Complete Authentication System with JWT, Refresh Tokens, and RBAC

Implement a complete authentication and authorization system for [PROJECT NAME], built with [NODE.JS/PYTHON] and [FRAMEWORK: NestJS/Fastify/FastAPI/Django].\\\\\\\\n\\\\\\\\n**Requirements:**\\\\\\\\n- Login methods: [EMAIL+PASSWORD, GOOGLE OAUTH, MAGIC LINK]\\\\\\\\n- Roles: [LIST ROLES WITH PERMISSIONS]\\\\\\\\n- Multi-tenant: [YES/NO] — each workspace has its own members\\\\\\\\n- Simultaneous sessions: [YES/NO] — multiple devices\\\\\\\\n\\\\\\\\n**1) JWT Authentication Flow:**\\\\\\\\n- Access token: [15 MINUTES] duration, minimal payload (userId, role, tenantId)\\\\\\\\n- Refresh token: [7 DAYS] duration, rotation on each use (RTR)\\\\\\\\n- Token storage: httpOnly cookies (not localStorage)\\\\\\\\n- Silent renewal flow (frontend interceptor)\\\\\\\\n- Revoked refresh token blacklist (Redis)\\\\\\\\n\\\\\\\\n**2) Registration and Onboarding:**\\\\\\\\n- Signup with email validation (confirmation token)\\\\\\\\n- Password strength verification (zxcvbn)\\\\\\\\n- Rate limiting on auth endpoints (5 attempts/15min)\\\\\\\\n- Email member invitations with temporary token\\\\\\\\n\\\\\\\\n**3) OAuth 2.0 (Google):**\\\\\\\\n- Authorization Code flow with PKCE\\\\\\\\n- Linking OAuth account with existing account\\\\\\\\n- First login: auto-create account\\\\\\\\n- Minimum required scopes\\\\\\\\n\\\\\\\\n**4) RBAC (Role-Based Access Control):**\\\\\\\\n- Permission table: \\\\\\\\\\\\\\\\\\\\\\\`role → resource → action (create/read/update/delete)\\\\\\\\\\\\\\\\\\\\\\\`\\\\\\\\n- Reusable authorization middleware\\\\\\\\n- Per-endpoint guard/decorator: \\\\\\\\\\\\\\\\\\\\\\\`@Roles('admin', 'editor')\\\\\\\\\\\\\\\\\\\\\\\`\\\\\\\\n- Resource-level permissions (e.g., can only edit own posts)\\\\\\\\n- 403 response with actionable message\\\\\\\\n\\\\\\\\n**5) Security:**\\\\\\\\n- CSRF protection (SameSite cookies + token)\\\\\\\\n- Brute force protection (progressive delays)\\\\\\\\n- Account lockout after [NUMBER] attempts\\\\\\\\n- Login audit (IP, device, geolocation)\\\\\\\\n- Logout from all devices\\\\\\\\n- Secure password reset (single-use token, expires in 1h)\\\\\\\\n\\\\\\\\n**6) Complete Code:**\\\\\\\\n- Database models/schemas\\\\\\\\n- Authentication and authorization middleware\\\\\\\\n- Auth controllers/routes (register, login, refresh, logout, reset-password)\\\\\\\\n- Unit and integration tests for each flow\\\\\\\\n\\\\\\\\nUse [BCRYPT/ARGON2] for password hashing. Consider LGPD compliance.