chore: bump version to 0.1.0

.env.example

@@ -19,6 +19,11 @@ JWT_ISSUER=friendolls
 JWT_AUDIENCE=friendolls-api
 JWT_EXPIRES_IN_SECONDS=3600
 
+# Auth cleanup
+AUTH_CLEANUP_ENABLED=true
+AUTH_CLEANUP_INTERVAL_MS=900000
+AUTH_SESSION_REVOKED_RETENTION_DAYS=7
+
 # Google OAuth
 GOOGLE_CLIENT_ID="replace-with-google-client-id"
 GOOGLE_CLIENT_SECRET="replace-with-google-client-secret"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "friendolls-server",
-  "version": "0.0.1",
+  "version": "0.1.0",
   "description": "",
   "author": "",
   "private": true,
@@ -49,6 +49,7 @@
     "jsonwebtoken": "^9.0.2",
     "passport": "^0.7.0",
     "passport-discord": "^0.1.4",
+    "helmet": "^8.1.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-jwt": "^4.0.1",
     "pg": "^8.16.3",

prisma/schema.prisma

@@ -3,6 +3,7 @@
 
 generator client {
   provider = "prisma-client-js"
+  output   = "../node_modules/.prisma/client"
 }
 
 datasource db {

src/auth/auth.module.ts

@@ -10,6 +10,7 @@ import { UsersModule } from '../users/users.module';
 import { AuthController } from './auth.controller';
 import { GoogleAuthGuard } from './guards/google-auth.guard';
 import { DiscordAuthGuard } from './guards/discord-auth.guard';
+import { AuthCleanupService } from './services/auth-cleanup.service';
 
 @Module({
   imports: [
@@ -26,6 +27,7 @@ import { DiscordAuthGuard } from './guards/discord-auth.guard';
     DiscordAuthGuard,
     AuthService,
     JwtVerificationService,
+    AuthCleanupService,
   ],
   exports: [AuthService, PassportModule, JwtVerificationService],
 })

src/auth/services/auth-cleanup.service.ts

@@ -0,0 +1,159 @@
+import {
+  Injectable,
+  Inject,
+  Logger,
+  OnModuleDestroy,
+  OnModuleInit,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { PrismaService } from '../../database/prisma.service';
+import Redis from 'ioredis';
+import {
+  parseBoolean,
+  parsePositiveInteger,
+} from '../../common/config/env.utils';
+import { REDIS_CLIENT } from '../../database/redis.module';
+
+const MIN_CLEANUP_INTERVAL_MS = 60_000;
+const DEFAULT_CLEANUP_INTERVAL_MS = 15 * 60_000;
+const DEFAULT_REVOKED_RETENTION_DAYS = 7;
+const CLEANUP_LOCK_KEY = 'lock:auth:cleanup';
+const CLEANUP_LOCK_TTL_MS = 55_000;
+
+@Injectable()
+export class AuthCleanupService implements OnModuleInit, OnModuleDestroy {
+  private readonly logger = new Logger(AuthCleanupService.name);
+  private cleanupTimer: NodeJS.Timeout | null = null;
+  private isCleanupRunning = false;
+
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly configService: ConfigService,
+    @Inject(REDIS_CLIENT) private readonly redisClient: Redis | null,
+  ) {}
+
+  onModuleInit(): void {
+    const enabled = parseBoolean(
+      this.configService.get<string>('AUTH_CLEANUP_ENABLED'),
+      true,
+    );
+
+    if (!enabled) {
+      this.logger.log('Auth cleanup task disabled');
+      return;
+    }
+
+    const configuredInterval = parsePositiveInteger(
+      this.configService.get<string>('AUTH_CLEANUP_INTERVAL_MS'),
+      DEFAULT_CLEANUP_INTERVAL_MS,
+    );
+    const cleanupIntervalMs = Math.max(
+      configuredInterval,
+      MIN_CLEANUP_INTERVAL_MS,
+    );
+
+    this.cleanupTimer = setInterval(() => {
+      void this.cleanupExpiredAuthData();
+    }, cleanupIntervalMs);
+    this.cleanupTimer.unref();
+
+    void this.cleanupExpiredAuthData();
+    this.logger.log(`Auth cleanup task scheduled every ${cleanupIntervalMs}ms`);
+  }
+
+  onModuleDestroy(): void {
+    if (!this.cleanupTimer) {
+      return;
+    }
+
+    clearInterval(this.cleanupTimer);
+    this.cleanupTimer = null;
+  }
+
+  private async cleanupExpiredAuthData(): Promise<void> {
+    if (this.isCleanupRunning) {
+      this.logger.warn(
+        'Skipping auth cleanup run because previous run is still in progress',
+      );
+      return;
+    }
+
+    this.isCleanupRunning = true;
+    const lockToken = `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+    let lockAcquired = false;
+
+    try {
+      if (this.redisClient) {
+        try {
+          const lockResult = await this.redisClient.set(
+            CLEANUP_LOCK_KEY,
+            lockToken,
+            'PX',
+            CLEANUP_LOCK_TTL_MS,
+            'NX',
+          );
+          if (lockResult !== 'OK') {
+            return;
+          }
+          lockAcquired = true;
+        } catch (error) {
+          this.logger.warn(
+            'Failed to acquire auth cleanup lock; running cleanup without distributed lock',
+            error as Error,
+          );
+        }
+      }
+
+      const now = new Date();
+      const revokedRetentionDays = parsePositiveInteger(
+        this.configService.get<string>('AUTH_SESSION_REVOKED_RETENTION_DAYS'),
+        DEFAULT_REVOKED_RETENTION_DAYS,
+      );
+      const revokedCutoff = new Date(
+        now.getTime() - revokedRetentionDays * 24 * 60 * 60 * 1000,
+      );
+
+      const [codes, sessions] = await Promise.all([
+        this.prisma.authExchangeCode.deleteMany({
+          where: {
+            OR: [{ expiresAt: { lt: now } }, { consumedAt: { not: null } }],
+          },
+        }),
+        this.prisma.authSession.deleteMany({
+          where: {
+            OR: [
+              { expiresAt: { lt: now } },
+              { revokedAt: { lt: revokedCutoff } },
+            ],
+          },
+        }),
+      ]);
+
+      const totalDeleted = codes.count + sessions.count;
+
+      if (totalDeleted > 0) {
+        this.logger.log(
+          `Auth cleanup removed ${totalDeleted} records (${codes.count} exchange codes, ${sessions.count} sessions)`,
+        );
+      }
+    } catch (error) {
+      this.logger.error('Auth cleanup task failed', error as Error);
+    } finally {
+      if (lockAcquired && this.redisClient) {
+        try {
+          const currentLockValue = await this.redisClient.get(CLEANUP_LOCK_KEY);
+          if (currentLockValue === lockToken) {
+            await this.redisClient.del(CLEANUP_LOCK_KEY);
+          }
+        } catch (error) {
+          this.logger.warn(
+            'Failed to release auth cleanup lock',
+            error as Error,
+          );
+        }
+      }
+
+      this.isCleanupRunning = false;
+    }
+  }
+}

src/database/prisma.service.ts

@@ -40,6 +40,7 @@ export class PrismaService
   implements OnModuleInit, OnModuleDestroy
 {
   private readonly logger = new Logger(PrismaService.name);
+  private readonly pool: Pool;
 
   constructor(private configService: ConfigService) {
     const databaseUrl = configService.get<string>('DATABASE_URL');
@@ -62,6 +63,8 @@ export class PrismaService
       ],
     });
 
+    this.pool = pool;
+
     // Log database queries in development mode
     if (process.env.NODE_ENV === 'development') {
       this.$on('query' as never, (e: QueryEvent) => {
@@ -101,6 +104,7 @@ export class PrismaService
   async onModuleDestroy() {
     try {
       await this.$disconnect();
+      await this.pool.end();
       this.logger.log('Successfully disconnected from database');
     } catch (error) {
       this.logger.error('Error disconnecting from database', error);

src/main.ts

@@ -2,6 +2,7 @@ import { NestFactory } from '@nestjs/core';
 import { ValidationPipe, Logger } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
+import helmet from 'helmet';
 import { AppModule } from './app.module';
 import { AllExceptionsFilter } from './common/filters/all-exceptions.filter';
 import { RedisIoAdapter } from './ws/redis-io.adapter';
@@ -10,12 +11,28 @@ async function bootstrap() {
   const logger = new Logger('Bootstrap');
   const app = await NestFactory.create(AppModule);
   const configService = app.get(ConfigService);
+  const nodeEnv = configService.get<string>('NODE_ENV') || 'development';
+  const isProduction = nodeEnv === 'production';
+
+  app.enableShutdownHooks();
+
+  app.use(
+    helmet({
+      contentSecurityPolicy: false,
+      crossOriginEmbedderPolicy: false,
+    }),
+  );
 
   // Configure Redis Adapter for horizontal scaling (if enabled)
   const redisIoAdapter = new RedisIoAdapter(app, configService);
   await redisIoAdapter.connectToRedis();
   app.useWebSocketAdapter(redisIoAdapter);
 
+  app.enableCors({
+    origin: true,
+    credentials: true,
+  });
+
   // Enable global exception filter for consistent error responses
   app.useGlobalFilters(new AllExceptionsFilter());
 
@@ -29,11 +46,11 @@ async function bootstrap() {
       // Automatically transform payloads to DTO instances
       transform: true,
       // Provide detailed error messages
-      disableErrorMessages: false,
+      disableErrorMessages: isProduction,
     }),
   );
 
-  // Configure Swagger documentation
+  if (!isProduction) {
     const config = new DocumentBuilder()
       .setTitle('Friendolls API')
       .setDescription(
@@ -59,13 +76,24 @@ async function bootstrap() {
 
     const document = SwaggerModule.createDocument(app, config);
     SwaggerModule.setup('api', app, document);
+  }
 
   const host = process.env.HOST ?? 'localhost';
   const port = process.env.PORT ?? 3000;
   await app.listen(port);
+  const httpServer = app.getHttpServer() as {
+    once?: (event: 'close', listener: () => void) => void;
+  } | null;
+  httpServer?.once?.('close', () => {
+    void redisIoAdapter.close();
+  });
 
   logger.log(`Application is running on: http://${host}:${port}`);
-  logger.log(`Swagger documentation available at: http://${host}:${port}/api`);
+  if (!isProduction) {
+    logger.log(
+      `Swagger documentation available at: http://${host}:${port}/api`,
+    );
+  }
 }
 
 void bootstrap();

src/ws/state/interaction/handler.ts

@@ -9,6 +9,8 @@ import { WsNotificationService } from '../ws-notification.service';
 import { WS_EVENT } from '../ws-events';
 import { Validator } from '../utils/validation';
 
+const SENDER_NAME_CACHE_TTL_MS = 10 * 60 * 1000;
+
 export class InteractionHandler {
   private readonly logger = new Logger(InteractionHandler.name);
 
@@ -18,6 +20,32 @@ export class InteractionHandler {
     private readonly wsNotificationService: WsNotificationService,
   ) {}
 
+  private async resolveSenderName(
+    client: AuthenticatedSocket,
+    userId: string,
+  ): Promise<string> {
+    const cachedName = client.data.senderName;
+    const cachedAt = client.data.senderNameCachedAt;
+    const cacheIsFresh =
+      cachedName &&
+      typeof cachedAt === 'number' &&
+      Date.now() - cachedAt < SENDER_NAME_CACHE_TTL_MS;
+
+    if (cacheIsFresh) {
+      return cachedName;
+    }
+
+    const sender = await this.prisma.user.findUnique({
+      where: { id: userId },
+      select: { name: true, username: true },
+    });
+
+    const senderName = sender?.name || sender?.username || 'Unknown';
+    client.data.senderName = senderName;
+    client.data.senderNameCachedAt = Date.now();
+    return senderName;
+  }
+
   async handleSendInteraction(
     client: AuthenticatedSocket,
     data: SendInteractionDto,
@@ -61,11 +89,7 @@ export class InteractionHandler {
     }
 
     // 3. Construct payload
-    const sender = await this.prisma.user.findUnique({
+    const senderName = await this.resolveSenderName(client, currentUserId);
-      where: { id: currentUserId },
-      select: { name: true, username: true },
-    });
-    const senderName = sender?.name || sender?.username || 'Unknown';
 
     const payload: InteractionPayloadDto = {
       senderUserId: currentUserId,

src/ws/state/ws-notification.service.ts

@@ -48,13 +48,27 @@ export class WsNotificationService {
     action: 'add' | 'delete',
   ) {
     if (this.redisClient) {
+      try {
         await this.redisClient.publish(
           REDIS_CHANNEL.FRIEND_CACHE_UPDATE,
           JSON.stringify({ userId, friendId, action }),
         );
-    } else {
+        return;
-      // Fallback: update locally
+      } catch (error) {
+        this.logger.warn(
+          'Redis publish failed for friend cache update; applying local cache update only',
+          error as Error,
+        );
+      }
+    }
+
+    try {
       await this.updateFriendsCacheLocal(userId, friendId, action);
+    } catch (error) {
+      this.logger.error(
+        'Failed to apply local friend cache update',
+        error as Error,
+      );
     }
   }
 
@@ -89,13 +103,27 @@ export class WsNotificationService {
 
   async publishActiveDollUpdate(userId: string, dollId: string | null) {
     if (this.redisClient) {
+      try {
         await this.redisClient.publish(
           REDIS_CHANNEL.ACTIVE_DOLL_UPDATE,
           JSON.stringify({ userId, dollId }),
         );
-    } else {
+        return;
-      // Fallback: update locally
+      } catch (error) {
+        this.logger.warn(
+          'Redis publish failed for active doll update; applying local cache update only',
+          error as Error,
+        );
+      }
+    }
+
+    try {
       await this.updateActiveDollCache(userId, dollId);
+    } catch (error) {
+      this.logger.error(
+        'Failed to apply local active doll cache update',
+        error as Error,
+      );
     }
   }
 }