oh-my-ai/nestjs

NestJS architecture, dependency injection, validation, security, errors, testing, persistence, APIs, microservices, and deployment patterns with prioritized rule tiers and companion rule files.


evals/scenario-2/task.md

Secure Authentication System for a SaaS Platform

Problem/Feature Description

A B2B SaaS company is building a new platform and needs a complete authentication system. Currently, the team is using hard-coded credentials in the codebase and returning full database user records directly to API consumers. The security team has flagged both issues and requested a proper implementation before the platform goes live.

The platform requires users to log in with email and password, receive tokens they can use for subsequent API calls, and be able to refresh their session without re-entering their password. When a user changes their password or logs out, all existing sessions should be invalidated. The system also needs to protect against brute-force attacks on the login endpoint.

The engineering lead wants the authentication module implemented as a self-contained NestJS module that can be imported by other feature modules. The system must be deployable across staging and production environments with different secrets, and configuration errors should be caught at application startup rather than at runtime.

Output Specification

Produce TypeScript source files for a NestJS authentication module. The implementation should include:

  • Module registration files (the auth module and its dependencies)
  • A strategy file for token validation
  • Service files handling login, token issuance, and session refresh
  • Controller handling the HTTP endpoints (login, refresh, logout)
  • DTO files for request bodies
  • A guard file that can be applied to protected routes
  • A main.ts snippet or separate file showing application bootstrap configuration
  • An auth.config.ts (or similar) showing the configuration namespace/schema

Name your output files following NestJS conventions and place them under src/auth/. Include a brief IMPLEMENTATION_NOTES.md summarizing key security decisions made during implementation.
