }),
+    {
+      name: "basango/user",
+      partialize: (state) => ({ user: state.user }),
+      storage: createJSONStorage(() => sessionStorage),
+    },
+  ),
+);

apps/dashboard/src/trpc/client.tsx

@@ -8,6 +8,8 @@ import { createTRPCContext } from "@trpc/tanstack-react-query";
 import { useState } from "react";
 import superjson from "superjson";
 
+import { getClientAccessToken } from "#dashboard/utils/auth/client";
+
 import { makeQueryClient } from "./query-client";
 
 export const { TRPCProvider, useTRPC } = createTRPCContext<AppRouter>();
@@ -44,11 +46,12 @@ export function TRPCReactProvider(
       links: [
         httpBatchLink({
           headers: async () => {
-            //const token = window.localStorage.getItem("auth_token");
+            const token = getClientAccessToken();
-
+            return token
-            return {
+              ? {
-              //Authorization: `Bearer ${token}`,
+                  Authorization: `Bearer ${token}`,
-            };
+                }
+              : {};
           },
           transformer: superjson,
           url: `${process.env.NEXT_PUBLIC_API_URL}/trpc`,

apps/dashboard/src/trpc/server.tsx

@@ -12,6 +12,8 @@ import {
 import { cache } from "react";
 import superjson from "superjson";
 
+import { getServerAccessToken } from "#dashboard/utils/auth/server";
+
 import { makeQueryClient } from "./query-client";
 
 // IMPORTANT: Create a stable getter for the query client that
@@ -23,14 +25,16 @@ export const trpc = createTRPCOptionsProxy<AppRouter>({
     links: [
       httpBatchLink({
         async headers() {
-          //const token = window.localStorage.getItem("auth_token");
+          const token = await getServerAccessToken();
 
-          return {
+          return token
-            //Authorization: `Bearer ${token}`,
+            ? {
+                Authorization: `Bearer ${token}`,
                 // "x-user-country": await getCountryCode(),
                 // "x-user-locale": await getLocale(),
                 // "x-user-timezone": await getTimezone(),
-          };
+              }
+            : {};
         },
         transformer: superjson,
         url: `${process.env.NEXT_PUBLIC_API_URL}/trpc`,

apps/dashboard/src/utils/auth/client.ts

@@ -0,0 +1,49 @@
+"use client";
+
+import {
+  DEFAULT_ACCESS_TOKEN_COOKIE,
+  DEFAULT_REFRESH_TOKEN_COOKIE,
+} from "@basango/domain/constants";
+
+type PersistTokensParams = {
+  accessToken: string;
+  refreshToken: string;
+  accessTokenExpiresAt: string;
+  refreshTokenExpiresAt: string;
+};
+
+export function getClientAccessToken() {
+  return readCookie(DEFAULT_ACCESS_TOKEN_COOKIE);
+}
+
+export function getClientRefreshToken() {
+  return readCookie(DEFAULT_REFRESH_TOKEN_COOKIE);
+}
+
+export function persistSessionTokens(tokens: PersistTokensParams) {
+  setCookie(DEFAULT_ACCESS_TOKEN_COOKIE, tokens.accessToken, tokens.accessTokenExpiresAt);
+  setCookie(DEFAULT_REFRESH_TOKEN_COOKIE, tokens.refreshToken, tokens.refreshTokenExpiresAt);
+}
+
+export function clearSessionTokens() {
+  deleteCookie(DEFAULT_ACCESS_TOKEN_COOKIE);
+  deleteCookie(DEFAULT_REFRESH_TOKEN_COOKIE);
+}
+
+function readCookie(name: string) {
+  const cookies = document.cookie.split(";").map((cookie) => cookie.trim());
+  const cookie = cookies.find((item) => item.startsWith(`${name}=`));
+  return cookie ? decodeURIComponent(cookie.slice(name.length + 1)) : undefined;
+}
+
+function setCookie(name: string, value: string, expiresAt: string) {
+  const expires = new Date(expiresAt).toUTCString();
+  const secure = window.location.protocol === "https:" ? "; Secure" : "";
+  const encodedValue = encodeURIComponent(value);
+  document.cookie = `${name}=${encodedValue}; Expires=${expires}; Path=/; SameSite=Lax${secure}`;
+}
+
+function deleteCookie(name: string) {
+  const secure = window.location.protocol === "https:" ? "; Secure" : "";
+  document.cookie = `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; SameSite=Lax${secure}`;
+}

apps/dashboard/src/utils/auth/server.ts

@@ -0,0 +1,15 @@
+import "server-only";
+
+import { cookies } from "next/headers";
+
+import { DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE } from "#domain/constants";
+
+export async function getServerAccessToken() {
+  const cookiesStore = await cookies();
+  return cookiesStore.get(DEFAULT_ACCESS_TOKEN_COOKIE)?.value;
+}
+
+export async function getServerRefreshToken() {
+  const cookiesStore = await cookies();
+  return cookiesStore.get(DEFAULT_REFRESH_TOKEN_COOKIE)?.value;
+}

apps/dashboard/src/utils/utils.ts

@@ -15,7 +15,7 @@ export function formatSize(bytes: number): string {
   }).format(+Math.round(bytes / 1024 ** unitIndex));
 }
 
-export function secondsToHoursAndMinutes(seconds: number) {
+export function formatHoursMinutes(seconds: number) {
   const hours = Math.floor(seconds / 3600);
   const minutes = Math.floor((seconds % 3600) / 60);
 

biome.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.3.4/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.3.6/schema.json",
   "assist": {
     "actions": {
       "source": {

bun.lock

@@ -5,17 +5,17 @@
       "name": "basango",
       "devDependencies": {
         "@basango/tsconfig": "workspace:*",
-        "@biomejs/biome": "^2.3.1",
+        "@biomejs/biome": "latest",
-        "@commitlint/cli": "^20.1.0",
+        "@commitlint/cli": "latest",
-        "@commitlint/config-conventional": "^20.0.0",
+        "@commitlint/config-conventional": "latest",
-        "@manypkg/cli": "^0.25.1",
+        "@manypkg/cli": "latest",
-        "@types/bun": "catalog:",
+        "@types/bun": "latest",
-        "@types/node": "catalog:",
+        "@types/node": "latest",
-        "commitizen": "^4.3.1",
+        "commitizen": "latest",
-        "cz-conventional-changelog": "^3.3.0",
+        "cz-conventional-changelog": "latest",
-        "husky": "^9.1.7",
+        "husky": "latest",
-        "turbo": "^2.6.1",
+        "turbo": "latest",
-        "typescript": "catalog:",
+        "typescript": "latest",
       },
     },
     "apps/api": {
@@ -73,7 +73,7 @@
         "@trpc/server": "^11.7.1",
         "@trpc/tanstack-react-query": "^11.7.1",
         "client-only": "^0.0.1",
-        "date-fns": "^4.1.0",
+        "date-fns": "catalog:",
         "lucide-react": "^0.553.0",
         "next": "catalog:",
         "next-international": "^1.3.1",
@@ -87,7 +87,7 @@
         "server-only": "^0.0.1",
         "sonner": "^2.0.7",
         "superjson": "^2.2.5",
-        "zod": "^4.1.12",
+        "zod": "catalog:",
         "zustand": "^5.0.8",
       },
       "devDependencies": {
@@ -169,7 +169,12 @@
     "packages/encryption": {
       "name": "@basango/encryption",
       "dependencies": {
+        "@basango/domain": "workspace:*",
         "@devscast/config": "catalog:",
+        "bcrypt": "^6.0.0",
+      },
+      "devDependencies": {
+        "@types/bcrypt": "^6.0.0",
       },
     },
     "packages/logger": {
@@ -467,23 +472,23 @@
 
     "@basango/ui": ["@basango/ui@workspace:packages/ui"],
 
-    "@biomejs/biome": ["@biomejs/biome@2.3.4", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.4", "@biomejs/cli-darwin-x64": "2.3.4", "@biomejs/cli-linux-arm64": "2.3.4", "@biomejs/cli-linux-arm64-musl": "2.3.4", "@biomejs/cli-linux-x64": "2.3.4", "@biomejs/cli-linux-x64-musl": "2.3.4", "@biomejs/cli-win32-arm64": "2.3.4", "@biomejs/cli-win32-x64": "2.3.4" }, "bin": { "biome": "bin/biome" } }, "sha512-TU08LXjBHdy0mEY9APtEtZdNQQijXUDSXR7IK1i45wgoPD5R0muK7s61QcFir6FpOj/RP1+YkPx5QJlycXUU3w=="],
+    "@biomejs/biome": ["@biomejs/biome@2.3.6", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.6", "@biomejs/cli-darwin-x64": "2.3.6", "@biomejs/cli-linux-arm64": "2.3.6", "@biomejs/cli-linux-arm64-musl": "2.3.6", "@biomejs/cli-linux-x64": "2.3.6", "@biomejs/cli-linux-x64-musl": "2.3.6", "@biomejs/cli-win32-arm64": "2.3.6", "@biomejs/cli-win32-x64": "2.3.6" }, "bin": { "biome": "bin/biome" } }, "sha512-oqUhWyU6tae0MFsr/7iLe++QWRg+6jtUhlx9/0GmCWDYFFrK366sBLamNM7D9Y+c7YSynUFKr8lpEp1r6Sk7eA=="],
 
-    "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.4", "", { "os": "darwin", "cpu": "arm64" }, "sha512-w40GvlNzLaqmuWYiDU6Ys9FNhJiclngKqcGld3iJIiy2bpJ0Q+8n3haiaC81uTPY/NA0d8Q/I3Z9+ajc14102Q=="],
+    "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.6", "", { "os": "darwin", "cpu": "arm64" }, "sha512-P4JWE5d8UayBxYe197QJwyW4ZHp0B+zvRIGCusOm1WbxmlhpAQA1zEqQuunHgSIzvyEEp4TVxiKGXNFZPg7r9Q=="],
 
-    "@biomejs/cli-darwin-x64": ["@biomejs/cli-darwin-x64@2.3.4", "", { "os": "darwin", "cpu": "x64" }, "sha512-3s7TLVtjJ7ni1xADXsS7x7GMUrLBZXg8SemXc3T0XLslzvqKj/dq1xGeBQ+pOWQzng9MaozfacIHdK2UlJ3jGA=="],
+    "@biomejs/cli-darwin-x64": ["@biomejs/cli-darwin-x64@2.3.6", "", { "os": "darwin", "cpu": "x64" }, "sha512-I4rTebj+F/L9K93IU7yTFs8nQ6EhaCOivxduRha4w4WEZK80yoZ8OAdR1F33m4yJ/NfUuTUbP/Wjs+vKjlCoWA=="],
 
-    "@biomejs/cli-linux-arm64": ["@biomejs/cli-linux-arm64@2.3.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-y7efHyyM2gYmHy/AdWEip+VgTMe9973aP7XYKPzu/j8JxnPHuSUXftzmPhkVw0lfm4ECGbdBdGD6+rLmTgNZaA=="],
+    "@biomejs/cli-linux-arm64": ["@biomejs/cli-linux-arm64@2.3.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-JjYy83eVBnvuINZiqyFO7xx72v8Srh4hsgaacSBCjC22DwM6+ZvnX1/fj8/SBiLuUOfZ8YhU2pfq2Dzakeyg1A=="],
 
-    "@biomejs/cli-linux-arm64-musl": ["@biomejs/cli-linux-arm64-musl@2.3.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-IruVGQRwMURivWazchiq7gKAqZSFs5so6gi0hJyxk7x6HR+iwZbO2IxNOqyLURBvL06qkIHs7Wffl6Bw30vCbQ=="],
+    "@biomejs/cli-linux-arm64-musl": ["@biomejs/cli-linux-arm64-musl@2.3.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-oK1NpIXIixbJ/4Tcx40cwiieqah6rRUtMGOHDeK2ToT7yUFVEvXUGRKqH0O4hqZ9tW8TcXNZKfgRH6xrsjVtGg=="],
 
-    "@biomejs/cli-linux-x64": ["@biomejs/cli-linux-x64@2.3.4", "", { "os": "linux", "cpu": "x64" }, "sha512-gKfjWR/6/dfIxPJCw8REdEowiXCkIpl9jycpNVHux8aX2yhWPLjydOshkDL6Y/82PcQJHn95VCj7J+BRcE5o1Q=="],
+    "@biomejs/cli-linux-x64": ["@biomejs/cli-linux-x64@2.3.6", "", { "os": "linux", "cpu": "x64" }, "sha512-ZjPXzy5yN9wusIoX+8Zp4p6cL8r0NzJCXg/4r1KLVveIPXd2jKVlqZ6ZyzEq385WwU3OX5KOwQYLQsOc788waQ=="],
 
-    "@biomejs/cli-linux-x64-musl": ["@biomejs/cli-linux-x64-musl@2.3.4", "", { "os": "linux", "cpu": "x64" }, "sha512-mzKFFv/w66e4/jCobFmD3kymCqG+FuWE7sVa4Yjqd9v7qt2UhXo67MSZKY9Ih18V2IwPzRKQPCw6KwdZs6AXSA=="],
+    "@biomejs/cli-linux-x64-musl": ["@biomejs/cli-linux-x64-musl@2.3.6", "", { "os": "linux", "cpu": "x64" }, "sha512-QvxB8GHQeaO4FCtwJpJjCgJkbHBbWxRHUxQlod+xeaYE6gtJdSkYkuxdKAQUZEOIsec+PeaDAhW9xjzYbwmOFA=="],
 
-    "@biomejs/cli-win32-arm64": ["@biomejs/cli-win32-arm64@2.3.4", "", { "os": "win32", "cpu": "arm64" }, "sha512-5TJ6JfVez+yyupJ/iGUici2wzKf0RrSAxJhghQXtAEsc67OIpdwSKAQboemILrwKfHDi5s6mu7mX+VTCTUydkw=="],
+    "@biomejs/cli-win32-arm64": ["@biomejs/cli-win32-arm64@2.3.6", "", { "os": "win32", "cpu": "arm64" }, "sha512-YM7hLHpwjdt8R7+O2zS1Vo2cKgqEeptiXB1tWW1rgjN5LlpZovBVKtg7zfwfRrFx3i08aNZThYpTcowpTlczug=="],
 
-    "@biomejs/cli-win32-x64": ["@biomejs/cli-win32-x64@2.3.4", "", { "os": "win32", "cpu": "x64" }, "sha512-FGCijXecmC4IedQ0esdYNlMpx0Jxgf4zceCaMu6fkjWyjgn50ZQtMiqZZQ0Q/77yqPxvtkgZAvt5uGw0gAAjig=="],
+    "@biomejs/cli-win32-x64": ["@biomejs/cli-win32-x64@2.3.6", "", { "os": "win32", "cpu": "x64" }, "sha512-psgNEYgMAobY5h+QHRBVR9xvg2KocFuBKm6axZWB/aD12NWhQjiVFQUjV6wMXhlH4iT0Q9c3yK5JFRiDC/rzHA=="],
 
     "@commitlint/cli": ["@commitlint/cli@20.1.0", "", { "dependencies": { "@commitlint/format": "^20.0.0", "@commitlint/lint": "^20.0.0", "@commitlint/load": "^20.1.0", "@commitlint/read": "^20.0.0", "@commitlint/types": "^20.0.0", "tinyexec": "^1.0.0", "yargs": "^17.0.0" }, "bin": { "commitlint": "./cli.js" } }, "sha512-pW5ujjrOovhq5RcYv5xCpb4GkZxkO2+GtOdBW2/qrr0Ll9tl3PX0aBBobGQl3mdZUbOBgwAexEQLeH6uxL0VYg=="],
 
@@ -1019,6 +1024,8 @@
 
     "@types/babel__traverse": ["@types/babel__traverse@7.28.0", "", { "dependencies": { "@babel/types": "^7.28.2" } }, "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q=="],
 
+    "@types/bcrypt": ["@types/bcrypt@6.0.0", "", { "dependencies": { "@types/node": "*" } }, "sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ=="],
+
     "@types/bun": ["@types/bun@1.3.2", "", { "dependencies": { "bun-types": "1.3.2" } }, "sha512-t15P7k5UIgHKkxwnMNkJbWlh/617rkDGEdSsDbu+qNHTaz9SKf7aC8fiIlUdD5RPpH6GEkP0cK7WlvmrEBRtWg=="],
 
     "@types/conventional-commits-parser": ["@types/conventional-commits-parser@5.0.2", "", { "dependencies": { "@types/node": "*" } }, "sha512-BgT2szDXnVypgpNxOK8aL5SGjUdaQbC++WZNjF1Qge3Og2+zhHj+RWhmehLhYyvQwqAmvezruVfOf8+3m74W+g=="],
@@ -1057,7 +1064,7 @@
 
     "@types/minimatch": ["@types/minimatch@6.0.0", "", { "dependencies": { "minimatch": "*" } }, "sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA=="],
 
-    "@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+    "@types/node": ["@types/node@24.10.1", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ=="],
 
     "@types/pg": ["@types/pg@8.15.6", "", { "dependencies": { "@types/node": "*", "pg-protocol": "*", "pg-types": "^2.2.0" } }, "sha512-NoaMtzhxOrubeL/7UZuNTrejB4MPAJ0RpxZqXQf2qXuVlTPuG6Y8p4u9dKRaue4yjmC7ZhzVO2/Yyyn25znrPQ=="],
 
@@ -1175,6 +1182,8 @@
 
     "basic-ftp": ["basic-ftp@5.0.5", "", {}, "sha512-4Bcg1P8xhUuqcii/S0Z9wiHIrQVPMermM1any+MX5GeGD7faD3/msQUDGLol9wOcz4/jbg/WJnGqoJF6LiBdtg=="],
 
+    "bcrypt": ["bcrypt@6.0.0", "", { "dependencies": { "node-addon-api": "^8.3.0", "node-gyp-build": "^4.8.4" } }, "sha512-cU8v/EGSrnH+HnxV2z0J7/blxH8gq7Xh2JFT6Aroax7UohdmiJJlxApMxtKfuI7z68NvvVcmR78k2LbT6efhRg=="],
+
     "better-opn": ["better-opn@3.0.2", "", { "dependencies": { "open": "^8.0.4" } }, "sha512-aVNobHnJqLiUelTaHat9DZ1qM2w0C0Eym4LPI/3JxOnSokGVdsl1T1kN7TFvsEAD8G47A6VKQ0TVHqbBnYMJlQ=="],
 
     "big-integer": ["big-integer@1.6.52", "", {}, "sha512-QxD8cf2eVqJOOz63z6JIN9BzvVs/dlySa5HGSBH5xtR8dPteIRQnBxxKqkNTiT6jbDTF6jAfrd4oMcND9RGbQg=="],
@@ -1971,10 +1980,14 @@
 
     "node-abort-controller": ["node-abort-controller@3.1.1", "", {}, "sha512-AGK2yQKIjRuqnc6VkX2Xj5d+QW8xZ87pa1UK6yA6ouUyuxfHuMP6umE5QK7UmTeOAymo+Zx1Fxiuw9rVx8taHQ=="],
 
+    "node-addon-api": ["node-addon-api@8.5.0", "", {}, "sha512-/bRZty2mXUIFY/xU5HLvveNHlswNJej+RnxBjOMkidWfwZzgTbPG1E3K5TOxRLOR+5hX7bSofy8yf1hZevMS8A=="],
+
     "node-fetch": ["node-fetch@2.7.0", "", { "dependencies": { "whatwg-url": "^5.0.0" }, "peerDependencies": { "encoding": "^0.1.0" }, "optionalPeers": ["encoding"] }, "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A=="],
 
     "node-forge": ["node-forge@1.3.1", "", {}, "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA=="],
 
+    "node-gyp-build": ["node-gyp-build@4.8.4", "", { "bin": { "node-gyp-build": "bin.js", "node-gyp-build-optional": "optional.js", "node-gyp-build-test": "build-test.js" } }, "sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ=="],
+
     "node-gyp-build-optional-packages": ["node-gyp-build-optional-packages@5.2.2", "", { "dependencies": { "detect-libc": "^2.0.1" }, "bin": { "node-gyp-build-optional-packages": "bin.js", "node-gyp-build-optional-packages-optional": "optional.js", "node-gyp-build-optional-packages-test": "build-test.js" } }, "sha512-s+w+rBWnpTMwSFbaE0UXsRlg7hU4FjekKU4eyAih5T8nJuNZT1nNsskXpxmeqSK9UzkBl6UgRlnKc8hz8IEqOw=="],
 
     "node-html-parser": ["node-html-parser@7.0.1", "", { "dependencies": { "css-select": "^5.1.0", "he": "1.2.0" } }, "sha512-KGtmPY2kS0thCWGK0VuPyOS+pBKhhe8gXztzA2ilAOhbUbxa9homF1bOyKvhGzMLXUoRds9IOmr/v5lr/lqNmA=="],
@@ -2613,8 +2626,6 @@
 
     "@babel/traverse--for-generate-function-map/@babel/code-frame": ["@babel/code-frame@7.27.1", "", { "dependencies": { "@babel/helper-validator-identifier": "^7.27.1", "js-tokens": "^4.0.0", "picocolors": "^1.1.1" } }, "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg=="],
 
-    "@basango/dashboard/date-fns": ["date-fns@4.1.0", "", {}, "sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg=="],
-
     "@commitlint/format/chalk": ["chalk@5.6.2", "", {}, "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA=="],
 
     "@commitlint/load/chalk": ["chalk@5.6.2", "", {}, "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA=="],
@@ -2693,8 +2704,14 @@
 
     "@istanbuljs/load-nyc-config/js-yaml": ["js-yaml@3.14.1", "", { "dependencies": { "argparse": "^1.0.7", "esprima": "^4.0.0" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g=="],
 
+    "@jest/environment/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "@jest/fake-timers/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "@jest/transform/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
+    "@jest/types/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "@jest/types/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
     "@radix-ui/react-alert-dialog/@radix-ui/react-slot": ["@radix-ui/react-slot@1.2.3", "", { "dependencies": { "@radix-ui/react-compose-refs": "1.1.2" }, "peerDependencies": { "@types/react": "*", "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" }, "optionalPeers": ["@types/react"] }, "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A=="],
@@ -2759,8 +2776,20 @@
 
     "@turbo/workspaces/semver": ["semver@7.6.2", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w=="],
 
+    "@types/bcrypt/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "@types/conventional-commits-parser/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "@types/glob/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "@types/graceful-fs/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "@types/inquirer/rxjs": ["rxjs@6.6.7", "", { "dependencies": { "tslib": "^1.9.0" } }, "sha512-hTdwr+7yYNIT5n4AMYp85KA6yw2Va0FLa3Rguvbpa4W3I5xynaBZo41cM3XM+4Q6fRMj3sBYIR1VAmZMXYJvRQ=="],
 
+    "@types/pg/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "@types/through/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "ansi-escapes/type-fest": ["type-fest@0.21.3", "", {}, "sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w=="],
 
     "ansi-styles/color-convert": ["color-convert@1.9.3", "", { "dependencies": { "color-name": "1.1.3" } }, "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg=="],
@@ -2777,8 +2806,14 @@
 
     "bullmq/uuid": ["uuid@9.0.1", "", { "bin": { "uuid": "dist/bin/uuid" } }, "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="],
 
+    "bun-types/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "chalk/escape-string-regexp": ["escape-string-regexp@1.0.5", "", {}, "sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg=="],
 
+    "chrome-launcher/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "chromium-edge-launcher/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "chromium-edge-launcher/mkdirp": ["mkdirp@1.0.4", "", { "bin": { "mkdirp": "bin/cmd.js" } }, "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw=="],
 
     "cmdk/@radix-ui/react-primitive": ["@radix-ui/react-primitive@2.1.4", "", { "dependencies": { "@radix-ui/react-slot": "1.2.4" }, "peerDependencies": { "@types/react": "*", "@types/react-dom": "*", "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" }, "optionalPeers": ["@types/react", "@types/react-dom"] }, "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg=="],
@@ -2845,10 +2880,18 @@
 
     "istanbul-lib-instrument/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="],
 
+    "jest-environment-node/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "jest-haste-map/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "jest-message-util/@babel/code-frame": ["@babel/code-frame@7.27.1", "", { "dependencies": { "@babel/helper-validator-identifier": "^7.27.1", "js-tokens": "^4.0.0", "picocolors": "^1.1.1" } }, "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg=="],
 
     "jest-message-util/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
+    "jest-mock/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
+    "jest-util/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "jest-util/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
     "jest-util/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
@@ -2857,6 +2900,8 @@
 
     "jest-validate/chalk": ["chalk@4.1.2", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA=="],
 
+    "jest-worker/@types/node": ["@types/node@24.10.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A=="],
+
     "jest-worker/supports-color": ["supports-color@8.1.1", "", { "dependencies": { "has-flag": "^4.0.0" } }, "sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q=="],
 
     "lighthouse-logger/debug": ["debug@2.6.9", "", { "dependencies": { "ms": "2.0.0" } }, "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA=="],

package.json

@@ -24,17 +24,17 @@
   },
   "devDependencies": {
     "@basango/tsconfig": "workspace:*",
-    "@biomejs/biome": "^2.3.1",
+    "@biomejs/biome": "^2.3.6",
     "@commitlint/cli": "^20.1.0",
     "@commitlint/config-conventional": "^20.0.0",
     "@manypkg/cli": "^0.25.1",
-    "@types/bun": "catalog:",
+    "@types/bun": "^1.3.2",
-    "@types/node": "catalog:",
+    "@types/node": "^24.10.1",
     "commitizen": "^4.3.1",
     "cz-conventional-changelog": "^3.3.0",
     "husky": "^9.1.7",
     "turbo": "^2.6.1",
-    "typescript": "catalog:"
+    "typescript": "^5.9.3"
   },
   "engines": {
     "node": ">=22"

packages/db/src/queries/index.ts

@@ -1,2 +1,3 @@
 export * from "./articles";
 export * from "./sources";
+export * from "./users";

packages/db/src/queries/users.ts

@@ -0,0 +1,23 @@
+import { and, eq, ilike } from "drizzle-orm";
+
+import { Database } from "#db/client";
+import { users } from "#db/schema";
+
+export type User = typeof users.$inferSelect;
+
+export async function getUserByEmail(db: Database, email: string): Promise<User | undefined> {
+  return db.query.users.findFirst({
+    where: ilike(users.email, email),
+  });
+}
+
+export async function getUserById(
+  db: Database,
+  params: { id: string; email?: string },
+): Promise<User | undefined> {
+  const { id, email } = params;
+
+  return db.query.users.findFirst({
+    where: email ? and(eq(users.id, id), ilike(users.email, email)) : eq(users.id, id),
+  });
+}

packages/domain/src/constants.ts

@@ -23,3 +23,14 @@ export const DEFAULT_SOURCE_IMAGE = "https://devscast.org/images/sources/";
 export const DEFAULT_PUBLICATION_GRAPH_DAYS = 30;
 export const DEFAULT_CATEGORY_SHARES_LIMIT = 10;
 export const DEFAULT_TIMEZONE = "Africa/Lubumbashi";
+
+export const DEFAULT_ACCESS_TOKEN_COOKIE = "basango.access_token";
+export const DEFAULT_REFRESH_TOKEN_COOKIE = "basango.refresh_token";
+export const DEFAULT_ENCRYPTION_ALGORITHM = "aes-256-gcm";
+export const DEFAULT_IV_LENGTH = 16;
+export const DEFAULT_AUTH_TAG_LENGTH = 16;
+export const DEFAULT_BCRYPT_SALT_ROUNDS = 12;
+export const DEFAULT_TOKEN_AUDIENCE = "basango_dashboard";
+export const DEFAULT_TOKEN_ISSUER = "basango_api";
+export const DEFAULT_ACCESS_TOKEN_TTL = "15m";
+export const DEFAULT_REFRESH_TOKEN_TTL = "7d";

packages/domain/src/models/auth.ts

@@ -0,0 +1,18 @@
+import { z } from "@hono/zod-openapi";
+
+export const loginSchema = z.object({
+  email: z.email().openapi({
+    description: "Email address used to authenticate the user.",
+    example: "user@example.com",
+  }),
+  password: z.string().min(8).openapi({
+    description: "Account password.",
+    example: "••••••••",
+  }),
+});
+
+export const refreshSessionSchema = z.object({
+  refreshToken: z.string().min(1).openapi({
+    description: "Refresh token returned when logging in.",
+  }),
+});

packages/domain/src/models/index.ts

@@ -1,4 +1,5 @@
 export * from "./articles";
+export * from "./auth";
 export * from "./shared";
 export * from "./sources";
 export * from "./users";

packages/encryption/package.json

@@ -1,6 +1,11 @@
 {
   "dependencies": {
-    "@devscast/config": "catalog:"
+    "@basango/domain": "workspace:*",
+    "@devscast/config": "catalog:",
+    "bcrypt": "^6.0.0"
+  },
+  "devDependencies": {
+    "@types/bcrypt": "^6.0.0"
   },
   "main": "src/index.ts",
   "name": "@basango/encryption",

packages/encryption/src/index.ts

@@ -1,13 +1,16 @@
 import crypto from "node:crypto";
 
+import {
+  DEFAULT_AUTH_TAG_LENGTH,
+  DEFAULT_BCRYPT_SALT_ROUNDS,
+  DEFAULT_ENCRYPTION_ALGORITHM,
+  DEFAULT_IV_LENGTH,
+} from "@basango/domain/constants";
 import { createEnvAccessor } from "@devscast/config";
+import * as bcrypt from "bcrypt";
 
 export const env = createEnvAccessor(["BASANGO_ENCRYPTION_KEY"] as const);
 
-const ALGORITHM = "aes-256-gcm";
-const IV_LENGTH = 16;
-const AUTH_TAG_LENGTH = 16;
-
 function getKey(): Buffer {
   const key = env("BASANGO_ENCRYPTION_KEY");
 
@@ -24,8 +27,8 @@ function getKey(): Buffer {
  */
 export function encrypt(text: string): string {
   const key = getKey();
-  const iv = crypto.randomBytes(IV_LENGTH);
+  const iv = crypto.randomBytes(DEFAULT_IV_LENGTH);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const cipher = crypto.createCipheriv(DEFAULT_ENCRYPTION_ALGORITHM, key, iv);
 
   let encrypted = cipher.update(text, "utf8", "hex");
   encrypted += cipher.final("hex");
@@ -50,11 +53,14 @@ export function decrypt(encryptedPayload: string): string {
   const dataBuffer = Buffer.from(encryptedPayload, "base64");
 
   // Extract IV, auth tag, and encrypted data
-  const iv = dataBuffer.subarray(0, IV_LENGTH);
+  const iv = dataBuffer.subarray(0, DEFAULT_IV_LENGTH);
-  const authTag = dataBuffer.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+  const authTag = dataBuffer.subarray(
-  const encryptedText = dataBuffer.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+    DEFAULT_IV_LENGTH,
+    DEFAULT_IV_LENGTH + DEFAULT_AUTH_TAG_LENGTH,
+  );
+  const encryptedText = dataBuffer.subarray(DEFAULT_IV_LENGTH + DEFAULT_AUTH_TAG_LENGTH);
 
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  const decipher = crypto.createDecipheriv(DEFAULT_ENCRYPTION_ALGORITHM, key, iv);
   decipher.setAuthTag(authTag);
 
   let decrypted = decipher.update(encryptedText.toString("hex"), "hex", "utf8");
@@ -74,3 +80,11 @@ export function md5(str: string): string {
 export function generateRandomBytes(size: number): string {
   return crypto.randomBytes(size).toString("hex");
 }
+
+export async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, DEFAULT_BCRYPT_SALT_ROUNDS);
+}
+
+export async function verifyPassword(password: string, hashed: string): Promise<boolean> {
+  return bcrypt.compare(password, hashed);
+}

packages/encryption/tsconfig.json

@@ -1,4 +1,10 @@
 {
+  "compilerOptions": {
+    "paths": {
+      "#domain/*": ["../../domain/src/*"],
+      "#encryption/*": ["./src/*"]
+    }
+  },
   "exclude": ["node_modules"],
   "extends": "@basango/tsconfig/base.json",
   "include": ["src/**/*"]