npm - @jskit-ai/users-core - Versions diffs - 0.1.32 → 0.1.35 - Mend

@jskit-ai/users-core 0.1.32 → 0.1.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/src/shared/roles.js CHANGED Viewed

@@ -20,10 +20,35 @@ function normalizeRoleId(value) {
     .toLowerCase();
 }
-function createRoleDescriptor(roleSid, configuredDefinition) {
+function resolveInheritedRolePermissions(roleSid, configuredRoles = {}, seenRoleIds = new Set()) {
+  if (seenRoleIds.has(roleSid)) {
+    throw new TypeError(`roleCatalog role "${roleSid}" has circular inheritance.`);
+  }
+  const source = asRecord(configuredRoles[roleSid]);
+  const inheritedRoleId = normalizeRoleId(source.inherits);
+  const directPermissions = normalizePermissionList(source.permissions);
+  if (!inheritedRoleId) {
+    return directPermissions;
+  }
+  if (!Object.hasOwn(configuredRoles, inheritedRoleId)) {
+    throw new TypeError(`roleCatalog role "${roleSid}" inherits unknown role "${inheritedRoleId}".`);
+  }
+  const nextSeenRoleIds = new Set(seenRoleIds);
+  nextSeenRoleIds.add(roleSid);
+  return normalizePermissionList([
+    ...resolveInheritedRolePermissions(inheritedRoleId, configuredRoles, nextSeenRoleIds),
+    ...directPermissions
+  ]);
+}
+function createRoleDescriptor(roleSid, configuredDefinition, configuredRoles = {}) {
   const source = asRecord(configuredDefinition);
   const assignable = roleSid === OWNER_ROLE_ID ? false : source.assignable === true;
-  const permissions = normalizePermissionList(source.permissions);
+  const permissions = resolveInheritedRolePermissions(roleSid, configuredRoles);
   return Object.freeze({
     id: roleSid,
@@ -38,12 +63,12 @@ function listConfiguredRoleIds(appConfig = {}) {
 }
 function resolveConfiguredDefaultInviteRole(appConfig = {}) {
-  return normalizeRoleId(appConfig?.workspaceRoles?.defaultInviteRole);
+  return normalizeRoleId(appConfig?.roleCatalog?.workspace?.defaultInviteRole);
 }
 function normalizeConfiguredRoles(appConfig = {}) {
-  const workspaceRoles = asRecord(appConfig?.workspaceRoles);
-  const configuredRoles = asRecord(workspaceRoles.roles);
+  const roleCatalog = asRecord(appConfig?.roleCatalog);
+  const configuredRoles = asRecord(roleCatalog.roles);
   const normalizedRoles = {};
   for (const [roleSid, roleDefinition] of Object.entries(configuredRoles)) {
@@ -60,7 +85,7 @@ function normalizeConfiguredRoles(appConfig = {}) {
 function createWorkspaceRoleCatalog(appConfig = {}) {
   const configuredRoles = normalizeConfiguredRoles(appConfig);
   const roleIds = listConfiguredRoleIds(appConfig);
-  const roles = roleIds.map((roleSid) => createRoleDescriptor(roleSid, configuredRoles[roleSid]));
+  const roles = roleIds.map((roleSid) => createRoleDescriptor(roleSid, configuredRoles[roleSid], configuredRoles));
   const assignableRoleIds = roles.filter((role) => role.assignable).map((role) => role.id);
   const configuredDefaultInviteRole = resolveConfiguredDefaultInviteRole(appConfig);
   const defaultInviteRole = assignableRoleIds.includes(configuredDefaultInviteRole)

package/src/shared/settings.js CHANGED Viewed

@@ -30,8 +30,7 @@ const DEFAULT_USER_SETTINGS = Object.freeze({
   accountActivity: true,
   securityAlerts: true,
   passwordSignInEnabled: true,
-  passwordSetupRequired: false,
-  lastActiveWorkspaceId: null
+  passwordSetupRequired: false
 });
 function normalizeWorkspaceHexColor(value) {

package/templates/migrations/users_core_generic_initial.cjs ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  const hasUsersTable = await knex.schema.hasTable("users");
+  if (!hasUsersTable) {
+    await knex.schema.createTable("users", (table) => {
+      table.increments("id").primary();
+      table.string("auth_provider", 64).notNullable();
+      table.string("auth_provider_user_sid", 191).notNullable();
+      table.string("email", 255).notNullable();
+      table.string("username", 120).notNullable();
+      table.string("display_name", 160).notNullable();
+      table.string("avatar_storage_key", 512).nullable();
+      table.string("avatar_version", 64).nullable();
+      table.timestamp("avatar_updated_at", { useTz: false }).nullable();
+      table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+      table.unique(["auth_provider", "auth_provider_user_sid"], "uq_users_identity");
+      table.unique(["email"], "uq_users_email");
+      table.unique(["username"], "uq_users_username");
+    });
+  }
+  const hasUserSettingsTable = await knex.schema.hasTable("user_settings");
+  if (!hasUserSettingsTable) {
+    await knex.schema.createTable("user_settings", (table) => {
+      table.integer("user_id").unsigned().primary().references("id").inTable("users").onDelete("CASCADE");
+      table.string("theme", 32).notNullable().defaultTo("system");
+      table.string("locale", 24).notNullable().defaultTo("en");
+      table.string("time_zone", 64).notNullable().defaultTo("UTC");
+      table.string("date_format", 32).notNullable().defaultTo("yyyy-mm-dd");
+      table.string("number_format", 32).notNullable().defaultTo("1,234.56");
+      table.string("currency_code", 3).notNullable().defaultTo("USD");
+      table.integer("avatar_size").notNullable().defaultTo(64);
+      table.boolean("password_sign_in_enabled").notNullable().defaultTo(true);
+      table.boolean("password_setup_required").notNullable().defaultTo(false);
+      table.boolean("notify_product_updates").notNullable().defaultTo(true);
+      table.boolean("notify_account_activity").notNullable().defaultTo(true);
+      table.boolean("notify_security_alerts").notNullable().defaultTo(true);
+      table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+      table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    });
+  }
+  const hasConsoleSettingsTable = await knex.schema.hasTable("console_settings");
+  if (!hasConsoleSettingsTable) {
+    await knex.schema.createTable("console_settings", (table) => {
+      table.integer("id").primary();
+      table.integer("owner_user_id").unsigned().nullable().references("id").inTable("users").onDelete("SET NULL");
+      table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+      table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    });
+    await knex("console_settings").insert({
+      id: 1,
+      created_at: knex.fn.now(),
+      updated_at: knex.fn.now()
+    });
+  }
+};
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTableIfExists("console_settings");
+  await knex.schema.dropTableIfExists("user_settings");
+  await knex.schema.dropTableIfExists("users");
+};

package/test/authProfileSyncService.test.js CHANGED Viewed

@@ -7,7 +7,7 @@ test("authProfileSyncService.syncIdentityProfile uses shared transaction for pro
   const transaction = { trxId: "tx-1" };
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity(_identity, options = {}) {
         calls.push({ step: "find", trx: options.trx || null });
         return null;
@@ -64,7 +64,7 @@ test("authProfileSyncService.syncIdentityProfile skips write path when profile i
   let provisionCalls = 0;
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return {
           id: 7,
@@ -109,7 +109,7 @@ test("authProfileSyncService.syncIdentityProfile skips write path when profile i
 test("authProfileSyncService.findByIdentity normalizes provider identity input", async () => {
   let capturedIdentity = null;
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity(identity) {
         capturedIdentity = identity;
         return null;

package/test/avatarService.test.js CHANGED Viewed

@@ -59,7 +59,7 @@ test("avatarService uploadForUser stores bytes and updates profile avatar fields
   };
   const avatarService = createService({
-    userProfilesRepository: repository,
+    usersRepository: repository,
     avatarStorageService
   });
@@ -99,7 +99,7 @@ test("avatarService clearForUser removes stored avatar and clears profile fields
   };
   const avatarService = createService({
-    userProfilesRepository: repository,
+    usersRepository: repository,
     avatarStorageService
   });

package/test/registerUsersCore.test.js ADDED Viewed

@@ -0,0 +1,42 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { registerUsersCore } from "../src/server/registerUsersCore.js";
+test("registerUsersCore registers console and workspace action surface aliases when action runtime is available", () => {
+  const calls = [];
+  const app = {
+    singleton() {
+      return this;
+    },
+    actionSurfaceSource(sourceName, resolver) {
+      calls.push({
+        sourceName: String(sourceName || ""),
+        resolverType: typeof resolver
+      });
+      return this;
+    }
+  };
+  registerUsersCore(app);
+  assert.deepEqual(calls, [
+    {
+      sourceName: "workspace",
+      resolverType: "function"
+    },
+    {
+      sourceName: "console",
+      resolverType: "function"
+    }
+  ]);
+});
+test("registerUsersCore still works when action runtime has not installed actionSurfaceSource yet", () => {
+  const app = {
+    singleton() {
+      return this;
+    }
+  };
+  assert.doesNotThrow(() => registerUsersCore(app));
+});

package/test/roles.test.js CHANGED Viewed

@@ -7,7 +7,7 @@ import {
   hasPermission
 } from "../src/shared/roles.js";
-test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.workspaceRoles", () => {
+test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.roleCatalog", () => {
   const emptyCatalog = createWorkspaceRoleCatalog();
   assert.deepEqual(emptyCatalog.roles, []);
   assert.deepEqual(emptyCatalog.assignableRoleIds, []);
@@ -15,8 +15,10 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
   assert.equal(emptyCatalog.collaborationEnabled, false);
   const appConfig = {
-    workspaceRoles: {
-      defaultInviteRole: "editor",
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "editor"
+      },
       roles: {
         owner: {
           assignable: false,
@@ -24,7 +26,7 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
         },
         editor: {
           assignable: true,
-          permissions: ["crud_contacts.*"]
+          permissions: ["crud.contacts.*"]
         }
       }
     }
@@ -35,7 +37,90 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
   assert.equal(roleCatalog.defaultInviteRole, "editor");
   assert.equal(roleCatalog.assignableRoleIds.includes("editor"), true);
   assert.deepEqual(resolveRolePermissions("owner", appConfig), ["workspace.settings.update"]);
-  assert.equal(hasPermission(editorRole?.permissions, "crud_contacts.update"), true);
+  assert.equal(hasPermission(editorRole?.permissions, "crud.contacts.update"), true);
+});
+test("createWorkspaceRoleCatalog resolves inherited role permissions with parent permissions first", () => {
+  const appConfig = {
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "member"
+      },
+      roles: {
+        member: {
+          assignable: true,
+          permissions: [
+            "workspace.settings.view",
+            "crud.contacts.list"
+          ]
+        },
+        admin: {
+          assignable: true,
+          inherits: "member",
+          permissions: [
+            "workspace.settings.update",
+            "workspace.members.manage",
+            "workspace.settings.view"
+          ]
+        }
+      }
+    }
+  };
+  const roleCatalog = createWorkspaceRoleCatalog(appConfig);
+  const adminRole = roleCatalog.roles.find((role) => role.id === "admin");
+  assert.deepEqual(adminRole, {
+    id: "admin",
+    assignable: true,
+    permissions: [
+      "workspace.settings.view",
+      "crud.contacts.list",
+      "workspace.settings.update",
+      "workspace.members.manage"
+    ]
+  });
+});
+test("createWorkspaceRoleCatalog rejects unknown inherited roles", () => {
+  assert.throws(
+    () =>
+      createWorkspaceRoleCatalog({
+        roleCatalog: {
+          roles: {
+            admin: {
+              assignable: true,
+              inherits: "member",
+              permissions: []
+            }
+          }
+        }
+      }),
+    /inherits unknown role "member"/
+  );
+});
+test("createWorkspaceRoleCatalog rejects circular inherited roles", () => {
+  assert.throws(
+    () =>
+      createWorkspaceRoleCatalog({
+        roleCatalog: {
+          roles: {
+            member: {
+              assignable: true,
+              inherits: "admin",
+              permissions: []
+            },
+            admin: {
+              assignable: true,
+              inherits: "member",
+              permissions: []
+            }
+          }
+        }
+      }),
+    /circular inheritance/
+  );
 });
 test("cloneWorkspaceRoleCatalog normalizes role ids and returns detached arrays", () => {

package/test/usersBootstrapContributor.test.js ADDED Viewed

@@ -0,0 +1,172 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createUsersBootstrapContributor } from "../src/server/usersBootstrapContributor.js";
+import {
+  TENANCY_MODE_PERSONAL,
+  WORKSPACE_SLUG_POLICY_IMMUTABLE_USERNAME
+} from "../src/shared/tenancyProfile.js";
+function createAuthenticatedProfile(overrides = {}) {
+  return {
+    id: 7,
+    authProvider: "local",
+    authProviderUserSid: "user-7",
+    username: "tester",
+    displayName: "Test User",
+    email: "test@example.com",
+    ...overrides
+  };
+}
+function createUserSettings() {
+  return {
+    theme: "system",
+    locale: "en",
+    timeZone: "UTC",
+    dateFormat: "YYYY-MM-DD",
+    numberFormat: "1,234.56",
+    currencyCode: "USD",
+    avatarSize: 64,
+    productUpdates: true,
+    accountActivity: true,
+    securityAlerts: true
+  };
+}
+test("users bootstrap contributor seeds the initial console owner and exposes generic app payload", async () => {
+  const profile = createAuthenticatedProfile({ id: 12 });
+  const consoleOwnerSeeds = [];
+  const writtenSessions = [];
+  const contributor = createUsersBootstrapContributor({
+    usersRepository: {
+      async findById() {
+        return profile;
+      }
+    },
+    userSettingsRepository: {
+      async ensureForUserId() {
+        return createUserSettings();
+      }
+    },
+    authService: {
+      writeSessionCookies(reply, session) {
+        writtenSessions.push({ reply, session });
+      },
+      getOAuthProviderCatalog() {
+        return {
+          providers: [
+            { id: "google", label: "Google" }
+          ],
+          defaultProvider: "google"
+        };
+      }
+    },
+    consoleService: {
+      async ensureInitialConsoleMember(userId) {
+        consoleOwnerSeeds.push(Number(userId));
+        return Number(userId);
+      }
+    }
+  });
+  const reply = {};
+  const payload = await contributor.contribute({
+    request: {
+      async executeAction() {
+        return {
+          authenticated: true,
+          profile,
+          session: {
+            csrfToken: "csrf-1"
+          }
+        };
+      }
+    },
+    reply
+  });
+  assert.deepEqual(consoleOwnerSeeds, [12]);
+  assert.equal(writtenSessions.length, 1);
+  assert.equal(writtenSessions[0].reply, reply);
+  assert.deepEqual(writtenSessions[0].session, {
+    csrfToken: "csrf-1"
+  });
+  assert.equal(payload.session.authenticated, true);
+  assert.equal(payload.session.userId, 12);
+  assert.equal(payload.surfaceAccess.consoleowner, true);
+  assert.equal(payload.app.features.workspaceSwitching, false);
+  assert.deepEqual(payload.session.oauthProviders, [
+    {
+      id: "google",
+      label: "Google"
+    }
+  ]);
+  assert.equal(payload.session.oauthDefaultProvider, "google");
+  assert.deepEqual(payload.workspaces, []);
+  assert.deepEqual(payload.userSettings, {});
+  assert.equal(payload.requestMeta.hasRequest, true);
+});
+test("users bootstrap contributor emits canonical tenancy profile for anonymous bootstrap", async () => {
+  const contributor = createUsersBootstrapContributor({
+    usersRepository: {
+      async findById() {
+        return null;
+      }
+    },
+    userSettingsRepository: {
+      async ensureForUserId() {
+        return createUserSettings();
+      }
+    },
+    tenancyProfile: {
+      mode: TENANCY_MODE_PERSONAL,
+      workspace: {
+        enabled: true,
+        autoProvision: true,
+        allowSelfCreate: false,
+        slugPolicy: WORKSPACE_SLUG_POLICY_IMMUTABLE_USERNAME
+      }
+    },
+    appConfig: {
+      tenancyMode: "none"
+    },
+    authService: {
+      getOAuthProviderCatalog() {
+        return {
+          providers: [],
+          defaultProvider: null
+        };
+      }
+    }
+  });
+  const payload = await contributor.contribute({
+    request: {
+      async executeAction() {
+        return {
+          authenticated: false
+        };
+      }
+    },
+    reply: {}
+  });
+  assert.deepEqual(payload.tenancy, {
+    mode: TENANCY_MODE_PERSONAL,
+    workspace: {
+      enabled: true,
+      autoProvision: true,
+      allowSelfCreate: false,
+      slugPolicy: WORKSPACE_SLUG_POLICY_IMMUTABLE_USERNAME
+    }
+  });
+  assert.deepEqual(payload.session, {
+    authenticated: false,
+    oauthProviders: [],
+    oauthDefaultProvider: null
+  });
+  assert.deepEqual(payload.workspaces, []);
+  assert.equal(payload.surfaceAccess.consoleowner, false);
+  assert.equal(payload.userSettings, null);
+});