@scryan7371/sdr-security 0.1.1

package/src/api/migrations/1739510000000-create-security-roles.ts

@@ -0,0 +1,122 @@
+export class CreateSecurityRoles1739510000000 {
+  name = "CreateSecurityRoles1739510000000";
+
+  async up(queryRunner: {
+    query: (sql: string, params?: unknown[]) => Promise<unknown>;
+  }): Promise<void> {
+    const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const userSchema = getSafeIdentifier(
+      process.env.USER_TABLE_SCHEMA,
+      "public",
+    );
+    const userTableRef = `"${userSchema}"."${userTable}"`;
+
+    await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "role_key" varchar NOT NULL,
+        "description" text,
+        "is_system" boolean NOT NULL DEFAULT false,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        "updated_at" timestamptz NOT NULL DEFAULT now()
+      )
+    `);
+
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`,
+    );
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "user_id" varchar NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`,
+    );
+
+    await queryRunner.query(`
+      INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
+      VALUES ('ADMIN', 'Administrative access', true, now(), now())
+      ON CONFLICT ("role_key") DO NOTHING
+    `);
+
+    const hasRoleColumn = (await queryRunner.query(
+      `
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_schema = $1
+          AND table_name = $2
+          AND column_name = 'role'
+        LIMIT 1
+      `,
+      [userSchema, userTable],
+    )) as Array<{ "?column?": number }>;
+
+    if (hasRoleColumn.length > 0) {
+      await queryRunner.query(`
+        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
+        SELECT DISTINCT
+          CASE
+            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
+            ELSE UPPER(TRIM("role"))
+          END AS "role_key",
+          NULL,
+          false,
+          now(),
+          now()
+        FROM ${userTableRef}
+        WHERE "role" IS NOT NULL
+          AND LENGTH(TRIM("role")) > 0
+        ON CONFLICT ("role_key") DO NOTHING
+      `);
+
+      await queryRunner.query(`
+        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
+        SELECT
+          u."id" AS "user_id",
+          r."id" AS "role_id",
+          now()
+        FROM ${userTableRef} u
+        INNER JOIN "security_role" r ON r."role_key" = CASE
+          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
+          ELSE UPPER(TRIM(u."role"))
+        END
+        WHERE u."role" IS NOT NULL
+          AND LENGTH(TRIM(u."role")) > 0
+        ON CONFLICT ("user_id", "role_id") DO NOTHING
+      `);
+
+      await queryRunner.query(
+        `ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`,
+      );
+    }
+  }
+
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`,
+    );
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+    await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
+  }
+}
+
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};

package/src/api/migrations/index.ts

@@ -0,0 +1,18 @@
+import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
+import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
+import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
+import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+
+export const securityMigrations = [
+  AddRefreshTokens1700000000001,
+  AddGoogleSubjectToUser1739490000000,
+  CreateSecurityIdentity1739500000000,
+  CreateSecurityRoles1739510000000,
+];
+
+export {
+  AddRefreshTokens1700000000001,
+  AddGoogleSubjectToUser1739490000000,
+  CreateSecurityIdentity1739500000000,
+  CreateSecurityRoles1739510000000,
+};

package/src/api/roles.test.ts

@@ -0,0 +1,20 @@
+import { describe, expect, it } from "vitest";
+import { hasRole, isAdmin, normalizeRoleName } from "./roles";
+
+describe("roles", () => {
+  it("normalizes role names", () => {
+    expect(normalizeRoleName("admin")).toBe("ADMIN");
+    expect(normalizeRoleName("case manager")).toBe("CASE_MANAGER");
+    expect(normalizeRoleName("ADMINISTRATOR")).toBe("ADMIN");
+  });
+
+  it("checks role membership", () => {
+    expect(hasRole(["ADMIN", "MEMBER"], "admin")).toBe(true);
+    expect(hasRole(["MEMBER"], "ADMIN")).toBe(false);
+  });
+
+  it("checks admin role", () => {
+    expect(isAdmin(["ADMIN"])).toBe(true);
+    expect(isAdmin(["MEMBER"])).toBe(false);
+  });
+});

package/src/api/roles.ts

@@ -0,0 +1,25 @@
+import { ADMIN_ROLE } from "./contracts";
+
+export const normalizeRoleName = (value: string): string => {
+  const normalized = value.trim().toUpperCase().replace(/\s+/g, "_");
+  if (!normalized || !/^[A-Z][A-Z0-9_]*$/.test(normalized)) {
+    throw new Error("Invalid role name");
+  }
+  if (normalized === "ADMINISTRATOR") {
+    return ADMIN_ROLE;
+  }
+  return normalized;
+};
+
+export const hasRole = (roles: string[], role: string) => {
+  const normalizedRole = normalizeRoleName(role);
+  return roles.some((assignedRole) => {
+    try {
+      return normalizeRoleName(assignedRole) === normalizedRole;
+    } catch {
+      return false;
+    }
+  });
+};
+
+export const isAdmin = (roles: string[]) => hasRole(roles, ADMIN_ROLE);

package/src/api/validation.ts

@@ -0,0 +1,7 @@
+export const sanitizeEmail = (email: string) => email.trim().toLowerCase();
+
+export const isValidEmail = (value: string) =>
+  /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/.test(value);
+
+export const isStrongPassword = (value: string) =>
+  /[A-Z]/.test(value) && /[a-z]/.test(value) && /\\d/.test(value);

package/src/app/client.ts

@@ -0,0 +1,131 @@
+import type {
+  AuthResponse,
+  DebugCodeResponse,
+  DebugTokenResponse,
+  RoleCatalogResponse,
+  RegisterResponse,
+  UserRolesResponse,
+} from "../api/contracts";
+
+type FetchLike = typeof fetch;
+
+export type SecurityClientOptions = {
+  baseUrl: string;
+  getAccessToken: () => string | null;
+  fetchImpl?: FetchLike;
+};
+
+export const createSecurityClient = (options: SecurityClientOptions) => {
+  const fetchImpl = options.fetchImpl ?? fetch;
+
+  const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    const token = options.getAccessToken();
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      ...(init?.headers ? (init.headers as Record<string, string>) : {}),
+    };
+
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+
+    const response = await fetchImpl(`${options.baseUrl}${path}`, {
+      ...init,
+      headers,
+    });
+
+    const text = await response.text();
+    const body = text ? JSON.parse(text) : {};
+
+    if (!response.ok) {
+      const message =
+        typeof body?.message === "string"
+          ? body.message
+          : `Request failed: ${response.status}`;
+      throw new Error(message);
+    }
+
+    return body as T;
+  };
+
+  return {
+    register: (payload: {
+      email: string;
+      password: string;
+      firstName?: string;
+      lastName?: string;
+    }) =>
+      request<RegisterResponse>("/auth/register", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    login: (payload: { email: string; password: string }) =>
+      request<AuthResponse>("/auth/login", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    loginWithGoogle: (payload: { idToken: string }) =>
+      request<AuthResponse>("/auth/login/google", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    refresh: (payload: { refreshToken: string }) =>
+      request<AuthResponse>("/auth/refresh", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    revoke: (payload: { refreshToken: string }) =>
+      request<{ success: true }>("/auth/revoke", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    logout: (payload: { refreshToken?: string }) =>
+      request<{ success: true }>("/auth/logout", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    requestEmailVerification: () =>
+      request<DebugTokenResponse>("/auth/request-email-verification", {
+        method: "POST",
+      }),
+
+    verifyEmail: (token: string) =>
+      request<{ success: true }>(`/auth/verify-email?token=${token}`),
+
+    requestPhoneVerification: () =>
+      request<DebugCodeResponse>("/auth/request-phone-verification", {
+        method: "POST",
+      }),
+
+    verifyPhone: (code: string) =>
+      request<{ success: true }>("/auth/verify-phone", {
+        method: "POST",
+        body: JSON.stringify({ code }),
+      }),
+
+    getMyRoles: () => request<UserRolesResponse>("/auth/me/roles"),
+
+    listRoles: () => request<RoleCatalogResponse>("/admin/roles"),
+
+    createRole: (payload: { role: string; description?: string | null }) =>
+      request<RoleCatalogResponse>("/admin/roles", {
+        method: "POST",
+        body: JSON.stringify(payload),
+      }),
+
+    getUserRoles: (userId: string) =>
+      request<UserRolesResponse>(`/admin/users/${userId}/roles`),
+
+    setUserRoles: (userId: string, roles: string[]) =>
+      request<UserRolesResponse>(`/admin/users/${userId}/roles`, {
+        method: "PUT",
+        body: JSON.stringify({ roles }),
+      }),
+  };
+};

package/src/app/index.ts

@@ -0,0 +1 @@
+export * from "./client";

package/src/index.ts

@@ -0,0 +1,2 @@
+export * as api from "./api";
+export * as app from "./app";