3 changes: 3 additions & 0 deletions .github/workflows/lint.yml
@@ -1,5 +1,8 @@
name: Linting Check

permissions:
contents: read

on:
pull_request:
branches: ['main']
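Review bot: The added workflow-level `permissions: contents: read` scopes the GITHUB_TOKEN for every job in this file, which is the right default for a lint check that only needs to read the checkout. The jobs themselves are below the hunk, so I cannot confirm none of them needs more (for example, writing check annotations); if one does, grant it per job rather than widening this top-level block. The same read-only default is worth applying to the repository's other workflows, and if the steps below use third-party actions, pinning them to a commit SHA would complete the hardening.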
2 changes: 1 addition & 1 deletion apps/backend/eslint.config.mjs
Expand Up @@ -20,7 +20,7 @@ export default tseslint.config(
},
sourceType: 'commonjs',
parserOptions: {
projectService: true,
project: true,
tsconfigRootDir: import.meta.dirname,
},
},
1 change: 1 addition & 0 deletions apps/backend/nest-cli.json
Expand Up @@ -3,6 +3,7 @@
"collection": "@nestjs/schematics",
"sourceRoot": "src",
"compilerOptions": {
"builder": "webpack",
"deleteOutDir": true
}
}
8 changes: 5 additions & 3 deletions apps/backend/package.json
Expand Up @@ -26,7 +26,7 @@
"@nestjs/jwt": "^11.0.1",
"@nestjs/platform-express": "^11.0.1",
"@nestjs/typeorm": "^11.0.0",
"bcrypt": "^6.0.0",
"bcryptjs": "^3.0.3",
"class-transformer": "^0.5.1",
"class-validator": "^0.14.2",
"passport-jwt": "^4.0.1",
Expand All @@ -41,7 +41,7 @@
"@nestjs/cli": "^11.0.0",
"@nestjs/schematics": "^11.0.0",
"@nestjs/testing": "^11.0.1",
"@types/bcrypt": "^6.0.0",
"@types/bcryptjs": "^2.4.6",
"@types/express": "^5.0.0",
"@types/jest": "^30.0.0",
"@types/node": "^22.10.7",
Expand Down Expand Up @@ -81,7 +81,9 @@
"coverageDirectory": "../coverage",
"testEnvironment": "node",
"moduleNameMapper": {
"@/(.*)$": "<rootDir>/$1"
"@/(.*)$": "<rootDir>/$1",
"@shared/validation/(.*)": "<rootDir>/../../../libs/shared-validation/src/$1",
"@shared/dtos/(.*)": "<rootDir>/../../../libs/shared-dtos/src/$1"
}
}
}
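Review bot: `@types/bcryptjs` `^2.4.6` in devDependencies is typed against the 2.x API while the runtime dependency is now `bcryptjs` `^3.0.3`, which to my knowledge ships its own declarations, so the DefinitelyTyped package is likely redundant and may shadow the bundled types with a stale surface; verify with `npm ls @types/bcryptjs` and drop the line if bcryptjs 3 resolves its types on its own. Since this commit swaps a native dependency for a pure-JS one, the lockfile should be regenerated in the same change so CI and production resolve the identical bcryptjs version, and the lockfile is not part of this diff.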
8 changes: 4 additions & 4 deletions apps/backend/src/auth/auth.controller.spec.ts
@@ -1,10 +1,10 @@
import { Test, TestingModule } from '@nestjs/testing';
import { AuthController } from '@/auth/auth.controller';
import { AuthService } from '@/auth/auth.service';
import { RegisterUserDto } from '@/auth/dto/register-user.dto';
import { UserResponseDto } from '@/users/user-response.dto';
import { LoginUserDto } from '@/auth/dto/login-user.dto';
import { AccessTokenDto } from '@/auth/dto/access-token.dto';
import { RegisterUserDto } from '@shared/dtos/auth/register-user.dto';
import { UserResponseDto } from '@shared/dtos/user/user-response.dto';
import { LoginUserDto } from '@shared/dtos/auth/login-user.dto';
import { AccessTokenDto } from '@shared/dtos/auth/access-token.dto';
import { ConflictException, UnauthorizedException } from '@nestjs/common';

const mockAuthService = {
8 changes: 4 additions & 4 deletions apps/backend/src/auth/auth.controller.ts
@@ -1,9 +1,9 @@
import { Body, Controller, Post } from '@nestjs/common';
import { RegisterUserDto } from '@/auth/dto/register-user.dto';
import { RegisterUserDto } from '@shared/dtos/auth/register-user.dto';
import { AuthService } from '@/auth/auth.service';
import { UserResponseDto } from '@/users/user-response.dto';
import { LoginUserDto } from '@/auth/dto/login-user.dto';
import { AccessTokenDto } from '@/auth/dto/access-token.dto';
import { UserResponseDto } from '@shared/dtos/user/user-response.dto';
import { LoginUserDto } from '@shared/dtos/auth/login-user.dto';
import { AccessTokenDto } from '@shared/dtos/auth/access-token.dto';

@Controller('auth')
export class AuthController {
10 changes: 5 additions & 5 deletions apps/backend/src/auth/auth.service.spec.ts
@@ -1,17 +1,17 @@
import { Test, TestingModule } from '@nestjs/testing';
import { AuthService } from '@/auth/auth.service';
import { DataSource } from 'typeorm';
import { RegisterUserDto } from '@/auth/dto/register-user.dto';
import { RegisterUserDto } from '@shared/dtos/auth/register-user.dto';
import { User } from '@/users/user.entity';
import * as bcrypt from 'bcrypt';
import * as bcrypt from 'bcryptjs';
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find package.json to check bcryptjs version
find . -name "package.json" -type f | head -20

Repository: Zafar7645/syncup

Length of output: 131


🏁 Script executed:

# Read the spec file to understand context
cat -n apps/backend/src/auth/auth.service.spec.ts | head -30

Repository: Zafar7645/syncup

Length of output: 1231


🌐 Web query:

bcryptjs security vulnerability maintenance status 2024 2025

💡 Result:

Short summary — status (2024–2025)

  • bcryptjs itself: No public direct CVE for bcryptjs in 2024–2025 and security scanners (Snyk) report “no known security issues” for the latest bcryptjs package and classify its maintenance as healthy (recent commits/releases). [1][2]

  • Known behavior to be aware of: bcrypt (and bcryptjs) only uses the first 72 bytes of input — this is an inherent algorithm limitation (not a new bug). Several downstream advisories in 2025 surfaced because apps using bcryptjs (e.g., Strapi) did not enforce or document a max-password length, leading to a medium-severity advisory (CVE-2025-25298) about silent truncation in affected Strapi versions; the fix was to enforce/handle the 72‑byte limit in the application. [3][4][5]

What to do

  • Treat bcryptjs as actively maintained but continue to: (a) enforce a max password length (≤72 bytes) or explicitly truncate before hashing, (b) keep bcryptjs and dependent packages up to date, and (c) monitor advisories for downstream integrations (e.g., frameworks that use bcryptjs). [1][3][4]

Sources

  • Snyk package page — bcryptjs (maintenance/health). [1]
  • Snyk/npm health data for bcrypt/bcryptjs. [2]
  • NVD / Tenable / dbugs coverage of CVE-2025-25298 (Strapi using bcryptjs and 72‑byte truncation). [3][4][5]

🌐 Web query:

bcryptjs vs bcrypt performance comparison production use

💡 Result:

Short answer: use native bcrypt in production when you can — it's noticeably faster (~20–30%+) and offloads work to libuv worker threads so it doesn't block the event loop. Use bcryptjs only when native compilation / native bindings are impossible (browser, some edge runtimes or constrained CI/builds) or you need a zero-dependency JS implementation; expect slower hashing and avoid synchronous calls (they block). [1][2][3][4]

Notes (very brief):

  • Performance: native bcrypt (C++ binding) wins in benchmarks vs bcryptjs (pure JS) — typically faster by ~20–30%. [3][4]
  • Non-blocking behavior: bcrypt (native) runs in libuv threadpool for async calls; bcryptjs is pure JS so async still runs on the main thread unless you use worker threads — avoid hashSync. [3][5]
  • Production recommendation: prefer native bcrypt or (better) Argon2 for new projects; use bcryptjs only for environments where native modules are not viable. [1][2]

Sources:
[1] npm bcryptjs package readme / notes on performance.
[2] bcrypt vs bcryptjs comparison articles and package comparisons.
[3] Benchmarks / blog posts and community benchmarks showing native bcrypt speed advantage.
[4] Practical guides / tutorials advising native bcrypt and warning about sync blocking.


🏁 Script executed:

# Check bcryptjs version in backend package.json
cat apps/backend/package.json | grep -A 2 -B 2 bcrypt

Repository: Zafar7645/syncup

Length of output: 400


🏁 Script executed:

# Check if the actual service implementation (not spec) uses bcryptjs
find apps/backend/src/auth -name "auth.service.ts" | head -5

Repository: Zafar7645/syncup

Length of output: 97


🏁 Script executed:

# Read the actual auth service to see how bcryptjs is used in production
cat -n apps/backend/src/auth/auth.service.ts | head -100

Repository: Zafar7645/syncup

Length of output: 3664


No security concern here; the performance trade-off is acceptable for async password hashing.

bcryptjs 3.0.3 is actively maintained and has no known security vulnerabilities. However, it is ~20–30% slower than native bcrypt. Since the service correctly uses async methods (bcrypt.hash() and bcrypt.compare()), it avoids blocking the event loop. For password hashing operations—which are intentionally computationally expensive—this performance difference is acceptable for most applications.

If production performance is a critical concern, consider evaluating native bcrypt (requires compiler toolchain) or Argon2 (better security properties) for future improvements.

🤖 Prompt for AI Agents
In apps/backend/src/auth/auth.service.spec.ts around line 6, the import of
bcryptjs is flagged as a security concern; keep the import as-is (import * as
bcrypt from 'bcryptjs') because the code uses async bcrypt.hash/compare and
bcryptjs has no known vulnerabilities; update the file by adding a short inline
comment next to the import noting that async methods are used so the event loop
is not blocked and that native bcrypt/Argon2 can be considered later if
production performance becomes critical.

import { ConflictException, UnauthorizedException } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { UsersService } from '@/users/users.service';
import { JwtService } from '@nestjs/jwt';
import { LoginUserDto } from '@/auth/dto/login-user.dto';
import { AccessTokenDto } from '@/auth/dto/access-token.dto';
import { LoginUserDto } from '@shared/dtos/auth/login-user.dto';
import { AccessTokenDto } from '@shared/dtos/auth/access-token.dto';

jest.mock('bcrypt', () => ({
jest.mock('bcryptjs', () => ({
hash: jest.fn(),
compare: jest.fn(),
}));
10 changes: 5 additions & 5 deletions apps/backend/src/auth/auth.service.ts
Expand Up @@ -3,16 +3,16 @@ import {
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { RegisterUserDto } from '@/auth/dto/register-user.dto';
import * as bcrypt from 'bcrypt';
import { RegisterUserDto } from '@shared/dtos/auth/register-user.dto';
import * as bcrypt from 'bcryptjs';
import { DataSource } from 'typeorm';
import { User } from '@/users/user.entity';
import { UserResponseDto } from '@/users/user-response.dto';
import { UserResponseDto } from '@shared/dtos/user/user-response.dto';
import { ConfigService } from '@nestjs/config';
import { UsersService } from '@/users/users.service';
import { JwtService } from '@nestjs/jwt';
import { LoginUserDto } from '@/auth/dto/login-user.dto';
import { AccessTokenDto } from '@/auth/dto/access-token.dto';
import { LoginUserDto } from '@shared/dtos/auth/login-user.dto';
import { AccessTokenDto } from '@shared/dtos/auth/access-token.dto';

@Injectable()
export class AuthService {
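Review bot: With hashing now routed through `bcryptjs`, keep in mind that bcrypt-family hashes consume only the first 72 bytes of the password, so anything longer is silently truncated before hashing and comparison. The 25-line `register-user.dto.ts` this commit deletes is replaced by `@shared/dtos/auth/register-user.dto`, which is not in this diff, so confirm the shared `RegisterUserDto` keeps the original class-validator constraints and bounds the password by bytes rather than characters — `@MaxLength(72)` counts UTF-16 code units, so a custom check such as `Buffer.byteLength(password, 'utf8') <= 72` is the reliable form. The `AuthService` body, where `bcrypt.hash`/`bcrypt.compare` are called, continues below the hunk.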
3 changes: 0 additions & 3 deletions apps/backend/src/auth/dto/access-token.dto.ts

This file was deleted.

25 changes: 0 additions & 25 deletions apps/backend/src/auth/dto/register-user.dto.ts

This file was deleted.

5 changes: 5 additions & 0 deletions apps/backend/src/main.ts
Expand Up @@ -11,6 +11,11 @@ async function bootstrap(): Promise<void> {
transform: true,
}),
);
app.enableCors({
origin: 'http://localhost:4200',
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
credentials: true,
});
Comment on lines +14 to +18
⚠️ Potential issue | 🟠 Major

Hardcoded origin will break production deployments.

The CORS origin is hardcoded to http://localhost:4200, which will prevent the frontend from making requests in production or staging environments.

🔎 Recommended fix: Use environment variables
  app.enableCors({
-    origin: 'http://localhost:4200',
+    origin: process.env.FRONTEND_URL ?? 'http://localhost:4200',
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
    credentials: true,
  });

Add FRONTEND_URL to your .env files for each environment (production, staging, etc.).

Optional: Since the PR mentions storing the JWT in localStorage, the credentials: true flag may not be strictly necessary (it is only needed when the browser must send cookies or HTTP-authentication credentials cross-origin; a bearer token added by JavaScript does not require it). However, keeping it doesn't cause issues and provides flexibility for future auth patterns.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
app.enableCors({
origin: 'http://localhost:4200',
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
credentials: true,
});
app.enableCors({
origin: process.env.FRONTEND_URL ?? 'http://localhost:4200',
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
credentials: true,
});
🤖 Prompt for AI Agents
In apps/backend/src/main.ts around lines 14 to 18, the CORS origin is hardcoded
to 'http://localhost:4200' which will break non-local environments; replace the
literal with an environment-driven value (e.g. process.env.FRONTEND_URL or via
your config service) and provide a sensible default/fallback for local dev, and
if needed support multiple origins by parsing a comma-separated env var into an
array or using a regex; keep credentials: true if you want cookie support but
it's optional for token-in-localStorage flows.

await app.listen(process.env.PORT ?? 3000);
}
void bootstrap();
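Review bot: The options object that closes on the first lines of this hunk (apparently a global `ValidationPipe`, given `transform: true`) starts above the hunk, so it is not visible whether `whitelist: true` is set. Now that the request DTOs come from `@shared/dtos` and are also consumed by the frontend, this pipe is the only server-side gate that strips body properties a client adds beyond the DTO, so confirm it is built as `new ValidationPipe({ whitelist: true, transform: true })`, adding `forbidNonWhitelisted: true` if unknown fields should be rejected outright. `bootstrap` begins above the hunk.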
7 changes: 5 additions & 2 deletions apps/backend/tsconfig.json
Expand Up @@ -15,7 +15,9 @@
"outDir": "./dist",
"baseUrl": "./",
"paths": {
"@/*": ["src/*"]
"@/*": ["src/*"],
"@shared/validation/*": ["../../libs/shared-validation/src/*"],
"@shared/dtos/*": ["../../libs/shared-dtos/src/*"]
},
"types": ["node", "jest"],
"incremental": true,
Expand All @@ -26,5 +28,6 @@
"strictBindCallApply": false,
"noFallthroughCasesInSwitch": false,
"useUnknownInCatchVariables": true
}
},
"include": ["src/**/*", "../../libs/**/*"]
}
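Review bot: `"include": ["src/**/*", "../../libs/**/*"]` pulls every file under `libs/` into the backend program, including any spec files, build output or nested `node_modules` those libraries may contain, which slows `tsc` and can surface unrelated type errors in the backend build. Narrowing it to the source roots the new path aliases already point at, `"include": ["src/**/*", "../../libs/shared-validation/src/**/*", "../../libs/shared-dtos/src/**/*"]`, keeps `paths` and `include` in step. Whether the libs currently contain such files is not visible in this diff.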
6 changes: 6 additions & 0 deletions apps/frontend/eslint.config.js
Expand Up @@ -31,6 +31,12 @@ module.exports = tseslint.config(
},
],
},
languageOptions: {
parserOptions: {
project: ['tsconfig.app.json', 'tsconfig.spec.json'],
tsconfigRootDir: __dirname,
},
},
},
{
files: ['**/*.html'],
4 changes: 3 additions & 1 deletion apps/frontend/package.json
Expand Up @@ -3,7 +3,7 @@
"version": "0.0.0",
"scripts": {
"ng": "ng",
"start": "ng serve",
"start": "ng serve --open",
"build": "ng build",
"watch": "ng build --watch --configuration development",
"test": "ng test",
Expand All @@ -29,6 +29,8 @@
"@angular/forms": "^20.3.0",
"@angular/platform-browser": "^20.3.0",
"@angular/router": "^20.3.0",
"class-transformer": "^0.5.1",
"class-validator": "^0.14.2",
Comment on lines +32 to +33
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

class-transformer npm latest version security advisories December 2025

💡 Result:

Summary (as of Dec 24, 2025)

  • Latest official class-transformer release on npm: 0.5.1. [1][2]
  • Known security advisory: CVE-2020-7637 — Prototype Pollution in classToPlainFromExist affecting versions < 0.3.1; fixed in 0.3.1. [3][4]
  • Current status: no known vulnerabilities affecting the latest 0.5.1 (Snyk reports no direct vulnerabilities for 0.5.1). [2]

Sources

  1. npm / jsDelivr package metadata showing version 0.5.1. [1]
  2. Snyk package page (latest version 0.5.1; no known security issues on latest). [2]
  3. GitLab Advisory / CVE-2020-7637 (details, affected versions <0.3.1, fixed in 0.3.1). [3]
  4. NVD / third‑party vulnerability summaries (CVE-2020-7637 writeups). [4]

If you want, I can: (a) show which of your projects depend on vulnerable versions, (b) provide an npm update/patch plan, or (c) fetch the exact npm package page / changelog for 0.5.1.


🌐 Web query:

class-validator npm latest version security advisories December 2025

💡 Result:

Summary (as of Dec 24, 2025)

  • Latest class-validator release: 0.14.3. [1][2]
  • Direct security status: no known vulnerabilities in 0.14.3; earlier versions (<0.14.0) are affected by an improper-input-validation issue and should be upgraded. [3][4]
  • Related dependency advisory: validator.js (used by class-validator) had CVE-2025-12758 (fixed in validator >= 13.15.22); ensure transitive dependency is up-to-date. [5]

Recommended action

  • Upgrade to class-validator@0.14.3 and confirm your lockfile (package-lock / yarn.lock / pnpm-lock) picks a patched validator.js (>=13.15.22). Re-scan with your SCA tooling (Snyk/OSS-Scanner/etc.). [3][5]

Sources

  1. jsDelivr/npm package info for class-validator (v0.14.3). [turn1search4]
  2. Snyk / package page showing latest version and security status (class-validator latest = 0.14.3). [turn1search1]
  3. Snyk vulnerability notes advising upgrade to >=0.14.0 to fix an improper input validation bypass. [turn1search3]
  4. Snyk package vulnerability list / changelog entries referencing 0.14.3 as latest. [turn0search6]
  5. GitLab / advisory for validator.js CVE-2025-12758 (fixed in 13.15.22). [turn0search3]

🌐 Web query:

class-transformer 0.5.1 CVE security vulnerabilities

💡 Result:

Short answer: class-transformer v0.5.1 has no publicly listed CVE affecting that version. The known CVE (CVE‑2020‑7637 / prototype pollution) affects versions < 0.3.1 and was fixed in 0.3.1 — later releases including 0.5.1 are not listed as vulnerable. [1][2][3]

Sources:

  • Snyk vulnerability entry (CVE-2020-7637) — affected <0.3.1, fixed in 0.3.1. [1]
  • Snyk package page for class-transformer — no direct vulnerabilities for latest (0.5.1). [2]
  • GitLab/NPM advisory summarizing the prototype-pollution issue and fixed versions. [3]

If you want, I can search again for any newer advisories (post‑Dec 24, 2025) or scan your project dependency tree for transitive issues.


🌐 Web query:

class-validator 0.14.2 CVE security vulnerabilities

💡 Result:

Short answer: There are no known CVEs published that affect class-validator version 0.14.2. [1]

Notes and sources:

  • Snyk’s database shows no direct vulnerabilities for class-validator@0.14.2 and marks 0.14.3 as the latest non‑vulnerable version. [1]
  • A previously published issue (CVE-2019-18413) describes an input‑validation bypass that was fixed by upgrading to 0.14.0 or later — i.e., versions >=0.14.0 (including 0.14.2) are not vulnerable to that CVE. [2]
  • Official package release info (npm / release history) showing 0.14.x releases. [3]

Sources:
[1] Snyk — class-validator@0.14.2 vulnerabilities. (security.snyk.io)
[2] Vulert / CVE-2019-18413 (disclosure & mitigation notes). (vulert.com)
[3] npm / release history for class-validator (0.14.x). (npmjs.com)

If you want, I can (a) scan your project for indirect vulnerabilities that affect class-validator via dependencies, or (b) monitor for any newly published advisories.

Citations:


Consider upgrading class-validator to 0.14.3 and verify transitive dependencies.

  • class-transformer@0.5.1 is current and secure (no known vulnerabilities).
  • class-validator@0.14.2 is secure but patch version 0.14.3 is available; upgrade recommended for consistency.
  • Verify that the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) pulls validator.js@≥13.15.22 to address CVE-2025-12758 in the transitive dependency chain.
🤖 Prompt for AI Agents
In apps/frontend/package.json around lines 32 to 33, update the class-validator
dependency from 0.14.2 to 0.14.3 and then regenerate the lockfile (npm install /
yarn install / pnpm install) to ensure transitive dependencies are refreshed;
after installing, inspect the resulting lockfile to confirm validator.js
resolves to >=13.15.22 (or patch it via resolutions/overrides if your package
manager supports it), run your test suite, and commit the updated package.json
and lockfile.

"rxjs": "~7.8.0",
"tslib": "^2.3.0",
"zone.js": "~0.15.0"
12 changes: 9 additions & 3 deletions apps/frontend/src/app/app.config.ts
@@ -1,12 +1,18 @@
import { ApplicationConfig, provideBrowserGlobalErrorListeners, provideZoneChangeDetection } from '@angular/core';
import {
ApplicationConfig,
provideBrowserGlobalErrorListeners,
provideZoneChangeDetection,
} from '@angular/core';
import { provideRouter } from '@angular/router';

import { routes } from './app.routes';
import { provideHttpClient } from '@angular/common/http';

export const appConfig: ApplicationConfig = {
providers: [
provideBrowserGlobalErrorListeners(),
provideZoneChangeDetection({ eventCoalescing: true }),
provideRouter(routes)
]
provideRouter(routes),
provideHttpClient(),
],
};
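Review bot: `provideHttpClient()` is registered with no features, so nothing in this configuration attaches the access token the backend's login endpoint returns (an `AccessTokenDto` per the backend hunks) to later requests or reacts to a 401. If the token is meant to travel as a bearer header, register it once here with `provideHttpClient(withInterceptors([authInterceptor]))` rather than setting the header in each service call, so no request path can forget it. This is inferred from the backend side of the diff; the frontend auth service itself is not in view.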