@scryan7371/sdr-security 0.1.1 → 0.1.2

package/src/nest/security-workflows.service.test.ts

@@ -0,0 +1,232 @@
+import { NotFoundException } from "@nestjs/common";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { SecurityWorkflowsService } from "./security-workflows.service";
+
+const makeRepo = () => ({
+  update: vi.fn(async () => ({ affected: 1 })),
+  findOne: vi.fn(),
+  find: vi.fn(async (): Promise<Array<Record<string, unknown>>> => []),
+  save: vi.fn(async (value: any) => value),
+  create: vi.fn((value: any) => value),
+  delete: vi.fn(async () => ({ affected: 1 })),
+  createQueryBuilder: vi.fn(),
+});
+
+const makeNotifier = () => ({
+  sendAdminsUserEmailVerified: vi.fn(async () => undefined),
+  sendUserAccountApproved: vi.fn(async () => undefined),
+});
+
+const makeUser = () => ({
+  id: "user-1",
+  email: "user@example.com",
+  firstName: "A",
+  lastName: "B",
+  isActive: true,
+});
+
+const setup = () => {
+  const usersRepo = makeRepo();
+  const rolesRepo = makeRepo();
+  const userRolesRepo = makeRepo();
+  const notifier = makeNotifier();
+
+  const service = new SecurityWorkflowsService(
+    usersRepo as never,
+    rolesRepo as never,
+    userRolesRepo as never,
+    notifier as never,
+  );
+
+  return { service, usersRepo, rolesRepo, userRolesRepo, notifier };
+};
+
+describe("SecurityWorkflowsService", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("marks email verified and notifies admins", async () => {
+    const { service, usersRepo, userRolesRepo, notifier } = setup();
+    usersRepo.findOne.mockResolvedValue(makeUser());
+
+    const getRawMany = vi
+      .fn()
+      .mockResolvedValue([{ email: "admin@example.com" }]);
+    const qb = {
+      innerJoin: vi.fn().mockReturnThis(),
+      where: vi.fn().mockReturnThis(),
+      andWhere: vi.fn().mockReturnThis(),
+      select: vi.fn().mockReturnThis(),
+      getRawMany,
+    };
+    userRolesRepo.createQueryBuilder.mockReturnValue(qb);
+
+    const result = await service.markEmailVerifiedAndNotifyAdmins("user-1");
+
+    expect(result).toEqual({
+      success: true,
+      notified: true,
+      adminEmails: ["admin@example.com"],
+    });
+    expect(notifier.sendAdminsUserEmailVerified).toHaveBeenCalled();
+  });
+
+  it("returns not-notified when no admins are present", async () => {
+    const { service, usersRepo, userRolesRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(makeUser());
+
+    const qb = {
+      innerJoin: vi.fn().mockReturnThis(),
+      where: vi.fn().mockReturnThis(),
+      andWhere: vi.fn().mockReturnThis(),
+      select: vi.fn().mockReturnThis(),
+      getRawMany: vi.fn().mockResolvedValue([]),
+    };
+    userRolesRepo.createQueryBuilder.mockReturnValue(qb);
+
+    await expect(
+      service.markEmailVerifiedAndNotifyAdmins("user-1"),
+    ).resolves.toEqual({ success: true, notified: false, adminEmails: [] });
+  });
+
+  it("throws when user is missing during verification flow", async () => {
+    const { service, usersRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(null);
+
+    await expect(
+      service.markEmailVerifiedAndNotifyAdmins("missing"),
+    ).rejects.toBeInstanceOf(NotFoundException);
+  });
+
+  it("handles admin approval notifications", async () => {
+    const { service, usersRepo, notifier } = setup();
+    usersRepo.findOne.mockResolvedValue(makeUser());
+
+    await expect(
+      service.setAdminApprovalAndNotifyUser("user-1", false),
+    ).resolves.toEqual({ success: true, notified: false });
+
+    await expect(
+      service.setAdminApprovalAndNotifyUser("user-1", true),
+    ).resolves.toEqual({ success: true, notified: true });
+
+    expect(notifier.sendUserAccountApproved).toHaveBeenCalledWith({
+      email: "user@example.com",
+      firstName: "A",
+    });
+  });
+
+  it("throws when approval target user is missing", async () => {
+    const { service, usersRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(null);
+
+    await expect(
+      service.setAdminApprovalAndNotifyUser("missing", true),
+    ).rejects.toBeInstanceOf(NotFoundException);
+  });
+
+  it("manages role catalog and protected role removal", async () => {
+    const { service, rolesRepo, userRolesRepo } = setup();
+    rolesRepo.find.mockResolvedValue([
+      { roleKey: "ADMIN", description: null, isSystem: true },
+    ]);
+
+    await expect(service.listRoles()).resolves.toEqual([
+      { role: "ADMIN", description: null, isSystem: true },
+    ]);
+
+    rolesRepo.findOne.mockResolvedValue(null);
+    rolesRepo.find
+      .mockResolvedValueOnce([])
+      .mockResolvedValueOnce([
+        { roleKey: "COACH", description: null, isSystem: false },
+      ]);
+    await service.createRole("coach", " Coach ");
+    expect(rolesRepo.save).toHaveBeenCalled();
+
+    rolesRepo.findOne.mockResolvedValue({
+      id: "r1",
+      roleKey: "ADMIN",
+      isSystem: true,
+    });
+    await expect(service.removeRole("ADMIN")).resolves.toEqual({
+      success: false,
+    });
+
+    rolesRepo.findOne.mockResolvedValue({
+      id: "r2",
+      roleKey: "COACH",
+      isSystem: false,
+    });
+    await expect(service.removeRole("COACH")).resolves.toEqual({
+      success: true,
+    });
+    expect(userRolesRepo.delete).toHaveBeenCalledWith({ roleId: "r2" });
+  });
+
+  it("gets and sets user roles", async () => {
+    const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(makeUser());
+    userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
+    rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "ADMIN" }]);
+
+    await expect(service.getUserRoles("user-1")).resolves.toEqual({
+      userId: "user-1",
+      roles: ["ADMIN"],
+    });
+
+    rolesRepo.find
+      .mockResolvedValueOnce([{ roleKey: "ADMIN" }])
+      .mockResolvedValueOnce([{ id: "r1", roleKey: "ADMIN" }]);
+    await expect(
+      service.setUserRoles("user-1", ["admin", "admin"]),
+    ).resolves.toEqual({
+      userId: "user-1",
+      roles: ["ADMIN"],
+    });
+    expect(userRolesRepo.save).toHaveBeenCalled();
+  });
+
+  it("assigns and removes role from user", async () => {
+    const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(makeUser());
+
+    userRolesRepo.find.mockResolvedValue([]);
+    rolesRepo.find.mockResolvedValue([]);
+    await service.assignRoleToUser("user-1", "coach");
+
+    userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
+    rolesRepo.find
+      .mockResolvedValueOnce([{ id: "r1", roleKey: "COACH" }])
+      .mockResolvedValueOnce([]);
+    await service.removeRoleFromUser("user-1", "coach");
+
+    expect(userRolesRepo.delete).toHaveBeenCalledWith({ userId: "user-1" });
+  });
+
+  it("sets user active state", async () => {
+    const { service, usersRepo } = setup();
+    await expect(service.setUserActive("user-1", false)).resolves.toEqual({
+      success: true,
+      userId: "user-1",
+      active: false,
+    });
+    expect(usersRepo.update).toHaveBeenCalledWith(
+      { id: "user-1" },
+      { isActive: false },
+    );
+  });
+
+  it("throws when role operations target missing user", async () => {
+    const { service, usersRepo } = setup();
+    usersRepo.findOne.mockResolvedValue(null);
+
+    await expect(service.getUserRoles("missing")).rejects.toBeInstanceOf(
+      NotFoundException,
+    );
+    await expect(
+      service.setUserRoles("missing", ["ADMIN"]),
+    ).rejects.toBeInstanceOf(NotFoundException);
+  });
+});

package/src/nest/security-workflows.service.ts

@@ -0,0 +1,215 @@
+import { Inject, Injectable, NotFoundException } from "@nestjs/common";
+import { InjectRepository } from "@nestjs/typeorm";
+import { In, Repository } from "typeorm";
+import { ADMIN_ROLE } from "../api/contracts";
+import { normalizeRoleName } from "../api/roles";
+import { AppUserEntity } from "./entities/app-user.entity";
+import { SecurityRoleEntity } from "./entities/security-role.entity";
+import { SecurityUserRoleEntity } from "./entities/security-user-role.entity";
+import { SecurityWorkflowNotifier } from "./contracts";
+import { SECURITY_WORKFLOW_NOTIFIER } from "./tokens";
+
+@Injectable()
+export class SecurityWorkflowsService {
+  constructor(
+    @InjectRepository(AppUserEntity)
+    private readonly usersRepo: Repository<AppUserEntity>,
+    @InjectRepository(SecurityRoleEntity)
+    private readonly rolesRepo: Repository<SecurityRoleEntity>,
+    @InjectRepository(SecurityUserRoleEntity)
+    private readonly userRolesRepo: Repository<SecurityUserRoleEntity>,
+    @Inject(SECURITY_WORKFLOW_NOTIFIER)
+    private readonly notifier: SecurityWorkflowNotifier,
+  ) {}
+
+  async markEmailVerifiedAndNotifyAdmins(userId: string) {
+    await this.usersRepo.update(
+      { id: userId },
+      { emailVerifiedAt: new Date(), emailVerificationToken: null },
+    );
+
+    const user = await this.usersRepo.findOne({ where: { id: userId } });
+    if (!user) {
+      throw new NotFoundException("User not found");
+    }
+
+    const adminEmails = await this.listAdminEmails();
+    if (adminEmails.length === 0) {
+      return { success: true as const, notified: false as const, adminEmails };
+    }
+
+    await this.notifier.sendAdminsUserEmailVerified({
+      adminEmails,
+      user: {
+        id: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName,
+      },
+    });
+
+    return { success: true as const, notified: true as const, adminEmails };
+  }
+
+  async setAdminApprovalAndNotifyUser(userId: string, approved: boolean) {
+    await this.usersRepo.update(
+      { id: userId },
+      { adminApprovedAt: approved ? new Date() : null },
+    );
+
+    const user = await this.usersRepo.findOne({ where: { id: userId } });
+    if (!user) {
+      throw new NotFoundException("User not found");
+    }
+
+    if (!approved) {
+      return { success: true as const, notified: false as const };
+    }
+
+    await this.notifier.sendUserAccountApproved({
+      email: user.email,
+      firstName: user.firstName,
+    });
+
+    return { success: true as const, notified: true as const };
+  }
+
+  async listAdminEmails() {
+    const rows = await this.userRolesRepo
+      .createQueryBuilder("userRole")
+      .innerJoin("security_role", "role", "role.id = userRole.role_id")
+      .innerJoin("app_user", "user", "user.id = userRole.user_id")
+      .where("role.role_key = :roleKey", { roleKey: ADMIN_ROLE })
+      .andWhere("user.is_active = :isActive", { isActive: true })
+      .select("DISTINCT user.email", "email")
+      .getRawMany<{ email: string }>();
+
+    return rows.map((row) => row.email).filter(Boolean);
+  }
+
+  async listRoles() {
+    const roles = await this.rolesRepo.find({ order: { roleKey: "ASC" } });
+    return roles.map((role) => ({
+      role: role.roleKey,
+      description: role.description,
+      isSystem: role.isSystem,
+    }));
+  }
+
+  async createRole(roleName: string, description?: string | null) {
+    const roleKey = normalizeRoleName(roleName);
+    let role = await this.rolesRepo.findOne({ where: { roleKey } });
+    if (!role) {
+      role = this.rolesRepo.create({
+        roleKey,
+        description: description?.trim() || null,
+        isSystem: roleKey === ADMIN_ROLE,
+      });
+      await this.rolesRepo.save(role);
+    } else if (description !== undefined) {
+      role.description = description?.trim() || null;
+      await this.rolesRepo.save(role);
+    }
+
+    return this.listRoles();
+  }
+
+  async removeRole(roleName: string) {
+    const roleKey = normalizeRoleName(roleName);
+    const role = await this.rolesRepo.findOne({ where: { roleKey } });
+    if (!role || role.isSystem || role.roleKey === ADMIN_ROLE) {
+      return { success: false as const };
+    }
+
+    await this.userRolesRepo.delete({ roleId: role.id });
+    await this.rolesRepo.delete({ id: role.id });
+    return { success: true as const };
+  }
+
+  async getUserRoles(userId: string) {
+    await this.assertUserExists(userId);
+    const assignments = await this.userRolesRepo.find({ where: { userId } });
+    if (assignments.length === 0) {
+      return { userId, roles: [] as string[] };
+    }
+    const roleIds = assignments.map((assignment) => assignment.roleId);
+    const roles = await this.rolesRepo.find({
+      where: { id: In(roleIds) },
+      order: { roleKey: "ASC" },
+    });
+    return { userId, roles: roles.map((role) => role.roleKey) };
+  }
+
+  async setUserRoles(userId: string, roleNames: string[]) {
+    await this.assertUserExists(userId);
+    const normalized = [...new Set(roleNames.map(normalizeRoleName))];
+    await this.ensureRoles(normalized);
+    const roles = normalized.length
+      ? await this.rolesRepo.find({ where: { roleKey: In(normalized) } })
+      : [];
+
+    await this.userRolesRepo.delete({ userId });
+    if (roles.length > 0) {
+      await this.userRolesRepo.save(
+        roles.map((role) =>
+          this.userRolesRepo.create({
+            userId,
+            roleId: role.id,
+          }),
+        ),
+      );
+    }
+    return { userId, roles: normalized };
+  }
+
+  async assignRoleToUser(userId: string, roleName: string) {
+    const existing = await this.getUserRoles(userId);
+    const nextRoles = [
+      ...new Set([...existing.roles, normalizeRoleName(roleName)]),
+    ];
+    return this.setUserRoles(userId, nextRoles);
+  }
+
+  async removeRoleFromUser(userId: string, roleName: string) {
+    const normalized = normalizeRoleName(roleName);
+    const existing = await this.getUserRoles(userId);
+    const nextRoles = existing.roles.filter((role) => role !== normalized);
+    return this.setUserRoles(userId, nextRoles);
+  }
+
+  async setUserActive(userId: string, active: boolean) {
+    await this.usersRepo.update({ id: userId }, { isActive: active });
+    return { success: true as const, userId, active };
+  }
+
+  private async assertUserExists(userId: string) {
+    const user = await this.usersRepo.findOne({ where: { id: userId } });
+    if (!user) {
+      throw new NotFoundException("User not found");
+    }
+    return user;
+  }
+
+  private async ensureRoles(roleKeys: string[]) {
+    if (roleKeys.length === 0) {
+      return;
+    }
+    const existing = await this.rolesRepo.find({
+      where: { roleKey: In(roleKeys) },
+    });
+    const existingSet = new Set(existing.map((role) => role.roleKey));
+    const missing = roleKeys.filter((roleKey) => !existingSet.has(roleKey));
+    if (missing.length === 0) {
+      return;
+    }
+    await this.rolesRepo.save(
+      missing.map((roleKey) =>
+        this.rolesRepo.create({
+          roleKey,
+          description: null,
+          isSystem: roleKey === ADMIN_ROLE,
+        }),
+      ),
+    );
+  }
+}

package/src/nest/swagger.test.ts

@@ -0,0 +1,27 @@
+import { describe, expect, it, vi } from "vitest";
+import { setupSecuritySwagger } from "./swagger";
+import { SwaggerModule } from "@nestjs/swagger";
+
+describe("setupSecuritySwagger", () => {
+  it("creates swagger document and mounts UI", () => {
+    const app = {} as any;
+    const document = { openapi: "3.0.0" } as any;
+
+    const createSpy = vi
+      .spyOn(SwaggerModule, "createDocument")
+      .mockReturnValue(document);
+    const setupSpy = vi.spyOn(SwaggerModule, "setup").mockImplementation(() => {
+      return;
+    });
+
+    const result = setupSecuritySwagger(app, "docs/custom-security");
+
+    expect(createSpy).toHaveBeenCalled();
+    expect(setupSpy).toHaveBeenCalledWith(
+      "docs/custom-security",
+      app,
+      document,
+    );
+    expect(result).toBe(document);
+  });
+});

package/src/nest/swagger.ts

@@ -0,0 +1,18 @@
+import { INestApplication } from "@nestjs/common";
+import { DocumentBuilder, SwaggerModule } from "@nestjs/swagger";
+
+export const setupSecuritySwagger = (
+  app: INestApplication,
+  path = "docs/security",
+) => {
+  const config = new DocumentBuilder()
+    .setTitle("Security API")
+    .setDescription("Shared auth and security workflow endpoints")
+    .setVersion("1.0")
+    .addBearerAuth()
+    .build();
+
+  const document = SwaggerModule.createDocument(app, config);
+  SwaggerModule.setup(path, app, document);
+  return document;
+};

package/src/nest/tokens.ts

@@ -0,0 +1 @@
+export const SECURITY_WORKFLOW_NOTIFIER = Symbol("SECURITY_WORKFLOW_NOTIFIER");