npm - @etus/bhono-app - Versions diffs - 0.1.5 → 0.1.6 - Mend

@etus/bhono-app 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/templates/base/src/server/services/auth.ts CHANGED Viewed

@@ -1,13 +1,12 @@
 // src/services/auth.ts
-import { eq, and, isNull, gt } from 'drizzle-orm'
-import type { Database } from '../db/client'
 import { isSuperAdminEmail, type Env } from '../env'
-import { users, accounts, userAccounts, refreshTokens } from '../db/schema'
+import type { UserRecord } from '../db/records'
 import { createAccessToken, generateRefreshToken, hashToken, getRefreshTokenExpiry } from '../lib/tokens'
 import { UnauthorizedError } from '../lib/errors'
 import { logAuthEvent, type AuthEventContext } from '../lib/audit'
 import type { GoogleUserInfo, AuthTokens } from '../types/auth'
 import type { User } from '../types'
+import { execute, queryOne, type SqlRow } from '../db/sql'
 interface AuthResult {
   user: User
@@ -16,210 +15,341 @@ interface AuthResult {
   isNewUser: boolean
 }
-export const authService = {
-  async findOrCreateUser(db: Database, env: Env, googleUser: GoogleUserInfo, ctx: AuthEventContext): Promise<AuthResult> {
-    let isNewUser = false
-    // Try to find existing user by googleId
-    const existingUsers = await db
-      .select()
-      .from(users)
-      .where(and(eq(users.googleId, googleUser.sub), isNull(users.deletedAt)))
-      .limit(1)
-    let userRecord = existingUsers.at(0)
-    if (userRecord) {
-      // Update profile info if changed
-      if (
-        userRecord.email !== googleUser.email ||
-        userRecord.name !== googleUser.name ||
-        userRecord.avatarUrl !== googleUser.picture
-      ) {
-        const updated = await db
-          .update(users)
-          .set({
-            email: googleUser.email,
-            name: googleUser.name,
-            avatarUrl: googleUser.picture ?? null,
-            updatedAt: new Date().toISOString(),
-          })
-          .where(eq(users.id, userRecord.id))
-          .returning()
-        userRecord = updated[0]
+const USER_SELECT_COLUMNS = `
+  id,
+  google_id as googleId,
+  email,
+  name,
+  avatar_url as avatarUrl,
+  status,
+  provider_ids as providerIds,
+  is_super_admin as isSuperAdmin,
+  created_at as createdAt,
+  updated_at as updatedAt,
+  deleted_at as deletedAt
+`
+function toEpochSeconds(date: Date): number {
+  return Math.floor(date.getTime() / 1000)
+}
+function toBoolean(value: unknown): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'number') return value !== 0
+  if (typeof value === 'string') return value === '1' || value.toLowerCase() === 'true'
+  return false
+}
+function parseProviderIds(value: unknown): string[] {
+  if (!value) return []
+  if (Array.isArray(value)) return value.map((item) => String(item))
+  if (typeof value === 'string') {
+    try {
+      const parsed = JSON.parse(value) as unknown
+      if (Array.isArray(parsed)) {
+        return parsed.map((item) => String(item))
       }
-    } else {
-      isNewUser = true
-      // Create new user (check if email is pre-registered as super admin)
-      const shouldBeSuperAdmin = isSuperAdminEmail(env, googleUser.email)
-      const created = await db
-        .insert(users)
-        .values({
-          googleId: googleUser.sub,
-          email: googleUser.email,
-          name: googleUser.name,
-          avatarUrl: googleUser.picture ?? null,
-          status: 'active',
-          isSuperAdmin: shouldBeSuperAdmin,
-        })
-        .returning()
-      userRecord = created[0]
-      // Create personal account
-      const createdAccounts = await db
-        .insert(accounts)
-        .values({
-          name: `${googleUser.name}'s Account`,
-        })
-        .returning()
-      const accountRecord = createdAccounts[0]
-      // Link user to account with EDITOR role
-      await db.insert(userAccounts).values({
-        userId: userRecord.id,
-        accountId: accountRecord.id,
-        role: 'EDITOR',
-      })
-      // Log signup event
-      await logAuthEvent(db, ctx, 'SIGNUP', userRecord.id, {
-        email: userRecord.email,
-        provider: 'google',
-        accountId: accountRecord.id,
-      })
+    } catch {
+      return []
     }
+  }
+  return []
+}
-    // Generate tokens
-    const accessToken = await createAccessToken(env, userRecord.id, userRecord.email)
-    const refreshToken = generateRefreshToken()
-    const tokenHash = await hashToken(refreshToken)
+function mapUserRow(row: SqlRow): UserRecord {
+  return {
+    id: String(row.id ?? ''),
+    googleId: String(row.googleId ?? ''),
+    email: String(row.email ?? ''),
+    name: String(row.name ?? ''),
+    avatarUrl: row.avatarUrl ? String(row.avatarUrl) : null,
+    status: (row.status === 'inactive' ? 'inactive' : 'active'),
+    providerIds: parseProviderIds(row.providerIds),
+    isSuperAdmin: toBoolean(row.isSuperAdmin),
+    createdAt: String(row.createdAt ?? ''),
+    updatedAt: String(row.updatedAt ?? ''),
+    deletedAt: row.deletedAt ? String(row.deletedAt) : null,
+  }
+}
-    // Store refresh token
-    await db.insert(refreshTokens).values({
-      userId: userRecord.id,
-      tokenHash,
-      expiresAt: getRefreshTokenExpiry(env),
-    })
+function toUser(record: UserRecord): User {
+  return {
+    id: record.id,
+    email: record.email,
+    name: record.name,
+    status: record.status,
+    providerIds: record.providerIds ?? [],
+    isSuperAdmin: record.isSuperAdmin,
+    createdAt: record.createdAt,
+    updatedAt: record.updatedAt,
+    deletedAt: record.deletedAt,
+  }
+}
-    // Log login event
-    await logAuthEvent(db, ctx, 'LOGIN', userRecord.id, {
-      email: userRecord.email,
-      provider: 'google',
-      isNewUser,
-    })
+async function selectUserByGoogleId(db: D1Database, googleId: string): Promise<UserRecord | null> {
+  const row = await queryOne(
+    db,
+    `SELECT ${USER_SELECT_COLUMNS}
+     FROM users
+     WHERE google_id = ? AND deleted_at IS NULL
+     LIMIT 1`,
+    [googleId]
+  )
+  return row ? mapUserRow(row) : null
+}
-    return {
-      user: {
-        id: userRecord.id,
-        email: userRecord.email,
-        name: userRecord.name,
-        status: userRecord.status,
-        providerIds: userRecord.providerIds ?? [],
-        isSuperAdmin: userRecord.isSuperAdmin,
-        createdAt: userRecord.createdAt,
-        updatedAt: userRecord.updatedAt,
-        deletedAt: userRecord.deletedAt,
-      },
-      tokens: {
-        accessToken,
-        expiresIn: 60 * 15, // 15 minutes in seconds
-      },
-      refreshToken,
-      isNewUser,
-    }
-  },
+async function selectUserById(db: D1Database, userId: string): Promise<UserRecord | null> {
+  const row = await queryOne(
+    db,
+    `SELECT ${USER_SELECT_COLUMNS}
+     FROM users
+     WHERE id = ? AND deleted_at IS NULL
+     LIMIT 1`,
+    [userId]
+  )
+  return row ? mapUserRow(row) : null
+}
+async function updateUserSql(
+  db: D1Database,
+  userId: string,
+  updates: Record<string, unknown>
+): Promise<UserRecord | null> {
+  const columns = Object.keys(updates)
+  if (columns.length === 0) return selectUserById(db, userId)
+  const setClause = columns.map((column) => `${column} = ?`).join(', ')
+  const params = columns.map((column) => updates[column])
+  await execute(
+    db,
+    `UPDATE users SET ${setClause} WHERE id = ?`,
+    [...params, userId]
+  )
+  return selectUserById(db, userId)
+}
+async function insertUserSql(
+  db: D1Database,
+  values: Record<string, unknown>
+): Promise<UserRecord | null> {
+  const columns = Object.keys(values)
+  const placeholders = columns.map(() => '?').join(', ')
+  const params = columns.map((column) => values[column])
+  await execute(
+    db,
+    `INSERT INTO users (${columns.join(', ')}) VALUES (${placeholders})`,
+    params
+  )
-  async refreshAccessToken(db: Database, env: Env, refreshToken: string, ctx: AuthEventContext): Promise<AuthTokens> {
-    const tokenHash = await hashToken(refreshToken)
-    // Find valid refresh token
-    const tokenResults = await db
-      .select()
-      .from(refreshTokens)
-      .where(
-        and(
-          eq(refreshTokens.tokenHash, tokenHash),
-          isNull(refreshTokens.revokedAt),
-          gt(refreshTokens.expiresAt, new Date())
-        )
-      )
-      .limit(1)
-    const tokenRecord = tokenResults.at(0)
-    if (!tokenRecord) {
-      throw new UnauthorizedError('Invalid or expired refresh token')
+  return selectUserById(db, String(values.id ?? ''))
+}
+async function findOrCreateUserSql(
+  db: D1Database,
+  env: Env,
+  googleUser: GoogleUserInfo,
+  ctx: AuthEventContext
+): Promise<AuthResult> {
+  let isNewUser = false
+  let userRecord = await selectUserByGoogleId(db, googleUser.sub)
+  if (userRecord) {
+    const shouldUpdate =
+      userRecord.email !== googleUser.email ||
+      userRecord.name !== googleUser.name ||
+      userRecord.avatarUrl !== googleUser.picture
+    if (shouldUpdate) {
+      userRecord = await updateUserSql(db, userRecord.id, {
+        email: googleUser.email,
+        name: googleUser.name,
+        avatar_url: googleUser.picture ?? null,
+        updated_at: new Date().toISOString(),
+      }) ?? userRecord
     }
+  } else {
+    isNewUser = true
+    const shouldBeSuperAdmin = isSuperAdminEmail(env, googleUser.email)
+    const now = new Date().toISOString()
+    const userId = crypto.randomUUID()
-    // Get user
-    const userResults = await db
-      .select()
-      .from(users)
-      .where(and(eq(users.id, tokenRecord.userId), isNull(users.deletedAt)))
-      .limit(1)
+    userRecord = await insertUserSql(db, {
+      id: userId,
+      google_id: googleUser.sub,
+      email: googleUser.email,
+      name: googleUser.name,
+      avatar_url: googleUser.picture ?? null,
+      status: 'active',
+      is_super_admin: shouldBeSuperAdmin ? 1 : 0,
+      created_at: now,
+      updated_at: now,
+    })
-    const userRecord = userResults.at(0)
-    if (userRecord?.status !== 'active') {
-      throw new UnauthorizedError('User not found or inactive')
+    if (!userRecord) {
+      throw new Error('Failed to create user')
     }
-    // Generate new access token
-    const accessToken = await createAccessToken(env, userRecord.id, userRecord.email)
+    const accountId = crypto.randomUUID()
+    await execute(
+      db,
+      `INSERT INTO accounts (id, name, created_at, updated_at) VALUES (?, ?, ?, ?)`,
+      [accountId, `${googleUser.name}'s Account`, now, now]
+    )
-    // Log token refresh event
-    await logAuthEvent(db, ctx, 'TOKEN_REFRESH', userRecord.id, {
+    await execute(
+      db,
+      `INSERT INTO user_accounts (user_id, account_id, role) VALUES (?, ?, ?)`,
+      [userRecord.id, accountId, 'EDITOR']
+    )
+    await logAuthEvent(db, ctx, 'SIGNUP', userRecord.id, {
       email: userRecord.email,
+      provider: 'google',
+      accountId,
     })
+  }
-    return {
+  const accessToken = await createAccessToken(env, userRecord.id, userRecord.email)
+  const refreshToken = generateRefreshToken()
+  const tokenHash = await hashToken(refreshToken)
+  const expiresAt = toEpochSeconds(getRefreshTokenExpiry(env))
+  const createdAt = Math.floor(Date.now() / 1000)
+  await execute(
+    db,
+    `INSERT INTO refresh_tokens (id, user_id, token_hash, expires_at, created_at)
+     VALUES (?, ?, ?, ?, ?)`,
+    [crypto.randomUUID(), userRecord.id, tokenHash, expiresAt, createdAt]
+  )
+  await logAuthEvent(db, ctx, 'LOGIN', userRecord.id, {
+    email: userRecord.email,
+    provider: 'google',
+    isNewUser,
+  })
+  return {
+    user: toUser(userRecord),
+    tokens: {
       accessToken,
       expiresIn: 60 * 15,
-    }
-  },
+    },
+    refreshToken,
+    isNewUser,
+  }
+}
+async function refreshAccessTokenSql(
+  db: D1Database,
+  env: Env,
+  refreshToken: string,
+  ctx: AuthEventContext
+): Promise<AuthTokens> {
+  const tokenHash = await hashToken(refreshToken)
+  const now = Math.floor(Date.now() / 1000)
+  const tokenRecord = await queryOne(
+    db,
+    `SELECT id, user_id as userId, token_hash as tokenHash
+     FROM refresh_tokens
+     WHERE token_hash = ? AND revoked_at IS NULL AND expires_at > ?
+     LIMIT 1`,
+    [tokenHash, now]
+  )
+  if (!tokenRecord) {
+    throw new UnauthorizedError('Invalid or expired refresh token')
+  }
+  const userRecord = await selectUserById(db, String(tokenRecord.userId ?? ''))
+  if (!userRecord || userRecord.status !== 'active') {
+    throw new UnauthorizedError('User not found or inactive')
+  }
+  const accessToken = await createAccessToken(env, userRecord.id, userRecord.email)
+  await logAuthEvent(db, ctx, 'TOKEN_REFRESH', userRecord.id, {
+    email: userRecord.email,
+  })
+  return {
+    accessToken,
+    expiresIn: 60 * 15,
+  }
+}
+async function revokeRefreshTokenSql(
+  db: D1Database,
+  refreshToken: string
+): Promise<void> {
+  const tokenHash = await hashToken(refreshToken)
+  const revokedAt = Math.floor(Date.now() / 1000)
-  async revokeRefreshToken(db: Database, refreshToken: string, ctx: AuthEventContext, userId: string | null): Promise<void> {
-    const tokenHash = await hashToken(refreshToken)
+  await execute(
+    db,
+    `UPDATE refresh_tokens SET revoked_at = ? WHERE token_hash = ?`,
+    [revokedAt, tokenHash]
+  )
+}
+async function revokeAllUserTokensSql(db: D1Database, userId: string): Promise<void> {
+  const revokedAt = Math.floor(Date.now() / 1000)
+  await execute(
+    db,
+    `UPDATE refresh_tokens SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL`,
+    [revokedAt, userId]
+  )
+}
+async function getCurrentUserSql(db: D1Database, userId: string): Promise<User> {
+  const userRecord = await selectUserById(db, userId)
+  if (!userRecord) {
+    throw new UnauthorizedError('User not found')
+  }
+  return toUser(userRecord)
+}
+export const authService = {
+  async findOrCreateUser(
+    db: D1Database,
+    env: Env,
+    googleUser: GoogleUserInfo,
+    ctx: AuthEventContext
+  ): Promise<AuthResult> {
+    return findOrCreateUserSql(db, env, googleUser, ctx)
+  },
-    await db
-      .update(refreshTokens)
-      .set({ revokedAt: new Date() })
-      .where(eq(refreshTokens.tokenHash, tokenHash))
+  async refreshAccessToken(
+    db: D1Database,
+    env: Env,
+    refreshToken: string,
+    ctx: AuthEventContext
+  ): Promise<AuthTokens> {
+    return refreshAccessTokenSql(db, env, refreshToken, ctx)
+  },
-    // Log logout event if userId provided
+  async revokeRefreshToken(
+    db: D1Database,
+    refreshToken: string,
+    ctx: AuthEventContext,
+    userId: string | null
+  ): Promise<void> {
+    await revokeRefreshTokenSql(db, refreshToken)
     if (userId) {
       await logAuthEvent(db, ctx, 'LOGOUT', userId, {})
     }
   },
-  async revokeAllUserTokens(db: Database, userId: string): Promise<void> {
-    await db
-      .update(refreshTokens)
-      .set({ revokedAt: new Date() })
-      .where(and(eq(refreshTokens.userId, userId), isNull(refreshTokens.revokedAt)))
+  async revokeAllUserTokens(db: D1Database, userId: string): Promise<void> {
+    await revokeAllUserTokensSql(db, userId)
   },
-  async getCurrentUser(db: Database, userId: string): Promise<User> {
-    const results = await db
-      .select()
-      .from(users)
-      .where(and(eq(users.id, userId), isNull(users.deletedAt)))
-      .limit(1)
-    const userRecord = results.at(0)
-    if (!userRecord) {
-      throw new UnauthorizedError('User not found')
-    }
-    return {
-      id: userRecord.id,
-      email: userRecord.email,
-      name: userRecord.name,
-      status: userRecord.status,
-      providerIds: userRecord.providerIds ?? [],
-      isSuperAdmin: userRecord.isSuperAdmin,
-      createdAt: userRecord.createdAt,
-      updatedAt: userRecord.updatedAt,
-      deletedAt: userRecord.deletedAt,
-    }
+  async getCurrentUser(db: D1Database, userId: string): Promise<User> {
+    return getCurrentUserSql(db, userId)
   },
 }