@rovela-ai/sdk 0.4.1 → 0.4.2

package/dist/admin/server/admin-self-service.js

@@ -0,0 +1,188 @@
+/**
+ * @rovela/sdk/admin/server/admin-self-service
+ *
+ * Self-service helpers for logged-in admins — change their own password,
+ * edit their own profile. Never accepts an `actor` vs `target` distinction:
+ * these operations always act on the caller themselves, enforced by the
+ * API layer passing `session.user.id` as the adminId.
+ *
+ * # What these do that admin-service.ts doesn't
+ *
+ * `admin-service.ts` has the raw CRUD helpers (`updateAdmin`,
+ * `updateAdminPassword`). Those are called from multiple contexts —
+ * forgot-password flow, invite acceptance, emergency reset, user-management
+ * actions. This file wraps them in self-service semantics:
+ *
+ *   1. `changeOwnPassword` requires the current password as proof of
+ *      identity. Mere session possession isn't enough — we want defense
+ *      against "attacker on coffee shop laptop" scenarios where the
+ *      session cookie is borrowed.
+ *
+ *   2. `updateOwnProfile` checks email uniqueness against every other
+ *      admin (not just-not-self) before persisting, to surface clean
+ *      error codes to the caller.
+ *
+ * Both helpers return typed discriminated unions — they never throw on
+ * business errors, only on unexpected infra failures (DB connectivity,
+ * which the API layer catches).
+ */
+import { eq, and, ne } from 'drizzle-orm';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { verifyPassword, validatePassword } from '../../auth/server/password';
+import { findAdminById, updateAdminPassword, updateAdmin } from './admin-service';
+import { deleteAdminPasswordResetTokens } from './admin-password-reset';
+import { invalidateAdminSession } from './admin-session';
+// =============================================================================
+// Change own password
+// =============================================================================
+/**
+ * Change the logged-in admin's password.
+ *
+ * Requires the current password as proof of identity. Validates the new
+ * password via the shared `validatePassword` helper (min 8 chars). On
+ * success, bumps `session_version` (via `updateAdminPassword`), cleans up
+ * any stale reset tokens, and invalidates the in-memory session cache so
+ * other active sessions for this admin are kicked out on their next
+ * request.
+ *
+ * The admin's CURRENT session (the one that initiated this change) also
+ * carries a now-stale `sessionVersion` JWT claim, which means the next
+ * request from that session will also fail `requireAdmin`'s version
+ * check → forced logout. That's correct behavior: after a password
+ * rotation, the user must re-authenticate with the new password.
+ *
+ * If that's undesirable (the UI would need to immediately re-sign-in),
+ * the API handler can call `nextAuthSignIn` server-side after a
+ * successful change. For Phase 4, we accept the forced re-login as the
+ * honest behavior.
+ */
+export async function changeOwnPassword(adminId, currentPassword, newPassword) {
+    // 1. Load the current admin
+    const admin = await findAdminById(adminId);
+    if (!admin) {
+        return {
+            ok: false,
+            error: { code: 'NOT_FOUND', message: 'Admin not found.' },
+        };
+    }
+    // 2. No password on file → invited admin can't self-service
+    if (!admin.passwordHash) {
+        return {
+            ok: false,
+            error: {
+                code: 'INVALID_CREDENTIALS',
+                message: 'Current password is incorrect.',
+            },
+        };
+    }
+    // 3. Verify current password — same generic error message on failure
+    // so we never reveal whether the account exists or is in a weird state.
+    const isValid = await verifyPassword(currentPassword, admin.passwordHash);
+    if (!isValid) {
+        return {
+            ok: false,
+            error: {
+                code: 'INVALID_CREDENTIALS',
+                message: 'Current password is incorrect.',
+            },
+        };
+    }
+    // 4. Validate new password strength
+    const check = validatePassword(newPassword);
+    if (!check.valid) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: check.error || 'Invalid new password.',
+            },
+        };
+    }
+    // 5. Update (bumps session_version internally)
+    await updateAdminPassword(adminId, newPassword);
+    // 6. Defensive cleanup — any stale reset tokens shouldn't grant
+    // post-rotation access.
+    await deleteAdminPasswordResetTokens(adminId);
+    // 7. Flush the 30s per-admin status cache so the next request reads
+    // the new session_version immediately.
+    invalidateAdminSession(adminId);
+    return { ok: true };
+}
+// =============================================================================
+// Update own profile
+// =============================================================================
+/**
+ * Update the logged-in admin's name and/or email.
+ *
+ * Email uniqueness is checked against every OTHER admin (not self). If
+ * both fields are omitted, returns a VALIDATION_ERROR so the caller gets
+ * a clean error rather than a silent no-op.
+ *
+ * Changing email does NOT require a separate re-verification — the admin
+ * is already authenticated and the client-side confirmation dialog in
+ * `AdminAccountPage` warns them about the forgot-password implication.
+ *
+ * No sessionVersion bump — profile changes don't invalidate sessions.
+ */
+export async function updateOwnProfile(adminId, data) {
+    const name = typeof data.name === 'string' ? data.name.trim() : undefined;
+    const email = typeof data.email === 'string' ? data.email.trim().toLowerCase() : undefined;
+    if (name === undefined && email === undefined) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Provide at least one field to update (name or email).',
+            },
+        };
+    }
+    // Validate name length (if provided)
+    if (name !== undefined && name.length < 2) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Name must be at least 2 characters.',
+            },
+        };
+    }
+    // Validate email format (if provided)
+    if (email !== undefined && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Please enter a valid email address.',
+            },
+        };
+    }
+    // Email uniqueness — only if email is being changed
+    if (email !== undefined) {
+        const db = getDb();
+        const [collision] = await db
+            .select({ id: schema.storeAdmins.id })
+            .from(schema.storeAdmins)
+            .where(and(eq(schema.storeAdmins.email, email), ne(schema.storeAdmins.id, adminId)))
+            .limit(1);
+        if (collision) {
+            return {
+                ok: false,
+                error: {
+                    code: 'EMAIL_EXISTS',
+                    message: 'Another admin already uses this email.',
+                },
+            };
+        }
+    }
+    // Delegate to the shared helper
+    const updated = await updateAdmin(adminId, { name, email });
+    if (!updated) {
+        return {
+            ok: false,
+            error: { code: 'NOT_FOUND', message: 'Admin not found.' },
+        };
+    }
+    return { ok: true, admin: updated };
+}
+//# sourceMappingURL=admin-self-service.js.map

package/dist/admin/server/admin-self-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-self-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-self-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AACjF,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAA;AACvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAA;AAwBxD,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAe,EACf,eAAuB,EACvB,WAAmB;IAEnB,4BAA4B;IAC5B,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAA;IAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE;SAC1D,CAAA;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC;aAC1C;SACF,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,wEAAwE;IACxE,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,eAAe,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IACzE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC;aAC1C;SACF,CAAA;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,uBAAuB;aAChD;SACF,CAAA;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,mBAAmB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAE/C,gEAAgE;IAChE,wBAAwB;IACxB,MAAM,8BAA8B,CAAC,OAAO,CAAC,CAAA;IAE7C,oEAAoE;IACpE,uCAAuC;IACvC,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAE/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACrB,CAAC;AAED,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAe,EACf,IAAuC;IAEvC,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IACzE,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IAE1F,IAAI,IAAI,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,uDAAuD;aACjE;SACF,CAAA;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC;aAC/C;SACF,CAAA;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC;aAC/C;SACF,CAAA;IACH,CAAC;IAED,oDAAoD;IACpD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;QAClB,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,EAAE;aACzB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;aACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,EACnC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CACnC,CACF;aACA,KAAK,CAAC,CAAC,CAAC,CAAA;QAEX,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,wCAAwC;iBAClD;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE;SAC1D,CAAA;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;AACrC,CAAC"}

package/dist/admin/server/admin-service.d.ts

@@ -0,0 +1,131 @@
+/**
+ * @rovela/sdk/admin/server/admin-service
+ *
+ * Admin CRUD operations.
+ * Each store has its own database (via Neon branches) - no tenant isolation needed.
+ */
+import * as schema from '../../core/db/schema';
+import type { AdminSession } from '../types';
+import type { AdminRole } from '../../core/types';
+export interface CreateAdminResult {
+    admin: schema.StoreAdmin;
+}
+export interface AuthenticateAdminResult {
+    success: true;
+    admin: schema.StoreAdmin;
+}
+export interface AuthenticateAdminError {
+    success: false;
+    error: string;
+    code: 'INVALID_CREDENTIALS' | 'ADMIN_NOT_FOUND';
+}
+/**
+ * Authenticate an admin by email and password.
+ *
+ * @param email - Admin email
+ * @param password - Plain text password
+ * @returns Authentication result
+ *
+ * @example
+ * ```typescript
+ * const result = await authenticateAdmin('admin@store.com', 'password123')
+ * if (result.success) {
+ *   console.log('Authenticated:', result.admin.email)
+ * } else {
+ *   console.log('Failed:', result.error)
+ * }
+ * ```
+ */
+export declare function authenticateAdmin(email: string, password: string): Promise<AuthenticateAdminResult | AuthenticateAdminError>;
+/**
+ * Create a new admin account.
+ * Password is hashed before storage.
+ *
+ * @param email - Admin email (will be lowercased)
+ * @param password - Plain text password (min 8 chars)
+ * @param name - Admin name
+ * @param role - Admin role (defaults to 'owner' for the bootstrap admin)
+ * @returns Created admin
+ * @throws Error if email already exists
+ *
+ * @example
+ * ```typescript
+ * const { admin } = await createAdmin(
+ *   'admin@store.com',
+ *   'securePassword123',
+ *   'Store Owner',
+ *   'owner'
+ * )
+ * ```
+ */
+export declare function createAdmin(email: string, password: string, name: string, role?: AdminRole): Promise<CreateAdminResult>;
+/**
+ * Get admin data for session (excludes sensitive fields).
+ *
+ * @param adminId - Admin UUID
+ * @returns Admin session data or null if not found
+ *
+ * @example
+ * ```typescript
+ * const session = await findAdminForSession(adminId)
+ * if (session) {
+ *   console.log('Admin:', session.email)
+ * }
+ * ```
+ */
+export declare function findAdminForSession(adminId: string): Promise<AdminSession | null>;
+/**
+ * Find an admin by email.
+ *
+ * @param email - Admin email
+ * @returns Admin or null if not found
+ */
+export declare function findAdminByEmail(email: string): Promise<schema.StoreAdmin | null>;
+/**
+ * Find an admin by ID.
+ *
+ * @param adminId - Admin UUID
+ * @returns Admin or null if not found
+ */
+export declare function findAdminById(adminId: string): Promise<schema.StoreAdmin | null>;
+/**
+ * Update admin profile information.
+ *
+ * @param adminId - Admin UUID
+ * @param data - Fields to update
+ * @returns Updated admin
+ *
+ * @example
+ * ```typescript
+ * const updated = await updateAdmin(adminId, { name: 'New Name' })
+ * ```
+ */
+export declare function updateAdmin(adminId: string, data: {
+    name?: string;
+    email?: string;
+}): Promise<schema.StoreAdmin | null>;
+/**
+ * Update admin password.
+ *
+ * @param adminId - Admin UUID
+ * @param newPassword - New plain text password
+ *
+ * @example
+ * ```typescript
+ * await updateAdminPassword(adminId, 'newSecurePassword123')
+ * ```
+ */
+export declare function updateAdminPassword(adminId: string, newPassword: string): Promise<void>;
+/**
+ * Check if email is already registered as an admin.
+ *
+ * @param email - Email to check
+ * @returns True if email exists
+ */
+export declare function adminEmailExists(email: string): Promise<boolean>;
+/**
+ * Get the count of admins.
+ * Used to check if this is the first admin (should be owner).
+ */
+export declare function countAdmins(): Promise<number>;
+//# sourceMappingURL=admin-service.d.ts.map

package/dist/admin/server/admin-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAC5C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AAMjD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,IAAI,CAAA;IACb,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,KAAK,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,CAAA;CAChD;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,sBAAsB,CAAC,CAyD3D;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,SAAmB,GACxB,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB9B;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAyBnC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAQnD"}

package/dist/admin/server/admin-service.js

@@ -0,0 +1,278 @@
+/**
+ * @rovela/sdk/admin/server/admin-service
+ *
+ * Admin CRUD operations.
+ * Each store has its own database (via Neon branches) - no tenant isolation needed.
+ */
+import { eq, sql } from 'drizzle-orm';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { hashPassword, verifyPassword } from '../../auth/server/password';
+// =============================================================================
+// Admin Authentication
+// =============================================================================
+/**
+ * Authenticate an admin by email and password.
+ *
+ * @param email - Admin email
+ * @param password - Plain text password
+ * @returns Authentication result
+ *
+ * @example
+ * ```typescript
+ * const result = await authenticateAdmin('admin@store.com', 'password123')
+ * if (result.success) {
+ *   console.log('Authenticated:', result.admin.email)
+ * } else {
+ *   console.log('Failed:', result.error)
+ * }
+ * ```
+ */
+export async function authenticateAdmin(email, password) {
+    const db = getDb();
+    // Find admin by email
+    const [admin] = await db
+        .select()
+        .from(schema.storeAdmins)
+        .where(eq(schema.storeAdmins.email, email.toLowerCase().trim()))
+        .limit(1);
+    if (!admin) {
+        return {
+            success: false,
+            error: 'Invalid email or password',
+            code: 'INVALID_CREDENTIALS',
+        };
+    }
+    // Block 'deactivated' and 'invited' admins. 'invited' admins have no
+    // password hash yet (they must accept their invite first); 'deactivated'
+    // admins are blocked entirely. Return the same generic error message as
+    // wrong-password so we don't reveal account state.
+    const adminStatus = admin.status ?? 'active';
+    if (adminStatus !== 'active' || !admin.passwordHash) {
+        return {
+            success: false,
+            error: 'Invalid email or password',
+            code: 'INVALID_CREDENTIALS',
+        };
+    }
+    // Verify password
+    const isValidPassword = await verifyPassword(password, admin.passwordHash);
+    if (!isValidPassword) {
+        return {
+            success: false,
+            error: 'Invalid email or password',
+            code: 'INVALID_CREDENTIALS',
+        };
+    }
+    // Stamp last_login_at on every successful authentication. Fire-and-forget
+    // pattern: a DB failure here must not block login. We also mirror the new
+    // timestamp onto the returned `admin` object so callers see the fresh
+    // value without an extra round-trip.
+    const loginAt = new Date();
+    try {
+        await db
+            .update(schema.storeAdmins)
+            .set({ lastLoginAt: loginAt })
+            .where(eq(schema.storeAdmins.id, admin.id));
+        admin.lastLoginAt = loginAt;
+    }
+    catch (err) {
+        console.error('[authenticateAdmin] Failed to stamp last_login_at:', err);
+    }
+    return { success: true, admin };
+}
+// =============================================================================
+// Admin CRUD
+// =============================================================================
+/**
+ * Create a new admin account.
+ * Password is hashed before storage.
+ *
+ * @param email - Admin email (will be lowercased)
+ * @param password - Plain text password (min 8 chars)
+ * @param name - Admin name
+ * @param role - Admin role (defaults to 'owner' for the bootstrap admin)
+ * @returns Created admin
+ * @throws Error if email already exists
+ *
+ * @example
+ * ```typescript
+ * const { admin } = await createAdmin(
+ *   'admin@store.com',
+ *   'securePassword123',
+ *   'Store Owner',
+ *   'owner'
+ * )
+ * ```
+ */
+export async function createAdmin(email, password, name, role = 'owner') {
+    const db = getDb();
+    // Hash password
+    const passwordHash = await hashPassword(password);
+    try {
+        const [admin] = await db
+            .insert(schema.storeAdmins)
+            .values({
+            email: email.toLowerCase().trim(),
+            name: name.trim(),
+            passwordHash,
+            role,
+        })
+            .returning();
+        return { admin };
+    }
+    catch (error) {
+        // Check for unique constraint violation
+        const err = error;
+        if (err.code === '23505' || err.cause?.code === '23505') {
+            throw new Error('An admin with this email already exists');
+        }
+        throw error;
+    }
+}
+/**
+ * Get admin data for session (excludes sensitive fields).
+ *
+ * @param adminId - Admin UUID
+ * @returns Admin session data or null if not found
+ *
+ * @example
+ * ```typescript
+ * const session = await findAdminForSession(adminId)
+ * if (session) {
+ *   console.log('Admin:', session.email)
+ * }
+ * ```
+ */
+export async function findAdminForSession(adminId) {
+    const db = getDb();
+    const [admin] = await db
+        .select({
+        id: schema.storeAdmins.id,
+        email: schema.storeAdmins.email,
+        name: schema.storeAdmins.name,
+        role: schema.storeAdmins.role,
+    })
+        .from(schema.storeAdmins)
+        .where(eq(schema.storeAdmins.id, adminId))
+        .limit(1);
+    if (!admin) {
+        return null;
+    }
+    return {
+        id: admin.id,
+        email: admin.email,
+        name: admin.name,
+        role: admin.role,
+    };
+}
+/**
+ * Find an admin by email.
+ *
+ * @param email - Admin email
+ * @returns Admin or null if not found
+ */
+export async function findAdminByEmail(email) {
+    const db = getDb();
+    const [admin] = await db
+        .select()
+        .from(schema.storeAdmins)
+        .where(eq(schema.storeAdmins.email, email.toLowerCase().trim()))
+        .limit(1);
+    return admin || null;
+}
+/**
+ * Find an admin by ID.
+ *
+ * @param adminId - Admin UUID
+ * @returns Admin or null if not found
+ */
+export async function findAdminById(adminId) {
+    const db = getDb();
+    const [admin] = await db
+        .select()
+        .from(schema.storeAdmins)
+        .where(eq(schema.storeAdmins.id, adminId))
+        .limit(1);
+    return admin || null;
+}
+/**
+ * Update admin profile information.
+ *
+ * @param adminId - Admin UUID
+ * @param data - Fields to update
+ * @returns Updated admin
+ *
+ * @example
+ * ```typescript
+ * const updated = await updateAdmin(adminId, { name: 'New Name' })
+ * ```
+ */
+export async function updateAdmin(adminId, data) {
+    const db = getDb();
+    const updateData = {};
+    if (data.name !== undefined) {
+        updateData.name = data.name.trim();
+    }
+    if (data.email !== undefined) {
+        updateData.email = data.email.toLowerCase().trim();
+    }
+    if (Object.keys(updateData).length === 0) {
+        // Nothing to update, return current admin
+        return findAdminById(adminId);
+    }
+    const [admin] = await db
+        .update(schema.storeAdmins)
+        .set(updateData)
+        .where(eq(schema.storeAdmins.id, adminId))
+        .returning();
+    return admin || null;
+}
+/**
+ * Update admin password.
+ *
+ * @param adminId - Admin UUID
+ * @param newPassword - New plain text password
+ *
+ * @example
+ * ```typescript
+ * await updateAdminPassword(adminId, 'newSecurePassword123')
+ * ```
+ */
+export async function updateAdminPassword(adminId, newPassword) {
+    const db = getDb();
+    const passwordHash = await hashPassword(newPassword);
+    // Bump session_version atomically so all existing JWTs for this admin
+    // are invalidated on their next request. Every caller (self-service,
+    // forgot-password reset, accept-invite, emergency reset) gets this
+    // invalidation semantics consistently.
+    await db
+        .update(schema.storeAdmins)
+        .set({
+        passwordHash,
+        sessionVersion: sql `${schema.storeAdmins.sessionVersion} + 1`,
+    })
+        .where(eq(schema.storeAdmins.id, adminId));
+}
+/**
+ * Check if email is already registered as an admin.
+ *
+ * @param email - Email to check
+ * @returns True if email exists
+ */
+export async function adminEmailExists(email) {
+    const admin = await findAdminByEmail(email);
+    return !!admin;
+}
+/**
+ * Get the count of admins.
+ * Used to check if this is the first admin (should be owner).
+ */
+export async function countAdmins() {
+    const db = getDb();
+    const result = await db
+        .select({ id: schema.storeAdmins.id })
+        .from(schema.storeAdmins);
+    return result.length;
+}
+//# sourceMappingURL=admin-service.js.map

package/dist/admin/server/admin-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAuBzE,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,QAAgB;IAEhB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,sBAAsB;IACtB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,mDAAmD;IACnD,MAAM,WAAW,GAAI,KAA6B,CAAC,MAAM,IAAI,QAAQ,CAAA;IACrE,IAAI,WAAW,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,qBAAqB;SAC5B,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,0EAA0E;IAC1E,sEAAsE;IACtE,qCAAqC;IACrC,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAA;IAC1B,IAAI,CAAC;QACH,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,GAAG,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;aAC7B,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAC5C;QAAC,KAAuC,CAAC,WAAW,GAAG,OAAO,CAAA;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oDAAoD,EAAE,GAAG,CAAC,CAAA;IAC1E,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,QAAgB,EAChB,IAAY,EACZ,OAAkB,OAAO;IAEzB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,gBAAgB;IAChB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEjD,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;aACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;aAC1B,MAAM,CAAC;YACN,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;YACjC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;YACjB,YAAY;YACZ,IAAI;SACL,CAAC;aACD,SAAS,EAAE,CAAA;QAEd,OAAO,EAAE,KAAK,EAAE,CAAA;IAClB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,wCAAwC;QACxC,MAAM,GAAG,GAAG,KAAqD,CAAA;QACjE,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;QAC5D,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC;QACN,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;QAC/B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;QAC7B,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;KAC9B,CAAC;SACD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa;IAEb,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAC/D,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;SACxB,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,IAAuC;IAEvC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,UAAU,GAAkC,EAAE,CAAA;IAEpD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACpC,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,UAAU,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,0CAA0C;QAC1C,OAAO,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE;SACrB,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC,UAAU,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;SACzC,SAAS,EAAE,CAAA;IAEd,OAAO,KAAK,IAAI,IAAI,CAAA;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAA;IAEpD,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;SAC1B,GAAG,CAAC;QACH,YAAY;QACZ,cAAc,EAAE,GAAG,CAAA,GAAG,MAAM,CAAC,WAAW,CAAC,cAAc,MAAM;KAC9D,CAAC;SACD,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa;IAClD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;SACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE3B,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}