feat: SaaS onboarding, Stripe billing, MFA, SSO, passkeys, refresh tokens

Complete SaaS self-service onboarding sprint:

- Stripe-powered signup flow: pricing page → checkout → provisioning → activation
- Refresh token infrastructure: 1h access tokens + 30-day httpOnly cookie refresh
- TOTP MFA with QR setup, recovery codes, and login challenge flow
- Google + Azure AD SSO (conditional on env vars) with account linking
- WebAuthn passkey registration and passwordless login
- Guided onboarding checklist with server-side progress tracking
- Stubbed email service (console + DB logging, ready for real provider)
- Settings page with tabbed security settings (MFA, passkeys, linked accounts)
- Login page enhanced with MFA verification, SSO buttons, passkey login
- Database migration 015 with all new tables and columns
- Version bump to 2026.03.17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/modules/auth/auth.service.ts

@@ -4,21 +4,33 @@ import {
   ConflictException,
   ForbiddenException,
   NotFoundException,
+  BadRequestException,
+  Logger,
 } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
 import { DataSource } from 'typeorm';
 import * as bcrypt from 'bcryptjs';
+import { createHash } from 'crypto';
 import { UsersService } from '../users/users.service';
 import { RegisterDto } from './dto/register.dto';
 import { User } from '../users/entities/user.entity';
+import { RefreshTokenService } from './refresh-token.service';
 
 @Injectable()
 export class AuthService {
+  private readonly logger = new Logger(AuthService.name);
+  private readonly inviteSecret: string;
+
   constructor(
     private usersService: UsersService,
     private jwtService: JwtService,
+    private configService: ConfigService,
     private dataSource: DataSource,
-  ) {}
+    private refreshTokenService: RefreshTokenService,
+  ) {
+    this.inviteSecret = this.configService.get<string>('INVITE_TOKEN_SECRET') || 'dev-invite-secret';
+  }
 
   async register(dto: RegisterDto) {
     const existing = await this.usersService.findByEmail(dto.email);
@@ -72,9 +84,27 @@ export class AuthService {
     // Record login in history (org_id is null at initial login)
     this.recordLoginHistory(user.id, null, ipAddress, userAgent).catch(() => {});
 
+    // If MFA is enabled, return a challenge token instead of full session
+    if (u.mfaEnabled && u.mfaSecret) {
+      const mfaToken = this.jwtService.sign(
+        { sub: u.id, type: 'mfa_challenge' },
+        { expiresIn: '5m' },
+      );
+      return { mfaRequired: true, mfaToken };
+    }
+
     return this.generateTokenResponse(u);
   }
 
+  /**
+   * Complete login after MFA verification — generate full session tokens.
+   */
+  async completeMfaLogin(userId: string): Promise<any> {
+    const user = await this.usersService.findByIdWithOrgs(userId);
+    if (!user) throw new UnauthorizedException('User not found');
+    return this.generateTokenResponse(user);
+  }
+
   async getProfile(userId: string) {
     const user = await this.usersService.findByIdWithOrgs(userId);
     if (!user) {
@@ -85,6 +115,7 @@ export class AuthService {
       email: user.email,
       firstName: user.firstName,
       lastName: user.lastName,
+      mfaEnabled: user.mfaEnabled || false,
       organizations: user.userOrganizations?.map((uo) => ({
         id: uo.organization.id,
         name: uo.organization.name,
@@ -124,8 +155,12 @@ export class AuthService {
     // Record org switch in login history
     this.recordLoginHistory(userId, organizationId, ipAddress, userAgent).catch(() => {});
 
+    // Generate new refresh token for org switch
+    const refreshToken = await this.refreshTokenService.createRefreshToken(user.id);
+
     return {
       accessToken: this.jwtService.sign(payload),
+      refreshToken,
       organization: {
         id: membership.organization.id,
         name: membership.organization.name,
@@ -135,10 +170,145 @@ export class AuthService {
     };
   }
 
+  /**
+   * Refresh an access token using a valid refresh token.
+   */
+  async refreshAccessToken(rawRefreshToken: string) {
+    const userId = await this.refreshTokenService.validateRefreshToken(rawRefreshToken);
+    if (!userId) {
+      throw new UnauthorizedException('Invalid or expired refresh token');
+    }
+
+    const user = await this.usersService.findByIdWithOrgs(userId);
+    if (!user) {
+      throw new UnauthorizedException('User not found');
+    }
+
+    // Generate a new access token (keep same org context if available)
+    const orgs = (user.userOrganizations || []).filter(
+      (uo) => !uo.organization?.status || !['suspended', 'archived'].includes(uo.organization.status),
+    );
+    const defaultOrg = orgs[0];
+
+    const payload: Record<string, any> = {
+      sub: user.id,
+      email: user.email,
+      isSuperadmin: user.isSuperadmin || false,
+    };
+
+    if (defaultOrg) {
+      payload.orgId = defaultOrg.organizationId;
+      payload.role = defaultOrg.role;
+    }
+
+    return {
+      accessToken: this.jwtService.sign(payload),
+    };
+  }
+
+  /**
+   * Logout: revoke the refresh token.
+   */
+  async logout(rawRefreshToken: string): Promise<void> {
+    if (rawRefreshToken) {
+      await this.refreshTokenService.revokeToken(rawRefreshToken);
+    }
+  }
+
+  /**
+   * Logout everywhere: revoke all refresh tokens for a user.
+   */
+  async logoutEverywhere(userId: string): Promise<void> {
+    await this.refreshTokenService.revokeAllUserTokens(userId);
+  }
+
   async markIntroSeen(userId: string): Promise<void> {
     await this.usersService.markIntroSeen(userId);
   }
 
+  // ─── Invite Token (Activation) Methods ──────────────────────────────
+
+  /**
+   * Validate an invite/activation token.
+   */
+  async validateInviteToken(token: string) {
+    try {
+      const payload = this.jwtService.verify(token, { secret: this.inviteSecret });
+      if (payload.type !== 'invite') throw new Error('Not an invite token');
+
+      const tokenHash = createHash('sha256').update(token).digest('hex');
+      const rows = await this.dataSource.query(
+        `SELECT it.*, o.name as org_name FROM shared.invite_tokens it
+         JOIN shared.organizations o ON o.id = it.organization_id
+         WHERE it.token_hash = $1`,
+        [tokenHash],
+      );
+
+      if (rows.length === 0) throw new Error('Token not found');
+      const row = rows[0];
+      if (row.used_at) throw new BadRequestException('This activation link has already been used');
+      if (new Date(row.expires_at) < new Date()) throw new BadRequestException('This activation link has expired');
+
+      return { valid: true, email: payload.email, orgName: row.org_name, orgId: payload.orgId, userId: payload.userId };
+    } catch (err) {
+      if (err instanceof BadRequestException) throw err;
+      throw new BadRequestException('Invalid or expired activation link');
+    }
+  }
+
+  /**
+   * Activate a user from an invite token (set password, activate, issue session).
+   */
+  async activateUser(token: string, password: string, fullName: string) {
+    const info = await this.validateInviteToken(token);
+
+    const passwordHash = await bcrypt.hash(password, 12);
+    const [firstName, ...rest] = fullName.trim().split(' ');
+    const lastName = rest.join(' ') || '';
+
+    // Update user record
+    await this.dataSource.query(
+      `UPDATE shared.users SET password_hash = $1, first_name = $2, last_name = $3,
+       is_email_verified = true, updated_at = NOW()
+       WHERE id = $4`,
+      [passwordHash, firstName, lastName, info.userId],
+    );
+
+    // Mark invite token as used
+    const tokenHash = createHash('sha256').update(token).digest('hex');
+    await this.dataSource.query(
+      `UPDATE shared.invite_tokens SET used_at = NOW() WHERE token_hash = $1`,
+      [tokenHash],
+    );
+
+    // Issue session
+    const user = await this.usersService.findByIdWithOrgs(info.userId);
+    if (!user) throw new NotFoundException('User not found after activation');
+
+    return this.generateTokenResponse(user);
+  }
+
+  /**
+   * Generate a signed invite token for a user/org pair.
+   */
+  async generateInviteToken(userId: string, orgId: string, email: string): Promise<string> {
+    const token = this.jwtService.sign(
+      { type: 'invite', userId, orgId, email },
+      { secret: this.inviteSecret, expiresIn: '72h' },
+    );
+
+    const tokenHash = createHash('sha256').update(token).digest('hex');
+    const expiresAt = new Date(Date.now() + 72 * 60 * 60 * 1000);
+
+    await this.dataSource.query(
+      `INSERT INTO shared.invite_tokens (organization_id, user_id, token_hash, expires_at)
+       VALUES ($1, $2, $3, $4)`,
+      [orgId, userId, tokenHash, expiresAt],
+    );
+
+    return token;
+  }
+
   private async recordLoginHistory(
     userId: string,
     organizationId: string | null,
@@ -156,7 +326,7 @@ export class AuthService {
     }
   }
 
-  private generateTokenResponse(user: User, impersonatedBy?: string) {
+  async generateTokenResponse(user: User, impersonatedBy?: string) {
     const allOrgs = user.userOrganizations || [];
     // Filter out suspended/archived organizations
     const orgs = allOrgs.filter(
@@ -179,8 +349,12 @@ export class AuthService {
       payload.role = defaultOrg.role;
     }
 
+    // Create refresh token
+    const refreshToken = await this.refreshTokenService.createRefreshToken(user.id);
+
     return {
       accessToken: this.jwtService.sign(payload),
+      refreshToken,
       user: {
         id: user.id,
         email: user.email,
@@ -189,6 +363,7 @@ export class AuthService {
         isSuperadmin: user.isSuperadmin || false,
         isPlatformOwner: user.isPlatformOwner || false,
         hasSeenIntro: user.hasSeenIntro || false,
+        mfaEnabled: user.mfaEnabled || false,
       },
       organizations: orgs.map((uo) => ({
         id: uo.organizationId,