@ossy/users 1.7.0 → 1.8.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ossy/users",
   "description": "User domain — aggregate, events, and validators for the Ossy user model",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "private": false,
   "type": "module",
   "main": "./src/index.js",
@@ -19,12 +19,12 @@
     "registry": "https://registry.npmjs.org"
   },
   "dependencies": {
-    "@ossy/observability": "^1.2.0",
+    "@ossy/observability": "^1.3.0",
     "nanoid": "^5.1.11"
   },
   "files": [
     "/src",
     "README.md"
   ],
-  "gitHead": "46cdd391ec01ea9210543ee7b14661f77079a7e7"
+  "gitHead": "c6697078268867d88553ca0bac08faad5cea1546"
 }

package/src/create-api-token.action.js

@@ -0,0 +1,35 @@
+import jwt from 'jsonwebtoken'
+import { Aggregate } from '@ossy/event-store'
+import { Token, TokenEvents } from '@ossy/tokens'
+import { ConfigService } from '@ossy/platform'
+import { createLogger } from '@ossy/observability'
+
+const log = createLogger('users/create-api-token')
+
+const SECONDS_IN_100_YEARS = 60 * 60 * 24 * 365 * 100
+
+export const id = 'users/create-api-token'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const name = payload?.name
+  const description = payload?.description
+
+  if (!name || typeof name !== 'string') {
+    log.debug('[users/create-api-token] No name provided')
+    throw Object.assign(new Error('No name provided'), { status: 400 })
+  }
+  if (!description || typeof description !== 'string') {
+    log.debug('[users/create-api-token] No description provided')
+    throw Object.assign(new Error('No description provided'), { status: 400 })
+  }
+
+  const expiresIn = SECONDS_IN_100_YEARS
+  const expiresAt = Date.now() + expiresIn * 1000
+  const token = jwt.sign({ sub: createdBy, type: 'Api' }, ConfigService.TokenSecret, { expiresIn })
+
+  const event = TokenEvents.Created({ name, description, createdBy, type: 'Api', subject: createdBy, token, expiresAt })
+
+  return Aggregate.Of(Token, event).then(Aggregate.View())
+}

package/src/get-api-tokens.action.js

@@ -0,0 +1,20 @@
+import { Aggregate } from '@ossy/event-store'
+import { createLogger } from '@ossy/observability'
+
+const log = createLogger('users/get-api-tokens')
+
+export const id = 'users/get-api-tokens'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const userId = payload?.userId ?? req?.userId
+
+  log.info('[users/get-api-tokens] Fetching API tokens for user')
+  const tokens = await Aggregate.Collection.find({
+    type: 'Token',
+    'state.subject': userId,
+    'state.type': 'Api',
+  }, { state: true }).toArray().then(docs => docs.map(d => d.state))
+
+  return tokens.map(({ token: _secret, ...meta }) => meta)
+}

package/src/get-current-user-history.action.js

@@ -0,0 +1,11 @@
+import { EventStore } from '@ossy/event-store'
+import { User } from '@ossy/users'
+
+export const id = 'users/get-current-user-history'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const userId = payload?.userId ?? req?.userId
+  const events = await EventStore.GetEventStream({ aggregateId: userId, fromVersion: 0 })
+  return User.History(events)
+}

package/src/invalidate-api-token.action.js

@@ -0,0 +1,16 @@
+import { Aggregate } from '@ossy/event-store'
+import { Token, TokenEvents } from '@ossy/tokens'
+
+export const id = 'users/invalidate-api-token'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const tokenId = payload?.tokenId ?? req?.params?.tokenId
+
+  if (!tokenId) throw Object.assign(new Error('tokenId is required'), { status: 400 })
+
+  const event = TokenEvents.Revoked({ createdBy })
+  await Aggregate.Of(Token, tokenId).then(Aggregate.Add(event))
+  return ''
+}

package/src/join-workspace.action.js

@@ -0,0 +1,18 @@
+import { Aggregate } from '@ossy/event-store'
+import { User, UsersEvents } from '@ossy/users'
+
+export const id = 'users/join-workspace'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const userId = payload?.targetUserId ?? payload?.userId ?? req?.userId
+  const workspaceId = payload?.workspaceId
+  const createdBy = payload?.createdBy ?? userId
+
+  if (!workspaceId) throw Object.assign(new Error('workspaceId is required'), { status: 400 })
+
+  await Aggregate.Of(User, userId)
+    .then(Aggregate.Add(UsersEvents.WorkspaceJoined({ workspaceId, createdBy })))
+    .then(Aggregate.Save())
+  return null
+}

package/src/leave-workspace.action.js

@@ -0,0 +1,17 @@
+import { Aggregate } from '@ossy/event-store'
+import { User, UsersEvents } from '@ossy/users'
+
+export const id = 'users/leave-workspace'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const userId = payload?.userId ?? req?.userId
+  const workspaceId = payload?.workspaceId
+
+  if (!workspaceId) throw Object.assign(new Error('workspaceId is required'), { status: 400 })
+
+  await Aggregate.Of(User, userId)
+    .then(Aggregate.Add(UsersEvents.WorkspaceLeft({ workspaceId, createdBy: userId })))
+    .then(Aggregate.Save())
+  return null
+}

package/src/list.api.js

@@ -0,0 +1,23 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'users.list',
+  path: '/api/v0/users',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'GET') {
+    res.setHeader('Allow', 'GET')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  try {
+    const users = await ActionService.invoke('workspaces/get-users', {
+      payload: { workspaceId: req.workspaceId },
+      req,
+    })
+    res.json(users)
+  } catch (err) {
+    res.status(err?.status ?? 500).json()
+  }
+}

package/src/me-history.api.js

@@ -0,0 +1,23 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'users.me.history',
+  path: '/api/v0/users/me/history',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'GET') {
+    res.setHeader('Allow', 'GET')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  try {
+    const history = await ActionService.invoke('users/get-current-user-history', {
+      payload: { userId: req.userId },
+      req,
+    })
+    res.status(200).json(history)
+  } catch (err) {
+    res.status(err?.status ?? 500).json('')
+  }
+}

package/src/me-token.api.js

@@ -0,0 +1,32 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'users.me.token',
+  path: '/api/v0/users/me/tokens/:tokenId',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'DELETE') {
+    res.setHeader('Allow', 'DELETE')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(/^\/api\/v0\/users\/me\/tokens\/([^/]+)$/)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+
+  const tokenId = decodeURIComponent(m[1])
+  try {
+    await ActionService.invoke('users/invalidate-api-token', {
+      payload: { userId: req.userId, tokenId },
+      req,
+    })
+    res.status(200).json('')
+  } catch (err) {
+    res.status(err?.status ?? 500).json()
+  }
+}

package/src/me-tokens.api.js

@@ -0,0 +1,35 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'users.me.tokens',
+  path: '/api/v0/users/me/tokens',
+}
+
+export default async function handle(req, res) {
+  if (req.method === 'GET') {
+    try {
+      const tokens = await ActionService.invoke('users/get-api-tokens', {
+        payload: { userId: req.userId },
+        req,
+      })
+      res.json(tokens)
+    } catch (err) {
+      res.status(err?.status ?? 500).json()
+    }
+    return
+  }
+  if (req.method === 'POST') {
+    try {
+      const token = await ActionService.invoke('users/create-api-token', {
+        payload: { userId: req.userId, name: req.body?.name, description: req.body?.description },
+        req,
+      })
+      res.json(token)
+    } catch (err) {
+      res.status(err?.status ?? 400).json('')
+    }
+    return
+  }
+  res.setHeader('Allow', 'GET, POST')
+  res.status(405).json({ error: 'Method Not Allowed' })
+}

package/src/me.api.js

@@ -0,0 +1,41 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'users.me',
+  path: '/api/v0/users/me',
+}
+
+export default async function handle(req, res) {
+  if (req.method === 'GET' || req.method === 'POST') {
+    try {
+      if (!req.user || req.user.anonymous) {
+        res.status(401).json('')
+        return
+      }
+      const user = await ActionService.invoke('authentication/get-current-user', { req })
+      res.status(200).json(user)
+    } catch (err) {
+      res.status(err?.status ?? 500).json('')
+    }
+    return
+  }
+  if (req.method === 'PUT') {
+    try {
+      const user = await ActionService.invoke('users/update-details', {
+        payload: {
+          userId: req.userId,
+          firstName: req.body?.firstName,
+          lastName: req.body?.lastName,
+          currentUser: req.user,
+        },
+        req,
+      })
+      res.status(200).json(user)
+    } catch (err) {
+      res.status(err?.status ?? 400).json(err?.message)
+    }
+    return
+  }
+  res.setHeader('Allow', 'GET, POST, PUT')
+  res.status(405).json({ error: 'Method Not Allowed' })
+}

package/src/update-details.action.js

@@ -0,0 +1,29 @@
+import { Aggregate } from '@ossy/event-store'
+import { User, UsersEvents } from '@ossy/users'
+
+export const id = 'users/update-details'
+export const access = 'authenticated'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const currentUser = payload?.currentUser ?? req?.user
+
+  const firstName = (payload?.firstName ?? currentUser?.firstName)?.trim?.()
+  const lastName = (payload?.lastName ?? currentUser?.lastName)?.trim?.()
+
+  if (!firstName || typeof firstName !== 'string') {
+    throw Object.assign(new Error('No firstName provided'), { status: 400 })
+  }
+  if (!lastName || typeof lastName !== 'string') {
+    throw Object.assign(new Error('No lastName provided'), { status: 400 })
+  }
+
+  const hasChanges = firstName + lastName !== currentUser?.firstName + currentUser?.lastName
+  if (!hasChanges) {
+    throw Object.assign(new Error('No changes provided'), { status: 400 })
+  }
+
+  return Aggregate.Of(User, createdBy)
+    .then(Aggregate.Add(UsersEvents.NameUpdated({ firstName, lastName, createdBy })))
+    .then(Aggregate.View())
+}

package/src/workspace-membership.api.js

@@ -0,0 +1,72 @@
+import { ConfigService } from '@ossy/platform'
+import { ActionService } from '@ossy/platform'
+import { createLogger } from '@ossy/observability'
+
+const log = createLogger('users')
+
+function isBotUser(req) {
+  return req.userId === ConfigService.BotUserId
+}
+
+export const metadata = {
+  id: 'users.workspace-membership',
+  path: '/api/v0/users/:userId/workspaces',
+}
+
+export default async function handle(req, res) {
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+
+  const deleteMatch = pathname.match(/^\/api\/v0\/users\/([^/]+)\/workspaces\/([^/]+)$/)
+  if (deleteMatch && req.method === 'DELETE') {
+    const userId = decodeURIComponent(deleteMatch[1])
+    const workspaceId = decodeURIComponent(deleteMatch[2])
+
+    if (!isBotUser(req)) {
+      res.status(403).json({ error: 'Forbidden' })
+      return
+    }
+
+    try {
+      await ActionService.invoke('users/leave-workspace', {
+        payload: { userId, workspaceId },
+        req,
+      })
+      res.status(204).send()
+    } catch (err) {
+      log.error('[workspace-membership.api] remove error', undefined, err)
+      res.status(err?.status ?? 500).json({ error: 'Internal Server Error' })
+    }
+    return
+  }
+
+  const postMatch = pathname.match(/^\/api\/v0\/users\/([^/]+)\/workspaces$/)
+  if (postMatch && req.method === 'POST') {
+    const userId = decodeURIComponent(postMatch[1])
+    const workspaceId = req.body?.workspaceId
+    const createdBy = req.body?.createdBy ?? userId
+
+    if (!isBotUser(req)) {
+      res.status(403).json({ error: 'Forbidden' })
+      return
+    }
+
+    if (!workspaceId) {
+      res.status(400).json({ error: 'workspaceId is required' })
+      return
+    }
+
+    try {
+      await ActionService.invoke('users/join-workspace', {
+        payload: { targetUserId: userId, workspaceId, createdBy },
+        req,
+      })
+      res.status(204).send()
+    } catch (err) {
+      log.error('[workspace-membership.api] add error', undefined, err)
+      res.status(err?.status ?? 500).json({ error: 'Internal Server Error' })
+    }
+    return
+  }
+
+  res.status(404).json({ error: 'Not Found' })
+}