@enderworld/onlyapi 1.5.1

package/src/infrastructure/database/in-memory-user.repository.ts

@@ -0,0 +1,134 @@
+import type { User } from "../../core/entities/user.entity.js";
+import { type AppError, conflict, notFound } from "../../core/errors/app-error.js";
+import type {
+  CreateUserData,
+  UpdateUserData,
+  UserListOptions,
+  UserRepository,
+} from "../../core/ports/user.repository.js";
+import type { UserId } from "../../core/types/brand.js";
+import { brand } from "../../core/types/brand.js";
+import { decodeCursor, encodeCursor } from "../../core/types/pagination.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * In-memory user repository — swap for Postgres/SQLite adapter in production.
+ * Demonstrates the port/adapter contract; zero external DB deps by default.
+ */
+export const createInMemoryUserRepository = (): UserRepository => {
+  const store = new Map<string, User>();
+
+  return {
+    async findById(id: UserId): Promise<Result<User, AppError>> {
+      const user = store.get(id);
+      return user ? ok(user) : err(notFound("User"));
+    },
+
+    async findByEmail(email: string): Promise<Result<User, AppError>> {
+      for (const user of store.values()) {
+        if (user.email === email) return ok(user);
+      }
+      return err(notFound("User"));
+    },
+
+    async create(data: CreateUserData): Promise<Result<User, AppError>> {
+      // Check unique email
+      for (const user of store.values()) {
+        if (user.email === data.email) {
+          return err(conflict("Email already exists"));
+        }
+      }
+
+      const now = brand<number, "Timestamp">(Date.now());
+      const user: User = {
+        id: brand<string, "UserId">(generateId()),
+        email: data.email,
+        passwordHash: data.passwordHash,
+        role: data.role,
+        emailVerified: false,
+        mfaEnabled: false,
+        mfaSecret: null,
+        passwordChangedAt: null,
+        createdAt: now,
+        updatedAt: now,
+      };
+
+      store.set(user.id, user);
+      return ok(user);
+    },
+
+    // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: update handles many optional fields
+    async update(id: UserId, data: UpdateUserData): Promise<Result<User, AppError>> {
+      const existing = store.get(id);
+      if (!existing) return err(notFound("User"));
+
+      const updated: User = {
+        ...existing,
+        ...(data.email !== undefined ? { email: data.email } : {}),
+        ...(data.passwordHash !== undefined ? { passwordHash: data.passwordHash } : {}),
+        ...(data.role !== undefined ? { role: data.role } : {}),
+        ...(data.emailVerified !== undefined ? { emailVerified: data.emailVerified } : {}),
+        ...(data.mfaEnabled !== undefined ? { mfaEnabled: data.mfaEnabled } : {}),
+        ...(data.mfaSecret !== undefined ? { mfaSecret: data.mfaSecret } : {}),
+        ...(data.passwordChangedAt !== undefined
+          ? {
+              passwordChangedAt: data.passwordChangedAt as
+                | import("../../core/types/brand.js").Timestamp
+                | null,
+            }
+          : {}),
+        updatedAt: brand<number, "Timestamp">(Date.now()),
+      };
+
+      store.set(id, updated);
+      return ok(updated);
+    },
+
+    async delete(id: UserId): Promise<Result<void, AppError>> {
+      if (!store.has(id)) return err(notFound("User"));
+      store.delete(id);
+      return ok(undefined);
+    },
+
+    async list(options: UserListOptions) {
+      let users = Array.from(store.values());
+
+      // Sort by createdAt descending
+      users.sort((a, b) => b.createdAt - a.createdAt);
+
+      // Cursor filter
+      if (options.cursor !== undefined) {
+        const decoded = decodeCursor(options.cursor);
+        if (decoded !== null) {
+          const ts = Number(decoded);
+          users = users.filter((u) => u.createdAt < ts);
+        }
+      }
+
+      // Role filter
+      if (options.role !== undefined) {
+        users = users.filter((u) => u.role === options.role);
+      }
+
+      // Search filter
+      if (options.search !== undefined) {
+        const q = options.search.toLowerCase();
+        users = users.filter((u) => u.email.includes(q));
+      }
+
+      const limit = Math.min(options.limit, 100);
+      const hasMore = users.length > limit;
+      const items = users.slice(0, limit);
+      const lastItem = items[items.length - 1];
+      const nextCursor =
+        hasMore && lastItem !== undefined ? encodeCursor(String(lastItem.createdAt)) : null;
+
+      return ok({ items, nextCursor, hasMore });
+    },
+
+    async count() {
+      return ok(store.size);
+    },
+  };
+};

package/src/infrastructure/database/index.ts

@@ -0,0 +1,37 @@
+export { createInMemoryUserRepository } from "./in-memory-user.repository.js";
+export { createSqliteUserRepository } from "./sqlite-user.repository.js";
+export { createSqliteTokenBlacklist } from "./sqlite-token-blacklist.js";
+export { createSqliteAccountLockout } from "./sqlite-account-lockout.js";
+export { createSqliteAuditLog } from "./sqlite-audit-log.js";
+export { createSqliteVerificationTokenRepo } from "./sqlite-verification-tokens.js";
+export { createSqliteRefreshTokenStore } from "./sqlite-refresh-token-store.js";
+export { createSqliteApiKeyRepository } from "./sqlite-api-keys.js";
+export { createSqlitePasswordHistory } from "./sqlite-password-history.js";
+export { createSqliteOAuthAccountRepo } from "./sqlite-oauth-accounts.js";
+export { migrateUp, migrateDown } from "./migrations/runner.js";
+export {
+  createPgUserRepository,
+  createPgTokenBlacklist,
+  createPgAccountLockout,
+  createPgAuditLog,
+  createPgVerificationTokenRepo,
+  createPgRefreshTokenStore,
+  createPgApiKeyRepository,
+  createPgPasswordHistory,
+  createPgOAuthAccountRepo,
+  pgMigrateUp,
+  pgMigrateDown,
+} from "./postgres/index.js";
+export {
+  createMssqlUserRepository,
+  createMssqlTokenBlacklist,
+  createMssqlAccountLockout,
+  createMssqlAuditLog,
+  createMssqlVerificationTokenRepo,
+  createMssqlRefreshTokenStore,
+  createMssqlApiKeyRepository,
+  createMssqlPasswordHistory,
+  createMssqlOAuthAccountRepo,
+  mssqlMigrateUp,
+  mssqlMigrateDown,
+} from "./mssql/index.js";

package/src/infrastructure/database/migrations/001_create_users.ts

@@ -0,0 +1,26 @@
+import type { Database } from "bun:sqlite";
+
+/**
+ * Migration 001: Create users table
+ */
+export const up = (db: Database): void => {
+  db.run(`
+    CREATE TABLE IF NOT EXISTS users (
+      id          TEXT PRIMARY KEY,
+      email       TEXT NOT NULL UNIQUE,
+      password_hash TEXT NOT NULL,
+      role        TEXT NOT NULL DEFAULT 'user',
+      failed_login_attempts INTEGER NOT NULL DEFAULT 0,
+      locked_until INTEGER,
+      created_at  INTEGER NOT NULL,
+      updated_at  INTEGER NOT NULL
+    )
+  `);
+
+  db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users(email)");
+};
+
+export const down = (db: Database): void => {
+  db.run("DROP INDEX IF EXISTS idx_users_email");
+  db.run("DROP TABLE IF EXISTS users");
+};

package/src/infrastructure/database/migrations/002_create_token_blacklist.ts

@@ -0,0 +1,21 @@
+import type { Database } from "bun:sqlite";
+
+/**
+ * Migration 002: Create token blacklist table for logout
+ */
+export const up = (db: Database): void => {
+  db.run(`
+    CREATE TABLE IF NOT EXISTS token_blacklist (
+      token_hash  TEXT PRIMARY KEY,
+      expires_at  INTEGER NOT NULL,
+      created_at  INTEGER NOT NULL
+    )
+  `);
+
+  db.run("CREATE INDEX IF NOT EXISTS idx_token_blacklist_expires ON token_blacklist(expires_at)");
+};
+
+export const down = (db: Database): void => {
+  db.run("DROP INDEX IF EXISTS idx_token_blacklist_expires");
+  db.run("DROP TABLE IF EXISTS token_blacklist");
+};

package/src/infrastructure/database/migrations/003_create_audit_log.ts

@@ -0,0 +1,31 @@
+import type { Database } from "bun:sqlite";
+
+/**
+ * Migration 003: Create audit_log table
+ * Append-only ledger of significant system events.
+ */
+export const up = (db: Database): void => {
+  db.run(`
+    CREATE TABLE IF NOT EXISTS audit_log (
+      id          TEXT PRIMARY KEY,
+      user_id     TEXT,
+      action      TEXT NOT NULL,
+      resource    TEXT NOT NULL,
+      resource_id TEXT,
+      detail      TEXT,
+      ip          TEXT NOT NULL,
+      timestamp   INTEGER NOT NULL
+    )
+  `);
+
+  db.run("CREATE INDEX IF NOT EXISTS idx_audit_log_user ON audit_log(user_id)");
+  db.run("CREATE INDEX IF NOT EXISTS idx_audit_log_action ON audit_log(action)");
+  db.run("CREATE INDEX IF NOT EXISTS idx_audit_log_timestamp ON audit_log(timestamp)");
+};
+
+export const down = (db: Database): void => {
+  db.run("DROP INDEX IF EXISTS idx_audit_log_timestamp");
+  db.run("DROP INDEX IF EXISTS idx_audit_log_action");
+  db.run("DROP INDEX IF EXISTS idx_audit_log_user");
+  db.run("DROP TABLE IF EXISTS audit_log");
+};

package/src/infrastructure/database/migrations/004_auth_platform.ts

@@ -0,0 +1,112 @@
+import type { Database } from "bun:sqlite";
+
+/**
+ * Migration 004: Auth Platform
+ * - Add email_verified, mfa_secret, mfa_enabled, password_changed_at to users
+ * - Create verification_tokens table (email verification + password reset)
+ * - Create refresh_token_families table (token rotation with reuse detection)
+ * - Create api_keys table (service-to-service auth)
+ * - Create password_history table (password reuse prevention)
+ * - Create oauth_accounts table (OAuth2/SSO provider linking)
+ */
+export const up = (db: Database): void => {
+  // Extend users table
+  db.run("ALTER TABLE users ADD COLUMN email_verified INTEGER NOT NULL DEFAULT 0");
+  db.run("ALTER TABLE users ADD COLUMN mfa_secret TEXT");
+  db.run("ALTER TABLE users ADD COLUMN mfa_enabled INTEGER NOT NULL DEFAULT 0");
+  db.run("ALTER TABLE users ADD COLUMN password_changed_at INTEGER");
+
+  // Verification tokens (email verification + password reset)
+  db.run(`
+    CREATE TABLE IF NOT EXISTS verification_tokens (
+      id          TEXT PRIMARY KEY,
+      user_id     TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      type        TEXT NOT NULL CHECK (type IN ('email_verification', 'password_reset')),
+      token_hash  TEXT NOT NULL UNIQUE,
+      expires_at  INTEGER NOT NULL,
+      used_at     INTEGER,
+      created_at  INTEGER NOT NULL
+    )
+  `);
+  db.run(
+    "CREATE INDEX IF NOT EXISTS idx_verification_tokens_hash ON verification_tokens(token_hash)",
+  );
+  db.run(
+    "CREATE INDEX IF NOT EXISTS idx_verification_tokens_user ON verification_tokens(user_id, type)",
+  );
+
+  // Refresh token families (rotation with reuse detection)
+  db.run(`
+    CREATE TABLE IF NOT EXISTS refresh_token_families (
+      id                  TEXT PRIMARY KEY,
+      user_id             TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      current_token_hash  TEXT NOT NULL,
+      revoked             INTEGER NOT NULL DEFAULT 0,
+      created_at          INTEGER NOT NULL,
+      updated_at          INTEGER NOT NULL
+    )
+  `);
+  db.run("CREATE INDEX IF NOT EXISTS idx_refresh_families_user ON refresh_token_families(user_id)");
+  db.run(
+    "CREATE INDEX IF NOT EXISTS idx_refresh_families_token ON refresh_token_families(current_token_hash)",
+  );
+
+  // API keys
+  db.run(`
+    CREATE TABLE IF NOT EXISTS api_keys (
+      id          TEXT PRIMARY KEY,
+      user_id     TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      name        TEXT NOT NULL,
+      key_hash    TEXT NOT NULL UNIQUE,
+      key_prefix  TEXT NOT NULL,
+      scopes      TEXT NOT NULL DEFAULT '[]',
+      expires_at  INTEGER,
+      last_used_at INTEGER,
+      created_at  INTEGER NOT NULL
+    )
+  `);
+  db.run("CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash)");
+  db.run("CREATE INDEX IF NOT EXISTS idx_api_keys_user ON api_keys(user_id)");
+
+  // Password history
+  db.run(`
+    CREATE TABLE IF NOT EXISTS password_history (
+      id              TEXT PRIMARY KEY,
+      user_id         TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      password_hash   TEXT NOT NULL,
+      created_at      INTEGER NOT NULL
+    )
+  `);
+  db.run("CREATE INDEX IF NOT EXISTS idx_password_history_user ON password_history(user_id)");
+
+  // OAuth accounts
+  db.run(`
+    CREATE TABLE IF NOT EXISTS oauth_accounts (
+      id                TEXT PRIMARY KEY,
+      user_id           TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      provider          TEXT NOT NULL,
+      provider_user_id  TEXT NOT NULL,
+      email             TEXT,
+      created_at        INTEGER NOT NULL,
+      UNIQUE(provider, provider_user_id)
+    )
+  `);
+  db.run("CREATE INDEX IF NOT EXISTS idx_oauth_accounts_user ON oauth_accounts(user_id)");
+  db.run(
+    "CREATE INDEX IF NOT EXISTS idx_oauth_accounts_provider ON oauth_accounts(provider, provider_user_id)",
+  );
+};
+
+export const down = (db: Database): void => {
+  db.run("DROP TABLE IF EXISTS oauth_accounts");
+  db.run("DROP TABLE IF EXISTS password_history");
+  db.run("DROP TABLE IF EXISTS api_keys");
+  db.run("DROP TABLE IF EXISTS refresh_token_families");
+  db.run("DROP TABLE IF EXISTS verification_tokens");
+
+  // SQLite doesn't support DROP COLUMN before 3.35.0, but bun:sqlite supports it
+  db.run("ALTER TABLE users DROP COLUMN password_changed_at");
+  db.run("ALTER TABLE users DROP COLUMN mfa_enabled");
+  db.run("ALTER TABLE users DROP COLUMN mfa_secret");
+  db.run("ALTER TABLE users DROP COLUMN email_verified");
+};

package/src/infrastructure/database/migrations/runner.ts

@@ -0,0 +1,120 @@
+import type { Database } from "bun:sqlite";
+import type { Logger } from "../../../core/ports/logger.js";
+
+/**
+ * Database migration runner.
+ * Tracks applied migrations in a `_migrations` table.
+ * Supports up/down with versioned TypeScript migration files.
+ */
+
+interface Migration {
+  readonly version: string;
+  readonly name: string;
+  readonly up: (db: Database) => void;
+  readonly down: (db: Database) => void;
+}
+
+/** Initialize the migrations tracking table */
+const ensureMigrationsTable = (db: Database): void => {
+  db.run(`
+    CREATE TABLE IF NOT EXISTS _migrations (
+      version     TEXT PRIMARY KEY,
+      name        TEXT NOT NULL,
+      applied_at  INTEGER NOT NULL
+    )
+  `);
+};
+
+/** Get all applied migration versions */
+const getAppliedVersions = (db: Database): Set<string> => {
+  const rows = db.query("SELECT version FROM _migrations ORDER BY version").all() as Array<{
+    version: string;
+  }>;
+  return new Set(rows.map((r) => r.version));
+};
+
+/** Load all migrations from the migrations directory */
+const loadMigrations = async (): Promise<Migration[]> => {
+  const { up: up001, down: down001 } = await import("./001_create_users.js");
+  const { up: up002, down: down002 } = await import("./002_create_token_blacklist.js");
+  const { up: up003, down: down003 } = await import("./003_create_audit_log.js");
+  const { up: up004, down: down004 } = await import("./004_auth_platform.js");
+
+  return [
+    { version: "001", name: "create_users", up: up001, down: down001 },
+    { version: "002", name: "create_token_blacklist", up: up002, down: down002 },
+    { version: "003", name: "create_audit_log", up: up003, down: down003 },
+    { version: "004", name: "auth_platform", up: up004, down: down004 },
+  ];
+};
+
+/**
+ * Run all pending migrations (up).
+ * Returns the number of migrations applied.
+ */
+export const migrateUp = async (db: Database, logger: Logger): Promise<number> => {
+  ensureMigrationsTable(db);
+  const applied = getAppliedVersions(db);
+  const migrations = await loadMigrations();
+  let count = 0;
+
+  for (const migration of migrations) {
+    if (applied.has(migration.version)) continue;
+
+    logger.info(`Applying migration ${migration.version}: ${migration.name}`);
+
+    db.transaction(() => {
+      migration.up(db);
+      db.run("INSERT INTO _migrations (version, name, applied_at) VALUES (?, ?, ?)", [
+        migration.version,
+        migration.name,
+        Date.now(),
+      ]);
+    })();
+
+    count++;
+    logger.info(`Migration ${migration.version} applied successfully`);
+  }
+
+  if (count === 0) {
+    logger.debug("No pending migrations");
+  } else {
+    logger.info(`Applied ${count} migration(s)`);
+  }
+
+  return count;
+};
+
+/**
+ * Rollback the last applied migration (down).
+ * Returns the version that was rolled back, or null if nothing to rollback.
+ */
+export const migrateDown = async (db: Database, logger: Logger): Promise<string | null> => {
+  ensureMigrationsTable(db);
+  const migrations = await loadMigrations();
+
+  const lastApplied = db
+    .query("SELECT version FROM _migrations ORDER BY version DESC LIMIT 1")
+    .get() as { version: string } | null;
+
+  if (!lastApplied) {
+    logger.info("No migrations to rollback");
+    return null;
+  }
+
+  const migration = migrations.find((m) => m.version === lastApplied.version);
+  if (!migration) {
+    logger.error(`Migration ${lastApplied.version} not found in migration files`);
+    return null;
+  }
+
+  logger.info(`Rolling back migration ${migration.version}: ${migration.name}`);
+
+  db.transaction(() => {
+    migration.down(db);
+    db.run("DELETE FROM _migrations WHERE version = ?", [migration.version]);
+  })();
+
+  logger.info(`Migration ${migration.version} rolled back successfully`);
+  return migration.version;
+};

package/src/infrastructure/database/mssql/index.ts

@@ -0,0 +1,14 @@
+/**
+ * SQL Server (mssql) adapters — barrel export.
+ */
+
+export { createMssqlUserRepository } from "./mssql-user.repository.js";
+export { createMssqlTokenBlacklist } from "./mssql-token-blacklist.js";
+export { createMssqlAccountLockout } from "./mssql-account-lockout.js";
+export { createMssqlAuditLog } from "./mssql-audit-log.js";
+export { createMssqlVerificationTokenRepo } from "./mssql-verification-tokens.js";
+export { createMssqlRefreshTokenStore } from "./mssql-refresh-token-store.js";
+export { createMssqlApiKeyRepository } from "./mssql-api-keys.js";
+export { createMssqlPasswordHistory } from "./mssql-password-history.js";
+export { createMssqlOAuthAccountRepo } from "./mssql-oauth-accounts.js";
+export { mssqlMigrateUp, mssqlMigrateDown } from "./migrations.js";