@rebasepro/server-postgresql 0.0.1-canary.4d4fb3e → 0.0.1-canary.ca2cb6e

package/src/auth/ensure-tables.ts

@@ -9,21 +9,34 @@ const DEFAULT_ROLES = [
         id: "admin",
         name: "Admin",
         is_admin: true,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "all", deleteCollections: "all" }
+        default_permissions: { read: true,
+create: true,
+edit: true,
+delete: true },
+        config: { createCollections: true,
+editCollections: "all",
+deleteCollections: "all" }
     },
     {
         id: "editor",
         name: "Editor",
         is_admin: false,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "own", deleteCollections: "own" }
+        default_permissions: { read: true,
+create: true,
+edit: true,
+delete: true },
+        config: { createCollections: true,
+editCollections: "own",
+deleteCollections: "own" }
     },
     {
         id: "viewer",
         name: "Viewer",
         is_admin: false,
-        default_permissions: { read: true, create: false, edit: false, delete: false },
+        default_permissions: { read: true,
+create: false,
+edit: false,
+delete: false },
         config: null
     }
 ];
@@ -49,8 +62,6 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
                 password_hash TEXT,
                 display_name TEXT,
                 photo_url TEXT,
-                provider TEXT DEFAULT 'email',
-                google_id TEXT UNIQUE,
                 created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
                 updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
@@ -62,12 +73,27 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
             ON rebase.users(email)
         `);
 
-        // Create index on google_id for OAuth lookups
+        // Create user_identities table
         await db.execute(sql`
-            CREATE INDEX IF NOT EXISTS idx_users_google_id 
-            ON rebase.users(google_id)
+            CREATE TABLE IF NOT EXISTS rebase.user_identities (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id TEXT NOT NULL REFERENCES rebase.users(id) ON DELETE CASCADE,
+                provider TEXT NOT NULL,
+                provider_id TEXT NOT NULL,
+                profile_data JSONB,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                UNIQUE(provider, provider_id)
+            )
         `);
 
+        // Create indexes on user_identities
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_user_identities_user 
+            ON rebase.user_identities(user_id)
+        `);
+
+
         // Create roles table
         await db.execute(sql`
             CREATE TABLE IF NOT EXISTS rebase.roles (
@@ -81,12 +107,6 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
             )
         `);
 
-        // Migration: Add collection_permissions column if it doesn't exist (for existing databases)
-        await db.execute(sql`
-            ALTER TABLE rebase.roles 
-            ADD COLUMN IF NOT EXISTS collection_permissions JSONB
-        `);
-
         // Create user_roles junction table
         await db.execute(sql`
             CREATE TABLE IF NOT EXISTS rebase.user_roles (
@@ -128,60 +148,6 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
             ON rebase.refresh_tokens(user_id)
         `);
 
-        // Migration: Add user_agent and ip_address to refresh tokens (for tables created before these columns existed)
-        await db.execute(sql`
-            ALTER TABLE rebase.refresh_tokens 
-            ADD COLUMN IF NOT EXISTS user_agent TEXT
-        `);
-
-        await db.execute(sql`
-            ALTER TABLE rebase.refresh_tokens 
-            ADD COLUMN IF NOT EXISTS ip_address TEXT
-        `);
-
-        // Migration: Ensure unique_device_session constraint exists (for tables created before it was in CREATE TABLE)
-        // Check if constraint already exists before attempting to add it
-        const constraintCheck = await db.execute(sql`
-            SELECT 1 FROM information_schema.table_constraints 
-            WHERE constraint_name = 'unique_device_session' 
-            AND table_schema = 'rebase'
-            AND table_name = 'refresh_tokens'
-        `);
-        if (constraintCheck.rows.length === 0) {
-            try {
-                await db.execute(sql`
-                    ALTER TABLE rebase.refresh_tokens
-                    ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
-                `);
-                console.log("✅ Added unique_device_session constraint");
-            } catch (e: unknown) {
-                const errorMessage = e instanceof Error ? e.message : String(e);
-                // If there's duplicate data preventing the constraint, clean up first
-                if (errorMessage.includes('could not create unique index')) {
-                    console.warn("⚠️ Duplicate sessions found, cleaning up before adding constraint...");
-                    // Keep only the most recent token per user/device combo
-                    await db.execute(sql`
-                        DELETE FROM rebase.refresh_tokens a
-                        USING rebase.refresh_tokens b
-                        WHERE a.user_id = b.user_id 
-                        AND COALESCE(a.user_agent, '') = COALESCE(b.user_agent, '')
-                        AND COALESCE(a.ip_address, '') = COALESCE(b.ip_address, '')
-                        AND a.created_at < b.created_at
-                    `);
-                    // Retry constraint creation
-                    await db.execute(sql`
-                        ALTER TABLE rebase.refresh_tokens
-                        ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
-                    `).catch((retryErr: unknown) => {
-                        const retryMessage = retryErr instanceof Error ? retryErr.message : String(retryErr);
-                        console.error("Failed to add unique_device_session constraint after cleanup:", retryMessage);
-                    });
-                } else {
-                    console.error("Constraint migration issue:", errorMessage);
-                }
-            }
-        }
-
         // Create password reset tokens table
         await db.execute(sql`
             CREATE TABLE IF NOT EXISTS rebase.password_reset_tokens (
@@ -215,21 +181,8 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
             )
         `);
 
-        // Migration: Add email verification columns to users if they don't exist
-        await db.execute(sql`
-            ALTER TABLE rebase.users 
-            ADD COLUMN IF NOT EXISTS email_verified BOOLEAN DEFAULT FALSE
-        `);
-
-        await db.execute(sql`
-            ALTER TABLE rebase.users 
-            ADD COLUMN IF NOT EXISTS email_verification_token TEXT
-        `);
-
-        await db.execute(sql`
-            ALTER TABLE rebase.users 
-            ADD COLUMN IF NOT EXISTS email_verification_sent_at TIMESTAMP WITH TIME ZONE
-        `);
+        // Apply any schema alterations for existing databases
+        await applyInternalMigrations(db);
 
         // Create the `auth` schema with Supabase-style helper functions for RLS.
         //   auth.uid()   → returns the current user's ID (reads app.user_id)
@@ -239,7 +192,7 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         await db.execute(sql`CREATE SCHEMA IF NOT EXISTS auth`);
 
         // Use an advisory transaction lock to serialize function recreation during HMR
-        // This prevents the "tuple concurrently updated" race condition when multiple Node 
+        // This prevents the "tuple concurrently updated" race condition when multiple Node
         // workers or rapid restarts attempt to CREATE OR REPLACE FUNCTION simultaneously.
         await db.transaction(async (tx) => {
             await tx.execute(sql`SELECT pg_advisory_xact_lock(hashtext('rebase_auth_functions_init'))`);
@@ -307,3 +260,122 @@ async function seedDefaultRoles(db: NodePgDatabase): Promise<void> {
 
     console.log("✅ Default roles created: admin, editor, viewer");
 }
+
+/**
+ * Apply idempotent alterations for internal Rebase tables.
+ * This runs after CREATE TABLE IF NOT EXISTS to ensure existing
+ * databases get new columns without needing external Drizzle migrations.
+ */
+async function applyInternalMigrations(db: NodePgDatabase): Promise<void> {
+    try {
+        // Users Table Migrations
+        await db.execute(sql`
+            ALTER TABLE rebase.users 
+            ADD COLUMN IF NOT EXISTS email_verified BOOLEAN DEFAULT FALSE,
+            ADD COLUMN IF NOT EXISTS email_verification_token TEXT,
+            ADD COLUMN IF NOT EXISTS email_verification_sent_at TIMESTAMP WITH TIME ZONE
+        `);
+
+        // Migrate Old OAuth Data to user_identities table
+
+        // 1. Check if legacy columns exist
+        const columnsCheck = await db.execute(sql`
+            SELECT column_name 
+            FROM information_schema.columns 
+            WHERE table_schema='rebase' AND table_name='users' AND column_name IN ('google_id', 'linkedin_id', 'provider')
+        `);
+        const existingColumns = columnsCheck.rows.map(r => r.column_name);
+
+        if (existingColumns.includes("google_id")) {
+            // Migrate google users
+            await db.execute(sql`
+                INSERT INTO rebase.user_identities (user_id, provider, provider_id)
+                SELECT id, 'google', google_id
+                FROM rebase.users
+                WHERE google_id IS NOT NULL
+                ON CONFLICT (provider, provider_id) DO NOTHING
+            `);
+        }
+
+        if (existingColumns.includes("linkedin_id")) {
+            // Migrate linkedin users
+            await db.execute(sql`
+                INSERT INTO rebase.user_identities (user_id, provider, provider_id)
+                SELECT id, 'linkedin', linkedin_id
+                FROM rebase.users
+                WHERE linkedin_id IS NOT NULL
+                ON CONFLICT (provider, provider_id) DO NOTHING
+            `);
+        }
+
+        // Now drop legacy columns safely if they exist
+        if (existingColumns.length > 0) {
+            await db.execute(sql`
+                ALTER TABLE rebase.users
+                DROP COLUMN IF EXISTS provider,
+                DROP COLUMN IF EXISTS google_id,
+                DROP COLUMN IF EXISTS linkedin_id
+            `);
+
+            // Drop legacy indexes
+            await db.execute(sql`DROP INDEX IF EXISTS rebase.idx_users_google_id`);
+            await db.execute(sql`DROP INDEX IF EXISTS rebase.idx_users_linkedin_id`);
+
+            console.log("✅ Migrated to user_identities and dropped legacy columns.");
+        }
+
+        // Roles Table Migrations
+        await db.execute(sql`
+            ALTER TABLE rebase.roles 
+            ADD COLUMN IF NOT EXISTS collection_permissions JSONB
+        `);
+
+        // Refresh Tokens Table Migrations
+        await db.execute(sql`
+            ALTER TABLE rebase.refresh_tokens 
+            ADD COLUMN IF NOT EXISTS user_agent TEXT,
+            ADD COLUMN IF NOT EXISTS ip_address TEXT
+        `);
+
+        const constraintCheck = await db.execute(sql`
+            SELECT 1 FROM information_schema.table_constraints 
+            WHERE constraint_name = 'unique_device_session' 
+            AND table_schema = 'rebase'
+            AND table_name = 'refresh_tokens'
+        `);
+
+        if (constraintCheck.rows.length === 0) {
+            try {
+                await db.execute(sql`
+                    ALTER TABLE rebase.refresh_tokens
+                    ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
+                `);
+                console.log("✅ Added unique_device_session constraint");
+            } catch (e: unknown) {
+                const errorMessage = e instanceof Error ? e.message : String(e);
+                if (errorMessage.includes("could not create unique index")) {
+                    console.warn("⚠️ Duplicate sessions found, cleaning up before adding constraint...");
+                    await db.execute(sql`
+                        DELETE FROM rebase.refresh_tokens a
+                        USING rebase.refresh_tokens b
+                        WHERE a.user_id = b.user_id 
+                        AND COALESCE(a.user_agent, '') = COALESCE(b.user_agent, '')
+                        AND COALESCE(a.ip_address, '') = COALESCE(b.ip_address, '')
+                        AND a.created_at < b.created_at
+                    `);
+                    await db.execute(sql`
+                        ALTER TABLE rebase.refresh_tokens
+                        ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
+                    `).catch((retryErr: unknown) => {
+                        const retryMessage = retryErr instanceof Error ? retryErr.message : String(retryErr);
+                        console.error("Failed to add unique_device_session constraint after cleanup:", retryMessage);
+                    });
+                } else {
+                    console.error("Constraint migration issue:", errorMessage);
+                }
+            }
+        }
+    } catch (error) {
+        console.error("❌ Failed to run internal migrations:", error);
+    }
+}

package/src/auth/services.ts

@@ -1,6 +1,6 @@
 import { eq, sql } from "drizzle-orm";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
-import { users, refreshTokens, passwordResetTokens, User, NewUser } from "../schema/auth-schema";
+import { users, userIdentities, refreshTokens, passwordResetTokens, User, NewUser } from "../schema/auth-schema";
 import {
     UserRepository,
     RoleRepository,
@@ -12,6 +12,7 @@ import {
     CreateRoleData,
     RefreshTokenInfo,
     PasswordResetTokenInfo,
+    UserIdentityData,
     ListUsersOptions,
     PaginatedUsersResult,
     RoleData as Role
@@ -42,15 +43,64 @@ export class UserService implements UserRepository {
         return user || null;
     }
 
-    async getUserByGoogleId(googleId: string): Promise<User | null> {
-        const [user] = await this.db.select().from(users).where(eq(users.googleId, googleId));
-        return user || null;
+    async getUserByIdentity(provider: string, providerId: string): Promise<User | null> {
+        const result = await this.db.execute(sql`
+            SELECT u.*
+            FROM rebase.users u
+            INNER JOIN rebase.user_identities ui ON u.id = ui.user_id
+            WHERE ui.provider = ${provider} AND ui.provider_id = ${providerId}
+            LIMIT 1
+        `);
+
+        if (result.rows.length === 0) return null;
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            email: row.email as string,
+            passwordHash: (row.password_hash as string | null) ?? null,
+            displayName: (row.display_name as string | null) ?? null,
+            photoUrl: (row.photo_url as string | null) ?? null,
+            emailVerified: (row.email_verified as boolean | undefined) ?? false,
+            emailVerificationToken: (row.email_verification_token as string | null) ?? null,
+            emailVerificationSentAt: (row.email_verification_sent_at as Date | null) ?? null,
+            createdAt: row.created_at as Date,
+            updatedAt: row.updated_at as Date
+        } as User;
+    }
+
+    async getUserIdentities(userId: string): Promise<UserIdentityData[]> {
+        const result = await this.db.execute(sql`
+            SELECT id, user_id, provider, provider_id, profile_data, created_at, updated_at
+            FROM rebase.user_identities
+            WHERE user_id = ${userId}
+        `);
+
+        return result.rows.map((row: Record<string, unknown>) => ({
+            id: row.id as string,
+            userId: row.user_id as string,
+            provider: row.provider as string,
+            providerId: row.provider_id as string,
+            profileData: (row.profile_data as Record<string, unknown> | null) ?? null,
+            createdAt: row.created_at as Date,
+            updatedAt: row.updated_at as Date
+        }));
+    }
+
+    async linkUserIdentity(userId: string, provider: string, providerId: string, profileData?: Record<string, unknown>): Promise<void> {
+        await this.db.insert(userIdentities).values({
+            userId,
+            provider,
+            providerId,
+            profileData: profileData || null
+        }).onConflictDoNothing({ target: [userIdentities.provider, userIdentities.providerId] });
     }
 
     async updateUser(id: string, data: Partial<Omit<NewUser, "id">>): Promise<User | null> {
         const [user] = await this.db
             .update(users)
-            .set({ ...data, updatedAt: new Date() })
+            .set({ ...data,
+updatedAt: new Date() })
             .where(eq(users.id, id))
             .returning();
         return user || null;
@@ -70,6 +120,7 @@ export class UserService implements UserRepository {
         const search = options?.search?.trim() || "";
         const orderBy = options?.orderBy || "createdAt";
         const orderDir = options?.orderDir || "desc";
+        const roleId = options?.roleId;
 
         // Map camelCase field names to snake_case column names
         const columnMap: Record<string, string> = {
@@ -82,56 +133,54 @@ export class UserService implements UserRepository {
         const orderColumn = columnMap[orderBy] || "created_at";
         const direction = orderDir === "asc" ? sql`ASC` : sql`DESC`;
 
-        let rows: User[];
-        let total: number;
-
+        const conditions = [];
+        if (roleId) {
+            conditions.push(sql`EXISTS (SELECT 1 FROM rebase.user_roles ur WHERE ur.user_id = users.id AND ur.role_id = ${roleId})`);
+        }
         if (search) {
             const pattern = `%${search}%`;
+            conditions.push(sql`(email ILIKE ${pattern} OR display_name ILIKE ${pattern})`);
+        }
 
-            const countResult = await this.db.execute(sql`
-                SELECT count(*)::int as total FROM rebase.users
-                WHERE email ILIKE ${pattern} OR display_name ILIKE ${pattern}
-            `);
-            total = (countResult.rows[0] as { total: number }).total;
+        const whereClause = conditions.length > 0 ? sql`WHERE ${sql.join(conditions, sql` AND `)}` : sql``;
 
-            const dataResult = await this.db.execute(sql`
-                SELECT * FROM rebase.users
-                WHERE email ILIKE ${pattern} OR display_name ILIKE ${pattern}
-                ORDER BY ${sql.raw(orderColumn)} ${direction}
-                LIMIT ${limit} OFFSET ${offset}
-            `);
-            rows = dataResult.rows as User[];
-        } else {
-            const countResult = await this.db.execute(sql`
-                SELECT count(*)::int as total FROM rebase.users
-            `);
-            total = (countResult.rows[0] as { total: number }).total;
+        // Sorting: users with roles first if no role filter, then by requested order
+        const orderByClause = roleId
+            ? sql`ORDER BY ${sql.raw(orderColumn)} ${direction}`
+            : sql`ORDER BY (SELECT count(*) FROM rebase.user_roles ur WHERE ur.user_id = users.id) DESC, ${sql.raw(orderColumn)} ${direction}`;
 
-            const dataResult = await this.db.execute(sql`
-                SELECT * FROM rebase.users
-                ORDER BY ${sql.raw(orderColumn)} ${direction}
-                LIMIT ${limit} OFFSET ${offset}
-            `);
-            rows = dataResult.rows as User[];
-        }
+        const countResult = await this.db.execute(sql`
+            SELECT count(*)::int as total FROM rebase.users
+            ${whereClause}
+        `);
+        const total = (countResult.rows[0] as { total: number }).total;
+
+        const dataResult = await this.db.execute(sql`
+            SELECT * FROM rebase.users
+            ${whereClause}
+            ${orderByClause}
+            LIMIT ${limit} OFFSET ${offset}
+        `);
+        const rows = dataResult.rows as User[];
 
         // Map snake_case rows to camelCase UserData
-        const mappedUsers: User[] = rows.map((row: Record<string, any>) => ({
-            id: row.id,
-            email: row.email,
-            passwordHash: row.password_hash ?? row.passwordHash ?? null,
-            displayName: row.display_name ?? row.displayName ?? null,
-            photoUrl: row.photo_url ?? row.photoUrl ?? null,
-            provider: row.provider,
-            googleId: row.google_id ?? row.googleId ?? null,
-            emailVerified: row.email_verified ?? row.emailVerified ?? false,
-            emailVerificationToken: row.email_verification_token ?? row.emailVerificationToken ?? null,
-            emailVerificationSentAt: row.email_verification_sent_at ?? row.emailVerificationSentAt ?? null,
-            createdAt: row.created_at ?? row.createdAt,
-            updatedAt: row.updated_at ?? row.updatedAt
+        const mappedUsers: User[] = rows.map((row: Record<string, unknown>) => ({
+            id: row.id as string,
+            email: row.email as string,
+            passwordHash: ((row.password_hash ?? row.passwordHash) as string | null) ?? null,
+            displayName: ((row.display_name ?? row.displayName) as string | null) ?? null,
+            photoUrl: ((row.photo_url ?? row.photoUrl) as string | null) ?? null,
+            emailVerified: ((row.email_verified ?? row.emailVerified) as boolean | undefined) ?? false,
+            emailVerificationToken: ((row.email_verification_token ?? row.emailVerificationToken) as string | null) ?? null,
+            emailVerificationSentAt: ((row.email_verification_sent_at ?? row.emailVerificationSentAt) as Date | null) ?? null,
+            createdAt: (row.created_at ?? row.createdAt) as Date,
+            updatedAt: (row.updated_at ?? row.updatedAt) as Date
         })) as User[];
 
-        return { users: mappedUsers, total, limit, offset };
+        return { users: mappedUsers,
+total,
+limit,
+offset };
     }
 
     /**
@@ -140,7 +189,8 @@ export class UserService implements UserRepository {
     async updatePassword(id: string, passwordHash: string): Promise<void> {
         await this.db
             .update(users)
-            .set({ passwordHash, updatedAt: new Date() })
+            .set({ passwordHash,
+updatedAt: new Date() })
             .where(eq(users.id, id));
     }
 
@@ -248,7 +298,8 @@ export class UserService implements UserRepository {
         if (!user) return null;
 
         const roles = await this.getUserRoles(userId);
-        return { user, roles };
+        return { user,
+roles };
     }
 }
 
@@ -597,8 +648,16 @@ export class PostgresAuthRepository implements AuthRepository {
         return this.userService.getUserByEmail(email) as Promise<UserData | null>;
     }
 
-    async getUserByGoogleId(googleId: string): Promise<UserData | null> {
-        return this.userService.getUserByGoogleId(googleId) as Promise<UserData | null>;
+    async getUserByIdentity(provider: string, providerId: string): Promise<UserData | null> {
+        return this.userService.getUserByIdentity(provider, providerId) as Promise<UserData | null>;
+    }
+
+    async getUserIdentities(userId: string): Promise<UserIdentityData[]> {
+        return this.userService.getUserIdentities(userId);
+    }
+
+    async linkUserIdentity(userId: string, provider: string, providerId: string, profileData?: Record<string, unknown>): Promise<void> {
+        return this.userService.linkUserIdentity(userId, provider, providerId, profileData);
     }
 
     async updateUser(id: string, data: Partial<Omit<CreateUserData, "id">>): Promise<UserData | null> {