@enderworld/onlyapi 1.5.1

package/src/infrastructure/database/postgres/pg-oauth-accounts.ts

@@ -0,0 +1,101 @@
+/**
+ * PostgreSQL OAuth account repository adapter.
+ */
+
+import { conflict, internal, notFound } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { OAuthAccount, OAuthAccountRepository } from "../../../core/ports/oauth.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { brand } from "../../../core/types/brand.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+const toOAuthAccount = (row: Record<string, unknown>): OAuthAccount => ({
+  id: row["id"] as string,
+  userId: brand<string, "UserId">(row["user_id"] as string),
+  provider: row["provider"] as string,
+  providerUserId: row["provider_user_id"] as string,
+  email: (row["email"] as string) ?? null,
+  createdAt: Number(row["created_at"]),
+});
+
+export const createPgOAuthAccountRepo = (sql: PgClient): OAuthAccountRepository => ({
+  async link(
+    userId: UserId,
+    provider: string,
+    providerUserId: string,
+    email: string | null,
+  ): Promise<Result<OAuthAccount, AppError>> {
+    try {
+      const id = generateId();
+      const now = Date.now();
+
+      try {
+        await sql`
+          INSERT INTO oauth_accounts (id, user_id, provider, provider_user_id, email, created_at)
+          VALUES (${id}, ${userId as string}, ${provider}, ${providerUserId}, ${email}, ${now})
+        `;
+      } catch (e: unknown) {
+        if (e instanceof Error && e.message.includes("duplicate key")) {
+          return err(conflict("OAuth account already linked"));
+        }
+        throw e;
+      }
+
+      return ok({
+        id,
+        userId,
+        provider,
+        providerUserId,
+        email,
+        createdAt: now,
+      });
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async findByProvider(
+    provider: string,
+    providerUserId: string,
+  ): Promise<Result<OAuthAccount | null, AppError>> {
+    try {
+      const rows = await sql`
+        SELECT * FROM oauth_accounts
+        WHERE provider = ${provider} AND provider_user_id = ${providerUserId}
+      `;
+      if (rows.length === 0) return ok(null);
+      return ok(toOAuthAccount(rows[0] as Record<string, unknown>));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async listByUser(userId: UserId): Promise<Result<readonly OAuthAccount[], AppError>> {
+    try {
+      const rows = await sql`
+        SELECT * FROM oauth_accounts WHERE user_id = ${userId as string} ORDER BY created_at DESC
+      `;
+      return ok(rows.map((r: Record<string, unknown>) => toOAuthAccount(r)));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async unlink(id: string, userId: UserId): Promise<Result<void, AppError>> {
+    try {
+      const rows = await sql`
+        SELECT id FROM oauth_accounts WHERE id = ${id} AND user_id = ${userId as string}
+      `;
+      if (rows.length === 0) return err(notFound("OAuth account"));
+
+      await sql`DELETE FROM oauth_accounts WHERE id = ${id}`;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/postgres/pg-password-history.ts

@@ -0,0 +1,61 @@
+/**
+ * PostgreSQL password history adapter.
+ */
+
+import { internal } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { PasswordHistory } from "../../../core/ports/password-history.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+export const createPgPasswordHistory = (sql: PgClient): PasswordHistory => ({
+  async add(userId: UserId, passwordHash: string): Promise<Result<void, AppError>> {
+    try {
+      const id = generateId();
+      await sql`
+        INSERT INTO password_history (id, user_id, password_hash, created_at)
+        VALUES (${id}, ${userId as string}, ${passwordHash}, ${Date.now()})
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async getRecent(userId: UserId, count: number): Promise<Result<readonly string[], AppError>> {
+    try {
+      const rows = await sql`
+        SELECT password_hash FROM password_history
+        WHERE user_id = ${userId as string}
+        ORDER BY created_at DESC
+        LIMIT ${count}
+      `;
+      return ok(rows.map((r: { password_hash: string }) => r.password_hash));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async prune(userId: UserId, keepCount: number): Promise<Result<void, AppError>> {
+    try {
+      // Delete all but the most recent `keepCount` entries
+      await sql`
+        DELETE FROM password_history
+        WHERE user_id = ${userId as string}
+        AND id NOT IN (
+          SELECT id FROM password_history
+          WHERE user_id = ${userId as string}
+          ORDER BY created_at DESC
+          LIMIT ${keepCount}
+        )
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/postgres/pg-refresh-token-store.ts

@@ -0,0 +1,117 @@
+/**
+ * PostgreSQL refresh token store adapter.
+ */
+
+import { conflict, internal, notFound } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type {
+  RefreshTokenFamily,
+  RefreshTokenStore,
+} from "../../../core/ports/refresh-token-store.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { brand } from "../../../core/types/brand.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+const toFamily = (row: Record<string, unknown>): RefreshTokenFamily => ({
+  id: row["id"] as string,
+  userId: brand<string, "UserId">(row["user_id"] as string),
+  currentTokenHash: row["current_token_hash"] as string,
+  revoked: row["revoked"] as boolean,
+  createdAt: Number(row["created_at"]),
+  updatedAt: Number(row["updated_at"]),
+});
+
+export const createPgRefreshTokenStore = (sql: PgClient): RefreshTokenStore => ({
+  async createFamily(userId: UserId, tokenHash: string): Promise<Result<string, AppError>> {
+    try {
+      const id = generateId();
+      const now = Date.now();
+      await sql`
+        INSERT INTO refresh_token_families (id, user_id, current_token_hash, revoked, created_at, updated_at)
+        VALUES (${id}, ${userId as string}, ${tokenHash}, FALSE, ${now}, ${now})
+      `;
+      return ok(id);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async rotate(
+    familyId: string,
+    oldTokenHash: string,
+    newTokenHash: string,
+  ): Promise<Result<void, AppError>> {
+    try {
+      const rows = await sql`
+        SELECT * FROM refresh_token_families WHERE id = ${familyId} AND revoked = FALSE
+      `;
+      if (rows.length === 0) return err(notFound("Refresh token family"));
+
+      const family = rows[0];
+      if (family.current_token_hash !== oldTokenHash) {
+        // Reuse detected — revoke entire family
+        await sql`UPDATE refresh_token_families SET revoked = TRUE, updated_at = ${Date.now()} WHERE id = ${familyId}`;
+        return err(conflict("Token reuse detected"));
+      }
+
+      await sql`
+        UPDATE refresh_token_families
+        SET current_token_hash = ${newTokenHash}, updated_at = ${Date.now()}
+        WHERE id = ${familyId}
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async findByTokenHash(tokenHash: string): Promise<Result<RefreshTokenFamily | null, AppError>> {
+    try {
+      const rows = await sql`
+        SELECT * FROM refresh_token_families WHERE current_token_hash = ${tokenHash}
+      `;
+      if (rows.length === 0) return ok(null);
+      return ok(toFamily(rows[0] as Record<string, unknown>));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async revokeFamily(familyId: string): Promise<Result<void, AppError>> {
+    try {
+      await sql`
+        UPDATE refresh_token_families SET revoked = TRUE, updated_at = ${Date.now()} WHERE id = ${familyId}
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async revokeAllForUser(userId: UserId): Promise<Result<void, AppError>> {
+    try {
+      await sql`
+        UPDATE refresh_token_families SET revoked = TRUE, updated_at = ${Date.now()} WHERE user_id = ${userId as string}
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async prune(maxAgeMs: number): Promise<Result<number, AppError>> {
+    try {
+      const cutoff = Date.now() - maxAgeMs;
+      const result = await sql`
+        DELETE FROM refresh_token_families WHERE revoked = TRUE AND updated_at < ${cutoff}
+      `;
+      return ok(result.count ?? 0);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/postgres/pg-token-blacklist.ts

@@ -0,0 +1,48 @@
+/**
+ * PostgreSQL token blacklist adapter.
+ */
+
+import { internal } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type { TokenBlacklist } from "../../../core/ports/token-blacklist.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+export const createPgTokenBlacklist = (sql: PgClient): TokenBlacklist => ({
+  async add(tokenHash: string, expiresAt: number): Promise<Result<void, AppError>> {
+    try {
+      await sql`
+        INSERT INTO token_blacklist (token_hash, expires_at, created_at)
+        VALUES (${tokenHash}, ${expiresAt}, ${Date.now()})
+        ON CONFLICT (token_hash) DO NOTHING
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async isBlacklisted(tokenHash: string): Promise<Result<boolean, AppError>> {
+    try {
+      const rows = await sql`
+        SELECT 1 FROM token_blacklist WHERE token_hash = ${tokenHash} AND expires_at > ${Date.now()}
+      `;
+      return ok(rows.length > 0);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async prune(): Promise<Result<number, AppError>> {
+    try {
+      const result = await sql`
+        DELETE FROM token_blacklist WHERE expires_at <= ${Date.now()}
+      `;
+      return ok(result.count ?? 0);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});

package/src/infrastructure/database/postgres/pg-user.repository.ts

@@ -0,0 +1,237 @@
+/**
+ * PostgreSQL user repository — uses Bun.sql (zero external deps).
+ *
+ * Drop-in replacement for SQLite adapter, implements the same UserRepository port.
+ * Uses parameterized queries to prevent SQL injection.
+ */
+
+import type { User, UserRole } from "../../../core/entities/user.entity.js";
+import { type AppError, conflict, internal, notFound } from "../../../core/errors/app-error.js";
+import type {
+  CreateUserData,
+  UpdateUserData,
+  UserListOptions,
+  UserRepository,
+} from "../../../core/ports/user.repository.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { brand } from "../../../core/types/brand.js";
+import { decodeCursor, encodeCursor } from "../../../core/types/pagination.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+interface UserRow {
+  id: string;
+  email: string;
+  password_hash: string;
+  role: string;
+  email_verified: boolean;
+  mfa_secret: string | null;
+  mfa_enabled: boolean;
+  password_changed_at: number | null;
+  failed_login_attempts: number;
+  locked_until: number | null;
+  created_at: number;
+  updated_at: number;
+}
+
+const rowToUser = (row: UserRow): User => ({
+  id: brand<string, "UserId">(row.id),
+  email: row.email,
+  passwordHash: row.password_hash,
+  role: row.role as UserRole,
+  emailVerified: row.email_verified,
+  mfaEnabled: row.mfa_enabled,
+  mfaSecret: row.mfa_secret,
+  passwordChangedAt:
+    row.password_changed_at !== null ? brand<number, "Timestamp">(row.password_changed_at) : null,
+  createdAt: brand<number, "Timestamp">(row.created_at),
+  updatedAt: brand<number, "Timestamp">(row.updated_at),
+});
+
+const isUniqueViolation = (e: unknown): boolean =>
+  e instanceof Error && (e.message.includes("duplicate key") || e.message.includes("unique"));
+
+/** Map UpdateUserData fields to their SQL column names */
+const UPDATE_FIELD_MAP: ReadonlyArray<[keyof UpdateUserData, string]> = [
+  ["email", "email"],
+  ["passwordHash", "password_hash"],
+  ["role", "role"],
+  ["emailVerified", "email_verified"],
+  ["mfaEnabled", "mfa_enabled"],
+  ["mfaSecret", "mfa_secret"],
+  ["passwordChangedAt", "password_changed_at"],
+];
+
+/** Build SET clause and parameter array from update data */
+const buildUpdateSets = (data: UpdateUserData): { sets: string[]; vals: unknown[] } => {
+  const sets: string[] = [];
+  const vals: unknown[] = [];
+  let idx = 1;
+
+  for (const [field, column] of UPDATE_FIELD_MAP) {
+    if (data[field] !== undefined) {
+      sets.push(`${column} = $${idx++}`);
+      vals.push(data[field]);
+    }
+  }
+
+  sets.push(`updated_at = $${idx}`);
+  vals.push(Date.now());
+
+  return { sets, vals };
+};
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+export const createPgUserRepository = (sql: PgClient): UserRepository => {
+  return {
+    async findById(id: UserId): Promise<Result<User, AppError>> {
+      try {
+        const rows = await sql`SELECT * FROM users WHERE id = ${id}`;
+        if (rows.length === 0) return err(notFound("User"));
+        return ok(rowToUser(rows[0] as UserRow));
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+
+    async findByEmail(email: string): Promise<Result<User, AppError>> {
+      try {
+        const rows = await sql`SELECT * FROM users WHERE email = ${email}`;
+        if (rows.length === 0) return err(notFound("User"));
+        return ok(rowToUser(rows[0] as UserRow));
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+
+    async create(data: CreateUserData): Promise<Result<User, AppError>> {
+      try {
+        const id = generateId();
+        const now = Date.now();
+
+        try {
+          await sql`
+            INSERT INTO users (id, email, password_hash, role, email_verified, mfa_enabled, failed_login_attempts, created_at, updated_at)
+            VALUES (${id}, ${data.email}, ${data.passwordHash}, ${data.role}, FALSE, FALSE, 0, ${now}, ${now})
+          `;
+        } catch (e: unknown) {
+          if (isUniqueViolation(e)) return err(conflict("Email already exists"));
+          throw e;
+        }
+
+        const user: User = {
+          id: brand<string, "UserId">(id),
+          email: data.email,
+          passwordHash: data.passwordHash,
+          role: data.role,
+          emailVerified: false,
+          mfaEnabled: false,
+          mfaSecret: null,
+          passwordChangedAt: null,
+          createdAt: brand<number, "Timestamp">(now),
+          updatedAt: brand<number, "Timestamp">(now),
+        };
+
+        return ok(user);
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+
+    async update(id: UserId, data: UpdateUserData): Promise<Result<User, AppError>> {
+      try {
+        // Check existence first
+        const existing = await sql`SELECT id FROM users WHERE id = ${id}`;
+        if (existing.length === 0) return err(notFound("User"));
+
+        const { sets, vals } = buildUpdateSets(data);
+
+        vals.push(id); // WHERE clause param
+        const whereIdx = vals.length;
+        const query = `UPDATE users SET ${sets.join(", ")} WHERE id = $${whereIdx}`;
+
+        try {
+          await sql.unsafe(query, vals);
+        } catch (e: unknown) {
+          if (isUniqueViolation(e)) return err(conflict("Email already exists"));
+          throw e;
+        }
+
+        const updated = await sql`SELECT * FROM users WHERE id = ${id}`;
+        if (updated.length === 0) return err(internal("User disappeared after update"));
+        return ok(rowToUser(updated[0] as UserRow));
+      } catch (e: unknown) {
+        if (isUniqueViolation(e)) return err(conflict("Email already exists"));
+        return err(internal("Database error", e));
+      }
+    },
+
+    async delete(id: UserId): Promise<Result<void, AppError>> {
+      try {
+        const existing = await sql`SELECT id FROM users WHERE id = ${id}`;
+        if (existing.length === 0) return err(notFound("User"));
+
+        await sql`DELETE FROM users WHERE id = ${id}`;
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+
+    // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: SQL builder with cursor/filter/search needs branching
+    async list(options: UserListOptions) {
+      try {
+        const conditions: string[] = [];
+        const params: unknown[] = [];
+        let idx = 1;
+
+        if (options.cursor !== undefined) {
+          const decoded = decodeCursor(options.cursor);
+          if (decoded !== null) {
+            conditions.push(`created_at < $${idx++}`);
+            params.push(Number(decoded));
+          }
+        }
+
+        if (options.role !== undefined) {
+          conditions.push(`role = $${idx++}`);
+          params.push(options.role);
+        }
+
+        if (options.search !== undefined) {
+          conditions.push(`email ILIKE $${idx++}`);
+          params.push(`%${options.search}%`);
+        }
+
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+        const limit = Math.min(options.limit, 100);
+        params.push(limit + 1);
+
+        const query = `SELECT * FROM users ${where} ORDER BY created_at DESC LIMIT $${idx}`;
+        const rows = (await sql.unsafe(query, params)) as UserRow[];
+
+        const hasMore = rows.length > limit;
+        const items = (hasMore ? rows.slice(0, limit) : rows).map(rowToUser);
+
+        const lastItem = items[items.length - 1];
+        const nextCursor =
+          hasMore && lastItem !== undefined ? encodeCursor(String(lastItem.createdAt)) : null;
+
+        return ok({ items, nextCursor, hasMore });
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+
+    async count() {
+      try {
+        const rows = await sql`SELECT COUNT(*) as cnt FROM users`;
+        return ok(Number(rows[0].cnt));
+      } catch (e: unknown) {
+        return err(internal("Database error", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/postgres/pg-verification-tokens.ts

@@ -0,0 +1,97 @@
+/**
+ * PostgreSQL verification token repository adapter.
+ */
+
+import { internal, notFound } from "../../../core/errors/app-error.js";
+import type { AppError } from "../../../core/errors/app-error.js";
+import type {
+  VerificationTokenRepository,
+  VerificationTokenType,
+} from "../../../core/ports/verification-token.js";
+import type { UserId } from "../../../core/types/brand.js";
+import { brand } from "../../../core/types/brand.js";
+import { type Result, err, ok } from "../../../core/types/result.js";
+import { generateId } from "../../../shared/utils/id.js";
+
+// biome-ignore lint/suspicious/noExplicitAny: Bun.sql tagged template type
+type PgClient = any;
+
+export const createPgVerificationTokenRepo = (sql: PgClient): VerificationTokenRepository => ({
+  async create(
+    userId: UserId,
+    type: VerificationTokenType,
+    ttlMs: number,
+  ): Promise<Result<string, AppError>> {
+    try {
+      const id = generateId();
+      const rawToken = generateId();
+      const encoder = new TextEncoder();
+      const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(rawToken));
+      const tokenHash = [...new Uint8Array(hashBuffer)]
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+
+      const now = Date.now();
+      const expiresAt = now + ttlMs;
+
+      await sql`
+        INSERT INTO verification_tokens (id, user_id, type, token_hash, expires_at, created_at)
+        VALUES (${id}, ${userId as string}, ${type}, ${tokenHash}, ${expiresAt}, ${now})
+      `;
+
+      return ok(rawToken);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async verify(rawToken: string, type: VerificationTokenType): Promise<Result<UserId, AppError>> {
+    try {
+      const encoder = new TextEncoder();
+      const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(rawToken));
+      const tokenHash = [...new Uint8Array(hashBuffer)]
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+
+      const rows = await sql`
+        SELECT * FROM verification_tokens
+        WHERE token_hash = ${tokenHash} AND type = ${type} AND used_at IS NULL AND expires_at > ${Date.now()}
+      `;
+
+      if (rows.length === 0) return err(notFound("Verification token"));
+
+      const row = rows[0];
+      await sql`UPDATE verification_tokens SET used_at = ${Date.now()} WHERE id = ${row.id}`;
+
+      return ok(brand<string, "UserId">(row.user_id as string));
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async invalidateAll(
+    userId: UserId,
+    type: VerificationTokenType,
+  ): Promise<Result<void, AppError>> {
+    try {
+      await sql`
+        UPDATE verification_tokens SET used_at = ${Date.now()}
+        WHERE user_id = ${userId as string} AND type = ${type} AND used_at IS NULL
+      `;
+      return ok(undefined);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+
+  async prune(): Promise<Result<number, AppError>> {
+    try {
+      const result = await sql`
+        DELETE FROM verification_tokens WHERE expires_at <= ${Date.now()} OR used_at IS NOT NULL
+      `;
+      return ok(result.count ?? 0);
+    } catch (e: unknown) {
+      return err(internal("Database error", e));
+    }
+  },
+});