@baseworks/account 0.2.0

package/src/repo/index.ts

@@ -0,0 +1,6 @@
+export { createUserRepo }          from './users.js'
+export type { UserRepo }           from './users.js'
+export { createOrgMembershipRepo } from './memberships.js'
+export type { OrgMembershipRepo }  from './memberships.js'
+export { createApiTokenRepo }      from './api-tokens.js'
+export type { ApiTokenRepo }       from './api-tokens.js'

package/src/repo/memberships.ts

@@ -0,0 +1,60 @@
+import { and, eq } from 'drizzle-orm'
+import { generateId } from '@baseworks/core'
+import type { OrgMembership, OrgRole } from '../types.js'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type AnyDB = any
+
+export function createOrgMembershipRepo(db: AnyDB, schema: { orgMemberships: any }) {
+  const { orgMemberships } = schema
+
+  return {
+    async add(userId: string, organizationId: string, role: OrgRole): Promise<OrgMembership> {
+      const now = Date.now()
+      const row: OrgMembership = { id: generateId(), userId, organizationId, role, createdAt: now, updatedAt: now }
+      await db.insert(orgMemberships).values(row).onConflictDoNothing()
+      return row
+    },
+
+    async updateRole(userId: string, organizationId: string, role: OrgRole): Promise<void> {
+      await db
+        .update(orgMemberships)
+        .set({ role, updatedAt: Date.now() })
+        .where(and(eq(orgMemberships.userId, userId), eq(orgMemberships.organizationId, organizationId)))
+    },
+
+    async remove(userId: string, organizationId: string): Promise<void> {
+      await db
+        .delete(orgMemberships)
+        .where(and(eq(orgMemberships.userId, userId), eq(orgMemberships.organizationId, organizationId)))
+    },
+
+    async find(userId: string, organizationId: string): Promise<OrgMembership | undefined> {
+      const rows: OrgMembership[] = await db
+        .select()
+        .from(orgMemberships)
+        .where(and(eq(orgMemberships.userId, userId), eq(orgMemberships.organizationId, organizationId)))
+        .limit(1)
+      return rows[0]
+    },
+
+    async listByUser(userId: string): Promise<OrgMembership[]> {
+      return db.select().from(orgMemberships).where(eq(orgMemberships.userId, userId))
+    },
+
+    async listByOrg(organizationId: string): Promise<OrgMembership[]> {
+      return db.select().from(orgMemberships).where(eq(orgMemberships.organizationId, organizationId))
+    },
+
+    async firstForUser(userId: string): Promise<OrgMembership | undefined> {
+      const rows: OrgMembership[] = await db
+        .select()
+        .from(orgMemberships)
+        .where(eq(orgMemberships.userId, userId))
+        .limit(1)
+      return rows[0]
+    },
+  }
+}
+
+export type OrgMembershipRepo = ReturnType<typeof createOrgMembershipRepo>

package/src/repo/users.ts

@@ -0,0 +1,64 @@
+import { and, eq } from 'drizzle-orm'
+import { generateId } from '@baseworks/core'
+import type { User, OidcIdentity } from '../types.js'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type AnyDB = any
+
+export function createUserRepo(db: AnyDB, schema: { users: any }) {
+  const { users } = schema
+
+  return {
+    async upsert(identity: OidcIdentity): Promise<User> {
+      const now      = Date.now()
+      const existing = await db
+        .select()
+        .from(users)
+        .where(and(eq(users.subject, identity.subject), eq(users.issuer, identity.issuer)))
+        .limit(1)
+        .then((r: User[]) => r[0])
+
+      if (existing) {
+        await db
+          .update(users)
+          .set({ email: identity.email, name: identity.name ?? null, picture: identity.picture ?? null, updatedAt: now })
+          .where(eq(users.id, existing.id))
+        return { ...existing, email: identity.email, name: identity.name ?? null, picture: identity.picture ?? null, updatedAt: now }
+      }
+
+      const row: User = {
+        id:        generateId(),
+        subject:   identity.subject,
+        issuer:    identity.issuer,
+        email:     identity.email,
+        name:      identity.name ?? null,
+        picture:   identity.picture ?? null,
+        createdAt: now,
+        updatedAt: now,
+      }
+      await db.insert(users).values(row)
+      return row
+    },
+
+    async findById(id: string): Promise<User | undefined> {
+      const rows: User[] = await db.select().from(users).where(eq(users.id, id)).limit(1)
+      return rows[0]
+    },
+
+    async findBySubject(issuer: string, subject: string): Promise<User | undefined> {
+      const rows: User[] = await db
+        .select()
+        .from(users)
+        .where(and(eq(users.issuer, issuer), eq(users.subject, subject)))
+        .limit(1)
+      return rows[0]
+    },
+
+    async findByEmail(email: string): Promise<User | undefined> {
+      const rows: User[] = await db.select().from(users).where(eq(users.email, email)).limit(1)
+      return rows[0]
+    },
+  }
+}
+
+export type UserRepo = ReturnType<typeof createUserRepo>

package/src/schema/pg/api-tokens.ts

@@ -0,0 +1,17 @@
+import { bigint, pgTable, text } from 'drizzle-orm/pg-core'
+import { users } from './users.js'
+
+export const apiTokens = pgTable('api_tokens', {
+  id:             text('id').primaryKey(),
+  organizationId: text('organization_id').notNull(),
+  userId:         text('user_id').references(() => users.id, { onDelete: 'cascade' }),
+  name:           text('name').notNull(),
+  tokenHash:      text('token_hash').notNull().unique(),
+  keyPrefix:      text('key_prefix').notNull(),
+  scopes:         text('scopes').notNull().default('[]'),
+  lastUsedAt:     bigint('last_used_at', { mode: 'number' }),
+  expiresAt:      bigint('expires_at',   { mode: 'number' }),
+  revokedAt:      bigint('revoked_at',   { mode: 'number' }),
+  createdAt:      bigint('created_at',   { mode: 'number' }).notNull(),
+  updatedAt:      bigint('updated_at',   { mode: 'number' }).notNull(),
+})

package/src/schema/pg/index.ts

@@ -0,0 +1,4 @@
+export { users }                      from './users.js'
+export { orgMemberships, OrgRoles }   from './memberships.js'
+export type { OrgRole }               from './memberships.js'
+export { apiTokens }                  from './api-tokens.js'

package/src/schema/pg/memberships.ts

@@ -0,0 +1,14 @@
+import { bigint, pgTable, text } from 'drizzle-orm/pg-core'
+import { users } from './users.js'
+
+export const OrgRoles = ['admin', 'member', 'viewer'] as const
+export type OrgRole = typeof OrgRoles[number]
+
+export const orgMemberships = pgTable('org_memberships', {
+  id:             text('id').primaryKey(),
+  userId:         text('user_id').notNull().references(() => users.id,    { onDelete: 'cascade' }),
+  organizationId: text('organization_id').notNull(),
+  role:           text('role').notNull().$type<OrgRole>(),
+  createdAt:      bigint('created_at', { mode: 'number' }).notNull(),
+  updatedAt:      bigint('updated_at', { mode: 'number' }).notNull(),
+})

package/src/schema/pg/users.ts

@@ -0,0 +1,12 @@
+import { bigint, pgTable, text } from 'drizzle-orm/pg-core'
+
+export const users = pgTable('users', {
+  id:        text('id').primaryKey(),
+  subject:   text('subject').notNull(),
+  issuer:    text('issuer').notNull(),
+  email:     text('email').notNull(),
+  name:      text('name'),
+  picture:   text('picture'),
+  createdAt: bigint('created_at', { mode: 'number' }).notNull(),
+  updatedAt: bigint('updated_at', { mode: 'number' }).notNull(),
+})

package/src/schema/sqlite/api-tokens.ts

@@ -0,0 +1,18 @@
+import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+import { users } from './users';
+import { organizations } from '@baseworks/organization';
+
+export const apiTokens = sqliteTable('api_tokens', {
+  id:             text('id').primaryKey(),
+  organizationId: text('organization_id').notNull().references(() => organizations.id, { onDelete: 'cascade' }),
+  userId:         text('user_id').references(() => users.id, { onDelete: 'cascade' }),  // null = org-level key
+  name:           text('name').notNull(),
+  tokenHash:      text('token_hash').notNull().unique(),
+  keyPrefix:      text('key_prefix').notNull(),            // e.g. "orb_", "tally_" — service identifier
+  scopes:         text('scopes').notNull().default('[]'),  // JSON string[]
+  lastUsedAt:     integer('last_used_at'),                 // Unix ms
+  expiresAt:      integer('expires_at'),                   // Unix ms, null = never
+  revokedAt:      integer('revoked_at'),                   // Unix ms
+  createdAt:      integer('created_at').notNull(),
+  updatedAt:      integer('updated_at').notNull(),
+});

package/src/schema/sqlite/index.ts

@@ -0,0 +1,4 @@
+export { users }                      from './users.js'
+export { orgMemberships, OrgRoles }   from './memberships.js'
+export type { OrgRole }               from './memberships.js'
+export { apiTokens }                  from './api-tokens.js'

package/src/schema/sqlite/memberships.ts

@@ -0,0 +1,15 @@
+import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+import { users } from './users';
+import { organizations } from '@baseworks/organization';
+
+export const OrgRoles = ['owner', 'admin', 'member', 'viewer'] as const;
+export type OrgRole = typeof OrgRoles[number];
+
+export const orgMemberships = sqliteTable('org_memberships', {
+  id:             text('id').primaryKey(),
+  userId:         text('user_id').notNull().references(() => users.id,         { onDelete: 'cascade' }),
+  organizationId: text('organization_id').notNull().references(() => organizations.id, { onDelete: 'cascade' }),
+  role:           text('role').notNull().$type<OrgRole>(),
+  createdAt:      integer('created_at').notNull(),
+  updatedAt:      integer('updated_at').notNull(),
+});

package/src/schema/sqlite/users.ts

@@ -0,0 +1,16 @@
+import { integer, sqliteTable, text } from 'drizzle-orm/sqlite-core';
+
+// OIDC identity mirror.
+// id  = our internal stable key (UUIDv7).
+// subject + issuer = the OIDC identity, globally unique together.
+// This lets us support multiple OIDC providers without a schema migration.
+export const users = sqliteTable('users', {
+  id:        text('id').primaryKey(),          // UUIDv7 — our internal key
+  subject:   text('subject').notNull(),        // OIDC `sub` claim
+  issuer:    text('issuer').notNull(),         // OIDC `iss` — e.g. https://auth.example.com
+  email:     text('email').notNull(),
+  name:      text('name'),
+  picture:   text('picture'),                  // avatar URL from OIDC `picture` claim
+  createdAt: integer('created_at').notNull(),  // Unix ms
+  updatedAt: integer('updated_at').notNull(),
+});

package/src/types.ts

@@ -0,0 +1,45 @@
+export type { OrgRole } from './schema/pg/index.js'
+
+export interface User {
+  id:        string
+  subject:   string
+  issuer:    string
+  email:     string
+  name:      string | null
+  picture:   string | null
+  createdAt: number
+  updatedAt: number
+}
+
+export interface OrgMembership {
+  id:             string
+  userId:         string
+  organizationId: string
+  role:           string
+  createdAt:      number
+  updatedAt:      number
+}
+
+export interface ApiToken {
+  id:             string
+  organizationId: string
+  userId:         string | null
+  name:           string
+  tokenHash:      string
+  keyPrefix:      string
+  scopes:         string   // JSON string[]
+  lastUsedAt:     number | null
+  expiresAt:      number | null
+  revokedAt:      number | null
+  createdAt:      number
+  updatedAt:      number
+}
+
+// Provider-agnostic identity from OIDC token verification
+export interface OidcIdentity {
+  subject:  string
+  issuer:   string
+  email:    string
+  name?:    string
+  picture?: string
+}