@digitaldefiance/node-express-suite 3.6.14 → 3.6.15

package/src/services/database-initialization.js

@@ -0,0 +1,817 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DatabaseInitializationService = void 0;
+const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
+const i18n_lib_1 = require("@digitaldefiance/i18n-lib");
+const node_ecies_lib_1 = require("@digitaldefiance/node-ecies-lib");
+const suite_core_lib_1 = require("@digitaldefiance/suite-core-lib");
+const crc_1 = require("crc");
+const crypto_1 = require("crypto");
+const mongodb_1 = require("mongodb");
+const backup_code_1 = require("../backup-code");
+const base_model_name_1 = require("../enumerations/base-model-name");
+const model_registry_1 = require("../model-registry");
+const key_wrapping_1 = require("../services/key-wrapping");
+const id_converters_1 = require("../types/id-converters");
+const utils_1 = require("../utils");
+const backup_code_2 = require("./backup-code");
+const mnemonic_1 = require("./mnemonic");
+const role_1 = require("./role");
+const system_user_1 = require("./system-user");
+class DatabaseInitializationService {
+    // Static initialization state management
+    static initializationPromises = new Map();
+    static initializationLock = new Map();
+    static defaultI18nTFunc(str, variables, language, application) {
+        // All callers pass template strings with {{component.key}} syntax
+        return (0, suite_core_lib_1.getSuiteCoreI18nEngine)(application ? { constants: application.constants } : undefined).t(str, variables, language);
+    }
+    /**
+     * Get the mnemonic or generate a new one if not present
+     * @param mnemonic The existing mnemonic or undefined
+     * @param eciesService The ECIES service to generate a new mnemonic
+     * @returns The existing or new mnemonic
+     */
+    static mnemonicOrNew(mnemonic, eciesService) {
+        return mnemonic && mnemonic.hasValue
+            ? mnemonic
+            : eciesService.generateNewMnemonic();
+    }
+    /**
+     * Generate a cache key for a user based on their details
+     * @param username The username
+     * @param email The email address
+     * @param mnemonic The mnemonic
+     * @param id The user ID
+     * @returns The generated cache key
+     */
+    static cacheKey(username, email, mnemonic, id, idToString = (id) => String(id)) {
+        const combined = `${username}|${email.email}|${mnemonic.value}|${idToString(id)}`;
+        const buffer = Buffer.from(combined, 'utf-8');
+        const crcHash = (0, crc_1.crc32)(buffer);
+        return crcHash.toString(16).padStart(8, '0');
+    }
+    /**
+     * Get a cached BackendMember or create a new one if not cached
+     * @param username The username
+     * @param email The email address
+     * @param mnemonic The mnemonic or undefined to generate a new one
+     * @param memberType The type of member (Admin, Member, System)
+     * @param eciesService The ECIES service to handle key generation
+     * @param memberId Optional specific member ID to use
+     * @param createdBy Optional ID of the user who created this member
+     * @returns The cached or newly created BackendMember and the mnemonic used
+     */
+    static cacheOrNew(username, email, mnemonic, memberType, eciesService, memberId, createdBy, idGenerator, idToString = (id) => String(id)) {
+        const m = this.mnemonicOrNew(mnemonic, eciesService);
+        const newId = memberId
+            ? memberId
+            : idGenerator
+                ? idGenerator()
+                : (0, id_converters_1.convertObjectIdToGenericId)(new mongodb_1.ObjectId());
+        const key = DatabaseInitializationService.cacheKey(username, email, m, newId, idToString);
+        if (!global.__MEMBER_CACHE__) {
+            global.__MEMBER_CACHE__ = new Map();
+        }
+        if (!global.__MEMBER_CACHE__.has(key)) {
+            const { wallet } = eciesService.walletAndSeedFromMnemonic(m);
+            // Get private key from wallet
+            const privateKey = wallet.getPrivateKey();
+            // Get public key with 0x04 prefix
+            const publicKeyWithPrefix = Buffer.concat([
+                Buffer.from([ecies_lib_1.ECIES.PUBLIC_KEY_MAGIC]),
+                wallet.getPublicKey(),
+            ]);
+            const user = new node_ecies_lib_1.Member(eciesService, memberType, username, email, publicKeyWithPrefix, new ecies_lib_1.SecureBuffer(privateKey), wallet, newId, undefined, undefined, createdBy);
+            global.__MEMBER_CACHE__.set(key, { mnemonic: m, member: user });
+            return { mnemonic: m, member: user };
+        }
+        else {
+            return global.__MEMBER_CACHE__.get(key);
+        }
+    }
+    /**
+     * Generate a random password
+     * @param length The length of the password
+     * @returns The generated password
+     */
+    static generatePassword(length) {
+        const specialCharacters = "!@#$%^&*()_+-=[]{};':|,.<>/?";
+        const numbers = '0123456789';
+        const letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        // Get a random character from a string
+        const getRandomChar = (chars) => {
+            // amazonq-ignore-next-line false positive
+            const randomIndex = (0, crypto_1.randomBytes)(1)[0] % chars.length;
+            return chars[randomIndex];
+        };
+        // Start with one of each required character type
+        // amazonq-ignore-next-line false positive
+        let password = '';
+        password += getRandomChar(letters);
+        password += getRandomChar(numbers);
+        password += getRandomChar(specialCharacters);
+        // Fill the rest with random characters from all types
+        const allCharacters = specialCharacters + numbers + letters;
+        for (let i = password.length; i < length; i++) {
+            password += getRandomChar(allCharacters);
+        }
+        // Shuffle the password characters to avoid predictable pattern
+        const chars = password.split('');
+        for (let i = chars.length - 1; i > 0; i--) {
+            // amazonq-ignore-next-line already fixed
+            const j = (0, crypto_1.randomBytes)(1)[0] % (i + 1);
+            [chars[i], chars[j]] = [chars[j], chars[i]];
+        }
+        return chars.join('');
+    }
+    /**
+     * Drops the database
+     * @param connection The database connection
+     * @returns True if the database was dropped, false if not connected
+     */
+    static async dropDatabase(connection) {
+        if (!connection.db)
+            return false;
+        (0, utils_1.debugLog)(true, 'warn', this.defaultI18nTFunc('{{SuiteCoreStringKey.Admin_DroppingDatabase}}'));
+        return connection.db.dropDatabase();
+    }
+    static getInitOptions(application) {
+        const env = application.environment;
+        return {
+            adminId: env.adminId,
+            adminMnemonic: env.adminMnemonic?.hasValue
+                ? env.adminMnemonic
+                : undefined,
+            adminPassword: env.adminPassword?.hasValue
+                ? env.adminPassword
+                : undefined,
+            adminRoleId: env.adminRoleId,
+            adminUserRoleId: env.adminUserRoleId,
+            adminBackupCodes: env.adminBackupCodes,
+            memberId: env.memberId,
+            memberMnemonic: env.memberMnemonic?.hasValue
+                ? env.memberMnemonic
+                : undefined,
+            memberPassword: env.memberPassword?.hasValue
+                ? env.memberPassword
+                : undefined,
+            memberRoleId: env.memberRoleId,
+            memberUserRoleId: env.memberUserRoleId,
+            memberBackupCodes: env.memberBackupCodes,
+            systemId: env.systemId,
+            systemMnemonic: env.systemMnemonic?.hasValue
+                ? env.systemMnemonic
+                : undefined,
+            systemPassword: env.systemPassword?.hasValue
+                ? env.systemPassword
+                : undefined,
+            systemRoleId: env.systemRoleId,
+            systemUserRoleId: env.systemUserRoleId,
+            systemBackupCodes: env.systemBackupCodes,
+        };
+    }
+    static serverInitResultHash(serverInitResult, idToString = (id) => String(id)) {
+        const h = (0, crypto_1.createHash)('sha256');
+        h.update(idToString(serverInitResult.adminUser._id));
+        h.update(idToString(serverInitResult.adminRole._id));
+        h.update(idToString(serverInitResult.adminUserRole._id));
+        h.update(serverInitResult.adminUsername);
+        h.update(serverInitResult.adminEmail);
+        h.update(serverInitResult.adminMnemonic);
+        h.update(serverInitResult.adminPassword);
+        h.update(serverInitResult.adminUser.publicKey);
+        serverInitResult.adminBackupCodes.map((bc) => h.update(bc));
+        h.update(idToString(serverInitResult.memberUser._id));
+        h.update(idToString(serverInitResult.memberRole._id));
+        h.update(idToString(serverInitResult.memberUserRole._id));
+        h.update(serverInitResult.memberUsername);
+        h.update(serverInitResult.memberEmail);
+        h.update(serverInitResult.memberMnemonic);
+        h.update(serverInitResult.memberPassword);
+        h.update(serverInitResult.memberUser.publicKey);
+        serverInitResult.memberBackupCodes.map((bc) => h.update(bc));
+        h.update(idToString(serverInitResult.systemUser._id));
+        h.update(idToString(serverInitResult.systemRole._id));
+        h.update(idToString(serverInitResult.systemUserRole._id));
+        h.update(serverInitResult.systemUsername);
+        h.update(serverInitResult.systemEmail);
+        h.update(serverInitResult.systemMnemonic);
+        h.update(serverInitResult.systemPassword);
+        h.update(serverInitResult.systemUser.publicKey);
+        serverInitResult.systemBackupCodes.map((bc) => h.update(bc));
+        return h.digest('hex');
+    }
+    /**
+     * Initialize the user database with default users and roles (with dependency injection)
+     * @param application The application
+     * @param keyWrappingService The key wrapping service
+     * @param mnemonicService The mnemonic service
+     * @param eciesService The ECIES service
+     * @param roleService The role service
+     * @param backupCodeService The backup code service
+     * @returns The result of the initialization
+     */
+    static async initUserDbWithServices(application, keyWrappingService, mnemonicService, eciesService, roleService, backupCodeService, idGenerator, idToString = (id) => application.constants.idProvider.idToString(id)) {
+        const engine = (0, suite_core_lib_1.getSuiteCoreI18nEngine)({ constants: application.constants });
+        const isTestEnvironment = process.env['NODE_ENV'] === 'test';
+        const options = DatabaseInitializationService.getInitOptions(application);
+        const effectiveIdGenerator = (idGenerator ??
+            (() => application.environment.idAdapter(application.constants.idProvider.generate())));
+        const UserModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.User);
+        const RoleModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.Role);
+        const adminUserId = options.adminId ?? effectiveIdGenerator();
+        const adminRoleId = options.adminRoleId ?? effectiveIdGenerator();
+        const adminUserRoleId = options.adminUserRoleId ?? effectiveIdGenerator();
+        const memberUserId = options.memberId ?? effectiveIdGenerator();
+        const memberRoleId = options.memberRoleId ?? effectiveIdGenerator();
+        const memberUserRoleId = options.memberUserRoleId ?? effectiveIdGenerator();
+        const systemUserId = options.systemId ?? effectiveIdGenerator();
+        const systemRoleId = options.systemRoleId ?? effectiveIdGenerator();
+        const systemUserRoleId = options.systemUserRoleId ?? effectiveIdGenerator();
+        // Check for existing users and roles with optimized queries
+        // Use lean() for better performance on read-only operations
+        const [existingUsers, existingRoles] = await Promise.all([
+            UserModel.find({
+                username: {
+                    $in: [
+                        application.constants.SystemUser,
+                        application.constants.AdministratorUser,
+                        application.constants.MemberUser,
+                    ],
+                },
+            }).lean(),
+            RoleModel.find({
+                name: {
+                    $in: [
+                        application.constants.AdministratorRole,
+                        application.constants.MemberRole,
+                        application.constants.SystemRole,
+                    ],
+                },
+            }).lean(),
+        ]);
+        if (existingUsers.length > 0 || existingRoles.length > 0) {
+            // Database is already initialized, return the existing data
+            const existingAdminUser = existingUsers.find((u) => u.username === application.constants.AdministratorUser);
+            const existingMemberUser = existingUsers.find((u) => u.username === application.constants.MemberUser);
+            const existingSystemUser = existingUsers.find((u) => u.username === application.constants.SystemUser);
+            if (existingAdminUser && existingMemberUser && existingSystemUser) {
+                const adminUserDoc = UserModel.hydrate(existingAdminUser);
+                const memberUserDoc = UserModel.hydrate(existingMemberUser);
+                const systemUserDoc = UserModel.hydrate(existingSystemUser);
+                // Try to construct a minimal result from existing data
+                // Note: This is a fallback case and some data may not be available
+                const UserRoleModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.UserRole);
+                const [adminRole, memberRole, systemRole, adminUserRole, memberUserRole, systemUserRole,] = await Promise.all([
+                    RoleModel.findOne({ name: application.constants.AdministratorRole }),
+                    RoleModel.findOne({ name: application.constants.MemberRole }),
+                    RoleModel.findOne({ name: application.constants.SystemRole }),
+                    UserRoleModel.findOne({ userId: adminUserDoc._id }),
+                    UserRoleModel.findOne({ userId: memberUserDoc._id }),
+                    UserRoleModel.findOne({ userId: systemUserDoc._id }),
+                ]);
+                // detailed case
+                if (adminRole &&
+                    memberRole &&
+                    systemRole &&
+                    adminUserRole &&
+                    memberUserRole &&
+                    systemUserRole) {
+                    return {
+                        alreadyInitialized: true,
+                        success: false,
+                        data: {
+                            adminRole,
+                            adminUserRole,
+                            adminUser: adminUserDoc,
+                            adminUsername: adminUserDoc.username,
+                            adminEmail: adminUserDoc.email,
+                            adminMnemonic: '', // Not available in fallback
+                            adminPassword: '', // Not available in fallback
+                            adminBackupCodes: [], // Not available in fallback
+                            adminMember: {}, // Not available in fallback
+                            memberRole,
+                            memberUserRole,
+                            memberUser: memberUserDoc,
+                            memberUsername: memberUserDoc.username,
+                            memberEmail: memberUserDoc.email,
+                            memberMnemonic: '', // Not available in fallback
+                            memberPassword: '', // Not available in fallback
+                            memberBackupCodes: [], // Not available in fallback
+                            memberMember: {}, // Not available in fallback
+                            systemRole,
+                            systemUserRole,
+                            systemUser: systemUserDoc,
+                            systemUsername: systemUserDoc.username,
+                            systemEmail: systemUserDoc.email,
+                            systemMnemonic: '', // Not available in fallback
+                            systemPassword: '', // Not available in fallback
+                            systemBackupCodes: [], // Not available in fallback
+                            systemMember: {}, // Not available in fallback
+                        },
+                        message: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_DatabaseAlreadyInitialized),
+                        error: new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_DatabaseAlreadyInitialized)),
+                    };
+                }
+            }
+            // basic case
+            return {
+                alreadyInitialized: true,
+                success: false,
+                message: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_DatabaseAlreadyInitialized),
+                error: new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_DatabaseAlreadyInitialized)),
+            };
+        }
+        (0, utils_1.debugLog)(application.environment.detailedDebug, 'log', engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_SettingUpUsersAndRoles));
+        const now = new Date();
+        // Add a small random delay in test environments to reduce collision probability
+        if (isTestEnvironment) {
+            const delay = ((0, crypto_1.randomBytes)(1)[0] % 50) + 10; // 10-60ms random delay (reduced)
+            await new Promise((resolve) => setTimeout(resolve, delay));
+        }
+        try {
+            // Use test-optimized settings for better performance
+            const transactionOptions = isTestEnvironment
+                ? { timeoutMs: 15000, retryAttempts: 2 } // Reduced timeout and retries for tests
+                : { timeoutMs: 120000 }; // Keep original production timeout
+            const result = await (0, utils_1.withTransaction)(application.db.connection, application.environment.mongo.useTransactions, undefined, async (sess) => {
+                // Check if admin role already exists
+                let adminRole = await RoleModel.findOne({
+                    name: application.constants.AdministratorRole,
+                }).session(sess ?? null);
+                if (!adminRole) {
+                    const adminRoleDocs = await RoleModel.create([
+                        {
+                            _id: adminRoleId,
+                            name: application.constants.AdministratorRole,
+                            admin: true,
+                            member: true,
+                            system: false,
+                            child: false,
+                            createdAt: now,
+                            updatedAt: now,
+                            createdBy: systemUserId,
+                            updatedBy: systemUserId,
+                        },
+                    ], { session: sess });
+                    if (adminRoleDocs.length !== 1) {
+                        throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateRoleTemplate, {
+                            NAME: application.constants.AdministratorRole,
+                        });
+                    }
+                    adminRole = adminRoleDocs[0];
+                }
+                // Check if member role already exists
+                let memberRole = await RoleModel.findOne({
+                    name: application.constants.MemberRole,
+                }).session(sess ?? null);
+                if (!memberRole) {
+                    const memberRoleDocs = await RoleModel.create([
+                        {
+                            _id: memberRoleId,
+                            name: application.constants.MemberRole,
+                            admin: false,
+                            member: true,
+                            child: false,
+                            system: false,
+                            createdAt: now,
+                            updatedAt: now,
+                            createdBy: systemUserId,
+                            updatedBy: systemUserId,
+                        },
+                    ], { session: sess });
+                    if (memberRoleDocs.length !== 1) {
+                        throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateRoleTemplate, {
+                            NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Member),
+                        });
+                    }
+                    memberRole = memberRoleDocs[0];
+                }
+                // Check if system role already exists
+                let systemRole = await RoleModel.findOne({
+                    name: application.constants.SystemRole,
+                }).session(sess ?? null);
+                if (!systemRole) {
+                    const systemRoleDocs = await RoleModel.create([
+                        {
+                            _id: systemRoleId,
+                            name: application.constants.SystemRole,
+                            admin: true,
+                            member: true,
+                            system: true,
+                            child: false,
+                            createdAt: now,
+                            updatedAt: now,
+                            createdBy: systemUserId,
+                            updatedBy: systemUserId,
+                        },
+                    ], { session: sess });
+                    if (systemRoleDocs.length !== 1) {
+                        throw new suite_core_lib_1.TranslatableSuiteError(suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateRoleTemplate);
+                    }
+                    systemRole = systemRoleDocs[0];
+                }
+                const systemUser = DatabaseInitializationService.cacheOrNew(application.constants.SystemUser, new ecies_lib_1.EmailString(application.constants.SystemEmail), options.systemMnemonic, ecies_lib_1.MemberType.System, eciesService, systemUserId, systemUserId, effectiveIdGenerator, idToString);
+                backupCodeService.setSystemUser(systemUser.member);
+                system_user_1.SystemUserService.setSystemUser(systemUser.member, application.constants);
+                // Encrypt mnemonic for recovery
+                const systemEncryptedMnemonic = systemUser.member
+                    .encryptData(Buffer.from(systemUser.mnemonic.value ?? '', 'utf-8'))
+                    .toString('hex');
+                const systemMnemonicDoc = await mnemonicService.addMnemonic(systemUser.mnemonic, sess);
+                if (!systemMnemonicDoc) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToStoreUserMnemonicTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_System),
+                    }));
+                }
+                const systemPasswordSecure = options.systemPassword
+                    ? options.systemPassword
+                    : new ecies_lib_1.SecureString(this.generatePassword(16));
+                const systemWrapped = keyWrappingService.wrapSecret(systemUser.member.privateKey, systemPasswordSecure, application.constants);
+                const systemBackupCodes = options.systemBackupCodes ?? backup_code_1.BackupCode.generateBackupCodes();
+                const encryptedSystemBackupCodes = await backup_code_1.BackupCode.encryptBackupCodes(systemUser.member, systemUser.member, systemBackupCodes);
+                const systemDocs = await UserModel.create([
+                    {
+                        _id: systemUserId,
+                        username: application.constants.SystemUser,
+                        email: application.constants.SystemEmail,
+                        publicKey: systemUser.member.publicKey.toString('hex'),
+                        duressPasswords: [],
+                        mnemonicRecovery: systemEncryptedMnemonic,
+                        mnemonicId: systemMnemonicDoc._id,
+                        passwordWrappedPrivateKey: systemWrapped,
+                        backupCodes: encryptedSystemBackupCodes,
+                        timezone: application.environment.timezone,
+                        siteLanguage: 'en-US',
+                        emailVerified: true,
+                        darkMode: false,
+                        accountStatus: suite_core_lib_1.AccountStatus.Active,
+                        directChallenge: true, // allow direct challenge login by default
+                        createdAt: now,
+                        updatedAt: now,
+                        createdBy: systemUserId,
+                        updatedBy: systemUserId,
+                    },
+                ], { session: sess });
+                if (systemDocs.length !== 1) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateUserTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_System),
+                    }));
+                }
+                const systemDoc = systemDocs[0];
+                // Create admin user-role relationship
+                const systemUserRoleDoc = await roleService.addUserToRole(systemRoleId, systemUserId, systemUserId, sess, systemUserRoleId);
+                if (!systemUser.mnemonic.value) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_MnemonicIsNullTemplate, {
+                        NAME: suite_core_lib_1.SuiteCoreStringKey.Common_System,
+                    }));
+                }
+                const adminUser = DatabaseInitializationService.cacheOrNew(application.constants.AdministratorUser, new ecies_lib_1.EmailString(application.constants.AdministratorEmail), options.adminMnemonic, ecies_lib_1.MemberType.User, eciesService, adminUserId, systemDoc._id, effectiveIdGenerator, idToString);
+                // Encrypt mnemonic for recovery
+                const adminEncryptedMnemonic = adminUser.member
+                    .encryptData(Buffer.from(adminUser.mnemonic.value ?? '', 'utf-8'))
+                    .toString('hex');
+                const adminMnemonicDoc = await mnemonicService.addMnemonic(adminUser.mnemonic, sess);
+                if (!adminMnemonicDoc) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToStoreUserMnemonicTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Admin),
+                    }));
+                }
+                const adminPasswordSecure = options.adminPassword
+                    ? options.adminPassword
+                    : new ecies_lib_1.SecureString(this.generatePassword(16));
+                const adminWrapped = keyWrappingService.wrapSecret(adminUser.member.privateKey, adminPasswordSecure);
+                const adminBackupCodes = options.adminBackupCodes ?? backup_code_1.BackupCode.generateBackupCodes();
+                const encryptedAdminBackupCodes = await backup_code_1.BackupCode.encryptBackupCodes(adminUser.member, systemUser.member, adminBackupCodes);
+                const adminDocs = await UserModel.create([
+                    {
+                        _id: adminUserId,
+                        username: application.constants.AdministratorUser,
+                        email: application.constants.AdministratorEmail,
+                        publicKey: adminUser.member.publicKey.toString('hex'),
+                        duressPasswords: [],
+                        mnemonicRecovery: adminEncryptedMnemonic,
+                        mnemonicId: adminMnemonicDoc._id,
+                        passwordWrappedPrivateKey: adminWrapped,
+                        backupCodes: encryptedAdminBackupCodes,
+                        timezone: application.environment.timezone,
+                        siteLanguage: 'en-US',
+                        emailVerified: true,
+                        accountStatus: suite_core_lib_1.AccountStatus.Active,
+                        directChallenge: true,
+                        createdAt: now,
+                        updatedAt: now,
+                        createdBy: systemUserId,
+                        updatedBy: systemUserId,
+                    },
+                ], { session: sess });
+                if (adminDocs.length !== 1) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateUserTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Admin),
+                    }));
+                }
+                const adminDoc = adminDocs[0];
+                // Create admin user-role relationship
+                const adminUserRoleDoc = await roleService.addUserToRole(adminRoleId, adminUserId, systemUserId, sess, adminUserRoleId);
+                if (!adminUser.mnemonic.value) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_MnemonicIsNullTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Admin),
+                    }));
+                }
+                const memberUser = DatabaseInitializationService.cacheOrNew(application.constants.MemberUser, new ecies_lib_1.EmailString(application.constants.MemberEmail), options.memberMnemonic, ecies_lib_1.MemberType.User, eciesService, memberUserId, systemDoc._id, effectiveIdGenerator, idToString);
+                const memberPasswordSecure = options.memberPassword
+                    ? options.memberPassword
+                    : new ecies_lib_1.SecureString(this.generatePassword(16));
+                const memberMnemonicDoc = await mnemonicService.addMnemonic(memberUser.mnemonic, sess);
+                if (!memberMnemonicDoc) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToStoreUserMnemonicTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Member),
+                    }));
+                }
+                // Encrypt mnemonic for recovery
+                const encryptedMemberMnemonic = memberUser.member
+                    .encryptData(Buffer.from(memberUser.mnemonic.value ?? '', 'utf-8'))
+                    .toString('hex');
+                const memberWrapped = keyWrappingService.wrapSecret(memberUser.member.privateKey, memberPasswordSecure);
+                const memberBackupCodes = options.memberBackupCodes ?? backup_code_1.BackupCode.generateBackupCodes();
+                const encryptedMemberBackupCodes = await backup_code_1.BackupCode.encryptBackupCodes(memberUser.member, systemUser.member, memberBackupCodes);
+                const memberDocs = await UserModel.create([
+                    {
+                        _id: memberUserId,
+                        username: application.constants.MemberUser,
+                        email: application.constants.MemberEmail,
+                        publicKey: memberUser.member.publicKey.toString('hex'),
+                        mnemonicId: memberMnemonicDoc._id,
+                        mnemonicRecovery: encryptedMemberMnemonic,
+                        passwordWrappedPrivateKey: memberWrapped,
+                        backupCodes: encryptedMemberBackupCodes,
+                        duressPasswords: [],
+                        timezone: application.environment.timezone,
+                        siteLanguage: 'en-US',
+                        emailVerified: true,
+                        accountStatus: suite_core_lib_1.AccountStatus.Active,
+                        directChallenge: true,
+                        createdAt: now,
+                        updatedAt: now,
+                        createdBy: systemUserId,
+                        updatedBy: systemUserId,
+                    },
+                ], { session: sess });
+                if (memberDocs.length !== 1) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_FailedToCreateUserTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Member),
+                    }));
+                }
+                const memberDoc = memberDocs[0];
+                // Create member user-role relationship
+                const memberUserRoleDoc = await roleService.addUserToRole(memberRoleId, memberUserId, systemUserId, sess, memberUserRoleId);
+                if (!memberUser.mnemonic.value) {
+                    throw new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Error_MnemonicIsNullTemplate, {
+                        NAME: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Common_Member),
+                    }));
+                }
+                return {
+                    adminRole,
+                    memberRole,
+                    systemRole,
+                    systemDoc,
+                    systemUserRoleDoc,
+                    systemPassword: systemPasswordSecure.notNullValue,
+                    systemMnemonic: systemUser.mnemonic.notNullValue,
+                    systemBackupCodes: systemBackupCodes,
+                    systemMember: systemUser.member,
+                    adminDoc,
+                    adminUserRoleDoc,
+                    adminPassword: adminPasswordSecure.notNullValue,
+                    adminMnemonic: adminUser.mnemonic.notNullValue,
+                    adminBackupCodes: adminBackupCodes,
+                    adminMember: adminUser.member,
+                    memberDoc,
+                    memberUserRoleDoc,
+                    memberPassword: memberPasswordSecure.notNullValue,
+                    memberMnemonic: memberUser.mnemonic.notNullValue,
+                    memberBackupCodes: memberBackupCodes,
+                    memberUser: memberUser.member,
+                };
+            }, transactionOptions);
+            return {
+                alreadyInitialized: false,
+                success: true,
+                data: {
+                    adminRole: result.adminRole,
+                    adminUserRole: result.adminUserRoleDoc,
+                    adminUser: result.adminDoc,
+                    adminUsername: result.adminDoc.username,
+                    adminEmail: result.adminDoc.email,
+                    adminMnemonic: result.adminMnemonic,
+                    adminPassword: result.adminPassword,
+                    adminBackupCodes: result.adminBackupCodes.map((bc) => bc.value ?? ''),
+                    adminMember: result.adminMember,
+                    memberRole: result.memberRole,
+                    memberUserRole: result.memberUserRoleDoc,
+                    memberUser: result.memberDoc,
+                    memberUsername: result.memberDoc.username,
+                    memberEmail: result.memberDoc.email,
+                    memberMnemonic: result.memberMnemonic,
+                    memberPassword: result.memberPassword,
+                    memberBackupCodes: result.memberBackupCodes.map((bc) => bc.value ?? ''),
+                    memberMember: result.memberUser,
+                    systemRole: result.systemRole,
+                    systemUserRole: result.systemUserRoleDoc,
+                    systemUser: result.systemDoc,
+                    systemUsername: result.systemDoc.username,
+                    systemEmail: result.systemDoc.email,
+                    systemMnemonic: result.systemMnemonic,
+                    systemPassword: result.systemPassword,
+                    systemBackupCodes: result.systemBackupCodes.map((bc) => bc.value ?? ''),
+                    systemMember: result.systemMember,
+                },
+            };
+        }
+        catch (error) {
+            // Check if it's a translatable error and display cleanly
+            if (error instanceof i18n_lib_1.TranslatableGenericError ||
+                error instanceof i18n_lib_1.TranslatableHandleableGenericError ||
+                error instanceof suite_core_lib_1.TranslatableSuiteError ||
+                error instanceof suite_core_lib_1.TranslatableSuiteHandleableError) {
+                return {
+                    alreadyInitialized: false,
+                    success: false,
+                    message: error.message,
+                    error: error,
+                };
+            }
+            return {
+                alreadyInitialized: false,
+                success: false,
+                message: engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_Error_FailedToInitializeUserDatabase),
+                error: error instanceof Error
+                    ? error
+                    : new Error(engine.translate(suite_core_lib_1.SuiteCoreComponentId, suite_core_lib_1.SuiteCoreStringKey.Admin_Error_FailedToInitializeUserDatabase)),
+            };
+        }
+    }
+    static serverInitResultsToDotEnv(serverInitResult, idToString = (id) => String(id)) {
+        return `ADMIN_ID="${idToString(serverInitResult.adminUser._id)}"
+ADMIN_MNEMONIC="${serverInitResult.adminMnemonic}"
+ADMIN_ROLE_ID="${idToString(serverInitResult.adminRole._id)}"
+ADMIN_USER_ROLE_ID="${idToString(serverInitResult.adminUserRole._id)}"
+ADMIN_PASSWORD="${serverInitResult.adminPassword}"
+MEMBER_ID="${idToString(serverInitResult.memberUser._id)}"
+MEMBER_MNEMONIC="${serverInitResult.memberMnemonic}"
+MEMBER_ROLE_ID="${idToString(serverInitResult.memberRole._id)}"
+MEMBER_USER_ROLE_ID="${idToString(serverInitResult.memberUserRole._id)}"
+MEMBER_PASSWORD="${serverInitResult.memberPassword}"
+SYSTEM_ID="${idToString(serverInitResult.systemUser._id)}"
+SYSTEM_MNEMONIC="${serverInitResult.systemMnemonic}"
+SYSTEM_PUBLIC_KEY="${serverInitResult.systemUser.publicKey}"
+SYSTEM_ROLE_ID="${idToString(serverInitResult.systemRole._id)}"
+SYSTEM_USER_ROLE_ID="${idToString(serverInitResult.systemUserRole._id)}"
+SYSTEM_PASSWORD="${serverInitResult.systemPassword}"
+`;
+    }
+    static printServerInitResults(result, printDotEnv = true, idToString = (id) => String(id)) {
+        (0, utils_1.debugLog)(true, 'log', this.defaultI18nTFunc('\n=== {{SuiteCoreStringKey.Admin_AccountCredentials}} ==='));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_ID}}: {id}', {
+            id: idToString(result.systemUser._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Role}}: {roleName}', {
+            roleName: result.systemRole.name,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {roleId}', {
+            roleId: idToString(result.systemRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_User}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {userRoleId}', {
+            userRoleId: idToString(result.systemUserRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Username}}: {username}', {
+            username: result.systemUsername,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Email}}: {email}', {
+            email: result.systemEmail,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Password}}: {password}', {
+            password: result.systemPassword,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_Mnemonic}}: {mnemonic}', {
+            mnemonic: result.systemMnemonic,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_PublicKey}}: {publicKey}', {
+            publicKey: result.systemUser.publicKey,
+        }));
+        (0, utils_1.directLog)(true, 'log', `${this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_System}} {{SuiteCoreStringKey.Common_BackupCodes}}')}: ${result.systemBackupCodes.join(', ')}`);
+        (0, utils_1.directLog)(true, 'log', '');
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_ID}}: {id}', {
+            id: idToString(result.adminUser._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Role}}: {roleName}', {
+            roleName: result.adminRole.name,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {roleId}', {
+            roleId: idToString(result.adminRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_User}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {userRoleId}', {
+            userRoleId: idToString(result.adminUserRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Username}}: {username}', {
+            username: result.adminUsername,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Email}}: {email}', {
+            email: result.adminEmail,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Password}}: {password}', {
+            password: result.adminPassword,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_Mnemonic}}: {mnemonic}', {
+            mnemonic: result.adminMnemonic,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_PublicKey}}: {publicKey}', {
+            publicKey: result.adminUser.publicKey,
+        }));
+        (0, utils_1.directLog)(true, 'log', `${this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Admin}} {{SuiteCoreStringKey.Common_BackupCodes}}')}: ${result.adminBackupCodes.join(', ')}`);
+        (0, utils_1.directLog)(true, 'log', '');
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_ID}}: {id}', {
+            id: idToString(result.memberUser._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Role}}: {roleName}', {
+            roleName: result.memberRole.name,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {roleId}', {
+            roleId: idToString(result.memberRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_User}} {{SuiteCoreStringKey.Common_Role}} {{SuiteCoreStringKey.Common_ID}}: {userRoleId}', {
+            userRoleId: idToString(result.memberUserRole._id),
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Username}}: {username}', {
+            username: result.memberUsername,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Email}}: {email}', {
+            email: result.memberEmail,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Password}}: {password}', {
+            password: result.memberPassword,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_Mnemonic}}: {mnemonic}', {
+            mnemonic: result.memberMnemonic,
+        }));
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_PublicKey}}: {publicKey}', {
+            publicKey: result.memberUser.publicKey,
+        }));
+        (0, utils_1.directLog)(true, 'log', `${this.defaultI18nTFunc('{{SuiteCoreStringKey.Common_Member}} {{SuiteCoreStringKey.Common_BackupCodes}}')}: ${result.memberBackupCodes.join(', ')}`);
+        (0, utils_1.directLog)(true, 'log', this.defaultI18nTFunc('\n=== {{SuiteCoreStringKey.Admin_EndCredentials}} ==='));
+        if (printDotEnv) {
+            (0, utils_1.directLog)(true, 'log', '');
+            (0, utils_1.debugLog)(true, 'log', this.defaultI18nTFunc('=== {{SuiteCoreStringKey.Admin_DotEnvFormat}} ==='));
+            (0, utils_1.directLog)(true, 'log', this.serverInitResultsToDotEnv(result, idToString));
+            (0, utils_1.debugLog)(true, 'log', this.defaultI18nTFunc('=== {{SuiteCoreStringKey.Admin_EndDotEnvFormat}} ==='));
+        }
+    }
+    static setEnvFromInitResults(result, idToString = (id) => String(id)) {
+        process.env['ADMIN_ID'] = idToString(result.adminUser._id);
+        process.env['ADMIN_PUBLIC_KEY'] = result.adminUser.publicKey;
+        process.env['ADMIN_MNEMONIC'] = result.adminMnemonic;
+        process.env['ADMIN_PASSWORD'] = result.adminPassword;
+        process.env['ADMIN_ROLE_ID'] = idToString(result.adminRole._id);
+        process.env['ADMIN_USER_ROLE_ID'] = idToString(result.adminUserRole._id);
+        //
+        process.env['MEMBER_ID'] = idToString(result.memberUser._id);
+        process.env['MEMBER_PUBLIC_KEY'] = result.memberUser.publicKey;
+        process.env['MEMBER_MNEMONIC'] = result.memberMnemonic;
+        process.env['MEMBER_PASSWORD'] = result.memberPassword;
+        process.env['MEMBER_ROLE_ID'] = idToString(result.memberRole._id);
+        process.env['MEMBER_USER_ROLE_ID'] = idToString(result.memberUserRole._id);
+        //
+        process.env['SYSTEM_ID'] = idToString(result.systemUser._id);
+        process.env['SYSTEM_PUBLIC_KEY'] = result.systemUser.publicKey;
+        process.env['SYSTEM_MNEMONIC'] = result.systemMnemonic;
+        process.env['SYSTEM_PASSWORD'] = result.systemPassword;
+        process.env['SYSTEM_ROLE_ID'] = idToString(result.systemRole._id);
+        process.env['SYSTEM_USER_ROLE_ID'] = idToString(result.systemUserRole._id);
+    }
+    /**
+     * Initialize the user database with default users and roles (convenience method)
+     * This method creates the necessary services and calls initUserDbWithServices
+     * @param application The application
+     * @returns The result of the initialization
+     */
+    static async initUserDb(application, idGenerator, idToString = (id) => application.constants.idProvider.idToString(id)) {
+        const mnemonicModel = model_registry_1.ModelRegistry.instance.getTypedModel(base_model_name_1.BaseModelName.Mnemonic);
+        const mnemonicService = new mnemonic_1.MnemonicService(mnemonicModel, application.environment.mnemonicHmacSecret, application.constants);
+        const config = {
+            curveName: ecies_lib_1.ECIES.CURVE_NAME,
+            primaryKeyDerivationPath: ecies_lib_1.ECIES.PRIMARY_KEY_DERIVATION_PATH,
+            mnemonicStrength: ecies_lib_1.ECIES.MNEMONIC_STRENGTH,
+            symmetricAlgorithm: ecies_lib_1.ECIES.SYMMETRIC_ALGORITHM_CONFIGURATION,
+            symmetricKeyBits: ecies_lib_1.ECIES.SYMMETRIC.KEY_BITS,
+            symmetricKeyMode: ecies_lib_1.ECIES.SYMMETRIC.MODE,
+        };
+        const eciesService = new node_ecies_lib_1.ECIESService(config);
+        const roleService = new role_1.RoleService(application);
+        const keyWrappingService = new key_wrapping_1.KeyWrappingService();
+        const backupCodeService = new backup_code_2.BackupCodeService(application, eciesService, keyWrappingService, roleService);
+        return this.initUserDbWithServices(application, keyWrappingService, mnemonicService, eciesService, roleService, backupCodeService, idGenerator, idToString);
+    }
+}
+exports.DatabaseInitializationService = DatabaseInitializationService;
+//# sourceMappingURL=database-initialization.js.map