@auth-craft/tenant-access-control-dynamodb 0.0.1 → 0.0.3

package/dist/index.js

@@ -2,9 +2,528 @@ import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
 import { DynamoDBDocumentClient, GetCommand, PutCommand, UpdateCommand, DeleteCommand, QueryCommand, TransactWriteCommand } from '@aws-sdk/lib-dynamodb';
 import { ok, err } from 'ts-micro-result';
 import { tenantAccessErrors } from '@auth-craft/tenant-access-control';
-import { TableAttr, KeyPattern, KeyExtractor, millisToDate, GSIKeys, GSIName } from '@auth-craft/database-plugin-dynamodb';
 
 // src/index.ts
+
+// ../auth-core/dist/chunk-66N4CPWZ.mjs
+var USER_STATUS = {
+  ACTIVE: "active"};
+
+// ../database-plugin-dynamodb/dist/index.mjs
+var EntityPrefix = {
+  USER: "USR"
+};
+var PkPrefix = {
+  USER: `${EntityPrefix.USER}#`,
+  SESSION: "SES#",
+  PROVIDER: "PRV#",
+  CHALLENGE: "CHL#",
+  IDENTITY: "IDT#",
+  // Identity (email/phone/username)
+  CREDENTIAL: "CRD#",
+  // Credential (password, passkey, etc.)
+  // Note: MFA credentials use PK: USR#{userId} (stored under user, not separate partition)
+  TENANT: "TNT#"
+  // TenantMember (SCHEMA_V4 multi-tenant)
+};
+var SkPrefix = {
+  METADATA: "MD",
+  // Metadata suffix for entities
+  AUTH: "AUTH",
+  // UserAuth entity (SCHEMA_V4)
+  PROFILE: "PROF",
+  // UserProfile entity (SCHEMA_V4)
+  PROVIDER: "PRV#",
+  MFA: "MFA#"
+  // UserMFAAuthenticator entity (SCHEMA_V4)
+};
+var DELIMITER = "#";
+var KeyPattern = {
+  // ============================================
+  // USER
+  // ============================================
+  /**
+   * User PK
+   * Pattern: USR#{userId}
+   */
+  USER_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Auth SK (SCHEMA_V4)
+   * Pattern: AUTH
+   * Stores: userStatus, mfaRequired, mfaMethods[], createdAt, updatedAt
+   *
+   * Removed in SCHEMA_V4:
+   * - email, phone fields → moved to Identity entity
+   * - passwordHash → moved to Credential entity
+   * - lockedUntil, failedLoginAttempts → moved to Identity.guards (per-method)
+   * - MFA credentials (mfaSecret, mfaBackupCodes) → moved to UserMFAAuthenticator items
+   * - Profile fields (givenName, familyName, avatarUrl, locale, metadata) → moved to PROF item
+   * - tokenVersion → removed (use Session.revokedAt instead)
+   * - permissions → removed from UserAuth (use TenantMember.permMask or Session.permMask)
+   */
+  USER_AUTH_SK: () => SkPrefix.AUTH,
+  /**
+   * User Profile SK (SCHEMA_V4)
+   * Pattern: PROF
+   * Stores: userStatus, deletedAt, givenName, familyName, avatarUrl,
+   *         locale, metadata, createdAt, updatedAt, statusPk, statusSk
+   *
+   * Removed in SCHEMA_V4:
+   * - email, phone fields → moved to Identity entity
+   */
+  USER_PROFILE_SK: () => SkPrefix.PROFILE,
+  // ============================================
+  // USER MFA AUTHENTICATOR (SCHEMA_V4)
+  // ============================================
+  /**
+   * UserMFAAuthenticator SK (single-instance methods like TOTP)
+   * Pattern: MFA#{method}
+   * Example: MFA#totp
+   * Used by: Single-instance MFA methods that don't need ID
+   */
+  USER_MFA_SK: (method) => `${SkPrefix.MFA}${method}`,
+  /**
+   * UserMFAAuthenticator SK (multi-instance methods like WebAuthn)
+   * Pattern: MFA#{method}#{id}
+   * Example: MFA#webauthn#key_abc123, MFA#passkey#pk_xyz789
+   * Used by: Multi-instance MFA methods (security keys, passkeys)
+   */
+  USER_MFA_WITH_ID_SK: (method, id) => `${SkPrefix.MFA}${method}${DELIMITER}${id}`,
+  // ============================================
+  // TENANT MEMBER (SCHEMA_V4)
+  // ============================================
+  /**
+   * Tenant Member PK
+   * Pattern: TNT#{tenantId}
+   * Example: TNT#org-abc
+   * Used by: DynamoDBTenantMemberItem (main table)
+   */
+  TENANT_MEMBER_PK: (tenantId) => `${PkPrefix.TENANT}${tenantId}`,
+  /**
+   * Tenant Member SK
+   * Pattern: USR#{userId}
+   * Example: USR#01HQZX8V9ABCDEFGHIJK
+   * Used by: DynamoDBTenantMemberItem (main table)
+   */
+  TENANT_MEMBER_SK: (userId) => `${PkPrefix.USER}${userId}`,
+  // ============================================
+  // SESSION
+  // ============================================
+  /**
+   * Session PK (New session-centric design)
+   * Pattern: SES#{sessionId}
+   * Example: SES#01HQZX8V9ABCDEFGHIJK
+   */
+  SESSION_PK: (sessionId) => `${PkPrefix.SESSION}${sessionId}`,
+  /**
+   * Session Metadata SK
+   * Pattern: MD
+   * Stores: userId, tokenId, tenantId, audience, permMask, roleIds,
+   *         deviceLabel, country, city, createdAt, expiresAt, lastUsedAt,
+   *         revokedAt, metadata, TTL
+   * Note: sessionId extracted from PK
+   */
+  SESSION_METADATA_SK: () => SkPrefix.METADATA,
+  /**
+   * Session SK (alias for SESSION_METADATA_SK)
+   */
+  SESSION_SK: () => SkPrefix.METADATA,
+  /**
+   * Provider SK
+   * Pattern: PRV#{provider}#{externalId}
+   * Used for:
+   * - GSI_UserProviders sort key (userProviderSk)
+   * - DynamoDBProviderRegistryItem PK
+   */
+  PROVIDER_SK: (provider, externalId) => `${SkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`,
+  // ============================================
+  // PROVIDER (Provider-centric design)
+  // ============================================
+  /**
+   * Provider PK (Main table)
+   * Pattern: PRV#{provider}#{externalId}
+   * Example: PRV#google#123456789
+   * Used by: DynamoDBUserProviderItem (main table)
+   */
+  PROVIDER_PK: (provider, externalId) => `${PkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`,
+  /**
+   * Provider Metadata SK
+   * Pattern: MD
+   * Stores: userId, system, externalUsername, externalEmail, externalPhone,
+   *         externalName, externalAvatarUrl, accessToken, refreshToken,
+   *         tokenExpiresAt, createdAt, metadata
+   * Note: id generated at mapper layer from PK (base64url), NOT stored
+   * Note: provider and externalId extracted from PK
+   */
+  PROVIDER_METADATA_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // CHALLENGE
+  // ============================================
+  /**
+   * Challenge PK
+   * Pattern: CHL#{challengeId}
+   * Example: CHL#abc123xyz
+   */
+  CHALLENGE_PK: (challengeId) => `${PkPrefix.CHALLENGE}${challengeId}`,
+  /**
+   * Challenge Metadata SK
+   * Pattern: MD
+   * Stores: userId, tenantId, audience, purpose, status, phase, allowedMethods,
+   *         method, codeHash, attempts, maxAttempts, metadata, flowKey,
+   *         expiresAt, createdAt, TTL
+   * Note: challengeId extracted from PK
+   */
+  CHALLENGE_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // IDENTITY
+  // ============================================
+  /**
+   * Identity PK
+   * Pattern: IDT#{type}#{value}
+   * Examples:
+   *   - IDT#email#user@example.com
+   *   - IDT#phone#+84987654321
+   *   - IDT#username#johndoe
+   *
+   * Purpose: Fast O(1) lookup by identity type and value
+   */
+  IDENTITY_PK: (type, value) => {
+    return `${PkPrefix.IDENTITY}${type}#${value}`;
+  },
+  /**
+   * Identity Metadata SK
+   * Pattern: MD
+   * Stores: userId, loginEnabled, verifiedAt, guards, createdAt, updatedAt
+   * Note: type and value extracted from PK
+   */
+  IDENTITY_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // CREDENTIAL
+  // ============================================
+  /**
+   * Credential PK
+   * Pattern: CRD#{credentialId}
+   * Example: CRD#cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   */
+  CREDENTIAL_PK: (credentialId) => `${PkPrefix.CREDENTIAL}${credentialId}`,
+  /**
+   * Credential Metadata SK
+   * Pattern: MD
+   * Stores: userId, value, metadata, isActive, createdAt, updatedAt, lastUsedAt
+   * Note: credentialId and type extracted from PK and GSI SK
+   */
+  CREDENTIAL_SK: () => SkPrefix.METADATA,
+  /**
+   * Credential Type Prefix (for GSI query)
+   * Pattern: CRD#{type}#
+   * Used to query credentials by type with begins_with
+   */
+  CREDENTIAL_TYPE_PREFIX: (type) => `${PkPrefix.CREDENTIAL}${type}#`,
+  /**
+   * Credential User GSI SK
+   * Pattern: CRD#{type}#{credentialId}
+   * Example: CRD#password#cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   * Allows querying credentials by user and filtering by type
+   */
+  CREDENTIAL_USER_SK: (type, credentialId) => `${PkPrefix.CREDENTIAL}${type}#${credentialId}`,
+  // ============================================
+  // IDENTITY
+  // ============================================
+  /**
+   * User Index GSI PK (for Identity)
+   * Pattern: USR#{userId}
+   * Example: USR#01JCQR8XMZP2KGH7NWV8F9E3TS
+   *
+   * Purpose: Query all identities for a specific user
+   */
+  USER_INDEX_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Index GSI SK (for Identity)
+   * Pattern: IDT#{type}#{value}
+   * Examples:
+   *   - IDT#email#user@example.com
+   *   - IDT#phone#+84987654321
+   *
+   * Purpose: Sort identities by type and extract type/value without additional attributes
+   */
+  USER_INDEX_SK: (type, value) => {
+    return `${PkPrefix.IDENTITY}${type}#${value}`;
+  }
+};
+var KeyExtractor = {
+  // ============================================
+  // PK Extractors
+  // ============================================
+  /**
+   * Extract userId from User PK
+   * Pattern: USR#{userId} -> userId
+   */
+  userId: (pk) => pk.slice(PkPrefix.USER.length),
+  /**
+   * Extract sessionId from Session PK
+   * Pattern: SES#{sessionId} -> sessionId
+   */
+  sessionId: (pk) => pk.slice(PkPrefix.SESSION.length),
+  /**
+   * Extract provider and externalId from Provider PK
+   * Pattern: PRV#{provider}#{externalId} -> { provider, externalId }
+   * Example: PRV#google#123456789 -> { provider: 'google', externalId: '123456789' }
+   */
+  providerPKInfo: (pk) => {
+    const remainder = pk.slice(PkPrefix.PROVIDER.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const provider = remainder.slice(0, delimiterIndex);
+    const externalId = remainder.slice(delimiterIndex + 1);
+    return { provider, externalId };
+  },
+  // ============================================
+  // SK Extractors
+  // ============================================
+  /**
+   * Extract provider and externalId from Provider SK
+   * Pattern: PRV#{provider}#{externalId} -> { provider, externalId }
+   */
+  providerInfo: (sk) => {
+    const remainder = sk.slice(SkPrefix.PROVIDER.length);
+    const delimiterIndex = remainder.indexOf(DELIMITER);
+    if (delimiterIndex === -1) return null;
+    const provider = remainder.slice(0, delimiterIndex);
+    const externalId = remainder.slice(delimiterIndex + 1);
+    return { provider, externalId };
+  },
+  /**
+   * Extract method and optional id from MFA SK
+   * Pattern: MFA#{method} or MFA#{method}#{id} -> { method, id? }
+   * Example: MFA#totp -> { method: 'totp' }
+   * Example: MFA#webauthn#key_abc -> { method: 'webauthn', id: 'key_abc' }
+   */
+  mfaSKInfo: (sk) => {
+    const remainder = sk.slice(SkPrefix.MFA.length);
+    const delimiterIndex = remainder.indexOf(DELIMITER);
+    if (delimiterIndex === -1) {
+      return { method: remainder };
+    }
+    const method = remainder.slice(0, delimiterIndex);
+    const id = remainder.slice(delimiterIndex + 1);
+    return { method, id };
+  },
+  // ============================================
+  // Tenant Extractors (SCHEMA_V4)
+  // ============================================
+  /**
+   * Extract tenantId from TenantMember PK
+   * Pattern: TNT#{tenantId} -> tenantId
+   * Example: TNT#org-abc -> org-abc
+   */
+  tenantId: (pk) => pk.slice(PkPrefix.TENANT.length),
+  /**
+   * Extract userId from TenantMember SK
+   * Pattern: USR#{userId} -> userId
+   * Example: USR#01HQZX8V9ABCDEFGHIJK -> 01HQZX8V9ABCDEFGHIJK
+   */
+  tenantMemberUserId: (sk) => sk.slice(PkPrefix.USER.length),
+  /**
+   * Extract challengeId from Challenge PK
+   * Pattern: CHL#{challengeId} -> challengeId
+   * Example: CHL#abc123xyz -> abc123xyz
+   */
+  challengeIdFromPK: (pk) => pk.slice(PkPrefix.CHALLENGE.length),
+  /**
+   * Extract type and value from Identity PK
+   * Pattern: IDT#{type}#{value} -> { type, value }
+   * Example: IDT#email#user@example.com -> { type: 'email', value: 'user@example.com' }
+   */
+  identityPKInfo: (pk) => {
+    const remainder = pk.slice(PkPrefix.IDENTITY.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const type = remainder.slice(0, delimiterIndex);
+    const value = remainder.slice(delimiterIndex + 1);
+    return { type, value };
+  },
+  /**
+   * Extract credentialId from Credential PK
+   * Pattern: CRD#{credentialId} -> credentialId
+   * Example: CRD#cred_01JCQR8XMZP2KGH7NWV8F9E3TS -> cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   */
+  credentialId: (pk) => pk.slice(PkPrefix.CREDENTIAL.length),
+  /**
+   * Extract type from Credential User GSI SK
+   * Pattern: CRD#{type}#{credentialId} -> type
+   * Example: CRD#password#cred_abc -> password
+   */
+  credentialTypeFromUserSK: (sk) => {
+    const remainder = sk.slice(PkPrefix.CREDENTIAL.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return "";
+    return remainder.slice(0, delimiterIndex);
+  },
+  /**
+   * Extract type and value from User Index SK (GSI)
+   * Pattern: IDT#{type}#{value} -> { type, value }
+   * Example: IDT#email#user@example.com -> { type: 'email', value: 'user@example.com' }
+   */
+  userIndexSKInfo: (sk) => {
+    const remainder = sk.slice(PkPrefix.IDENTITY.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const type = remainder.slice(0, delimiterIndex);
+    const value = remainder.slice(delimiterIndex + 1);
+    return { type, value };
+  }
+};
+var GSIKeys = {
+  // ============================================
+  // GSI_ActiveSessions
+  // ============================================
+  /**
+   * Active Sessions GSI PK
+   * Pattern: USR#{userId} (user-partitioned for scalability)
+   * Used by: GSI_ActiveSessions
+   * NOTE: Changed from global 'ACTIVE' to user-partitioned to prevent hot partition
+   */
+  ACTIVE_SESSION_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * Active Sessions GSI SK
+   * Pattern: {createdAt}#{sessionId}
+   * Used by: GSI_ActiveSessions
+   */
+  ACTIVE_SESSION_SK: (createdAt, sessionId) => `${createdAt}${DELIMITER}${sessionId}`,
+  // ============================================
+  // GSI_UserSessions
+  // ============================================
+  /**
+   * User Sessions GSI PK
+   * Pattern: USR#{userId}
+   * Used by: GSI_UserSessions
+   */
+  USER_SESSION_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Sessions GSI SK
+   * Pattern: {createdAt}#{sessionId}
+   * Used by: GSI_UserSessions
+   */
+  USER_SESSION_SK: (createdAt, sessionId) => `${createdAt}${DELIMITER}${sessionId}`,
+  // ============================================
+  // GSI_UsersByStatus
+  // ============================================
+  /**
+   * Users By Status GSI PK
+   * Pattern: USR#ACTIVE or USR#INACTIVE (SCHEMA_V4)
+   * Used by: GSI_UsersByStatus
+   * Maps: active → ACTIVE, suspended/deleted → INACTIVE
+   */
+  USER_STATUS_PK: (status) => {
+    const statusGroup = status === USER_STATUS.ACTIVE ? "ACTIVE" : "INACTIVE";
+    return `${EntityPrefix.USER}${DELIMITER}${statusGroup}`;
+  },
+  /**
+   * Users By Status GSI SK
+   * Pattern: {userId}
+   * Used by: GSI_UsersByStatus
+   * Simple userId pattern to avoid needing createdAt for syncAuthStatus
+   */
+  USER_STATUS_SK: (userId) => userId,
+  // ============================================
+  // GSI_UserProviders
+  // ============================================
+  /**
+   * User Providers GSI PK
+   * Pattern: USR#{userId}
+   * Used by: GSI_UserProviders
+   */
+  USER_PROVIDER_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Providers GSI SK
+   * Pattern: PRV#{provider}#{externalId}
+   * Used by: GSI_UserProviders
+   */
+  USER_PROVIDER_SK: (provider, externalId) => `${SkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`
+};
+var TableAttr = {
+  PK: "PK",
+  SK: "SK",
+  TTL: "TTL",
+  ACTIVE_SESSION_PK: "activeSessionPk",
+  // GSI partition key for active sessions
+  ACTIVE_SESSION_SK: "activeSessionSk",
+  // GSI sort key for active sessions (createdAt#sessionId)
+  USER_SESSION_PK: "userSessionPk",
+  // GSI partition key for user sessions (USR#{userId})
+  USER_SESSION_SK: "userSessionSk",
+  // GSI sort key for user sessions (createdAt#sessionId)
+  USER_STATUS_PK: "userStatusPk",
+  // GSI partition key for users by status
+  USER_STATUS_SK: "userStatusSk",
+  // GSI sort key for users by status (userId)
+  USER_PROVIDER_PK: "userProviderPk",
+  // GSI partition key for user providers (USR#{userId})
+  USER_PROVIDER_SK: "userProviderSk",
+  // GSI sort key for user providers (PRV#{provider}#{externalId})
+  // Challenge attributes
+  USER_ID: "userId",
+  TENANT_ID: "tenantId",
+  AUDIENCE: "audience",
+  PURPOSE: "purpose",
+  CHALLENGE_STATUS: "challengeStatus",
+  // Named challengeStatus to avoid DynamoDB reserved keyword 'status'
+  PHASE: "phase",
+  ALLOWED_METHODS: "allowedMethods",
+  METHOD: "method",
+  IDENTITY_TYPE: "identityType",
+  // For credential challenges
+  IDENTITY_VALUE: "identityValue",
+  // For credential challenges
+  CODE_HASH: "codeHash",
+  ATTEMPTS: "attempts",
+  MAX_ATTEMPTS: "maxAttempts",
+  METADATA: "metadata",
+  FLOW_KEY: "flowKey",
+  EXPIRES_AT: "expiresAt",
+  CREATED_AT: "createdAt",
+  // Session attributes
+  TOKEN_ID: "tokenId",
+  LAST_USED_AT: "lastUsedAt",
+  REVOKED_AT: "revokedAt",
+  PERM_MASK: "permMask",
+  ROLE_IDS: "roleIds",
+  DEVICE_LABEL: "deviceLabel",
+  COUNTRY: "country",
+  CITY: "city",
+  // Identity attributes
+  IDENTITY_USER_PK: "identityUserPk",
+  // GSI partition key for user identities (USR#{userId})
+  IDENTITY_USER_SK: "identityUserSk",
+  // GSI sort key for user identities (IDT#{type}#{value})
+  LOGIN_ENABLED: "loginEnabled",
+  VERIFIED_AT: "verifiedAt",
+  GUARDS: "guards",
+  UPDATED_AT: "updatedAt",
+  // Credential attributes
+  CREDENTIAL_USER_PK: "credentialUserPk",
+  // GSI partition key for user credentials (USR#{userId})
+  CREDENTIAL_USER_SK: "credentialUserSk",
+  // GSI sort key for user credentials (CRD#{type}#{credentialId})
+  CREDENTIAL_VALUE: "value"
+  // Credential value (password hash, etc.)
+  // Note: REVOKED_AT is shared with Session (defined above)
+};
+var GSIName = {
+  ACTIVE_SESSIONS: "GSI_ActiveSessions",
+  USER_SESSIONS: "GSI_UserSessions",
+  USERS_BY_STATUS: "GSI_UsersByStatus",
+  USER_PROVIDERS: "GSI_UserProviders",
+  USER_IDENTITIES: "GSI_UserIdentities",
+  // Query all identities for a user
+  USER_CREDENTIALS: "GSI_UserCredentials"
+  // Query all credentials for a user
+};
+function millisToDate(millis) {
+  return new Date(millis);
+}
+
+// src/dynamodb-tenant-member-repo.ts
 var DynamoDBTenantMemberRepository = class {
   constructor(client, tableName) {
     this.client = client;
@@ -14,14 +533,14 @@ var DynamoDBTenantMemberRepository = class {
     });
   }
   docClient;
-  async get(tenantId, audience, userId) {
+  async get(tenantId, userId) {
     try {
       const response = await this.docClient.send(
         new GetCommand({
           TableName: this.tableName,
           Key: {
             [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
-            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(userId)
           }
         })
       );
@@ -41,7 +560,7 @@ var DynamoDBTenantMemberRepository = class {
           TableName: this.tableName,
           Item: {
             [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(data.tenantId),
-            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(data.audience, data.userId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(data.userId),
             userStatus: data.status,
             roleIds: JSON.stringify(data.roleIds),
             permMask: data.permMask ?? 0,
@@ -59,7 +578,7 @@ var DynamoDBTenantMemberRepository = class {
       return err(tenantAccessErrors.DATABASE_ERROR());
     }
   }
-  async updatePermissions(tenantId, audience, userId, updates) {
+  async updatePermissions(tenantId, userId, updates) {
     try {
       const setClauses = ["#updatedAt = :updatedAt"];
       const names = { "#updatedAt": "updatedAt" };
@@ -79,7 +598,7 @@ var DynamoDBTenantMemberRepository = class {
           TableName: this.tableName,
           Key: {
             [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
-            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(userId)
           },
           UpdateExpression: `SET ${setClauses.join(", ")}`,
           ExpressionAttributeNames: names,
@@ -95,14 +614,14 @@ var DynamoDBTenantMemberRepository = class {
       return err(tenantAccessErrors.DATABASE_ERROR());
     }
   }
-  async updateStatus(tenantId, audience, userId, status) {
+  async updateStatus(tenantId, userId, status) {
     try {
       await this.docClient.send(
         new UpdateCommand({
           TableName: this.tableName,
           Key: {
             [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
-            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(userId)
           },
           UpdateExpression: "SET #status = :status, #updatedAt = :updatedAt",
           ExpressionAttributeNames: {
@@ -124,14 +643,14 @@ var DynamoDBTenantMemberRepository = class {
       return err(tenantAccessErrors.DATABASE_ERROR());
     }
   }
-  async remove(tenantId, audience, userId) {
+  async remove(tenantId, userId) {
     try {
       await this.docClient.send(
         new DeleteCommand({
           TableName: this.tableName,
           Key: {
             [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
-            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(userId)
           }
         })
       );
@@ -142,11 +661,10 @@ var DynamoDBTenantMemberRepository = class {
   }
   mapItemToEntity(item) {
     const tenantId = KeyExtractor.tenantId(item[TableAttr.PK]);
-    const skInfo = KeyExtractor.tenantMemberSKInfo(item[TableAttr.SK]);
+    const userId = KeyExtractor.tenantMemberUserId(item[TableAttr.SK]);
     return {
       tenantId,
-      audience: skInfo?.audience ?? "",
-      userId: skInfo?.userId ?? "",
+      userId,
       status: item["userStatus"],
       roleIds: JSON.parse(item["roleIds"]),
       permMask: item["permMask"] ?? 0,