@scryan7371/sdr-security 0.1.1 → 0.1.3

package/src/app/client.test.ts

@@ -0,0 +1,157 @@
+import { describe, expect, it, vi } from "vitest";
+import { createSecurityClient } from "./client";
+
+type MockResponse = { ok: boolean; status: number; body: unknown };
+
+const makeFetch = (responses: MockResponse[]) => {
+  const fn = vi.fn();
+  responses.forEach((response) => {
+    fn.mockResolvedValueOnce({
+      ok: response.ok,
+      status: response.status,
+      text: async () =>
+        response.body === undefined ? "" : JSON.stringify(response.body),
+    });
+  });
+  return fn;
+};
+
+describe("createSecurityClient", () => {
+  it("sends auth header and JSON body", async () => {
+    const fetchImpl = makeFetch([
+      { ok: true, status: 200, body: { success: true } },
+    ]);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => "token-1",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await client.register({
+      email: "user@example.com",
+      password: "Secret123",
+    });
+
+    expect(fetchImpl).toHaveBeenCalledWith(
+      "https://api.example.com/security/auth/register",
+      expect.objectContaining({
+        method: "POST",
+        headers: expect.objectContaining({
+          Authorization: "Bearer token-1",
+          "Content-Type": "application/json",
+        }),
+      }),
+    );
+  });
+
+  it("omits auth header when token is missing", async () => {
+    const fetchImpl = makeFetch([
+      { ok: true, status: 200, body: { success: true } },
+    ]);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => null,
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await client.logout({});
+
+    const headers = (
+      fetchImpl.mock.calls[0][1] as { headers: Record<string, string> }
+    ).headers;
+    expect(headers.Authorization).toBeUndefined();
+  });
+
+  it("throws server-provided error message", async () => {
+    const fetchImpl = makeFetch([
+      { ok: false, status: 400, body: { message: "bad request" } },
+    ]);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => "token",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await expect(client.login({ email: "x", password: "y" })).rejects.toThrow(
+      "bad request",
+    );
+  });
+
+  it("throws fallback error when server does not return message", async () => {
+    const fetchImpl = makeFetch([
+      { ok: false, status: 503, body: { detail: "down" } },
+    ]);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => "token",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await expect(client.listRoles()).rejects.toThrow("Request failed: 503");
+  });
+
+  it("encodes URL params correctly", async () => {
+    const fetchImpl = makeFetch([
+      { ok: true, status: 200, body: { success: true } },
+      { ok: true, status: 200, body: { success: true } },
+      { ok: true, status: 200, body: { success: true } },
+    ]);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => "token",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await client.verifyEmail("a b+c");
+    await client.removeRole("ADMIN TEAM");
+    await client.removeRoleFromUser("u1", "ADMIN TEAM");
+
+    expect(fetchImpl.mock.calls[0][0]).toContain("token=a%20b%2Bc");
+    expect(fetchImpl.mock.calls[1][0]).toContain("roles/ADMIN%20TEAM");
+    expect(fetchImpl.mock.calls[2][0]).toContain("roles/ADMIN%20TEAM");
+  });
+
+  it("supports auth and workflow operations", async () => {
+    const responses = Array.from({ length: 18 }, () => ({
+      ok: true,
+      status: 200,
+      body: { success: true },
+    }));
+    const fetchImpl = makeFetch(responses);
+    const client = createSecurityClient({
+      baseUrl: "https://api.example.com",
+      getAccessToken: () => "token",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    await client.login({ email: "u@e.com", password: "Secret123" });
+    await client.loginWithGoogle({ idToken: "id-token" });
+    await client.refresh({ refreshToken: "rt" });
+    await client.revoke({ refreshToken: "rt" });
+    await client.changePassword({ currentPassword: "a", newPassword: "b" });
+    await client.forgotPassword("u@e.com");
+    await client.resetPassword({ token: "t", newPassword: "Secret123" });
+    await client.requestPhoneVerification();
+    await client.verifyPhone("123456");
+    await client.getMyRoles();
+    await client.listRoles();
+    await client.createRole({ role: "COACH", description: null });
+    await client.getUserRoles("u1");
+    await client.setUserRoles("u1", ["ADMIN"]);
+    await client.approveUser("u1", true);
+    await client.setUserActive("u1", true);
+    await client.assignRoleToUser("u1", "ADMIN");
+    await client.removeRoleFromUser("u1", "ADMIN");
+
+    expect(fetchImpl).toHaveBeenCalledTimes(18);
+    expect(fetchImpl.mock.calls.map((c) => c[0])).toEqual(
+      expect.arrayContaining([
+        "https://api.example.com/auth/login/google",
+        "https://api.example.com/auth/revoke",
+        "https://api.example.com/auth/request-phone-verification",
+        "https://api.example.com/auth/verify-phone",
+        "https://api.example.com/security/workflows/users/u1/admin-approval",
+      ]),
+    );
+  });
+});

package/src/app/client.ts

@@ -1,9 +1,12 @@
 import type {
+  AdminNotificationResponse,
   AuthResponse,
   DebugCodeResponse,
   DebugTokenResponse,
+  GenericSuccessResponse,
   RoleCatalogResponse,
   RegisterResponse,
+  UserActiveResponse,
   UserRolesResponse,
 } from "../api/contracts";
 
@@ -49,19 +52,14 @@ export const createSecurityClient = (options: SecurityClientOptions) => {
   };
 
   return {
-    register: (payload: {
-      email: string;
-      password: string;
-      firstName?: string;
-      lastName?: string;
-    }) =>
-      request<RegisterResponse>("/auth/register", {
+    register: (payload: { email: string; password: string }) =>
+      request<RegisterResponse>("/security/auth/register", {
         method: "POST",
         body: JSON.stringify(payload),
       }),
 
     login: (payload: { email: string; password: string }) =>
-      request<AuthResponse>("/auth/login", {
+      request<AuthResponse>("/security/auth/login", {
         method: "POST",
         body: JSON.stringify(payload),
       }),
@@ -73,7 +71,7 @@ export const createSecurityClient = (options: SecurityClientOptions) => {
       }),
 
     refresh: (payload: { refreshToken: string }) =>
-      request<AuthResponse>("/auth/refresh", {
+      request<AuthResponse>("/security/auth/refresh", {
         method: "POST",
         body: JSON.stringify(payload),
       }),
@@ -85,18 +83,36 @@ export const createSecurityClient = (options: SecurityClientOptions) => {
       }),
 
     logout: (payload: { refreshToken?: string }) =>
-      request<{ success: true }>("/auth/logout", {
+      request<{ success: true }>("/security/auth/logout", {
         method: "POST",
         body: JSON.stringify(payload),
       }),
 
-    requestEmailVerification: () =>
-      request<DebugTokenResponse>("/auth/request-email-verification", {
+    changePassword: (payload: {
+      currentPassword: string;
+      newPassword: string;
+    }) =>
+      request<GenericSuccessResponse>("/security/auth/change-password", {
         method: "POST",
+        body: JSON.stringify(payload),
       }),
 
     verifyEmail: (token: string) =>
-      request<{ success: true }>(`/auth/verify-email?token=${token}`),
+      request<{ success: true }>(
+        `/security/auth/verify-email?token=${encodeURIComponent(token)}`,
+      ),
+
+    forgotPassword: (email: string) =>
+      request<GenericSuccessResponse>("/security/auth/forgot-password", {
+        method: "POST",
+        body: JSON.stringify({ email }),
+      }),
+
+    resetPassword: (payload: { token: string; newPassword: string }) =>
+      request<GenericSuccessResponse>("/security/auth/reset-password", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
 
     requestPhoneVerification: () =>
       request<DebugCodeResponse>("/auth/request-phone-verification", {
@@ -109,23 +125,63 @@ export const createSecurityClient = (options: SecurityClientOptions) => {
         body: JSON.stringify({ code }),
       }),
 
-    getMyRoles: () => request<UserRolesResponse>("/auth/me/roles"),
+    getMyRoles: () => request<UserRolesResponse>("/security/auth/me/roles"),
 
-    listRoles: () => request<RoleCatalogResponse>("/admin/roles"),
+    listRoles: () => request<RoleCatalogResponse>("/security/workflows/roles"),
 
     createRole: (payload: { role: string; description?: string | null }) =>
-      request<RoleCatalogResponse>("/admin/roles", {
+      request<RoleCatalogResponse>("/security/workflows/roles", {
         method: "POST",
         body: JSON.stringify(payload),
       }),
 
     getUserRoles: (userId: string) =>
-      request<UserRolesResponse>(`/admin/users/${userId}/roles`),
+      request<UserRolesResponse>(`/security/workflows/users/${userId}/roles`),
 
     setUserRoles: (userId: string, roles: string[]) =>
-      request<UserRolesResponse>(`/admin/users/${userId}/roles`, {
+      request<UserRolesResponse>(`/security/workflows/users/${userId}/roles`, {
         method: "PUT",
         body: JSON.stringify({ roles }),
       }),
+
+    approveUser: (userId: string, approved: boolean) =>
+      request<AdminNotificationResponse>(
+        `/security/workflows/users/${userId}/admin-approval`,
+        {
+          method: "PATCH",
+          body: JSON.stringify({ approved }),
+        },
+      ),
+
+    setUserActive: (userId: string, active: boolean) =>
+      request<UserActiveResponse>(
+        `/security/workflows/users/${userId}/active`,
+        {
+          method: "PATCH",
+          body: JSON.stringify({ active }),
+        },
+      ),
+
+    removeRole: (role: string) =>
+      request<{ success: boolean }>(
+        `/security/workflows/roles/${encodeURIComponent(role)}`,
+        {
+          method: "DELETE",
+        },
+      ),
+
+    assignRoleToUser: (userId: string, role: string) =>
+      request<UserRolesResponse>(`/security/workflows/users/${userId}/roles`, {
+        method: "POST",
+        body: JSON.stringify({ role }),
+      }),
+
+    removeRoleFromUser: (userId: string, role: string) =>
+      request<UserRolesResponse>(
+        `/security/workflows/users/${userId}/roles/${encodeURIComponent(role)}`,
+        {
+          method: "DELETE",
+        },
+      ),
   };
 };

package/src/index.test.ts

@@ -0,0 +1,9 @@
+import { describe, expect, it } from "vitest";
+import { api, app } from "./index";
+
+describe("package exports", () => {
+  it("exposes api and app modules", () => {
+    expect(api.ADMIN_ROLE).toBe("ADMIN");
+    expect(typeof app.createSecurityClient).toBe("function");
+  });
+});

package/src/integration/database.integration.test.ts

@@ -0,0 +1,205 @@
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { Client, ClientConfig } from "pg";
+import { securityMigrations } from "../api/migrations";
+
+type QueryRunnerLike = {
+  query: (sql: string, params?: unknown[]) => Promise<unknown>;
+};
+
+const loadEnvFile = (filepath: string) => {
+  if (!existsSync(filepath)) {
+    return;
+  }
+
+  const file = readFileSync(filepath, "utf8");
+  for (const line of file.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+
+    const index = trimmed.indexOf("=");
+    if (index <= 0) {
+      continue;
+    }
+
+    const rawKey = trimmed.slice(0, index).trim();
+    const key = rawKey.startsWith("export ")
+      ? rawKey.slice("export ".length).trim()
+      : rawKey;
+    const rawValue = trimmed.slice(index + 1).trim();
+    const unquoted =
+      (rawValue.startsWith('"') && rawValue.endsWith('"')) ||
+      (rawValue.startsWith("'") && rawValue.endsWith("'"))
+        ? rawValue.slice(1, -1)
+        : rawValue;
+
+    if (!process.env[key]) {
+      process.env[key] = unquoted;
+    }
+  }
+};
+
+const loadDotEnvDefaults = () => {
+  const cwd = process.cwd();
+  const fileDir = __dirname;
+  const projectRoot = path.resolve(fileDir, "../..");
+
+  const candidates = [
+    path.join(cwd, ".env.test"),
+    path.join(cwd, ".env.dev"),
+    path.join(projectRoot, ".env.test"),
+    path.join(projectRoot, ".env.dev"),
+  ];
+
+  for (const candidate of candidates) {
+    loadEnvFile(candidate);
+  }
+};
+
+const resolveDbConfig = (): ClientConfig | null => {
+  const connectionString =
+    process.env.SECURITY_TEST_DATABASE_URL ?? process.env.DATABASE_URL;
+
+  if (connectionString) {
+    return { connectionString };
+  }
+
+  if (!process.env.DB_HOST || !process.env.DB_USER || !process.env.DB_NAME) {
+    return null;
+  }
+
+  return {
+    host: process.env.DB_HOST,
+    port: process.env.DB_PORT ? Number(process.env.DB_PORT) : 5432,
+    user: process.env.DB_USER,
+    password: process.env.DB_PASSWORD,
+    database: process.env.DB_NAME,
+  };
+};
+
+loadDotEnvDefaults();
+const dbConfig = resolveDbConfig();
+const missingRequiredDbVars = ["DB_HOST", "DB_USER", "DB_NAME"].filter(
+  (key) => !process.env[key],
+);
+const keepSchemaForDebug = process.env.SECURITY_TEST_KEEP_SCHEMA === "true";
+const fixedSchemaName = process.env.SECURITY_TEST_SCHEMA?.trim() || "";
+const resetSchemaBeforeRun = process.env.SECURITY_TEST_RESET_SCHEMA !== "false";
+
+describe("database integration", () => {
+  const previousUserTable = process.env.USER_TABLE;
+  const previousUserSchema = process.env.USER_TABLE_SCHEMA;
+
+  const schema = fixedSchemaName || `sdr_security_it_${Date.now()}`;
+  let client: Client;
+  let runner: QueryRunnerLike;
+
+  beforeAll(async () => {
+    if (!dbConfig) {
+      throw new Error(
+        `Database integration tests require DB env. Missing: ${missingRequiredDbVars.join(", ") || "unknown"}`,
+      );
+    }
+
+    client = new Client(dbConfig as ClientConfig);
+    await client.connect();
+
+    runner = {
+      query: async (sql: string, params?: unknown[]) => {
+        const result = await client.query(sql, params as any[] | undefined);
+        return result.rows;
+      },
+    };
+
+    if (resetSchemaBeforeRun) {
+      await client.query(`DROP SCHEMA IF EXISTS "${schema}" CASCADE`);
+    }
+    await client.query(`CREATE SCHEMA IF NOT EXISTS "${schema}"`);
+    await client.query(`SET search_path TO "${schema}", public`);
+    await client.query(`
+      CREATE TABLE IF NOT EXISTS "${schema}"."app_user" (
+        "id" varchar PRIMARY KEY NOT NULL,
+        "email" varchar NOT NULL
+      )
+    `);
+
+    process.env.USER_TABLE = "app_user";
+    process.env.USER_TABLE_SCHEMA = schema;
+
+    for (const Migration of securityMigrations) {
+      await new Migration().up(runner as never);
+    }
+  });
+
+  afterAll(async () => {
+    if (!client) {
+      return;
+    }
+
+    if (!keepSchemaForDebug) {
+      for (const Migration of [...securityMigrations].reverse()) {
+        await new Migration().down(runner as never);
+      }
+      await client.query(`DROP TABLE IF EXISTS "${schema}"."app_user"`);
+      await client.query(`DROP SCHEMA IF EXISTS "${schema}" CASCADE`);
+    }
+    await client.end();
+
+    process.env.USER_TABLE = previousUserTable;
+    process.env.USER_TABLE_SCHEMA = previousUserSchema;
+  });
+
+  it("creates expected security tables and indexes", async () => {
+    const tables = await client.query(
+      `
+      SELECT table_name
+      FROM information_schema.tables
+      WHERE table_schema = $1
+        AND table_name = ANY($2)
+    `,
+      [
+        schema,
+        [
+          "refresh_token",
+          "security_identity",
+          "security_role",
+          "security_user_role",
+          "security_password_reset_token",
+        ],
+      ],
+    );
+
+    expect(tables.rows).toHaveLength(5);
+
+    const adminRole = await client.query(
+      `SELECT role_key FROM "${schema}"."security_role" WHERE role_key = 'ADMIN' LIMIT 1`,
+    );
+    expect(adminRole.rows).toHaveLength(1);
+
+    const index = await client.query(
+      `
+      SELECT indexname
+      FROM pg_indexes
+      WHERE schemaname = $1
+        AND indexname = 'IDX_security_user_role_user_role'
+      `,
+      [schema],
+    );
+
+    expect(index.rows).toHaveLength(1);
+  });
+
+  it("prints schema name for debugging", () => {
+    console.log(`[sdr-security test:db] schema=${schema}`);
+    console.log(
+      `[sdr-security test:db] keepSchema=${keepSchemaForDebug ? "true" : "false"}`,
+    );
+    console.log(
+      `[sdr-security test:db] resetSchemaBeforeRun=${resetSchemaBeforeRun ? "true" : "false"}`,
+    );
+    expect(schema.length).toBeGreaterThan(0);
+  });
+});

package/src/nest/contracts.ts

@@ -0,0 +1,20 @@
+export type SecurityWorkflowUser = {
+  id: string;
+  email: string;
+};
+
+export type SecurityWorkflowNotifier = {
+  sendEmailVerification?: (params: {
+    email: string;
+    token: string;
+  }) => Promise<void>;
+  sendPasswordReset?: (params: {
+    email: string;
+    token: string;
+  }) => Promise<void>;
+  sendAdminsUserEmailVerified: (params: {
+    adminEmails: string[];
+    user: SecurityWorkflowUser;
+  }) => Promise<void>;
+  sendUserAccountApproved: (params: { email: string }) => Promise<void>;
+};

package/src/nest/dto/auth.dto.ts

@@ -0,0 +1,48 @@
+import { ApiProperty } from "@nestjs/swagger";
+
+export class RegisterDto {
+  @ApiProperty({ example: "user@example.com" })
+  email!: string;
+
+  @ApiProperty({ example: "StrongPass1" })
+  password!: string;
+}
+
+export class LoginDto {
+  @ApiProperty({ example: "user@example.com" })
+  email!: string;
+
+  @ApiProperty({ example: "StrongPass1" })
+  password!: string;
+}
+
+export class RefreshDto {
+  @ApiProperty({ example: "refresh-token" })
+  refreshToken!: string;
+}
+
+export class LogoutDto {
+  @ApiProperty({ required: false, example: "refresh-token" })
+  refreshToken?: string;
+}
+
+export class ChangePasswordDto {
+  @ApiProperty({ example: "OldPass1" })
+  currentPassword!: string;
+
+  @ApiProperty({ example: "NewPass1" })
+  newPassword!: string;
+}
+
+export class ForgotPasswordDto {
+  @ApiProperty({ example: "user@example.com" })
+  email!: string;
+}
+
+export class ResetPasswordDto {
+  @ApiProperty({ example: "reset-token" })
+  token!: string;
+
+  @ApiProperty({ example: "NewPass1" })
+  newPassword!: string;
+}

package/src/nest/dto/workflows.dto.ts

@@ -0,0 +1,29 @@
+import { ApiProperty } from "@nestjs/swagger";
+
+export class SetAdminApprovalDto {
+  @ApiProperty({ example: true })
+  approved!: boolean;
+}
+
+export class SetUserActiveDto {
+  @ApiProperty({ example: false })
+  active!: boolean;
+}
+
+export class CreateRoleDto {
+  @ApiProperty({ example: "COACH" })
+  role!: string;
+
+  @ApiProperty({ required: false, nullable: true, example: "Coaching access" })
+  description?: string | null;
+}
+
+export class SetUserRolesDto {
+  @ApiProperty({ type: [String], example: ["ADMIN", "COACH"] })
+  roles!: string[];
+}
+
+export class AssignRoleDto {
+  @ApiProperty({ example: "COACH" })
+  role!: string;
+}

package/src/nest/entities/app-user.entity.ts

@@ -0,0 +1,10 @@
+import { Column, Entity, PrimaryGeneratedColumn } from "typeorm";
+
+@Entity({ name: "app_user" })
+export class AppUserEntity {
+  @PrimaryGeneratedColumn("uuid")
+  id!: string;
+
+  @Column({ type: "varchar" })
+  email!: string;
+}

package/src/nest/entities/password-reset-token.entity.ts

@@ -0,0 +1,27 @@
+import {
+  Column,
+  CreateDateColumn,
+  Entity,
+  PrimaryGeneratedColumn,
+} from "typeorm";
+
+@Entity({ name: "security_password_reset_token" })
+export class PasswordResetTokenEntity {
+  @PrimaryGeneratedColumn("uuid")
+  id!: string;
+
+  @Column({ type: "varchar", name: "user_id" })
+  userId!: string;
+
+  @Column({ type: "varchar", unique: true })
+  token!: string;
+
+  @Column({ type: "timestamptz", name: "expires_at" })
+  expiresAt!: Date;
+
+  @Column({ type: "timestamptz", name: "used_at", nullable: true })
+  usedAt!: Date | null;
+
+  @CreateDateColumn({ name: "created_at" })
+  createdAt!: Date;
+}

package/src/nest/entities/refresh-token.entity.ts

@@ -0,0 +1,22 @@
+import { Column, CreateDateColumn, Entity, PrimaryColumn } from "typeorm";
+
+@Entity({ name: "refresh_token" })
+export class RefreshTokenEntity {
+  @PrimaryColumn({ type: "varchar" })
+  id!: string;
+
+  @Column({ type: "varchar", name: "token_hash" })
+  tokenHash!: string;
+
+  @Column({ type: "timestamptz", name: "expires_at" })
+  expiresAt!: Date;
+
+  @Column({ type: "timestamptz", name: "revoked_at", nullable: true })
+  revokedAt!: Date | null;
+
+  @Column({ type: "varchar", name: "userId", nullable: true })
+  userId!: string | null;
+
+  @CreateDateColumn({ name: "created_at" })
+  createdAt!: Date;
+}