@ofeklabs/horizon-auth 0.2.1 → 0.4.0

package/prisma/migrations/20260218105110_add_enhanced_auth_features/migration.sql

@@ -0,0 +1,192 @@
+-- CreateTable
+CREATE TABLE "users" (
+    "id" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "fullName" TEXT,
+    "passwordHash" TEXT,
+    "emailVerified" BOOLEAN NOT NULL DEFAULT false,
+    "emailVerifyToken" TEXT,
+    "resetToken" TEXT,
+    "resetTokenExpiry" TIMESTAMP(3),
+    "tenantId" TEXT NOT NULL DEFAULT 'default',
+    "roles" TEXT[] DEFAULT ARRAY['user']::TEXT[],
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "deactivationReason" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "users_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "refresh_tokens" (
+    "id" TEXT NOT NULL,
+    "hashedToken" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "deviceId" TEXT,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "parentTokenId" TEXT,
+    "revoked" BOOLEAN NOT NULL DEFAULT false,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "refresh_tokens_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "social_accounts" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "provider" TEXT NOT NULL,
+    "providerId" TEXT NOT NULL,
+    "email" TEXT,
+    "displayName" TEXT,
+    "profileData" JSONB,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "social_accounts_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "devices" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "deviceName" TEXT,
+    "deviceType" TEXT,
+    "os" TEXT,
+    "browser" TEXT,
+    "fingerprint" TEXT NOT NULL,
+    "lastActiveAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "devices_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "push_tokens" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "deviceId" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "tokenType" TEXT NOT NULL,
+    "active" BOOLEAN NOT NULL DEFAULT true,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "push_tokens_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "two_factor_auth" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "totpSecret" TEXT NOT NULL,
+    "enabled" BOOLEAN NOT NULL DEFAULT false,
+    "enabledAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "two_factor_auth_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "backup_codes" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "codeHash" TEXT NOT NULL,
+    "used" BOOLEAN NOT NULL DEFAULT false,
+    "usedAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "backup_codes_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_email_key" ON "users"("email");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_emailVerifyToken_key" ON "users"("emailVerifyToken");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_resetToken_key" ON "users"("resetToken");
+
+-- CreateIndex
+CREATE INDEX "users_email_idx" ON "users"("email");
+
+-- CreateIndex
+CREATE INDEX "users_tenantId_idx" ON "users"("tenantId");
+
+-- CreateIndex
+CREATE INDEX "users_isActive_idx" ON "users"("isActive");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "refresh_tokens_hashedToken_key" ON "refresh_tokens"("hashedToken");
+
+-- CreateIndex
+CREATE INDEX "refresh_tokens_userId_idx" ON "refresh_tokens"("userId");
+
+-- CreateIndex
+CREATE INDEX "refresh_tokens_deviceId_idx" ON "refresh_tokens"("deviceId");
+
+-- CreateIndex
+CREATE INDEX "refresh_tokens_hashedToken_idx" ON "refresh_tokens"("hashedToken");
+
+-- CreateIndex
+CREATE INDEX "social_accounts_userId_idx" ON "social_accounts"("userId");
+
+-- CreateIndex
+CREATE INDEX "social_accounts_provider_idx" ON "social_accounts"("provider");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "social_accounts_provider_providerId_key" ON "social_accounts"("provider", "providerId");
+
+-- CreateIndex
+CREATE INDEX "devices_userId_idx" ON "devices"("userId");
+
+-- CreateIndex
+CREATE INDEX "devices_fingerprint_idx" ON "devices"("fingerprint");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "push_tokens_token_key" ON "push_tokens"("token");
+
+-- CreateIndex
+CREATE INDEX "push_tokens_userId_idx" ON "push_tokens"("userId");
+
+-- CreateIndex
+CREATE INDEX "push_tokens_deviceId_idx" ON "push_tokens"("deviceId");
+
+-- CreateIndex
+CREATE INDEX "push_tokens_active_idx" ON "push_tokens"("active");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "two_factor_auth_userId_key" ON "two_factor_auth"("userId");
+
+-- CreateIndex
+CREATE INDEX "backup_codes_userId_idx" ON "backup_codes"("userId");
+
+-- CreateIndex
+CREATE INDEX "backup_codes_used_idx" ON "backup_codes"("used");
+
+-- AddForeignKey
+ALTER TABLE "refresh_tokens" ADD CONSTRAINT "refresh_tokens_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "refresh_tokens" ADD CONSTRAINT "refresh_tokens_deviceId_fkey" FOREIGN KEY ("deviceId") REFERENCES "devices"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "social_accounts" ADD CONSTRAINT "social_accounts_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "devices" ADD CONSTRAINT "devices_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "push_tokens" ADD CONSTRAINT "push_tokens_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "push_tokens" ADD CONSTRAINT "push_tokens_deviceId_fkey" FOREIGN KEY ("deviceId") REFERENCES "devices"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "two_factor_auth" ADD CONSTRAINT "two_factor_auth_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "backup_codes" ADD CONSTRAINT "backup_codes_userId_fkey" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

package/prisma/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"

package/prisma/schema.prisma

@@ -11,22 +11,30 @@ datasource db {
 }
 
 model User {
-  id                String   @id @default(cuid())
-  email             String   @unique
-  fullName          String?
-  passwordHash      String?
-  emailVerified     Boolean  @default(false)
-  emailVerifyToken  String?  @unique
-  resetToken        String?  @unique
-  resetTokenExpiry  DateTime?
-  tenantId          String   @default("default")
-  roles             String[] @default(["user"])
-  refreshTokens     RefreshToken[]
-  createdAt         DateTime @default(now())
-  updatedAt         DateTime @updatedAt
+  id                 String          @id @default(cuid())
+  email              String          @unique
+  fullName           String?
+  passwordHash       String?
+  emailVerified      Boolean         @default(false)
+  emailVerifyToken   String?         @unique
+  resetToken         String?         @unique
+  resetTokenExpiry   DateTime?
+  tenantId           String          @default("default")
+  roles              String[]        @default(["user"])
+  isActive           Boolean         @default(true)
+  deactivationReason String?
+  refreshTokens      RefreshToken[]
+  socialAccounts     SocialAccount[]
+  devices            Device[]
+  pushTokens         PushToken[]
+  twoFactorAuth      TwoFactorAuth?
+  backupCodes        BackupCode[]
+  createdAt          DateTime        @default(now())
+  updatedAt          DateTime        @updatedAt
 
   @@index([email])
   @@index([tenantId])
+  @@index([isActive])
   @@map("users")
 }
 
@@ -34,13 +42,98 @@ model RefreshToken {
   id            String    @id @default(cuid())
   hashedToken   String    @unique
   userId        String
+  deviceId      String?
   expiresAt     DateTime
   parentTokenId String?
   revoked       Boolean   @default(false)
   createdAt     DateTime  @default(now())
   user          User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+  device        Device?   @relation(fields: [deviceId], references: [id], onDelete: SetNull)
 
   @@index([userId])
+  @@index([deviceId])
   @@index([hashedToken])
   @@map("refresh_tokens")
 }
+
+model SocialAccount {
+  id          String   @id @default(cuid())
+  userId      String
+  provider    String   // 'google' | 'facebook'
+  providerId  String   // Provider's user ID
+  email       String?
+  displayName String?
+  profileData Json?    // Additional profile info
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([provider, providerId])
+  @@index([userId])
+  @@index([provider])
+  @@map("social_accounts")
+}
+
+model Device {
+  id            String         @id @default(cuid())
+  userId        String
+  deviceName    String?        // e.g., "iPhone 13"
+  deviceType    String?        // 'mobile' | 'tablet' | 'desktop'
+  os            String?        // e.g., "iOS 16.0"
+  browser       String?        // e.g., "Safari 16.0"
+  fingerprint   String         // Hash of user agent
+  lastActiveAt  DateTime       @default(now())
+  createdAt     DateTime       @default(now())
+  user          User           @relation(fields: [userId], references: [id], onDelete: Cascade)
+  refreshTokens RefreshToken[]
+  pushTokens    PushToken[]
+
+  @@index([userId])
+  @@index([fingerprint])
+  @@map("devices")
+}
+
+model PushToken {
+  id        String   @id @default(cuid())
+  userId    String
+  deviceId  String
+  token     String   @unique
+  tokenType String   // 'FCM' | 'APNS'
+  active    Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  device    Device   @relation(fields: [deviceId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([deviceId])
+  @@index([active])
+  @@map("push_tokens")
+}
+
+model TwoFactorAuth {
+  id         String    @id @default(cuid())
+  userId     String    @unique
+  totpSecret String    // Encrypted TOTP secret
+  enabled    Boolean   @default(false)
+  enabledAt  DateTime?
+  createdAt  DateTime  @default(now())
+  updatedAt  DateTime  @updatedAt
+  user       User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@map("two_factor_auth")
+}
+
+model BackupCode {
+  id        String    @id @default(cuid())
+  userId    String
+  codeHash  String    // Bcrypt hash of the code
+  used      Boolean   @default(false)
+  usedAt    DateTime?
+  createdAt DateTime  @default(now())
+  user      User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([used])
+  @@map("backup_codes")
+}