@openparachute/hub 0.5.13 → 0.5.14-rc.1

package/src/users.ts

@@ -188,6 +188,41 @@ export function userCount(db: Database): number {
   return (db.query<{ n: number }, []>("SELECT COUNT(*) AS n FROM users").get() ?? { n: 0 }).n;
 }
 
+/**
+ * Single source of truth for "who is *the* admin in Phase 1." The
+ * earliest-created user row is the wizard or env-seeded admin by
+ * construction — Phase 1 has no role model, so the first row is the
+ * hub administrator. Used by:
+ *
+ *   - `api-users.ts` for the first-admin-undeletable rail (the only
+ *     user who can't be deleted, since deleting them would self-lock
+ *     the hub).
+ *   - `admin-host-admin-token.ts` to gate the SPA-bearer mint endpoint
+ *     to the admin only — any signed-in non-admin friend hitting it
+ *     would otherwise get a JWT carrying `parachute:host:admin` +
+ *     `parachute:host:auth`, a full-admin privesc (multi-user Phase 1
+ *     friend-account follow-up).
+ *   - `admin-handlers.ts` for the login-redirect default — non-admin
+ *     users targeting `/admin/*` get redirected to `/account/` instead
+ *     of a 403 wall.
+ *
+ * Returns `null` only when the users table is empty (pre-wizard state).
+ */
+export function getFirstAdminId(db: Database): string | null {
+  const row = db
+    .query<{ id: string }, []>("SELECT id FROM users ORDER BY created_at ASC LIMIT 1")
+    .get();
+  return row?.id ?? null;
+}
+
+/**
+ * Convenience predicate over `getFirstAdminId`. Caller sites read
+ * cleaner as `isFirstAdmin(db, userId)` than `getFirstAdminId(db) === userId`.
+ */
+export function isFirstAdmin(db: Database, userId: string): boolean {
+  return getFirstAdminId(db) === userId;
+}
+
 export async function verifyPassword(user: User, password: string): Promise<boolean> {
   return argonVerify(user.passwordHash, password);
 }
@@ -211,6 +246,83 @@ export async function setPassword(
   if (result.changes === 0) throw new UserNotFoundError(userId);
 }
 
+/**
+ * Reset a user's password to an admin-chosen value (multi-user Phase 2
+ * PR 1, hub#252 follow-up). Used by the `POST /api/users/:id/reset-password`
+ * admin endpoint when a friend forgets their password — the operator's
+ * only Phase-1 recovery was delete+recreate, which is destructive-feeling
+ * even though it's safe (vaults are independent of accounts).
+ *
+ * Three writes inside one transaction:
+ *
+ *   1. Rotate `password_hash` to the new argon2id hash and flip
+ *      `password_changed` back to 0 so the user is force-redirected
+ *      through `/account/change-password` on next sign-in (same posture
+ *      as the admin-created-user default — the operator hands the temp
+ *      password out-of-band, the user picks their own immediately).
+ *   2. Revoke every still-active token row owned by the user
+ *      (`tokens.revoked_at = now WHERE user_id = ? AND revoked_at IS NULL`).
+ *      The reset is a "the old password leaked" recovery shape — leaving
+ *      pre-reset tokens valid for an attacker who knew the old password
+ *      would defeat the purpose. We keep the rows (don't NULL `user_id`
+ *      like `deleteUser` does) because the audit trail naturally re-
+ *      anchors to the still-existing user row.
+ *   3. Bump `updated_at` so the SPA's row reflects the rotation.
+ *
+ * Hash OUTSIDE the transaction — argon2id is async and `db.transaction()`
+ * on bun:sqlite is sync; doing it inside silently breaks atomicity (same
+ * constraint api-account.ts:399 documents for the change-password POST).
+ *
+ * Caller responsibilities (not enforced here):
+ *   - Validate `newPassword` first (`validatePassword`) — this helper
+ *     trusts the input and runs argon2id over whatever it gets.
+ *   - First-admin protection — admin password reset is restricted to
+ *     non-first-admin users per design §7. The first admin uses the
+ *     normal `/account/change-password` flow for themselves.
+ *
+ * Returns true on success, false if the user doesn't exist (idempotent —
+ * the API layer translates that to 404).
+ */
+export async function resetUserPassword(
+  db: Database,
+  userId: string,
+  newPassword: string,
+  now: () => Date = () => new Date(),
+): Promise<boolean> {
+  // Existence pre-check OUTSIDE the tx. The argon2id hash below is the
+  // expensive step; hashing for a non-existent user is wasted CPU and
+  // also leaks "was this id valid" timing. Cheap SELECT first.
+  const exists = db
+    .query<{ id: string }, [string]>("SELECT id FROM users WHERE id = ?")
+    .get(userId);
+  if (!exists) return false;
+  // Hash outside the tx — see note above.
+  const passwordHash = await argonHash(newPassword);
+  const stamp = now().toISOString();
+  // Track whether the tx actually applied the update — `result.changes === 0`
+  // means the row vanished between the pre-check and the tx body (concurrent
+  // delete race). The outer caller needs to know so its 200/{ok,user} response
+  // isn't a lie when the user is gone. Reviewer fold on hub#427.
+  let updated = false;
+  db.transaction(() => {
+    const result = db
+      .prepare(
+        "UPDATE users SET password_hash = ?, password_changed = 0, updated_at = ? WHERE id = ?",
+      )
+      .run(passwordHash, stamp, userId);
+    if (result.changes === 0) return;
+    updated = true;
+    // Revoke still-active tokens. Audit trail stays on the user row —
+    // we don't null `user_id` because the parent users row sticks
+    // around (unlike `deleteUser` where the parent vanishes).
+    db.prepare("UPDATE tokens SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL").run(
+      stamp,
+      userId,
+    );
+  })();
+  return updated;
+}
+
 /**
  * Hard-delete a user row and clean up FK-dependent rows.
  *