@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/adapters/sqliteAuth.js

@@ -25,13 +25,35 @@ function initSchema(db) {
     passwordHash  TEXT,
     providerIds   TEXT NOT NULL DEFAULT '[]',
     roles         TEXT NOT NULL DEFAULT '[]',
-    emailVerified INTEGER NOT NULL DEFAULT 0
+    emailVerified INTEGER NOT NULL DEFAULT 0,
+    displayName   TEXT,
+    firstName     TEXT,
+    lastName      TEXT,
+    externalId    TEXT,
+    suspended     INTEGER NOT NULL DEFAULT 0,
+    suspendedAt   TEXT,
+    suspendedReason TEXT
   )`);
     // Add emailVerified to pre-existing databases that lack the column
     try {
         db.run("ALTER TABLE users ADD COLUMN emailVerified INTEGER NOT NULL DEFAULT 0");
     }
     catch { /* already exists */ }
+    // Add profile and suspension columns to pre-existing databases
+    for (const col of [
+        "ALTER TABLE users ADD COLUMN displayName TEXT",
+        "ALTER TABLE users ADD COLUMN firstName TEXT",
+        "ALTER TABLE users ADD COLUMN lastName TEXT",
+        "ALTER TABLE users ADD COLUMN externalId TEXT",
+        "ALTER TABLE users ADD COLUMN suspended INTEGER NOT NULL DEFAULT 0",
+        "ALTER TABLE users ADD COLUMN suspendedAt TEXT",
+        "ALTER TABLE users ADD COLUMN suspendedReason TEXT",
+    ]) {
+        try {
+            db.run(col);
+        }
+        catch { /* column already exists */ }
+    }
     // Add MFA columns to pre-existing databases
     try {
         db.run("ALTER TABLE users ADD COLUMN mfaSecret TEXT");
@@ -78,6 +100,14 @@ function initSchema(db) {
         db.run("ALTER TABLE sessions ADD COLUMN prevTokenExpiresAt INTEGER");
     }
     catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN fingerprint TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN mfaVerifiedAt INTEGER");
+    }
+    catch { /* already exists */ }
     db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_refreshToken ON sessions(refreshToken) WHERE refreshToken IS NOT NULL");
     db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
     state        TEXT PRIMARY KEY,
@@ -119,6 +149,35 @@ function initSchema(db) {
     createdAt    INTEGER NOT NULL
   )`);
     db.run("CREATE INDEX IF NOT EXISTS idx_webauthn_userId ON webauthn_credentials(userId)");
+    db.run(`CREATE TABLE IF NOT EXISTS groups (
+    id          TEXT    PRIMARY KEY,
+    name        TEXT    NOT NULL,
+    displayName TEXT,
+    description TEXT,
+    roles       TEXT    NOT NULL DEFAULT '[]',
+    tenantId    TEXT,
+    createdAt   INTEGER NOT NULL,
+    updatedAt   INTEGER NOT NULL
+  )`);
+    // SQLite UNIQUE treats each NULL as distinct, so we use partial indexes instead of
+    // a simple UNIQUE constraint on (name, tenantId). This correctly enforces name
+    // uniqueness within app-wide scope and within each tenant scope separately.
+    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_groups_name_appwide ON groups(name) WHERE tenantId IS NULL");
+    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_groups_name_tenant ON groups(name, tenantId) WHERE tenantId IS NOT NULL");
+    db.run("CREATE INDEX IF NOT EXISTS idx_groups_tenantId ON groups(tenantId)");
+    db.run(`CREATE TABLE IF NOT EXISTS group_memberships (
+    userId    TEXT    NOT NULL,
+    groupId   TEXT    NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    roles     TEXT    NOT NULL DEFAULT '[]',
+    tenantId  TEXT,
+    createdAt INTEGER NOT NULL,
+    PRIMARY KEY (userId, groupId)
+  )`);
+    // NOTE: PRAGMA foreign_keys = ON is set in setSqliteDb() and must run per-connection.
+    // If any code path opens SQLite without going through setSqliteDb, ON DELETE CASCADE
+    // for group_memberships will silently not fire. All SQLite access must use setSqliteDb.
+    db.run("CREATE INDEX IF NOT EXISTS idx_gm_groupId ON group_memberships(groupId)");
+    db.run("CREATE INDEX IF NOT EXISTS idx_gm_userId_tenantId ON group_memberships(userId, tenantId)");
     db.run(`CREATE TABLE IF NOT EXISTS oauth_codes (
     codeHash     TEXT PRIMARY KEY,
     token        TEXT NOT NULL,
@@ -127,6 +186,20 @@ function initSchema(db) {
     refreshToken TEXT,
     expiresAt    INTEGER NOT NULL
   )`);
+    db.run(`CREATE TABLE IF NOT EXISTS deletion_cancel_tokens (
+    token     TEXT PRIMARY KEY,
+    userId    TEXT NOT NULL,
+    jobId     TEXT NOT NULL,
+    expiresAt INTEGER NOT NULL
+  )`);
+    db.run(`CREATE TABLE IF NOT EXISTS upload_registry (
+    key           TEXT PRIMARY KEY,
+    ownerUserId   TEXT,
+    tenantId      TEXT,
+    mimeType      TEXT,
+    bucket        TEXT,
+    createdAt     INTEGER NOT NULL
+  )`);
 }
 // ---------------------------------------------------------------------------
 // Auth adapter
@@ -205,13 +278,19 @@ export const sqliteAuthAdapter = {
         db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles.filter((r) => r !== role)), userId]);
     },
     async getUser(userId) {
-        const row = getDb().query("SELECT email, providerIds, emailVerified FROM users WHERE id = ?").get(userId);
+        const row = getDb().query("SELECT email, providerIds, emailVerified, displayName, firstName, lastName, externalId, suspended, suspendedReason FROM users WHERE id = ?").get(userId);
         if (!row)
             return null;
         return {
             email: row.email ?? undefined,
             providerIds: JSON.parse(row.providerIds),
             emailVerified: row.emailVerified === 1,
+            displayName: row.displayName ?? undefined,
+            firstName: row.firstName ?? undefined,
+            lastName: row.lastName ?? undefined,
+            externalId: row.externalId ?? undefined,
+            suspended: row.suspended === 1,
+            suspendedReason: row.suspendedReason ?? undefined,
         };
     },
     async unlinkProvider(userId, provider) {
@@ -325,6 +404,227 @@ export const sqliteAuthAdapter = {
     async removeTenantRole(userId, tenantId, role) {
         getDb().run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ? AND role = ?", [userId, tenantId, role]);
     },
+    async setSuspended(userId, suspended, reason) {
+        if (suspended) {
+            getDb().run("UPDATE users SET suspended = 1, suspendedAt = ?, suspendedReason = ? WHERE id = ?", [new Date().toISOString(), reason ?? null, userId]);
+        }
+        else {
+            getDb().run("UPDATE users SET suspended = 0, suspendedAt = NULL, suspendedReason = NULL WHERE id = ?", [userId]);
+        }
+    },
+    async getSuspended(userId) {
+        const row = getDb().query("SELECT suspended, suspendedReason FROM users WHERE id = ?").get(userId);
+        if (!row)
+            return null;
+        return { suspended: row.suspended === 1, suspendedReason: row.suspendedReason ?? undefined };
+    },
+    async updateProfile(userId, fields) {
+        const sets = [];
+        const params = [];
+        if ("displayName" in fields) {
+            sets.push("displayName = ?");
+            params.push(fields.displayName ?? null);
+        }
+        if ("firstName" in fields) {
+            sets.push("firstName = ?");
+            params.push(fields.firstName ?? null);
+        }
+        if ("lastName" in fields) {
+            sets.push("lastName = ?");
+            params.push(fields.lastName ?? null);
+        }
+        if ("externalId" in fields) {
+            sets.push("externalId = ?");
+            params.push(fields.externalId ?? null);
+        }
+        if (sets.length === 0)
+            return;
+        params.push(userId);
+        getDb().run(`UPDATE users SET ${sets.join(", ")} WHERE id = ?`, params);
+    },
+    async listUsers(query) {
+        const db = getDb();
+        const conditions = [];
+        const params = [];
+        if (query.email !== undefined) {
+            conditions.push("email = ?");
+            params.push(query.email);
+        }
+        if (query.externalId !== undefined) {
+            conditions.push("externalId = ?");
+            params.push(query.externalId);
+        }
+        if (query.suspended !== undefined) {
+            conditions.push("suspended = ?");
+            params.push(query.suspended ? 1 : 0);
+        }
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+        const startIndex = query.startIndex ?? 0;
+        const count = query.count ?? 100;
+        const queryParams = [...params, count, startIndex];
+        const countParams = params;
+        const rows = db.prepare(`SELECT id, email, displayName, firstName, lastName, externalId, suspended, suspendedAt, suspendedReason, emailVerified, providerIds FROM users ${where} LIMIT ? OFFSET ?`).all(...queryParams);
+        const totalRow = db.prepare(`SELECT COUNT(*) as c FROM users ${where}`).get(...countParams);
+        const totalResults = totalRow?.c ?? 0;
+        return {
+            users: rows.map((r) => ({
+                id: r.id,
+                email: r.email ?? undefined,
+                displayName: r.displayName ?? undefined,
+                firstName: r.firstName ?? undefined,
+                lastName: r.lastName ?? undefined,
+                externalId: r.externalId ?? undefined,
+                suspended: r.suspended === 1,
+                suspendedAt: r.suspendedAt ? new Date(r.suspendedAt) : undefined,
+                suspendedReason: r.suspendedReason ?? undefined,
+                emailVerified: r.emailVerified === 1,
+                providerIds: JSON.parse(r.providerIds),
+            })),
+            totalResults,
+        };
+    },
+    // ---------------------------------------------------------------------------
+    // Groups
+    // ---------------------------------------------------------------------------
+    async createGroup(group) {
+        const id = crypto.randomUUID();
+        const now = Date.now();
+        try {
+            getDb().run("INSERT INTO groups (id, name, displayName, description, roles, tenantId, createdAt, updatedAt) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [id, group.name, group.displayName ?? null, group.description ?? null, JSON.stringify(group.roles ?? []), group.tenantId ?? null, now, now]);
+        }
+        catch (err) {
+            if (err?.code === "SQLITE_CONSTRAINT_UNIQUE" || err?.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
+                throw new HttpError(409, "A group with this name already exists in this scope");
+            }
+            throw err;
+        }
+        return { id };
+    },
+    async deleteGroup(groupId) {
+        // group_memberships are cascade-deleted via ON DELETE CASCADE (requires PRAGMA foreign_keys = ON)
+        getDb().run("DELETE FROM groups WHERE id = ?", [groupId]);
+    },
+    async getGroup(groupId) {
+        const row = getDb().query("SELECT id, name, displayName, description, roles, tenantId, createdAt, updatedAt FROM groups WHERE id = ?").get(groupId);
+        if (!row)
+            return null;
+        return { ...row, displayName: row.displayName ?? undefined, description: row.description ?? undefined, roles: JSON.parse(row.roles) };
+    },
+    async listGroups(tenantId, opts) {
+        const limit = Math.min(opts?.limit ?? 50, 200);
+        const offset = opts?.offset ?? 0;
+        const db = getDb();
+        const cols = "id, name, displayName, description, roles, tenantId, createdAt, updatedAt";
+        let rows;
+        let total;
+        if (tenantId === null) {
+            rows = db.query(`SELECT ${cols} FROM groups WHERE tenantId IS NULL LIMIT ? OFFSET ?`).all(limit, offset);
+            total = (db.query("SELECT COUNT(*) as c FROM groups WHERE tenantId IS NULL").get()?.c ?? 0);
+        }
+        else {
+            rows = db.query(`SELECT ${cols} FROM groups WHERE tenantId = ? LIMIT ? OFFSET ?`).all(tenantId, limit, offset);
+            total = (db.query("SELECT COUNT(*) as c FROM groups WHERE tenantId = ?").get(tenantId)?.c ?? 0);
+        }
+        const items = rows.map((r) => ({ ...r, displayName: r.displayName ?? undefined, description: r.description ?? undefined, roles: JSON.parse(r.roles) }));
+        return { items, total, limit, offset };
+    },
+    async updateGroup(groupId, updates) {
+        const db = getDb();
+        const now = Date.now();
+        const sets = ["updatedAt = ?"];
+        const params = [now];
+        if (updates.name !== undefined) {
+            sets.push("name = ?");
+            params.push(updates.name);
+        }
+        if ("displayName" in updates) {
+            sets.push("displayName = ?");
+            params.push(updates.displayName ?? null);
+        }
+        if ("description" in updates) {
+            sets.push("description = ?");
+            params.push(updates.description ?? null);
+        }
+        if (updates.roles !== undefined) {
+            sets.push("roles = ?");
+            params.push(JSON.stringify(updates.roles));
+        }
+        params.push(groupId);
+        db.run(`UPDATE groups SET ${sets.join(", ")} WHERE id = ?`, params);
+    },
+    async addGroupMember(groupId, userId, roles = []) {
+        const group = getDb().query("SELECT tenantId FROM groups WHERE id = ?").get(groupId);
+        if (!group)
+            throw new HttpError(404, "Group not found");
+        try {
+            getDb().run("INSERT INTO group_memberships (userId, groupId, roles, tenantId, createdAt) VALUES (?, ?, ?, ?, ?)", [userId, groupId, JSON.stringify(roles), group.tenantId ?? null, Date.now()]);
+        }
+        catch (err) {
+            if (err?.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || err?.code === "SQLITE_CONSTRAINT_UNIQUE") {
+                throw new HttpError(409, "User is already a member of this group");
+            }
+            throw err;
+        }
+    },
+    async updateGroupMembership(groupId, userId, roles) {
+        getDb().run("UPDATE group_memberships SET roles = ? WHERE userId = ? AND groupId = ?", [JSON.stringify(roles), userId, groupId]);
+    },
+    async removeGroupMember(groupId, userId) {
+        getDb().run("DELETE FROM group_memberships WHERE userId = ? AND groupId = ?", [userId, groupId]);
+    },
+    async getGroupMembers(groupId, opts) {
+        const limit = Math.min(opts?.limit ?? 50, 200);
+        const offset = opts?.offset ?? 0;
+        const db = getDb();
+        const rows = db.query("SELECT userId, roles FROM group_memberships WHERE groupId = ? LIMIT ? OFFSET ?").all(groupId, limit, offset);
+        const total = db.query("SELECT COUNT(*) as c FROM group_memberships WHERE groupId = ?").get(groupId)?.c ?? 0;
+        return { items: rows.map((r) => ({ userId: r.userId, roles: JSON.parse(r.roles) })), total, limit, offset };
+    },
+    async getUserGroups(userId, tenantId) {
+        const db = getDb();
+        let memberRows;
+        if (tenantId === null) {
+            memberRows = db.query("SELECT groupId, roles as memberRoles FROM group_memberships WHERE userId = ? AND tenantId IS NULL").all(userId);
+        }
+        else {
+            memberRows = db.query("SELECT groupId, roles as memberRoles FROM group_memberships WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
+        }
+        if (memberRows.length === 0)
+            return [];
+        const result = [];
+        for (const m of memberRows) {
+            const row = db.query("SELECT id, name, displayName, description, roles, tenantId, createdAt, updatedAt FROM groups WHERE id = ?").get(m.groupId);
+            if (row) {
+                result.push({
+                    group: { ...row, displayName: row.displayName ?? undefined, description: row.description ?? undefined, roles: JSON.parse(row.roles) },
+                    membershipRoles: JSON.parse(m.memberRoles),
+                });
+            }
+        }
+        return result;
+    },
+    async getEffectiveRoles(userId, tenantId) {
+        const db = getDb();
+        // Direct roles
+        let direct = [];
+        if (tenantId) {
+            const rows = db.query("SELECT role FROM tenant_roles WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
+            direct = rows.map((r) => r.role);
+        }
+        else {
+            const row = db.query("SELECT roles FROM users WHERE id = ?").get(userId);
+            direct = row ? JSON.parse(row.roles) : [];
+        }
+        let memberRows;
+        if (tenantId === null) {
+            memberRows = db.query("SELECT g.roles as groupRoles, gm.roles as memberRoles FROM group_memberships gm JOIN groups g ON g.id = gm.groupId WHERE gm.userId = ? AND gm.tenantId IS NULL").all(userId);
+        }
+        else {
+            memberRows = db.query("SELECT g.roles as groupRoles, gm.roles as memberRoles FROM group_memberships gm JOIN groups g ON g.id = gm.groupId WHERE gm.userId = ? AND gm.tenantId = ?").all(userId, tenantId);
+        }
+        const groupRoles = memberRows.flatMap((r) => [...JSON.parse(r.groupRoles), ...JSON.parse(r.memberRoles)]);
+        return [...new Set([...direct, ...groupRoles])];
+    },
 };
 import { getPersistSessionMetadata, getIncludeInactiveSessions } from "../lib/appConfig";
 const SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
@@ -413,6 +713,20 @@ export const sqliteRotateRefreshToken = (sessionId, newRefreshToken, newAccessTo
     const prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
     getDb().run("UPDATE sessions SET prevRefreshToken = refreshToken, prevTokenExpiresAt = ?, refreshToken = ?, token = ? WHERE sessionId = ?", [prevTokenExpiresAt, newRefreshToken, newAccessToken, sessionId]);
 };
+export const sqliteGetSessionFingerprint = (sessionId) => {
+    const row = getDb().query("SELECT fingerprint FROM sessions WHERE sessionId = ?").get(sessionId);
+    return row?.fingerprint ?? null;
+};
+export const sqliteSetSessionFingerprint = (sessionId, fingerprint) => {
+    getDb().run("UPDATE sessions SET fingerprint = ? WHERE sessionId = ?", [fingerprint, sessionId]);
+};
+export const sqliteGetMfaVerifiedAt = (sessionId) => {
+    const row = getDb().query("SELECT mfaVerifiedAt FROM sessions WHERE sessionId = ?").get(sessionId);
+    return row?.mfaVerifiedAt ?? null;
+};
+export const sqliteSetMfaVerifiedAt = (sessionId, ts) => {
+    getDb().run("UPDATE sessions SET mfaVerifiedAt = ? WHERE sessionId = ?", [ts, sessionId]);
+};
 // ---------------------------------------------------------------------------
 // OAuth state helpers (used by src/lib/oauth.ts)
 // ---------------------------------------------------------------------------
@@ -464,6 +778,10 @@ export const sqliteGetVerificationToken = (token) => {
 export const sqliteDeleteVerificationToken = (token) => {
     getDb().run("DELETE FROM email_verifications WHERE token = ?", [token]);
 };
+export const sqliteConsumeVerificationToken = (token) => {
+    const row = getDb().query("DELETE FROM email_verifications WHERE token = ? AND expiresAt > ? RETURNING userId, email").get(token, Date.now());
+    return row ?? null;
+};
 // ---------------------------------------------------------------------------
 // Password reset token helpers (used by src/lib/resetPassword.ts)
 // ---------------------------------------------------------------------------
@@ -475,6 +793,17 @@ export const sqliteConsumeResetToken = (hash) => {
     const row = getDb().query("DELETE FROM password_resets WHERE token = ? AND expiresAt > ? RETURNING userId, email").get(hash, Date.now());
     return row ?? null;
 };
+// ---------------------------------------------------------------------------
+// Account deletion cancel token helpers (used by src/lib/deletionCancelToken.ts)
+// ---------------------------------------------------------------------------
+export const sqliteCreateDeletionCancelToken = (token, userId, jobId, ttlSeconds) => {
+    const expiresAt = Date.now() + ttlSeconds * 1000;
+    getDb().run("INSERT INTO deletion_cancel_tokens (token, userId, jobId, expiresAt) VALUES (?, ?, ?, ?)", [token, userId, jobId, expiresAt]);
+};
+export const sqliteConsumeDeletionCancelToken = (hash) => {
+    const row = getDb().query("DELETE FROM deletion_cancel_tokens WHERE token = ? AND expiresAt > ? RETURNING userId, jobId").get(hash, Date.now());
+    return row ?? null;
+};
 export const sqliteStoreOAuthCode = (hash, payload, ttlSeconds) => {
     const expiresAt = Date.now() + ttlSeconds * 1000;
     getDb().run("INSERT INTO oauth_codes (codeHash, token, userId, email, refreshToken, expiresAt) VALUES (?, ?, ?, ?, ?, ?)", [hash, payload.token, payload.userId, payload.email ?? null, payload.refreshToken ?? null, expiresAt]);
@@ -506,3 +835,24 @@ export const startSqliteCleanup = (intervalMs = 3_600_000) => {
         db.run("DELETE FROM oauth_codes WHERE expiresAt <= ?", [now]);
     }, intervalMs);
 };
+export const sqliteRegisterUpload = (record) => {
+    getDb().run(`INSERT OR REPLACE INTO upload_registry (key, ownerUserId, tenantId, mimeType, bucket, createdAt)
+     VALUES (?, ?, ?, ?, ?, ?)`, [record.key, record.ownerUserId ?? null, record.tenantId ?? null, record.mimeType ?? null, record.bucket ?? null, record.createdAt]);
+};
+export const sqliteGetUploadRecord = (key) => {
+    const row = getDb().query("SELECT key, ownerUserId, tenantId, mimeType, bucket, createdAt FROM upload_registry WHERE key = ?").get(key);
+    if (!row)
+        return null;
+    return {
+        key: row.key,
+        ...(row.ownerUserId !== null ? { ownerUserId: row.ownerUserId } : {}),
+        ...(row.tenantId !== null ? { tenantId: row.tenantId } : {}),
+        ...(row.mimeType !== null ? { mimeType: row.mimeType } : {}),
+        ...(row.bucket !== null ? { bucket: row.bucket } : {}),
+        createdAt: row.createdAt,
+    };
+};
+export const sqliteDeleteUploadRecord = (key) => {
+    const result = getDb().run("DELETE FROM upload_registry WHERE key = ?", [key]);
+    return result.changes > 0;
+};