@etus/bhono-app 0.1.1

package/templates/base/src/server/services/invitations.ts

@@ -0,0 +1,306 @@
+// src/services/invitations.ts
+import { eq, and, isNull, gt } from 'drizzle-orm'
+import type { Database } from '../db/client'
+import { invitations, users, userAccounts, accounts } from '../db/schema'
+import { sendInvitationEmail } from '../lib/email'
+import { logAuthEvent, type AuthEventContext } from '../lib/audit'
+import { ConflictError, NotFoundError, ForbiddenError } from '../lib/errors'
+import type { Env } from '../env'
+import { hasMinimumRole, type Role } from '../auth/roles'
+import type { ServiceContext } from '../types'
+
+function generateToken(): string {
+  const array = new Uint8Array(32)
+  crypto.getRandomValues(array)
+  return [...array]
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('')
+}
+
+function getExpiryDate(): string {
+  const date = new Date()
+  date.setDate(date.getDate() + 7)
+  return date.toISOString()
+}
+
+interface CreateInvitationInput {
+  email: string
+  role: Role
+}
+
+interface InvitationResult {
+  linked: boolean
+  invited: boolean
+  user?: {
+    id: string
+    email: string
+    name: string
+  }
+  invitation?: {
+    id: string
+    email: string
+    role: Role
+    expiresAt: string
+  }
+}
+
+export const invitationsService = {
+  async create(db: Database, env: Env, ctx: ServiceContext, input: CreateInvitationInput): Promise<InvitationResult> {
+    const { email, role } = input
+
+    // Check inviter has a role in this account
+    if (!ctx.userRole) {
+      throw new ForbiddenError('User must have a role in this account to invite others')
+    }
+
+    // Check inviter can assign this role (can't assign higher than own role)
+    if (!hasMinimumRole(ctx.userRole, role)) {
+      throw new ForbiddenError('Cannot assign a role higher than your own')
+    }
+
+    // Check if user already in this account
+    const membershipResults = await db
+      .select()
+      .from(userAccounts)
+      .innerJoin(users, eq(users.id, userAccounts.userId))
+      .where(
+        and(
+          eq(userAccounts.accountId, ctx.accountId),
+          eq(users.email, email),
+          isNull(users.deletedAt)
+        )
+      )
+      .limit(1)
+
+    if (membershipResults.at(0)) {
+      throw new ConflictError('User is already a member of this account')
+    }
+
+    // Check if user exists in system
+    const existingUserResults = await db
+      .select()
+      .from(users)
+      .where(and(eq(users.email, email), isNull(users.deletedAt)))
+      .limit(1)
+
+    const existingUser = existingUserResults.at(0)
+    if (existingUser) {
+      // Link immediately
+      await db.insert(userAccounts).values({
+        userId: existingUser.id,
+        accountId: ctx.accountId,
+        role,
+      })
+
+      return {
+        linked: true,
+        invited: false,
+        user: {
+          id: existingUser.id,
+          email: existingUser.email,
+          name: existingUser.name,
+        },
+      }
+    }
+
+    // Check for existing pending invitation
+    const existingInvitationResults = await db
+      .select()
+      .from(invitations)
+      .where(
+        and(
+          eq(invitations.accountId, ctx.accountId),
+          eq(invitations.email, email),
+          isNull(invitations.acceptedAt),
+          gt(invitations.expiresAt, new Date().toISOString())
+        )
+      )
+      .limit(1)
+
+    if (existingInvitationResults.at(0)) {
+      throw new ConflictError('Pending invitation already exists for this email')
+    }
+
+    // Get account name for email
+    const accountResults = await db
+      .select()
+      .from(accounts)
+      .where(eq(accounts.id, ctx.accountId))
+      .limit(1)
+
+    const account = accountResults.at(0)
+    if (!account) {
+      throw new Error('Account not found')
+    }
+
+    // Create invitation
+    const token = generateToken()
+    const expiresAt = getExpiryDate()
+
+    const insertResults = await db
+      .insert(invitations)
+      .values({
+        accountId: ctx.accountId,
+        email,
+        role,
+        token,
+        invitedById: ctx.user.id,
+        expiresAt,
+      })
+      .returning()
+
+    const invitation = insertResults.at(0)
+    if (!invitation) {
+      throw new Error('Failed to create invitation')
+    }
+
+    // Send email
+    const inviteUrl = `${env.APP_URL}/auth/invite/${token}`
+    await sendInvitationEmail(env, email, ctx.user.name, account.name, inviteUrl)
+
+    return {
+      linked: false,
+      invited: true,
+      invitation: {
+        id: invitation.id,
+        email: invitation.email,
+        role: invitation.role as Role,
+        expiresAt: invitation.expiresAt,
+      },
+    }
+  },
+
+  async list(db: Database, ctx: ServiceContext): Promise<{
+    id: string
+    email: string
+    role: Role
+    invitedBy: { id: string; name: string }
+    expiresAt: string
+    createdAt: string
+  }[]> {
+    const results = await db
+      .select({
+        id: invitations.id,
+        email: invitations.email,
+        role: invitations.role,
+        expiresAt: invitations.expiresAt,
+        createdAt: invitations.createdAt,
+        invitedById: invitations.invitedById,
+        inviterName: users.name,
+      })
+      .from(invitations)
+      .innerJoin(users, eq(users.id, invitations.invitedById))
+      .where(
+        and(
+          eq(invitations.accountId, ctx.accountId),
+          isNull(invitations.acceptedAt),
+          gt(invitations.expiresAt, new Date().toISOString())
+        )
+      )
+      .orderBy(invitations.createdAt)
+
+    return results.map((r) => ({
+      id: r.id,
+      email: r.email,
+      role: r.role as Role,
+      invitedBy: { id: r.invitedById, name: r.inviterName },
+      expiresAt: r.expiresAt,
+      createdAt: r.createdAt,
+    }))
+  },
+
+  async revoke(db: Database, ctx: ServiceContext, id: string): Promise<void> {
+    const invitationResults = await db
+      .select()
+      .from(invitations)
+      .where(
+        and(
+          eq(invitations.id, id),
+          eq(invitations.accountId, ctx.accountId),
+          isNull(invitations.acceptedAt)
+        )
+      )
+      .limit(1)
+
+    const invitation = invitationResults.at(0)
+    if (!invitation) {
+      throw new NotFoundError('Invitation')
+    }
+
+    await db.delete(invitations).where(eq(invitations.id, id))
+  },
+
+  async getByToken(db: Database, token: string): Promise<{
+    id: string
+    accountId: string
+    email: string
+    role: Role
+    accountName: string
+  } | null> {
+    const tokenResults = await db
+      .select({
+        id: invitations.id,
+        accountId: invitations.accountId,
+        email: invitations.email,
+        role: invitations.role,
+        expiresAt: invitations.expiresAt,
+        acceptedAt: invitations.acceptedAt,
+        accountName: accounts.name,
+      })
+      .from(invitations)
+      .innerJoin(accounts, eq(accounts.id, invitations.accountId))
+      .where(eq(invitations.token, token))
+      .limit(1)
+
+    const result = tokenResults.at(0)
+    if (!result) return null
+    if (result.acceptedAt) return null
+    if (new Date(result.expiresAt) < new Date()) return null
+
+    return {
+      id: result.id,
+      accountId: result.accountId,
+      email: result.email,
+      role: result.role as Role,
+      accountName: result.accountName,
+    }
+  },
+
+  async accept(
+    db: Database,
+    invitationId: string,
+    userId: string,
+    ctx: AuthEventContext
+  ): Promise<void> {
+    const invitationResults = await db
+      .select()
+      .from(invitations)
+      .where(eq(invitations.id, invitationId))
+      .limit(1)
+
+    const invitation = invitationResults.at(0)
+    if (!invitation) {
+      throw new NotFoundError('Invitation')
+    }
+
+    // Create user-account relationship
+    await db.insert(userAccounts).values({
+      userId,
+      accountId: invitation.accountId,
+      role: invitation.role,
+    })
+
+    // Mark invitation as accepted
+    await db
+      .update(invitations)
+      .set({ acceptedAt: new Date().toISOString() })
+      .where(eq(invitations.id, invitationId))
+
+    // Log event
+    await logAuthEvent(db, ctx, 'LOGIN', userId, {
+      invitationAccepted: true,
+      accountId: invitation.accountId,
+      role: invitation.role,
+    })
+  },
+}

package/templates/base/src/server/services/users.ts

@@ -0,0 +1,350 @@
+// src/services/users.ts
+import { eq, and, isNull, isNotNull, sql } from 'drizzle-orm'
+import type { Database } from '../db/client'
+import { users, userAccounts, type UserRecord } from '../db/schema'
+import { logAudit } from '../lib/audit'
+import { auditedUpdate, auditedDelete } from '../lib/audited-db'
+import { createPaginationMeta, calculateOffset } from '../lib/pagination'
+import { NotFoundError } from '../lib/errors'
+import type { ServiceContext, PaginationQuery, PaginatedResponse, User } from '../types'
+import type { Role } from '../auth/roles'
+
+// NOTE: CreateUserInput is commented out since user creation is disabled
+// (users should only be created through Google OAuth)
+
+interface UpdateUserInput {
+  name?: string
+  status?: 'active' | 'inactive'
+}
+
+export const usersService = {
+  async findAll(
+    db: Database,
+    ctx: ServiceContext,
+    pagination: PaginationQuery
+  ): Promise<PaginatedResponse<User>> {
+    const offset = calculateOffset(pagination.page, pagination.limit)
+
+    // Build base query conditions
+    const conditions = [isNull(users.deletedAt)]
+
+    // Non-super-admin sees only users in their account
+    if (!ctx.user.isSuperAdmin) {
+      const userIdsInAccount = db
+        .select({ userId: userAccounts.userId })
+        .from(userAccounts)
+        .where(eq(userAccounts.accountId, ctx.accountId))
+
+      conditions.push(sql`${users.id} IN ${userIdsInAccount}`)
+    }
+
+    // Add search filter if provided
+    if (pagination.query) {
+      conditions.push(
+        sql`(${users.email} LIKE ${'%' + pagination.query + '%'} OR ${users.name} LIKE ${'%' + pagination.query + '%'})`
+      )
+    }
+
+    // Get total count
+    const countResults = await db
+      .select({ count: sql<number>`count(*)` })
+      .from(users)
+      .where(and(...conditions))
+
+    const totalItems = countResults.at(0)?.count ?? 0
+
+    // Get paginated data
+    const data = await db
+      .select()
+      .from(users)
+      .where(and(...conditions))
+      .limit(pagination.limit)
+      .offset(offset)
+      .orderBy(sql`${users.createdAt} DESC`)
+
+    return {
+      data: data.map((u) => ({
+        id: u.id,
+        email: u.email,
+        name: u.name,
+        status: u.status,
+        providerIds: u.providerIds ?? [],
+        isSuperAdmin: u.isSuperAdmin,
+        createdAt: u.createdAt,
+        updatedAt: u.updatedAt,
+        deletedAt: u.deletedAt,
+      })),
+      meta: createPaginationMeta(totalItems, pagination.page, pagination.limit),
+    }
+  },
+
+  async findById(db: Database, ctx: ServiceContext, id: string): Promise<User> {
+    const userResults = await db
+      .select()
+      .from(users)
+      .where(and(eq(users.id, id), isNull(users.deletedAt)))
+      .limit(1)
+
+    const userRecord = userResults.at(0)
+    if (!userRecord) {
+      throw new NotFoundError('User')
+    }
+
+    // Check user has access (super-admin or same account)
+    if (!ctx.user.isSuperAdmin) {
+      const membershipResults = await db
+        .select()
+        .from(userAccounts)
+        .where(
+          and(
+            eq(userAccounts.userId, id),
+            eq(userAccounts.accountId, ctx.accountId)
+          )
+        )
+        .limit(1)
+
+      const membership = membershipResults.at(0)
+      if (!membership) {
+        throw new NotFoundError('User')
+      }
+    }
+
+    return {
+      id: userRecord.id,
+      email: userRecord.email,
+      name: userRecord.name,
+      status: userRecord.status,
+      providerIds: userRecord.providerIds ?? [],
+      isSuperAdmin: userRecord.isSuperAdmin,
+      createdAt: userRecord.createdAt,
+      updatedAt: userRecord.updatedAt,
+      deletedAt: userRecord.deletedAt,
+    }
+  },
+
+  // NOTE: User creation is disabled - users should only be created through Google OAuth
+  // If you need to manually create users, add googleId to the CreateUserInput interface
+  // and ensure the googleId is provided when creating users.
+  /*
+  async create(ctx: ServiceContext, input: CreateUserInput): Promise<User> {
+    // Check email doesn't already exist
+    const [existing] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, input.email))
+      .limit(1)
+
+    if (existing) {
+      throw new ConflictError('User with this email already exists')
+    }
+
+    // Create user
+    const [userRecord] = await db
+      .insert(users)
+      .values({
+        email: input.email,
+        name: input.name,
+        status: 'active',
+        createdById: ctx.user.id,
+        updatedById: ctx.user.id,
+      })
+      .returning()
+
+    // Create user-account relationship
+    await db.insert(userAccounts).values({
+      userId: userRecord.id,
+      accountId: ctx.accountId,
+      role: input.role,
+    })
+
+    // Log audit
+    await logAudit(db, ctx, 'User', userRecord.id, 'INSERT', userRecord)
+
+    return {
+      id: userRecord.id,
+      email: userRecord.email,
+      name: userRecord.name,
+      status: userRecord.status,
+      providerIds: userRecord.providerIds ?? [],
+      isSuperAdmin: userRecord.isSuperAdmin,
+      createdAt: userRecord.createdAt,
+      updatedAt: userRecord.updatedAt,
+      deletedAt: userRecord.deletedAt,
+    }
+  },
+  */
+
+  async update(db: Database, ctx: ServiceContext, id: string, input: UpdateUserInput): Promise<User> {
+    // Verify user exists and accessible
+    await this.findById(db, ctx, id)
+
+    // Update user with audit
+    const updateResults = await auditedUpdate<UserRecord>(
+      db,
+      ctx,
+      users,
+      {
+        ...input,
+        updatedAt: new Date().toISOString(),
+        updatedById: ctx.user.id,
+      },
+      eq(users.id, id)
+    )
+
+    const userRecord: UserRecord | undefined = updateResults.at(0)
+    if (!userRecord) {
+      throw new Error('Failed to update user')
+    }
+
+    return {
+      id: userRecord.id,
+      email: userRecord.email,
+      name: userRecord.name,
+      status: userRecord.status,
+      providerIds: userRecord.providerIds ?? [],
+      isSuperAdmin: userRecord.isSuperAdmin,
+      createdAt: userRecord.createdAt,
+      updatedAt: userRecord.updatedAt,
+      deletedAt: userRecord.deletedAt,
+    }
+  },
+
+  async delete(db: Database, ctx: ServiceContext, id: string): Promise<void> {
+    // Verify user exists and accessible
+    await this.findById(db, ctx, id)
+
+    // Soft delete with audit
+    await auditedDelete(db, ctx, users, eq(users.id, id))
+  },
+
+  // Bulk User-Account Operations
+  async createUserAccounts(
+    db: Database,
+    ctx: ServiceContext,
+    items: { userId: string; accountId: string; role: Role }[]
+  ): Promise<{ success: boolean; count: number }> {
+    let count = 0
+
+    for (const item of items) {
+      // Check if relationship already exists
+      const existingResults = await db
+        .select()
+        .from(userAccounts)
+        .where(
+          and(
+            eq(userAccounts.userId, item.userId),
+            eq(userAccounts.accountId, item.accountId)
+          )
+        )
+        .limit(1)
+
+      const existing = existingResults.at(0)
+      if (existing) {
+        // Update existing role
+        await db
+          .update(userAccounts)
+          .set({ role: item.role })
+          .where(
+            and(
+              eq(userAccounts.userId, item.userId),
+              eq(userAccounts.accountId, item.accountId)
+            )
+          )
+      } else {
+        // Create new relationship
+        await db.insert(userAccounts).values({
+          userId: item.userId,
+          accountId: item.accountId,
+          role: item.role,
+        })
+      }
+
+      count++
+
+      // Log audit
+      await logAudit(db, ctx, 'UserAccount', `${item.userId}-${item.accountId}`, 'INSERT', {
+        userId: item.userId,
+        accountId: item.accountId,
+        role: item.role,
+      })
+    }
+
+    return { success: true, count }
+  },
+
+  async deleteUserAccounts(
+    db: Database,
+    ctx: ServiceContext,
+    items: { userId: string; accountId: string; role: Role }[]
+  ): Promise<{ success: boolean; count: number }> {
+    let count = 0
+
+    for (const item of items) {
+      await db
+        .delete(userAccounts)
+        .where(
+          and(
+            eq(userAccounts.userId, item.userId),
+            eq(userAccounts.accountId, item.accountId)
+          )
+        )
+
+      count++
+
+      // Log audit
+      await logAudit(db, ctx, 'UserAccount', `${item.userId}-${item.accountId}`, 'DELETE', {
+        userId: item.userId,
+        accountId: item.accountId,
+      })
+    }
+
+    return { success: true, count }
+  },
+
+  async restore(
+    db: Database,
+    ctx: ServiceContext,
+    id: string
+  ): Promise<User> {
+    // Find deleted record
+    const recordResults = await db
+      .select()
+      .from(users)
+      .where(and(
+        eq(users.id, id),
+        isNotNull(users.deletedAt)
+      ))
+      .limit(1)
+
+    const record = recordResults.at(0)
+    if (!record) {
+      throw new NotFoundError('User not found or not deleted')
+    }
+
+    // Restore user
+    const restoreResults = await auditedUpdate<UserRecord>(
+      db,
+      ctx,
+      users,
+      { deletedAt: null, deletedById: null },
+      eq(users.id, id)
+    )
+
+    const restored: UserRecord | undefined = restoreResults.at(0)
+    if (!restored) {
+      throw new NotFoundError('Failed to restore user')
+    }
+
+    return {
+      id: restored.id,
+      email: restored.email,
+      name: restored.name,
+      status: restored.status,
+      providerIds: restored.providerIds ?? [],
+      isSuperAdmin: restored.isSuperAdmin,
+      createdAt: restored.createdAt,
+      updatedAt: restored.updatedAt,
+      deletedAt: restored.deletedAt,
+    }
+  },
+}

package/templates/base/src/server/types/auth.ts

@@ -0,0 +1,36 @@
+// src/types/auth.ts
+export interface GoogleTokenResponse {
+  access_token: string
+  expires_in: number
+  id_token: string
+  scope: string
+  token_type: string
+  refresh_token?: string
+}
+
+export interface GoogleUserInfo {
+  sub: string
+  email: string
+  email_verified: boolean
+  name: string
+  picture?: string
+  given_name?: string
+  family_name?: string
+}
+
+export interface JWTPayload {
+  sub: string
+  email: string
+  iat: number
+  exp: number
+}
+
+export interface AuthTokens {
+  accessToken: string
+  expiresIn: number
+}
+
+export interface OAuthState {
+  codeChallenge: string
+  redirectUrl?: string
+}