feat(auth): implement Auth module with register, login, JWT, guards, and CQRS

- Add RefreshToken and OAuthAccount models to Prisma schema
- Implement clean architecture: domain (entities, VOs, events, repo interfaces),
  infrastructure (Prisma repos, Passport strategies, token service),
  application (CQRS command/query handlers), presentation (controller, guards, DTOs)
- Endpoints: POST /auth/register, /auth/login, /auth/refresh, GET /auth/profile,
  GET /auth/profile/agent, PATCH /auth/kyc
- JWT access + refresh token rotation with family-based revocation
- Role-based guards (BUYER, SELLER, AGENT, ADMIN)
- 16 unit tests (value objects, entity) + integration test suite
- All 80 tests passing, clean TypeScript build

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/modules/auth/presentation/controllers/auth.controller.ts

@@ -0,0 +1,78 @@
+import {
+  Body,
+  Controller,
+  Get,
+  Patch,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
+import { CommandBus, QueryBus } from '@nestjs/cqrs';
+import { RegisterUserCommand } from '../../application/commands/register-user/register-user.command';
+import { LoginUserCommand } from '../../application/commands/login-user/login-user.command';
+import { RefreshTokenCommand } from '../../application/commands/refresh-token/refresh-token.command';
+import { VerifyKycCommand } from '../../application/commands/verify-kyc/verify-kyc.command';
+import { GetProfileQuery } from '../../application/queries/get-profile/get-profile.query';
+import { GetAgentByUserIdQuery } from '../../application/queries/get-agent-by-user-id/get-agent-by-user-id.query';
+import { RegisterDto } from '../dto/register.dto';
+import { RefreshTokenDto } from '../dto/refresh-token.dto';
+import { VerifyKycDto } from '../dto/verify-kyc.dto';
+import { JwtAuthGuard } from '../guards/jwt-auth.guard';
+import { LocalAuthGuard } from '../guards/local-auth.guard';
+import { RolesGuard } from '../guards/roles.guard';
+import { CurrentUser } from '../decorators/current-user.decorator';
+import { Roles } from '../decorators/roles.decorator';
+import { type JwtPayload, type TokenPair } from '../../infrastructure/services/token.service';
+import { type UserProfileDto } from '../../application/queries/get-profile/get-profile.handler';
+import { type AgentDto } from '../../application/queries/get-agent-by-user-id/get-agent-by-user-id.handler';
+
+@Controller('auth')
+export class AuthController {
+  constructor(
+    private readonly commandBus: CommandBus,
+    private readonly queryBus: QueryBus,
+  ) {}
+
+  @Post('register')
+  async register(@Body() dto: RegisterDto): Promise<TokenPair> {
+    return this.commandBus.execute(
+      new RegisterUserCommand(dto.phone, dto.password, dto.fullName, dto.email),
+    );
+  }
+
+  @UseGuards(LocalAuthGuard)
+  @Post('login')
+  async login(@CurrentUser() user: { id: string; phone: string; role: string }): Promise<TokenPair> {
+    return this.commandBus.execute(
+      new LoginUserCommand(user.id, user.phone, user.role),
+    );
+  }
+
+  @Post('refresh')
+  async refresh(@Body() dto: RefreshTokenDto): Promise<TokenPair> {
+    return this.commandBus.execute(new RefreshTokenCommand(dto.refreshToken));
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Get('profile')
+  async getProfile(@CurrentUser() user: JwtPayload): Promise<UserProfileDto> {
+    return this.queryBus.execute(new GetProfileQuery(user.sub));
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Get('profile/agent')
+  async getAgentProfile(@CurrentUser() user: JwtPayload): Promise<AgentDto | null> {
+    return this.queryBus.execute(new GetAgentByUserIdQuery(user.sub));
+  }
+
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles('ADMIN')
+  @Patch('kyc')
+  async verifyKyc(
+    @Body() dto: VerifyKycDto & { userId: string },
+  ): Promise<{ message: string }> {
+    await this.commandBus.execute(
+      new VerifyKycCommand(dto.userId, dto.kycStatus, dto.kycData),
+    );
+    return { message: 'KYC status đã được cập nhật' };
+  }
+}

apps/api/src/modules/auth/presentation/controllers/index.ts

@@ -0,0 +1 @@
+export { AuthController } from './auth.controller';

apps/api/src/modules/auth/presentation/decorators/current-user.decorator.ts

@@ -0,0 +1,9 @@
+import { createParamDecorator, type ExecutionContext } from '@nestjs/common';
+import { type JwtPayload } from '../../infrastructure/services/token.service';
+
+export const CurrentUser = createParamDecorator(
+  (_data: unknown, ctx: ExecutionContext): JwtPayload => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user;
+  },
+);

apps/api/src/modules/auth/presentation/decorators/index.ts

@@ -0,0 +1,2 @@
+export { Roles, ROLES_KEY } from './roles.decorator';
+export { CurrentUser } from './current-user.decorator';

apps/api/src/modules/auth/presentation/decorators/roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { type UserRole } from '@prisma/client';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: UserRole[]) => SetMetadata(ROLES_KEY, roles);

apps/api/src/modules/auth/presentation/dto/index.ts

@@ -0,0 +1,4 @@
+export { RegisterDto } from './register.dto';
+export { LoginDto } from './login.dto';
+export { RefreshTokenDto } from './refresh-token.dto';
+export { VerifyKycDto } from './verify-kyc.dto';

apps/api/src/modules/auth/presentation/dto/login.dto.ts

@@ -0,0 +1,9 @@
+import { IsString } from 'class-validator';
+
+export class LoginDto {
+  @IsString()
+  phone!: string;
+
+  @IsString()
+  password!: string;
+}

apps/api/src/modules/auth/presentation/dto/refresh-token.dto.ts

@@ -0,0 +1,6 @@
+import { IsString } from 'class-validator';
+
+export class RefreshTokenDto {
+  @IsString()
+  refreshToken!: string;
+}

apps/api/src/modules/auth/presentation/dto/register.dto.ts

@@ -0,0 +1,18 @@
+import { IsString, IsOptional, IsEmail, MinLength } from 'class-validator';
+
+export class RegisterDto {
+  @IsString()
+  phone!: string;
+
+  @IsString()
+  @MinLength(8)
+  password!: string;
+
+  @IsString()
+  @MinLength(1)
+  fullName!: string;
+
+  @IsOptional()
+  @IsEmail()
+  email?: string;
+}

apps/api/src/modules/auth/presentation/dto/verify-kyc.dto.ts

@@ -0,0 +1,11 @@
+import { IsEnum, IsOptional, IsObject } from 'class-validator';
+import { KYCStatus } from '@prisma/client';
+
+export class VerifyKycDto {
+  @IsEnum(KYCStatus)
+  kycStatus!: KYCStatus;
+
+  @IsOptional()
+  @IsObject()
+  kycData?: Record<string, unknown>;
+}

apps/api/src/modules/auth/presentation/guards/index.ts

@@ -0,0 +1,3 @@
+export { JwtAuthGuard } from './jwt-auth.guard';
+export { LocalAuthGuard } from './local-auth.guard';
+export { RolesGuard } from './roles.guard';

apps/api/src/modules/auth/presentation/guards/jwt-auth.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {}

apps/api/src/modules/auth/presentation/guards/local-auth.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class LocalAuthGuard extends AuthGuard('local') {}

apps/api/src/modules/auth/presentation/guards/roles.guard.ts

@@ -0,0 +1,23 @@
+import { Injectable, type CanActivate, type ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { type UserRole } from '@prisma/client';
+import { ROLES_KEY } from '../decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<UserRole[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!requiredRoles || requiredRoles.length === 0) {
+      return true;
+    }
+
+    const { user } = context.switchToHttp().getRequest();
+    return requiredRoles.includes(user?.role);
+  }
+}

apps/api/src/modules/auth/presentation/index.ts

@@ -0,0 +1,4 @@
+export * from './controllers';
+export * from './guards';
+export * from './decorators';
+export * from './dto';