chore: bump version to 1.0.8

- Added function to stage and commit version changes automatically for `package.json` files.
- Integrated automated commit step into the release workflow.

.env.example

@@ -8,32 +8,40 @@ BACKEND_PORT=3001
 FRONTEND_PORT=3000
 
 # Database (PostgreSQL)
-POSTGRES_HOST=localhost
+POSTGRES_HOST=db
 POSTGRES_PORT=5432
-POSTGRES_DB=memegoat
+POSTGRES_DB=app
 POSTGRES_USER=app
 POSTGRES_PASSWORD=app
 
-# Storage (S3/MinIO) - À configurer lors de l'implémentation
-# S3_ENDPOINT=localhost
-# S3_PORT=9000
-# S3_ACCESS_KEY=
-# S3_SECRET_KEY=
-# S3_BUCKET=memegoat
+# Redis
+REDIS_HOST=redis
+REDIS_PORT=6379
 
-# Security (PGP & Auth) - À configurer lors de l'implémentation
-# PGP_PASSPHRASE=
-JWT_SECRET=super-secret-key-change-me-in-production
-ENCRYPTION_KEY=another-super-secret-key-32-chars
+# Storage (S3/MinIO)
+S3_ENDPOINT=s3
+S3_PORT=9000
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=minioadmin
+S3_BUCKET_NAME=memegoat
+
+# Security
+JWT_SECRET=super-secret-jwt-key-change-me-in-prod
+ENCRYPTION_KEY=01234567890123456789012345678901
+PGP_ENCRYPTION_KEY=super-secret-pgp-key
+SESSION_PASSWORD=super-secret-session-password-32-chars
 
 # Mail
-MAIL_HOST=localhost
+MAIL_HOST=mail
 MAIL_PORT=1025
 MAIL_SECURE=false
-MAIL_USER=user
-MAIL_PASS=password
-MAIL_FROM=noreply@memegoat.fr
-DOMAIN_NAME=memegoat.fr
+MAIL_USER=
+MAIL_PASS=
+MAIL_FROM=noreply@memegoat.local
+DOMAIN_NAME=localhost
+
+ENABLE_CORS=false
+CORS_DOMAIN_NAME=localhost
 
 # Media Limits (in KB)
 MAX_IMAGE_SIZE_KB=512

.gitea/workflows/backend-tests.yml

@@ -1,25 +0,0 @@
-name: Backend Tests
-on:
-  push:
-    paths:
-      - 'backend/**'
-  pull_request:
-    paths:
-      - 'backend/**'
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-        with:
-          version: 9
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: 'pnpm'
-      - name: Install dependencies
-        run: pnpm install
-      - name: Run Backend Tests
-        run: pnpm -F @memegoat/backend test

.gitea/workflows/ci.yml

@@ -0,0 +1,111 @@
+# Pipeline CI/CD pour Gitea Actions (Forgejo)
+# Compatible avec GitHub Actions pour la portabilité
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches:
+      - '**'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  validate:
+    name: Valider ${{ matrix.component }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        component: [backend, frontend, documentation]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Installer pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Configurer Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Obtenir le chemin du store pnpm
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> "${GITEA_OUTPUT:-$GITHUB_OUTPUT}"
+
+      - name: Configurer le cache pnpm
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Installer les dépendances
+        run: pnpm install --frozen-lockfile --prefer-offline
+
+      - name: Lint ${{ matrix.component }}
+        run: pnpm -F @memegoat/${{ matrix.component }} lint
+
+      - name: Tester ${{ matrix.component }}
+        if: matrix.component == 'backend' || matrix.component == 'frontend'
+        run: |
+          if pnpm -F @memegoat/${{ matrix.component }} run | grep -q "test"; then
+            pnpm -F @memegoat/${{ matrix.component }} test
+          else
+            echo "Pas de script de test trouvé pour ${{ matrix.component }}, passage."
+          fi
+
+      - name: Build ${{ matrix.component }}
+        run: pnpm -F @memegoat/${{ matrix.component }} build
+        env:
+          NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL }}
+
+  deploy:
+    name: Déploiement en Production
+    needs: validate
+    # Déclenchement uniquement sur push sur main ou tag de version
+    # Gitea supporte le contexte 'github' pour la compatibilité
+    if: gitea.event_name == 'push' && (gitea.ref == 'refs/heads/main' || startsWith(gitea.ref, 'refs/tags/v'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Vérifier l'environnement Docker
+        run: |
+          docker version
+          docker compose version
+
+      - name: Déployer avec Docker Compose
+        run: |
+          docker compose -f docker-compose.prod.yml up -d --build
+        env:
+          BACKEND_PORT: ${{ secrets.BACKEND_PORT }}
+          FRONTEND_PORT: ${{ secrets.FRONTEND_PORT }}
+          POSTGRES_HOST: ${{ secrets.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ secrets.POSTGRES_PORT }}
+          POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+          POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
+          REDIS_HOST: ${{ secrets.REDIS_HOST }}
+          REDIS_PORT: ${{ secrets.REDIS_PORT }}
+          S3_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
+          S3_PORT: ${{ secrets.S3_PORT }}
+          S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
+          S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+          S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
+          JWT_SECRET: ${{ secrets.JWT_SECRET }}
+          ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}
+          PGP_ENCRYPTION_KEY: ${{ secrets.PGP_ENCRYPTION_KEY }}
+          SESSION_PASSWORD: ${{ secrets.SESSION_PASSWORD }}
+          MAIL_HOST: ${{ secrets.MAIL_HOST }}
+          MAIL_PASS: ${{ secrets.MAIL_PASS }}
+          MAIL_USER: ${{ secrets.MAIL_USER }}
+          MAIL_FROM: ${{ secrets.MAIL_FROM }}
+          DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+          NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL }}

.gitea/workflows/lint.yml

@@ -1,36 +0,0 @@
-name: Lint
-on:
-  push:
-    paths:
-      - 'frontend/**'
-      - 'backend/**'
-      - 'documentation/**'
-  pull_request:
-    paths:
-      - 'frontend/**'
-      - 'backend/**'
-      - 'documentation/**'
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-        with:
-          version: 9
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: 'pnpm'
-      - name: Install dependencies
-        run: pnpm install
-      - name: Lint Frontend
-        if: success() || failure()
-        run: pnpm -F @memegoat/frontend lint
-      - name: Lint Backend
-        if: success() || failure()
-        run: pnpm -F @memegoat/backend lint
-      - name: Lint Documentation
-        if: success() || failure()
-        run: pnpm -F @bypass/documentation lint

.gitignore

@@ -1,6 +1,7 @@
 # Dependencies
 node_modules/
 jspm_packages/
+.pnpm-store
 
 # Environment variables
 .env

ROADMAP.md

@@ -0,0 +1,50 @@
+# 🐐 Memegoat - Roadmap & Critères de Production
+
+Ce document définit les objectifs, les critères techniques et les fonctionnalités à atteindre pour que le projet Memegoat soit considéré comme prêt pour la production et conforme aux normes européennes (RGPD) et françaises.
+
+## 1. 🏗️ Architecture & Infrastructure
+- [x] Backend NestJS (TypeScript)
+- [x] Base de données PostgreSQL avec Drizzle ORM
+- [x] Stockage d'objets compatible S3 (MinIO)
+- [x] Service d'Emailing (Nodemailer / SMTPS)
+- [x] Documentation Technique & Référence API (`docs.memegoat.fr`)
+- [x] Health Checks (`/health`)
+- [x] Gestion des variables d'environnement (Validation avec Zod)
+- [ ] CI/CD (Build, Lint, Test, Deploy)
+
+## 2. 🔐 Sécurité & Authentification
+- [x] Hachage des mots de passe (Argon2id)
+- [x] Gestion des sessions robuste (JWT avec Refresh Token et Rotation)
+- [x] RBAC (Role Based Access Control) fonctionnel
+- [x] Système de Clés API (Hachées en base)
+- [x] Double Authentification (2FA / TOTP)
+- [x] Limitation de débit (Rate Limiting / Throttler)
+- [x] Validation stricte des entrées (DTOs + ValidationPipe)
+- [x] Protection contre les vulnérabilités OWASP (Helmet, CORS)
+
+## 3. ⚖️ Conformité RGPD (EU & France)
+- [x] Chiffrement natif des données personnelles (PII) via PGP (pgcrypto)
+- [x] Hachage aveugle (Blind Indexing) pour l'email (recherche/unicité)
+- [x] Journalisation d'audit complète (Audit Logs) pour les actions sensibles
+- [x] Gestion du consentement (Versionnage CGU/Politique de Confidentialité)
+- [x] Droit à l'effacement : Flux de suppression (Soft Delete -> Purge définitive)
+- [x] Droit à la portabilité : Export des données utilisateur (JSON)
+- [x] Purge automatique des données obsolètes (Signalements, Sessions expirées)
+- [x] Anonymisation des adresses IP (Hachage) dans les logs
+
+## 4. 🖼️ Fonctionnalités Coeur (Media & Galerie)
+- [x] Exploration (Trends, Recent, Favoris)
+- [x] Recherche par Tags, Catégories, Auteur, Texte
+- [x] Gestion des Favoris
+- [x] Upload sécurisé via S3 (URLs présignées)
+- [x] Scan Antivirus (ClamAV) et traitement des médias (WebP, WebM, AVIF, AV1)
+- [x] Limitation de la taille et des formats de fichiers entrants (Configurable)
+- [x] Système de Signalement (Reports) et workflow de modération
+- [ ] SEO : Metatags dynamiques et slugs sémantiques
+
+## 5. ✅ Qualité & Robustesse
+- [ ] Couverture de tests unitaires (Jest) > 80%
+- [ ] Tests d'intégration et E2E
+- [x] Gestion centralisée des erreurs (Filters NestJS)
+- [ ] Monitoring et centralisation des logs (ex: Sentry, ELK/Loki)
+- [x] Performance : Cache (Redis) pour les tendances et recherches fréquentes

backend/.migrations/0000_right_sally_floyd.sql

@@ -0,0 +1,177 @@
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+CREATE TYPE "public"."user_status" AS ENUM('active', 'verification', 'suspended', 'pending', 'deleted');--> statement-breakpoint
+CREATE TYPE "public"."content_type" AS ENUM('meme', 'gif');--> statement-breakpoint
+CREATE TYPE "public"."report_reason" AS ENUM('inappropriate', 'spam', 'copyright', 'other');--> statement-breakpoint
+CREATE TYPE "public"."report_status" AS ENUM('pending', 'reviewed', 'resolved', 'dismissed');--> statement-breakpoint
+CREATE TABLE "users" (
+	"uuid" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"status" "user_status" DEFAULT 'pending' NOT NULL,
+	"email" "bytea" NOT NULL,
+	"email_hash" varchar(64) NOT NULL,
+	"display_name" varchar(32),
+	"username" varchar(32) NOT NULL,
+	"password_hash" varchar(72) NOT NULL,
+	"two_factor_secret" "bytea",
+	"is_two_factor_enabled" boolean DEFAULT false NOT NULL,
+	"terms_version" varchar(16),
+	"privacy_version" varchar(16),
+	"gdpr_accepted_at" timestamp with time zone,
+	"last_login_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"deleted_at" timestamp with time zone,
+	CONSTRAINT "users_email_hash_unique" UNIQUE("email_hash"),
+	CONSTRAINT "users_username_unique" UNIQUE("username")
+);
+--> statement-breakpoint
+CREATE TABLE "permissions" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"name" varchar(64) NOT NULL,
+	"slug" varchar(64) NOT NULL,
+	"description" varchar(128),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "permissions_name_unique" UNIQUE("name"),
+	CONSTRAINT "permissions_slug_unique" UNIQUE("slug")
+);
+--> statement-breakpoint
+CREATE TABLE "roles" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"name" varchar(64) NOT NULL,
+	"slug" varchar(64) NOT NULL,
+	"description" varchar(128),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "roles_name_unique" UNIQUE("name"),
+	CONSTRAINT "roles_slug_unique" UNIQUE("slug")
+);
+--> statement-breakpoint
+CREATE TABLE "roles_to_permissions" (
+	"role_id" uuid NOT NULL,
+	"permission_id" uuid NOT NULL,
+	CONSTRAINT "roles_to_permissions_role_id_permission_id_pk" PRIMARY KEY("role_id","permission_id")
+);
+--> statement-breakpoint
+CREATE TABLE "users_to_roles" (
+	"user_id" uuid NOT NULL,
+	"role_id" uuid NOT NULL,
+	CONSTRAINT "users_to_roles_user_id_role_id_pk" PRIMARY KEY("user_id","role_id")
+);
+--> statement-breakpoint
+CREATE TABLE "sessions" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid NOT NULL,
+	"refresh_token" varchar(512) NOT NULL,
+	"user_agent" varchar(255),
+	"ip_hash" varchar(64),
+	"is_valid" boolean DEFAULT true NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "sessions_refresh_token_unique" UNIQUE("refresh_token")
+);
+--> statement-breakpoint
+CREATE TABLE "api_keys" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid NOT NULL,
+	"key_hash" varchar(128) NOT NULL,
+	"name" varchar(128) NOT NULL,
+	"prefix" varchar(8) NOT NULL,
+	"is_active" boolean DEFAULT true NOT NULL,
+	"last_used_at" timestamp with time zone,
+	"expires_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "api_keys_key_hash_unique" UNIQUE("key_hash")
+);
+--> statement-breakpoint
+CREATE TABLE "tags" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"name" varchar(64) NOT NULL,
+	"slug" varchar(64) NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "tags_name_unique" UNIQUE("name"),
+	CONSTRAINT "tags_slug_unique" UNIQUE("slug")
+);
+--> statement-breakpoint
+CREATE TABLE "contents" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid NOT NULL,
+	"type" "content_type" NOT NULL,
+	"title" varchar(255) NOT NULL,
+	"storage_key" varchar(512) NOT NULL,
+	"mime_type" varchar(128) NOT NULL,
+	"file_size" integer NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"deleted_at" timestamp with time zone,
+	CONSTRAINT "contents_storage_key_unique" UNIQUE("storage_key")
+);
+--> statement-breakpoint
+CREATE TABLE "contents_to_tags" (
+	"content_id" uuid NOT NULL,
+	"tag_id" uuid NOT NULL,
+	CONSTRAINT "contents_to_tags_content_id_tag_id_pk" PRIMARY KEY("content_id","tag_id")
+);
+--> statement-breakpoint
+CREATE TABLE "reports" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"reporter_id" uuid NOT NULL,
+	"content_id" uuid,
+	"tag_id" uuid,
+	"reason" "report_reason" NOT NULL,
+	"description" text,
+	"status" "report_status" DEFAULT 'pending' NOT NULL,
+	"expires_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "audit_logs" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid,
+	"action" varchar(64) NOT NULL,
+	"entity_type" varchar(64) NOT NULL,
+	"entity_id" uuid,
+	"details" jsonb,
+	"ip_hash" varchar(64),
+	"user_agent" varchar(255),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "roles_to_permissions" ADD CONSTRAINT "roles_to_permissions_role_id_roles_id_fk" FOREIGN KEY ("role_id") REFERENCES "public"."roles"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "roles_to_permissions" ADD CONSTRAINT "roles_to_permissions_permission_id_permissions_id_fk" FOREIGN KEY ("permission_id") REFERENCES "public"."permissions"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "users_to_roles" ADD CONSTRAINT "users_to_roles_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "users_to_roles" ADD CONSTRAINT "users_to_roles_role_id_roles_id_fk" FOREIGN KEY ("role_id") REFERENCES "public"."roles"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "sessions" ADD CONSTRAINT "sessions_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "api_keys" ADD CONSTRAINT "api_keys_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "contents" ADD CONSTRAINT "contents_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "contents_to_tags" ADD CONSTRAINT "contents_to_tags_content_id_contents_id_fk" FOREIGN KEY ("content_id") REFERENCES "public"."contents"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "contents_to_tags" ADD CONSTRAINT "contents_to_tags_tag_id_tags_id_fk" FOREIGN KEY ("tag_id") REFERENCES "public"."tags"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "reports" ADD CONSTRAINT "reports_reporter_id_users_uuid_fk" FOREIGN KEY ("reporter_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "reports" ADD CONSTRAINT "reports_content_id_contents_id_fk" FOREIGN KEY ("content_id") REFERENCES "public"."contents"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "reports" ADD CONSTRAINT "reports_tag_id_tags_id_fk" FOREIGN KEY ("tag_id") REFERENCES "public"."tags"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "users_uuid_idx" ON "users" USING btree ("uuid");--> statement-breakpoint
+CREATE INDEX "users_email_hash_idx" ON "users" USING btree ("email_hash");--> statement-breakpoint
+CREATE INDEX "users_username_idx" ON "users" USING btree ("username");--> statement-breakpoint
+CREATE INDEX "users_status_idx" ON "users" USING btree ("status");--> statement-breakpoint
+CREATE INDEX "permissions_slug_idx" ON "permissions" USING btree ("slug");--> statement-breakpoint
+CREATE INDEX "roles_slug_idx" ON "roles" USING btree ("slug");--> statement-breakpoint
+CREATE INDEX "sessions_user_id_idx" ON "sessions" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "sessions_refresh_token_idx" ON "sessions" USING btree ("refresh_token");--> statement-breakpoint
+CREATE INDEX "sessions_expires_at_idx" ON "sessions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "api_keys_user_id_idx" ON "api_keys" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "api_keys_key_hash_idx" ON "api_keys" USING btree ("key_hash");--> statement-breakpoint
+CREATE INDEX "tags_slug_idx" ON "tags" USING btree ("slug");--> statement-breakpoint
+CREATE INDEX "contents_user_id_idx" ON "contents" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "contents_storage_key_idx" ON "contents" USING btree ("storage_key");--> statement-breakpoint
+CREATE INDEX "contents_deleted_at_idx" ON "contents" USING btree ("deleted_at");--> statement-breakpoint
+CREATE INDEX "reports_reporter_id_idx" ON "reports" USING btree ("reporter_id");--> statement-breakpoint
+CREATE INDEX "reports_content_id_idx" ON "reports" USING btree ("content_id");--> statement-breakpoint
+CREATE INDEX "reports_tag_id_idx" ON "reports" USING btree ("tag_id");--> statement-breakpoint
+CREATE INDEX "reports_status_idx" ON "reports" USING btree ("status");--> statement-breakpoint
+CREATE INDEX "reports_expires_at_idx" ON "reports" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "audit_logs_user_id_idx" ON "audit_logs" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_action_idx" ON "audit_logs" USING btree ("action");--> statement-breakpoint
+CREATE INDEX "audit_logs_entity_idx" ON "audit_logs" USING btree ("entity_type","entity_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_created_at_idx" ON "audit_logs" USING btree ("created_at");

backend/.migrations/0001_purple_goliath.sql

@@ -0,0 +1,30 @@
+CREATE TABLE "categories" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"name" varchar(64) NOT NULL,
+	"slug" varchar(64) NOT NULL,
+	"description" varchar(255),
+	"icon_url" varchar(512),
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "categories_name_unique" UNIQUE("name"),
+	CONSTRAINT "categories_slug_unique" UNIQUE("slug")
+);
+--> statement-breakpoint
+CREATE TABLE "favorites" (
+	"user_id" uuid NOT NULL,
+	"content_id" uuid NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "favorites_user_id_content_id_pk" PRIMARY KEY("user_id","content_id")
+);
+--> statement-breakpoint
+ALTER TABLE "tags" ADD COLUMN "user_id" uuid;--> statement-breakpoint
+ALTER TABLE "contents" ADD COLUMN "category_id" uuid;--> statement-breakpoint
+ALTER TABLE "contents" ADD COLUMN "slug" varchar(255) NOT NULL;--> statement-breakpoint
+ALTER TABLE "contents" ADD COLUMN "views" integer DEFAULT 0 NOT NULL;--> statement-breakpoint
+ALTER TABLE "contents" ADD COLUMN "usage_count" integer DEFAULT 0 NOT NULL;--> statement-breakpoint
+ALTER TABLE "favorites" ADD CONSTRAINT "favorites_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "favorites" ADD CONSTRAINT "favorites_content_id_contents_id_fk" FOREIGN KEY ("content_id") REFERENCES "public"."contents"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "categories_slug_idx" ON "categories" USING btree ("slug");--> statement-breakpoint
+ALTER TABLE "tags" ADD CONSTRAINT "tags_user_id_users_uuid_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("uuid") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "contents" ADD CONSTRAINT "contents_category_id_categories_id_fk" FOREIGN KEY ("category_id") REFERENCES "public"."categories"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "contents" ADD CONSTRAINT "contents_slug_unique" UNIQUE("slug");

backend/.migrations/0002_redundant_skin.sql

@@ -0,0 +1 @@
+ALTER TABLE "users" ADD COLUMN "avatar_url" varchar(255);

backend/.migrations/0003_colossal_fantastic_four.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "users" ALTER COLUMN "password_hash" SET DATA TYPE varchar(255);--> statement-breakpoint
+ALTER TABLE "users" DROP COLUMN "avatar_url";

backend/.migrations/0004_cheerful_dakota_north.sql

@@ -0,0 +1 @@
+ALTER TABLE "users" ALTER COLUMN "password_hash" SET DATA TYPE varchar(95);

backend/.migrations/0005_perpetual_silverclaw.sql

@@ -0,0 +1 @@
+ALTER TABLE "users" ALTER COLUMN "password_hash" SET DATA TYPE varchar(100);

backend/.migrations/0006_friendly_adam_warlock.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "users" ADD COLUMN "avatar_url" varchar(512);--> statement-breakpoint
+ALTER TABLE "users" ADD COLUMN "bio" varchar(255);

backend/.migrations/meta/_journal.json

@@ -0,0 +1,55 @@
+{
+  "version": "7",
+  "dialect": "postgresql",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "7",
+      "when": 1767618753676,
+      "tag": "0000_right_sally_floyd",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "7",
+      "when": 1768392191169,
+      "tag": "0001_purple_goliath",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1768393637823,
+      "tag": "0002_redundant_skin",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "7",
+      "when": 1768415667895,
+      "tag": "0003_colossal_fantastic_four",
+      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "7",
+      "when": 1768417827439,
+      "tag": "0004_cheerful_dakota_north",
+      "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "7",
+      "when": 1768420201679,
+      "tag": "0005_perpetual_silverclaw",
+      "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "7",
+      "when": 1768423315172,
+      "tag": "0006_friendly_adam_warlock",
+      "breakpoints": true
+    }
+  ]
+}

backend/Dockerfile

@@ -1,17 +1,34 @@
-FROM node:22-slim AS base
+# syntax=docker/dockerfile:1
+FROM node:22-alpine AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
-RUN corepack enable
+RUN corepack enable && corepack prepare pnpm@latest --activate
 
 FROM base AS build
 WORKDIR /usr/src/app
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
+COPY backend/package.json ./backend/
+COPY frontend/package.json ./frontend/
+COPY documentation/package.json ./documentation/
+
+# Utilisation du cache pour pnpm et installation figée
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+    pnpm install --frozen-lockfile
+
 COPY . .
-RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
+
+# Deuxième passe avec cache pour les scripts/liens
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+    pnpm install --frozen-lockfile
+
 RUN pnpm run --filter @memegoat/backend build
-RUN pnpm deploy --filter=@memegoat/backend --prod /app
+RUN pnpm deploy --filter=@memegoat/backend --prod --legacy /app
+RUN cp -r backend/dist /app/dist
+RUN cp -r backend/.migrations /app/.migrations
 
 FROM base AS runtime
 WORKDIR /app
 COPY --from=build /app .
 EXPOSE 3000
-CMD [ "node", "dist/main" ]
+ENV NODE_ENV=production
+CMD [ "node", "dist/src/main" ]

backend/biome.json

@@ -7,7 +7,7 @@
 	},
 	"files": {
 		"ignoreUnknown": true,
-		"includes": ["**", "!node_modules", "!dist", "!build"]
+		"includes": ["**", "!node_modules", "!dist", "!build", "!.migrations"]
 	},
 	"formatter": {
 		"enabled": true,

backend/package.json

@@ -1,12 +1,14 @@
 {
 	"name": "@memegoat/backend",
-	"version": "0.0.1",
+	"version": "1.0.8",
 	"description": "",
 	"author": "",
 	"private": true,
 	"license": "UNLICENSED",
 	"files": [
-		"dist"
+		"dist",
+		".migrations",
+		"drizzle.config.ts"
 	],
 	"scripts": {
 		"build": "nest build",
@@ -60,10 +62,22 @@
 		"rxjs": "^7.8.1",
 		"sharp": "^0.34.5",
 		"uuid": "^13.0.0",
-		"zod": "^4.3.5"
+		"zod": "^4.3.5",
+		"drizzle-kit": "^0.31.8"
 	},
 	"devDependencies": {
 		"@nestjs/cli": "^11.0.0",
+		"globals": "^16.0.0",
+		"jest": "^30.0.0",
+		"source-map-support": "^0.5.21",
+		"supertest": "^7.0.0",
+		"ts-jest": "^29.2.5",
+		"ts-loader": "^9.5.2",
+		"ts-node": "^10.9.2",
+		"tsconfig-paths": "^4.2.0",
+		"tsx": "^4.21.0",
+		"typescript": "^5.7.3",
+		"typescript-eslint": "^8.20.0",
 		"@nestjs/schematics": "^11.0.0",
 		"@nestjs/testing": "^11.0.1",
 		"@types/express": "^5.0.0",
@@ -77,18 +91,7 @@
 		"@types/sharp": "^0.32.0",
 		"@types/supertest": "^6.0.2",
 		"@types/uuid": "^11.0.0",
-		"drizzle-kit": "^0.31.8",
-		"globals": "^16.0.0",
-		"jest": "^30.0.0",
-		"source-map-support": "^0.5.21",
-		"supertest": "^7.0.0",
-		"ts-jest": "^29.2.5",
-		"ts-loader": "^9.5.2",
-		"ts-node": "^10.9.2",
-		"tsconfig-paths": "^4.2.0",
-		"tsx": "^4.21.0",
-		"typescript": "^5.7.3",
-		"typescript-eslint": "^8.20.0"
+		"drizzle-kit": "^0.31.8"
 	},
 	"jest": {
 		"moduleFileExtensions": [
@@ -104,7 +107,7 @@
 		"coverageDirectory": "../coverage",
 		"testEnvironment": "node",
 		"transformIgnorePatterns": [
-			"node_modules/(?!(jose|@noble)/)"
+			"node_modules/(?!(.pnpm/)?(jose|@noble|uuid)/)"
 		],
 		"transform": {
 			"^.+\\.(t|j)sx?$": "ts-jest"

backend/src/admin/admin.controller.spec.ts

@@ -0,0 +1,62 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AdminController } from "./admin.controller";
+import { AdminService } from "./admin.service";
+
+describe("AdminController", () => {
+	let controller: AdminController;
+	let service: AdminService;
+
+	const mockAdminService = {
+		getStats: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [AdminController],
+			providers: [{ provide: AdminService, useValue: mockAdminService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<AdminController>(AdminController);
+		service = module.get<AdminService>(AdminService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("getStats", () => {
+		it("should call service.getStats", async () => {
+			await controller.getStats();
+			expect(service.getStats).toHaveBeenCalled();
+		});
+	});
+});

backend/src/admin/admin.controller.ts

@@ -0,0 +1,17 @@
+import { Controller, Get, UseGuards } from "@nestjs/common";
+import { Roles } from "../auth/decorators/roles.decorator";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AdminService } from "./admin.service";
+
+@Controller("admin")
+@UseGuards(AuthGuard, RolesGuard)
+@Roles("admin")
+export class AdminController {
+	constructor(private readonly adminService: AdminService) {}
+
+	@Get("stats")
+	getStats() {
+		return this.adminService.getStats();
+	}
+}

backend/src/admin/admin.module.ts

@@ -0,0 +1,14 @@
+import { Module } from "@nestjs/common";
+import { AuthModule } from "../auth/auth.module";
+import { CategoriesModule } from "../categories/categories.module";
+import { ContentsModule } from "../contents/contents.module";
+import { UsersModule } from "../users/users.module";
+import { AdminController } from "./admin.controller";
+import { AdminService } from "./admin.service";
+
+@Module({
+	imports: [AuthModule, UsersModule, ContentsModule, CategoriesModule],
+	controllers: [AdminController],
+	providers: [AdminService],
+})
+export class AdminModule {}

backend/src/admin/admin.service.spec.ts

@@ -0,0 +1,58 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { CategoriesRepository } from "../categories/repositories/categories.repository";
+import { ContentsRepository } from "../contents/repositories/contents.repository";
+import { UsersRepository } from "../users/repositories/users.repository";
+import { AdminService } from "./admin.service";
+
+describe("AdminService", () => {
+	let service: AdminService;
+	let _usersRepository: UsersRepository;
+	let _contentsRepository: ContentsRepository;
+	let _categoriesRepository: CategoriesRepository;
+
+	const mockUsersRepository = {
+		countAll: jest.fn(),
+	};
+
+	const mockContentsRepository = {
+		count: jest.fn(),
+	};
+
+	const mockCategoriesRepository = {
+		countAll: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				AdminService,
+				{ provide: UsersRepository, useValue: mockUsersRepository },
+				{ provide: ContentsRepository, useValue: mockContentsRepository },
+				{ provide: CategoriesRepository, useValue: mockCategoriesRepository },
+			],
+		}).compile();
+
+		service = module.get<AdminService>(AdminService);
+		_usersRepository = module.get<UsersRepository>(UsersRepository);
+		_contentsRepository = module.get<ContentsRepository>(ContentsRepository);
+		_categoriesRepository =
+			module.get<CategoriesRepository>(CategoriesRepository);
+	});
+
+	it("should return stats", async () => {
+		mockUsersRepository.countAll.mockResolvedValue(10);
+		mockContentsRepository.count.mockResolvedValue(20);
+		mockCategoriesRepository.countAll.mockResolvedValue(5);
+
+		const result = await service.getStats();
+
+		expect(result).toEqual({
+			users: 10,
+			contents: 20,
+			categories: 5,
+		});
+		expect(mockUsersRepository.countAll).toHaveBeenCalled();
+		expect(mockContentsRepository.count).toHaveBeenCalledWith({});
+		expect(mockCategoriesRepository.countAll).toHaveBeenCalled();
+	});
+});

backend/src/admin/admin.service.ts

@@ -0,0 +1,27 @@
+import { Injectable } from "@nestjs/common";
+import { CategoriesRepository } from "../categories/repositories/categories.repository";
+import { ContentsRepository } from "../contents/repositories/contents.repository";
+import { UsersRepository } from "../users/repositories/users.repository";
+
+@Injectable()
+export class AdminService {
+	constructor(
+		private readonly usersRepository: UsersRepository,
+		private readonly contentsRepository: ContentsRepository,
+		private readonly categoriesRepository: CategoriesRepository,
+	) {}
+
+	async getStats() {
+		const [userCount, contentCount, categoryCount] = await Promise.all([
+			this.usersRepository.countAll(),
+			this.contentsRepository.count({}),
+			this.categoriesRepository.countAll(),
+		]);
+
+		return {
+			users: userCount,
+			contents: contentCount,
+			categories: categoryCount,
+		};
+	}
+}

backend/src/api-keys/api-keys.controller.spec.ts

@@ -0,0 +1,95 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { ApiKeysController } from "./api-keys.controller";
+import { ApiKeysService } from "./api-keys.service";
+
+describe("ApiKeysController", () => {
+	let controller: ApiKeysController;
+	let service: ApiKeysService;
+
+	const mockApiKeysService = {
+		create: jest.fn(),
+		findAll: jest.fn(),
+		revoke: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [ApiKeysController],
+			providers: [{ provide: ApiKeysService, useValue: mockApiKeysService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<ApiKeysController>(ApiKeysController);
+		service = module.get<ApiKeysService>(ApiKeysService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { name: "Key Name", expiresAt: "2026-01-20T12:00:00Z" };
+			await controller.create(req, dto);
+			expect(service.create).toHaveBeenCalledWith(
+				"user-uuid",
+				"Key Name",
+				new Date(dto.expiresAt),
+			);
+		});
+
+		it("should call service.create without expiresAt", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { name: "Key Name" };
+			await controller.create(req, dto);
+			expect(service.create).toHaveBeenCalledWith(
+				"user-uuid",
+				"Key Name",
+				undefined,
+			);
+		});
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.findAll(req);
+			expect(service.findAll).toHaveBeenCalledWith("user-uuid");
+		});
+	});
+
+	describe("revoke", () => {
+		it("should call service.revoke", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.revoke(req, "key-id");
+			expect(service.revoke).toHaveBeenCalledWith("user-uuid", "key-id");
+		});
+	});
+});

backend/src/api-keys/api-keys.controller.ts

@@ -11,6 +11,7 @@ import {
 import { AuthGuard } from "../auth/guards/auth.guard";
 import type { AuthenticatedRequest } from "../common/interfaces/request.interface";
 import { ApiKeysService } from "./api-keys.service";
+import { CreateApiKeyDto } from "./dto/create-api-key.dto";
 
 @Controller("api-keys")
 @UseGuards(AuthGuard)
@@ -20,13 +21,12 @@ export class ApiKeysController {
 	@Post()
 	create(
 		@Req() req: AuthenticatedRequest,
-		@Body("name") name: string,
-		@Body("expiresAt") expiresAt?: string,
+		@Body() createApiKeyDto: CreateApiKeyDto,
 	) {
 		return this.apiKeysService.create(
 			req.user.sub,
-			name,
-			expiresAt ? new Date(expiresAt) : undefined,
+			createApiKeyDto.name,
+			createApiKeyDto.expiresAt ? new Date(createApiKeyDto.expiresAt) : undefined,
 		);
 	}
 

backend/src/api-keys/api-keys.module.ts

@@ -1,14 +1,13 @@
-import { Module } from "@nestjs/common";
+import { forwardRef, Module } from "@nestjs/common";
 import { AuthModule } from "../auth/auth.module";
-import { CryptoModule } from "../crypto/crypto.module";
-import { DatabaseModule } from "../database/database.module";
 import { ApiKeysController } from "./api-keys.controller";
 import { ApiKeysService } from "./api-keys.service";
+import { ApiKeysRepository } from "./repositories/api-keys.repository";
 
 @Module({
-	imports: [DatabaseModule, AuthModule, CryptoModule],
+	imports: [forwardRef(() => AuthModule)],
 	controllers: [ApiKeysController],
-	providers: [ApiKeysService],
-	exports: [ApiKeysService],
+	providers: [ApiKeysService, ApiKeysRepository],
+	exports: [ApiKeysService, ApiKeysRepository],
 })
 export class ApiKeysModule {}

backend/src/api-keys/api-keys.service.spec.ts

@@ -1,58 +1,43 @@
-import { createHash } from "node:crypto";
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../database/database.service";
-import { apiKeys } from "../database/schemas";
+import { HashingService } from "../crypto/services/hashing.service";
 import { ApiKeysService } from "./api-keys.service";
+import { ApiKeysRepository } from "./repositories/api-keys.repository";
 
 describe("ApiKeysService", () => {
 	let service: ApiKeysService;
+	let repository: ApiKeysRepository;
 
-	const mockDb = {
-		insert: jest.fn(),
-		values: jest.fn(),
-		select: jest.fn(),
-		from: jest.fn(),
-		where: jest.fn(),
-		limit: jest.fn(),
-		update: jest.fn(),
-		set: jest.fn(),
-		returning: jest.fn(),
+	const mockApiKeysRepository = {
+		create: jest.fn(),
+		findAll: jest.fn(),
+		revoke: jest.fn(),
+		findActiveByKeyHash: jest.fn(),
+		updateLastUsed: jest.fn(),
+	};
+
+	const mockHashingService = {
+		hashSha256: jest.fn().mockResolvedValue("hashed-key"),
 	};
 
 	beforeEach(async () => {
 		jest.clearAllMocks();
 
-		mockDb.insert.mockReturnThis();
-		mockDb.values.mockResolvedValue(undefined);
-		mockDb.select.mockReturnThis();
-		mockDb.from.mockReturnThis();
-		mockDb.where.mockReturnThis();
-		mockDb.limit.mockReturnThis();
-		mockDb.update.mockReturnThis();
-		mockDb.set.mockReturnThis();
-		mockDb.returning.mockResolvedValue([]);
-
-		// Default for findAll which is awaited on where()
-		mockDb.where.mockImplementation(() => {
-			const chain = {
-				returning: jest.fn().mockResolvedValue([]),
-			};
-			return Object.assign(Promise.resolve([]), chain);
-		});
-
 		const module: TestingModule = await Test.createTestingModule({
 			providers: [
 				ApiKeysService,
 				{
-					provide: DatabaseService,
-					useValue: {
-						db: mockDb,
-					},
+					provide: ApiKeysRepository,
+					useValue: mockApiKeysRepository,
+				},
+				{
+					provide: HashingService,
+					useValue: mockHashingService,
 				},
 			],
 		}).compile();
 
 		service = module.get<ApiKeysService>(ApiKeysService);
+		repository = module.get<ApiKeysRepository>(ApiKeysRepository);
 	});
 
 	it("should be defined", () => {
@@ -67,8 +52,7 @@ describe("ApiKeysService", () => {
 
 			const result = await service.create(userId, name, expiresAt);
 
-			expect(mockDb.insert).toHaveBeenCalledWith(apiKeys);
-			expect(mockDb.values).toHaveBeenCalledWith(
+			expect(repository.create).toHaveBeenCalledWith(
 				expect.objectContaining({
 					userId,
 					name,
@@ -87,12 +71,11 @@ describe("ApiKeysService", () => {
 		it("should find all API keys for a user", async () => {
 			const userId = "user-id";
 			const expectedKeys = [{ id: "1", name: "Key 1" }];
-			(mockDb.where as jest.Mock).mockResolvedValue(expectedKeys);
+			mockApiKeysRepository.findAll.mockResolvedValue(expectedKeys);
 
 			const result = await service.findAll(userId);
 
-			expect(mockDb.select).toHaveBeenCalled();
-			expect(mockDb.from).toHaveBeenCalledWith(apiKeys);
+			expect(repository.findAll).toHaveBeenCalledWith(userId);
 			expect(result).toEqual(expectedKeys);
 		});
 	});
@@ -102,17 +85,11 @@ describe("ApiKeysService", () => {
 			const userId = "user-id";
 			const keyId = "key-id";
 			const expectedResult = [{ id: keyId, isActive: false }];
-
-			mockDb.where.mockReturnValue({
-				returning: jest.fn().mockResolvedValue(expectedResult),
-			});
+			mockApiKeysRepository.revoke.mockResolvedValue(expectedResult);
 
 			const result = await service.revoke(userId, keyId);
 
-			expect(mockDb.update).toHaveBeenCalledWith(apiKeys);
-			expect(mockDb.set).toHaveBeenCalledWith(
-				expect.objectContaining({ isActive: false }),
-			);
+			expect(repository.revoke).toHaveBeenCalledWith(userId, keyId);
 			expect(result).toEqual(expectedResult);
 		});
 	});
@@ -120,42 +97,19 @@ describe("ApiKeysService", () => {
 	describe("validateKey", () => {
 		it("should validate a valid API key", async () => {
 			const key = "mg_live_testkey";
-			const keyHash = createHash("sha256").update(key).digest("hex");
-			const apiKey = { id: "1", keyHash, isActive: true, expiresAt: null };
-
-			(mockDb.limit as jest.Mock).mockResolvedValue([apiKey]);
-			(mockDb.where as jest.Mock).mockResolvedValue([apiKey]); // For the update later if needed, but here it's for select
-
-			// We need to be careful with chaining mockDb.where is used in both select and update
-			const mockSelect = {
-				from: jest.fn().mockReturnThis(),
-				where: jest.fn().mockReturnThis(),
-				limit: jest.fn().mockResolvedValue([apiKey]),
-			};
-			const mockUpdate = {
-				set: jest.fn().mockReturnThis(),
-				where: jest.fn().mockResolvedValue(undefined),
-			};
-
-			(mockDb.select as jest.Mock).mockReturnValue(mockSelect);
-			(mockDb.update as jest.Mock).mockReturnValue(mockUpdate);
+			const apiKey = { id: "1", isActive: true, expiresAt: null };
+			mockApiKeysRepository.findActiveByKeyHash.mockResolvedValue(apiKey);
 
 			const result = await service.validateKey(key);
 
 			expect(result).toEqual(apiKey);
-			expect(mockDb.select).toHaveBeenCalled();
-			expect(mockDb.update).toHaveBeenCalledWith(apiKeys);
+			expect(repository.findActiveByKeyHash).toHaveBeenCalled();
+			expect(repository.updateLastUsed).toHaveBeenCalledWith(apiKey.id);
 		});
 
 		it("should return null for invalid API key", async () => {
-			(mockDb.select as jest.Mock).mockReturnValue({
-				from: jest.fn().mockReturnThis(),
-				where: jest.fn().mockReturnThis(),
-				limit: jest.fn().mockResolvedValue([]),
-			});
-
+			mockApiKeysRepository.findActiveByKeyHash.mockResolvedValue(null);
 			const result = await service.validateKey("invalid-key");
-
 			expect(result).toBeNull();
 		});
 
@@ -164,12 +118,7 @@ describe("ApiKeysService", () => {
 			const expiredDate = new Date();
 			expiredDate.setFullYear(expiredDate.getFullYear() - 1);
 			const apiKey = { id: "1", isActive: true, expiresAt: expiredDate };
-
-			(mockDb.select as jest.Mock).mockReturnValue({
-				from: jest.fn().mockReturnThis(),
-				where: jest.fn().mockReturnThis(),
-				limit: jest.fn().mockResolvedValue([apiKey]),
-			});
+			mockApiKeysRepository.findActiveByKeyHash.mockResolvedValue(apiKey);
 
 			const result = await service.validateKey(key);
 

backend/src/api-keys/api-keys.service.ts

@@ -1,14 +1,16 @@
-import { createHash, randomBytes } from "node:crypto";
+import { randomBytes } from "node:crypto";
 import { Injectable, Logger } from "@nestjs/common";
-import { and, eq } from "drizzle-orm";
-import { DatabaseService } from "../database/database.service";
-import { apiKeys } from "../database/schemas";
+import { HashingService } from "../crypto/services/hashing.service";
+import { ApiKeysRepository } from "./repositories/api-keys.repository";
 
 @Injectable()
 export class ApiKeysService {
 	private readonly logger = new Logger(ApiKeysService.name);
 
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(
+		private readonly apiKeysRepository: ApiKeysRepository,
+		private readonly hashingService: HashingService,
+	) {}
 
 	async create(userId: string, name: string, expiresAt?: Date) {
 		this.logger.log(`Creating API key for user ${userId}: ${name}`);
@@ -16,9 +18,9 @@ export class ApiKeysService {
 		const randomPart = randomBytes(24).toString("hex");
 		const key = `${prefix}${randomPart}`;
 
-		const keyHash = createHash("sha256").update(key).digest("hex");
+		const keyHash = await this.hashingService.hashSha256(key);
 
-		await this.databaseService.db.insert(apiKeys).values({
+		await this.apiKeysRepository.create({
 			userId,
 			name,
 			prefix: prefix.substring(0, 8),
@@ -34,37 +36,18 @@ export class ApiKeysService {
 	}
 
 	async findAll(userId: string) {
-		return await this.databaseService.db
-			.select({
-				id: apiKeys.id,
-				name: apiKeys.name,
-				prefix: apiKeys.prefix,
-				isActive: apiKeys.isActive,
-				lastUsedAt: apiKeys.lastUsedAt,
-				expiresAt: apiKeys.expiresAt,
-				createdAt: apiKeys.createdAt,
-			})
-			.from(apiKeys)
-			.where(eq(apiKeys.userId, userId));
+		return await this.apiKeysRepository.findAll(userId);
 	}
 
 	async revoke(userId: string, keyId: string) {
 		this.logger.log(`Revoking API key ${keyId} for user ${userId}`);
-		return await this.databaseService.db
-			.update(apiKeys)
-			.set({ isActive: false, updatedAt: new Date() })
-			.where(and(eq(apiKeys.id, keyId), eq(apiKeys.userId, userId)))
-			.returning();
+		return await this.apiKeysRepository.revoke(userId, keyId);
 	}
 
 	async validateKey(key: string) {
-		const keyHash = createHash("sha256").update(key).digest("hex");
+		const keyHash = await this.hashingService.hashSha256(key);
 
-		const [apiKey] = await this.databaseService.db
-			.select()
-			.from(apiKeys)
-			.where(and(eq(apiKeys.keyHash, keyHash), eq(apiKeys.isActive, true)))
-			.limit(1);
+		const apiKey = await this.apiKeysRepository.findActiveByKeyHash(keyHash);
 
 		if (!apiKey) return null;
 
@@ -73,10 +56,7 @@ export class ApiKeysService {
 		}
 
 		// Update last used at
-		await this.databaseService.db
-			.update(apiKeys)
-			.set({ lastUsedAt: new Date() })
-			.where(eq(apiKeys.id, apiKey.id));
+		await this.apiKeysRepository.updateLastUsed(apiKey.id);
 
 		return apiKey;
 	}

backend/src/api-keys/dto/create-api-key.dto.ts

@@ -0,0 +1,18 @@
+import {
+	IsDateString,
+	IsNotEmpty,
+	IsOptional,
+	IsString,
+	MaxLength,
+} from "class-validator";
+
+export class CreateApiKeyDto {
+	@IsString()
+	@IsNotEmpty()
+	@MaxLength(128)
+	name!: string;
+
+	@IsOptional()
+	@IsDateString()
+	expiresAt?: string;
+}

backend/src/api-keys/repositories/api-keys.repository.spec.ts

@@ -0,0 +1,83 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { ApiKeysRepository } from "./api-keys.repository";
+
+describe("ApiKeysRepository", () => {
+	let repository: ApiKeysRepository;
+	let _databaseService: DatabaseService;
+
+	const mockDb = {
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				ApiKeysRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<ApiKeysRepository>(ApiKeysRepository);
+		_databaseService = module.get<DatabaseService>(DatabaseService);
+	});
+
+	it("should create an api key", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.create({
+			userId: "u1",
+			name: "n",
+			prefix: "p",
+			keyHash: "h",
+		});
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should find all keys for user", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findAll("u1");
+		expect(result).toHaveLength(1);
+	});
+
+	it("should revoke a key", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([
+			{ id: "1", isActive: false },
+		]);
+		const result = await repository.revoke("u1", "k1");
+		expect(result[0].isActive).toBe(false);
+	});
+
+	it("should find active by hash", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findActiveByKeyHash("h");
+		expect(result.id).toBe("1");
+	});
+
+	it("should update last used", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.updateLastUsed("1");
+		expect(mockDb.update).toHaveBeenCalled();
+	});
+});

backend/src/api-keys/repositories/api-keys.repository.ts

@@ -0,0 +1,58 @@
+import { Injectable } from "@nestjs/common";
+import { and, eq } from "drizzle-orm";
+import { DatabaseService } from "../../database/database.service";
+import { apiKeys } from "../../database/schemas";
+
+@Injectable()
+export class ApiKeysRepository {
+	constructor(private readonly databaseService: DatabaseService) {}
+
+	async create(data: {
+		userId: string;
+		name: string;
+		prefix: string;
+		keyHash: string;
+		expiresAt?: Date;
+	}) {
+		return await this.databaseService.db.insert(apiKeys).values(data);
+	}
+
+	async findAll(userId: string) {
+		return await this.databaseService.db
+			.select({
+				id: apiKeys.id,
+				name: apiKeys.name,
+				prefix: apiKeys.prefix,
+				isActive: apiKeys.isActive,
+				lastUsedAt: apiKeys.lastUsedAt,
+				expiresAt: apiKeys.expiresAt,
+				createdAt: apiKeys.createdAt,
+			})
+			.from(apiKeys)
+			.where(eq(apiKeys.userId, userId));
+	}
+
+	async revoke(userId: string, keyId: string) {
+		return await this.databaseService.db
+			.update(apiKeys)
+			.set({ isActive: false, updatedAt: new Date() })
+			.where(and(eq(apiKeys.id, keyId), eq(apiKeys.userId, userId)))
+			.returning();
+	}
+
+	async findActiveByKeyHash(keyHash: string) {
+		const result = await this.databaseService.db
+			.select()
+			.from(apiKeys)
+			.where(and(eq(apiKeys.keyHash, keyHash), eq(apiKeys.isActive, true)))
+			.limit(1);
+		return result[0] || null;
+	}
+
+	async updateLastUsed(id: string) {
+		return await this.databaseService.db
+			.update(apiKeys)
+			.set({ lastUsedAt: new Date() })
+			.where(eq(apiKeys.id, id));
+	}
+}

backend/src/app.module.ts

@@ -1,15 +1,18 @@
 import { CacheModule } from "@nestjs/cache-manager";
-import { Module } from "@nestjs/common";
+import { MiddlewareConsumer, Module, NestModule } from "@nestjs/common";
 import { ConfigModule, ConfigService } from "@nestjs/config";
 import { ScheduleModule } from "@nestjs/schedule";
 import { ThrottlerModule } from "@nestjs/throttler";
 import { redisStore } from "cache-manager-redis-yet";
+import { AdminModule } from "./admin/admin.module";
 import { ApiKeysModule } from "./api-keys/api-keys.module";
 import { AppController } from "./app.controller";
 import { AppService } from "./app.service";
 import { AuthModule } from "./auth/auth.module";
 import { CategoriesModule } from "./categories/categories.module";
 import { CommonModule } from "./common/common.module";
+import { CrawlerDetectionMiddleware } from "./common/middlewares/crawler-detection.middleware";
+import { HTTPLoggerMiddleware } from "./common/middlewares/http-logger.middleware";
 import { validateEnv } from "./config/env.schema";
 import { ContentsModule } from "./contents/contents.module";
 import { CryptoModule } from "./crypto/crypto.module";
@@ -41,6 +44,7 @@ import { UsersModule } from "./users/users.module";
 		SessionsModule,
 		ReportsModule,
 		ApiKeysModule,
+		AdminModule,
 		ScheduleModule.forRoot(),
 		ThrottlerModule.forRootAsync({
 			imports: [ConfigModule],
@@ -71,4 +75,10 @@ import { UsersModule } from "./users/users.module";
 	controllers: [AppController, HealthController],
 	providers: [AppService],
 })
-export class AppModule {}
+export class AppModule implements NestModule {
+	configure(consumer: MiddlewareConsumer) {
+		consumer
+			.apply(HTTPLoggerMiddleware, CrawlerDetectionMiddleware)
+			.forRoutes("*");
+	}
+}

backend/src/auth/auth.controller.spec.ts

@@ -0,0 +1,185 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthController } from "./auth.controller";
+import { AuthService } from "./auth.service";
+
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn().mockResolvedValue({
+		save: jest.fn(),
+		destroy: jest.fn(),
+	}),
+}));
+
+describe("AuthController", () => {
+	let controller: AuthController;
+	let authService: AuthService;
+	let _configService: ConfigService;
+
+	const mockAuthService = {
+		register: jest.fn(),
+		login: jest.fn(),
+		verifyTwoFactorLogin: jest.fn(),
+		refresh: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest
+			.fn()
+			.mockReturnValue("complex_password_at_least_32_characters_long"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [AuthController],
+			providers: [
+				{ provide: AuthService, useValue: mockAuthService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		controller = module.get<AuthController>(AuthController);
+		authService = module.get<AuthService>(AuthService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("register", () => {
+		it("should call authService.register", async () => {
+			const dto = {
+				email: "test@example.com",
+				password: "password",
+				username: "test",
+			};
+			// biome-ignore lint/suspicious/noExplicitAny: Necessary to avoid defining full DTO in test
+			await controller.register(dto as any);
+			expect(authService.register).toHaveBeenCalledWith(dto);
+		});
+	});
+
+	describe("login", () => {
+		it("should call authService.login and setup session if success", async () => {
+			const dto = { email: "test@example.com", password: "password" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const loginResult = {
+				access_token: "at",
+				refresh_token: "rt",
+				userId: "1",
+				message: "ok",
+			};
+			mockAuthService.login.mockResolvedValue(loginResult);
+
+			await controller.login(dto as any, "ua", req, res);
+
+			expect(authService.login).toHaveBeenCalledWith(dto, "ua", "127.0.0.1");
+			expect(res.json).toHaveBeenCalledWith({ message: "ok", userId: "1" });
+		});
+
+		it("should return result if no access_token", async () => {
+			const dto = { email: "test@example.com", password: "password" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const loginResult = { message: "2fa_required", userId: "1" };
+			mockAuthService.login.mockResolvedValue(loginResult);
+
+			await controller.login(dto as any, "ua", req, res);
+
+			expect(res.json).toHaveBeenCalledWith(loginResult);
+		});
+	});
+
+	describe("verifyTwoFactor", () => {
+		it("should call authService.verifyTwoFactorLogin and setup session", async () => {
+			const dto = { userId: "1", token: "123456" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const verifyResult = {
+				access_token: "at",
+				refresh_token: "rt",
+				message: "ok",
+			};
+			mockAuthService.verifyTwoFactorLogin.mockResolvedValue(verifyResult);
+
+			await controller.verifyTwoFactor(dto, "ua", req, res);
+
+			expect(authService.verifyTwoFactorLogin).toHaveBeenCalledWith(
+				"1",
+				"123456",
+				"ua",
+				"127.0.0.1",
+			);
+			expect(res.json).toHaveBeenCalledWith({ message: "ok" });
+		});
+	});
+
+	describe("refresh", () => {
+		it("should refresh token if session has refresh token", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { refreshToken: "rt", save: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { json: jest.fn() } as any;
+			mockAuthService.refresh.mockResolvedValue({
+				access_token: "at2",
+				refresh_token: "rt2",
+			});
+
+			await controller.refresh(req, res);
+
+			expect(authService.refresh).toHaveBeenCalledWith("rt");
+			expect(res.json).toHaveBeenCalledWith({ message: "Token refreshed" });
+		});
+
+		it("should return 401 if no refresh token", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { save: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { status: jest.fn().mockReturnThis(), json: jest.fn() } as any;
+
+			await controller.refresh(req, res);
+
+			expect(res.status).toHaveBeenCalledWith(401);
+		});
+	});
+
+	describe("logout", () => {
+		it("should destroy session", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { destroy: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { json: jest.fn() } as any;
+
+			await controller.logout(req, res);
+
+			expect(session.destroy).toHaveBeenCalled();
+			expect(res.json).toHaveBeenCalledWith({ message: "User logged out" });
+		});
+	});
+});

backend/src/auth/auth.module.ts

@@ -1,16 +1,32 @@
-import { Module } from "@nestjs/common";
-import { CryptoModule } from "../crypto/crypto.module";
-import { DatabaseModule } from "../database/database.module";
+import { forwardRef, Module } from "@nestjs/common";
 import { SessionsModule } from "../sessions/sessions.module";
 import { UsersModule } from "../users/users.module";
 import { AuthController } from "./auth.controller";
 import { AuthService } from "./auth.service";
+import { AuthGuard } from "./guards/auth.guard";
+import { OptionalAuthGuard } from "./guards/optional-auth.guard";
+import { RolesGuard } from "./guards/roles.guard";
 import { RbacService } from "./rbac.service";
+import { RbacRepository } from "./repositories/rbac.repository";
 
 @Module({
-	imports: [UsersModule, CryptoModule, SessionsModule, DatabaseModule],
+	imports: [forwardRef(() => UsersModule), SessionsModule],
 	controllers: [AuthController],
-	providers: [AuthService, RbacService],
-	exports: [AuthService, RbacService],
+	providers: [
+		AuthService,
+		RbacService,
+		RbacRepository,
+		AuthGuard,
+		OptionalAuthGuard,
+		RolesGuard,
+	],
+	exports: [
+		AuthService,
+		RbacService,
+		RbacRepository,
+		AuthGuard,
+		OptionalAuthGuard,
+		RolesGuard,
+	],
 })
 export class AuthModule {}

backend/src/auth/auth.service.spec.ts

@@ -1,3 +1,7 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
 import { Test, TestingModule } from "@nestjs/testing";
 
 jest.mock("@noble/post-quantum/ml-kem.js", () => ({
@@ -17,14 +21,14 @@ import { BadRequestException, UnauthorizedException } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { authenticator } from "otplib";
 import * as qrcode from "qrcode";
-import { CryptoService } from "../crypto/crypto.service";
+import { HashingService } from "../crypto/services/hashing.service";
+import { JwtService } from "../crypto/services/jwt.service";
 import { SessionsService } from "../sessions/sessions.service";
 import { UsersService } from "../users/users.service";
 import { AuthService } from "./auth.service";
 
 jest.mock("otplib");
 jest.mock("qrcode");
-jest.mock("../crypto/crypto.service");
 jest.mock("../users/users.service");
 jest.mock("../sessions/sessions.service");
 
@@ -41,10 +45,13 @@ describe("AuthService", () => {
 		findOneWithPrivateData: jest.fn(),
 	};
 
-	const mockCryptoService = {
+	const mockHashingService = {
 		hashPassword: jest.fn(),
 		hashEmail: jest.fn(),
 		verifyPassword: jest.fn(),
+	};
+
+	const mockJwtService = {
 		generateJwt: jest.fn(),
 	};
 
@@ -62,7 +69,8 @@ describe("AuthService", () => {
 			providers: [
 				AuthService,
 				{ provide: UsersService, useValue: mockUsersService },
-				{ provide: CryptoService, useValue: mockCryptoService },
+				{ provide: HashingService, useValue: mockHashingService },
+				{ provide: JwtService, useValue: mockJwtService },
 				{ provide: SessionsService, useValue: mockSessionsService },
 				{ provide: ConfigService, useValue: mockConfigService },
 			],
@@ -142,8 +150,8 @@ describe("AuthService", () => {
 				email: "test@example.com",
 				password: "password",
 			};
-			mockCryptoService.hashPassword.mockResolvedValue("hashed-password");
-			mockCryptoService.hashEmail.mockResolvedValue("hashed-email");
+			mockHashingService.hashPassword.mockResolvedValue("hashed-password");
+			mockHashingService.hashEmail.mockResolvedValue("hashed-email");
 			mockUsersService.create.mockResolvedValue({ uuid: "new-user-id" });
 
 			const result = await service.register(dto);
@@ -164,10 +172,10 @@ describe("AuthService", () => {
 				passwordHash: "hash",
 				isTwoFactorEnabled: false,
 			};
-			mockCryptoService.hashEmail.mockResolvedValue("hashed-email");
+			mockHashingService.hashEmail.mockResolvedValue("hashed-email");
 			mockUsersService.findByEmailHash.mockResolvedValue(user);
-			mockCryptoService.verifyPassword.mockResolvedValue(true);
-			mockCryptoService.generateJwt.mockResolvedValue("access-token");
+			mockHashingService.verifyPassword.mockResolvedValue(true);
+			mockJwtService.generateJwt.mockResolvedValue("access-token");
 			mockSessionsService.createSession.mockResolvedValue({
 				refreshToken: "refresh-token",
 			});
@@ -189,9 +197,9 @@ describe("AuthService", () => {
 				passwordHash: "hash",
 				isTwoFactorEnabled: true,
 			};
-			mockCryptoService.hashEmail.mockResolvedValue("hashed-email");
+			mockHashingService.hashEmail.mockResolvedValue("hashed-email");
 			mockUsersService.findByEmailHash.mockResolvedValue(user);
-			mockCryptoService.verifyPassword.mockResolvedValue(true);
+			mockHashingService.verifyPassword.mockResolvedValue(true);
 
 			const result = await service.login(dto);
 
@@ -218,7 +226,7 @@ describe("AuthService", () => {
 			mockUsersService.findOneWithPrivateData.mockResolvedValue(user);
 			mockUsersService.getTwoFactorSecret.mockResolvedValue("secret");
 			(authenticator.verify as jest.Mock).mockReturnValue(true);
-			mockCryptoService.generateJwt.mockResolvedValue("access-token");
+			mockJwtService.generateJwt.mockResolvedValue("access-token");
 			mockSessionsService.createSession.mockResolvedValue({
 				refreshToken: "refresh-token",
 			});
@@ -240,7 +248,7 @@ describe("AuthService", () => {
 			const user = { uuid: "user-id", username: "test" };
 			mockSessionsService.refreshSession.mockResolvedValue(session);
 			mockUsersService.findOne.mockResolvedValue(user);
-			mockCryptoService.generateJwt.mockResolvedValue("new-access");
+			mockJwtService.generateJwt.mockResolvedValue("new-access");
 
 			const result = await service.refresh(refreshToken);
 

backend/src/auth/auth.service.ts

@@ -1,5 +1,7 @@
 import {
 	BadRequestException,
+	forwardRef,
+	Inject,
 	Injectable,
 	Logger,
 	UnauthorizedException,
@@ -7,7 +9,8 @@ import {
 import { ConfigService } from "@nestjs/config";
 import { authenticator } from "otplib";
 import { toDataURL } from "qrcode";
-import { CryptoService } from "../crypto/crypto.service";
+import { HashingService } from "../crypto/services/hashing.service";
+import { JwtService } from "../crypto/services/jwt.service";
 import { SessionsService } from "../sessions/sessions.service";
 import { UsersService } from "../users/users.service";
 import { LoginDto } from "./dto/login.dto";
@@ -18,8 +21,10 @@ export class AuthService {
 	private readonly logger = new Logger(AuthService.name);
 
 	constructor(
+		@Inject(forwardRef(() => UsersService))
 		private readonly usersService: UsersService,
-		private readonly cryptoService: CryptoService,
+		private readonly hashingService: HashingService,
+		private readonly jwtService: JwtService,
 		private readonly sessionsService: SessionsService,
 		private readonly configService: ConfigService,
 	) {}
@@ -81,8 +86,8 @@ export class AuthService {
 		this.logger.log(`Registering new user: ${dto.username}`);
 		const { username, email, password } = dto;
 
-		const passwordHash = await this.cryptoService.hashPassword(password);
-		const emailHash = await this.cryptoService.hashEmail(email);
+		const passwordHash = await this.hashingService.hashPassword(password);
+		const emailHash = await this.hashingService.hashEmail(email);
 
 		const user = await this.usersService.create({
 			username,
@@ -101,23 +106,26 @@ export class AuthService {
 		this.logger.log(`Login attempt for email: ${dto.email}`);
 		const { email, password } = dto;
 
-		const emailHash = await this.cryptoService.hashEmail(email);
+		const emailHash = await this.hashingService.hashEmail(email);
 		const user = await this.usersService.findByEmailHash(emailHash);
 
 		if (!user) {
+			this.logger.warn(`Login failed: user not found for email hash`);
 			throw new UnauthorizedException("Invalid credentials");
 		}
 
-		const isPasswordValid = await this.cryptoService.verifyPassword(
+		const isPasswordValid = await this.hashingService.verifyPassword(
 			password,
 			user.passwordHash,
 		);
 
 		if (!isPasswordValid) {
+			this.logger.warn(`Login failed: invalid password for user ${user.uuid}`);
 			throw new UnauthorizedException("Invalid credentials");
 		}
 
 		if (user.isTwoFactorEnabled) {
+			this.logger.log(`2FA required for user ${user.uuid}`);
 			return {
 				message: "2FA required",
 				requires2FA: true,
@@ -125,7 +133,7 @@ export class AuthService {
 			};
 		}
 
-		const accessToken = await this.cryptoService.generateJwt({
+		const accessToken = await this.jwtService.generateJwt({
 			sub: user.uuid,
 			username: user.username,
 		});
@@ -136,6 +144,7 @@ export class AuthService {
 			ip,
 		);
 
+		this.logger.log(`User ${user.uuid} logged in successfully`);
 		return {
 			message: "User logged in successfully",
 			access_token: accessToken,
@@ -160,10 +169,13 @@ export class AuthService {
 
 		const isValid = authenticator.verify({ token, secret });
 		if (!isValid) {
+			this.logger.warn(
+				`2FA verification failed for user ${userId}: invalid token`,
+			);
 			throw new UnauthorizedException("Invalid 2FA token");
 		}
 
-		const accessToken = await this.cryptoService.generateJwt({
+		const accessToken = await this.jwtService.generateJwt({
 			sub: user.uuid,
 			username: user.username,
 		});
@@ -174,6 +186,7 @@ export class AuthService {
 			ip,
 		);
 
+		this.logger.log(`User ${userId} logged in successfully via 2FA`);
 		return {
 			message: "User logged in successfully (2FA)",
 			access_token: accessToken,
@@ -189,7 +202,7 @@ export class AuthService {
 			throw new UnauthorizedException("User not found");
 		}
 
-		const accessToken = await this.cryptoService.generateJwt({
+		const accessToken = await this.jwtService.generateJwt({
 			sub: user.uuid,
 			username: user.username,
 		});

backend/src/auth/dto/register.dto.ts

@@ -1,10 +1,21 @@
-import { IsEmail, IsNotEmpty, IsString, MinLength } from "class-validator";
+import {
+	IsEmail,
+	IsNotEmpty,
+	IsString,
+	MaxLength,
+	MinLength,
+} from "class-validator";
 
 export class RegisterDto {
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(32)
 	username!: string;
 
+	@IsString()
+	@MaxLength(32)
+	displayName?: string;
+
 	@IsEmail()
 	email!: string;
 

backend/src/auth/guards/auth.guard.spec.ts

@@ -0,0 +1,89 @@
+import { ExecutionContext, UnauthorizedException } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { getIronSession } from "iron-session";
+import { JwtService } from "../../crypto/services/jwt.service";
+import { AuthGuard } from "./auth.guard";
+
+jest.mock("jose", () => ({}));
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn(),
+}));
+
+describe("AuthGuard", () => {
+	let guard: AuthGuard;
+	let _jwtService: JwtService;
+	let _configService: ConfigService;
+
+	const mockJwtService = {
+		verifyJwt: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest.fn().mockReturnValue("session-password"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				AuthGuard,
+				{ provide: JwtService, useValue: mockJwtService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		guard = module.get<AuthGuard>(AuthGuard);
+		_jwtService = module.get<JwtService>(JwtService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should return true for valid token", async () => {
+		const request = { user: null };
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => request,
+				getResponse: () => ({}),
+			}),
+		} as unknown as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({
+			accessToken: "valid-token",
+		});
+		mockJwtService.verifyJwt.mockResolvedValue({ sub: "user1" });
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(request.user).toEqual({ sub: "user1" });
+	});
+
+	it("should throw UnauthorizedException if no token", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({});
+
+		await expect(guard.canActivate(context)).rejects.toThrow(
+			UnauthorizedException,
+		);
+	});
+
+	it("should throw UnauthorizedException if token invalid", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "invalid" });
+		mockJwtService.verifyJwt.mockRejectedValue(new Error("invalid"));
+
+		await expect(guard.canActivate(context)).rejects.toThrow(
+			UnauthorizedException,
+		);
+	});
+});

backend/src/auth/guards/auth.guard.ts

@@ -6,13 +6,13 @@ import {
 } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { getIronSession } from "iron-session";
-import { CryptoService } from "../../crypto/crypto.service";
+import { JwtService } from "../../crypto/services/jwt.service";
 import { getSessionOptions, SessionData } from "../session.config";
 
 @Injectable()
 export class AuthGuard implements CanActivate {
 	constructor(
-		private readonly cryptoService: CryptoService,
+		private readonly jwtService: JwtService,
 		private readonly configService: ConfigService,
 	) {}
 
@@ -33,7 +33,7 @@ export class AuthGuard implements CanActivate {
 		}
 
 		try {
-			const payload = await this.cryptoService.verifyJwt(token);
+			const payload = await this.jwtService.verifyJwt(token);
 			request.user = payload;
 		} catch {
 			throw new UnauthorizedException();

backend/src/auth/guards/optional-auth.guard.spec.ts

@@ -0,0 +1,84 @@
+import { ExecutionContext } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { getIronSession } from "iron-session";
+import { JwtService } from "../../crypto/services/jwt.service";
+import { OptionalAuthGuard } from "./optional-auth.guard";
+
+jest.mock("jose", () => ({}));
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn(),
+}));
+
+describe("OptionalAuthGuard", () => {
+	let guard: OptionalAuthGuard;
+	let _jwtService: JwtService;
+
+	const mockJwtService = {
+		verifyJwt: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest.fn().mockReturnValue("session-password"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				OptionalAuthGuard,
+				{ provide: JwtService, useValue: mockJwtService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		guard = module.get<OptionalAuthGuard>(OptionalAuthGuard);
+		_jwtService = module.get<JwtService>(JwtService);
+	});
+
+	it("should return true and set user for valid token", async () => {
+		const request = { user: null };
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => request,
+				getResponse: () => ({}),
+			}),
+		} as unknown as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "valid" });
+		mockJwtService.verifyJwt.mockResolvedValue({ sub: "u1" });
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(request.user).toEqual({ sub: "u1" });
+	});
+
+	it("should return true if no token", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({});
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return true even if token invalid", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({ user: null }),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "invalid" });
+		mockJwtService.verifyJwt.mockRejectedValue(new Error("invalid"));
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(context.switchToHttp().getRequest().user).toBeNull();
+	});
+});

backend/src/auth/guards/optional-auth.guard.ts

@@ -0,0 +1,39 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { getIronSession } from "iron-session";
+import { JwtService } from "../../crypto/services/jwt.service";
+import { getSessionOptions, SessionData } from "../session.config";
+
+@Injectable()
+export class OptionalAuthGuard implements CanActivate {
+	constructor(
+		private readonly jwtService: JwtService,
+		private readonly configService: ConfigService,
+	) {}
+
+	async canActivate(context: ExecutionContext): Promise<boolean> {
+		const request = context.switchToHttp().getRequest();
+		const response = context.switchToHttp().getResponse();
+
+		const session = await getIronSession<SessionData>(
+			request,
+			response,
+			getSessionOptions(this.configService.get("SESSION_PASSWORD") as string),
+		);
+
+		const token = session.accessToken;
+
+		if (!token) {
+			return true;
+		}
+
+		try {
+			const payload = await this.jwtService.verifyJwt(token);
+			request.user = payload;
+		} catch {
+			// Ignore invalid tokens for optional auth
+		}
+
+		return true;
+	}
+}

backend/src/auth/guards/roles.guard.spec.ts

@@ -0,0 +1,90 @@
+import { ExecutionContext } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { Test, TestingModule } from "@nestjs/testing";
+import { RbacService } from "../rbac.service";
+import { RolesGuard } from "./roles.guard";
+
+describe("RolesGuard", () => {
+	let guard: RolesGuard;
+	let _reflector: Reflector;
+	let _rbacService: RbacService;
+
+	const mockReflector = {
+		getAllAndOverride: jest.fn(),
+	};
+
+	const mockRbacService = {
+		getUserRoles: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				RolesGuard,
+				{ provide: Reflector, useValue: mockReflector },
+				{ provide: RbacService, useValue: mockRbacService },
+			],
+		}).compile();
+
+		guard = module.get<RolesGuard>(RolesGuard);
+		_reflector = module.get<Reflector>(Reflector);
+		_rbacService = module.get<RbacService>(RbacService);
+	});
+
+	it("should return true if no roles required", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(null);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+		} as ExecutionContext;
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return false if no user in request", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: null }),
+			}),
+		} as ExecutionContext;
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(false);
+	});
+
+	it("should return true if user has required role", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: { sub: "u1" } }),
+			}),
+		} as ExecutionContext;
+
+		mockRbacService.getUserRoles.mockResolvedValue(["admin", "user"]);
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return false if user doesn't have required role", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: { sub: "u1" } }),
+			}),
+		} as ExecutionContext;
+
+		mockRbacService.getUserRoles.mockResolvedValue(["user"]);
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(false);
+	});
+});

backend/src/auth/rbac.service.spec.ts

@@ -1,15 +1,14 @@
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../database/database.service";
 import { RbacService } from "./rbac.service";
+import { RbacRepository } from "./repositories/rbac.repository";
 
 describe("RbacService", () => {
 	let service: RbacService;
+	let repository: RbacRepository;
 
-	const mockDb = {
-		select: jest.fn().mockReturnThis(),
-		from: jest.fn().mockReturnThis(),
-		innerJoin: jest.fn().mockReturnThis(),
-		where: jest.fn(),
+	const mockRbacRepository = {
+		findRolesByUserId: jest.fn(),
+		findPermissionsByUserId: jest.fn(),
 	};
 
 	beforeEach(async () => {
@@ -18,15 +17,14 @@ describe("RbacService", () => {
 			providers: [
 				RbacService,
 				{
-					provide: DatabaseService,
-					useValue: {
-						db: mockDb,
-					},
+					provide: RbacRepository,
+					useValue: mockRbacRepository,
 				},
 			],
 		}).compile();
 
 		service = module.get<RbacService>(RbacService);
+		repository = module.get<RbacRepository>(RbacRepository);
 	});
 
 	it("should be defined", () => {
@@ -36,34 +34,28 @@ describe("RbacService", () => {
 	describe("getUserRoles", () => {
 		it("should return user roles", async () => {
 			const userId = "user-id";
-			const mockRoles = [{ slug: "admin" }, { slug: "user" }];
-			mockDb.where.mockResolvedValue(mockRoles);
+			const mockRoles = ["admin", "user"];
+			mockRbacRepository.findRolesByUserId.mockResolvedValue(mockRoles);
 
 			const result = await service.getUserRoles(userId);
 
-			expect(result).toEqual(["admin", "user"]);
-			expect(mockDb.select).toHaveBeenCalled();
-			expect(mockDb.from).toHaveBeenCalled();
-			expect(mockDb.innerJoin).toHaveBeenCalled();
+			expect(result).toEqual(mockRoles);
+			expect(repository.findRolesByUserId).toHaveBeenCalledWith(userId);
 		});
 	});
 
 	describe("getUserPermissions", () => {
-		it("should return unique user permissions", async () => {
+		it("should return user permissions", async () => {
 			const userId = "user-id";
-			const mockPermissions = [
-				{ slug: "read" },
-				{ slug: "write" },
-				{ slug: "read" }, // Duplicate
-			];
-			mockDb.where.mockResolvedValue(mockPermissions);
+			const mockPermissions = ["read", "write"];
+			mockRbacRepository.findPermissionsByUserId.mockResolvedValue(
+				mockPermissions,
+			);
 
 			const result = await service.getUserPermissions(userId);
 
-			expect(result).toEqual(["read", "write"]);
-			expect(mockDb.select).toHaveBeenCalled();
-			expect(mockDb.from).toHaveBeenCalled();
-			expect(mockDb.innerJoin).toHaveBeenCalledTimes(2);
+			expect(result).toEqual(mockPermissions);
+			expect(repository.findPermissionsByUserId).toHaveBeenCalledWith(userId);
 		});
 	});
 });

backend/src/auth/rbac.service.ts

@@ -1,42 +1,15 @@
 import { Injectable } from "@nestjs/common";
-import { eq } from "drizzle-orm";
-import { DatabaseService } from "../database/database.service";
-import {
-	permissions,
-	roles,
-	rolesToPermissions,
-	usersToRoles,
-} from "../database/schemas";
+import { RbacRepository } from "./repositories/rbac.repository";
 
 @Injectable()
 export class RbacService {
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(private readonly rbacRepository: RbacRepository) {}
 
 	async getUserRoles(userId: string) {
-		const result = await this.databaseService.db
-			.select({
-				slug: roles.slug,
-			})
-			.from(usersToRoles)
-			.innerJoin(roles, eq(usersToRoles.roleId, roles.id))
-			.where(eq(usersToRoles.userId, userId));
-
-		return result.map((r) => r.slug);
+		return this.rbacRepository.findRolesByUserId(userId);
 	}
 
 	async getUserPermissions(userId: string) {
-		const result = await this.databaseService.db
-			.select({
-				slug: permissions.slug,
-			})
-			.from(usersToRoles)
-			.innerJoin(
-				rolesToPermissions,
-				eq(usersToRoles.roleId, rolesToPermissions.roleId),
-			)
-			.innerJoin(permissions, eq(rolesToPermissions.permissionId, permissions.id))
-			.where(eq(usersToRoles.userId, userId));
-
-		return Array.from(new Set(result.map((p) => p.slug)));
+		return this.rbacRepository.findPermissionsByUserId(userId);
 	}
 }

backend/src/auth/repositories/rbac.repository.ts

@@ -0,0 +1,42 @@
+import { Injectable } from "@nestjs/common";
+import { eq } from "drizzle-orm";
+import { DatabaseService } from "../../database/database.service";
+import {
+	permissions,
+	roles,
+	rolesToPermissions,
+	usersToRoles,
+} from "../../database/schemas";
+
+@Injectable()
+export class RbacRepository {
+	constructor(private readonly databaseService: DatabaseService) {}
+
+	async findRolesByUserId(userId: string) {
+		const result = await this.databaseService.db
+			.select({
+				slug: roles.slug,
+			})
+			.from(usersToRoles)
+			.innerJoin(roles, eq(usersToRoles.roleId, roles.id))
+			.where(eq(usersToRoles.userId, userId));
+
+		return result.map((r) => r.slug);
+	}
+
+	async findPermissionsByUserId(userId: string) {
+		const result = await this.databaseService.db
+			.select({
+				slug: permissions.slug,
+			})
+			.from(usersToRoles)
+			.innerJoin(
+				rolesToPermissions,
+				eq(usersToRoles.roleId, rolesToPermissions.roleId),
+			)
+			.innerJoin(permissions, eq(rolesToPermissions.permissionId, permissions.id))
+			.where(eq(usersToRoles.userId, userId));
+
+		return Array.from(new Set(result.map((p) => p.slug)));
+	}
+}

backend/src/categories/categories.controller.spec.ts

@@ -0,0 +1,105 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { CategoriesController } from "./categories.controller";
+import { CategoriesService } from "./categories.service";
+
+describe("CategoriesController", () => {
+	let controller: CategoriesController;
+	let service: CategoriesService;
+
+	const mockCategoriesService = {
+		findAll: jest.fn(),
+		findOne: jest.fn(),
+		create: jest.fn(),
+		update: jest.fn(),
+		remove: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [CategoriesController],
+			providers: [
+				{ provide: CategoriesService, useValue: mockCategoriesService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<CategoriesController>(CategoriesController);
+		service = module.get<CategoriesService>(CategoriesService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			await controller.findAll();
+			expect(service.findAll).toHaveBeenCalled();
+		});
+	});
+
+	describe("findOne", () => {
+		it("should call service.findOne", async () => {
+			await controller.findOne("1");
+			expect(service.findOne).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const dto = { name: "Cat", slug: "cat" };
+			await controller.create(dto);
+			expect(service.create).toHaveBeenCalledWith(dto);
+		});
+	});
+
+	describe("update", () => {
+		it("should call service.update", async () => {
+			const dto = { name: "New Name" };
+			await controller.update("1", dto);
+			expect(service.update).toHaveBeenCalledWith("1", dto);
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.remove", async () => {
+			await controller.remove("1");
+			expect(service.remove).toHaveBeenCalledWith("1");
+		});
+	});
+});

backend/src/categories/categories.controller.ts

@@ -1,3 +1,4 @@
+import { CacheInterceptor, CacheKey, CacheTTL } from "@nestjs/cache-manager";
 import {
 	Body,
 	Controller,
@@ -9,7 +10,6 @@ import {
 	UseGuards,
 	UseInterceptors,
 } from "@nestjs/common";
-import { CacheInterceptor, CacheKey, CacheTTL } from "@nestjs/cache-manager";
 import { Roles } from "../auth/decorators/roles.decorator";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { RolesGuard } from "../auth/guards/roles.guard";

backend/src/categories/categories.module.ts

@@ -1,12 +1,13 @@
 import { Module } from "@nestjs/common";
-import { DatabaseModule } from "../database/database.module";
+import { AuthModule } from "../auth/auth.module";
 import { CategoriesController } from "./categories.controller";
 import { CategoriesService } from "./categories.service";
+import { CategoriesRepository } from "./repositories/categories.repository";
 
 @Module({
-	imports: [DatabaseModule],
+	imports: [AuthModule],
 	controllers: [CategoriesController],
-	providers: [CategoriesService],
-	exports: [CategoriesService],
+	providers: [CategoriesService, CategoriesRepository],
+	exports: [CategoriesService, CategoriesRepository],
 })
 export class CategoriesModule {}

backend/src/categories/categories.service.spec.ts

@@ -1,25 +1,24 @@
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../database/database.service";
-import { categories } from "../database/schemas";
 import { CategoriesService } from "./categories.service";
 import { CreateCategoryDto } from "./dto/create-category.dto";
 import { UpdateCategoryDto } from "./dto/update-category.dto";
+import { CategoriesRepository } from "./repositories/categories.repository";
 
 describe("CategoriesService", () => {
 	let service: CategoriesService;
+	let repository: CategoriesRepository;
 
-	const mockDb = {
-		select: jest.fn().mockReturnThis(),
-		from: jest.fn().mockReturnThis(),
-		where: jest.fn().mockReturnThis(),
-		limit: jest.fn().mockResolvedValue([]),
-		orderBy: jest.fn().mockResolvedValue([]),
-		insert: jest.fn().mockReturnThis(),
-		values: jest.fn().mockReturnThis(),
-		update: jest.fn().mockReturnThis(),
-		set: jest.fn().mockReturnThis(),
-		delete: jest.fn().mockReturnThis(),
-		returning: jest.fn().mockResolvedValue([]),
+	const mockCategoriesRepository = {
+		findAll: jest.fn(),
+		findOne: jest.fn(),
+		create: jest.fn(),
+		update: jest.fn(),
+		remove: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		del: jest.fn(),
 	};
 
 	beforeEach(async () => {
@@ -28,15 +27,15 @@ describe("CategoriesService", () => {
 			providers: [
 				CategoriesService,
 				{
-					provide: DatabaseService,
-					useValue: {
-						db: mockDb,
-					},
+					provide: CategoriesRepository,
+					useValue: mockCategoriesRepository,
 				},
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
 			],
 		}).compile();
 
 		service = module.get<CategoriesService>(CategoriesService);
+		repository = module.get<CategoriesRepository>(CategoriesRepository);
 	});
 
 	it("should be defined", () => {
@@ -46,28 +45,28 @@ describe("CategoriesService", () => {
 	describe("findAll", () => {
 		it("should return all categories ordered by name", async () => {
 			const mockCategories = [{ name: "A" }, { name: "B" }];
-			mockDb.orderBy.mockResolvedValue(mockCategories);
+			mockCategoriesRepository.findAll.mockResolvedValue(mockCategories);
 
 			const result = await service.findAll();
 
 			expect(result).toEqual(mockCategories);
-			expect(mockDb.select).toHaveBeenCalled();
-			expect(mockDb.from).toHaveBeenCalledWith(categories);
+			expect(repository.findAll).toHaveBeenCalled();
 		});
 	});
 
 	describe("findOne", () => {
 		it("should return a category by id", async () => {
 			const mockCategory = { id: "1", name: "Cat" };
-			mockDb.limit.mockResolvedValue([mockCategory]);
+			mockCategoriesRepository.findOne.mockResolvedValue(mockCategory);
 
 			const result = await service.findOne("1");
 
 			expect(result).toEqual(mockCategory);
+			expect(repository.findOne).toHaveBeenCalledWith("1");
 		});
 
 		it("should return null if category not found", async () => {
-			mockDb.limit.mockResolvedValue([]);
+			mockCategoriesRepository.findOne.mockResolvedValue(null);
 			const result = await service.findOne("999");
 			expect(result).toBeNull();
 		});
@@ -76,12 +75,13 @@ describe("CategoriesService", () => {
 	describe("create", () => {
 		it("should create a category and generate slug", async () => {
 			const dto: CreateCategoryDto = { name: "Test Category" };
-			mockDb.returning.mockResolvedValue([{ ...dto, slug: "test-category" }]);
+			mockCategoriesRepository.create.mockResolvedValue([
+				{ ...dto, slug: "test-category" },
+			]);
 
 			const result = await service.create(dto);
 
-			expect(mockDb.insert).toHaveBeenCalledWith(categories);
-			expect(mockDb.values).toHaveBeenCalledWith({
+			expect(repository.create).toHaveBeenCalledWith({
 				name: "Test Category",
 				slug: "test-category",
 			});
@@ -93,12 +93,14 @@ describe("CategoriesService", () => {
 		it("should update a category and regenerate slug", async () => {
 			const id = "1";
 			const dto: UpdateCategoryDto = { name: "New Name" };
-			mockDb.returning.mockResolvedValue([{ id, ...dto, slug: "new-name" }]);
+			mockCategoriesRepository.update.mockResolvedValue([
+				{ id, ...dto, slug: "new-name" },
+			]);
 
 			const result = await service.update(id, dto);
 
-			expect(mockDb.update).toHaveBeenCalledWith(categories);
-			expect(mockDb.set).toHaveBeenCalledWith(
+			expect(repository.update).toHaveBeenCalledWith(
+				id,
 				expect.objectContaining({
 					name: "New Name",
 					slug: "new-name",
@@ -111,11 +113,11 @@ describe("CategoriesService", () => {
 	describe("remove", () => {
 		it("should remove a category", async () => {
 			const id = "1";
-			mockDb.returning.mockResolvedValue([{ id }]);
+			mockCategoriesRepository.remove.mockResolvedValue([{ id }]);
 
 			const result = await service.remove(id);
 
-			expect(mockDb.delete).toHaveBeenCalledWith(categories);
+			expect(repository.remove).toHaveBeenCalledWith(id);
 			expect(result).toEqual([{ id }]);
 		});
 	});

backend/src/categories/categories.service.ts

@@ -1,18 +1,16 @@
-import { Injectable, Logger, Inject } from "@nestjs/common";
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
-import { Cache } from "cache-manager";
-import { eq } from "drizzle-orm";
-import { DatabaseService } from "../database/database.service";
-import { categories } from "../database/schemas";
+import { Inject, Injectable, Logger } from "@nestjs/common";
+import type { Cache } from "cache-manager";
 import { CreateCategoryDto } from "./dto/create-category.dto";
 import { UpdateCategoryDto } from "./dto/update-category.dto";
+import { CategoriesRepository } from "./repositories/categories.repository";
 
 @Injectable()
 export class CategoriesService {
 	private readonly logger = new Logger(CategoriesService.name);
 
 	constructor(
-		private readonly databaseService: DatabaseService,
+		private readonly categoriesRepository: CategoriesRepository,
 		@Inject(CACHE_MANAGER) private cacheManager: Cache,
 	) {}
 
@@ -22,20 +20,11 @@ export class CategoriesService {
 	}
 
 	async findAll() {
-		return await this.databaseService.db
-			.select()
-			.from(categories)
-			.orderBy(categories.name);
+		return await this.categoriesRepository.findAll();
 	}
 
 	async findOne(id: string) {
-		const result = await this.databaseService.db
-			.select()
-			.from(categories)
-			.where(eq(categories.id, id))
-			.limit(1);
-
-		return result[0] || null;
+		return await this.categoriesRepository.findOne(id);
 	}
 
 	async create(data: CreateCategoryDto) {
@@ -44,10 +33,7 @@ export class CategoriesService {
 			.toLowerCase()
 			.replace(/ /g, "-")
 			.replace(/[^\w-]/g, "");
-		const result = await this.databaseService.db
-			.insert(categories)
-			.values({ ...data, slug })
-			.returning();
+		const result = await this.categoriesRepository.create({ ...data, slug });
 
 		await this.clearCategoriesCache();
 		return result;
@@ -65,11 +51,7 @@ export class CategoriesService {
 						.replace(/[^\w-]/g, "")
 				: undefined,
 		};
-		const result = await this.databaseService.db
-			.update(categories)
-			.set(updateData)
-			.where(eq(categories.id, id))
-			.returning();
+		const result = await this.categoriesRepository.update(id, updateData);
 
 		await this.clearCategoriesCache();
 		return result;
@@ -77,10 +59,7 @@ export class CategoriesService {
 
 	async remove(id: string) {
 		this.logger.log(`Removing category: ${id}`);
-		const result = await this.databaseService.db
-			.delete(categories)
-			.where(eq(categories.id, id))
-			.returning();
+		const result = await this.categoriesRepository.remove(id);
 
 		await this.clearCategoriesCache();
 		return result;

backend/src/categories/dto/create-category.dto.ts

@@ -1,15 +1,18 @@
-import { IsNotEmpty, IsOptional, IsString } from "class-validator";
+import { IsNotEmpty, IsOptional, IsString, MaxLength } from "class-validator";
 
 export class CreateCategoryDto {
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(64)
 	name!: string;
 
 	@IsOptional()
 	@IsString()
+	@MaxLength(255)
 	description?: string;
 
 	@IsOptional()
 	@IsString()
+	@MaxLength(512)
 	iconUrl?: string;
 }

backend/src/categories/repositories/categories.repository.spec.ts

@@ -0,0 +1,82 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { CategoriesRepository } from "./categories.repository";
+
+describe("CategoriesRepository", () => {
+	let repository: CategoriesRepository;
+
+	const mockDb = {
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		orderBy: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				CategoriesRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<CategoriesRepository>(CategoriesRepository);
+	});
+
+	it("should find all", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findAll();
+		expect(result).toHaveLength(1);
+	});
+
+	it("should count all", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ count: 5 }]);
+		const result = await repository.countAll();
+		expect(result).toBe(5);
+	});
+
+	it("should find one", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findOne("1");
+		expect(result.id).toBe("1");
+	});
+
+	it("should create", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.create({ name: "C", slug: "s" });
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should update", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.update("1", { name: "N", updatedAt: new Date() });
+		expect(mockDb.update).toHaveBeenCalled();
+	});
+
+	it("should remove", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.remove("1");
+		expect(mockDb.delete).toHaveBeenCalled();
+	});
+});

backend/src/categories/repositories/categories.repository.ts

@@ -0,0 +1,60 @@
+import { Injectable } from "@nestjs/common";
+import { eq, sql } from "drizzle-orm";
+import { DatabaseService } from "../../database/database.service";
+import { categories } from "../../database/schemas";
+import type { CreateCategoryDto } from "../dto/create-category.dto";
+import type { UpdateCategoryDto } from "../dto/update-category.dto";
+
+@Injectable()
+export class CategoriesRepository {
+	constructor(private readonly databaseService: DatabaseService) {}
+
+	async findAll() {
+		return await this.databaseService.db
+			.select()
+			.from(categories)
+			.orderBy(categories.name);
+	}
+
+	async countAll() {
+		const result = await this.databaseService.db
+			.select({ count: sql<number>`count(*)` })
+			.from(categories);
+		return Number(result[0].count);
+	}
+
+	async findOne(id: string) {
+		const result = await this.databaseService.db
+			.select()
+			.from(categories)
+			.where(eq(categories.id, id))
+			.limit(1);
+
+		return result[0] || null;
+	}
+
+	async create(data: CreateCategoryDto & { slug: string }) {
+		return await this.databaseService.db
+			.insert(categories)
+			.values(data)
+			.returning();
+	}
+
+	async update(
+		id: string,
+		data: UpdateCategoryDto & { slug?: string; updatedAt: Date },
+	) {
+		return await this.databaseService.db
+			.update(categories)
+			.set(data)
+			.where(eq(categories.id, id))
+			.returning();
+	}
+
+	async remove(id: string) {
+		return await this.databaseService.db
+			.delete(categories)
+			.where(eq(categories.id, id))
+			.returning();
+	}
+}

backend/src/common/common.module.ts

@@ -1,10 +1,20 @@
-import { Global, Module } from "@nestjs/common";
+import { forwardRef, Global, Module } from "@nestjs/common";
+import { ContentsModule } from "../contents/contents.module";
 import { DatabaseModule } from "../database/database.module";
+import { ReportsModule } from "../reports/reports.module";
+import { SessionsModule } from "../sessions/sessions.module";
+import { UsersModule } from "../users/users.module";
 import { PurgeService } from "./services/purge.service";
 
 @Global()
 @Module({
-	imports: [DatabaseModule],
+	imports: [
+		DatabaseModule,
+		forwardRef(() => SessionsModule),
+		forwardRef(() => ReportsModule),
+		forwardRef(() => UsersModule),
+		forwardRef(() => ContentsModule),
+	],
 	providers: [PurgeService],
 	exports: [PurgeService],
 })

backend/src/common/filters/http-exception.filter.ts

@@ -9,6 +9,14 @@ import {
 import * as Sentry from "@sentry/nestjs";
 import { Request, Response } from "express";
 
+interface RequestWithUser extends Request {
+	user?: {
+		sub?: string;
+		username?: string;
+		id?: string;
+	};
+}
+
 @Catch()
 export class AllExceptionsFilter implements ExceptionFilter {
 	private readonly logger = new Logger("ExceptionFilter");
@@ -16,7 +24,7 @@ export class AllExceptionsFilter implements ExceptionFilter {
 	catch(exception: unknown, host: ArgumentsHost) {
 		const ctx = host.switchToHttp();
 		const response = ctx.getResponse<Response>();
-		const request = ctx.getRequest<Request>();
+		const request = ctx.getRequest<RequestWithUser>();
 
 		const status =
 			exception instanceof HttpException
@@ -28,6 +36,9 @@ export class AllExceptionsFilter implements ExceptionFilter {
 				? exception.getResponse()
 				: "Internal server error";
 
+		const userId = request.user?.sub || request.user?.id;
+		const userPart = userId ? `[User: ${userId}] ` : "";
+
 		const errorResponse = {
 			statusCode: status,
 			timestamp: new Date().toISOString(),
@@ -42,12 +53,12 @@ export class AllExceptionsFilter implements ExceptionFilter {
 		if (status === HttpStatus.INTERNAL_SERVER_ERROR) {
 			Sentry.captureException(exception);
 			this.logger.error(
-				`${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
+				`${userPart}${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
 				exception instanceof Error ? exception.stack : "",
 			);
 		} else {
 			this.logger.warn(
-				`${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
+				`${userPart}${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
 			);
 		}
 

backend/src/common/interfaces/mail.interface.ts

@@ -0,0 +1,4 @@
+export interface IMailService {
+	sendEmailValidation(email: string, token: string): Promise<void>;
+	sendPasswordReset(email: string, token: string): Promise<void>;
+}

backend/src/common/interfaces/media.interface.ts

@@ -0,0 +1,26 @@
+export interface MediaProcessingResult {
+	buffer: Buffer;
+	mimeType: string;
+	extension: string;
+	width?: number;
+	height?: number;
+	size: number;
+}
+
+export interface ScanResult {
+	isInfected: boolean;
+	virusName?: string;
+}
+
+export interface IMediaService {
+	scanFile(buffer: Buffer, filename: string): Promise<ScanResult>;
+	processImage(
+		buffer: Buffer,
+		format?: "webp" | "avif",
+		resize?: { width?: number; height?: number },
+	): Promise<MediaProcessingResult>;
+	processVideo(
+		buffer: Buffer,
+		format?: "webm" | "av1",
+	): Promise<MediaProcessingResult>;
+}

backend/src/common/interfaces/storage.interface.ts

@@ -0,0 +1,38 @@
+import type { Readable } from "node:stream";
+
+export interface IStorageService {
+	uploadFile(
+		fileName: string,
+		file: Buffer,
+		mimeType: string,
+		metaData?: Record<string, string>,
+		bucketName?: string,
+	): Promise<string>;
+
+	getFile(fileName: string, bucketName?: string): Promise<Readable>;
+
+	getFileUrl(
+		fileName: string,
+		expiry?: number,
+		bucketName?: string,
+	): Promise<string>;
+
+	getUploadUrl(
+		fileName: string,
+		expiry?: number,
+		bucketName?: string,
+	): Promise<string>;
+
+	deleteFile(fileName: string, bucketName?: string): Promise<void>;
+
+	getFileInfo(fileName: string, bucketName?: string): Promise<unknown>;
+
+	moveFile(
+		sourceFileName: string,
+		destinationFileName: string,
+		sourceBucketName?: string,
+		destinationBucketName?: string,
+	): Promise<string>;
+
+	getPublicUrl(storageKey: string): string;
+}

backend/src/common/middlewares/crawler-detection.middleware.ts

@@ -0,0 +1,67 @@
+import { Injectable, Logger, NestMiddleware } from "@nestjs/common";
+import type { NextFunction, Request, Response } from "express";
+
+@Injectable()
+export class CrawlerDetectionMiddleware implements NestMiddleware {
+	private readonly logger = new Logger("CrawlerDetection");
+
+	private readonly SUSPICIOUS_PATTERNS = [
+		/\.env/,
+		/wp-admin/,
+		/wp-login/,
+		/\.git/,
+		/\.php$/,
+		/xmlrpc/,
+		/config/,
+		/setup/,
+		/wp-config/,
+		/_next/,
+		/install/,
+		/admin/,
+		/phpmyadmin/,
+		/sql/,
+		/backup/,
+		/db\./,
+		/backup\./,
+		/cgi-bin/,
+		/\.well-known\/security\.txt/, // Bien que légitime, souvent scanné
+	];
+
+	private readonly BOT_USER_AGENTS = [
+		/bot/i,
+		/crawler/i,
+		/spider/i,
+		/python/i,
+		/curl/i,
+		/wget/i,
+		/nmap/i,
+		/nikto/i,
+		/zgrab/i,
+		/masscan/i,
+	];
+
+	use(req: Request, res: Response, next: NextFunction) {
+		const { method, url, ip } = req;
+		const userAgent = req.get("user-agent") || "unknown";
+
+		res.on("finish", () => {
+			if (res.statusCode === 404) {
+				const isSuspiciousPath = this.SUSPICIOUS_PATTERNS.some((pattern) =>
+					pattern.test(url),
+				);
+				const isBotUserAgent = this.BOT_USER_AGENTS.some((pattern) =>
+					pattern.test(userAgent),
+				);
+
+				if (isSuspiciousPath || isBotUserAgent) {
+					this.logger.warn(
+						`Potential crawler detected: [${ip}] ${method} ${url} - User-Agent: ${userAgent}`,
+					);
+					// Ici, on pourrait ajouter une logique pour bannir l'IP temporairement via Redis
+				}
+			}
+		});
+
+		next();
+	}
+}

backend/src/common/middlewares/http-logger.middleware.ts

@@ -0,0 +1,37 @@
+import { createHash } from "node:crypto";
+import { Injectable, Logger, NestMiddleware } from "@nestjs/common";
+import { NextFunction, Request, Response } from "express";
+
+@Injectable()
+export class HTTPLoggerMiddleware implements NestMiddleware {
+	private readonly logger = new Logger("HTTP");
+
+	use(request: Request, response: Response, next: NextFunction): void {
+		const { method, originalUrl, ip } = request;
+		const userAgent = request.get("user-agent") || "";
+		const startTime = Date.now();
+
+		response.on("finish", () => {
+			const { statusCode } = response;
+			const contentLength = response.get("content-length");
+			const duration = Date.now() - startTime;
+
+			const hashedIp = createHash("sha256")
+				.update(ip as string)
+				.digest("hex");
+			const message = `${method} ${originalUrl} ${statusCode} ${contentLength || 0} - ${userAgent} ${hashedIp} +${duration}ms`;
+
+			if (statusCode >= 500) {
+				return this.logger.error(message);
+			}
+
+			if (statusCode >= 400) {
+				return this.logger.warn(message);
+			}
+
+			return this.logger.log(message);
+		});
+
+		next();
+	}
+}

backend/src/common/services/purge.service.spec.ts

@@ -1,15 +1,23 @@
 import { Logger } from "@nestjs/common";
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../../database/database.service";
+import { ContentsRepository } from "../../contents/repositories/contents.repository";
+import { ReportsRepository } from "../../reports/repositories/reports.repository";
+import { SessionsRepository } from "../../sessions/repositories/sessions.repository";
+import { UsersRepository } from "../../users/repositories/users.repository";
 import { PurgeService } from "./purge.service";
 
 describe("PurgeService", () => {
 	let service: PurgeService;
 
-	const mockDb = {
-		delete: jest.fn(),
-		where: jest.fn(),
-		returning: jest.fn(),
+	const mockSessionsRepository = {
+		purgeExpired: jest.fn().mockResolvedValue([]),
+	};
+	const mockReportsRepository = {
+		purgeObsolete: jest.fn().mockResolvedValue([]),
+	};
+	const mockUsersRepository = { purgeDeleted: jest.fn().mockResolvedValue([]) };
+	const mockContentsRepository = {
+		purgeSoftDeleted: jest.fn().mockResolvedValue([]),
 	};
 
 	beforeEach(async () => {
@@ -17,22 +25,13 @@ describe("PurgeService", () => {
 		jest.spyOn(Logger.prototype, "error").mockImplementation(() => {});
 		jest.spyOn(Logger.prototype, "log").mockImplementation(() => {});
 
-		const chain = {
-			delete: jest.fn().mockReturnThis(),
-			where: jest.fn().mockReturnThis(),
-			returning: jest.fn().mockResolvedValue([]),
-		};
-
-		const mockImplementation = () => Object.assign(Promise.resolve([]), chain);
-		for (const mock of Object.values(chain)) {
-			mock.mockImplementation(mockImplementation);
-		}
-		Object.assign(mockDb, chain);
-
 		const module: TestingModule = await Test.createTestingModule({
 			providers: [
 				PurgeService,
-				{ provide: DatabaseService, useValue: { db: mockDb } },
+				{ provide: SessionsRepository, useValue: mockSessionsRepository },
+				{ provide: ReportsRepository, useValue: mockReportsRepository },
+				{ provide: UsersRepository, useValue: mockUsersRepository },
+				{ provide: ContentsRepository, useValue: mockContentsRepository },
 			],
 		}).compile();
 
@@ -44,23 +43,22 @@ describe("PurgeService", () => {
 	});
 
 	describe("purgeExpiredData", () => {
-		it("should purge data", async () => {
-			mockDb.returning
-				.mockResolvedValueOnce([{ id: "s1" }]) // sessions
-				.mockResolvedValueOnce([{ id: "r1" }]) // reports
-				.mockResolvedValueOnce([{ id: "u1" }]) // users
-				.mockResolvedValueOnce([{ id: "c1" }]); // contents
+		it("should purge data using repositories", async () => {
+			mockSessionsRepository.purgeExpired.mockResolvedValue([{ id: "s1" }]);
+			mockReportsRepository.purgeObsolete.mockResolvedValue([{ id: "r1" }]);
+			mockUsersRepository.purgeDeleted.mockResolvedValue([{ id: "u1" }]);
+			mockContentsRepository.purgeSoftDeleted.mockResolvedValue([{ id: "c1" }]);
 
 			await service.purgeExpiredData();
 
-			expect(mockDb.delete).toHaveBeenCalledTimes(4);
-			expect(mockDb.returning).toHaveBeenCalledTimes(4);
+			expect(mockSessionsRepository.purgeExpired).toHaveBeenCalled();
+			expect(mockReportsRepository.purgeObsolete).toHaveBeenCalled();
+			expect(mockUsersRepository.purgeDeleted).toHaveBeenCalled();
+			expect(mockContentsRepository.purgeSoftDeleted).toHaveBeenCalled();
 		});
 
 		it("should handle errors", async () => {
-			mockDb.delete.mockImplementation(() => {
-				throw new Error("Db error");
-			});
+			mockSessionsRepository.purgeExpired.mockRejectedValue(new Error("Db error"));
 			await expect(service.purgeExpiredData()).resolves.not.toThrow();
 		});
 	});

backend/src/common/services/purge.service.ts

@@ -1,14 +1,20 @@
 import { Injectable, Logger } from "@nestjs/common";
 import { Cron, CronExpression } from "@nestjs/schedule";
-import { and, eq, isNotNull, lte } from "drizzle-orm";
-import { DatabaseService } from "../../database/database.service";
-import { contents, reports, sessions, users } from "../../database/schemas";
+import { ContentsRepository } from "../../contents/repositories/contents.repository";
+import { ReportsRepository } from "../../reports/repositories/reports.repository";
+import { SessionsRepository } from "../../sessions/repositories/sessions.repository";
+import { UsersRepository } from "../../users/repositories/users.repository";
 
 @Injectable()
 export class PurgeService {
 	private readonly logger = new Logger(PurgeService.name);
 
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(
+		private readonly sessionsRepository: SessionsRepository,
+		private readonly reportsRepository: ReportsRepository,
+		private readonly usersRepository: UsersRepository,
+		private readonly contentsRepository: ContentsRepository,
+	) {}
 
 	// Toutes les nuits à minuit
 	@Cron(CronExpression.EVERY_DAY_AT_MIDNIGHT)
@@ -19,40 +25,25 @@ export class PurgeService {
 			const now = new Date();
 
 			// 1. Purge des sessions expirées
-			const deletedSessions = await this.databaseService.db
-				.delete(sessions)
-				.where(lte(sessions.expiresAt, now))
-				.returning();
+			const deletedSessions = await this.sessionsRepository.purgeExpired(now);
 			this.logger.log(`Purged ${deletedSessions.length} expired sessions.`);
 
 			// 2. Purge des signalements obsolètes
-			const deletedReports = await this.databaseService.db
-				.delete(reports)
-				.where(lte(reports.expiresAt, now))
-				.returning();
+			const deletedReports = await this.reportsRepository.purgeObsolete(now);
 			this.logger.log(`Purged ${deletedReports.length} obsolete reports.`);
 
 			// 3. Purge des utilisateurs supprimés (Soft Delete > 30 jours)
 			const thirtyDaysAgo = new Date();
 			thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
 
-			const deletedUsers = await this.databaseService.db
-				.delete(users)
-				.where(
-					and(eq(users.status, "deleted"), lte(users.deletedAt, thirtyDaysAgo)),
-				)
-				.returning();
+			const deletedUsers = await this.usersRepository.purgeDeleted(thirtyDaysAgo);
 			this.logger.log(
 				`Purged ${deletedUsers.length} users marked for deletion more than 30 days ago.`,
 			);
 
 			// 4. Purge des contenus supprimés (Soft Delete > 30 jours)
-			const deletedContents = await this.databaseService.db
-				.delete(contents)
-				.where(
-					and(isNotNull(contents.deletedAt), lte(contents.deletedAt, thirtyDaysAgo)),
-				)
-				.returning();
+			const deletedContents =
+				await this.contentsRepository.purgeSoftDeleted(thirtyDaysAgo);
 			this.logger.log(
 				`Purged ${deletedContents.length} contents marked for deletion more than 30 days ago.`,
 			);

backend/src/config/env.schema.ts

@@ -33,6 +33,7 @@ export const envSchema = z.object({
 	MAIL_FROM: z.string().email(),
 
 	DOMAIN_NAME: z.string(),
+	API_URL: z.string().url().optional(),
 
 	// Sentry
 	SENTRY_DSN: z.string().optional(),

backend/src/contents/contents.controller.spec.ts

@@ -0,0 +1,230 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { OptionalAuthGuard } from "../auth/guards/optional-auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { ContentsController } from "./contents.controller";
+import { ContentsService } from "./contents.service";
+
+describe("ContentsController", () => {
+	let controller: ContentsController;
+	let service: ContentsService;
+
+	const mockContentsService = {
+		create: jest.fn(),
+		getUploadUrl: jest.fn(),
+		uploadAndProcess: jest.fn(),
+		findAll: jest.fn(),
+		findOne: jest.fn(),
+		incrementViews: jest.fn(),
+		incrementUsage: jest.fn(),
+		remove: jest.fn(),
+		removeAdmin: jest.fn(),
+		generateBotHtml: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [ContentsController],
+			providers: [
+				{ provide: ContentsService, useValue: mockContentsService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(OptionalAuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<ContentsController>(ContentsController);
+		service = module.get<ContentsService>(ContentsService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { title: "Title", type: "image" as any };
+			await controller.create(req, dto as any);
+			expect(service.create).toHaveBeenCalledWith("user-uuid", dto);
+		});
+	});
+
+	describe("getUploadUrl", () => {
+		it("should call service.getUploadUrl", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.getUploadUrl(req, "test.jpg");
+			expect(service.getUploadUrl).toHaveBeenCalledWith("user-uuid", "test.jpg");
+		});
+	});
+
+	describe("upload", () => {
+		it("should call service.uploadAndProcess", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const file = {} as Express.Multer.File;
+			const dto = { title: "Title" };
+			await controller.upload(req, file, dto as any);
+			expect(service.uploadAndProcess).toHaveBeenCalledWith(
+				"user-uuid",
+				file,
+				dto,
+			);
+		});
+	});
+
+	describe("explore", () => {
+		it("should call service.findAll", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.explore(
+				req,
+				10,
+				0,
+				"trend",
+				"tag",
+				"cat",
+				"auth",
+				"query",
+				false,
+				undefined,
+			);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "trend",
+				tag: "tag",
+				category: "cat",
+				author: "auth",
+				query: "query",
+				favoritesOnly: false,
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("trends", () => {
+		it("should call service.findAll with trend sort", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.trends(req, 10, 0);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "trend",
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("recent", () => {
+		it("should call service.findAll with recent sort", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.recent(req, 10, 0);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "recent",
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("findOne", () => {
+		it("should return json for normal user", async () => {
+			const req = { user: { sub: "user-uuid" }, headers: {} } as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			const content = { id: "1" };
+			mockContentsService.findOne.mockResolvedValue(content);
+
+			await controller.findOne("1", req, res);
+
+			expect(res.json).toHaveBeenCalledWith(content);
+		});
+
+		it("should return html for bot", async () => {
+			const req = {
+				user: { sub: "user-uuid" },
+				headers: { "user-agent": "Googlebot" },
+			} as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			const content = { id: "1" };
+			mockContentsService.findOne.mockResolvedValue(content);
+			mockContentsService.generateBotHtml.mockReturnValue("<html></html>");
+
+			await controller.findOne("1", req, res);
+
+			expect(res.send).toHaveBeenCalledWith("<html></html>");
+		});
+
+		it("should throw NotFoundException if not found", async () => {
+			const req = { user: { sub: "user-uuid" }, headers: {} } as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			mockContentsService.findOne.mockResolvedValue(null);
+
+			await expect(controller.findOne("1", req, res)).rejects.toThrow(
+				"Contenu non trouvé",
+			);
+		});
+	});
+
+	describe("incrementViews", () => {
+		it("should call service.incrementViews", async () => {
+			await controller.incrementViews("1");
+			expect(service.incrementViews).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("incrementUsage", () => {
+		it("should call service.incrementUsage", async () => {
+			await controller.incrementUsage("1");
+			expect(service.incrementUsage).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.remove", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.remove("1", req);
+			expect(service.remove).toHaveBeenCalledWith("1", "user-uuid");
+		});
+	});
+
+	describe("removeAdmin", () => {
+		it("should call service.removeAdmin", async () => {
+			await controller.removeAdmin("1");
+			expect(service.removeAdmin).toHaveBeenCalledWith("1");
+		});
+	});
+});

backend/src/contents/contents.controller.ts

@@ -19,8 +19,11 @@ import {
 	UseInterceptors,
 } from "@nestjs/common";
 import { FileInterceptor } from "@nestjs/platform-express";
-import type { Request, Response } from "express";
+import type { Response } from "express";
+import { Roles } from "../auth/decorators/roles.decorator";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { OptionalAuthGuard } from "../auth/guards/optional-auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
 import type { AuthenticatedRequest } from "../common/interfaces/request.interface";
 import { ContentsService } from "./contents.service";
 import { CreateContentDto } from "./dto/create-content.dto";
@@ -65,10 +68,12 @@ export class ContentsController {
 	}
 
 	@Get("explore")
+	@UseGuards(OptionalAuthGuard)
 	@UseInterceptors(CacheInterceptor)
 	@CacheTTL(60)
 	@Header("Cache-Control", "public, max-age=60")
 	explore(
+		@Req() req: AuthenticatedRequest,
 		@Query("limit", new DefaultValuePipe(10), ParseIntPipe) limit: number,
 		@Query("offset", new DefaultValuePipe(0), ParseIntPipe) offset: number,
 		@Query("sort") sort?: "trend" | "recent",
@@ -78,7 +83,7 @@ export class ContentsController {
 		@Query("query") query?: string,
 		@Query("favoritesOnly", new DefaultValuePipe(false), ParseBoolPipe)
 		favoritesOnly?: boolean,
-		@Query("userId") userId?: string,
+		@Query("userId") userIdQuery?: string,
 	) {
 		return this.contentsService.findAll({
 			limit,
@@ -89,42 +94,57 @@ export class ContentsController {
 			author,
 			query,
 			favoritesOnly,
-			userId,
+			userId: userIdQuery || req.user?.sub,
 		});
 	}
 
 	@Get("trends")
+	@UseGuards(OptionalAuthGuard)
 	@UseInterceptors(CacheInterceptor)
 	@CacheTTL(300)
 	@Header("Cache-Control", "public, max-age=300")
 	trends(
+		@Req() req: AuthenticatedRequest,
 		@Query("limit", new DefaultValuePipe(10), ParseIntPipe) limit: number,
 		@Query("offset", new DefaultValuePipe(0), ParseIntPipe) offset: number,
 	) {
-		return this.contentsService.findAll({ limit, offset, sortBy: "trend" });
+		return this.contentsService.findAll({
+			limit,
+			offset,
+			sortBy: "trend",
+			userId: req.user?.sub,
+		});
 	}
 
 	@Get("recent")
+	@UseGuards(OptionalAuthGuard)
 	@UseInterceptors(CacheInterceptor)
 	@CacheTTL(60)
 	@Header("Cache-Control", "public, max-age=60")
 	recent(
+		@Req() req: AuthenticatedRequest,
 		@Query("limit", new DefaultValuePipe(10), ParseIntPipe) limit: number,
 		@Query("offset", new DefaultValuePipe(0), ParseIntPipe) offset: number,
 	) {
-		return this.contentsService.findAll({ limit, offset, sortBy: "recent" });
+		return this.contentsService.findAll({
+			limit,
+			offset,
+			sortBy: "recent",
+			userId: req.user?.sub,
+		});
 	}
 
 	@Get(":idOrSlug")
+	@UseGuards(OptionalAuthGuard)
 	@UseInterceptors(CacheInterceptor)
 	@CacheTTL(3600)
 	@Header("Cache-Control", "public, max-age=3600")
 	async findOne(
 		@Param("idOrSlug") idOrSlug: string,
-		@Req() req: Request,
+		@Req() req: AuthenticatedRequest,
 		@Res() res: Response,
 	) {
-		const content = await this.contentsService.findOne(idOrSlug);
+		const content = await this.contentsService.findOne(idOrSlug, req.user?.sub);
 		if (!content) {
 			throw new NotFoundException("Contenu non trouvé");
 		}
@@ -136,25 +156,7 @@ export class ContentsController {
 			);
 
 		if (isBot) {
-			const imageUrl = this.contentsService.getFileUrl(content.storageKey);
-			const html = `<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <title>${content.title}</title>
-    <meta property="og:title" content="${content.title}" />
-    <meta property="og:type" content="website" />
-    <meta property="og:image" content="${imageUrl}" />
-    <meta property="og:description" content="Découvrez ce meme sur Memegoat" />
-    <meta name="twitter:card" content="summary_large_image" />
-    <meta name="twitter:title" content="${content.title}" />
-    <meta name="twitter:image" content="${imageUrl}" />
-</head>
-<body>
-    <h1>${content.title}</h1>
-    <img src="${imageUrl}" alt="${content.title}" />
-</body>
-</html>`;
+			const html = this.contentsService.generateBotHtml(content);
 			return res.send(html);
 		}
 
@@ -176,4 +178,11 @@ export class ContentsController {
 	remove(@Param("id") id: string, @Req() req: AuthenticatedRequest) {
 		return this.contentsService.remove(id, req.user.sub);
 	}
+
+	@Delete(":id/admin")
+	@UseGuards(AuthGuard, RolesGuard)
+	@Roles("admin")
+	removeAdmin(@Param("id") id: string) {
+		return this.contentsService.removeAdmin(id);
+	}
 }

backend/src/contents/contents.module.ts

@@ -1,15 +1,15 @@
 import { Module } from "@nestjs/common";
 import { AuthModule } from "../auth/auth.module";
-import { CryptoModule } from "../crypto/crypto.module";
-import { DatabaseModule } from "../database/database.module";
 import { MediaModule } from "../media/media.module";
 import { S3Module } from "../s3/s3.module";
 import { ContentsController } from "./contents.controller";
 import { ContentsService } from "./contents.service";
+import { ContentsRepository } from "./repositories/contents.repository";
 
 @Module({
-	imports: [DatabaseModule, S3Module, AuthModule, CryptoModule, MediaModule],
+	imports: [S3Module, AuthModule, MediaModule],
 	controllers: [ContentsController],
-	providers: [ContentsService],
+	providers: [ContentsService, ContentsRepository],
+	exports: [ContentsRepository],
 })
 export class ContentsModule {}

backend/src/contents/contents.service.spec.ts

@@ -2,40 +2,36 @@ jest.mock("uuid", () => ({
 	v4: jest.fn(() => "mocked-uuid"),
 }));
 
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { BadRequestException } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../database/database.service";
 import { MediaService } from "../media/media.service";
 import { S3Service } from "../s3/s3.service";
 import { ContentsService } from "./contents.service";
+import { ContentsRepository } from "./repositories/contents.repository";
 
 describe("ContentsService", () => {
 	let service: ContentsService;
 	let s3Service: S3Service;
 	let mediaService: MediaService;
 
-	const mockDb = {
-		select: jest.fn().mockReturnThis(),
-		from: jest.fn().mockReturnThis(),
-		where: jest.fn().mockReturnThis(),
-		limit: jest.fn().mockReturnThis(),
-		offset: jest.fn().mockReturnThis(),
-		orderBy: jest.fn().mockReturnThis(),
-		innerJoin: jest.fn().mockReturnThis(),
-		insert: jest.fn().mockReturnThis(),
-		values: jest.fn().mockReturnThis(),
-		update: jest.fn().mockReturnThis(),
-		set: jest.fn().mockReturnThis(),
-		returning: jest.fn().mockResolvedValue([]),
-		onConflictDoNothing: jest.fn().mockReturnThis(),
-		transaction: jest.fn().mockImplementation((cb) => cb(mockDb)),
-		execute: jest.fn().mockResolvedValue([]),
+	const mockContentsRepository = {
+		findAll: jest.fn(),
+		count: jest.fn(),
+		create: jest.fn(),
+		incrementViews: jest.fn(),
+		incrementUsage: jest.fn(),
+		softDelete: jest.fn(),
+		softDeleteAdmin: jest.fn(),
+		findOne: jest.fn(),
+		findBySlug: jest.fn(),
 	};
 
 	const mockS3Service = {
 		getUploadUrl: jest.fn(),
 		uploadFile: jest.fn(),
+		getPublicUrl: jest.fn(),
 	};
 
 	const mockMediaService = {
@@ -48,46 +44,22 @@ describe("ContentsService", () => {
 		get: jest.fn(),
 	};
 
+	const mockCacheManager = {
+		clear: jest.fn(),
+		del: jest.fn(),
+	};
+
 	beforeEach(async () => {
 		jest.clearAllMocks();
 
-		const chain = {
-			select: jest.fn().mockReturnThis(),
-			from: jest.fn().mockReturnThis(),
-			where: jest.fn().mockReturnThis(),
-			orderBy: jest.fn().mockReturnThis(),
-			limit: jest.fn().mockReturnThis(),
-			offset: jest.fn().mockReturnThis(),
-			innerJoin: jest.fn().mockReturnThis(),
-			insert: jest.fn().mockReturnThis(),
-			values: jest.fn().mockReturnThis(),
-			update: jest.fn().mockReturnThis(),
-			set: jest.fn().mockReturnThis(),
-			returning: jest.fn().mockReturnThis(),
-			onConflictDoNothing: jest.fn().mockReturnThis(),
-		};
-
-		const mockImplementation = () => {
-			return Object.assign(Promise.resolve([]), chain);
-		};
-
-		for (const mock of Object.values(chain)) {
-
-			//TODO Fix : TS2774: This condition will always return true since this function is always defined. Did you mean to call it instead?
-			if (mock.mockReturnValue) {
-				mock.mockImplementation(mockImplementation);
-			}
-		}
-
-		Object.assign(mockDb, chain);
-
 		const module: TestingModule = await Test.createTestingModule({
 			providers: [
 				ContentsService,
-				{ provide: DatabaseService, useValue: { db: mockDb } },
+				{ provide: ContentsRepository, useValue: mockContentsRepository },
 				{ provide: S3Service, useValue: mockS3Service },
 				{ provide: MediaService, useValue: mockMediaService },
 				{ provide: ConfigService, useValue: mockConfigService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
 			],
 		}).compile();
 
@@ -127,7 +99,8 @@ describe("ContentsService", () => {
 				mimeType: "image/webp",
 				size: 500,
 			});
-			mockDb.returning.mockResolvedValue([{ id: "content-id" }]);
+			mockContentsRepository.findBySlug.mockResolvedValue(null);
+			mockContentsRepository.create.mockResolvedValue({ id: "content-id" });
 
 			const result = await service.uploadAndProcess("user1", file, {
 				title: "Meme",
@@ -155,8 +128,8 @@ describe("ContentsService", () => {
 
 	describe("findAll", () => {
 		it("should return contents and total count", async () => {
-			mockDb.where.mockResolvedValueOnce([{ count: 10 }]); // for count
-			mockDb.offset.mockResolvedValueOnce([{ id: "1" }]); // for data
+			mockContentsRepository.count.mockResolvedValue(10);
+			mockContentsRepository.findAll.mockResolvedValue([{ id: "1" }]);
 
 			const result = await service.findAll({ limit: 10, offset: 0 });
 
@@ -167,10 +140,89 @@ describe("ContentsService", () => {
 
 	describe("incrementViews", () => {
 		it("should increment views", async () => {
-			mockDb.returning.mockResolvedValue([{ id: "1", views: 1 }]);
+			mockContentsRepository.incrementViews.mockResolvedValue([
+				{ id: "1", views: 1 },
+			]);
 			const result = await service.incrementViews("1");
-			expect(mockDb.update).toHaveBeenCalled();
+			expect(mockContentsRepository.incrementViews).toHaveBeenCalledWith("1");
 			expect(result[0].views).toBe(1);
 		});
 	});
+
+	describe("incrementUsage", () => {
+		it("should increment usage", async () => {
+			mockContentsRepository.incrementUsage.mockResolvedValue([
+				{ id: "1", usageCount: 1 },
+			]);
+			await service.incrementUsage("1");
+			expect(mockContentsRepository.incrementUsage).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should soft delete content", async () => {
+			mockContentsRepository.softDelete.mockResolvedValue({ id: "1" });
+			await service.remove("1", "u1");
+			expect(mockContentsRepository.softDelete).toHaveBeenCalledWith("1", "u1");
+		});
+	});
+
+	describe("removeAdmin", () => {
+		it("should soft delete content without checking owner", async () => {
+			mockContentsRepository.softDeleteAdmin.mockResolvedValue({ id: "1" });
+			await service.removeAdmin("1");
+			expect(mockContentsRepository.softDeleteAdmin).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("findOne", () => {
+		it("should return content by id", async () => {
+			mockContentsRepository.findOne.mockResolvedValue({
+				id: "1",
+				storageKey: "k",
+				author: { avatarUrl: "a" },
+			});
+			mockS3Service.getPublicUrl.mockReturnValue("url");
+			const result = await service.findOne("1");
+			expect(result.id).toBe("1");
+			expect(result.url).toBe("url");
+		});
+
+		it("should return content by slug", async () => {
+			mockContentsRepository.findOne.mockResolvedValue({
+				id: "1",
+				slug: "s",
+				storageKey: "k",
+			});
+			const result = await service.findOne("s");
+			expect(result.slug).toBe("s");
+		});
+	});
+
+	describe("generateBotHtml", () => {
+		it("should generate html with og tags", () => {
+			const content = { title: "Title", storageKey: "k" };
+			mockS3Service.getPublicUrl.mockReturnValue("url");
+			const html = service.generateBotHtml(content as any);
+			expect(html).toContain("<title>Title</title>");
+			expect(html).toContain('content="Title"');
+			expect(html).toContain('content="url"');
+		});
+	});
+
+	describe("ensureUniqueSlug", () => {
+		it("should return original slug if unique", async () => {
+			mockContentsRepository.findBySlug.mockResolvedValue(null);
+			const slug = (service as any).ensureUniqueSlug("My Title");
+			await expect(slug).resolves.toBe("my-title");
+		});
+
+		it("should append counter if not unique", async () => {
+			mockContentsRepository.findBySlug
+				.mockResolvedValueOnce({ id: "1" })
+				.mockResolvedValueOnce(null);
+			const slug = await (service as any).ensureUniqueSlug("My Title");
+			expect(slug).toBe("my-title-1");
+		});
+	});
 });

backend/src/contents/contents.service.ts

@@ -1,52 +1,39 @@
-import { BadRequestException, Injectable, Logger } from "@nestjs/common";
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
-import { Cache } from "cache-manager";
-import { Inject } from "@nestjs/common";
+import {
+	BadRequestException,
+	Inject,
+	Injectable,
+	Logger,
+} from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
-import {
-	and,
-	desc,
-	eq,
-	exists,
-	ilike,
-	isNull,
-	type SQL,
-	sql,
-} from "drizzle-orm";
+import type { Cache } from "cache-manager";
 import { v4 as uuidv4 } from "uuid";
-import { DatabaseService } from "../database/database.service";
-import {
-	categories,
-	contents,
-	contentsToTags,
-	favorites,
-	tags,
-	users,
-} from "../database/schemas";
-import type { MediaProcessingResult } from "../media/interfaces/media.interface";
+import type {
+	IMediaService,
+	MediaProcessingResult,
+} from "../common/interfaces/media.interface";
+import type { IStorageService } from "../common/interfaces/storage.interface";
 import { MediaService } from "../media/media.service";
 import { S3Service } from "../s3/s3.service";
 import { CreateContentDto } from "./dto/create-content.dto";
+import { UploadContentDto } from "./dto/upload-content.dto";
+import { ContentsRepository } from "./repositories/contents.repository";
 
 @Injectable()
 export class ContentsService {
 	private readonly logger = new Logger(ContentsService.name);
 
 	constructor(
-		private readonly databaseService: DatabaseService,
-		private readonly s3Service: S3Service,
-		private readonly mediaService: MediaService,
+		private readonly contentsRepository: ContentsRepository,
+		@Inject(S3Service) private readonly s3Service: IStorageService,
+		@Inject(MediaService) private readonly mediaService: IMediaService,
 		private readonly configService: ConfigService,
 		@Inject(CACHE_MANAGER) private cacheManager: Cache,
 	) {}
 
 	private async clearContentsCache() {
 		this.logger.log("Clearing contents cache");
-		const keys = await this.cacheManager.store.keys();
-		const contentsKeys = keys.filter((key) => key.startsWith("contents/"));
-		for (const key of contentsKeys) {
-			await this.cacheManager.del(key);
-		}
+		await this.cacheManager.clear();
 	}
 
 	async getUploadUrl(userId: string, fileName: string) {
@@ -58,12 +45,7 @@ export class ContentsService {
 	async uploadAndProcess(
 		userId: string,
 		file: Express.Multer.File,
-		data: {
-			title: string;
-			type: "meme" | "gif";
-			categoryId?: string;
-			tags?: string[];
-		},
+		data: UploadContentDto,
 	) {
 		this.logger.log(`Uploading and processing file for user ${userId}`);
 		// 0. Validation du format et de la taille
@@ -118,6 +100,7 @@ export class ContentsService {
 		// 3. Upload vers S3
 		const key = `contents/${userId}/${Date.now()}-${uuidv4()}.${processed.extension}`;
 		await this.s3Service.uploadFile(key, processed.buffer, processed.mimeType);
+		this.logger.log(`File uploaded successfully to S3: ${key}`);
 
 		// 4. Création en base de données
 		return await this.create(userId, {
@@ -139,105 +122,23 @@ export class ContentsService {
 		favoritesOnly?: boolean;
 		userId?: string; // Nécessaire si favoritesOnly est vrai
 	}) {
-		const {
-			limit,
-			offset,
-			sortBy,
-			tag,
-			category,
-			author,
-			query,
-			favoritesOnly,
-			userId,
-		} = options;
+		const [data, totalCount] = await Promise.all([
+			this.contentsRepository.findAll(options),
+			this.contentsRepository.count(options),
+		]);
 
-		let whereClause: SQL | undefined = isNull(contents.deletedAt);
+		const processedData = data.map((content) => ({
+			...content,
+			url: this.s3Service.getPublicUrl(content.storageKey),
+			author: {
+				...content.author,
+				avatarUrl: content.author?.avatarUrl
+					? this.s3Service.getPublicUrl(content.author.avatarUrl)
+					: null,
+			},
+		}));
 
-		if (tag) {
-			whereClause = and(
-				whereClause,
-				exists(
-					this.databaseService.db
-						.select()
-						.from(contentsToTags)
-						.innerJoin(tags, eq(contentsToTags.tagId, tags.id))
-						.where(
-							and(eq(contentsToTags.contentId, contents.id), eq(tags.name, tag)),
-						),
-				),
-			);
-		}
-
-		if (author) {
-			whereClause = and(
-				whereClause,
-				exists(
-					this.databaseService.db
-						.select()
-						.from(users)
-						.where(and(eq(users.uuid, contents.userId), eq(users.username, author))),
-				),
-			);
-		}
-
-		if (category) {
-			whereClause = and(
-				whereClause,
-				exists(
-					this.databaseService.db
-						.select()
-						.from(categories)
-						.where(
-							and(
-								eq(categories.id, contents.categoryId),
-								sql`(${categories.slug} = ${category} OR ${categories.id}::text = ${category})`,
-							),
-						),
-				),
-			);
-		}
-
-		if (query) {
-			whereClause = and(whereClause, ilike(contents.title, `%${query}%`));
-		}
-
-		if (favoritesOnly && userId) {
-			whereClause = and(
-				whereClause,
-				exists(
-					this.databaseService.db
-						.select()
-						.from(favorites)
-						.where(
-							and(eq(favorites.contentId, contents.id), eq(favorites.userId, userId)),
-						),
-				),
-			);
-		}
-
-		// Pagination Total Count
-		const totalCountResult = await this.databaseService.db
-			.select({ count: sql<number>`count(*)` })
-			.from(contents)
-			.where(whereClause);
-
-		const totalCount = Number(totalCountResult[0].count);
-
-		// Sorting
-		let orderBy: SQL = desc(contents.createdAt);
-		if (sortBy === "trend") {
-			orderBy = desc(sql`${contents.views} + ${contents.usageCount}`);
-		}
-
-		const data = await this.databaseService.db
-			.select()
-			.from(contents)
-			.where(whereClause)
-			.orderBy(orderBy)
-			.limit(limit)
-			.offset(offset);
-
-		return { data, totalCount };
+		return { data: processedData, totalCount };
 	}
 
 	async create(userId: string, data: CreateContentDto) {
@@ -246,101 +147,79 @@ export class ContentsService {
 
 		const slug = await this.ensureUniqueSlug(contentData.title);
 
-		return await this.databaseService.db.transaction(async (tx) => {
-			const [newContent] = await tx
-				.insert(contents)
-				.values({ ...contentData, userId, slug })
-				.returning();
+		const newContent = await this.contentsRepository.create(
+			{ ...contentData, userId, slug },
+			tagNames,
+		);
 
-			if (tagNames && tagNames.length > 0) {
-				for (const tagName of tagNames) {
-					const slug = tagName
-						.toLowerCase()
-						.replace(/ /g, "-")
-						.replace(/[^\w-]/g, "");
-
-					// Trouver ou créer le tag
-					let [tag] = await tx
-						.select()
-						.from(tags)
-						.where(eq(tags.slug, slug))
-						.limit(1);
-
-					if (!tag) {
-						[tag] = await tx
-							.insert(tags)
-							.values({ name: tagName, slug, userId })
-							.returning();
-					}
-
-					// Lier le tag au contenu
-					await tx
-						.insert(contentsToTags)
-						.values({ contentId: newContent.id, tagId: tag.id })
-						.onConflictDoNothing();
-				}
-			}
-
-			await this.clearContentsCache();
-			return newContent;
-		});
+		await this.clearContentsCache();
+		return newContent;
 	}
 
 	async incrementViews(id: string) {
-		return await this.databaseService.db
-			.update(contents)
-			.set({ views: sql`${contents.views} + 1` })
-			.where(eq(contents.id, id))
-			.returning();
+		return await this.contentsRepository.incrementViews(id);
 	}
 
 	async incrementUsage(id: string) {
-		return await this.databaseService.db
-			.update(contents)
-			.set({ usageCount: sql`${contents.usageCount} + 1` })
-			.where(eq(contents.id, id))
-			.returning();
+		return await this.contentsRepository.incrementUsage(id);
 	}
 
 	async remove(id: string, userId: string) {
 		this.logger.log(`Removing content ${id} for user ${userId}`);
-		const result = await this.databaseService.db
-			.update(contents)
-			.set({ deletedAt: new Date() })
-			.where(and(eq(contents.id, id), eq(contents.userId, userId)))
-			.returning();
+		const deleted = await this.contentsRepository.softDelete(id, userId);
 
-		if (result.length > 0) {
+		if (deleted) {
 			await this.clearContentsCache();
 		}
-		return result;
+		return deleted;
 	}
 
-	async findOne(idOrSlug: string) {
-		const [content] = await this.databaseService.db
-			.select()
-			.from(contents)
-			.where(
-				and(
-					isNull(contents.deletedAt),
-					sql`(${contents.id}::text = ${idOrSlug} OR ${contents.slug} = ${idOrSlug})`,
-				),
-			)
-			.limit(1);
-		return content;
-	}
+	async removeAdmin(id: string) {
+		this.logger.log(`Removing content ${id} by admin`);
+		const deleted = await this.contentsRepository.softDeleteAdmin(id);
 
-	getFileUrl(storageKey: string): string {
-		const endpoint = this.configService.get("S3_ENDPOINT");
-		const port = this.configService.get("S3_PORT");
-		const protocol =
-			this.configService.get("S3_USE_SSL") === true ? "https" : "http";
-		const bucket = this.configService.get("S3_BUCKET_NAME");
-
-		if (endpoint === "localhost" || endpoint === "127.0.0.1") {
-			return `${protocol}://${endpoint}:${port}/${bucket}/${storageKey}`;
+		if (deleted) {
+			await this.clearContentsCache();
 		}
-		return `${protocol}://${endpoint}/${bucket}/${storageKey}`;
+		return deleted;
+	}
+
+	async findOne(idOrSlug: string, userId?: string) {
+		const content = await this.contentsRepository.findOne(idOrSlug, userId);
+		if (!content) return null;
+
+		return {
+			...content,
+			url: this.s3Service.getPublicUrl(content.storageKey),
+			author: {
+				...content.author,
+				avatarUrl: content.author?.avatarUrl
+					? this.s3Service.getPublicUrl(content.author.avatarUrl)
+					: null,
+			},
+		};
+	}
+
+	generateBotHtml(content: { title: string; storageKey: string }): string {
+		const imageUrl = this.s3Service.getPublicUrl(content.storageKey);
+		return `<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>${content.title}</title>
+    <meta property="og:title" content="${content.title}" />
+    <meta property="og:type" content="website" />
+    <meta property="og:image" content="${imageUrl}" />
+    <meta property="og:description" content="Découvrez ce meme sur Memegoat" />
+    <meta name="twitter:card" content="summary_large_image" />
+    <meta name="twitter:title" content="${content.title}" />
+    <meta name="twitter:image" content="${imageUrl}" />
+</head>
+<body>
+    <h1>${content.title}</h1>
+    <img src="${imageUrl}" alt="${content.title}" />
+</body>
+</html>`;
 	}
 
 	private generateSlug(text: string): string {
@@ -359,11 +238,7 @@ export class ContentsService {
 		let counter = 1;
 
 		while (true) {
-			const [existing] = await this.databaseService.db
-				.select()
-				.from(contents)
-				.where(eq(contents.slug, slug))
-				.limit(1);
+			const existing = await this.contentsRepository.findBySlug(slug);
 
 			if (!existing) break;
 			slug = `${baseSlug}-${counter++}`;

backend/src/contents/dto/create-content.dto.ts

@@ -6,6 +6,7 @@ import {
 	IsOptional,
 	IsString,
 	IsUUID,
+	MaxLength,
 } from "class-validator";
 
 export enum ContentType {
@@ -19,14 +20,17 @@ export class CreateContentDto {
 
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(255)
 	title!: string;
 
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(512)
 	storageKey!: string;
 
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(128)
 	mimeType!: string;
 
 	@IsInt()
@@ -39,5 +43,6 @@ export class CreateContentDto {
 	@IsOptional()
 	@IsArray()
 	@IsString({ each: true })
+	@MaxLength(64, { each: true })
 	tags?: string[];
 }

backend/src/contents/dto/upload-content.dto.ts

@@ -1,9 +1,11 @@
 import {
+	IsArray,
 	IsEnum,
 	IsNotEmpty,
 	IsOptional,
 	IsString,
 	IsUUID,
+	MaxLength,
 } from "class-validator";
 import { ContentType } from "./create-content.dto";
 
@@ -13,6 +15,7 @@ export class UploadContentDto {
 
 	@IsString()
 	@IsNotEmpty()
+	@MaxLength(255)
 	title!: string;
 
 	@IsOptional()
@@ -20,6 +23,8 @@ export class UploadContentDto {
 	categoryId?: string;
 
 	@IsOptional()
+	@IsArray()
 	@IsString({ each: true })
+	@MaxLength(64, { each: true })
 	tags?: string[];
 }

backend/src/contents/repositories/contents.repository.ts

@@ -0,0 +1,427 @@
+import { Injectable } from "@nestjs/common";
+import {
+	and,
+	desc,
+	eq,
+	exists,
+	ilike,
+	isNull,
+	lte,
+	type SQL,
+	sql,
+} from "drizzle-orm";
+import { DatabaseService } from "../../database/database.service";
+import {
+	categories,
+	contents,
+	contentsToTags,
+	favorites,
+	tags,
+	users,
+} from "../../database/schemas";
+import type { NewContentInDb } from "../../database/schemas/content";
+
+export interface FindAllOptions {
+	limit: number;
+	offset: number;
+	sortBy?: "trend" | "recent";
+	tag?: string;
+	category?: string;
+	author?: string;
+	query?: string;
+	favoritesOnly?: boolean;
+	userId?: string;
+}
+
+@Injectable()
+export class ContentsRepository {
+	constructor(private readonly databaseService: DatabaseService) {}
+
+	async findAll(options: FindAllOptions) {
+		const {
+			limit,
+			offset,
+			sortBy,
+			tag,
+			category,
+			author,
+			query,
+			favoritesOnly,
+			userId,
+		} = options;
+
+		let whereClause: SQL | undefined = isNull(contents.deletedAt);
+
+		if (tag) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(contentsToTags)
+						.innerJoin(tags, eq(contentsToTags.tagId, tags.id))
+						.where(
+							and(eq(contentsToTags.contentId, contents.id), eq(tags.name, tag)),
+						),
+				),
+			);
+		}
+
+		if (category) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(categories)
+						.where(
+							and(
+								eq(contents.categoryId, categories.id),
+								sql`(${categories.id}::text = ${category} OR ${categories.slug} = ${category})`,
+							),
+						),
+				),
+			);
+		}
+
+		if (author) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(users)
+						.where(
+							and(
+								eq(contents.userId, users.uuid),
+								sql`(${users.uuid}::text = ${author} OR ${users.username} = ${author})`,
+							),
+						),
+				),
+			);
+		}
+
+		if (query) {
+			whereClause = and(whereClause, ilike(contents.title, `%${query}%`));
+		}
+
+		if (favoritesOnly && userId) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(favorites)
+						.where(
+							and(eq(favorites.contentId, contents.id), eq(favorites.userId, userId)),
+						),
+				),
+			);
+		}
+
+		let orderBy = desc(contents.createdAt);
+		if (sortBy === "trend") {
+			orderBy = desc(sql`${contents.views} + ${contents.usageCount} * 2`);
+		}
+
+		const results = await this.databaseService.db
+			.select({
+				id: contents.id,
+				title: contents.title,
+				slug: contents.slug,
+				type: contents.type,
+				storageKey: contents.storageKey,
+				mimeType: contents.mimeType,
+				fileSize: contents.fileSize,
+				views: contents.views,
+				usageCount: contents.usageCount,
+				favoritesCount:
+					sql<number>`(SELECT count(*) FROM ${favorites} WHERE ${favorites.contentId} = ${contents.id})`.mapWith(
+						Number,
+					),
+				isLiked: userId
+					? sql<boolean>`EXISTS(SELECT 1 FROM ${favorites} WHERE ${favorites.contentId} = ${contents.id} AND ${favorites.userId} = ${userId})`
+					: sql<boolean>`false`,
+				createdAt: contents.createdAt,
+				updatedAt: contents.updatedAt,
+				author: {
+					id: users.uuid,
+					username: users.username,
+					displayName: users.displayName,
+					avatarUrl: users.avatarUrl,
+				},
+				category: {
+					id: categories.id,
+					name: categories.name,
+					slug: categories.slug,
+				},
+			})
+			.from(contents)
+			.leftJoin(users, eq(contents.userId, users.uuid))
+			.leftJoin(categories, eq(contents.categoryId, categories.id))
+			.where(whereClause)
+			.orderBy(orderBy)
+			.limit(limit)
+			.offset(offset);
+
+		const contentIds = results.map((r) => r.id);
+		const tagsForContents = contentIds.length
+			? await this.databaseService.db
+					.select({
+						contentId: contentsToTags.contentId,
+						name: tags.name,
+					})
+					.from(contentsToTags)
+					.innerJoin(tags, eq(contentsToTags.tagId, tags.id))
+					.where(sql`${contentsToTags.contentId} IN ${contentIds}`)
+			: [];
+
+		return results.map((r) => ({
+			...r,
+			tags: tagsForContents.filter((t) => t.contentId === r.id).map((t) => t.name),
+		}));
+	}
+
+	async create(data: NewContentInDb & { userId: string }, tagNames?: string[]) {
+		return await this.databaseService.db.transaction(async (tx) => {
+			const [newContent] = await tx.insert(contents).values(data).returning();
+
+			if (tagNames && tagNames.length > 0) {
+				for (const tagName of tagNames) {
+					const slug = tagName
+						.toLowerCase()
+						.replace(/ /g, "-")
+						.replace(/[^\w-]/g, "");
+
+					let [tag] = await tx
+						.select()
+						.from(tags)
+						.where(eq(tags.slug, slug))
+						.limit(1);
+
+					if (!tag) {
+						[tag] = await tx
+							.insert(tags)
+							.values({
+								name: tagName,
+								slug,
+								userId: data.userId,
+							})
+							.returning();
+					}
+
+					await tx
+						.insert(contentsToTags)
+						.values({
+							contentId: newContent.id,
+							tagId: tag.id,
+						})
+						.onConflictDoNothing();
+				}
+			}
+
+			return newContent;
+		});
+	}
+
+	async findOne(idOrSlug: string, userId?: string) {
+		const [result] = await this.databaseService.db
+			.select({
+				id: contents.id,
+				title: contents.title,
+				slug: contents.slug,
+				type: contents.type,
+				storageKey: contents.storageKey,
+				mimeType: contents.mimeType,
+				fileSize: contents.fileSize,
+				views: contents.views,
+				usageCount: contents.usageCount,
+				favoritesCount:
+					sql<number>`(SELECT count(*) FROM ${favorites} WHERE ${favorites.contentId} = ${contents.id})`.mapWith(
+						Number,
+					),
+				isLiked: userId
+					? sql<boolean>`EXISTS(SELECT 1 FROM ${favorites} WHERE ${favorites.contentId} = ${contents.id} AND ${favorites.userId} = ${userId})`
+					: sql<boolean>`false`,
+				createdAt: contents.createdAt,
+				updatedAt: contents.updatedAt,
+				userId: contents.userId,
+				author: {
+					id: users.uuid,
+					username: users.username,
+					displayName: users.displayName,
+					avatarUrl: users.avatarUrl,
+				},
+				category: {
+					id: categories.id,
+					name: categories.name,
+					slug: categories.slug,
+				},
+			})
+			.from(contents)
+			.leftJoin(users, eq(contents.userId, users.uuid))
+			.leftJoin(categories, eq(contents.categoryId, categories.id))
+			.where(
+				and(
+					isNull(contents.deletedAt),
+					sql`(${contents.id}::text = ${idOrSlug} OR ${contents.slug} = ${idOrSlug})`,
+				),
+			)
+			.limit(1);
+
+		if (!result) return null;
+
+		const tagsForContent = await this.databaseService.db
+			.select({
+				name: tags.name,
+			})
+			.from(contentsToTags)
+			.innerJoin(tags, eq(contentsToTags.tagId, tags.id))
+			.where(eq(contentsToTags.contentId, result.id));
+
+		return {
+			...result,
+			tags: tagsForContent.map((t) => t.name),
+		};
+	}
+
+	async count(options: {
+		tag?: string;
+		category?: string;
+		author?: string;
+		query?: string;
+		favoritesOnly?: boolean;
+		userId?: string;
+	}) {
+		const { tag, category, author, query, favoritesOnly, userId } = options;
+
+		let whereClause: SQL | undefined = isNull(contents.deletedAt);
+
+		if (tag) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(contentsToTags)
+						.innerJoin(tags, eq(contentsToTags.tagId, tags.id))
+						.where(
+							and(eq(contentsToTags.contentId, contents.id), eq(tags.name, tag)),
+						),
+				),
+			);
+		}
+
+		if (category) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(categories)
+						.where(
+							and(
+								eq(contents.categoryId, categories.id),
+								sql`(${categories.id}::text = ${category} OR ${categories.slug} = ${category})`,
+							),
+						),
+				),
+			);
+		}
+
+		if (author) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(users)
+						.where(
+							and(
+								eq(contents.userId, users.uuid),
+								sql`(${users.uuid}::text = ${author} OR ${users.username} = ${author})`,
+							),
+						),
+				),
+			);
+		}
+
+		if (query) {
+			whereClause = and(whereClause, ilike(contents.title, `%${query}%`));
+		}
+
+		if (favoritesOnly && userId) {
+			whereClause = and(
+				whereClause,
+				exists(
+					this.databaseService.db
+						.select()
+						.from(favorites)
+						.where(
+							and(eq(favorites.contentId, contents.id), eq(favorites.userId, userId)),
+						),
+				),
+			);
+		}
+
+		const [result] = await this.databaseService.db
+			.select({ count: sql<number>`count(*)` })
+			.from(contents)
+			.where(whereClause);
+
+		return Number(result.count);
+	}
+
+	async incrementViews(id: string) {
+		await this.databaseService.db
+			.update(contents)
+			.set({ views: sql`${contents.views} + 1` })
+			.where(eq(contents.id, id));
+	}
+
+	async incrementUsage(id: string) {
+		await this.databaseService.db
+			.update(contents)
+			.set({ usageCount: sql`${contents.usageCount} + 1` })
+			.where(eq(contents.id, id));
+	}
+
+	async softDelete(id: string, userId: string) {
+		const [deleted] = await this.databaseService.db
+			.update(contents)
+			.set({ deletedAt: new Date() })
+			.where(and(eq(contents.id, id), eq(contents.userId, userId)))
+			.returning();
+		return deleted;
+	}
+
+	async softDeleteAdmin(id: string) {
+		const [deleted] = await this.databaseService.db
+			.update(contents)
+			.set({ deletedAt: new Date() })
+			.where(eq(contents.id, id))
+			.returning();
+		return deleted;
+	}
+
+	async findBySlug(slug: string) {
+		const [result] = await this.databaseService.db
+			.select()
+			.from(contents)
+			.where(eq(contents.slug, slug))
+			.limit(1);
+		return result;
+	}
+
+	async purgeSoftDeleted(before: Date) {
+		return await this.databaseService.db
+			.delete(contents)
+			.where(
+				and(
+					sql`${contents.deletedAt} IS NOT NULL`,
+					lte(contents.deletedAt, before),
+				),
+			)
+			.returning();
+	}
+}

backend/src/crypto/crypto.module.ts

@@ -1,8 +1,25 @@
-import { Module } from "@nestjs/common";
+import { Global, Module } from "@nestjs/common";
 import { CryptoService } from "./crypto.service";
+import { EncryptionService } from "./services/encryption.service";
+import { HashingService } from "./services/hashing.service";
+import { JwtService } from "./services/jwt.service";
+import { PostQuantumService } from "./services/post-quantum.service";
 
+@Global()
 @Module({
-	providers: [CryptoService],
-	exports: [CryptoService],
+	providers: [
+		CryptoService,
+		HashingService,
+		JwtService,
+		EncryptionService,
+		PostQuantumService,
+	],
+	exports: [
+		CryptoService,
+		HashingService,
+		JwtService,
+		EncryptionService,
+		PostQuantumService,
+	],
 })
 export class CryptoModule {}

backend/src/crypto/crypto.service.spec.ts

@@ -64,6 +64,10 @@ jest.mock("jose", () => ({
 }));
 
 import { CryptoService } from "./crypto.service";
+import { EncryptionService } from "./services/encryption.service";
+import { HashingService } from "./services/hashing.service";
+import { JwtService } from "./services/jwt.service";
+import { PostQuantumService } from "./services/post-quantum.service";
 
 describe("CryptoService", () => {
 	let service: CryptoService;
@@ -72,6 +76,10 @@ describe("CryptoService", () => {
 		const module: TestingModule = await Test.createTestingModule({
 			providers: [
 				CryptoService,
+				HashingService,
+				JwtService,
+				EncryptionService,
+				PostQuantumService,
 				{
 					provide: ConfigService,
 					useValue: {

backend/src/crypto/crypto.service.ts

@@ -1,151 +1,79 @@
-import { Injectable, Logger } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
-import { ml_kem768 } from "@noble/post-quantum/ml-kem.js";
-import { hash, verify } from "@node-rs/argon2";
-import * as jose from "jose";
+import { Injectable } from "@nestjs/common";
+import type * as jose from "jose";
+import { EncryptionService } from "./services/encryption.service";
+import { HashingService } from "./services/hashing.service";
+import { JwtService } from "./services/jwt.service";
+import { PostQuantumService } from "./services/post-quantum.service";
 
+/**
+ * @deprecated Use HashingService, JwtService, EncryptionService or PostQuantumService directly.
+ * This service acts as a Facade for backward compatibility.
+ */
 @Injectable()
 export class CryptoService {
-	private readonly logger = new Logger(CryptoService.name);
-	private readonly jwtSecret: Uint8Array;
-	private readonly encryptionKey: Uint8Array;
-
-	constructor(private configService: ConfigService) {
-		const secret = this.configService.get<string>("JWT_SECRET");
-		if (!secret) {
-			this.logger.warn(
-				"JWT_SECRET is not defined, using a default insecure secret for development",
-			);
-		}
-		this.jwtSecret = new TextEncoder().encode(
-			secret || "default-secret-change-me-in-production",
-		);
-
-		const encKey = this.configService.get<string>("ENCRYPTION_KEY");
-		if (!encKey) {
-			this.logger.warn(
-				"ENCRYPTION_KEY is not defined, using a default insecure key for development",
-			);
-		}
-		// Pour AES-GCM 256, on a besoin de 32 octets (256 bits)
-		const rawKey = encKey || "default-encryption-key-32-chars-";
-		this.encryptionKey = new TextEncoder().encode(
-			rawKey.padEnd(32, "0").substring(0, 32),
-		);
-	}
-
-	// --- Blind Indexing (for search on encrypted data) ---
+	constructor(
+		private readonly hashingService: HashingService,
+		private readonly jwtService: JwtService,
+		private readonly encryptionService: EncryptionService,
+		private readonly postQuantumService: PostQuantumService,
+	) {}
 
 	async hashEmail(email: string): Promise<string> {
-		const normalizedEmail = email.toLowerCase().trim();
-		const data = new TextEncoder().encode(normalizedEmail);
-		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-		return Array.from(new Uint8Array(hashBuffer))
-			.map((b) => b.toString(16).padStart(2, "0"))
-			.join("");
+		return this.hashingService.hashEmail(email);
 	}
 
 	async hashIp(ip: string): Promise<string> {
-		const data = new TextEncoder().encode(ip);
-		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-		return Array.from(new Uint8Array(hashBuffer))
-			.map((b) => b.toString(16).padStart(2, "0"))
-			.join("");
+		return this.hashingService.hashIp(ip);
 	}
 
 	getPgpEncryptionKey(): string {
-		return (
-			this.configService.get<string>("PGP_ENCRYPTION_KEY") || "default-pgp-key"
-		);
+		return this.encryptionService.getPgpEncryptionKey();
 	}
 
-	// --- Argon2 Hashing ---
-
 	async hashPassword(password: string): Promise<string> {
-		return hash(password, {
-			algorithm: 2,
-		});
+		return this.hashingService.hashPassword(password);
 	}
 
 	async verifyPassword(password: string, hash: string): Promise<boolean> {
-		return verify(hash, password);
+		return this.hashingService.verifyPassword(password, hash);
 	}
 
-	// --- JWT Operations via jose ---
-
 	async generateJwt(
 		payload: jose.JWTPayload,
 		expiresIn = "2h",
 	): Promise<string> {
-		return new jose.SignJWT(payload)
-			.setProtectedHeader({ alg: "HS256" })
-			.setIssuedAt()
-			.setExpirationTime(expiresIn)
-			.sign(this.jwtSecret);
+		return this.jwtService.generateJwt(payload, expiresIn);
 	}
 
 	async verifyJwt<T extends jose.JWTPayload>(token: string): Promise<T> {
-		const { payload } = await jose.jwtVerify(token, this.jwtSecret);
-		return payload as T;
+		return this.jwtService.verifyJwt<T>(token);
 	}
 
-	// --- Encryption & Decryption (JWE) ---
-
-	/**
-	 * Chiffre un contenu textuel en utilisant JWE (Compact Serialization)
-	 * Algorithme: A256GCMKW pour la gestion des clés, A256GCM pour le chiffrement de contenu
-	 */
 	async encryptContent(content: string): Promise<string> {
-		const data = new TextEncoder().encode(content);
-		return new jose.CompactEncrypt(data)
-			.setProtectedHeader({ alg: "dir", enc: "A256GCM" })
-			.encrypt(this.encryptionKey);
+		return this.encryptionService.encryptContent(content);
 	}
 
-	/**
-	 * Déchiffre un contenu JWE
-	 */
 	async decryptContent(jwe: string): Promise<string> {
-		const { plaintext } = await jose.compactDecrypt(jwe, this.encryptionKey);
-		return new TextDecoder().decode(plaintext);
+		return this.encryptionService.decryptContent(jwe);
 	}
 
-	// --- Signature & Verification (JWS) ---
-
-	/**
-	 * Signe un contenu textuel en utilisant JWS (Compact Serialization)
-	 * Algorithme: HS256 (HMAC-SHA256)
-	 */
 	async signContent(content: string): Promise<string> {
-		const data = new TextEncoder().encode(content);
-		return new jose.CompactSign(data)
-			.setProtectedHeader({ alg: "HS256" })
-			.sign(this.jwtSecret);
+		return this.encryptionService.signContent(content);
 	}
 
-	/**
-	 * Vérifie la signature JWS d'un contenu
-	 */
 	async verifyContentSignature(jws: string): Promise<string> {
-		const { payload } = await jose.compactVerify(jws, this.jwtSecret);
-		return new TextDecoder().decode(payload);
+		return this.encryptionService.verifyContentSignature(jws);
 	}
 
-	// --- Post-Quantum Cryptography via @noble/post-quantum ---
-	// Example: Kyber (ML-KEM) key encapsulation
-
 	generatePostQuantumKeyPair() {
-		const seed = new Uint8Array(64);
-		crypto.getRandomValues(seed);
-		const { publicKey, secretKey } = ml_kem768.keygen(seed);
-		return { publicKey, secretKey };
+		return this.postQuantumService.generatePostQuantumKeyPair();
 	}
 
 	encapsulate(publicKey: Uint8Array) {
-		return ml_kem768.encapsulate(publicKey);
+		return this.postQuantumService.encapsulate(publicKey);
 	}
 
 	decapsulate(cipherText: Uint8Array, secretKey: Uint8Array) {
-		return ml_kem768.decapsulate(cipherText, secretKey);
+		return this.postQuantumService.decapsulate(cipherText, secretKey);
 	}
 }

backend/src/crypto/services/encryption.service.ts

@@ -0,0 +1,58 @@
+import { Injectable, Logger } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import * as jose from "jose";
+
+@Injectable()
+export class EncryptionService {
+	private readonly logger = new Logger(EncryptionService.name);
+	private readonly jwtSecret: Uint8Array;
+	private readonly encryptionKey: Uint8Array;
+
+	constructor(private configService: ConfigService) {
+		const secret = this.configService.get<string>("JWT_SECRET");
+		this.jwtSecret = new TextEncoder().encode(
+			secret || "default-secret-change-me-in-production",
+		);
+
+		const encKey = this.configService.get<string>("ENCRYPTION_KEY");
+		if (!encKey) {
+			this.logger.warn(
+				"ENCRYPTION_KEY is not defined, using a default insecure key for development",
+			);
+		}
+		const rawKey = encKey || "default-encryption-key-32-chars-";
+		this.encryptionKey = new TextEncoder().encode(
+			rawKey.padEnd(32, "0").substring(0, 32),
+		);
+	}
+
+	async encryptContent(content: string): Promise<string> {
+		const data = new TextEncoder().encode(content);
+		return new jose.CompactEncrypt(data)
+			.setProtectedHeader({ alg: "dir", enc: "A256GCM" })
+			.encrypt(this.encryptionKey);
+	}
+
+	async decryptContent(jwe: string): Promise<string> {
+		const { plaintext } = await jose.compactDecrypt(jwe, this.encryptionKey);
+		return new TextDecoder().decode(plaintext);
+	}
+
+	async signContent(content: string): Promise<string> {
+		const data = new TextEncoder().encode(content);
+		return new jose.CompactSign(data)
+			.setProtectedHeader({ alg: "HS256" })
+			.sign(this.jwtSecret);
+	}
+
+	async verifyContentSignature(jws: string): Promise<string> {
+		const { payload } = await jose.compactVerify(jws, this.jwtSecret);
+		return new TextDecoder().decode(payload);
+	}
+
+	getPgpEncryptionKey(): string {
+		return (
+			this.configService.get<string>("PGP_ENCRYPTION_KEY") || "default-pgp-key"
+		);
+	}
+}

backend/src/crypto/services/hashing.service.ts

@@ -0,0 +1,32 @@
+import { Injectable } from "@nestjs/common";
+import { hash, verify } from "@node-rs/argon2";
+
+@Injectable()
+export class HashingService {
+	async hashEmail(email: string): Promise<string> {
+		const normalizedEmail = email.toLowerCase().trim();
+		return this.hashSha256(normalizedEmail);
+	}
+
+	async hashIp(ip: string): Promise<string> {
+		return this.hashSha256(ip);
+	}
+
+	async hashSha256(text: string): Promise<string> {
+		const data = new TextEncoder().encode(text);
+		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+		return Array.from(new Uint8Array(hashBuffer))
+			.map((b) => b.toString(16).padStart(2, "0"))
+			.join("");
+	}
+
+	async hashPassword(password: string): Promise<string> {
+		return hash(password, {
+			algorithm: 2,
+		});
+	}
+
+	async verifyPassword(password: string, hash: string): Promise<boolean> {
+		return verify(hash, password);
+	}
+}

backend/src/crypto/services/jwt.service.ts

@@ -0,0 +1,37 @@
+import { Injectable, Logger } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import * as jose from "jose";
+
+@Injectable()
+export class JwtService {
+	private readonly logger = new Logger(JwtService.name);
+	private readonly jwtSecret: Uint8Array;
+
+	constructor(private configService: ConfigService) {
+		const secret = this.configService.get<string>("JWT_SECRET");
+		if (!secret) {
+			this.logger.warn(
+				"JWT_SECRET is not defined, using a default insecure secret for development",
+			);
+		}
+		this.jwtSecret = new TextEncoder().encode(
+			secret || "default-secret-change-me-in-production",
+		);
+	}
+
+	async generateJwt(
+		payload: jose.JWTPayload,
+		expiresIn = "2h",
+	): Promise<string> {
+		return new jose.SignJWT(payload)
+			.setProtectedHeader({ alg: "HS256" })
+			.setIssuedAt()
+			.setExpirationTime(expiresIn)
+			.sign(this.jwtSecret);
+	}
+
+	async verifyJwt<T extends jose.JWTPayload>(token: string): Promise<T> {
+		const { payload } = await jose.jwtVerify(token, this.jwtSecret);
+		return payload as T;
+	}
+}

backend/src/crypto/services/post-quantum.service.ts

@@ -0,0 +1,20 @@
+import { Injectable } from "@nestjs/common";
+import { ml_kem768 } from "@noble/post-quantum/ml-kem.js";
+
+@Injectable()
+export class PostQuantumService {
+	generatePostQuantumKeyPair() {
+		const seed = new Uint8Array(64);
+		crypto.getRandomValues(seed);
+		const { publicKey, secretKey } = ml_kem768.keygen(seed);
+		return { publicKey, secretKey };
+	}
+
+	encapsulate(publicKey: Uint8Array) {
+		return ml_kem768.encapsulate(publicKey);
+	}
+
+	decapsulate(cipherText: Uint8Array, secretKey: Uint8Array) {
+		return ml_kem768.decapsulate(cipherText, secretKey);
+	}
+}

backend/src/database/database.module.ts

@@ -1,7 +1,8 @@
-import { Module } from "@nestjs/common";
+import { Global, Module } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { DatabaseService } from "./database.service";
 
+@Global()
 @Module({
 	imports: [ConfigModule],
 	providers: [DatabaseService],

backend/src/database/database.service.spec.ts

@@ -0,0 +1,67 @@
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "./database.service";
+
+jest.mock("pg", () => {
+	const mPool = {
+		connect: jest.fn(),
+		query: jest.fn(),
+		end: jest.fn(),
+		on: jest.fn(),
+	};
+	return { Pool: jest.fn(() => mPool) };
+});
+
+jest.mock("drizzle-orm/node-postgres", () => ({
+	drizzle: jest.fn().mockReturnValue({}),
+}));
+
+describe("DatabaseService", () => {
+	let service: DatabaseService;
+	let _configService: ConfigService;
+
+	const mockConfigService = {
+		get: jest.fn((key) => {
+			const config = {
+				POSTGRES_PASSWORD: "p",
+				POSTGRES_USER: "u",
+				POSTGRES_HOST: "h",
+				POSTGRES_PORT: "5432",
+				POSTGRES_DB: "db",
+				NODE_ENV: "development",
+			};
+			return config[key];
+		}),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				DatabaseService,
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		service = module.get<DatabaseService>(DatabaseService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should be defined", () => {
+		expect(service).toBeDefined();
+	});
+
+	describe("onModuleInit", () => {
+		it("should skip migrations in development", async () => {
+			await service.onModuleInit();
+			expect(mockConfigService.get).toHaveBeenCalledWith("NODE_ENV");
+		});
+	});
+
+	describe("onModuleDestroy", () => {
+		it("should close pool", async () => {
+			const pool = (service as any).pool;
+			await service.onModuleDestroy();
+			expect(pool.end).toHaveBeenCalled();
+		});
+	});
+});

backend/src/database/schemas/index.ts

@@ -3,9 +3,9 @@ export * from "./audit_logs";
 export * from "./categories";
 export * from "./content";
 export * from "./favorites";
+export * from "./pgp";
 export * from "./rbac";
 export * from "./reports";
 export * from "./sessions";
 export * from "./tags";
 export * from "./users";
-export * from "./pgp";

backend/src/database/schemas/pgp.ts

@@ -55,6 +55,9 @@ export function pgpSymEncrypt(value: string | SQL, key: string | SQL) {
 /**
  * @deprecated Utiliser directement les colonnes de type pgpEncrypted qui gèrent maintenant le déchiffrement automatiquement.
  */
-export function pgpSymDecrypt(column: AnyPgColumn, key: string | SQL): SQL<string> {
+export function pgpSymDecrypt(
+	column: AnyPgColumn,
+	key: string | SQL,
+): SQL<string> {
 	return sql`pgp_sym_decrypt(${column}, ${key})`.mapWith(column) as SQL<string>;
 }

backend/src/database/schemas/users.ts

@@ -1,4 +1,3 @@
-import { SQL, sql } from "drizzle-orm";
 import {
 	boolean,
 	index,
@@ -30,7 +29,9 @@ export const users = pgTable(
 		displayName: varchar("display_name", { length: 32 }),
 
 		username: varchar("username", { length: 32 }).notNull().unique(),
-		passwordHash: varchar("password_hash", { length: 72 }).notNull(),
+		passwordHash: varchar("password_hash", { length: 100 }).notNull(),
+		avatarUrl: varchar("avatar_url", { length: 512 }),
+		bio: varchar("bio", { length: 255 }),
 
 		// Sécurité
 		twoFactorSecret: pgpEncrypted("two_factor_secret"),

backend/src/favorites/favorites.controller.spec.ts

@@ -0,0 +1,82 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { FavoritesController } from "./favorites.controller";
+import { FavoritesService } from "./favorites.service";
+
+describe("FavoritesController", () => {
+	let controller: FavoritesController;
+	let service: FavoritesService;
+
+	const mockFavoritesService = {
+		addFavorite: jest.fn(),
+		removeFavorite: jest.fn(),
+		getUserFavorites: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [FavoritesController],
+			providers: [{ provide: FavoritesService, useValue: mockFavoritesService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<FavoritesController>(FavoritesController);
+		service = module.get<FavoritesService>(FavoritesService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("add", () => {
+		it("should call service.addFavorite", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.add(req, "content-1");
+			expect(service.addFavorite).toHaveBeenCalledWith("user-uuid", "content-1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.removeFavorite", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.remove(req, "content-1");
+			expect(service.removeFavorite).toHaveBeenCalledWith(
+				"user-uuid",
+				"content-1",
+			);
+		});
+	});
+
+	describe("list", () => {
+		it("should call service.getUserFavorites", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.list(req, 10, 0);
+			expect(service.getUserFavorites).toHaveBeenCalledWith("user-uuid", 10, 0);
+		});
+	});
+});

backend/src/favorites/favorites.module.ts

@@ -1,12 +1,13 @@
 import { Module } from "@nestjs/common";
-import { DatabaseModule } from "../database/database.module";
+import { AuthModule } from "../auth/auth.module";
 import { FavoritesController } from "./favorites.controller";
 import { FavoritesService } from "./favorites.service";
+import { FavoritesRepository } from "./repositories/favorites.repository";
 
 @Module({
-	imports: [DatabaseModule],
+	imports: [AuthModule],
 	controllers: [FavoritesController],
-	providers: [FavoritesService],
-	exports: [FavoritesService],
+	providers: [FavoritesService, FavoritesRepository],
+	exports: [FavoritesService, FavoritesRepository],
 })
 export class FavoritesModule {}

backend/src/favorites/favorites.service.spec.ts

@@ -1,54 +1,31 @@
 import { ConflictException, NotFoundException } from "@nestjs/common";
 import { Test, TestingModule } from "@nestjs/testing";
-import { DatabaseService } from "../database/database.service";
 import { FavoritesService } from "./favorites.service";
+import { FavoritesRepository } from "./repositories/favorites.repository";
 
 describe("FavoritesService", () => {
 	let service: FavoritesService;
+	let repository: FavoritesRepository;
 
-	const mockDb = {
-		select: jest.fn(),
-		from: jest.fn(),
-		where: jest.fn(),
-		limit: jest.fn(),
-		offset: jest.fn(),
-		innerJoin: jest.fn(),
-		insert: jest.fn(),
-		values: jest.fn(),
-		delete: jest.fn(),
-		returning: jest.fn(),
+	const mockFavoritesRepository = {
+		findContentById: jest.fn(),
+		add: jest.fn(),
+		remove: jest.fn(),
+		findByUserId: jest.fn(),
 	};
 
 	beforeEach(async () => {
 		jest.clearAllMocks();
 
-		const chain = {
-			select: jest.fn().mockReturnThis(),
-			from: jest.fn().mockReturnThis(),
-			where: jest.fn().mockReturnThis(),
-			limit: jest.fn().mockReturnThis(),
-			offset: jest.fn().mockReturnThis(),
-			innerJoin: jest.fn().mockReturnThis(),
-			insert: jest.fn().mockReturnThis(),
-			values: jest.fn().mockReturnThis(),
-			delete: jest.fn().mockReturnThis(),
-			returning: jest.fn().mockReturnThis(),
-		};
-
-		const mockImplementation = () => Object.assign(Promise.resolve([]), chain);
-		for (const mock of Object.values(chain)) {
-			mock.mockImplementation(mockImplementation);
-		}
-		Object.assign(mockDb, chain);
-
 		const module: TestingModule = await Test.createTestingModule({
 			providers: [
 				FavoritesService,
-				{ provide: DatabaseService, useValue: { db: mockDb } },
+				{ provide: FavoritesRepository, useValue: mockFavoritesRepository },
 			],
 		}).compile();
 
 		service = module.get<FavoritesService>(FavoritesService);
+		repository = module.get<FavoritesRepository>(FavoritesRepository);
 	});
 
 	it("should be defined", () => {
@@ -57,26 +34,31 @@ describe("FavoritesService", () => {
 
 	describe("addFavorite", () => {
 		it("should add a favorite", async () => {
-			mockDb.limit.mockResolvedValue([{ id: "content1" }]);
-			mockDb.returning.mockResolvedValue([
+			mockFavoritesRepository.findContentById.mockResolvedValue({
+				id: "content1",
+			});
+			mockFavoritesRepository.add.mockResolvedValue([
 				{ userId: "u1", contentId: "content1" },
 			]);
 
 			const result = await service.addFavorite("u1", "content1");
 
 			expect(result).toEqual([{ userId: "u1", contentId: "content1" }]);
+			expect(repository.add).toHaveBeenCalledWith("u1", "content1");
 		});
 
 		it("should throw NotFoundException if content does not exist", async () => {
-			mockDb.limit.mockResolvedValue([]);
+			mockFavoritesRepository.findContentById.mockResolvedValue(null);
 			await expect(service.addFavorite("u1", "invalid")).rejects.toThrow(
 				NotFoundException,
 			);
 		});
 
 		it("should throw ConflictException on duplicate favorite", async () => {
-			mockDb.limit.mockResolvedValue([{ id: "content1" }]);
-			mockDb.returning.mockRejectedValue(new Error("Duplicate"));
+			mockFavoritesRepository.findContentById.mockResolvedValue({
+				id: "content1",
+			});
+			mockFavoritesRepository.add.mockRejectedValue(new Error("Duplicate"));
 			await expect(service.addFavorite("u1", "content1")).rejects.toThrow(
 				ConflictException,
 			);
@@ -85,13 +67,16 @@ describe("FavoritesService", () => {
 
 	describe("removeFavorite", () => {
 		it("should remove a favorite", async () => {
-			mockDb.returning.mockResolvedValue([{ userId: "u1", contentId: "c1" }]);
+			mockFavoritesRepository.remove.mockResolvedValue([
+				{ userId: "u1", contentId: "c1" },
+			]);
 			const result = await service.removeFavorite("u1", "c1");
 			expect(result).toEqual({ userId: "u1", contentId: "c1" });
+			expect(repository.remove).toHaveBeenCalledWith("u1", "c1");
 		});
 
 		it("should throw NotFoundException if favorite not found", async () => {
-			mockDb.returning.mockResolvedValue([]);
+			mockFavoritesRepository.remove.mockResolvedValue([]);
 			await expect(service.removeFavorite("u1", "c1")).rejects.toThrow(
 				NotFoundException,
 			);

backend/src/favorites/favorites.service.ts

@@ -4,46 +4,32 @@ import {
 	Logger,
 	NotFoundException,
 } from "@nestjs/common";
-import { and, eq } from "drizzle-orm";
-import { DatabaseService } from "../database/database.service";
-import { contents, favorites } from "../database/schemas";
+import { FavoritesRepository } from "./repositories/favorites.repository";
 
 @Injectable()
 export class FavoritesService {
 	private readonly logger = new Logger(FavoritesService.name);
 
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(private readonly favoritesRepository: FavoritesRepository) {}
 
 	async addFavorite(userId: string, contentId: string) {
 		this.logger.log(`Adding favorite: user ${userId}, content ${contentId}`);
-		// Vérifier si le contenu existe
-		const content = await this.databaseService.db
-			.select()
-			.from(contents)
-			.where(eq(contents.id, contentId))
-			.limit(1);
 
-		if (content.length === 0) {
+		const content = await this.favoritesRepository.findContentById(contentId);
+		if (!content) {
 			throw new NotFoundException("Content not found");
 		}
 
 		try {
-			return await this.databaseService.db
-				.insert(favorites)
-				.values({ userId, contentId })
-				.returning();
+			return await this.favoritesRepository.add(userId, contentId);
 		} catch (_error) {
-			// Probablement une violation de clé primaire (déjà en favori)
 			throw new ConflictException("Content already in favorites");
 		}
 	}
 
 	async removeFavorite(userId: string, contentId: string) {
 		this.logger.log(`Removing favorite: user ${userId}, content ${contentId}`);
-		const result = await this.databaseService.db
-			.delete(favorites)
-			.where(and(eq(favorites.userId, userId), eq(favorites.contentId, contentId)))
-			.returning();
+		const result = await this.favoritesRepository.remove(userId, contentId);
 
 		if (result.length === 0) {
 			throw new NotFoundException("Favorite not found");
@@ -53,16 +39,6 @@ export class FavoritesService {
 	}
 
 	async getUserFavorites(userId: string, limit: number, offset: number) {
-		const data = await this.databaseService.db
-			.select({
-				content: contents,
-			})
-			.from(favorites)
-			.innerJoin(contents, eq(favorites.contentId, contents.id))
-			.where(eq(favorites.userId, userId))
-			.limit(limit)
-			.offset(offset);
-
-		return data.map((item) => item.content);
+		return await this.favoritesRepository.findByUserId(userId, limit, offset);
 	}
 }

backend/src/favorites/repositories/favorites.repository.spec.ts

@@ -0,0 +1,72 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { FavoritesRepository } from "./favorites.repository";
+
+describe("FavoritesRepository", () => {
+	let repository: FavoritesRepository;
+
+	const mockDb = {
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		innerJoin: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		offset: jest.fn().mockReturnThis(),
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				FavoritesRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<FavoritesRepository>(FavoritesRepository);
+	});
+
+	it("should find content by id", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findContentById("1");
+		expect(result.id).toBe("1");
+	});
+
+	it("should add favorite", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([
+			{ userId: "u", contentId: "c" },
+		]);
+		await repository.add("u", "c");
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should remove favorite", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.remove("u", "c");
+		expect(mockDb.delete).toHaveBeenCalled();
+	});
+
+	it("should find by user id", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ content: { id: "c1" } }]);
+		const result = await repository.findByUserId("u1", 10, 0);
+		expect(result).toHaveLength(1);
+		expect(result[0].id).toBe("c1");
+	});
+});

backend/src/favorites/repositories/favorites.repository.ts

@@ -0,0 +1,46 @@
+import { Injectable } from "@nestjs/common";
+import { and, eq } from "drizzle-orm";
+import { DatabaseService } from "../../database/database.service";
+import { contents, favorites } from "../../database/schemas";
+
+@Injectable()
+export class FavoritesRepository {
+	constructor(private readonly databaseService: DatabaseService) {}
+
+	async findContentById(contentId: string) {
+		const result = await this.databaseService.db
+			.select()
+			.from(contents)
+			.where(eq(contents.id, contentId))
+			.limit(1);
+		return result[0] || null;
+	}
+
+	async add(userId: string, contentId: string) {
+		return await this.databaseService.db
+			.insert(favorites)
+			.values({ userId, contentId })
+			.returning();
+	}
+
+	async remove(userId: string, contentId: string) {
+		return await this.databaseService.db
+			.delete(favorites)
+			.where(and(eq(favorites.userId, userId), eq(favorites.contentId, contentId)))
+			.returning();
+	}
+
+	async findByUserId(userId: string, limit: number, offset: number) {
+		const data = await this.databaseService.db
+			.select({
+				content: contents,
+			})
+			.from(favorites)
+			.innerJoin(contents, eq(favorites.contentId, contents.id))
+			.where(eq(favorites.userId, userId))
+			.limit(limit)
+			.offset(offset);
+
+		return data.map((item) => item.content);
+	}
+}

backend/src/health.controller.spec.ts

@@ -1,3 +1,4 @@
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Test, TestingModule } from "@nestjs/testing";
 import { DatabaseService } from "./database/database.service";
 import { HealthController } from "./health.controller";
@@ -9,6 +10,10 @@ describe("HealthController", () => {
 		execute: jest.fn().mockResolvedValue([]),
 	};
 
+	const mockCacheManager = {
+		set: jest.fn().mockResolvedValue(undefined),
+	};
+
 	beforeEach(async () => {
 		const module: TestingModule = await Test.createTestingModule({
 			controllers: [HealthController],
@@ -19,24 +24,42 @@ describe("HealthController", () => {
 						db: mockDb,
 					},
 				},
+				{
+					provide: CACHE_MANAGER,
+					useValue: mockCacheManager,
+				},
 			],
 		}).compile();
 
 		controller = module.get<HealthController>(HealthController);
 	});
 
-	it("should return ok if database is connected", async () => {
+	it("should return ok if database and redis are connected", async () => {
 		mockDb.execute.mockResolvedValue([]);
+		mockCacheManager.set.mockResolvedValue(undefined);
 		const result = await controller.check();
 		expect(result.status).toBe("ok");
 		expect(result.database).toBe("connected");
+		expect(result.redis).toBe("connected");
 	});
 
 	it("should return error if database is disconnected", async () => {
 		mockDb.execute.mockRejectedValue(new Error("DB Error"));
+		mockCacheManager.set.mockResolvedValue(undefined);
 		const result = await controller.check();
 		expect(result.status).toBe("error");
 		expect(result.database).toBe("disconnected");
-		expect(result.message).toBe("DB Error");
+		expect(result.databaseError).toBe("DB Error");
+		expect(result.redis).toBe("connected");
+	});
+
+	it("should return error if redis is disconnected", async () => {
+		mockDb.execute.mockResolvedValue([]);
+		mockCacheManager.set.mockRejectedValue(new Error("Redis Error"));
+		const result = await controller.check();
+		expect(result.status).toBe("error");
+		expect(result.database).toBe("connected");
+		expect(result.redis).toBe("disconnected");
+		expect(result.redisError).toBe("Redis Error");
 	});
 });

backend/src/health.controller.ts

@@ -1,28 +1,44 @@
-import { Controller, Get } from "@nestjs/common";
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Controller, Get, Inject } from "@nestjs/common";
+import type { Cache } from "cache-manager";
 import { sql } from "drizzle-orm";
 import { DatabaseService } from "./database/database.service";
 
 @Controller("health")
 export class HealthController {
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(
+		private readonly databaseService: DatabaseService,
+		@Inject(CACHE_MANAGER) private cacheManager: Cache,
+	) {}
 
 	@Get()
 	async check() {
+		const health: any = {
+			status: "ok",
+			timestamp: new Date().toISOString(),
+		};
+
 		try {
 			// Check database connection
 			await this.databaseService.db.execute(sql`SELECT 1`);
-			return {
-				status: "ok",
-				database: "connected",
-				timestamp: new Date().toISOString(),
-			};
+			health.database = "connected";
 		} catch (error) {
-			return {
-				status: "error",
-				database: "disconnected",
-				message: error.message,
-				timestamp: new Date().toISOString(),
-			};
+			health.status = "error";
+			health.database = "disconnected";
+			health.databaseError = error.message;
 		}
+
+		try {
+			// Check Redis connection via cache-manager
+			// We try to set a temporary key to verify the connection
+			await this.cacheManager.set("health-check", "ok", 1000);
+			health.redis = "connected";
+		} catch (error) {
+			health.status = "error";
+			health.redis = "disconnected";
+			health.redisError = error.message;
+		}
+
+		return health;
 	}
 }

backend/src/mail/mail.service.ts

@@ -1,9 +1,10 @@
 import { Injectable, Logger } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { MailerService } from "@nestjs-modules/mailer";
+import type { IMailService } from "../common/interfaces/mail.interface";
 
 @Injectable()
-export class MailService {
+export class MailService implements IMailService {
 	private readonly logger = new Logger(MailService.name);
 	private readonly domain: string;
 

backend/src/main.ts

@@ -24,14 +24,31 @@ async function bootstrap() {
 	}
 
 	// Sécurité
-	app.use(helmet());
-	app.enableCors({
-		origin:
-			configService.get("NODE_ENV") === "production"
-				? [configService.get("DOMAIN_NAME") as string]
-				: true,
-		credentials: true,
-	});
+	app.use(
+		helmet({
+			crossOriginResourcePolicy: { policy: "cross-origin" },
+		}),
+	);
+	const corsEnabled = Boolean(configService.get<boolean>("ENABLE_CORS"));
+	if (corsEnabled) {
+		const domainName = configService.get<string>("CORS_DOMAIN_NAME");
+		app.enableCors({
+			origin: (origin, callback) => {
+				if (!origin || domainName === "*") {
+					callback(null, true);
+					return;
+				}
+
+				const allowedOrigins = domainName?.split(",").map((o) => o.trim()) || [];
+				if (allowedOrigins.includes(origin)) {
+					callback(null, true);
+				} else {
+					callback(null, false);
+				}
+			},
+			credentials: true,
+		});
+	}
 
 	// Validation Globale
 	app.useGlobalPipes(
@@ -49,4 +66,4 @@ async function bootstrap() {
 	await app.listen(port);
 	logger.log(`Application is running on: http://localhost:${port}`);
 }
-bootstrap();
+bootstrap().then();

backend/src/media/media.controller.spec.ts

@@ -0,0 +1,66 @@
+import { Readable } from "node:stream";
+import { NotFoundException } from "@nestjs/common";
+import { Test, TestingModule } from "@nestjs/testing";
+import type { Response } from "express";
+import { S3Service } from "../s3/s3.service";
+import { MediaController } from "./media.controller";
+
+describe("MediaController", () => {
+	let controller: MediaController;
+
+	const mockS3Service = {
+		getFileInfo: jest.fn(),
+		getFile: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [MediaController],
+			providers: [{ provide: S3Service, useValue: mockS3Service }],
+		}).compile();
+
+		controller = module.get<MediaController>(MediaController);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("getFile", () => {
+		it("should stream the file and set headers with path containing slashes", async () => {
+			const res = {
+				setHeader: jest.fn(),
+			} as unknown as Response;
+			const stream = new Readable();
+			stream.pipe = jest.fn();
+			const key = "contents/user-id/test.webp";
+
+			mockS3Service.getFileInfo.mockResolvedValue({
+				size: 100,
+				metaData: { "content-type": "image/webp" },
+			});
+			mockS3Service.getFile.mockResolvedValue(stream);
+
+			await controller.getFile(key, res);
+
+			expect(mockS3Service.getFileInfo).toHaveBeenCalledWith(key);
+			expect(res.setHeader).toHaveBeenCalledWith("Content-Type", "image/webp");
+			expect(res.setHeader).toHaveBeenCalledWith("Content-Length", 100);
+			expect(stream.pipe).toHaveBeenCalledWith(res);
+		});
+
+		it("should throw NotFoundException if path is missing", async () => {
+			const res = {} as unknown as Response;
+			await expect(controller.getFile("", res)).rejects.toThrow(NotFoundException);
+		});
+
+		it("should throw NotFoundException if file is not found", async () => {
+			mockS3Service.getFileInfo.mockRejectedValue(new Error("Not found"));
+			const res = {} as unknown as Response;
+
+			await expect(controller.getFile("invalid", res)).rejects.toThrow(
+				NotFoundException,
+			);
+		});
+	});
+});