@aneuhold/be-ts-db-lib 4.2.19 → 4.2.20

package/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 🔖 [4.2.20] (2026-03-19)
+
+### ✅ Added
+
+- Added `GoogleAuthService.verifyAndFindUser` method that returns `null` when no matching user exists (does not create one).
+
+### 🏗️ Changed
+
+- Refactored `GoogleAuthService`: extracted private `verifyToken` helper and restructured `verifyAndFindOrCreateUser` to delegate to `verifyAndFindUser`.
+- Refactored `MigrationService` to fill in missing `projectAccess` fields with safe defaults instead of patching `refreshTokenHashes`.
+- Updated dependencies on `@aneuhold/be-ts-lib` to `^3.1.7` and `@aneuhold/core-ts-db-lib` to `^5.0.2`.
+
 ## 🔖 [4.2.19] (2026-03-18)
 
 ### ✅ Added
@@ -348,6 +360,7 @@ Updated dependencies: now requires `@aneuhold/core-ts-db-lib@^3.0.0`, `@aneuhold
 
 <!-- Link References -->
 
+[4.2.20]: https://github.com/aneuhold/ts-libs/compare/be-ts-db-lib-v4.2.19...be-ts-db-lib-v4.2.20
 [4.2.19]: https://github.com/aneuhold/ts-libs/compare/be-ts-db-lib-v4.2.18...be-ts-db-lib-v4.2.19
 [4.2.18]: https://github.com/aneuhold/ts-libs/compare/be-ts-db-lib-v4.2.17...be-ts-db-lib-v4.2.18
 [4.2.17]: https://github.com/aneuhold/ts-libs/compare/be-ts-db-lib-v4.2.16...be-ts-db-lib-v4.2.17

package/lib/services/GoogleAuthService.d.ts

@@ -6,6 +6,16 @@ import type { ApiKey, User } from '@aneuhold/core-ts-db-lib';
  */
 export default class GoogleAuthService {
     private static readonly client;
+    /**
+     * Verifies a Google ID token and finds the associated user. Returns
+     * `null` if no matching user exists (does **not** create one).
+     *
+     * @param googleCredentialToken - The Google ID token string from the client.
+     */
+    static verifyAndFindUser(googleCredentialToken: string): Promise<{
+        user: User;
+        apiKey: ApiKey;
+    } | null>;
     /**
      * Verifies a Google ID token and finds or creates the associated user.
      *
@@ -15,5 +25,11 @@ export default class GoogleAuthService {
         user: User;
         apiKey: ApiKey;
     }>;
+    /**
+     * Verifies a Google ID token and returns the Google ID and email.
+     *
+     * @param googleCredentialToken - The Google ID token string from the client.
+     */
+    private static verifyToken;
 }
 //# sourceMappingURL=GoogleAuthService.d.ts.map

package/lib/services/GoogleAuthService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"GoogleAuthService.d.ts","sourceRoot":"","sources":["../../src/services/GoogleAuthService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAM7D;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAiB;IACpC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAsC;IAEpE;;;;OAIG;WACU,yBAAyB,CACpC,qBAAqB,EAAE,MAAM,GAC5B,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CAsD3C"}
+{"version":3,"file":"GoogleAuthService.d.ts","sourceRoot":"","sources":["../../src/services/GoogleAuthService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAM7D;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAiB;IACpC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAsC;IAEpE;;;;;OAKG;WACU,iBAAiB,CAC5B,qBAAqB,EAAE,MAAM,GAC5B,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IA+BjD;;;;OAIG;WACU,yBAAyB,CACpC,qBAAqB,EAAE,MAAM,GAC5B,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA+B1C;;;;OAIG;mBACkB,WAAW;CAmBjC"}

package/lib/services/GoogleAuthService.js

@@ -1,4 +1,4 @@
-import { GOOGLE_CLIENT_ID, UserSchema } from '@aneuhold/core-ts-db-lib';
+import { GOOGLE_CLIENT_ID, ProjectName, UserSchema } from '@aneuhold/core-ts-db-lib';
 import { OAuth2Client } from 'google-auth-library';
 import ApiKeyRepository from '../repositories/common/ApiKeyRepository.js';
 import UserRepository from '../repositories/common/UserRepository.js';
@@ -10,23 +10,13 @@ import UserRepository from '../repositories/common/UserRepository.js';
 export default class GoogleAuthService {
     static client = new OAuth2Client(GOOGLE_CLIENT_ID);
     /**
-     * Verifies a Google ID token and finds or creates the associated user.
+     * Verifies a Google ID token and finds the associated user. Returns
+     * `null` if no matching user exists (does **not** create one).
      *
      * @param googleCredentialToken - The Google ID token string from the client.
      */
-    static async verifyAndFindOrCreateUser(googleCredentialToken) {
-        const ticket = await this.client.verifyIdToken({
-            idToken: googleCredentialToken,
-            audience: GOOGLE_CLIENT_ID
-        });
-        const payload = ticket.getPayload();
-        if (!payload) {
-            throw new Error('Invalid Google token payload');
-        }
-        const { sub: googleId, email } = payload;
-        if (!email) {
-            throw new Error('Google account has no email');
-        }
+    static async verifyAndFindUser(googleCredentialToken) {
+        const { googleId, email } = await this.verifyToken(googleCredentialToken);
         const userRepo = UserRepository.getRepo();
         const apiKeyRepo = ApiKeyRepository.getRepo();
         // 1. Look up by googleId
@@ -40,20 +30,8 @@ export default class GoogleAuthService {
                 user.auth.googleId = googleId;
             }
         }
-        // 3. Create new user if neither match. The ApiKey subscriber on
-        //    UserRepository automatically creates an API key on user insertion.
         if (!user) {
-            const newUser = UserSchema.parse({
-                userName: email,
-                email,
-                auth: { googleId },
-                projectAccess: { dashboard: false, workout: true }
-            });
-            const insertedUser = await userRepo.insertNew(newUser);
-            if (!insertedUser) {
-                throw new Error('Failed to create user');
-            }
-            user = insertedUser;
+            return null;
         }
         const apiKey = await apiKeyRepo.get({ userId: user._id });
         if (!apiKey) {
@@ -61,5 +39,56 @@ export default class GoogleAuthService {
         }
         return { user, apiKey };
     }
+    /**
+     * Verifies a Google ID token and finds or creates the associated user.
+     *
+     * @param googleCredentialToken - The Google ID token string from the client.
+     */
+    static async verifyAndFindOrCreateUser(googleCredentialToken) {
+        const result = await this.verifyAndFindUser(googleCredentialToken);
+        if (result) {
+            return result;
+        }
+        // Create new user. The ApiKey subscriber on UserRepository automatically
+        // creates an API key on user insertion.
+        const { googleId, email } = await this.verifyToken(googleCredentialToken);
+        const userRepo = UserRepository.getRepo();
+        const apiKeyRepo = ApiKeyRepository.getRepo();
+        const newUser = UserSchema.parse({
+            userName: email,
+            email,
+            auth: { googleId },
+            projectAccess: { [ProjectName.Dashboard]: false, [ProjectName.Workout]: true }
+        });
+        const insertedUser = await userRepo.insertNew(newUser);
+        if (!insertedUser) {
+            throw new Error('Failed to create user');
+        }
+        const apiKey = await apiKeyRepo.get({ userId: insertedUser._id });
+        if (!apiKey) {
+            throw new Error(`No API key found for user ${insertedUser._id}`);
+        }
+        return { user: insertedUser, apiKey };
+    }
+    /**
+     * Verifies a Google ID token and returns the Google ID and email.
+     *
+     * @param googleCredentialToken - The Google ID token string from the client.
+     */
+    static async verifyToken(googleCredentialToken) {
+        const ticket = await this.client.verifyIdToken({
+            idToken: googleCredentialToken,
+            audience: GOOGLE_CLIENT_ID
+        });
+        const payload = ticket.getPayload();
+        if (!payload) {
+            throw new Error('Invalid Google token payload');
+        }
+        const { sub: googleId, email } = payload;
+        if (!email) {
+            throw new Error('Google account has no email');
+        }
+        return { googleId, email };
+    }
 }
 //# sourceMappingURL=GoogleAuthService.js.map

package/lib/services/GoogleAuthService.js.map

@@ -1 +1 @@
-{"version":3,"file":"GoogleAuthService.js","sourceRoot":"","sources":["../../src/services/GoogleAuthService.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACxE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,gBAAgB,MAAM,4CAA4C,CAAC;AAC1E,OAAO,cAAc,MAAM,0CAA0C,CAAC;AAEtE;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAiB;IAC5B,MAAM,CAAU,MAAM,GAAG,IAAI,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAEpE;;;;OAIG;IACH,MAAM,CAAC,KAAK,CAAC,yBAAyB,CACpC,qBAA6B;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YAC7C,OAAO,EAAE,qBAAqB;YAC9B,QAAQ,EAAE,gBAAgB;SAC3B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACpC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,CAAC;QAE9C,yBAAyB;QACzB,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QAEtD,iDAAiD;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACrC,IAAI,IAAI,EAAE,CAAC;gBACT,qCAAqC;gBACrC,MAAM,QAAQ,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC3E,IAAI,CAAC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAChC,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,wEAAwE;QACxE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC;gBAC/B,QAAQ,EAAE,KAAK;gBACf,KAAK;gBACL,IAAI,EAAE,EAAE,QAAQ,EAAE;gBAClB,aAAa,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE;aACnD,CAAC,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACvD,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,GAAG,YAAY,CAAC;QACtB,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC1B,CAAC"}
+{"version":3,"file":"GoogleAuthService.js","sourceRoot":"","sources":["../../src/services/GoogleAuthService.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACrF,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,gBAAgB,MAAM,4CAA4C,CAAC;AAC1E,OAAO,cAAc,MAAM,0CAA0C,CAAC;AAEtE;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAiB;IAC5B,MAAM,CAAU,MAAM,GAAG,IAAI,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAEpE;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAC5B,qBAA6B;QAE7B,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAC;QAE1E,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,CAAC;QAE9C,yBAAyB;QACzB,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QAEtD,iDAAiD;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACrC,IAAI,IAAI,EAAE,CAAC;gBACT,qCAAqC;gBACrC,MAAM,QAAQ,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC3E,IAAI,CAAC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAChC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC1B,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,KAAK,CAAC,yBAAyB,CACpC,qBAA6B;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;QACnE,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,yEAAyE;QACzE,wCAAwC;QACxC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAC;QAC1E,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,CAAC;QAE9C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC;YAC/B,QAAQ,EAAE,KAAK;YACf,KAAK;YACL,IAAI,EAAE,EAAE,QAAQ,EAAE;YAClB,aAAa,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE;SAC/E,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,6BAA6B,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACK,MAAM,CAAC,KAAK,CAAC,WAAW,CAC9B,qBAA6B;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YAC7C,OAAO,EAAE,qBAAqB;YAC9B,QAAQ,EAAE,gBAAgB;SAC3B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACpC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC"}

package/lib/services/GoogleAuthService.ts

@@ -1,5 +1,5 @@
 import type { ApiKey, User } from '@aneuhold/core-ts-db-lib';
-import { GOOGLE_CLIENT_ID, UserSchema } from '@aneuhold/core-ts-db-lib';
+import { GOOGLE_CLIENT_ID, ProjectName, UserSchema } from '@aneuhold/core-ts-db-lib';
 import { OAuth2Client } from 'google-auth-library';
 import ApiKeyRepository from '../repositories/common/ApiKeyRepository.js';
 import UserRepository from '../repositories/common/UserRepository.js';
@@ -13,26 +13,15 @@ export default class GoogleAuthService {
   private static readonly client = new OAuth2Client(GOOGLE_CLIENT_ID);
 
   /**
-   * Verifies a Google ID token and finds or creates the associated user.
+   * Verifies a Google ID token and finds the associated user. Returns
+   * `null` if no matching user exists (does **not** create one).
    *
    * @param googleCredentialToken - The Google ID token string from the client.
    */
-  static async verifyAndFindOrCreateUser(
+  static async verifyAndFindUser(
     googleCredentialToken: string
-  ): Promise<{ user: User; apiKey: ApiKey }> {
-    const ticket = await this.client.verifyIdToken({
-      idToken: googleCredentialToken,
-      audience: GOOGLE_CLIENT_ID
-    });
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new Error('Invalid Google token payload');
-    }
-
-    const { sub: googleId, email } = payload;
-    if (!email) {
-      throw new Error('Google account has no email');
-    }
+  ): Promise<{ user: User; apiKey: ApiKey } | null> {
+    const { googleId, email } = await this.verifyToken(googleCredentialToken);
 
     const userRepo = UserRepository.getRepo();
     const apiKeyRepo = ApiKeyRepository.getRepo();
@@ -50,20 +39,8 @@ export default class GoogleAuthService {
       }
     }
 
-    // 3. Create new user if neither match. The ApiKey subscriber on
-    //    UserRepository automatically creates an API key on user insertion.
     if (!user) {
-      const newUser = UserSchema.parse({
-        userName: email,
-        email,
-        auth: { googleId },
-        projectAccess: { dashboard: false, workout: true }
-      });
-      const insertedUser = await userRepo.insertNew(newUser);
-      if (!insertedUser) {
-        throw new Error('Failed to create user');
-      }
-      user = insertedUser;
+      return null;
     }
 
     const apiKey = await apiKeyRepo.get({ userId: user._id });
@@ -73,4 +50,67 @@ export default class GoogleAuthService {
 
     return { user, apiKey };
   }
+
+  /**
+   * Verifies a Google ID token and finds or creates the associated user.
+   *
+   * @param googleCredentialToken - The Google ID token string from the client.
+   */
+  static async verifyAndFindOrCreateUser(
+    googleCredentialToken: string
+  ): Promise<{ user: User; apiKey: ApiKey }> {
+    const result = await this.verifyAndFindUser(googleCredentialToken);
+    if (result) {
+      return result;
+    }
+
+    // Create new user. The ApiKey subscriber on UserRepository automatically
+    // creates an API key on user insertion.
+    const { googleId, email } = await this.verifyToken(googleCredentialToken);
+    const userRepo = UserRepository.getRepo();
+    const apiKeyRepo = ApiKeyRepository.getRepo();
+
+    const newUser = UserSchema.parse({
+      userName: email,
+      email,
+      auth: { googleId },
+      projectAccess: { [ProjectName.Dashboard]: false, [ProjectName.Workout]: true }
+    });
+    const insertedUser = await userRepo.insertNew(newUser);
+    if (!insertedUser) {
+      throw new Error('Failed to create user');
+    }
+
+    const apiKey = await apiKeyRepo.get({ userId: insertedUser._id });
+    if (!apiKey) {
+      throw new Error(`No API key found for user ${insertedUser._id}`);
+    }
+
+    return { user: insertedUser, apiKey };
+  }
+
+  /**
+   * Verifies a Google ID token and returns the Google ID and email.
+   *
+   * @param googleCredentialToken - The Google ID token string from the client.
+   */
+  private static async verifyToken(
+    googleCredentialToken: string
+  ): Promise<{ googleId: string; email: string }> {
+    const ticket = await this.client.verifyIdToken({
+      idToken: googleCredentialToken,
+      audience: GOOGLE_CLIENT_ID
+    });
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new Error('Invalid Google token payload');
+    }
+
+    const { sub: googleId, email } = payload;
+    if (!email) {
+      throw new Error('Google account has no email');
+    }
+
+    return { googleId, email };
+  }
 }

package/lib/services/MigrationService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"MigrationService.d.ts","sourceRoot":"","sources":["../../src/services/MigrationService.ts"],"names":[],"mappings":"AAKA;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,OAAO,gBAAgB;IACnC;;;;;;;;OAQG;WACU,SAAS,CAAC,MAAM,UAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAoCtD"}
+{"version":3,"file":"MigrationService.d.ts","sourceRoot":"","sources":["../../src/services/MigrationService.ts"],"names":[],"mappings":"AAeA;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,OAAO,gBAAgB;IACnC;;;;;;;;OAQG;WACU,SAAS,CAAC,MAAM,UAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAkDtD"}

package/lib/services/MigrationService.js

@@ -2,6 +2,15 @@
 // @ts-nocheck
 import { DR } from '@aneuhold/core-ts-lib';
 import UserRepository from '../repositories/common/UserRepository.js';
+/**
+ * The default values for each project access field. New fields should be
+ * added here and defaulted to `false` so existing users don't gain access
+ * automatically.
+ */
+const PROJECT_ACCESS_DEFAULTS = {
+    dashboard: false,
+    workout: false
+};
 /**
  * A service for migrating the DB to a new state after an existing document
  * change.
@@ -23,9 +32,14 @@ export default class MigrationService {
         DR.logger.info('Starting migration...');
         const userRepo = UserRepository.getRepo();
         const users = await userRepo.getAll();
-        // Add refreshTokenHashes to users that don't have it yet
-        const usersToUpdate = users.filter((user) => !user.auth.refreshTokenHashes);
-        DR.logger.info(`Found ${usersToUpdate.length} of ${users.length} users missing auth.refreshTokenHashes.`);
+        // Find users that are missing projectAccess entirely or are missing
+        // any of the expected fields.
+        const usersToUpdate = users.filter((user) => {
+            if (!user.projectAccess)
+                return true;
+            return Object.keys(PROJECT_ACCESS_DEFAULTS).some((key) => user.projectAccess[key] === undefined);
+        });
+        DR.logger.info(`Found ${usersToUpdate.length} of ${users.length} users with missing projectAccess fields.`);
         if (usersToUpdate.length === 0) {
             DR.logger.success('No migration needed.');
             return;
@@ -33,16 +47,20 @@ export default class MigrationService {
         if (dryRun) {
             DR.logger.info('Dry run: Would update the following users:');
             usersToUpdate.forEach((user) => {
-                DR.logger.info(`  - ${user.userName} (${user._id})`);
+                const existing = user.projectAccess ?? {};
+                const merged = { ...PROJECT_ACCESS_DEFAULTS, ...existing };
+                DR.logger.info(`  - ${user.userName} (${user._id}): ${JSON.stringify(existing)} → ${JSON.stringify(merged)}`);
             });
             return;
         }
         for (const user of usersToUpdate) {
+            const existing = user.projectAccess ?? {};
+            const merged = { ...PROJECT_ACCESS_DEFAULTS, ...existing };
             await userRepo.update({
                 _id: user._id,
-                auth: { ...user.auth, refreshTokenHashes: [] }
+                projectAccess: merged
             });
-            DR.logger.info(`Updated user ${user.userName} (${user._id})`);
+            DR.logger.info(`Updated user ${user.userName} (${user._id}): ${JSON.stringify(existing)} → ${JSON.stringify(merged)}`);
         }
         DR.logger.success(`Migration complete. Updated ${usersToUpdate.length} users.`);
     }

package/lib/services/MigrationService.js.map

@@ -1 +1 @@
-{"version":3,"file":"MigrationService.js","sourceRoot":"","sources":["../../src/services/MigrationService.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,cAAc;AACd,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAC3C,OAAO,cAAc,MAAM,0CAA0C,CAAC;AAEtE;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,OAAO,gBAAgB;IACnC;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,KAAK;QACnC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAExC,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAC;QAEtC,yDAAyD;QACzD,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAE5E,EAAE,CAAC,MAAM,CAAC,IAAI,CACZ,SAAS,aAAa,CAAC,MAAM,OAAO,KAAK,CAAC,MAAM,yCAAyC,CAC1F,CAAC;QAEF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;YAC7D,aAAa,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC7B,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;YACvD,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,MAAM,QAAQ,CAAC,MAAM,CAAC;gBACpB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,IAAI,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE;aAC/C,CAAC,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,+BAA+B,aAAa,CAAC,MAAM,SAAS,CAAC,CAAC;IAClF,CAAC;CACF"}
+{"version":3,"file":"MigrationService.js","sourceRoot":"","sources":["../../src/services/MigrationService.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,cAAc;AACd,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAC3C,OAAO,cAAc,MAAM,0CAA0C,CAAC;AAEtE;;;;GAIG;AACH,MAAM,uBAAuB,GAAG;IAC9B,SAAS,EAAE,KAAK;IAChB,OAAO,EAAE,KAAK;CACf,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,OAAO,gBAAgB;IACnC;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,KAAK;QACnC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAExC,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAC;QAEtC,oEAAoE;QACpE,8BAA8B;QAC9B,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YAC1C,IAAI,CAAC,IAAI,CAAC,aAAa;gBAAE,OAAO,IAAI,CAAC;YACrC,OAAO,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,IAAI,CAC9C,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,SAAS,CAC/C,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,MAAM,CAAC,IAAI,CACZ,SAAS,aAAa,CAAC,MAAM,OAAO,KAAK,CAAC,MAAM,2CAA2C,CAC5F,CAAC;QAEF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;YAC7D,aAAa,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;gBAC1C,MAAM,MAAM,GAAG,EAAE,GAAG,uBAAuB,EAAE,GAAG,QAAQ,EAAE,CAAC;gBAC3D,EAAE,CAAC,MAAM,CAAC,IAAI,CACZ,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAC9F,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,EAAE,GAAG,uBAAuB,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC3D,MAAM,QAAQ,CAAC,MAAM,CAAC;gBACpB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,aAAa,EAAE,MAAM;aACtB,CAAC,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,IAAI,CACZ,gBAAgB,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CACvG,CAAC;QACJ,CAAC;QAED,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,+BAA+B,aAAa,CAAC,MAAM,SAAS,CAAC,CAAC;IAClF,CAAC;CACF"}

package/lib/services/MigrationService.ts

@@ -3,6 +3,16 @@
 import { DR } from '@aneuhold/core-ts-lib';
 import UserRepository from '../repositories/common/UserRepository.js';
 
+/**
+ * The default values for each project access field. New fields should be
+ * added here and defaulted to `false` so existing users don't gain access
+ * automatically.
+ */
+const PROJECT_ACCESS_DEFAULTS = {
+  dashboard: false,
+  workout: false
+};
+
 /**
  * A service for migrating the DB to a new state after an existing document
  * change.
@@ -26,11 +36,17 @@ export default class MigrationService {
     const userRepo = UserRepository.getRepo();
     const users = await userRepo.getAll();
 
-    // Add refreshTokenHashes to users that don't have it yet
-    const usersToUpdate = users.filter((user) => !user.auth.refreshTokenHashes);
+    // Find users that are missing projectAccess entirely or are missing
+    // any of the expected fields.
+    const usersToUpdate = users.filter((user) => {
+      if (!user.projectAccess) return true;
+      return Object.keys(PROJECT_ACCESS_DEFAULTS).some(
+        (key) => user.projectAccess[key] === undefined
+      );
+    });
 
     DR.logger.info(
-      `Found ${usersToUpdate.length} of ${users.length} users missing auth.refreshTokenHashes.`
+      `Found ${usersToUpdate.length} of ${users.length} users with missing projectAccess fields.`
     );
 
     if (usersToUpdate.length === 0) {
@@ -41,17 +57,25 @@ export default class MigrationService {
     if (dryRun) {
       DR.logger.info('Dry run: Would update the following users:');
       usersToUpdate.forEach((user) => {
-        DR.logger.info(`  - ${user.userName} (${user._id})`);
+        const existing = user.projectAccess ?? {};
+        const merged = { ...PROJECT_ACCESS_DEFAULTS, ...existing };
+        DR.logger.info(
+          `  - ${user.userName} (${user._id}): ${JSON.stringify(existing)} → ${JSON.stringify(merged)}`
+        );
       });
       return;
     }
 
     for (const user of usersToUpdate) {
+      const existing = user.projectAccess ?? {};
+      const merged = { ...PROJECT_ACCESS_DEFAULTS, ...existing };
       await userRepo.update({
         _id: user._id,
-        auth: { ...user.auth, refreshTokenHashes: [] }
+        projectAccess: merged
       });
-      DR.logger.info(`Updated user ${user.userName} (${user._id})`);
+      DR.logger.info(
+        `Updated user ${user.userName} (${user._id}): ${JSON.stringify(existing)} → ${JSON.stringify(merged)}`
+      );
     }
 
     DR.logger.success(`Migration complete. Updated ${usersToUpdate.length} users.`);

package/package.json

@@ -2,7 +2,7 @@
   "name": "@aneuhold/be-ts-db-lib",
   "author": "Anton G. Neuhold Jr.",
   "license": "MIT",
-  "version": "4.2.19",
+  "version": "4.2.20",
   "description": "A backend database library meant to actually interact with various databases in personal projects",
   "packageManager": "pnpm@10.25.0",
   "type": "module",
@@ -58,8 +58,8 @@
     "MongoDB"
   ],
   "dependencies": {
-    "@aneuhold/be-ts-lib": "^3.1.6",
-    "@aneuhold/core-ts-db-lib": "^5.0.1",
+    "@aneuhold/be-ts-lib": "^3.1.7",
+    "@aneuhold/core-ts-db-lib": "^5.0.2",
     "@aneuhold/core-ts-lib": "^2.4.3",
     "bson": "^7.0.0",
     "google-auth-library": "^10.6.1",