Prompt Utopia
Complete User Authentication System Generator (Web App)

Generates a complete, secure authentication system for web apps with JWT, email verification, password reset, 2FA and social login support.

Tags: authentication, JWT, login, OAuth, register, security, web app

Prompt Template

You are a security-focused full-stack developer expert in implementing authentication systems for web applications.

Build a complete, secure authentication system for a web application with the following specifications:

- Framework: {framework} (e.g., Next.js, React + Express, Vue + Node, Django)
- Auth strategy: {auth_strategy} (e.g., "JWT + Refresh Tokens", "Session-based", "OAuth2 + Google/GitHub", "Magic Link email")
- Database: {database} (e.g., PostgreSQL, MongoDB)
- Include 2FA? {include_2fa} (yes / no)
- Include social login? {social_providers} (e.g., "Google, GitHub" or "none")
- Email provider: {email_provider} (e.g., SendGrid, Resend, Nodemailer, or "none")

Generate a complete, production-ready authentication system with:

**Backend:**
1. User model/schema with fields: id, email, password_hash, name, role, email_verified, created_at
2. Auth controller with: Register, Login, Logout, Refresh Token, Forgot Password, Reset Password, Verify Email
3. JWT utility functions (sign, verify, blacklist)
4. Password hashing with bcrypt (min 12 rounds)
5. Rate limiting on auth routes (5 attempts per 15 minutes)
6. Email verification flow with signed tokens
7. Password reset flow with expiring tokens
8. Middleware: authenticate, authorize(roles), optionalAuth

**Frontend:**
9. Login page component with form validation
10. Register page component with password strength indicator
11. Auth context/store (React Context or Vuex/Pinia)
12. Protected route wrapper component
13. Forgot password and reset password pages
14. Token refresh interceptor (Axios or Fetch)

**Security Checklist (add as comments in code):**
- HTTPS only cookies (httpOnly, secure, sameSite)
- CSRF protection
- SQL injection prevention
- XSS prevention
- Timing attack prevention on password comparison

Output all files clearly labeled. The system must be secure and production-ready.
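
Backend items 5 to 7 and the timing-attack checklist entry, as an added Python example that is not part of the prompt template or of the site's own material. It assumes an HMAC-SHA256 token format, a 15-minute token lifetime, user ids without dots, and the names `issue_token`, `verify_token` and `AttemptLimiter`, none of which the template specifies; the constant-time comparison is applied here to the token signature rather than to a password hash.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads it from a secret store.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60                 # assumed; the template only says "expiring"
MAX_ATTEMPTS, WINDOW = 5, 15 * 60   # "5 attempts per 15 minutes" from the template


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, purpose: str, now=None, key: bytes = SECRET) -> str:
    """Return 'purpose.user_id.expiry.signature'; purpose blocks cross-flow reuse."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{purpose}.{user_id}.{expires}"
    return f"{payload}.{_sign(payload, key)}"


def verify_token(token: str, purpose: str, now=None, key: bytes = SECRET):
    """Return the user id, or None if forged, expired or issued for another flow."""
    try:
        tok_purpose, user_id, expires, sig = token.split(".")
    except ValueError:
        return None
    expected = _sign(f"{tok_purpose}.{user_id}.{expires}", key)
    # compare_digest takes the same time wherever the first mismatch sits,
    # so response timing does not reveal how much of a guess was correct.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    # Fields are trusted only after the signature check, so int() is safe here.
    if tok_purpose != purpose or int(expires) < (time.time() if now is None else now):
        return None
    return user_id


class AttemptLimiter:
    """Sliding window: MAX_ATTEMPTS per key (e.g. IP plus email) per WINDOW seconds."""

    def __init__(self):
        self._hits = {}

    def allow(self, key: str, now=None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._hits.get(key, []) if now - t < WINDOW]
        allowed = len(recent) < MAX_ATTEMPTS
        self._hits[key] = recent + [now] if allowed else recent
        return allowed
```

A password reset token should also be single-use, which needs server-side state that this block leaves out.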

How to use this prompt

  1. Click Copy Prompt above to copy the template to your clipboard.
  2. Paste it into ChatGPT, Claude, Gemini or any AI tool of your choice.
  3. Replace any {variables} in curly braces with your specific details.