@naisys/erp 3.0.0-beta.37 → 3.0.0-beta.38

package/dist/generated/prisma/internal/prismaNamespace.js

@@ -282,7 +282,7 @@ export const UserScalarFieldEnum = {
     uuid: 'uuid',
     username: 'username',
     passwordHash: 'passwordHash',
-    apiKey: 'apiKey',
+    apiKeyHash: 'apiKeyHash',
     isAgent: 'isAgent',
     createdAt: 'createdAt',
     updatedAt: 'updatedAt',

package/dist/routes/auth.js

@@ -38,7 +38,7 @@ export default function authRoutes(fastify) {
             }
             // Standalone mode: authenticate against local DB
             const user = await erpDb.user.findUnique({ where: { username } });
-            if (!user) {
+            if (!user || user.passwordHash === null) {
                 return unauthorized(reply, "Invalid username or password");
             }
             const valid = await bcrypt.compare(password, user.passwordHash);

package/dist/routes/user-permissions.js

@@ -2,7 +2,8 @@ import { ErpPermissionEnum, GrantPermissionSchema } from "@naisys/erp-shared";
 import { z } from "zod/v4";
 import { authCache, requirePermission } from "../auth-middleware.js";
 import { mutationResult } from "../route-helpers.js";
-import { getUserById, getUserByUsername, grantPermission, revokePermission, rotateUserApiKey, } from "../services/user-service.js";
+import { getUserById, getUserByUsername, grantPermission, hasUserApiKey, revokePermission, rotateUserApiKey, } from "../services/user-service.js";
+import { isSupervisorAuth } from "../supervisorAuth.js";
 import { formatUser } from "./users.js";
 export default function userPermissionRoutes(fastify) {
     const app = fastify.withTypeProvider();
@@ -17,14 +18,25 @@ export default function userPermissionRoutes(fastify) {
             params: usernameParams,
         },
     }, async (request, reply) => {
+        if (isSupervisorAuth()) {
+            reply.code(400);
+            return {
+                success: false,
+                message: "API keys are managed by the supervisor when SSO is enabled.",
+            };
+        }
         const targetUser = await getUserByUsername(request.params.username);
         if (!targetUser) {
             reply.code(404);
             return { success: false, message: "User not found" };
         }
-        await rotateUserApiKey(targetUser.id);
+        const apiKey = await rotateUserApiKey(targetUser.id);
         authCache.clear();
-        return { success: true, message: "API key rotated" };
+        return {
+            success: true,
+            message: "API key generated. Copy it now; it cannot be shown again.",
+            apiKey,
+        };
     });
     // GRANT PERMISSION
     app.post("/:username/permissions", {
@@ -45,7 +57,8 @@ export default function userPermissionRoutes(fastify) {
             await grantPermission(targetUser.id, request.body.permission, request.erpUser.id);
             authCache.clear();
             const user = await getUserById(targetUser.id);
-            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+            const hasApiKey = user ? await hasUserApiKey(user.id) : false;
+            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
             return mutationResult(request, reply, full, {
                 _actions: full._actions,
             });
@@ -91,7 +104,8 @@ export default function userPermissionRoutes(fastify) {
         await revokePermission(targetUser.id, permission);
         authCache.clear();
         const user = await getUserById(targetUser.id);
-        const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+        const hasApiKey = user ? await hasUserApiKey(user.id) : false;
+        const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
         return mutationResult(request, reply, full, {
             _actions: full._actions,
         });

package/dist/routes/users.js

@@ -4,7 +4,7 @@ import { z } from "zod/v4";
 import { authCache, hasPermission, requirePermission, } from "../auth-middleware.js";
 import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
 import { mutationResult } from "../route-helpers.js";
-import { createUserForAgent, createUserWithPassword, deleteUser, getUserApiKey, getUserByUsername, getUserByUuid, listUsers, updateUser, } from "../services/user-service.js";
+import { createUserForAgent, createUserWithPassword, deleteUser, getUserByUsername, getUserByUuid, hasUserApiKey, listUsers, updateUser, } from "../services/user-service.js";
 import { isSupervisorAuth } from "../supervisorAuth.js";
 function userItemLinks(username) {
     return [
@@ -26,7 +26,10 @@ function userActions(username, isSelf, isAdmin) {
             body: { username: "" },
         });
     }
-    if (isSelf) {
+    // In SSO mode the supervisor owns passwords (passkey-only) and external API
+    // keys, so ERP doesn't expose its own change-password / rotate-key actions.
+    const sso = isSupervisorAuth();
+    if (isSelf && !sso) {
         actions.push({
             rel: "change-password",
             href: `${API_PREFIX}/users/me/password`,
@@ -45,12 +48,14 @@ function userActions(username, isSelf, isAdmin) {
             schema: `${API_PREFIX}/schemas/GrantPermission`,
             body: { permission: "" },
         });
-        actions.push({
-            rel: "rotate-key",
-            href: `${href}/rotate-key`,
-            method: "POST",
-            title: "Rotate API Key",
-        });
+        if (!sso) {
+            actions.push({
+                rel: "rotate-key",
+                href: `${href}/rotate-key`,
+                method: "POST",
+                title: "Generate API Key",
+            });
+        }
         if (!isSelf) {
             actions.push({
                 rel: "delete",
@@ -88,7 +93,7 @@ export function formatUser(user, currentUserId, currentUserPermissions, options)
         isAgent: user.isAgent,
         createdAt: user.createdAt.toISOString(),
         updatedAt: user.updatedAt.toISOString(),
-        apiKey: isAdmin ? (options?.apiKey ?? null) : undefined,
+        hasApiKey: options?.hasApiKey ?? false,
         permissions: user.permissions.map((p) => ({
             permission: p.permission,
             grantedAt: p.grantedAt.toISOString(),
@@ -201,6 +206,13 @@ export default function userRoutes(fastify) {
             });
             return;
         }
+        if (isSupervisorAuth()) {
+            reply.code(400);
+            return {
+                success: false,
+                message: "Passwords are managed by the supervisor when SSO is enabled.",
+            };
+        }
         await updateUser(request.erpUser.id, {
             password: request.body.password,
         });
@@ -223,7 +235,6 @@ export default function userRoutes(fastify) {
             return mutationResult(request, reply, full, {
                 id: full.id,
                 username: full.username,
-                apiKey: full.apiKey,
                 _links: full._links,
                 _actions: full._actions,
             });
@@ -288,7 +299,6 @@ export default function userRoutes(fastify) {
             return mutationResult(request, reply, full, {
                 id: full.id,
                 username: full.username,
-                apiKey: full.apiKey,
                 _links: full._links,
                 _actions: full._actions,
             });
@@ -319,8 +329,10 @@ export default function userRoutes(fastify) {
             reply.code(404);
             return { success: false, message: "User not found" };
         }
-        const apiKey = await getUserApiKey(user.id);
-        return formatUser(user, request.erpUser.id, request.erpUser.permissions, { apiKey });
+        const hasApiKey = isSupervisorAuth()
+            ? false
+            : await hasUserApiKey(user.id);
+        return formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
     });
     // UPDATE USER (admin can update any field; non-admin can only change own password)
     app.put("/:username", {
@@ -338,12 +350,21 @@ export default function userRoutes(fastify) {
             return { success: false, message: "User not found" };
         }
         const isAdmin = hasPermission(request.erpUser, "erp_admin");
-        // Non-admins can only change their own password
-        const body = isAdmin ? request.body : { password: request.body.password };
+        // In SSO mode the supervisor owns passwords, so we strip any password
+        // field before forwarding the update — even from admins.
+        const sso = isSupervisorAuth();
+        const body = isAdmin
+            ? sso
+                ? { username: request.body.username }
+                : request.body
+            : sso
+                ? {}
+                : { password: request.body.password };
         try {
             const user = await updateUser(targetUser.id, body);
             authCache.clear();
-            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+            const hasApiKey = sso ? false : await hasUserApiKey(user.id);
+            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
             return mutationResult(request, reply, full, {
                 _actions: full._actions,
             });

package/dist/services/user-service.js

@@ -1,8 +1,7 @@
-import { getAgentApiKeyByUuid, rotateAgentApiKeyByUuid, } from "@naisys/hub-database";
+import { generatePersistentUserApiKey } from "@naisys/common-node";
 import bcrypt from "bcryptjs";
-import { randomBytes, randomUUID } from "crypto";
+import { randomUUID } from "crypto";
 import erpDb from "../erpDb.js";
-import { isSupervisorAuth } from "../supervisorAuth.js";
 // --- Prisma include & result type ---
 export const includePermissions = {
     permissions: true,
@@ -37,19 +36,12 @@ export async function getUserById(id) {
         include: includePermissions,
     });
 }
-export async function getUserApiKey(id) {
+export async function hasUserApiKey(id) {
     const user = await erpDb.user.findUnique({
         where: { id },
-        select: { isAgent: true, uuid: true, apiKey: true },
+        select: { apiKeyHash: true },
     });
-    if (!user)
-        return null;
-    if (user.isAgent && isSupervisorAuth()) {
-        return getAgentApiKeyByUuid(user.uuid);
-    }
-    else {
-        return user.apiKey ?? null;
-    }
+    return !!user?.apiKeyHash;
 }
 // --- Mutations ---
 export async function getUserByUuid(uuid) {
@@ -63,7 +55,6 @@ export async function createUserForAgent(username, uuid) {
         data: {
             username,
             uuid,
-            passwordHash: "",
             isAgent: true,
         },
         include: includePermissions,
@@ -78,7 +69,6 @@ export async function createUserWithPassword(data) {
             uuid,
             passwordHash,
             isAgent: false,
-            apiKey: randomBytes(32).toString("hex"),
         },
         include: includePermissions,
     });
@@ -111,22 +101,15 @@ export async function revokePermission(userId, permission) {
     });
 }
 export async function rotateUserApiKey(id) {
-    const newKey = randomBytes(32).toString("hex");
-    const user = await erpDb.user.findUnique({
-        where: { id },
-        select: { isAgent: true, uuid: true },
+    return generatePersistentUserApiKey(id, {
+        userExists: async (userId) => (await erpDb.user.findUnique({
+            where: { id: userId },
+            select: { id: true },
+        })) !== null,
+        updateApiKeyHash: (userId, apiKeyHash) => erpDb.user.update({
+            where: { id: userId },
+            data: { apiKeyHash },
+        }),
     });
-    if (!user)
-        throw new Error("User not found");
-    if (user.isAgent && isSupervisorAuth()) {
-        await rotateAgentApiKeyByUuid(user.uuid, newKey);
-    }
-    else {
-        await erpDb.user.update({
-            where: { id },
-            data: { apiKey: newKey },
-        });
-    }
-    return newKey;
 }
 //# sourceMappingURL=user-service.js.map

package/dist/userService.js

@@ -1,7 +1,7 @@
 import { SUPER_ADMIN_USERNAME } from "@naisys/common";
 import { ensureSuperAdmin } from "@naisys/supervisor-database";
 import bcrypt from "bcryptjs";
-import { randomBytes, randomUUID } from "crypto";
+import { randomUUID } from "crypto";
 import erpDb from "./erpDb.js";
 const SALT_ROUNDS = 10;
 /**
@@ -31,7 +31,6 @@ export async function ensureLocalSuperAdmin(password) {
                 uuid: randomUUID(),
                 username: SUPER_ADMIN_USERNAME,
                 passwordHash: hash,
-                apiKey: randomBytes(32).toString("hex"),
             },
         });
         await ensureErpAdminPermission(user.id);
@@ -50,8 +49,8 @@ export async function ensureLocalSuperAdmin(password) {
 }
 /**
  * Sync superadmin from supervisor into ERP DB and ensure permissions.
- * For supervisor auth mode. The supervisor uses passkey-only auth, so the
- * mirrored ERP row stores a sentinel passwordHash that can never match.
+ * For supervisor auth mode. Supervisor uses passkey-only auth — the
+ * mirrored ERP row has no passwordHash.
  */
 export async function ensureSupervisorSuperAdmin() {
     const result = await ensureSuperAdmin();
@@ -60,12 +59,9 @@ export async function ensureSupervisorSuperAdmin() {
         create: {
             uuid: result.user.uuid,
             username: result.user.username,
-            passwordHash: "!sso-passkey-only",
-            apiKey: result.user.apiKey,
         },
         update: {
             username: result.user.username,
-            apiKey: result.user.apiKey,
         },
     });
     const localSuperAdmin = await erpDb.user.findUnique({

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "@naisys/erp",
-  "version": "3.0.0-beta.37",
+  "version": "3.0.0-beta.38",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@naisys/erp",
-      "version": "3.0.0-beta.37",
+      "version": "3.0.0-beta.38",
       "dependencies": {
         "@fastify/cookie": "^11.0.2",
         "@fastify/cors": "^11.2.0",
@@ -14,11 +14,11 @@
         "@fastify/rate-limit": "^10.3.0",
         "@fastify/static": "^9.0.0",
         "@fastify/swagger": "^9.7.0",
-        "@naisys/common": "3.0.0-beta.37",
-        "@naisys/common-node": "3.0.0-beta.37",
-        "@naisys/erp-shared": "3.0.0-beta.37",
-        "@naisys/hub-database": "3.0.0-beta.37",
-        "@naisys/supervisor-database": "3.0.0-beta.37",
+        "@naisys/common": "3.0.0-beta.38",
+        "@naisys/common-node": "3.0.0-beta.38",
+        "@naisys/erp-shared": "3.0.0-beta.38",
+        "@naisys/hub-database": "3.0.0-beta.38",
+        "@naisys/supervisor-database": "3.0.0-beta.38",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "@scalar/fastify-api-reference": "^1.48.7",
@@ -394,41 +394,41 @@
       }
     },
     "node_modules/@naisys/common": {
-      "version": "3.0.0-beta.37",
-      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.37.tgz",
-      "integrity": "sha512-b0XfCadaPcfewmK9b649WD+ZGB86Uk9BjTrx/tLSgd5Nbx7L6NuzTqTnDFScdeCmtyPk4oUGAzATmXwKTM8bew==",
+      "version": "3.0.0-beta.38",
+      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.38.tgz",
+      "integrity": "sha512-YJIawcV12XNgzQz/QcM2oAYhu4O4V55tHm0JZrEdmBt2GS33VsGIVJqhDtg3sVWvtsDfh8QkK7EjwPEvgj7fzA==",
       "dependencies": {
         "semver": "^7.7.4",
         "zod": "^4.3.6"
       }
     },
     "node_modules/@naisys/common-node": {
-      "version": "3.0.0-beta.37",
-      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.37.tgz",
-      "integrity": "sha512-V4yyA79G93OSqZ+6l5FWoMqnATE2It78VkGyziNTqcrv2CIf8UDGbds7hHV+bp/0VplNe6BrZ4P7quYvgyCeeQ==",
+      "version": "3.0.0-beta.38",
+      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.38.tgz",
+      "integrity": "sha512-dNVvY+gWzBx4I+3chvNl74MgrcxVBFpPB+0acYSl7bcINvhqmbqLMYryR4AwOvU+dc09GDbpgugE6EWIQnn/zA==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.37",
+        "@naisys/common": "3.0.0-beta.38",
         "better-sqlite3": "^12.6.2",
         "js-yaml": "^4.1.1",
         "pino": "^10.3.1"
       }
     },
     "node_modules/@naisys/erp-shared": {
-      "version": "3.0.0-beta.37",
-      "resolved": "https://registry.npmjs.org/@naisys/erp-shared/-/erp-shared-3.0.0-beta.37.tgz",
-      "integrity": "sha512-CjHqdXX/kmrEROLdqiLK6kTIauK2InTiXfOjyhtTQRVrB3TPmhsnH4qtnFGCDu2G00o2l+D30YUGyFt0ZrQyVw==",
+      "version": "3.0.0-beta.38",
+      "resolved": "https://registry.npmjs.org/@naisys/erp-shared/-/erp-shared-3.0.0-beta.38.tgz",
+      "integrity": "sha512-3lDS/qJBl1brKhkMilliUJY+k9K9E8ctARFwdPuwrLCUleIVUKx2VGEKsEWF0mYLIrvTMOSwB8gyG+ZQlCQaVw==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.37",
+        "@naisys/common": "3.0.0-beta.38",
         "zod": "^4.3.6"
       }
     },
     "node_modules/@naisys/hub-database": {
-      "version": "3.0.0-beta.37",
-      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.37.tgz",
-      "integrity": "sha512-PI8Jj4niCc6agObLWpP+Am8nrNcwAAk77/OmZmUWq1ZiBW+m5C60PFdfBvzLEZX/6G/JOb0VvI9oLpzFD6VRKg==",
+      "version": "3.0.0-beta.38",
+      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.38.tgz",
+      "integrity": "sha512-h+e50Qjg389ewSKU2jAisexlmajEAK34lMz6FKWd8Hog/PI6v3BYKB/8wgL2HmI78apmHIjh1FRW3NQNF+D8rw==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.37",
-        "@naisys/common-node": "3.0.0-beta.37",
+        "@naisys/common": "3.0.0-beta.38",
+        "@naisys/common-node": "3.0.0-beta.38",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "better-sqlite3": "^12.6.2",
@@ -436,12 +436,12 @@
       }
     },
     "node_modules/@naisys/supervisor-database": {
-      "version": "3.0.0-beta.37",
-      "resolved": "https://registry.npmjs.org/@naisys/supervisor-database/-/supervisor-database-3.0.0-beta.37.tgz",
-      "integrity": "sha512-NSbw5kbBYZIBB7aRkuhMfaARuU8P61RZK1ME1AlEL2UB0DMmXoys1MD49wC2hafP+/MV0B6miLAOIjfy7BAR1g==",
+      "version": "3.0.0-beta.38",
+      "resolved": "https://registry.npmjs.org/@naisys/supervisor-database/-/supervisor-database-3.0.0-beta.38.tgz",
+      "integrity": "sha512-3lV4sFHQZkTtNK80N3DpJ3YrfxE/3Pq6CtoavXiEsM2TaMAThjewbHTlY3RyrdfrHK0txTCiC24LCwiSn4qUpg==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.37",
-        "@naisys/common-node": "3.0.0-beta.37",
+        "@naisys/common": "3.0.0-beta.38",
+        "@naisys/common-node": "3.0.0-beta.38",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "bcryptjs": "^3.0.2",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naisys/erp",
-  "version": "3.0.0-beta.37",
+  "version": "3.0.0-beta.38",
   "description": "NAISYS ERP - Web UI for AI-driven order and work management",
   "type": "module",
   "main": "dist/erpServer.js",
@@ -46,11 +46,11 @@
     "@fastify/rate-limit": "^10.3.0",
     "@fastify/static": "^9.0.0",
     "@fastify/swagger": "^9.7.0",
-    "@naisys/common": "3.0.0-beta.37",
-    "@naisys/common-node": "3.0.0-beta.37",
-    "@naisys/erp-shared": "3.0.0-beta.37",
-    "@naisys/hub-database": "3.0.0-beta.37",
-    "@naisys/supervisor-database": "3.0.0-beta.37",
+    "@naisys/common": "3.0.0-beta.38",
+    "@naisys/common-node": "3.0.0-beta.38",
+    "@naisys/erp-shared": "3.0.0-beta.38",
+    "@naisys/hub-database": "3.0.0-beta.38",
+    "@naisys/supervisor-database": "3.0.0-beta.38",
     "@prisma/adapter-better-sqlite3": "^7.5.0",
     "@prisma/client": "^7.5.0",
     "@scalar/fastify-api-reference": "^1.48.7",

package/prisma/migrations/20260427010000_hash_user_api_keys/migration.sql

@@ -0,0 +1,10 @@
+-- Replace persisted plaintext user API keys with nullable hashes.
+-- Existing plaintext keys are intentionally discarded.
+
+DROP INDEX IF EXISTS "users_api_key_key";
+
+ALTER TABLE "users" RENAME COLUMN "api_key" TO "api_key_hash";
+
+UPDATE "users" SET "api_key_hash" = NULL;
+
+CREATE UNIQUE INDEX "users_api_key_hash_key" ON "users"("api_key_hash");

package/prisma/migrations/20260427020000_nullable_user_password_hash/migration.sql

@@ -0,0 +1,39 @@
+-- Make users.password_hash nullable. NULL means the user is not
+-- password-authable (passkey-only, API-key-only, or agent).
+-- Existing sentinel values are converted to NULL.
+
+PRAGMA foreign_keys=OFF;
+
+CREATE TABLE "users_new" (
+    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    "uuid" TEXT NOT NULL,
+    "username" TEXT NOT NULL,
+    "password_hash" TEXT,
+    "is_agent" INTEGER NOT NULL DEFAULT 0,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL,
+    "deleted_at" DATETIME,
+    "api_key_hash" TEXT
+);
+
+INSERT INTO "users_new" ("id", "uuid", "username", "password_hash", "is_agent", "created_at", "updated_at", "deleted_at", "api_key_hash")
+SELECT
+    "id",
+    "uuid",
+    "username",
+    CASE WHEN "password_hash" IN ('!sso-passkey-only', '!api-key-only', '') THEN NULL ELSE "password_hash" END,
+    "is_agent",
+    "created_at",
+    "updated_at",
+    "deleted_at",
+    "api_key_hash"
+FROM "users";
+
+DROP TABLE "users";
+ALTER TABLE "users_new" RENAME TO "users";
+
+CREATE UNIQUE INDEX "users_uuid_key" ON "users"("uuid");
+CREATE UNIQUE INDEX "users_username_key" ON "users"("username");
+CREATE UNIQUE INDEX "users_api_key_hash_key" ON "users"("api_key_hash");
+
+PRAGMA foreign_keys=ON;

package/prisma/schema.prisma

@@ -418,8 +418,8 @@ model User {
   id           Int       @id @default(autoincrement())
   uuid         String    @unique
   username     String    @unique
-  passwordHash String    @map("password_hash")
-  apiKey       String?   @unique @map("api_key")
+  passwordHash String?   @map("password_hash")
+  apiKeyHash   String?   @unique @map("api_key_hash")
   isAgent      Boolean   @default(false) @map("is_agent")
   createdAt    DateTime  @default(now()) @map("created_at")
   updatedAt    DateTime  @updatedAt @map("updated_at")