@scryan7371/sdr-security 0.1.1 → 0.1.3

package/src/api/migrations/1739510000000-create-security-roles.ts

@@ -2,20 +2,11 @@ export class CreateSecurityRoles1739510000000 {
   name = "CreateSecurityRoles1739510000000";
 
   async up(queryRunner: {
-    query: (sql: string, params?: unknown[]) => Promise<unknown>;
+    query: (sql: string) => Promise<unknown>;
   }): Promise<void> {
-    const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-    const userSchema = getSafeIdentifier(
-      process.env.USER_TABLE_SCHEMA,
-      "public",
-    );
-    const userTableRef = `"${userSchema}"."${userTable}"`;
-
-    await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
-
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "role_key" varchar NOT NULL,
         "description" text,
         "is_system" boolean NOT NULL DEFAULT false,
@@ -28,95 +19,17 @@ export class CreateSecurityRoles1739510000000 {
       `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`,
     );
 
-    await queryRunner.query(`
-      CREATE TABLE IF NOT EXISTS "security_user_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
-        "role_id" uuid NOT NULL,
-        "created_at" timestamptz NOT NULL DEFAULT now(),
-        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
-        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
-      )
-    `);
-
-    await queryRunner.query(
-      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`,
-    );
-
     await queryRunner.query(`
       INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
       VALUES ('ADMIN', 'Administrative access', true, now(), now())
       ON CONFLICT ("role_key") DO NOTHING
     `);
-
-    const hasRoleColumn = (await queryRunner.query(
-      `
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'role'
-        LIMIT 1
-      `,
-      [userSchema, userTable],
-    )) as Array<{ "?column?": number }>;
-
-    if (hasRoleColumn.length > 0) {
-      await queryRunner.query(`
-        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
-        SELECT DISTINCT
-          CASE
-            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-            ELSE UPPER(TRIM("role"))
-          END AS "role_key",
-          NULL,
-          false,
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "role" IS NOT NULL
-          AND LENGTH(TRIM("role")) > 0
-        ON CONFLICT ("role_key") DO NOTHING
-      `);
-
-      await queryRunner.query(`
-        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
-        SELECT
-          u."id" AS "user_id",
-          r."id" AS "role_id",
-          now()
-        FROM ${userTableRef} u
-        INNER JOIN "security_role" r ON r."role_key" = CASE
-          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-          ELSE UPPER(TRIM(u."role"))
-        END
-        WHERE u."role" IS NOT NULL
-          AND LENGTH(TRIM(u."role")) > 0
-        ON CONFLICT ("user_id", "role_id") DO NOTHING
-      `);
-
-      await queryRunner.query(
-        `ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`,
-      );
-    }
   }
 
   async down(queryRunner: {
     query: (sql: string) => Promise<unknown>;
   }): Promise<void> {
-    await queryRunner.query(
-      `DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`,
-    );
-    await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
     await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
     await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
   }
 }
-
-const getSafeIdentifier = (value: string | undefined, fallback: string) => {
-  const resolved = value?.trim() || fallback;
-  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
-    throw new Error(`Invalid SQL identifier: ${resolved}`);
-  }
-  return resolved;
-};

package/src/api/migrations/1739515000000-create-security-user-roles.ts

@@ -0,0 +1,49 @@
+export class CreateSecurityUserRoles1739515000000 {
+  name = "CreateSecurityUserRoles1739515000000";
+
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" varchar NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`,
+    );
+  }
+
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`,
+    );
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+  }
+}
+
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};
+
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};

package/src/api/migrations/1739520000000-create-password-reset-tokens.ts

@@ -0,0 +1,57 @@
+export class CreatePasswordResetTokens1739520000000 {
+  name = "CreatePasswordResetTokens1739520000000";
+
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" varchar NOT NULL,
+        "token" varchar NOT NULL,
+        "expires_at" timestamptz NOT NULL,
+        "used_at" timestamptz,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_password_reset_token_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_password_reset_token_token" ON "security_password_reset_token" ("token")`,
+    );
+    await queryRunner.query(
+      `CREATE INDEX IF NOT EXISTS "IDX_security_password_reset_token_user_id" ON "security_password_reset_token" ("user_id")`,
+    );
+  }
+
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_password_reset_token_user_id"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_password_reset_token_token"`,
+    );
+    await queryRunner.query(
+      `DROP TABLE IF EXISTS "security_password_reset_token"`,
+    );
+  }
+}
+
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};
+
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};

package/src/api/migrations/1739530000000-create-security-user.ts

@@ -0,0 +1,51 @@
+export class CreateSecurityUser1739530000000 {
+  name = "CreateSecurityUser1739530000000";
+
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user" (
+        "user_id" varchar PRIMARY KEY NOT NULL,
+        "password_hash" varchar NOT NULL,
+        "email_verified_at" timestamptz,
+        "email_verification_token" varchar,
+        "admin_approved_at" timestamptz,
+        "is_active" boolean NOT NULL DEFAULT true,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_email_verification_token" ON "security_user" ("email_verification_token") WHERE "email_verification_token" IS NOT NULL`,
+    );
+  }
+
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_user_email_verification_token"`,
+    );
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_user"`);
+  }
+}
+
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};
+
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};

package/src/api/migrations/index.ts

@@ -1,18 +1,24 @@
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
-import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
+import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
+import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
 
 export const securityMigrations = [
   AddRefreshTokens1700000000001,
-  AddGoogleSubjectToUser1739490000000,
   CreateSecurityIdentity1739500000000,
   CreateSecurityRoles1739510000000,
+  CreateSecurityUserRoles1739515000000,
+  CreatePasswordResetTokens1739520000000,
+  CreateSecurityUser1739530000000,
 ];
 
 export {
   AddRefreshTokens1700000000001,
-  AddGoogleSubjectToUser1739490000000,
   CreateSecurityIdentity1739500000000,
   CreateSecurityRoles1739510000000,
+  CreateSecurityUserRoles1739515000000,
+  CreatePasswordResetTokens1739520000000,
+  CreateSecurityUser1739530000000,
 };

package/src/api/migrations/migrations.test.ts

@@ -0,0 +1,145 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
+import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
+import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
+import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
+import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
+import { securityMigrations } from "./index";
+
+const originalEnv = { ...process.env };
+
+afterEach(() => {
+  process.env = { ...originalEnv };
+  vi.restoreAllMocks();
+});
+
+describe("security migrations", () => {
+  it("exports migration list", () => {
+    expect(securityMigrations.length).toBe(6);
+    expect(securityMigrations).toEqual([
+      AddRefreshTokens1700000000001,
+      CreateSecurityIdentity1739500000000,
+      CreateSecurityRoles1739510000000,
+      CreateSecurityUserRoles1739515000000,
+      CreatePasswordResetTokens1739520000000,
+      CreateSecurityUser1739530000000,
+    ]);
+  });
+
+  it("runs refresh token migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new AddRefreshTokens1700000000001();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('CREATE TABLE "refresh_token"'),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE "refresh_token"'),
+    );
+  });
+
+  it("runs security identity migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreateSecurityIdentity1739500000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_identity"'),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE IF EXISTS "security_identity"'),
+    );
+  });
+
+  it("runs security role migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreateSecurityRoles1739510000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_role"'),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE IF EXISTS "security_role"'),
+    );
+  });
+
+  it("runs security user role migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreateSecurityUserRoles1739515000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining(
+        'CREATE TABLE IF NOT EXISTS "security_user_role"',
+      ),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE IF EXISTS "security_user_role"'),
+    );
+  });
+
+  it("runs password reset token migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreatePasswordResetTokens1739520000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining(
+        'CREATE TABLE IF NOT EXISTS "security_password_reset_token"',
+      ),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining(
+        'DROP TABLE IF EXISTS "security_password_reset_token"',
+      ),
+    );
+  });
+
+  it("runs security user migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreateSecurityUser1739530000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_user"'),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE IF EXISTS "security_user"'),
+    );
+  });
+
+  it("uses user schema/table env safely", async () => {
+    process.env.USER_TABLE = "users";
+    process.env.USER_TABLE_SCHEMA = "security";
+    const query = vi.fn().mockResolvedValue(undefined);
+
+    await new CreateSecurityUser1739530000000().up({ query });
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('REFERENCES "security"."users" ("id")'),
+    );
+  });
+
+  it("throws for invalid identifiers", async () => {
+    process.env.USER_TABLE = "bad-name!";
+    const query = vi.fn().mockResolvedValue(undefined);
+
+    await expect(
+      new CreateSecurityUserRoles1739515000000().up({ query }),
+    ).rejects.toThrow("Invalid SQL identifier");
+  });
+});

package/src/api/notification-workflows.test.ts

@@ -0,0 +1,78 @@
+import { describe, expect, it, vi } from "vitest";
+import {
+  notifyAdminsOnEmailVerified,
+  notifyUserOnAdminApproval,
+} from "./notification-workflows";
+
+describe("notification-workflows", () => {
+  it("notifies admins when admin recipients exist", async () => {
+    const listAdminEmails = vi
+      .fn<() => Promise<string[]>>()
+      .mockResolvedValue(["admin@example.com"]);
+    const notifyAdmins = vi.fn().mockResolvedValue(undefined);
+
+    const result = await notifyAdminsOnEmailVerified({
+      user: {
+        id: "user-1",
+        email: "user@example.com",
+      },
+      listAdminEmails,
+      notifyAdmins,
+    });
+
+    expect(result).toEqual({
+      notified: true,
+      adminEmails: ["admin@example.com"],
+    });
+    expect(notifyAdmins).toHaveBeenCalledWith(
+      expect.objectContaining({
+        adminEmails: ["admin@example.com"],
+        user: expect.objectContaining({ id: "user-1" }),
+      }),
+    );
+  });
+
+  it("skips admin notification when there are no admin recipients", async () => {
+    const notifyAdmins = vi.fn().mockResolvedValue(undefined);
+
+    const result = await notifyAdminsOnEmailVerified({
+      user: {
+        id: "user-1",
+        email: "user@example.com",
+      },
+      listAdminEmails: vi.fn().mockResolvedValue([]),
+      notifyAdmins,
+    });
+
+    expect(result).toEqual({ notified: false, adminEmails: [] });
+    expect(notifyAdmins).not.toHaveBeenCalled();
+  });
+
+  it("notifies user when account is approved", async () => {
+    const notifyUser = vi.fn().mockResolvedValue(undefined);
+
+    const result = await notifyUserOnAdminApproval({
+      approved: true,
+      user: { email: "user@example.com" },
+      notifyUser,
+    });
+
+    expect(result).toEqual({ notified: true });
+    expect(notifyUser).toHaveBeenCalledWith({
+      email: "user@example.com",
+    });
+  });
+
+  it("skips user notification when approval is false", async () => {
+    const notifyUser = vi.fn().mockResolvedValue(undefined);
+
+    const result = await notifyUserOnAdminApproval({
+      approved: false,
+      user: { email: "user@example.com" },
+      notifyUser,
+    });
+
+    expect(result).toEqual({ notified: false });
+    expect(notifyUser).not.toHaveBeenCalled();
+  });
+});

package/src/api/notification-workflows.ts

@@ -0,0 +1,38 @@
+export type VerificationNotificationUser = {
+  id: string;
+  email: string;
+};
+
+export const notifyAdminsOnEmailVerified = async (params: {
+  user: VerificationNotificationUser;
+  listAdminEmails: () => Promise<string[]>;
+  notifyAdmins: (payload: {
+    adminEmails: string[];
+    user: VerificationNotificationUser;
+  }) => Promise<void>;
+}) => {
+  const adminEmails = await params.listAdminEmails();
+  if (adminEmails.length === 0) {
+    return { notified: false as const, adminEmails };
+  }
+
+  await params.notifyAdmins({ adminEmails, user: params.user });
+  return { notified: true as const, adminEmails };
+};
+
+export const notifyUserOnAdminApproval = async (params: {
+  approved: boolean;
+  user: {
+    email: string;
+  };
+  notifyUser: (payload: { email: string }) => Promise<void>;
+}) => {
+  if (!params.approved) {
+    return { notified: false as const };
+  }
+
+  await params.notifyUser({
+    email: params.user.email,
+  });
+  return { notified: true as const };
+};

package/src/api/validation.test.ts

@@ -0,0 +1,21 @@
+import { describe, expect, it } from "vitest";
+import { isStrongPassword, isValidEmail, sanitizeEmail } from "./validation";
+
+describe("validation", () => {
+  it("sanitizes email", () => {
+    expect(sanitizeEmail("  USER@Example.COM ")).toBe("user@example.com");
+  });
+
+  it("validates email format", () => {
+    expect(isValidEmail("bad-email")).toBe(false);
+    expect(isValidEmail("u@e\\.c")).toBe(true);
+  });
+
+  it("checks password strength", () => {
+    expect(isStrongPassword("Abc123")).toBe(false);
+    expect(isStrongPassword("lowercase123")).toBe(false);
+    expect(isStrongPassword("UPPERCASE123")).toBe(false);
+    expect(isStrongPassword("NoDigitsHere")).toBe(false);
+    expect(isStrongPassword("Abc\\d")).toBe(true);
+  });
+});