@scryan7371/sdr-security 0.1.1 → 0.1.3

package/README.md

@@ -15,13 +15,153 @@ Use shared helpers/types in your API controllers/services where useful:
 - `isValidEmail`
 - `isStrongPassword`
 - `AuthResponse`, `RegisterResponse`, `SafeUser`
+- `notifyAdminsOnEmailVerified`
+- `notifyUserOnAdminApproval`
+
+## Nest Integration
+
+Import the Nest surface from `@scryan7371/sdr-security/nest`.
+
+```ts
+import { Module } from "@nestjs/common";
+import {
+  SecurityWorkflowsModule,
+  SECURITY_WORKFLOW_NOTIFIER,
+} from "@scryan7371/sdr-security/nest";
+import { EmailService } from "./notifications/email.service";
+
+@Module({
+  imports: [
+    SecurityWorkflowsModule.forRoot({
+      notifierProvider: {
+        provide: SECURITY_WORKFLOW_NOTIFIER,
+        useFactory: (emailService: EmailService) => ({
+          sendAdminsUserEmailVerified: ({ adminEmails, user }) =>
+            emailService.sendEmailVerifiedNotificationToAdmins(
+              adminEmails,
+              user,
+            ),
+          sendUserAccountApproved: ({ email }) =>
+            emailService.sendAccountApproved(email),
+        }),
+        inject: [EmailService],
+      },
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### User Table Ownership Model
+
+Consuming apps keep ownership of their own `app_user` table. `sdr-security`
+stores security/auth state in its own tables and links them by user id.
+
+- App-owned table:
+  - `app_user` (at minimum: `id`, `email`, plus any app-specific columns)
+- `sdr-security` tables:
+  - `security_user` (password hash, verified/approved/active flags)
+  - `security_identity` (provider links such as Google subject)
+  - `security_role`, `security_user_role`
+  - `refresh_token`
+  - `security_password_reset_token`
+
+Link key:
+
+- `security_* .user_id` -> `app_user.id`
+
+This lets each app evolve its user schema independently while reusing the same
+security workflows, guards, controllers, and migrations.
+
+Typical app query pattern is a join when you need security state:
+
+```sql
+SELECT u.id, u.email, su.is_active, su.admin_approved_at, su.email_verified_at
+FROM app_user u
+LEFT JOIN security_user su ON su.user_id = u.id
+WHERE u.id = $1;
+```
+
+Nest/TypeORM equivalent:
+
+```ts
+const row = await usersRepo
+  .createQueryBuilder("user")
+  .leftJoin("security_user", "securityUser", "securityUser.user_id = user.id")
+  .select("user.id", "id")
+  .addSelect("user.email", "email")
+  .addSelect("securityUser.is_active", "isActive")
+  .addSelect("securityUser.admin_approved_at", "adminApprovedAt")
+  .addSelect("securityUser.email_verified_at", "emailVerifiedAt")
+  .where("user.id = :id", { id: userId })
+  .getRawOne();
+```
+
+Optional Swagger setup in consuming app:
+
+```ts
+import { setupSecuritySwagger } from "@scryan7371/sdr-security/nest";
+
+setupSecuritySwagger(app); // default path: /docs/security
+```
+
+Routes exposed by the shared controller:
+
+- `POST /security/auth/register`
+- `POST /security/auth/login`
+- `POST /security/auth/forgot-password`
+- `POST /security/auth/reset-password`
+- `GET /security/auth/verify-email?token=...`
+- `POST /security/auth/change-password` (JWT required)
+- `POST /security/auth/logout` (JWT required)
+- `POST /security/auth/refresh`
+- `GET /security/auth/me/roles` (JWT required)
+- `POST /security/workflows/users/:id/email-verified`
+  - marks `email_verified_at` and notifies admins.
+- `PATCH /security/workflows/users/:id/admin-approval` with `{ approved: boolean }`
+  - updates `admin_approved_at` and notifies user when approved (admin JWT required).
+- `PATCH /security/workflows/users/:id/active` with `{ active: boolean }` (admin JWT required)
+- `GET /security/workflows/roles` (admin JWT required)
+- `POST /security/workflows/roles` (admin JWT required)
+- `DELETE /security/workflows/roles/:role` (admin JWT required)
+- `GET /security/workflows/users/:id/roles` (admin JWT required)
+- `PUT /security/workflows/users/:id/roles` (admin JWT required)
+- `POST /security/workflows/users/:id/roles` with `{ role: string }` (admin JWT required)
+- `DELETE /security/workflows/users/:id/roles/:role` (admin JWT required)
+
+### Shared notification workflows
+
+Use these helpers to standardize notification behavior across apps while still
+keeping app-specific email sending in your own services.
+
+```ts
+import { api as sdrSecurity } from "@scryan7371/sdr-security";
+
+await sdrSecurity.notifyAdminsOnEmailVerified({
+  user: {
+    id: user.id,
+    email: user.email,
+  },
+  listAdminEmails: () => usersService.listAdminEmails(),
+  notifyAdmins: ({ adminEmails, user }) =>
+    emailService.sendEmailVerifiedNotificationToAdmins(adminEmails, user),
+});
+
+await sdrSecurity.notifyUserOnAdminApproval({
+  approved: body.approved,
+  user: {
+    email: user.email,
+  },
+  notifyUser: ({ email }) => emailService.sendAccountApproved(email),
+});
+```
 
 ## App Integration
 
 Create one client per app session and reuse it across screens:
 
 ```ts
-import { app as sdrSecurity } from '@scryan7371/sdr-security';
+import { app as sdrSecurity } from "@scryan7371/sdr-security";
 
 const securityClient = sdrSecurity.createSecurityClient({
   baseUrl,
@@ -42,31 +182,94 @@ Methods:
 - `requestPhoneVerification`
 - `verifyPhone`
 
-## Private Registry Publish (GitHub Packages)
+## Publish (npmjs)
+
+1. Configure project-local npm auth (`.npmrc`):
 
-1. Set your token:
+```ini
+registry=https://registry.npmjs.org/
+@scryan7371:registry=https://registry.npmjs.org/
+//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+```
+
+2. Set token, bump version, and publish:
 
 ```bash
-export GITHUB_PACKAGES_TOKEN=ghp_xxx
+export NPM_TOKEN=xxxx
+npm version patch
+npm publish --access public --registry=https://registry.npmjs.org --userconfig .npmrc
 ```
 
-2. Publish:
+3. Push commit and tags:
 
 ```bash
-npm publish
+git push
+git push --tags
 ```
 
-## Install From Any Environment
+## CI Publish (GitHub Actions)
 
-1. Add auth to your consuming project's `.npmrc`:
+Tag pushes like `sdr-security-v*` trigger `.github/workflows/publish.yml`.
 
-```ini
-@scryan7371:registry=https://npm.pkg.github.com
-//npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN}
-```
+Required repo secret:
+
+- `NPM_TOKEN` (npm granular token with read/write + bypass 2FA for automation).
 
-2. Install a pinned version:
+## Install
+
+Install a pinned version:
 
 ```bash
 npm install @scryan7371/sdr-security@0.1.0
 ```
+
+## Database Integration Test
+
+A sample Postgres integration test is included at:
+
+- `src/integration/database.integration.test.ts`
+
+Run it with:
+
+```bash
+npm run test:db
+```
+
+Configuration resolution order:
+
+1. `.env.test` (if present)
+2. `.env.dev` (if present)
+3. existing process env
+
+Supported env vars:
+
+- `SECURITY_TEST_DATABASE_URL` (preferred)
+- or `DB_HOST`, `DB_PORT`, `DB_USER`, `DB_PASSWORD`, `DB_NAME`
+- optional fallback: `DATABASE_URL`
+- optional debug:
+  - `SECURITY_TEST_KEEP_SCHEMA=true` (do not drop schema after test run)
+  - `SECURITY_TEST_SCHEMA=your_schema_name` (use fixed schema name)
+
+See `.env.test.example` for a template.
+
+## Release Script
+
+You can automate version bump + tag + push with:
+
+```bash
+npm run release:patch
+npm run release:minor
+npm run release:major
+```
+
+What it does:
+
+1. Verifies clean git working tree
+2. Runs `npm test`
+3. Runs `npm run build`
+4. Bumps `package.json` + `package-lock.json`
+5. Commits as `chore(release): vX.Y.Z`
+6. Tags as `sdr-security-vX.Y.Z`
+7. Pushes commit and tag
+
+This tag format triggers `.github/workflows/publish.yml`.

package/dist/api/contracts.d.ts

@@ -3,8 +3,6 @@ export type UserRole = string;
 export type SafeUser = {
     id: string;
     email: string;
-    firstName: string | null;
-    lastName: string | null;
     phone: string | null;
     roles: UserRole[];
     emailVerifiedAt: string | Date | null;
@@ -44,3 +42,15 @@ export type DebugCodeResponse = {
     success: true;
     debugCode?: string;
 };
+export type GenericSuccessResponse = {
+    success: true;
+};
+export type UserActiveResponse = {
+    success: true;
+    userId: string;
+    active: boolean;
+};
+export type AdminNotificationResponse = {
+    success: true;
+    notified: boolean;
+};

package/dist/api/index.d.ts

@@ -3,3 +3,4 @@ export * from "./migrations";
 export * from "./access-policy";
 export * from "./validation";
 export * from "./roles";
+export * from "./notification-workflows";

package/dist/api/index.js

@@ -19,3 +19,4 @@ __exportStar(require("./migrations"), exports);
 __exportStar(require("./access-policy"), exports);
 __exportStar(require("./validation"), exports);
 __exportStar(require("./roles"), exports);
+__exportStar(require("./notification-workflows"), exports);

package/dist/api/migrations/1739500000000-create-security-identity.d.ts

@@ -1,7 +1,7 @@
 export declare class CreateSecurityIdentity1739500000000 {
     name: string;
     up(queryRunner: {
-        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+        query: (sql: string) => Promise<unknown>;
     }): Promise<void>;
     down(queryRunner: {
         query: (sql: string) => Promise<unknown>;

package/dist/api/migrations/1739500000000-create-security-identity.js

@@ -4,13 +4,10 @@ exports.CreateSecurityIdentity1739500000000 = void 0;
 class CreateSecurityIdentity1739500000000 {
     name = "CreateSecurityIdentity1739500000000";
     async up(queryRunner) {
-        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
-        const userTableRef = `"${userSchema}"."${userTable}"`;
-        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+        const userTableRef = getUserTableReference();
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_identity" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "user_id" varchar NOT NULL,
         "provider" varchar NOT NULL,
         "provider_subject" varchar NOT NULL,
@@ -21,36 +18,6 @@ class CreateSecurityIdentity1739500000000 {
     `);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_provider_subject" ON "security_identity" ("provider", "provider_subject")`);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_user_provider" ON "security_identity" ("user_id", "provider")`);
-        const hasGoogleSubjectColumn = (await queryRunner.query(`
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'google_subject'
-        LIMIT 1
-      `, [userSchema, userTable]));
-        if (hasGoogleSubjectColumn.length > 0) {
-            await queryRunner.query(`
-        INSERT INTO "security_identity" (
-          "user_id",
-          "provider",
-          "provider_subject",
-          "created_at",
-          "updated_at"
-        )
-        SELECT
-          "id",
-          'google',
-          "google_subject",
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "google_subject" IS NOT NULL
-        ON CONFLICT ("provider", "provider_subject") DO NOTHING
-      `);
-            await queryRunner.query(`DROP INDEX IF EXISTS "IDX_app_user_google_subject"`);
-            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "google_subject"`);
-        }
     }
     async down(queryRunner) {
         await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_identity_user_provider"`);
@@ -66,3 +33,10 @@ const getSafeIdentifier = (value, fallback) => {
     }
     return resolved;
 };
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};

package/dist/api/migrations/1739510000000-create-security-roles.d.ts

@@ -1,7 +1,7 @@
 export declare class CreateSecurityRoles1739510000000 {
     name: string;
     up(queryRunner: {
-        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+        query: (sql: string) => Promise<unknown>;
     }): Promise<void>;
     down(queryRunner: {
         query: (sql: string) => Promise<unknown>;

package/dist/api/migrations/1739510000000-create-security-roles.js

@@ -4,13 +4,9 @@ exports.CreateSecurityRoles1739510000000 = void 0;
 class CreateSecurityRoles1739510000000 {
     name = "CreateSecurityRoles1739510000000";
     async up(queryRunner) {
-        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
-        const userTableRef = `"${userSchema}"."${userTable}"`;
-        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "role_key" varchar NOT NULL,
         "description" text,
         "is_system" boolean NOT NULL DEFAULT false,
@@ -20,76 +16,14 @@ class CreateSecurityRoles1739510000000 {
     `);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`);
         await queryRunner.query(`
-      CREATE TABLE IF NOT EXISTS "security_user_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
-        "role_id" uuid NOT NULL,
-        "created_at" timestamptz NOT NULL DEFAULT now(),
-        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
-        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
-      )
-    `);
-        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`);
-        await queryRunner.query(`
       INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
       VALUES ('ADMIN', 'Administrative access', true, now(), now())
       ON CONFLICT ("role_key") DO NOTHING
     `);
-        const hasRoleColumn = (await queryRunner.query(`
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'role'
-        LIMIT 1
-      `, [userSchema, userTable]));
-        if (hasRoleColumn.length > 0) {
-            await queryRunner.query(`
-        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
-        SELECT DISTINCT
-          CASE
-            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-            ELSE UPPER(TRIM("role"))
-          END AS "role_key",
-          NULL,
-          false,
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "role" IS NOT NULL
-          AND LENGTH(TRIM("role")) > 0
-        ON CONFLICT ("role_key") DO NOTHING
-      `);
-            await queryRunner.query(`
-        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
-        SELECT
-          u."id" AS "user_id",
-          r."id" AS "role_id",
-          now()
-        FROM ${userTableRef} u
-        INNER JOIN "security_role" r ON r."role_key" = CASE
-          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-          ELSE UPPER(TRIM(u."role"))
-        END
-        WHERE u."role" IS NOT NULL
-          AND LENGTH(TRIM(u."role")) > 0
-        ON CONFLICT ("user_id", "role_id") DO NOTHING
-      `);
-            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`);
-        }
     }
     async down(queryRunner) {
-        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`);
-        await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
         await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
         await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
     }
 }
 exports.CreateSecurityRoles1739510000000 = CreateSecurityRoles1739510000000;
-const getSafeIdentifier = (value, fallback) => {
-    const resolved = value?.trim() || fallback;
-    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
-        throw new Error(`Invalid SQL identifier: ${resolved}`);
-    }
-    return resolved;
-};

package/dist/api/migrations/1739515000000-create-security-user-roles.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityUserRoles1739515000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739515000000-create-security-user-roles.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityUserRoles1739515000000 = void 0;
+class CreateSecurityUserRoles1739515000000 {
+    name = "CreateSecurityUserRoles1739515000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" varchar NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+    }
+}
+exports.CreateSecurityUserRoles1739515000000 = CreateSecurityUserRoles1739515000000;
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/1739520000000-create-password-reset-tokens.d.ts

@@ -0,0 +1,9 @@
+export declare class CreatePasswordResetTokens1739520000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739520000000-create-password-reset-tokens.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreatePasswordResetTokens1739520000000 = void 0;
+class CreatePasswordResetTokens1739520000000 {
+    name = "CreatePasswordResetTokens1739520000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" varchar NOT NULL,
+        "token" varchar NOT NULL,
+        "expires_at" timestamptz NOT NULL,
+        "used_at" timestamptz,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_password_reset_token_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_password_reset_token_token" ON "security_password_reset_token" ("token")`);
+        await queryRunner.query(`CREATE INDEX IF NOT EXISTS "IDX_security_password_reset_token_user_id" ON "security_password_reset_token" ("user_id")`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_password_reset_token_user_id"`);
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_password_reset_token_token"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_password_reset_token"`);
+    }
+}
+exports.CreatePasswordResetTokens1739520000000 = CreatePasswordResetTokens1739520000000;
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/1739530000000-create-security-user.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityUser1739530000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739530000000-create-security-user.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityUser1739530000000 = void 0;
+class CreateSecurityUser1739530000000 {
+    name = "CreateSecurityUser1739530000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user" (
+        "user_id" varchar PRIMARY KEY NOT NULL,
+        "password_hash" varchar NOT NULL,
+        "email_verified_at" timestamptz,
+        "email_verification_token" varchar,
+        "admin_approved_at" timestamptz,
+        "is_active" boolean NOT NULL DEFAULT true,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_email_verification_token" ON "security_user" ("email_verification_token") WHERE "email_verification_token" IS NOT NULL`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_email_verification_token"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_user"`);
+    }
+}
+exports.CreateSecurityUser1739530000000 = CreateSecurityUser1739530000000;
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};

package/dist/api/migrations/index.d.ts

@@ -1,6 +1,8 @@
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
-import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
+import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
+import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
 export declare const securityMigrations: (typeof AddRefreshTokens1700000000001)[];
-export { AddRefreshTokens1700000000001, AddGoogleSubjectToUser1739490000000, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, };
+export { AddRefreshTokens1700000000001, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreateSecurityUserRoles1739515000000, CreatePasswordResetTokens1739520000000, CreateSecurityUser1739530000000, };